Malware 2025 2026() 2025() 2024() 2023() 2022() OTHER()
|
31.12.25 |
Shai Hulud strikes again - The golden path |
PYTHON |
||
|
25.12.25 |
Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers |
STEALER |
||
|
25.12.25 |
SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums |
INFOSTEALER |
||
|
25.12.25 |
From ClickFix to code signed: the quiet shift of MacSync Stealer malware |
Mac OS |
||
|
24.12.25 |
Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan |
ANDROID |
||
|
24.12.25 |
NexusRoute: Attempting to Disrupt an Indian Government Ministry |
ANDROID |
||
|
24.12.25 |
Frogblight threatens you with a court case: a new Android banker targets Turkish users |
ANDROID BANKING |
||
|
24.12.25 |
Meet Cellik - A New Android RAT With Play Store Integration |
ANDROID RAT |
||
|
20.12.25 |
The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. |
LOADER |
||
|
20.12.25 |
From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader |
LOADER |
||
|
18.12.25 |
Kimsuky Distributing Malicious Mobile App via QR Code |
ANDROID |
||
|
17.12.25 |
Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users |
JAVASCRIPT |
||
|
17.12.25 |
Remediating Atlassian Confluence servers fails to thwart Effluence backdoor |
BACKDOOR |
||
|
17.12.25 |
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign |
BACKDOOR |
||
|
13.12.25 |
This week, SonicWall Capture Labs Threat Research Team analyzed a sample of SalatStealer. This is a Golang malware capable of infiltrating a system and enumerating through browsers, files, cryptowallets and systems while embedding a complete array of monitoring tools to push and pull any data on disk. |
STEALER |
||
|
13.12.25 |
Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits |
RAT |
||
|
13.12.25 |
SetcodeRat Exposed: A Telegram Secret Stealing Trojan Customized for Chinese-speaking Regions |
RAT |
||
|
13.12.25 |
PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals |
RAT |
||
|
12.12.25 |
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite |
MALWARE |
||
|
12.12.25 |
The fully-featured backdoor we call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. |
BACKDOOR |
||
|
12.12.25 |
PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182 |
BACKDOOR |
||
|
10.12.25 |
JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery |
JAVASCRIPT |
||
|
10.12.25 |
EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks |
RAT |
||
|
10.12.25 |
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries |
LOADER |
||
|
8.12.25 |
Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases |
ANDROID |
||
|
8.12.25 |
Return of ClayRat: Expanded Features and Techniques |
RAT |
||
|
8.12.25 |
New FvncBot Android banking trojan targets Poland |
ANDROID |
||
|
7.12.25 |
A malware dropper that allows remote attackers to drop additional payloads on breached devices. |
Dropper |
||
|
7.12.25 |
A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. |
Backdoor |
||
|
6.12.25 |
Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities |
IOT |
||
|
5.12.25 |
Silver Fox’s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack |
RAT |
||
|
5.12.25 |
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. V |
BACKDOOR |
||
|
3.12.25 |
Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be mulitple campaigns at work also. |
Worm |
||
|
2.12.25 |
Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets |
Android |
||
|
25.11.25 |
Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files |
Stealer |
||
|
20.11.25 |
Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption |
Andorid banking |
||
|
19.11.25 |
Advanced Banking Trojan Maverick Uses WhatsApp to Prey on Brazilian Users |
Stealer |
||
|
18.11.25 |
Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One |
Crypter |
||
|
17.11.25 |
RONINGLOADER: DragonBreath’s New Path to PPL Abuse |
Loader |
||
|
15.11.25 |
Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery |
JSON |
||
|
15.11.25 |
This week, the SonicWall Capture Labs Threat Research Team analyzed a sample of RondoDox, a Linux botnet infector. |
Botnet |
||
|
12.11.25 |
Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution |
Banking Trojan |
||
|
12.11.25 |
Coyote Banking Trojan Extends Reach & Targets Users through WhatsApp |
Banking Trojan |
||
|
12.11.25 |
Gootloader Returns: What Goodies Did They Bring? |
Loader |
||
|
11.11.25 |
New Kimsuky Malware “EndClient RAT”: First Technical Report and IOCs |
