Threats Tagged 'rat'
From PostCSS Masquerading to Windows RAT
A supply chain attack uses typosquatting of the popular postcss-selector-parser npm package to distribute a multi-stage Windows Remote Access Trojan (RAT). The malicious packages masquerade as PostCSS utilities and carry encoded JavaScript that drops PowerShell scripts; those scripts download a bundled Python runtime with Nuitka-compiled modules, culminating in a RAT with encrypted HTTP C2 communication, persistence, VM detection, a remote shell, file transfer, and Chrome credential theft via DPAPI. The campaign shows build-tooling dependencies being used as a malware delivery vector against developer environments.
Source: AlienVault OTX General | Published 06/23/2026 17:20:30 UTC | Added 06/23/2026 19:24:39 UTC
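The entry above turns on a look-alike package name. The following is an added example, not code from the OTX pulse or from the PostCSS project: it audits a package.json for dependency names that are near-misses of known packages, using edit distance plus separator and case normalisation. The KNOWN_GOOD allowlist, the look-alike names and the manifest are constructed for the demo; a real deployment would feed it a curated list or a reviewed lockfile baseline.

```python
# Added example, not code from the OTX pulse or from the PostCSS project.
# Flags dependency names in a package.json that are near-misses of known
# packages, the pattern behind a typosquat of postcss-selector-parser.
import json
import re

# Constructed allowlist for the demo; in practice use a curated list of the
# packages your builds are expected to pull (e.g. names from a reviewed lockfile).
KNOWN_GOOD = {
    "postcss",
    "postcss-selector-parser",
    "postcss-value-parser",
    "autoprefixer",
    "cssnano",
}

SEPARATORS = re.compile(r"[-_.]")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1, so
    'selecter' vs 'selector' and 'postcss' vs 'postscs' both score 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidates(name: str, known=KNOWN_GOOD, max_distance: int = 2) -> list:
    """Known-good names that `name` imitates. Exact matches are not
    typosquats; scoped names are compared on the part after '@scope/'."""
    base = name.split("/", 1)[1] if name.startswith("@") and "/" in name else name
    base = base.lower()
    if base in known:
        return []
    hits = []
    for good in known:
        # separator or case games (postcss_selector_parser, PostCSS-Selector-Parser)
        if SEPARATORS.sub("", base) == SEPARATORS.sub("", good.lower()):
            hits.append(good)
        elif edit_distance(base, good.lower()) <= max_distance:
            hits.append(good)
    return sorted(hits)


def audit_package_json(text: str) -> dict:
    """Map each suspicious dependency name to the packages it resembles."""
    pkg = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep in pkg.get(section, {}):
            near = typosquat_candidates(dep)
            if near:
                findings[dep] = near
    return findings


# Constructed manifest: two look-alike names planted among legitimate ones.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "postcss": "^8.4.0",
    "postcss-selector-parser": "^6.0.0",
    "postcss-selecter-parser": "^6.0.0",
    "left-pad": "^1.3.0"
  },
  "devDependencies": {
    "postcsss": "^1.0.0",
    "autoprefixer": "^10.0.0"
  }
}"""

if __name__ == "__main__":
    for dep, near in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: resembles {', '.join(near)}")
```

Run it against the manifest of a build that pulls PostCSS tooling; a hit means a human should confirm the name before the lockfile is committed. A distance threshold of 2 is deliberately loose, so short legitimate names will occasionally collide with each other and the allowlist should only contain packages you actually depend on.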
Twitter Feed - nextronresearch - 17-06-2026
SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new campaign targeting Indian defense personnel, using a fake "Minutes Of Meeting" document as the lure. The attack follows the same playbook as previous operations: a double-extension file, Minutes Of Meeting.docx.lnk, runs a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that persists through the HKCU Run key. The staged components show low detection rates at initial delivery: the decoy document scored 0/66, the stager 1/61, and only the final executable reached 35/71 detections.
Source: AlienVault OTX General | Published 06/18/2026 03:19:07 UTC | Added 06/18/2026 20:20:24 UTC
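The chain above has three observable links that do not depend on the final executable being recognised by antivirus: a double-extension .lnk landing on disk, explorer.exe launching a script host on a .bat or .ps1, and a new HKCU Run value. The following is an added example, not code from the Nextron post or any vendor product: it scores those stages per host over a batch of simplified endpoint telemetry. The event shape (a Sysmon-like dict per record), the rule weights and the sample events are constructed for the demo.

```python
# Added example, not code from the Nextron post or any vendor product.
# Hunts the three observable links of the lure chain over a batch of
# simplified endpoint telemetry: a double-extension .lnk landing on disk,
# explorer.exe launching a script host on a .bat/.ps1, and an HKCU Run value.
import re

DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
SCRIPT_ARG = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.IGNORECASE)
HKCU_RUN = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Score weights are an assumption for the demo, chosen so that any two of the
# three stages on one host cross the alert threshold.
WEIGHTS = {
    "double_extension_lnk": 2,
    "explorer_spawns_script_host": 2,
    "hkcu_run_persistence": 1,
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) pairs that fire for one telemetry record."""
    hits = []
    kind = ev["type"]
    if kind == "file_create" and DOUBLE_EXT_LNK.search(ev["path"]):
        hits.append(("double_extension_lnk", ev["path"]))
    elif kind == "process_create":
        if (_basename(ev["image"]) in SCRIPT_HOSTS
                and _basename(ev["parent_image"]) == "explorer.exe"
                and SCRIPT_ARG.search(ev["cmdline"])):
            hits.append(("explorer_spawns_script_host", ev["cmdline"]))
    elif kind == "registry_set" and HKCU_RUN.match(ev["key"]):
        hits.append(("hkcu_run_persistence", f'{ev["key"]} = {ev["value"]}'))
    return hits


def triage(events: list, min_rules: int = 2) -> dict:
    """Group hits per host; report hosts where at least `min_rules`
    distinct stages of the chain were observed."""
    per_host = {}
    for ev in events:
        for rule, detail in check_event(ev):
            h = per_host.setdefault(ev["host"], {"score": 0, "rules": set(), "details": []})
            h["score"] += WEIGHTS[rule]
            h["rules"].add(rule)
            h["details"].append(detail)
    return {host: h for host, h in per_host.items() if len(h["rules"]) >= min_rules}


# Constructed telemetry in a Sysmon-like shape (not real logs): host WS01
# shows the full chain, WS02 only a benign document and a legitimate Run value.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS01",
     "path": "C:\\Users\\alice\\Downloads\\Minutes Of Meeting.docx.lnk"},
    {"type": "process_create", "host": "WS01",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c \"C:\\Users\\alice\\Downloads\\pdfdocs\\pdfdocs.bat\""},
    {"type": "process_create", "host": "WS01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c <stager>"},
    {"type": "registry_set", "host": "WS01",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\pdfdocs",
     "value": "C:\\Users\\alice\\AppData\\Roaming\\pdfdocs\\pdfdocs.exe"},
    {"type": "file_create", "host": "WS02",
     "path": "C:\\Users\\bob\\Documents\\Minutes Of Meeting.docx"},
    {"type": "registry_set", "host": "WS02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for host, h in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score={h['score']} rules={sorted(h['rules'])}")
        for d in h["details"]:
            print("   ", d)
```

The Run-key rule alone is noisy (every OneDrive install sets one), which is why it carries the lowest weight and only contributes once another stage fires on the same host; the two process-tree and filename rules are the ones worth alerting on by themselves. Sysmon event IDs 11, 1 and 13 carry the fields this needs.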
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Through April 2026, Kimsuky ran tailored social-engineering campaigns against South Korean military and corporate targets, using fake security-software installation pages and spoofed Webex meeting pages built around legitimate meeting schedules. The actor introduced a technique dubbed JSONPing: the distribution page issues JSONP queries to a server on localhost, which lets it verify in real time whether the victim has executed the payload. Analysis revealed a new HttpSpy variant with a three-stage execution chain replacing the earlier single-binary architecture, using RC4 encryption and sharing infrastructure indicators with earlier activity. Attribution rests on code-pattern overlaps, reused encryption keys, XAMPP certificate fingerprints, and the ASN preferences seen in historical Kimsuky operations against South Korea.
Source: AlienVault OTX General | Published 05/29/2026 11:20:12 UTC | Added 05/29/2026 12:48:34 UTC
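JSONPing works because a script tag can load from a loopback address and the browser will execute whatever the local listener returns, so the page learns whether the payload is up without any same-origin restriction getting in the way. The following is an added example, not code from the report or from Kimsuky's pages: it lists loopback script loads in a suspected distribution page together with the JSONP callback they name, and shows the reply shape the local listener has to produce for the check to succeed, which is what a proxy or EDR rule would match on. The callback parameter names and the sample page are assumptions constructed for the demo; the report does not name the parameter Kimsuky's pages use.

```python
# Added example, not code from the report or from Kimsuky's pages. Models the
# JSONPing check from the defender's side: given the HTML of a suspected
# distribution page, list <script src> beacons aimed at loopback addresses and
# the JSONP callback they expect.
import ipaddress
import json
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Parameter names are an assumption; JSONP endpoints conventionally use
# 'callback', but the report does not name the one these pages use.
CALLBACK_PARAMS = ("callback", "cb", "jsonp")
JS_IDENT = re.compile(r"^[A-Za-z_$][\w$]*$")


class _ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def is_loopback_url(url: str) -> bool:
    """True for URLs whose host is localhost or a loopback IP. A hostname
    such as '127.0.0.1.evil.test' is not an IP literal and does not count."""
    host = urlsplit(url).hostname or ""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_beacons(html: str) -> list:
    """Loopback script loads found in the page, with port and callback name."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    beacons = []
    for src in collector.srcs:
        if not is_loopback_url(src):
            continue
        parts = urlsplit(src)
        try:
            port = parts.port
        except ValueError:
            port = None
        qs = parse_qs(parts.query)
        callback = next((qs[k][0] for k in CALLBACK_PARAMS if k in qs), None)
        beacons.append({"src": src, "port": port, "callback": callback})
    return beacons


def jsonp_reply(callback: str, executed: bool) -> str:
    """The wire shape a local listener returns for the page's check: a JS call
    to the requested callback. Only a plain identifier is accepted, so the
    query parameter cannot be turned into arbitrary script."""
    if not JS_IDENT.match(callback):
        raise ValueError("callback is not a plain JS identifier")
    return f"{callback}({json.dumps({'executed': executed})});"


# Constructed page: one legitimate CDN script, two loopback beacons (IPv4 and
# IPv6), one loopback asset load without a callback, and one decoy hostname.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.test/webex-meeting.js"></script>
</head><body>
<script src="http://127.0.0.1:65432/ping?callback=__chk&t=1"></script>
<script src='http://[::1]:65432/ping?callback=__chk'></script>
<script src="http://localhost/assets/app.js"></script>
<script src="https://127.0.0.1.evil.test/not-local.js"></script>
</body></html>"""

if __name__ == "__main__":
    for b in find_local_beacons(SAMPLE_PAGE):
        print(f"loopback beacon: {b['src']} port={b['port']} callback={b['callback']}")
    print(jsonp_reply("__chk", True))
```

Static HTML only catches beacons written into the page; a page that creates the script element from JavaScript after a timer needs a DOM-instrumented run (a headless browser logging script-src requests) to surface the same loopback URL. A browser request to 127.0.0.1 on an unusual port from a page served by an external host is itself a cheap network-level signal.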