Threats Tagged 'malware'
View all threats tagged with 'malware'. Filter and sort to focus on specific types of threats.
The entire @mastra npm scope got hijacked last night with 141 packages including @mastra/core
The entire @mastra npm scope was hijacked, affecting 141 packages including @mastra/core. The attacker did not modify the original source code but added a malicious dependency named easy-day-js, a seemingly benign dayjs clone. The attack exploited semantic versioning: the dependency was declared with a version range (^1.11.21) while the latest tag pointed to a newer version (1.11.22) containing a malicious postinstall hook, so the malicious code executed during package installation without immediate detection.
Source: Reddit Malware | 06/17/2026, 07:05:31 UTC | Added: 06/17/2026, 17:50:02 UTC

CIRCL OSINT Feed | 06/16/2026, 00:00:00 UTC | Added: 06/17/2026, 13:15:02 UTC

HallWatch: User-mode indirect syscall detection
HallWatch is a user-mode detection tool designed to identify indirect syscalls by patching the syscall instruction itself to trigger breakpoints. It targets modern syscall bypass techniques such as Hell's Hall, Tartarus' Gate, RecycledGate, and VEH syscalls that evade traditional user-mode hooks. The tool is currently a research proof-of-concept and aims to provide lightweight syscall detection for system libraries in Windows environments.
Source: Reddit Malware | 06/15/2026, 16:40:56 UTC | Added: 06/16/2026, 17:45:23 UTC

Remus Stealer - 64-bit evolution of Lumma
Remus Stealer is a 64-bit malware evolution of Lumma Stealer that emerged in 2026 as a Malware-as-a-Service infostealer. It targets credentials, browser cookies, authentication tokens, and cryptocurrency wallets, and is notably capable of stealing active session cookies to bypass multi-factor authentication. The malware uses advanced evasion techniques including EtherHiding, which stores command-and-control addresses in Ethereum smart contracts to avoid takedowns, and enhanced anti-analysis features such as sandbox DLL checks and PST honeypot detection. Infection vectors include phishing, fake software downloads, malvertising, fake CAPTCHA campaigns, SEO poisoning, and fake GitHub projects. It targets sectors such as financial services, healthcare, government, technology firms, and managed service providers. No official patch or remediation is indicated, and no known exploits in the wild are reported yet.
Source: Reddit Malware | 06/15/2026, 20:52:40 UTC | Added: 06/16/2026, 17:45:23 UTC

About binary security/analysis - reverse engineering Discord server
This entry describes a Discord server community focused on binary security research topics such as reverse engineering, binary obfuscation, exploit development, and malware analysis. It is a community resource rather than a security threat or vulnerability. No specific vulnerability, exploit, or attack vector is described.
Source: Reddit Malware | 06/16/2026, 11:37:33 UTC | Added: 06/16/2026, 17:45:23 UTC

CIRCL OSINT Feed | 06/15/2026, 00:00:00 UTC | Added: 06/16/2026, 16:45:02 UTC

CIRCL OSINT Feed | 06/14/2026, 00:00:00 UTC | Added: 06/15/2026, 10:00:07 UTC

Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks
A malspam infrastructure is distributing a JavaScript backdoor targeting various sectors globally, including energy and finance ministries in the CIS region. The campaigns appear financially motivated, aiming at email account compromise and business email compromise. The malicious infrastructure uses two bulletproof hosting networks: GHOSTYNETWORKS (a rebrand of OPTIBOUNCE linked to AnonRDP) and OMEGATECH (associated with Virtualine). These networks provide resilient hosting for both spam-sending IPs and command-and-control servers. Historical analysis shows this threat actor has been active since late 2025 with related malspam and malware operations supported by similar bulletproof hosting services.
Source: Reddit ThreatIntel | 06/12/2026, 14:26:40 UTC | Added: 06/15/2026, 09:45:03 UTC

CIRCL OSINT Feed | 06/13/2026, 00:00:00 UTC | Added: 06/14/2026, 13:39:13 UTC

CIRCL OSINT Feed | 06/12/2026, 00:00:00 UTC | Added: 06/13/2026, 06:54:13 UTC

Showing 1 to 10 of 404 results