RAT |
||
|
11.11.25 |
Fantasy Hub: Another Russian Based RAT as M-a-a-S |
M-a-a-S |
||
|
11.11.25 |
Lazarus Group targets Aerospace and Defense with new Comebacker variant |
Loader |
||
|
9.11.25 |
In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices |
Loader |
||
|
9.11.25 |
Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. |
Loader |
||
|
8.11.25 |
Cracking XLoader with AI: How Generative Models Accelerate Malware Analysis |
Loader |
||
|
8.11.25 |
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices |
ANDROID |
||
|
8.11.25 |
REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally. |
FRAMEWORK |
||
|
6.11.25 |
GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools |
AI |
||
|
4.11.25 |
SesameOp: Novel backdoor uses OpenAI Assistants API for command and control |
Backdoor |
||
|
4.11.25 |
SleepyDuck malware invades Cursor through Open VSX |
RAT |
||
|
4.11.25 |
DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant |
Dropper |
||
|
4.11.25 |
DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant |
Tool |
||
|
1.11.25 |
RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules. |
RAT |
||
|
1.11.25 |
Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan Executive Summary This report covers the analysis and findings related to three Android application packages (APKs) |
Android |
||
|
1.11.25 |
The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. |
Loader |
||
|
1.11.25 |
Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack |
MALWARE |
||
|
1.11.25 |
The sophisticated campaign, observed by Sophos, involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as |
Backdoor |
||
|
30.10.25 |
Unpacking NetSupport RAT Loaders Delivered via ClickFix |
RAT |
||
|
30.10.25 |
Fileless Remcos Attacks on the Rise |
Fileless |
||
|
30.10.25 |
Atroposia is a stealthy RAT with HRDP, credential theft, DNS hijacking & fileless exfiltration — aka cybercrime made easy for low-skill attackers. |
RAT |
||
|
30.10.25 |
LATAM baited into the delivery of PureHVNC |
RAT |
||
|
30.10.25 |
PhantomRaven: NPM Malware Hidden in Invisible Dependencies |
nmp |
||
|
29.10.25 |
New Android Malware Herodotus Mimics Human Behaviour to Evade Detection |
Android |
||
|
26.10.25 |
ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER |
Stealer |
||
|
26.10.25 |
Rhysida using Oyster Backdoor to deliver ransomware |
Backdoor |
||
|
26.10.25 |
PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation |
RAT |
||
|
26.10.25 |
Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem |
Stealer |
||
|
25.10.25 |
Sophisticated Android malware that mines crypto and silently steals banking credentials. EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic |
Android |
||
|
25.10.25 |
Trend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. |
Stealer |
||
|
25.10.25 |
Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts |
Stealer |
||
|
25.10.25 |
TransparentTribe targets Indian military organisations with DeskRAT |
RAT |
||
|
25.10.25 |
GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace |
Worm |
||
|
25.10.25 |
PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation |
RAT |
||
|
22.10.25 |
GhostSocks: From Initial Access to Residential Proxy |
Maas |
||
|
22.10.25 |
Defrosting PolarEdge’s Backdoor |
Backdoor |
||
|
21.10.25 |
To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER |
Malware |
||
|
21.10.25 |
Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion |
RAT |
||
|
20.10.25 |
From China to Malaysia, FortiGuard Labs traces a hacker group’s shifting campaigns and evolving malware delivery tactics across Asia |
RAT |
||
|
18.10.25 |
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. |
Loader |
||
|
17.10.25 |
BeaverTail and OtterCookie evolve with a new Javascript module |
JavaScipt |
||
|
17.10.25 |
LinkPro: eBPF rootkit analysis |
Rootkit |
||
|
13.10.25 |
Astaroth: Banking Trojan Abusing GitHub for Resilience |
Banking |
||
|
13.10.25 |
New Rust Malware "ChaosBot" Uses Discord for Command and Control |
Bot |
||
|
11.10.25 |
New Stealit Campaign Abuses Node.js Single Executable Application |
RAT |
||
|
11.10.25 |
New Stealit Campaign Abuses Node.js Single Executable Application |
RAT |
||
|
10.10.25 |
ClayRat: A New Android Spyware Targeting Russia |
RAT |
||
|
10.10.25 |
According to CERT-UA, this is a stealer targeting a range of file extensions and creating screenshots of the compromised machine to be then uploaded via cURL. |
