Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infection process. The spyware's ultimate goal is to exfiltrate sensitive internal documents and system data. The attack involves multiple stages, including downloading encrypted VBS scripts, executing Delphi-written executables, and deploying C++-based malware for expanded data theft. Batavia employs advanced evasion tactics and persistence mechanisms, making it a significant threat to organizational security. The campaign remains active, with potential for further damage due to its ability to download additional payloads.

The Batavia spyware campaign represents a sophisticated multi-stage malware attack primarily targeting Russian industrial organizations since July 2024. The attack vector begins with a phishing campaign that delivers weaponized Microsoft Word documents disguised as contract agreements. When an employee opens the malicious document, it triggers the download of encrypted Visual Basic Script (VBS) files. These scripts then execute Delphi-written executables, which subsequently deploy C++-based malware components designed for extensive data theft. This multi-layered infection chain leverages advanced evasion techniques to avoid detection by security solutions and incorporates persistence mechanisms to maintain long-term access within compromised systems. The spyware's main objective is to exfiltrate sensitive internal documents and system data, potentially causing significant intellectual property loss and operational disruption. The campaign remains active and is capable of downloading additional payloads, increasing the risk of further damage or lateral movement within targeted networks. Indicators of compromise include specific file hashes and domains such as oblast-ru.com and ru-exchange.com, which are associated with command and control infrastructure. The attack techniques align with several MITRE ATT&CK tactics and techniques, including phishing (T1566), data from local system (T1005), process injection (T1055), persistence (T1547.001), and obfuscated files or information (T1027). No CVE or known exploits in the wild have been reported for this threat, indicating it relies on social engineering and custom malware rather than exploiting publicly known vulnerabilities.

Detailed information about Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads. Get real-time updates, technical details, and mi

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads - Live Threat Intelligence - Threat Radar | OffSeq.com

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms

Source: https://thehackernews.com/2025/07/researchers-uncover-batavia-windows.html

The Batavia spyware is a newly uncovered Windows-based espionage tool primarily targeting Russian firms. According to recent research reported by The Hacker News and discussed on InfoSec-related Reddit forums, this spyware is designed to stealthily infiltrate Windows environments and exfiltrate sensitive documents. While specific technical details such as infection vectors, persistence mechanisms, or command and control infrastructure have not been disclosed in the provided information, the core capability centers on document theft, indicating a focus on intellectual property and confidential corporate data. The lack of known exploits in the wild suggests this spyware may be in early stages of deployment or detection. However, its classification as high severity underscores the potential risk it poses, especially given its targeted nature against organizations in Russia. The spyware’s operation on Windows platforms implies it could leverage common attack surfaces such as phishing, malicious attachments, or exploitation of unpatched vulnerabilities to gain initial access. Once inside, it likely employs stealth techniques to avoid detection by antivirus or endpoint detection and response (EDR) solutions while continuously harvesting documents for exfiltration. The geopolitical context, with Russian firms as targets, suggests a state-sponsored or highly motivated threat actor aiming to gather intelligence or disrupt business operations. The minimal discussion on Reddit and the recent discovery highlight the need for increased vigilance and further research to fully understand the spyware’s capabilities and scope.

Detailed information about Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms. Get real-time updates, technical details, and miti

Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms - Live Threat Intelligence - Threat Radar | OffSeq.com

Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms

Reddit Discussion: Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms

The Batavia spyware campaign, active since July 2024, targets Russian industrial enterprises through phishing emails containing malicious links disguised as contract documents. The infection process involves three stages: a VBS script downloader, the WebView.exe spyware, and the javav.exe module. These components collect and exfiltrate various types of files, including system logs, office documents, and screenshots. The malware employs techniques to avoid duplicate file uploads and can download additional payloads. Over 100 users across dozens of organizations have been affected. The campaign highlights the importance of comprehensive cybersecurity measures and employee training to mitigate such threats.

The Batavia spyware campaign, active since July 2024, is a targeted cyber espionage operation focusing primarily on Russian industrial enterprises. The attack vector is phishing emails containing malicious links disguised as contract documents, leveraging social engineering to trick users into initiating the infection. The infection unfolds in three distinct stages: initially, a Visual Basic Script (VBS) downloader is executed, which then retrieves and installs the main spyware component named WebView.exe. Subsequently, a secondary module called javav.exe is deployed. These components collectively perform extensive data collection and exfiltration activities, targeting system logs, office documents, screenshots, and other sensitive files. The malware incorporates mechanisms to avoid redundant data uploads, optimizing its stealth and efficiency. Additionally, it has the capability to download further payloads, potentially expanding its functionality or persistence. The campaign has impacted over 100 users across dozens of organizations, indicating a moderately widespread operation. The malware also employs User Account Control (UAC) bypass techniques to escalate privileges, enhancing its ability to operate undetected and persistently within compromised environments. The campaign's tactics, techniques, and procedures (TTPs) align with multiple MITRE ATT&CK techniques such as T1113 (Screen Capture), T1548.002 (UAC Bypass), T1566.002 (Phishing Link), and others related to credential access, persistence, and defense evasion. The threat actor behind this campaign, referred to as Batavia, demonstrates a focused interest in industrial espionage and intelligence gathering within Russian organizations. The campaign underscores the critical need for multi-layered cybersecurity defenses, including robust phishing awareness training, endpoint detection capabilities, and network monitoring to detect anomalous data exfiltration.

Detailed information about Batavia spyware steals data from Russian organizations. Get real-time updates, technical details, and mitigation strategies.

Batavia spyware steals data from Russian organizations - Live Threat Intelligence - Threat Radar | OffSeq.com

Batavia spyware steals data from Russian organizations

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, persistence establishment, and cryptomining execution. The malware targets diverse countries, including Russia, Belgium, Greece, and China. It disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files for continued operation. Despite its simple, unobfuscated nature, the malware proved effective in avoiding detection.

The threat described is a resurgence of malware deploying the XMRig cryptominer, discovered in mid-April 2025, coinciding with an increase in the value of the Monero cryptocurrency. This malware uses a multi-stage infection chain and Living Off the Land Binaries and Scripts (LOLBAS) techniques, leveraging legitimate Windows tools such as PowerShell to deliver payloads, evade detection, and maintain persistence. The attack chain consists of three stages: initial infection via a batch file, establishment of persistence through scheduled tasks and registry modifications, and execution of the XMRig cryptominer to mine Monero. The malware disables Windows Update services to prevent system patches, evades Windows Defender detection mechanisms, and uses scheduled tasks to ensure continued operation after reboots. It creates registry entries and drops files to maintain persistence and continued cryptomining activity. Despite the malware’s relatively simple and unobfuscated code, it effectively avoids detection by abusing legitimate system tools and disabling security features. The malware has been observed targeting multiple countries, including Russia, Belgium, Greece, and China. Indicators of compromise include specific file hashes and a domain (notif.su) used in the attack infrastructure. The malware’s tactics align with several MITRE ATT&CK techniques such as T1053.005 (Scheduled Task), T1489 (Service Stop), T1059.001 (PowerShell), and others related to persistence, defense evasion, and execution. No known exploits or threat actors are currently linked to this malware, and no CVE identifiers are assigned. The overall severity is assessed as medium by the source, reflecting its impact and ease of detection avoidance but limited direct destructive capabilities.

Detailed information about Digging Gold with a Spoon – Resurgence of Monero-mining Malware. Get real-time updates, technical details, and mitigation strategies.

