Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-control server via the Tor network. It has additional capabilities to brute-force WordPress sites and harvest email addresses for further distribution. The malware primarily targeted users in Brazil, India, Spain, Russia, Italy, and Germany between October 2024 and July 2025, affecting over 5,000 Kaspersky users.

The Efimer Trojan is a multifaceted malware strain actively spreading through compromised WordPress websites, malicious torrent files, and targeted email campaigns impersonating legal professionals. Its primary malicious function is to steal cryptocurrency by intercepting and replacing wallet addresses copied to the clipboard, a technique known as clipboard hijacking. Beyond this, Efimer can execute additional malicious scripts, enhancing its persistence and capabilities. Communication with its command-and-control (C2) infrastructure is conducted over the Tor network, which anonymizes traffic and complicates detection and takedown efforts. The Trojan also incorporates brute-force attack capabilities aimed at WordPress sites, attempting to gain unauthorized access by guessing credentials. Additionally, it harvests email addresses from infected systems to expand its distribution via phishing campaigns. The malware has been observed targeting users predominantly in Brazil, India, Spain, Russia, Italy, and Germany from October 2024 through July 2025, impacting over 5,000 users monitored by Kaspersky. The attack vectors leverage common web application vulnerabilities and social engineering, exploiting WordPress’s widespread deployment and the trust users place in email communications from purported legal entities. The use of the Tor network for C2 communication and the combination of multiple infection and propagation methods make Efimer a persistent and evasive threat. Although no specific affected software versions are listed, the brute-force attacks on WordPress suggest exploitation of weak credentials or unpatched installations. The malware’s tactics align with several MITRE ATT&CK techniques, including clipboard data theft (T1115), command execution (T1059.007), phishing (T1566.002), brute forcing (T1110), and use of anonymizing networks (T1571).

Detailed information about Efimer Trojan delivered via email and hacked WordPress websites. Get real-time updates, technical details, and mitigation strategies.

Efimer Trojan delivered via email and hacked WordPress websites - Live Threat Intelligence - Threat Radar | OffSeq.com

Efimer Trojan delivered via email and hacked WordPress websites

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser extension for Google Chrome, Microsoft Edge, and Brave, and another utilizing Mesh Agent or PDQ Connect Agent. The campaign aimed to steal authentication data from victims' bank accounts, particularly targeting Banco do Brasil customers. Over 700 downloads of the malicious extension were recorded, affecting users in Brazil, Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries. The attackers used sophisticated techniques, including virtualization checks, UAC bypass, and file deletion to evade detection.

Operation Phantom Enigma is a malicious cyber campaign first identified in early 2025, primarily targeting Brazilian residents. The attackers leveraged phishing emails, some originating from compromised corporate email servers, to distribute malware designed to steal banking authentication credentials. The campaign employed two main attack vectors: a malicious browser extension compatible with Google Chrome, Microsoft Edge, and Brave browsers, and exploitation of legitimate remote management tools such as Mesh Agent and PDQ Connect Agent. The browser extension was downloaded over 700 times, indicating a significant infection vector. The primary target was Banco do Brasil customers, with the attackers aiming to harvest login credentials and potentially conduct fraudulent transactions. The campaign also affected users in Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries, demonstrating a broad geographic reach. The attackers used advanced evasion techniques including virtualization environment detection to avoid sandbox analysis, User Account Control (UAC) bypass to escalate privileges without user consent, and file deletion to remove traces of their activities. These tactics suggest a well-resourced adversary focused on stealth and persistence. The use of legitimate remote management tools as part of the attack chain indicates a sophisticated approach to lateral movement and persistence within compromised networks. The campaign’s medium severity rating reflects the targeted nature of the attacks and the moderate scale of infections, but the potential for significant financial theft and data compromise remains high.

Detailed information about Operation Phantom Enigma. Get real-time updates, technical details, and mitigation strategies.

Operation Phantom Enigma - Live Threat Intelligence - Threat Radar | OffSeq.com

Operation Phantom Enigma

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

OSINT - DownAndExec: Banking malware utilizes CDNs in Brazil

DownAndExec is a banking malware campaign identified primarily in Brazil that leverages Content Delivery Networks (CDNs) to distribute malicious payloads. The use of CDNs allows the malware operators to mask their infrastructure, making detection and takedown more challenging. This malware targets banking credentials by injecting malicious code into web sessions or by other means to intercept sensitive information such as login credentials, two-factor authentication tokens, or session cookies. The campaign's reliance on CDNs suggests a sophisticated approach to evading traditional network security controls and complicates attribution efforts. Although detailed technical specifics such as infection vectors, command and control mechanisms, or payload capabilities are not provided, the classification as banking malware indicates its primary objective is financial theft. The threat level and analysis scores indicate a moderate concern, but the overall severity is marked as low, possibly due to limited spread or impact at the time of reporting. The absence of known exploits in the wild and lack of affected software versions suggest this is a malware campaign rather than a software vulnerability. The campaign's focus on Brazil, a country with a large and active banking sector, highlights the attackers' intent to exploit regional financial ecosystems.

Detailed information about OSINT - DownAndExec: Banking malware utilizes CDNs in Brazil. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting Brazil

Filter Threats

Threats Affecting Brazil

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility