Lucene search

1657 matches found

GithubExploit
added 2025/09/19 4:28 p.m., 170 views

WebSockets-C2-PoC

WebSockets-C2-PoC Ab...

7.2 AI score
Exploits: 0

The Hacker News
added 2025/09/19 4:6 p.m., 6 views

UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware

An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn. Swiss cybersecurity company PRODAFT is...

7 AI score
Exploits: 0

GithubExploit
added 2025/09/19 1:20 p.m., 244 views

Acacium-PostEx-Toolkit

Acacium Automated Post-Exploitation & Lateral Movement Toolkit...

7.4 AI score
Exploits: 0

Malwarebytes
added 2025/09/17 1:45 p.m., 6 views

224 malicious apps removed from the Google Play Store after ad fraud campaign discovered

Researchers have discovered a large ad fraud campaign on Google Play Store. The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign "SlopAds." Ad fraud is a...

6.7 AI score
Exploits: 0

The Hacker News
added 2025/09/16 2:19 p.m., 4 views

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories. "These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashou...

6.8 AI score
Exploits: 0

Snyk
added 2025/09/13 9:0 p.m., 2 views

Malicious Package

Overview: tensorflowjs is a malicious package. This package contains malicious code that uses a sophisticated typosquatting attack. It employs multi-stage malware with heavy obfuscation to evade detection. The malware's primary function is to steal credentials and capture screenshots from Windows...

9.8 CVSS, 7.3 AI score
Exploits: 0, References: 2

The Hacker News
added 2025/09/10 1:4 p.m., 20 views

CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is writt...

7.4 AI score
Exploits: 0

GithubExploit
added 2025/09/04 6:37 p.m., 206 views

VIPER_2025

VIPER 2025 VIPER 2025 is an advanced, modular penetration...

7.3 AI score
Exploits: 0

The Hacker News
added 2025/08/30 12:6 p.m., 7 views

Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling

Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes. "In this incident, the threat actor...

7.7 AI score
Exploits: 0

OSV
added 2025/08/29 12:14 p.m., 4 views

MAL-2025-191778 Malicious code in kraken123 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 dc2f76a61af953726f4fc219f725013ce8b477860b47433b7fc0444994ffcfd5 As even described, the package contains a malicious code collecting large amount of data. The description suggests educational use, yet, the code can cause rea...

6.9 AI score
Exploits: 0, References: 1

Securelist
added 2025/08/27 10:0 a.m., 13 views

Exploits and vulnerabilities in Q2 2025

Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverag...

10 CVSS, 8.9 AI score, 0.99959 EPSS
Exploits: 400

The Hacker News
added 2025/08/26 9:1 a.m., 8 views

HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims t...

7.6 AI score
Exploits: 0

Snyk
added 2025/08/25 1:12 p.m., 1 views

Malicious Package

Overview: termncolor is a malicious package. This package is part of a multi-stage attack and its content was removed from the official package manager. The attack utilizes a seemingly harmless package to introduce a malicious dependency. The goal of this attack is to gain remote code execution on...

9.8 CVSS, 8 AI score
Exploits: 0, References: 3

Snyk
added 2025/08/25 1:12 p.m., 5 views

Malicious Package

Overview: colorinal is a malicious package. This package is part of a multi-stage attack and its content was removed from the official package manager. The attack utilizes a seemingly harmless package to introduce a malicious dependency. The goal of this attack is to gain remote code execution on...

9.8 CVSS, 8 AI score
Exploits: 0, References: 3

Securelist
added 2025/08/19 10:0 a.m., 13 views

GodRAT – New RAT targeting financial institutions

Summary: In September 2024, we detected malicious activity targeting financial trading and brokerage firms through the distribution of malicious .scr screen saver files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named...

7.9 AI score
Exploits: 0

Microsoft Secure
added 2025/08/18 3:0 p.m., 5 views

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Deskto...

7.8 CVSS, 8.3 AI score, 0.17982 EPSS
Exploits: 4

Microsoft Secure
added 2025/08/18 3:0 p.m., 8 views

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Deskto...

7.8 CVSS, 9.3 AI score, 0.17982 EPSS
Exploits: 4

The Hacker News
added 2025/08/18 10:56 a.m., 8 views

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor, realizes its nefarious functionalit...

7.7 AI score
Exploits: 0

Snyk
added 2025/08/14 3:40 p.m., 1 views

Malicious Package

Overview: github.com/weightycine/replika is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...

9.8 CVSS, 7.4 AI score
Exploits: 0, References: 3

Snyk
added 2025/08/14 3:40 p.m., 2 views

Malicious Package

Overview: github.com/ordinarymea/TNSRIDS is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...

9.8 CVSS, 7.4 AI score
Exploits: 0, References: 3