Digging Gold with a Spoon – Resurgence of Monero-mining Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

'Batavia' Windows spyware campaign targets dozens of Russian orgs

Source: https://www.bleepingcomputer.com/news/security/batavia-windows-spyware-campaign-targets-dozens-of-russian-orgs/

The 'Batavia' Windows spyware campaign is a targeted cyber espionage operation primarily aimed at dozens of organizations within Russia. This campaign involves the deployment of spyware specifically designed for Windows environments, enabling threat actors to covertly gather sensitive information from compromised systems. Although detailed technical specifics such as infection vectors, persistence mechanisms, or command and control infrastructure are not provided, the campaign's classification as spyware indicates capabilities for data exfiltration, keylogging, screen capturing, and potentially lateral movement within targeted networks. The campaign's targeting of Russian organizations suggests a geopolitical motivation, possibly linked to intelligence gathering or disruption efforts. The absence of known exploits in the wild and lack of affected software versions imply that this campaign may rely on social engineering, spear-phishing, or custom malware delivery rather than exploiting publicly disclosed vulnerabilities. The campaign's high severity rating underscores the significant risk posed by the spyware's ability to compromise confidentiality and integrity of sensitive data within targeted organizations.

Detailed information about 'Batavia' Windows spyware campaign targets dozens of Russian orgs. Get real-time updates, technical details, and mitigation strategie

'Batavia' Windows spyware campaign targets dozens of Russian orgs - Live Threat Intelligence - Threat Radar | OffSeq.com

'Batavia' Windows spyware campaign targets dozens of Russian orgs

Reddit Discussion: 'Batavia' Windows spyware campaign targets dozens of Russian orgs

A new Android SMS stealer family, named Qwizzserial, has been uncovered, primarily targeting users in Uzbekistan. The malware exploits the reliance on SMS for two-factor authentication in local payment systems, allowing fraudsters to intercept SMS messages and gain control over victims' finances. Distributed through Telegram, the Qwizzserial campaign mirrors the structure of Classiscam. The stealer has infected approximately 100,000 users, resulting in financial losses of at least US$62,000. The malware's effectiveness stems from the widespread use of SMS for various financial transactions in Uzbekistan, including P2P transfers, payments, and authorization confirmations, often serving as the sole security layer in the absence of 3D Secure or biometric authentication.

Qwizzserial is a newly identified Android malware family designed to steal SMS messages from infected devices. This malware primarily targets users in Uzbekistan, exploiting the prevalent use of SMS-based two-factor authentication (2FA) in local financial systems. By intercepting SMS messages, Qwizzserial enables attackers to bypass authentication mechanisms and gain unauthorized access to victims' financial accounts, facilitating fraudulent transactions and financial theft. The malware is distributed mainly through Telegram channels, mimicking the operational structure of the previously known Classiscam malware family. Qwizzserial has reportedly infected around 100,000 users, causing financial losses estimated at a minimum of US$62,000. The malware’s success is largely due to the reliance on SMS as the sole or primary security layer for payment authorizations, peer-to-peer transfers, and other financial operations in Uzbekistan, where more advanced security measures like 3D Secure or biometric authentication are often absent. Although no known exploits are currently reported in the wild beyond the initial infection vector, the malware’s capability to silently intercept SMS messages poses a significant threat to the confidentiality and integrity of user financial data. The lack of patch links or specific affected Android versions suggests that the malware exploits social engineering and distribution through Telegram rather than exploiting a specific software vulnerability.

MD5 of 85648d3c1106b2f19ac0a0f41e122d17258893e0

MD5 of 643753ce846339765ffe9f483c30e1652fc3d75e

SHA256 of 643753ce846339765ffe9f483c30e1652fc3d75e

SHA256 of 85648d3c1106b2f19ac0a0f41e122d17258893e0

MD5 of 0ff0182805e573533646992496d7b28602e9121d

MD5 of ec7cc098bdf56a58df93b1d6626786ab59224870

SHA256 of 0ff0182805e573533646992496d7b28602e9121d

SHA256 of ec7cc098bdf56a58df93b1d6626786ab59224870

Detailed information about Discovery of Qwizzserial: A New Android SMS Stealer Family. Get real-time updates, technical details, and mitigation strategies.

Discovery of Qwizzserial: A New Android SMS Stealer Family - Live Threat Intelligence - Threat Radar | OffSeq.com

Discovery of Qwizzserial: A New Android SMS Stealer Family

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto miner. Their tactics include disabling security measures, scheduling tasks to cover their tracks, and exfiltrating sensitive data. The campaign primarily affects industrial enterprises and engineering schools in Russia, with some victims in Belarus and Kazakhstan. The group continues to refine its methods, focusing on data exfiltration, remote access, and email account compromise through phishing sites.

The threat involves the APT group known as Librarian Ghouls, which targets entities primarily in Russia and the Commonwealth of Independent States (CIS) through a sophisticated campaign. The attack vector is primarily phishing emails containing malicious archives that exploit social engineering to trick victims into executing payloads. The group leverages legitimate third-party software and scripting tools to establish persistent remote access, enabling them to steal credentials and exfiltrate sensitive data. Additionally, they deploy the XMRig cryptocurrency miner to illicitly mine Monero, thereby monetizing compromised systems. Their tactics include disabling security tools to evade detection, scheduling tasks to maintain persistence and cover tracks, and compromising email accounts via phishing sites to facilitate further lateral movement and data theft. The campaign mainly targets industrial enterprises and engineering schools, indicating a focus on sectors with valuable intellectual property and operational technology. The group continuously refines its methods, employing a range of MITRE ATT&CK techniques such as T1053.005 (Scheduled Task/Job), T1036.005 (Masquerading), T1566.001 (Spearphishing Attachment), and others related to credential access, defense evasion, and command execution. While the campaign is currently concentrated in Russia, Belarus, and Kazakhstan, the use of legitimate tools and phishing makes it a flexible threat that could potentially affect similar targets elsewhere. No known public exploits exist for this campaign, and no specific vulnerable software versions are identified, indicating the attack relies heavily on social engineering and post-compromise tool usage rather than zero-day vulnerabilities.

Detailed information about APT carries out attacks with data theft and crypto miner deployment. Get real-time updates, technical details, and mitigation strateg

APT carries out attacks with data theft and crypto miner deployment - Live Threat Intelligence - Threat Radar | OffSeq.com

APT carries out attacks with data theft and crypto miner deployment

A new wave of Mirai botnet attacks is exploiting CVE-2024-3721 to target TBK DVR devices. The campaign uses a POST request to execute system commands without authorization, downloading and running an ARM32 binary. This Mirai variant includes features like RC4 string encryption, anti-VM checks, and anti-emulation techniques. The malware verifies if it's running in a virtual environment and checks for allowed directories. Infected devices are primarily located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Over 50,000 exposed DVR devices are potentially vulnerable. The botnet's main goal is to conduct DDoS attacks. Updating vulnerable devices and performing factory resets are recommended as protective measures.

The threat described involves a new wave of attacks by a Mirai botnet variant exploiting a recently disclosed vulnerability identified as CVE-2024-3721. This vulnerability affects TBK brand Digital Video Recorder (DVR) devices, which are commonly used in surveillance and security camera systems. The exploitation method involves sending a specially crafted POST request that allows unauthenticated attackers to execute arbitrary system commands on the targeted device. Upon successful exploitation, the attacker downloads and executes an ARM32 binary payload, which is a variant of the Mirai malware. This variant incorporates advanced evasion techniques such as RC4 string encryption to obfuscate its code and communications, anti-virtual machine (VM) checks, and anti-emulation methods to avoid detection and analysis in sandboxed or virtualized environments. The malware also verifies that it is running in allowed directories before proceeding, which further complicates forensic analysis and detection. The primary objective of this botnet is to conscript vulnerable DVR devices into a large-scale distributed denial-of-service (DDoS) botnet, leveraging their network connectivity and processing power to overwhelm targeted systems or networks. The campaign has identified over 50,000 exposed TBK DVR devices as potentially vulnerable, with infections primarily reported in countries including China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Although the campaign is currently not reported to have active exploits in the wild beyond initial observations, the scale of vulnerable devices and the sophistication of the malware indicate a significant threat vector. The lack of available patches or firmware updates for these devices exacerbates the risk, making mitigation reliant on device resets and network-level protections. The technical sophistication of the malware, combined with the critical role of DVR devices in security infrastructure, underscores the importance of addressing this vulnerability promptly.

Detailed information about Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721. Get real-time updates, technical details, and mitiga

Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721

Blitz is a new Windows-based malware discovered in 2024 consisting of a downloader and bot payload. The latest version was spread through backdoored game cheats for Standoff 2 distributed via Telegram. Blitz abuses Hugging Face Spaces to host components of its C2 infrastructure and payloads. The malware performs information stealing and DDoS attacks. An XMRig cryptocurrency miner was also deployed as follow-up malware. By May 2025, the developer claimed to have abandoned the project. Russia accounted for the highest number of infections among 289 victims across 26 countries. Palo Alto Networks customers are protected through various security products and services.

Blitz is a Windows-based malware campaign identified in 2024, characterized by a modular architecture consisting primarily of a downloader and a bot payload. The malware's distribution vector is notably through backdoored game cheats for the popular mobile game Standoff 2, which were disseminated via Telegram channels. This method leverages the gaming community's trust and eagerness for cheats to propagate the malware. A distinctive feature of Blitz is its abuse of Hugging Face Spaces, a legitimate AI model hosting platform, to host components of its command and control (C2) infrastructure and payloads. This tactic complicates detection and takedown efforts because it blends malicious activity with legitimate cloud services.

Once deployed, Blitz performs multiple malicious activities: it steals sensitive information from infected systems and conducts distributed denial-of-service (DDoS) attacks, potentially disrupting network availability for targeted entities. Additionally, the malware deploys an XMRig cryptocurrency miner as a secondary payload, which hijacks system resources to mine Monero cryptocurrency, leading to degraded system performance and increased operational costs. By May 2025, the malware developer reportedly abandoned the project, but the infection footprint remains significant, with 289 victims identified across 26 countries. Russia has the highest infection count, indicating either targeting preferences or greater exposure.

The malware employs a wide range of tactics and techniques as mapped to MITRE ATT&CK, including credential dumping (T1003.001), input capture (T1056.001), command and control over web protocols (T1071), process injection (T1055), and persistence mechanisms (T1547.001), among others. These techniques enable stealthy operation, lateral movement, and sustained presence within compromised environments. Palo Alto Networks customers benefit from protection via their security products, but organizations outside this ecosystem may remain vulnerable.

Overall, Blitz represents a multifaceted threat combining social engineering (via game cheats), abuse of legitimate cloud infrastructure, and a blend of espionage and resource hijacking activities.

Detailed information about Blitz Malware: A Tale of Game Cheats and Code Repositories. Get real-time updates, technical details, and mitigation strategies.

Blitz Malware: A Tale of Game Cheats and Code Repositories - Live Threat Intelligence - Threat Radar | OffSeq.com

Blitz Malware: A Tale of Game Cheats and Code Repositories

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamil Shafeev «Подсказки» от DaData.ru allows Stored XSS. This issue affects «Подсказки» от DaData.ru: from n/a through 1.0.6.

CVE-2025-30931 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the product «Подсказки» от DaData.ru developed by Shamil Shafeev. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious actors to inject and store malicious scripts within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability affects versions up to 1.0.6, with no specific version range detailed beyond 'n/a through 1.0.6'. The CVSS v3.1 base score is 5.9, indicating a medium severity level, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This means the attack can be performed remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed (S:C), indicating the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is low to moderate. No known exploits are currently reported in the wild, and no patches or mitigations have been linked yet. The vulnerability was reserved in March 2025 and published in June 2025. Stored XSS vulnerabilities are particularly dangerous because they can persist on the server and affect multiple users over time, increasing the attack surface and potential damage. The product «Подсказки» от DaData.ru is a tool/service presumably used for data suggestions or autocomplete, likely integrated into web applications, which may increase exposure if widely deployed.

Detailed information about CVE-2025-30931: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Shamil Shafeev «Подска

CVE-2025-30931: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Shamil Shafeev «Подсказки» от DaData.ru - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Affecting Russia

Filter Threats

Threats Affecting Russia

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility