Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Kaspersky Security Blog

Reddit NetSec

Check Point Research

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

SANS ISC Handlers Diary

SecurityWeek

Threatpost

The Hacker News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A malicious campaign is targeting indie game platforms Itch. io and Patreon by posting fake update links in comments, which lead to downloads of LummaStealer malware. This malware uses advanced anti-analysis techniques to evade detection, including checks for virtual machines, specific usernames, and malware analysis processes. The payload is delivered via a nexe-compiled JavaScript file that drops and loads a DLL variant of LummaStealer. Despite efforts to remove malicious accounts, attackers continuously create new ones, indicating an ongoing and persistent threat. The campaign primarily targets users seeking game updates, exploiting trust in indie game communities. No known exploits in the wild have been reported yet, but the malware’s stealth and persistence pose a medium-level risk. European organizations involved in gaming, digital content creation, or using these platforms could be impacted, especially those with less mature security controls. Mitigation requires targeted detection of fake update links, monitoring of platform comments, and enhanced endpoint defenses against DLL injection and obfuscated JavaScript. Countries with active indie game development and strong Patreon/Itch.

This threat involves a malware campaign distributing LummaStealer via fake update links posted on indie game platforms Itch.io and Patreon. Attackers create new accounts to spam comments on legitimate game pages, claiming to offer updates through Patreon links. These links lead to downloads containing a nexe-compiled JavaScript file, which acts as a dropper for a DLL variant of LummaStealer. LummaStealer is a credential and information stealer known for its stealth capabilities. The malware employs multiple anti-analysis techniques, such as detecting virtual machine environments, checking for specific usernames, and scanning for processes commonly used in malware analysis, to avoid sandbox detection and forensic investigation. The use of nexe (Node.js executable) compiled JavaScript adds complexity and obfuscation, making static and dynamic analysis more difficult. The DLL payload is injected into processes to steal sensitive data stealthily. Despite platform efforts to remove malicious accounts, attackers persistently create new ones, indicating a sustained campaign. No CVE or known exploits in the wild have been reported, but the campaign’s ongoing nature and sophisticated evasion techniques suggest a medium severity threat. The campaign targets users of indie game platforms, which could include developers, gamers, and content creators, potentially leading to credential theft, data exfiltration, and further compromise of user systems.

Detailed information about LummaStealer dropped via fake updates from itch.io and Patreon. Get real-time updates, technical details, and mitigation strategies.

LummaStealer dropped via fake updates from itch.io and Patreon - Live Threat Intelligence - Threat Radar | OffSeq.com

LummaStealer dropped via fake updates from itch.io and Patreon

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to compromised systems to various cybercriminal clients. The primary tactic involves deceptive 'fake browser update' lures initiated by JavaScript injections on compromised websites, leading to drive-by malware downloads. SocGholish leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious content. TA569 acts as an Initial Access Broker, enabling other notorious groups and even Russian GRU's Unit 29155 to conduct follow-on attacks, including ransomware deployments. The threat uses domain shadowing and frequent domain rotation to evade detection, making proactive threat intelligence crucial for defense.

SocGholish is a sophisticated Malware-as-a-Service (MaaS) campaign operated by the threat actor TA569, who acts as an Initial Access Broker (IAB). The campaign primarily employs deceptive tactics involving fake browser update prompts delivered via JavaScript injections on compromised legitimate websites. These injections trigger drive-by downloads of malware payloads without requiring explicit user consent beyond interacting with the fake update prompt. SocGholish leverages Traffic Distribution Systems (TDS) such as Parrot TDS and Keitaro TDS to selectively filter and redirect victims to malicious content, enhancing the efficiency and targeting of the campaign. The operator TA569 sells access to compromised systems to various cybercriminal clients, including notorious ransomware groups and reportedly Russian GRU’s Unit 29155, enabling follow-on attacks such as ransomware deployment and espionage. The campaign employs domain shadowing and frequent domain rotation to evade detection and takedown efforts, complicating defensive measures. Indicators of compromise include a large set of suspicious domains used in the infrastructure. The campaign’s tactics align with multiple MITRE ATT&CK techniques, including T1059.007 (JavaScript execution), T1133 (External Remote Services), T1547 (Boot or Logon Autostart Execution), T1204.002 (User Execution: Malicious File), T1071 (Application Layer Protocol), T1190 (Exploit Public-Facing Application), T1036 (Masquerading), T1090 (Proxy), T1497 (Virtualization/Sandbox Evasion), T1102 (Web Service), T1608 (Stage Capabilities), T1199 (Trusted Relationship), T1559 (Inter-Process Communication), T1078 (Valid Accounts), T1027 (Obfuscated Files or Information), T1573 (Encrypted Channel), T1132 (Data Encoding), and T1189 (Drive-by Compromise). This multi-faceted approach makes SocGholish a persistent and adaptable threat requiring proactive and layered defense strategies.

Detailed information about Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569. Get real-time updates, technical 

Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569 - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.

SocGholish is a sophisticated Malware-as-a-Service (MaaS) platform operated by the threat actor group TA569. It primarily uses deceptive tactics, notably fake browser update prompts, to trick users into initiating the infection process. The malware campaign employs Traffic Distribution Systems (TDS) such as Parrot TDS and Keitaro TDS to selectively filter and redirect victims, ensuring that only high-value targets receive the final malicious payload. This selective targeting is achieved through advanced filtering and tracking mechanisms, which analyze victim attributes before payload delivery. SocGholish’s infection chain is multi-staged, beginning with compromised legitimate websites that redirect victims to malicious domains or URLs. The malware also uses domain shadowing and frequent domain rotation to evade detection and takedown efforts, complicating defensive measures. TA569 acts as an Initial Access Broker, selling or leasing access to compromised systems to other cybercriminal groups, including notable ransomware operators like Evil Corp and MintsLoader. These groups then conduct follow-on attacks such as ransomware deployment, data exfiltration, or further network compromise. Indicators of compromise include numerous malicious domains and URLs used in the infection chain, many of which are designed to appear legitimate or benign. The malware leverages various techniques including living-off-the-land binaries (LOLBins), obfuscation, and persistence mechanisms to maintain footholds on infected systems. The campaign’s sophistication and modularity make it a persistent threat capable of adapting to defensive countermeasures and targeting specific victims with tailored payloads.

Detailed information about Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator. Get real-time updates, techni

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.

The threat described involves a newly uncovered infrastructure linked to GrayAlpha, a threat actor associated with the financially motivated cybercrime group FIN7. The key technical components include a custom PowerShell loader named PowerNet, which is used to deploy the NetSupport Remote Access Trojan (RAT), and another loader called MaskBat. These loaders facilitate the covert installation and execution of malicious payloads on victim systems. The attackers employ three primary infection vectors: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. These vectors are designed to socially engineer victims into executing malicious code by masquerading as legitimate software updates or downloads. At the time of analysis, only the fake 7-Zip download sites remained active, indicating a possible shift in attacker tactics or operational focus.

The PowerNet loader leverages PowerShell, a legitimate Windows scripting environment, to evade detection and execute payloads in-memory, complicating traditional signature-based defenses. The NetSupport RAT deployed by PowerNet provides attackers with extensive remote control capabilities, including data exfiltration, credential theft, and lateral movement within networks. MaskBat likely serves as an additional loader or persistence mechanism, although specific technical details are limited. The use of multiple infection vectors and loaders demonstrates the adversary's sophistication and adaptability.

The TAG-124 traffic distribution system is a known infrastructure component used to manage and distribute malicious traffic, further indicating a well-resourced and organized campaign. The threat actor employs various MITRE ATT&CK techniques such as T1218.011 (signed binary proxy execution), T1204.002 (user execution via malicious file), T1583.001 (establishing infrastructure), T1055 (process injection), T1059.001 and T1059.003 (PowerShell and command-line interface), T1547.001 (registry run keys for persistence), T1102.002 (web service communication), T1071.001 (application layer protocol), T1204.001 (user execution via malicious link), T1569.002 (service execution), and T1584.001 (compromise infrastructure). This indicates a multi-faceted attack chain involving social engineering, code execution, persistence, and command and control.

The identification of a potential individual involved in GrayAlpha operations suggests ongoing intelligence efforts to attribute and disrupt this threat actor. Overall, this campaign highlights the need for layered security controls, including behavioral detection, application allow-listing, and continuous user awareness training to mitigate the risk posed by such advanced threats.

Detailed information about New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks. Get real-time updates, technical details, and mitigation st

Title	Severity	Type	Source	Date

Threats Tagged 'fake updates'

Stop chasing alerts. Route them.

Filter Threats

Threats Tagged 'fake updates'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility