Threats Affecting Spain

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access. [...]

MediumMalwareBrazilIndiaMexico+8#remote

An active malware campaign has been discovered distributing malicious VBScript files through WhatsApp direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise WhatsApp accounts and send weaponized VBS files disguised as business and financial documents to contacts. The multi-stage infection chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting social engineering techniques with localized filenames in multiple languages.

MediumMalwareAustraliaBrazilBritish Indian Ocean Territory+7#uac bypass#valleyrat#gh0st rat

A malware-as-a-service campaign named Weedhack targets Minecraft users by distributing malicious Java JAR files via SEO poisoning and YouTube videos. The malware steals credentials, system information, and can remotely control infected systems. It is notable for its ease of access, free tier, and appeal to younger users, with infections primarily in the U. S.and several other countries. Additionally, a large CountLoader campaign spreads cryptocurrency clipper malware via cracked software, and a separate campaign distributes cryptocurrency miners through pirated content sites. These campaigns leverage sophisticated persistence and evasion techniques and have been active since early 2026.

MediumSecurity-newsUnited StatesGermanyIndia+9#cybersecurity#reddit

The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE). [...]

MediumVulnerabilitySpain

We analyze how fake IPTV apps gain control of Android devices, abuse screen access features, and steal credentials, cash, and crypto assets.

MediumVulnerabilityPortugalSpainFrance+2#android

A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct phishing templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage credential harvesting process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.

MediumCampaignUnited StatesAlbaniaArmenia+16#smishing#government impersonation#credential harvesting