Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote – the parent process for all Android apps – to infect...

A single post-release of dydx-v4-client contained obfuscated multi-stage loader

A PyPI user account compromised by an attacker and was able to upload a malicious version 1.1.5.post1 of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible...

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident...

Hackers Utilize MSIX App Packages to Disseminate GHOSTPULSE Malware

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary A new cyber attack campaign has emerged, involving the use of fake MSIX Windows app packages masquerading as legitimate applications. These deceptive MSIX packages are employed to distribute a new malwar...

Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer

A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America. "DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF...