Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Kaspersky Security Blog

Check Point Research

CVE Database V5

AlienVault OTX General

SANS ISC Handlers Diary

SecurityWeek

Threatpost

The Hacker News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Reddit NetSec

Reddit InfoSec News

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A sophisticated attack chain was uncovered involving a malicious disk-cleaning utility that installed proxyware on a compromised system. The infection used PowerShell scripts, download cradles, and in-memory execution to evade detection and establish a connection to a command-and-control (C2) server. The attack was intercepted before the proxyware installation completed. This incident underscores the dangers of unauthorized software installations and the critical need to restrict PowerShell usage in corporate environments. The threat leverages multiple advanced techniques including obfuscation, living-off-the-land binaries, and scheduled task abuse. Although no known exploits are currently in the wild, the attack demonstrates a medium severity risk due to its potential for stealthy persistence and resource abuse. European organizations should be vigilant, especially those with lax software installation policies and insufficient PowerShell controls.

This threat involves a multi-stage attack chain initiated by the installation of a seemingly legitimate disk-cleaning utility that was in fact bundled with malicious PowerShell scripts. These scripts leveraged download cradle techniques to fetch additional payloads from domains such as featherstorage.com and others, executing them in-memory to avoid detection by traditional antivirus solutions. The attack utilized living-off-the-land binaries (LOLBins) and scheduled task abuse (T1053.005) to maintain persistence and evade security controls. The proxyware installation, which was the ultimate payload, would have allowed the compromised system to be used as a proxy node, potentially for illicit traffic routing or anonymization services, impacting network integrity and potentially implicating the victim in malicious activities. The use of PowerShell (T1059.001, T1059.003) and obfuscation techniques (T1027) further complicated detection. The SOC team detected suspicious PowerShell activity early, preventing the final proxyware installation. Indicators include multiple file hashes and suspicious domains linked to the attack infrastructure. No CVE or known exploit is associated yet, but the attack chain demonstrates advanced evasion and persistence tactics. This incident highlights the risks posed by unauthorized software installations and the need for strict application whitelisting and PowerShell execution policies.

Detailed information about Stories from the SOC: Mystery of the postponed proxyware install. Get real-time updates, technical details, and mitigation strategies

Stories from the SOC: Mystery of the postponed proxyware install - Live Threat Intelligence - Threat Radar | OffSeq.com

Stories from the SOC: Mystery of the postponed proxyware install

A phishing campaign targeting Brazilian users spreads a banking trojan via WhatsApp Web by leveraging an open-source automation script. The attack starts with a malicious VBS script in a phishing email that downloads and executes an MSI installer and another VBS script. The second VBS installs Python and Selenium to inject malicious JavaScript into WhatsApp Web, enabling the malware to propagate by sending itself to the victim's contacts. The MSI drops an AutoIt script that monitors for Brazilian banking and cryptocurrency application windows and loads an encrypted payload into memory to evade detection. This payload specifically targets Brazilian financial institutions and cryptocurrency wallets. The campaign uses in-memory execution and automation to maintain stealth and persistence. No known exploits in the wild have been reported yet, and the campaign is currently assessed as medium severity. The attack is highly tailored to Brazilian users and financial targets but could pose risks if similar tactics spread elsewhere.

This threat involves a sophisticated phishing campaign primarily targeting Brazilian users, leveraging WhatsApp Web as a propagation vector. The attack chain begins with a phishing email containing a malicious Visual Basic Script (VBS) that downloads and executes two components: an MSI installer and a secondary VBS script. The secondary VBS installs Python and Selenium, which are automation tools commonly used for browser control. Using Selenium, the attackers inject malicious JavaScript into the victim's WhatsApp Web session, enabling the malware to automatically send itself to the victim's WhatsApp contacts, facilitating rapid spread through social engineering. The MSI installer drops an AutoIt script that continuously monitors for windows related to Brazilian banking and cryptocurrency applications. Upon detecting such windows, it loads an encrypted payload directly into memory, avoiding writing to disk and thus evading traditional antivirus detection. This payload is a banking trojan designed to steal credentials and manipulate transactions specifically targeting Brazilian financial institutions and cryptocurrency wallets. The use of in-memory execution, automation frameworks, and social media platforms for propagation demonstrates a multi-layered approach to stealth and infection. Although no known exploits in the wild have been reported, the campaign's complexity and targeting indicate a focused threat against Brazilian financial users. The malware employs multiple MITRE ATT&CK techniques including T1113 (screen capture), T1056.001 (input capture: keylogging), T1059.007 (command and scripting interpreter: JavaScript), T1106 (execution through API), and T1566 (phishing). The campaign's reliance on WhatsApp Web and automation scripts is notable for its innovative propagation method. While currently focused on Brazil, the approach could be adapted to other regions if successful.

Detailed information about Brazilian Campaign: Spreading the Malware via WhatsApp. Get real-time updates, technical details, and mitigation strategies.

Brazilian Campaign: Spreading the Malware via WhatsApp - Live Threat Intelligence - Threat Radar | OffSeq.com

Brazilian Campaign: Spreading the Malware via WhatsApp

In October 2025, a major U. S. real estate firm was targeted by a sophisticated cyberattack leveraging the emerging Tuoni command-and-control (C2) framework. The attack chain began with social engineering via Microsoft Teams impersonation, delivering a malicious PowerShell script that used steganography to hide payloads within images and employed in-memory execution to evade detection. The Tuoni C2 framework served as the core implant, enabling stealthy remote control. The attack showed signs of AI-assisted code generation, indicating advanced threat actor capabilities. Morphisec's Automated Moving Target Defense (AMTD) technology successfully prevented the attack before execution, demonstrating effectiveness against unknown threats without relying on signatures or heuristics. Although the attack was neutralized, the techniques used highlight evolving adversary tactics that could threaten organizations globally. No known exploits are currently in the wild, and no CVE or specific threat actor attribution is available. The medium severity rating reflects the attack's complexity and potential impact if successful.

The reported threat involves a highly sophisticated cyberattack targeting a U.S. real estate company in October 2025, utilizing the emerging Tuoni C2 framework as the primary implant for command and control. The attack chain initiated with social engineering via Microsoft Teams impersonation, a vector that exploits trust in collaboration platforms to deliver malicious payloads. The initial payload was a PowerShell script hosted on suspicious domains (e.g., kupaoquan.com), which leveraged steganography techniques to conceal additional payloads within image files, complicating detection by traditional antivirus or network monitoring tools. The attack employed in-memory execution techniques (e.g., process injection and reflective loading) to avoid writing malicious code to disk, thereby evading endpoint detection systems that rely on file scanning. The Tuoni C2 framework itself is a sophisticated implant designed for stealthy remote control, likely supporting encrypted communications and modular payload delivery. Notably, the attack showed signs of AI-assisted code generation, suggesting the use of advanced automation to craft evasive and polymorphic malware components. Morphisec's AMTD technology, which implements a prevention-first approach by dynamically shifting attack surfaces and blocking execution of unknown threats without relying on signatures or behavioral heuristics, successfully thwarted the attack before any malicious code could execute. The attack tactics align with MITRE ATT&CK techniques such as T1566 (Phishing), T1059.001 (PowerShell), T1027 (Obfuscated Files or Information), T1055 (Process Injection), T1106 (Execution through API), and T1071.001 (Web Protocols). No CVE identifiers or known threat actor attribution are provided, and no exploits are currently observed in the wild, indicating this is an emerging threat vector rather than a widespread campaign.

Detailed information about Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted. Get real-time updates, technical details, and mitigation strategies.

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted - Live Threat Intelligence - Threat Radar | OffSeq.com

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-stage attack utilized advanced social engineering, adversary-in-the-middle techniques, and evasion tactics. The malware payload, SOGU.SEC backdoor, was deployed through a digitally signed downloader (STATICPLUGIN) and a side-loaded DLL (CANONSTAGER). The campaign demonstrated the evolving capabilities of PRC-nexus threat actors, employing stealthy tactics to avoid detection and leveraging legitimate Windows features for malicious purposes.

The PRC-Nexus espionage campaign, attributed to the UNC6384 threat actor group linked to the People's Republic of China (PRC), represents a sophisticated and multi-stage cyber espionage operation primarily targeting diplomats in Southeast Asia and other global entities. The attack chain begins with hijacking web traffic through captive portal redirects, a technique often used in public or semi-public Wi-Fi environments to intercept and manipulate user connections. This redirection delivers malware disguised as legitimate software updates, leveraging advanced social engineering tactics to deceive targets into executing malicious payloads. The campaign employs a digitally signed downloader named STATICPLUGIN, which enhances the malware's stealth by exploiting trusted Windows code-signing mechanisms, thereby evading traditional signature-based detection. Following this, a side-loaded DLL called CANONSTAGER is used to execute the SOGU.SEC backdoor, a malware payload that enables persistent remote access and espionage capabilities. The attackers utilize adversary-in-the-middle techniques to intercept and manipulate network traffic, combined with in-memory execution and evasion tactics to avoid detection by endpoint security solutions. The campaign also leverages legitimate Windows features and processes (e.g., DLL side-loading, signed binaries) to blend malicious activity with normal system operations, complicating detection and response efforts. The use of multiple MITRE ATT&CK techniques such as T1033 (System Owner/User Discovery), T1218.011 (Signed Binary Proxy Execution: Regsvr32), T1055 (Process Injection), and T1574.002 (DLL Side-Loading) indicates a high level of operational sophistication and adaptability. Overall, this campaign exemplifies the evolving capabilities of PRC-linked threat actors in conducting stealthy, targeted espionage against high-value diplomatic targets through a combination of network manipulation, social engineering, and advanced malware deployment.

Detailed information about PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Get real-time updates, technical details, and mitigation strate

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats - Live Threat Intelligence - Threat Radar | OffSeq.com

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and uses in-memory execution techniques for stealth. Active since early 2025, PS1Bot's information stealer targets cryptocurrency wallets and employs wordlists to identify files containing passwords and seed phrases. The campaign overlaps with previously reported Skitnet activities and uses similar C2 infrastructure. Delivery involves compressed archives with obfuscated scripts, leading to PowerShell modules for antivirus detection, screen capture, data theft, keylogging, and system information collection. Persistence is established through startup directory manipulation.

The PS1Bot malware campaign represents a sophisticated multi-stage threat primarily distributed via malvertising, leveraging deceptive online advertisements to infect victims. PS1Bot is implemented using PowerShell and C#, featuring a modular architecture that allows attackers to deploy various payloads tailored for information theft, keylogging, reconnaissance, and establishing persistent access on compromised systems. The malware employs advanced stealth techniques, including in-memory execution to avoid detection by traditional antivirus solutions and minimize forensic artifacts. The infection chain typically begins with compressed archives containing obfuscated scripts that execute PowerShell modules. These modules perform a range of malicious activities such as antivirus evasion, screen capturing, data exfiltration, keylogging, and system information gathering. Notably, PS1Bot targets cryptocurrency wallets by scanning files with wordlists to locate passwords and seed phrases, indicating a focus on financial theft. Persistence is maintained by manipulating the startup directory, ensuring the malware executes upon system reboot. The campaign has been active since early 2025 and shares infrastructure and tactics with the previously reported Skitnet malware group, suggesting a possible link or evolution. The use of malvertising as a delivery vector increases the attack surface, as it can reach a broad and diverse user base through compromised or malicious advertising networks. The modular design and use of PowerShell and C# enable rapid adaptation and deployment of new capabilities, making PS1Bot a versatile and persistent threat.

Detailed information about Malvertising campaign leads to PS1Bot, a multi-stage malware framework. Get real-time updates, technical details, and mitigation stra

Malvertising campaign leads to PS1Bot, a multi-stage malware framework - Live Threat Intelligence - Threat Radar | OffSeq.com

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then downloads and loads the XWorm binary. The latest version includes the ability to run as a critical process, preventing termination without admin privileges. It also introduces new anti-analysis techniques, such as terminating on Windows XP and detecting execution in data centers or hosting providers. The malware maintains its in-memory execution and continues to employ various evasion techniques.

XWorm version 6.0 is a sophisticated malware strain that demonstrates advanced evasion and persistence capabilities targeting Windows environments. The infection chain initiates with a VBScript that downloads and executes a PowerShell script. This PowerShell script performs an AMSI (Antimalware Scan Interface) bypass by modifying the CLR.DLL module in memory, effectively disabling AMSI's ability to detect malicious scripts and payloads. Following this, the malware downloads and loads the main XWorm binary, which executes primarily in-memory to avoid detection by traditional disk-based antivirus solutions. A notable feature of XWorm V6 is its ability to run as a critical Windows process, which prevents termination without administrative privileges, thereby enhancing its persistence on infected systems. The malware also incorporates anti-analysis techniques, such as terminating execution if it detects it is running on Windows XP (likely to avoid legacy analysis environments) and detecting if it is running in data center or hosting provider environments, where it will also terminate to evade sandbox or virtualized analysis. The malware leverages various MITRE ATT&CK techniques including process injection (T1055), credential dumping (T1003), persistence via registry run keys (T1547.001), and command execution through PowerShell (T1059.001) and VBScript (T1059.005). These capabilities make XWorm V6 a stealthy and resilient threat capable of evading detection and maintaining long-term access to compromised systems.

Detailed information about XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed. Get real-time updates, technical details, and mitigation strategies

XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed - Live Threat Intelligence - Threat Radar | OffSeq.com

XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

This threat involves an initial access broker group identified as TGR-CRI-0045 exploiting leaked Machine Keys from ASP.NET web applications to gain unauthorized access to targeted organizations. Machine Keys in ASP.NET are cryptographic keys used to protect View State data, authentication tokens, and other sensitive information. If these keys are leaked or compromised, attackers can manipulate or forge View State data, enabling deserialization attacks that execute arbitrary code in server memory. The attackers leverage ASP.NET View State deserialization vulnerabilities to run malicious payloads directly in memory, which reduces forensic footprints and complicates detection. After initial access, the threat actors deploy post-exploitation tools to maintain persistence and escalate privileges within the compromised environment. The campaign, active since October 2024 with heightened activity from January to March 2025, targets industries including finance, manufacturing, and technology sectors primarily in Europe and the United States. The group’s tactics and indicators overlap with those attributed to the Gold Melody threat actor, suggesting possible linkage. The exploitation technique focuses on abusing leaked cryptographic keys rather than exploiting software vulnerabilities directly, making traditional patching ineffective. Organizations are advised to audit and rotate Machine Keys following Microsoft's remediation guidance to invalidate compromised keys and prevent further exploitation. Indicators of compromise include multiple IP addresses and file hashes associated with the attack infrastructure and payloads. The attack chain involves initial access via crafted View State payloads, in-memory execution of malicious code, and subsequent lateral movement and privilege escalation using known techniques such as token manipulation and service persistence. The threat leverages IIS-hosted ASP.NET applications, which are prevalent in enterprise environments, making this a significant risk vector for organizations relying on this technology stack.

Detailed information about Exploitation of Leaked Machine Keys by Initial Access Broker. Get real-time updates, technical details, and mitigation strategies.

Exploitation of Leaked Machine Keys by Initial Access Broker - Live Threat Intelligence - Threat Radar | OffSeq.com

Exploitation of Leaked Machine Keys by Initial Access Broker

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.

This threat involves a fileless malware campaign distributing AsyncRAT, a remote access trojan, targeting primarily German-speaking users through websites themed around the 'Clickfix' concept. The attack vector leverages a fake 'I'm not a robot' CAPTCHA prompt to trick victims into executing malicious PowerShell commands. These commands then download and execute obfuscated C# code directly in memory, avoiding any disk writes and thereby evading traditional file-based detection mechanisms. The in-memory execution allows the attacker to establish full remote control over the compromised system, enabling credential theft, data exfiltration, and other malicious activities. Persistence is maintained by creating or modifying registry keys, ensuring the malware survives system reboots. Communication with the attacker’s command and control (C2) infrastructure occurs over port 4444, facilitating ongoing control and data transfer. The campaign has been active since at least April 2025 and is focused on German-speaking regions, with indicators including multiple IP addresses and the domain 'namoet.de'. The use of obfuscation and fileless techniques complicates detection and mitigation. The attack employs multiple MITRE ATT&CK techniques such as T1056.001 (Input Capture: Keylogging), T1140 (Deobfuscate/Decode Files or Information), T1059.001 (PowerShell), T1547.001 (Registry Run Keys/Startup Folder), T1571 (Non-Standard Port), T1027 (Obfuscated Files or Information), T1127.001 (Trusted Developer Utilities Proxy Execution), T1071.001 (Web Protocols), T1105 (Ingress Tool Transfer), and T1055.001 (Process Injection). This combination highlights a sophisticated, stealthy approach to compromise and maintain control over victim systems without leaving traditional forensic artifacts on disk.

Detailed information about Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users. Get real-time updates, technical details, and m

Title	Severity	Type	Source	Date

Threats Tagged 'in-memory execution'

Stop chasing alerts. Route them.

Filter Threats

Threats Tagged 'in-memory execution'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility