Operation-Molasses

🍯 OPERATION MOLASSES PEKMEZ Zencefil Efendi's Cyber Dow...

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

A previously undocumented Linux implant codenamed Quasar Linux RAT QLNX is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and...

CloudZ RAT potentially steals OTP messages using Pheno plugin

Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool RAT and a previously undocumented plugin called "Pheno." According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of...

Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic

Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. "PowMix employs randomized command-and-control C2 beaconing intervals, rather than persisten...

Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution

Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution By Madhini Muralidharan · March 11, 2026 Traditional malware campaigns rely heavily on dropping executable files to disk—artifacts that defenders can scan, quarantine, and analyze with signature-based security tools. Mode...

Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan RATs payloads that correspond to XWorm, AsyncRAT, and Xeno RAT. The stealthy attack chain has been codenamed VOIDGEIST by...

Linux RC4 Packer with In-Memory Execution (x86)

This evasion module packs Linux payloads using RC4 encryption and executes them from memory using memfdcreate for fileless execution. The evasion module works on systems with Linux Kernel 3.17+ due to memfdcreate support. Features: - RC4 encryption with configurable key size - Fileless execution...

Exploit for CVE-2025-30401

👻 GhostPort: WhatsApp Web Stager PoC 📌 Project Overview GhostP...

📄 Metasploit Web Delivery PHP Proof of Concept

This project presents an advanced proof of concept that emulates the behavior of Metasploit's multi/script/webdelivery module using PHP. The goal is to demonstrate how script-based payload delivery works in a modular and extensible way, without relying directly on Metasploit. The script launches ...

Malicious PixelCode Delivery Technique

Malicious PixelCode is a security research project that demonstrates a covert technique for encoding executable files into pixel data and storing them inside images or videos. A lightweight loader retrieves the media file, reconstructs the original binary, and executes it in memory. This project...

CVE-2020-7456

In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-STABLE before r361919, 11.3-RELEASE before p10, and 11.4-RC2 before p1, an invalid memory location may be used for HID items if the push/pop level is not restored within the processing of that HID item allowing an attacker with...

Exploit for Out-of-bounds Write in Mediatek Software_Development_Kit

What is Registry Exploit? Phantom-Registry-Exploit-Cve2025-20...

CVE-2017-20201

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 32-bit builds contained a malicious pre-entry-point loader that diverts execution from scrtcommonmainseh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at...

CVE-2017-20201 CCleaner v5.33.6162 & CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 32-bit builds contained a malicious pre-entry-point loader that diverts execution from scrtcommonmainseh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at...

EUVD-2025-33278

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 32-bit builds contained a malicious pre-entry-point loader that diverts execution from scrtcommonmainseh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at...

PT-2025-41312

Name of the Vulnerable Software and Affected Versions CCleaner versions 5.33.6162 CCleaner Cloud versions 1.07.3191 Description CCleaner and CCleaner Cloud contained a malicious pre-entry-point loader that redirects execution to a custom loader. This loader decodes an embedded blob into shellcode...

EUVD-2018-11534

Malware in sbrugna...

Malicious Package

Overview github.com/stripedconsu/linker is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...

Malicious Package

Overview github.com/wetteepee/hcloud-ip-floater is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate package...

Malicious Package

Overview github.com/lastnymph/gouid is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...