Reddit NetSec

AlienVault OTX General

CVE Database V5

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The Octalyn Forensic Toolkit, a publicly available GitHub project, presents itself as a research tool but functions as a sophisticated credential stealer. It consists of a C++ payload module and a Delphi-based builder interface, allowing even low-skilled actors to generate functional binaries. The toolkit extracts browser data, Discord and Telegram tokens, VPN configurations, gaming account data, and cryptocurrency wallet artifacts. It establishes persistence, organizes stolen data, and exfiltrates it via Telegram. The malware's modular design, ease of use, and active exfiltration capability pose significant risks if misused. It employs obfuscation techniques, Windows persistence methods, and structured data theft, demonstrating a deliberate effort to evade detection and maximize impact.

The Octalyn Stealer is a sophisticated credential-stealing malware toolkit publicly available on GitHub, masquerading as a forensic research tool. It comprises a C++ payload module responsible for the actual data theft and a Delphi-based builder interface that enables even low-skilled threat actors to generate customized malicious binaries easily. The malware targets a broad range of sensitive data, including browser credentials, Discord and Telegram tokens, VPN configurations, gaming account information, and cryptocurrency wallet artifacts. It establishes persistence on infected Windows systems using standard Windows persistence mechanisms, allowing it to maintain foothold across reboots. The malware employs obfuscation techniques to evade detection by antivirus and endpoint security solutions. Once data is collected and organized, it is exfiltrated via Telegram channels, leveraging the platform's API for covert data transmission. The modular design of Octalyn allows for flexible deployment and extension of capabilities, increasing its threat potential. The toolkit’s availability lowers the barrier to entry for cybercriminals, potentially increasing the volume of attacks using this malware. Although no known exploits in the wild have been reported yet, the malware’s features and ease of use present a significant risk if adopted by malicious actors. The malware’s tactics align with multiple MITRE ATT&CK techniques, including credential dumping, command and control via standard protocols, obfuscation, persistence, and data exfiltration. This combination of features demonstrates a deliberate effort to maximize impact while evading detection and complicating incident response efforts.

Detailed information about OCTALYN STEALER UNMASKED. Get real-time updates, technical details, and mitigation strategies.

OCTALYN STEALER UNMASKED - Live Threat Intelligence - Threat Radar | OffSeq.com

OCTALYN STEALER UNMASKED

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphishing emails offering oil products.

The Snake Keylogger is a malware strain originating from Russia, identified as a .NET-based stealer primarily used in targeted phishing campaigns. It is designed to capture sensitive information such as credentials and other personal data by logging keystrokes and potentially harvesting system information. The recent campaign tracked by the S2 Group targets a broad spectrum of victims, including companies, government entities, and individuals, using spearphishing emails themed around oil product offers. This thematic choice likely aims to exploit geopolitical interests and economic sectors related to energy, increasing the likelihood of successful compromise. The malware is distributed via spearphishing, a highly targeted form of phishing that uses personalized messages to deceive recipients. The campaign abuses trusted Java utilities, indicating a sophisticated approach to evade detection by leveraging legitimate software components. The malware is categorized under multiple MITRE ATT&CK techniques such as T1027 (Obfuscated Files or Information), T1082 (System Information Discovery), T1555 (Credentials from Password Stores), T1566.001 (Spearphishing Attachment), T1574.002 (Hijack Execution Flow: DLL Side-Loading), and T1588.002 (Obtain Capabilities: Malware-as-a-Service), highlighting its multifaceted attack vectors and capabilities. Although no known exploits in the wild are reported, the malware operates as Malware-as-a-Service (MaaS), suggesting it is accessible to various threat actors, potentially increasing its proliferation. The campaign’s geopolitical context and targeting of strategic sectors underscore its relevance in cybercrime operations linked to geopolitical affairs.

MD5 of fe223090ea59abc54312c48ed89765ea5c8821df78134adc094cd799973dde39

MD5 of b33d93e82b4a964c1306d40b054e6a2703e050357a513ab8873651dd4d669f4b

MD5 of 6d7158bf300a5a8769d106500a60141e63436bfc35cab1d24e047aad1dc880ce

MD5 of f099cb320a26b6284e9ca24b352b19d2109bb3df0beeded3c34377c9b934ed3b

MD5 of 54468a4c1261c1c3f4136854c29a50080be77416d040b083ac51776c957a1182

MD5 of 830703e20378110b1db917fcd498fa731aafed37fb1055c002693662053ad13c

SHA1 of fe223090ea59abc54312c48ed89765ea5c8821df78134adc094cd799973dde39

SHA1 of 830703e20378110b1db917fcd498fa731aafed37fb1055c002693662053ad13c

SHA1 of 54468a4c1261c1c3f4136854c29a50080be77416d040b083ac51776c957a1182

SHA1 of 6d7158bf300a5a8769d106500a60141e63436bfc35cab1d24e047aad1dc880ce

SHA1 of b33d93e82b4a964c1306d40b054e6a2703e050357a513ab8873651dd4d669f4b

SHA1 of f099cb320a26b6284e9ca24b352b19d2109bb3df0beeded3c34377c9b934ed3b

Detailed information about Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations. Get real-time updates, technical d

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations - Live Threat Intelligence - Threat Radar | OffSeq.com

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

A sophisticated variant of the Masslogger credential stealer malware has been identified spreading through .VBE files. This multi-stage fileless malware heavily relies on Windows Registry to store and execute its malicious payload. The infection begins with a .VBE file, likely distributed via spam email or drive-by downloads. The malware sets up registry keys for storing commands, stager configurations, and the final payload. It establishes persistence through a scheduled task and uses techniques to simulate user input. The malware employs multiple stagers to decode and load the final Masslogger payload, which is injected into the AddInProcess32.exe process. The payload targets multiple web browsers and email clients to steal credentials and sensitive information, with capabilities including keylogging, screen capture, and data exfiltration via FTP, SMTP, or Telegram.

The Masslogger Fileless Variant is an advanced form of the Masslogger credential stealer malware that propagates primarily through malicious .VBE (VBScript Encoded) files. These files are typically distributed via spam emails or drive-by download attacks, exploiting user interaction or social engineering to initiate infection. Unlike traditional malware that relies on executable files, this variant operates in a fileless manner, leveraging Windows Registry keys to store and execute its payload, thereby evading conventional file-based detection mechanisms. The infection chain is multi-staged: initially, the .VBE file executes and sets up registry keys that contain encoded commands, stager configurations, and the final payload. Persistence is achieved by creating scheduled tasks, ensuring the malware remains active across system reboots. The malware also employs techniques to simulate user input, which can help bypass certain security controls or user activity monitoring. The final Masslogger payload is loaded through multiple decoding stagers and is injected into the legitimate Windows process AddInProcess32.exe via process hollowing, a technique that replaces the memory of a legitimate process with malicious code to evade detection. Once active, the payload targets a broad range of web browsers and email clients to harvest credentials and sensitive data. Its capabilities include keylogging, screen capturing, and exfiltration of stolen data using various protocols such as FTP, SMTP, and Telegram messaging. The use of multiple exfiltration channels increases the likelihood of successful data theft even if some communication paths are blocked. The malware’s reliance on registry-based storage and fileless execution complicates detection and remediation efforts, as traditional antivirus solutions may not easily identify its presence. The campaign does not currently have known exploits in the wild beyond the initial infection vector and lacks a CVE identifier, but its sophisticated techniques and credential theft capabilities pose a significant threat to targeted environments.

Detailed information about Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry. Get real-time updates, technical details, and mitigation strategie

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry - Live Threat Intelligence - Threat Radar | OffSeq.com

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.

The Interlock ransomware group, active since September 2024, represents a sophisticated and evolving threat actor specializing in targeted ransomware attacks, often referred to as Big Game Hunting. Despite maintaining a relatively low victim count, Interlock demonstrates significant adaptability and innovation in its attack methodologies. Initial access is typically gained through social engineering tactics such as fake browser updates and exploitation of the ClickFix technique, which is known for leveraging vulnerabilities in user interaction flows to deploy malicious payloads. Once inside a network, the group employs a multi-stage attack chain that includes deploying PowerShell backdoors, which allow stealthy and persistent command execution within compromised environments. Additionally, they utilize credential stealers, notably the Berserk Stealer, to harvest sensitive authentication data, facilitating lateral movement and privilege escalation. A custom Remote Access Trojan (RAT), referred to as the Interlock RAT, is also deployed to maintain long-term access and control over infected systems. The group’s operational tactics include double extortion, where data is not only encrypted but also exfiltrated, with threats to leak sensitive information if ransom demands are not met. This approach increases pressure on victims to comply. Interlock has been observed refining their tools continuously, including enhancements to their PowerShell backdoor capabilities and modifications to ransom notes to emphasize potential legal consequences, likely as a psychological tactic to coerce victims. Their strategic focus on avoiding large-scale visibility while maintaining operational effectiveness suggests a deliberate effort to evade detection and prolong their campaigns. The group targets multiple sectors across North America and Europe, indicating a broad geographic and vertical scope.

Detailed information about Interlock ransomware evolving under the radar. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'credential stealer'

Filter Threats

Threats Tagged 'credential stealer'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility