
Threats Tagged 'fake updates'

View all threats tagged with 'fake updates'. Filter and sort to focus on specific types of threats.


A miner with a side of RAT: the unintended gift with your TV show or book

A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate executables and malicious DLLs. The malware employs DLL side-loading, establishes persistence through Windows services, and deploys multiple components including XMRig-based CPU miners, GPU miners, a watchdog module, and a RAT agent with remote control capabilities. The campaign leverages highly popular pirated content sites with monthly traffic reaching up to 40 million visits, significantly expanding the potential victim pool. The malware includes sophisticated anti-detection features, DNS tunneling for command-and-control, and domain generation algorithms based on dates.

LummaStealer dropped via fake updates from itch.io and Patreon

A malicious campaign is targeting indie game platforms Itch.io and Patreon by posting fake update links in comments, which lead to downloads of LummaStealer malware. This malware uses advanced anti-analysis techniques to evade detection, including checks for virtual machines, specific usernames, and malware analysis processes. The payload is delivered via a nexe-compiled JavaScript file that drops and loads a DLL variant of LummaStealer. Despite efforts to remove malicious accounts, attackers continuously create new ones, indicating an ongoing and persistent threat. The campaign primarily targets users seeking game updates, exploiting trust in indie game communities. No known exploits in the wild have been reported yet, but the malware’s stealth and persistence pose a medium-level risk. European organizations involved in gaming, digital content creation, or using these platforms could be impacted, especially those with less mature security controls. Mitigation requires targeted detection of fake update links, monitoring of platform comments, and enhanced endpoint defenses against DLL injection and obfuscated JavaScript. Countries with active indie game development and strong Patreon/Itch.

Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to compromised systems to various cybercriminal clients. The primary tactic involves deceptive 'fake browser update' lures initiated by JavaScript injections on compromised websites, leading to drive-by malware downloads. SocGholish leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious content. TA569 acts as an Initial Access Broker, enabling other notorious groups and even Russian GRU's Unit 29155 to conduct follow-on attacks, including ransomware deployments. The threat uses domain shadowing and frequent domain rotation to evade detection, making proactive threat intelligence crucial for defense.

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.

New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.
