Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Search Results: "mshta.exe"
Click on any threat for detailed analysis and mitigation recommendations
Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan 0 SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations. Join the discussion | AlienVault OTX General | 05/29/2026, 10:49:19 UTC Added: 05/29/2026, 12:33:32 UTC |
ClickFix Gets Creative: Malware Buried in Images 0 A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis. Join the discussion | AlienVault OTX General | 11/24/2025, 21:10:01 UTC Added: 11/25/2025, 09:13:18 UTC |
APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux 0 A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users, employing clipboard-based execution techniques. On Windows, the attack utilized mshta.exe to execute a heavily obfuscated HTA file, while on Linux, it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts. Join the discussion | AlienVault OTX General | 05/06/2025, 19:41:33 UTC Added: 06/05/2025, 19:13:27 UTC |
Showing 1 to 3 of 3 results