Threats Tagged 'credential theft'
View all threats tagged with 'credential theft'.
May 2026 Infostealer Trend Report
This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.
Source: AlienVault OTX General | 06/18/2026, 14:53:53 UTC | Added: 06/18/2026, 20:20:24 UTC
ClickFix Campaign Generated Via AI Delivers SmartRAT
In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.
Source: AlienVault OTX General | 06/17/2026, 18:20:54 UTC | Added: 06/17/2026, 20:35:04 UTC
Potemkin Loader & RMMProject: The Anatomy of a ClickFix Attack
A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMMProject, a 4.4 MB Lua-scriptable RAT featuring browser credential theft with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker deployed EtherRAT, a Node.js backdoor resolving C2 addresses from the Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by lateral movement via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.
Source: AlienVault OTX General | 06/16/2026, 14:27:51 UTC | Added: 06/16/2026, 17:30:50 UTC
Gamers beware: malicious wallpapers on Steam found stealing accounts
Since late 2025, cybercriminals have been exploiting Wallpaper Engine, a popular live wallpaper application on Steam, to distribute malware through Steam Workshop. Attackers target primarily Chinese and Russian gamers by embedding malicious code within application wallpapers shared on the platform. These compromised wallpapers deliver various malware types including infostealers, backdoors, crypto miners, and ransomware. One analyzed sample dropped the DarkKomet backdoor while hijacking Steam sessions to steal account credentials. The malware modifies system libraries to locate Steam installations and exfiltrate data to attacker-controlled servers. Compromised accounts are then used to upload additional malicious wallpapers. The diverse malware families suggest multiple independent hacking groups are exploiting this distribution method. Infected wallpapers received thousands of downloads before removal, with 89% of infections occurring in China.
Source: AlienVault OTX General | 06/16/2026, 09:50:13 UTC | Added: 06/16/2026, 11:30:21 UTC
Defending the Digital Pitch: World Cup 2026 Cyber Threats
The 2026 FIFA World Cup presents a concentrated attack surface spanning three nations, 16 cities, and billions of viewers. Cybercriminals have already launched phishing campaigns, fraudulent ticket sales, and brand impersonation schemes targeting governments, sponsors, broadcasters, transportation providers, and telecommunications companies. Financially motivated actors are exploiting tournament-related interest through credential theft and payment fraud. Hacktivist and state-aligned groups, including pro-Iranian actors like Handala and CyberAv3ngers, may conduct DDoS attacks, website defacements, or espionage operations amid heightened geopolitical tensions involving Iran, the United States, and Russia. Ransomware groups such as Qilin, DragonForce, Akira, and Play may target organizations reliant on continuous service availability. Thousands of FIFA-themed domains have been registered, many exhibiting characteristics associated with fraud campaigns. Organizations throughout the ecosystem face elevated ris...
Source: AlienVault OTX General | 06/11/2026, 21:09:40 UTC | Added: 06/15/2026, 19:15:22 UTC
UNC1151/Ghostwriter phishing campaign targeting Gmail accounts
The UNC1151/Ghostwriter group has been conducting high-intensity phishing campaigns targeting the Gmail accounts of Polish citizens since March 2026. The campaigns primarily target individuals in political and public life, people in prominent positions, researchers, journalists, public administration and law enforcement employees, and their associates. Attackers use fraudulent emails impersonating Gmail administrators, claiming suspicious activity or policy violations to pressure victims into verifying their accounts. The phishing infrastructure captures login credentials and two-factor authentication codes through fake login panels. The group uses dedicated domains, Netlify subdomains, and compromised websites to host phishing pages. Campaigns run primarily on weekdays, with new domains appearing almost daily, demonstrating a persistent operational tempo against Polish targets.
Source: AlienVault OTX General | 06/12/2026, 16:57:58 UTC | Added: 06/15/2026, 18:45:13 UTC
The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed
On May 15, 2026, Huntress agents detected an intrusion where threat actors compromised a terminal server to stage a massive phishing campaign rather than deploy ransomware. The attacker used legitimate bulk email software (Gammadyne Mailer) with a project file named 'dracii' (Romanian for 'the devils') and six recipient lists containing 8,894,920 email addresses. Operating from Romanian IP addresses, the actor impersonated UK pharmacy chain Boots through a fake customer satisfaction survey designed to harvest personal and payment card data. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which Huntress reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery to bypass mail relays, with the mailer configured to send from 666 threads simultaneously. Evidence suggests this Romanian operator has been running multiple UK-targeting campaigns since at least July 2025, rotating between retail, tax, and cryptocurrency themes.
Source: AlienVault OTX General | 06/15/2026, 14:53:04 UTC | Added: 06/15/2026, 17:30:16 UTC
SilabRAT, What's Your Power?
SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on dark web forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Computing (HVNC) for invisible remote control, browser profile cloning to bypass session protections, and automated cryptocurrency wallet password cracking. The RAT bypasses Chrome App-Bound Encryption, performs session hijacking, and includes keylogging, clipboard monitoring, and remote desktop capabilities. Distributed through phishing and ClickFix campaigns with operator-hosted infrastructure, SilabRAT uses ChaCha20-Poly1305 encryption for command-and-control communications. The developer also offers AsmCrypt, a companion crypter service, creating a complete malware bundle from evasion to execution and remote control.
Source: AlienVault OTX General | 06/10/2026, 11:58:30 UTC | Added: 06/10/2026, 13:50:24 UTC
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels
A sophisticated supply chain attack campaign has expanded to 471 affected artifacts across npm and PyPI, targeting developers through malicious packages. The campaign uses three distinct delivery methods: executable .pth startup hooks, trojanized native .abi3.so extensions that execute at import time, and a split loader-payload architecture that searches Python's sys.path. Twenty-three newly identified PyPI packages masquerade as bioinformatics tools, AI frameworks, and popular libraries like requests and Flask. The attack deploys heavily obfuscated JavaScript stealers via the Bun runtime, harvesting high-value credentials including GitHub tokens, npm registry access, cloud credentials, SSH keys, and CI/CD secrets. The malware employs anti-analysis techniques with fake LLM prompt-injection headers designed to disrupt AI-assisted security scanners, while targeting developer workstations and automated build environments.
Source: AlienVault OTX General | 06/08/2026, 19:36:05 UTC | Added: 06/09/2026, 08:55:44 UTC
AI brands as bait: How threat actors are using the AI hype in social engineering
Threat actors are increasingly leveraging the global interest in artificial intelligence by impersonating popular AI platforms such as ChatGPT, Copilot, DeepSeek, and Claude in social engineering campaigns. These operations span phishing attacks, malvertising, and search engine optimization-driven tactics that ultimately lead to credential theft, financial fraud, or malware infections. Observed campaigns include ChatGPT-themed phishing collecting credit card data targeting South Africa, Claude-themed adversary-in-the-middle attacks harvesting credentials and access tokens, malvertising campaigns distributing the Vidar stealer through fake AI plugin downloads, and fraudulent DeepSeek V4 installers on GitHub. The initial access broker Storm-3075 has been identified employing AI-themed malvertising, while the financially motivated actor Fox Tempest provides malware-signing-as-a-service to enhance payload legitimacy. These campaigns combine traditional social engineering tactics with AI branding to improve success...
Source: AlienVault OTX General | 06/08/2026, 19:36:04 UTC | Added: 06/09/2026, 08:55:44 UTC