Stealer |
||
|
5.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Android |
||
|
5.10.25 |
MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments |
Toolkit |
||
|
5.10.25 |
A sophisticated bootkit and user-mode capability, targeting Cisco ASA devices. A significant advancement over LINE DANCER and LINE RUNNER. |
Bookit |
||
|
4.10.25 |
Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP. |
Backdoor |
||
|
4.10.25 |
XWorm V6, a potent malware, has resurfaced with new plugins and persistence methods. Stay informed and enhance your defenses against evolving cyber threats. Protect your organization now! |
Worm |
||
|
4.10.25 |
Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns. |
Stealer |
||
|
3.10.25 |
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users |
Malware |
||
|
3.10.25 |
Klopatra: exposing a new Android banking trojan operation with roots in Turkey |
Banking |
||
|
3.10.25 |
EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks |
AI |
||
|
3.10.25 |
Datzbro: RAT Hiding Behind Senior Travel Scams |
RAT |
||
|
3.10.25 |
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails |
Backdoor |
||
|
27.9.25 |
How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking |
Backdoor |
||
|
27.9.25 |
SVG Phishing hits Ukraine with Amatera Stealer, PureMiner |
Stealer |
||
|
26.9.25 |
XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory |
MacOS |
||
|
26.9.25 |
Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. |
Loader |
||
|
26.9.25 |
In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices. |
Loader |
||
|
25.9.25 |
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors |
BACKDOOR |
||
|
25.9.25 |
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception |
AI |
||
|
24.9.25 |
YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus |
BACKDOOR |
||
|
23.9.25 |
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique |
nmp |
||
|
22.9.25 |
Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure |
JavaScript |
||
|
20.9.25 |
Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” |
LOADER |
||
|
20.9.25 |
Cyble Research & Intelligence Labs detected Maranhão Stealer, a Node.js–based credential stealer leveraging reflective DLL injection. |
STEALER |
||
|
20.9.25 |
DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities |
STEALER |
||
|
20.9.25 |
UNMASKING A PYTHON STEALER – “XillenStealer” |
STEALER |
||
|
20.9.25 |
"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19) |
PYTHON |
||
|
16.9.25 |
Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm |
USB |
||
|
13.9.25 |
FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control. |
RAT |
||
|
12.9.25 |
The script uses the same method to erase both its own contents and the contents of the VBShower Launcher copy, which is used solely for the malware’s first run. |
BACKDOOR |
||
|
11.9.25 |
AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan |
RAT |
||
|
11.9.25 |
EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company |
Keylogger |
||
|
10.9.25 |
ChillyHell: A Deep Dive into a Modular macOS Backdoor |
MacOS |
||
|
10.9.25 |
ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT |
RAT |
||
|
9.9.25 |
Off Your Docker: Exposed APIs Are Targeted in New Malware Strain |
CRYPTOCURRENCY |
||
|
9.9.25 |
The Rise of RatOn: From NFC heists to remote control and ATS |
ANDROID |
||
|
9.9.25 |
MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access |
RAT |
||
|
9.9.25 |
GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe |
GPU |
||
|
5.9.25 |
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure |
RAT |
||
|
5.9.25 |
An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps |
Stealer |
||
|
5.9.25 |
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes |
Backdoor |
||
|
4.9.25 |
RapperBot: From Infection to DDoS in a Split Second |
Bot |
||
|
2.9.25 |
Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions |
Python |
||
|
2.9.25 |
Android Droppers: The Silent Gatekeepers of Malware |
Android |
||
|
2.9.25 |
Operation HanKook Phantom: North Korean APT37 targeting South Korea |
RAT |
||
|
30.8.25 |
Android Document Readers and Deception: Tracking the Latest Updates to Anatsa |
Android |
||
|
30.8.25 |
Android backdoor spies on employees of Russian businesses |
Android |
||
|
30.8.25 |
Executive Summary Cyble Research and Intelligence Labs (CRIL) has uncovered an ongoing Android malware tracker named “SikkahBot,” active since July 2024 and explicitly targeting students in Bangladesh. |
Bot |
||
|
30.8.25 |
EXECUTIVE SUMMARY Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. The executable |
Stealer |
||
|
30.8.25 |
EXECUTIVE SUMMARY At CYFIRMA, we are dedicated to providing timely intelligence on emerging cyber threats and adversarial tactics that target both individuals and organizations. |
Keylogger |
||
|
29.8.25 |
Pirates of The Nang Hai: Follow the Artifacts No One Know |
Loader |
||
|
29.8.25 |
Truesec has observed what appears to be a large cybercrime campaign, involving multiple fraudulent websites promoted through a Google advertising campaign. |
Stealer |
||
|
26.8.25 |
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities |
Banking |
||
|
26.8.25 |
Phishing Campaign Targeting Companies via UpCrypter |
Crypter |
||
|
24.8.25 |
XenoRAT malware campaign hits multiple embassies in South Korea |
RAT |
||
|
23.8.25 |
Chihuahua Stealer: Disguising Data Theft in Plain Lyrics |
Stealer |
||
|
22.8.25 |
The Silent, Fileless Threat of VShell |
Linux |
||
|
22.8.25 |
A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor |
Backdoor |
||
|
21.8.25 |
A new malware loader delivering infostealers and RATs |
RAT |
||
|
20.8.25 |
Patching for persistence: How DripDropper Linux malware moves through the cloud |
Linux |
||
|
19.8.25 |
GodRAT – New RAT targeting financial institutions |
RAT |
||
|
19.8.25 |
Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints |
STEALER |
||
|
17.8.25 |
New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer |
STEALER |
||
|
17.8.25 |
Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak |
Android |
||
|
14.8.25 |
PhantomCard: New NFC-driven Android malware emerging in Brazil |
Android |
||
|
14.8.25 |
Malvertising campaign leads to PS1Bot, a multi-stage malware framework |
Backdoor |
||
|
5.08.25 |
PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT |
RAT |
||
|
5.08.25 |
Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem |
STEALER |
||
|
25.7.25 |
Understanding Current CastleLoader Campaigns |
Loader |
||
|
24.7.25 |
Coyote in the Wild: First-Ever Malware That Abuses UI Automation |
AI |
||
|
22.7.25 |
Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict |
ANDROID |
||
|
20.7.25 |
Highly targeted credential and OAuth 2.0 tokenstealing malware targeting Outlook. |
STEALING |
||
|
20.7.25 |
Matanbuchus: Malware-as-a-Service with Demonic Intentions |
MaaS |
||
|
19.7.25 |
Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico |
TOOL |
||
|
19.7.25 |
Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities |
LOADER |
||
|
19.7.25 |
DslogdRAT Malware Installed in Ivanti Connect Secure |
RAT |
||
|
19.7.25 |
SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability |
|||
|
18.7.25 |
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities |
Loader |
||
|
18.7.25 |
VulnCheck observed exploitation of CVE-2021-41773 in the wild. This, in itself, is hardly noteworthy. The vulnerability was an inaugural member of both the CISA KEV and VulnCheck KEV. |
CRYPTOCURRENCY |
||
|
16.7.25 |
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication |
BACKDOOR |
||
|
16.7.25 |
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). |
RAT |
||
|
10.7.25 |
macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App |
MacOS |
||
|
9.7.25 |
Taking SHELLTER: a commercial evasion framework abused in- the- wild |
INFOSTEALER |
||
|
9.7.25 |
Anatsa Targets North America; Uses Proven Mobile Campaign Process |
Mobil |
||
|
8.7.25 |
NordDragonScan: Quiet Data-Harvester on Windows |
INFOSTEALER |
||
|
8.7.25 |
Batavia spyware steals data from Russian organizations |
SPYWARE |
||
|
8.7.25 |
DRAT V2: Updated DRAT Emerges in TAG-140’s Arsenal |
RAT |
||
|
5.7.25 |
Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. |
Backdoor |
||
|
3.7.25 |
macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware |
macOS |
||
|
2.7.25 |
Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. |
LOADER |
||
|
2.7.25 |
A lightweight, staged downloader targeting Windows, delivered via spear-phishing. |
DOWNLOADER |
||
|
28.6.25 |
GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations |
STEALER |
||
|
27.6.25 |
The CYFIRMA research team has uncovered multiple websites employing Clickfix tactics to deliver malicious AppleScripts (osascripts). |
STEALER |
||
|
27.6.25 |
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit |
BACKDOOR |
||
|
27.6.25 |
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit |
BACKDOOR |
||
|
26.6.25 |
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play |
MOBIL |
||
|
24.6.25 |
Malware targeting Fortinet devices |
RAT |
||
|
24.6.25 |
A post-exploitation tool for remote shell access & TCP tunnelling through a victim device. |
RAT |
||
|
24.6.25 |
SadFuture: Mapping XDSpy latest evolution |
GO |
||
|
23.6.25 |
GodFather Malware Returns Targeting Banking Users |
BANKING |
||
|
23.6.25 |
Promon discovers new Android banking malware, “FjordPhantom” |
BANKING |
||
|
21.6.25 |
During our recent investigation at Seqrite Labs, we identified a sophisticated variant of Masslogger credential stealer malware spreading through .VBE (VBScript Encoded) files |
VBE |
||
|
21.6.25 |
Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. |
STEALER |
||
|
21.6.25 |
VMDetector-Based Loader Abuses Steganography to Deliver Infostealers |
STEALER |
||
|
21.6.25 |
Famous Chollima deploying Python version of GolangGhost RAT |
RAT |
||
|
20.6.25 |
Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation |
STEALER |
||
|
14.6.25 |
The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets. |
STEALER |
||
|
11.6.25 |
Demystifying Myth Stealer: A Rust Based InfoStealer |
STEALER |
||
|
8.6.25 |
A simple customer query leads to a rabbit hole of backdoored malware and game cheats |
RAT |
||
|
7.6.25 |
AMOS update |
AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers |
Stealer |
|
|
6.6.25 |
DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance |
RAT |
||
|
4.6.25 |
From open-source to open threat: Tracking Chaos RAT’s evolution |
RAT |
||
|
3.6.25 |
Crocodilus Mobile Malware: Evolving Fast, Going Global |
Android |
||
|
1.6.25 |
Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader |
MALWARE |
||
|
30.5.25 |
Malware with wide range of capabilities ranging from RAT to ransomware. |
RAT |
||
|
30.5.25 |
Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns |
STEALER |
||
|
30.5.25 |
Malware with wide range of capabilities ranging from RAT to ransomware. |
RAT |
||
|
30.5.25 |
Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns |
STEALER |
||
|
29.5.25 |
The MS-DOS Header is a 64-byte structure at the beginning of a PE file. Along with the DOS stub, the DOS header is responsible for MS-DOS backward compatibility. |
RAT |
||
|
28.5.25 |
Dero miner zombies biting through Docker APIs to build a cryptojacking horde |
CRYPTOCURRENCY |
||
|
28.5.25 |
Inside a VenomRAT Malware Campaign |
RAT |
||
|
27.5.25 |
NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign |
Loader |
||
|
24.5.25 |
Following the spiders: Investigating Lactrodectus malware |
RAT |
||
|
21.5.25 |
Pure Harm: PureRAT Attacks Russian Organizations |
RAT |
||
|
20.5.25 |
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale |
CRYPTOCURRENCY |
||
|
18.5.25 |
SnipVex—more than a Clipbanker |
Stealer |
||
|
18.5.25 |
XRed Backdoor: The Hidden Threat in Trojanized Programs |
Backdoor |
||
|
18.5.25 |
Skitnet is a multi-stage malware that uses Rust and Nim to execute a stealthy reverse shell over DNS, leveraging encryption, manual mapping, and dynamic API resolution to evade detection |
Loader |
||
|
16.5.25 |
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT |
RAT |
||
|
13.5.25 |
New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms |
STEALER |
||
|
10.5.25 |
Additional Features of OtterCookie Malware Used by WaterPlum |
STEALER |
||
|
9.5.25 |
PupkinStealer : A .NET-Based Info-Stealer |
STEALER |
||
|
9.5.25 |
HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage |
STEALER |
||
|
8.5.25 |
I StealC You: Tracking the Rapid Changes To StealC |
Steal |
||
|
8.5.25 |
COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs |
Steal |
||
|
6.5.25 |
TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered |
Loader |
||
|
2.5.25 |
Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting |
Loader |
||
|
1.5.25 |
IBM X-Force discovers new Sheriff Backdoor used to target Ukraine |
Backdoor |
||
|
25.4.25 |
DslogdRAT Malware Installed in Ivanti Connect Secure |
RAT |
||
|
24.4.25 |
io_uring Is Back, This Time as a Rootkit |
ROOTKIT |
||
|
22.4.25 |
A novel Android malware offered through a Malware-as-a-Service (MaaS) model, enabling NFC relay attacks for fraudulent cash-outs. |
ANDROID |
||
|
18.4.25 |
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia |
RAT |
||
|
18.4.25 |
Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 |
APT |
||
|
18.4.25 |
Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 |
APT |
||
|
18.4.25 |
Unmasking the new XorDDoS controller and infrastructure |
DDoS |
||
|
16.4.25 |
Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft? |
Android |
||
|
16.4.25 |
BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets |
Backdoor |
||
|
16.4.25 |
According to sysdig, SNOWLIGHT is used as a dropper for its fileless payload (vshell). |
Linux |
||
|
15.4.25 |
New Malware Variant Identified: ResolverRAT Enters the Maze |
RAT |
||
|
15.4.25 |
Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks |
RAT |
||
|
12.4.25 |
TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications |
Bot |
||
|
11.4.25 |
Newly Registered Domains Distributing SpyNote Malware |
Android RAT |
||
|
10.4.25 |
Shuckworm Targets Foreign Military Mission Based in Ukraine |
PowerShell |
||
|
9.4.25 |
How ToddyCat tried to hide behind AV software |
Rootkit |
||
|
9.4.25 |
Attackers distributing a miner and the ClipBanker Trojan via SourceForge |
Trojan |
||
|
2.4.25 |
Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective |
Linux |
||
|
2.4.25 |
Analyzing New HijackLoader Evasion Tactics |
Loader |
||
|
2.4.25 |
The Savage Ladybug , also known as FIN7, has developed a new, mildly obfuscated Python-based backdoor called Anubis Backdoor . |
Backdoor |
||
|
1.4.25 |
To achieve persistence on infected systems, Water Gamayun employs two distinct backdoors in their campaigns. |
Backdoor |
||
|
1.4.25 |
The MSC EvilTwin loader represents a novel approach (CVE-2025-26633) to malware deployment by leveraging specially crafted Microsoft Saved Console (.msc) files. |
Loader |
||
|
1.4.25 |
SilentPrism is a backdoor malware designed to achieve persistence, dynamically execute shell commands, and maintain unauthorized remote control of compromised systems. |
Backdoor |
||
|
1.4.25 |
On July 26, 2024, security researcher Germán Fernández tweeted about a fake WinRAR website distributing various types of malwares, including stealers, miners, hidden virtual network computing (hVNC), |
Stealer |
||
|
31.3.25 |
CISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. |
ICS |
||
|
29.3.25 |
Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices |
ANDROID |
||
|
28.3.25 |
ANALYSIS OF A DISCORD-BASED REMOTE ACCESS TROJAN (RAT) |
RAT |
||
|
28.3.25 |
Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques |
RAT |
||
|
28.3.25 |
SnakeKeylogger – A Multistage Info Stealer Malware Campaign |
Keylogger |
||
|
28.3.25 |
CoffeeLoader: A Brew of Stealthy Techniques |
Loader |
||
|
28.3.25 |
PJobRAT makes a comeback, takes another crack at chat apps |
ANDROID RAT |
||
|
28.3.25 |
Shifting the sands of RansomHub’s EDRKillShifter |
Tool |
||
|
25.3.25 |
Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks |
Worm |
||
|
25.3.25 |
Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks |
Worm |
||
|
21.3.25 |
The notorious cluster changes its toolkit by switching from malware to a legitimate remote administration tool |
Toolkit |
||
|
21.3.25 |
Shedding light on the ABYSSWORKER driver |
Driver |
||
|
21.3.25 |
What’s intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS. |
Stealer |
||
|
20.3.25 |
Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations |
Android |
||
|
20.3.25 |
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware |
DROPPER |
||
|
20.3.25 |
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery |
JAVASCRIPT |
||
|
18.3.25 |
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft |
RAT |
||
|
16.3.25 |
THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool |
TOOL |
||
|
14.3.25 |
Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure |
Cryptojacking |
||
|
14.3.25 |
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits |
Rootkit |
||
|
13.3.25 |
Lookout Discovers New Spyware by North Korean APT37 |
Spyware |
||
|
8.3.25 |
Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes |
Android |
||
|
8.3.25 |
Inside Zloader’s Latest Trick: DNS Tunneling |
Loader |
||
|
8.3.25 |
TMPN (Skuld) Stealer: The dark side of open source |
Stealer |
||
|
8.3.25 |
Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity |
AI |
||
|
8.3.25 |
(a.k.a Sardonic Backdoor) is a sophisticated toolkit of the Monstrous Mantis |
Loader |
||
|
7.3.25 |
Unmasking the new persistent attacks on Japan |
Kit |
||
|
7.3.25 |
Unveiling EncryptHub: Analysis of a multi-stage malware campaign |
RAT |
||
|
6.3.25 |
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
RAT |
||
|
5.3.25 |
Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems |
Go |
||
|
5.3.25 |
Qbot is Back.Connect |
Stealer |
||
|
5.3.25 |
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware |
Go |
||
|
5.3.25 |
Infostealer Campaign against ISPs |
Infostealer |
||
|
4.3.25 |
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 |
Loader |
||
|
27.2.25 |
New “CleverSoar” Installer Targets Chinese and Vietnamese Users |
Rootkit |
||
|
27.2.25 |
ValleyRAT Insights: Tactics, Techniques, and Detection Methods |
RAT |
||
|
27.2.25 |
Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan |
MALWARE |
||
|
27.2.25 |
Android trojan TgToxic updates its capabilities |
Android |
||
|
26.2.25 |
Auto-Color: An Emerging and Evasive Linux Backdoor |
Linux |
||
|
26.2.25 |
LightSpy Expands Command List to Include Social Media Platforms |
Spyware |
||
|
25.2.25 |
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign |
RAT |
||
|
24.2.25 |
ACRStealer Infostealer Exploiting Google Docs as C2 |
Stealer |
||
|
22.2.25 |
Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors |
Backdoor |
||
|
22.2.25 |
Updated Shadowpad Malware Leads to Ransomware Deployment |
Backdoor |
||
|
20.2.25 |
XLoader Executed Through JAR Signing Tool (jarsigner.exe) |
Loader |
||
|
20.2.25 |
StaryDobry ruins New Year’s Eve, delivering miner instead of presents |
Cryptominer |
||
|
20.2.25 |
FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant |
Keylogger |
||
|
20.2.25 |
javascript-to-command-and-control-c2-server-malware |
JavaScript |
||
|
18.2.25 |
An Update on Fake Updates: Two New Actors, and New Mac Malware |
MacOS |
||
|
18.2.25 |
Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst |
Linux |
||
|
18.2.25 |
DEATHLOTUS |
A passive CGI backdoor that supports file creation and command execution |
Backdoor |
|
|
18.2.25 |
UNAPIMON |
A defense evasion utility written in C++ |
Utility |
|
|
18.2.25 |
PRIVATELOG |
A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer |
Rootkit |
|
|
18.2.25 |
CUNNINGPIGEON |
A backdoor that uses Microsoft Graph API to fetch commands – file and process management, and custom proxy – from mail messages |
Backdoor |
|
|
18.2.25 |
WINDJAMMER |
A rootkit with capabilities to intercept TCPIP Network Interface, as well as create covert channels with infected endpoints within intranet |
Rootkit |
|
|
18.2.25 |
SHADOWGAZE |
A passive backdoor reusing listening port from IIS web server |
Backdoor |
|
|
18.2.25 |
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. |
MacOS |
||
|
18.2.25 |
Telegram Abused as C2 Channel for New Golang Backdoor |
Backdoor |
||
|
10.2.25 |
From South America to Southeast Asia: The Fragile Web of REF7707 |
Malware |
||
|
10.2.25 |
NAPLISTENER: more bad dreams from developers of SIESTAGRAPH |
Malware |
||
|
10.2.25 |
This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. |
Malware |
||
|
10.2.25 |
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. |
Malware |
||
|
10.2.25 |
Malicious ML models discovered on Hugging Face platform |
AI |
||
|
10.2.25 |
Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques |
RAT |
||
|
10.2.25 |
Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor |
Backdoor |
||
|
10.2.25 |
Take my money: OCR crypto stealers in Google Play and App Store |
Android |
||
|
5.2.25 |
Persistent Threats from the Kimsuky Group Using RDP Wrapper |
Wrapper |
||
|
5.2.25 |
AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again |
RAT |
||
|
5.2.25 |
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed |
macOS |
||
|
5.2.25 |
Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence |
GO Backdoor |
||
|
5.2.25 |
Coyote Banking Trojan: A Stealthy Attack via LNK Files |
Banking |
||
|
27.1.25 |
MintsLoader: StealC and BOINC Delivery |
Loader |
||
|
25.1.25 |
New TorNet backdoor seen in widespread campaign |
Backdoor |
||
|
10.1.25 |
Cracking the Code: How Banshee Stealer Targets macOS Users |
MacOS |
||
|
10.1.25 |
The NonEuclid Remote Access Trojan (RAT) is a type of malicious software that enables unauthorised remote access and control of a victim’s computer, often without their awareness. |
RAT |
||
|
2.1.25 |
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts |
RAT |