Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

This threat involves a sophisticated attack campaign leveraging compromised WordPress websites to distribute a malicious variant of the NetSupport Manager Remote Access Tool (RAT). The attackers initiate the infection chain through phishing campaigns that lure victims to compromised WordPress sites. These sites have been manipulated using Document Object Model (DOM) techniques and injected JavaScript files to evade detection and present a fake CAPTCHA page, increasing the likelihood of user interaction and trust. Upon interaction, a batch file is downloaded and executed on the victim's machine, which subsequently downloads and runs the NetSupport Client component. NetSupport Manager is a legitimate remote administration tool often used for remote support, but in this context, it is weaponized as a RAT to provide attackers with persistent remote access. Post-infection, the attackers exploit NetSupport's built-in capabilities for reconnaissance, lateral movement, and further exploitation within the victim environment. The attack infrastructure is linked to multiple IP addresses and domains, many associated with hosting providers in Moldova, indicating a geographically clustered command and control setup. The use of compromised WordPress sites and phishing campaigns highlights a multi-stage attack vector combining social engineering, web compromise, and malware deployment. The threat actors employ advanced evasion techniques such as DOM manipulation and multiple JavaScript payloads to avoid detection by security tools. Although no specific CVE or known exploits in the wild are reported, the attack leverages common tactics, techniques, and procedures (TTPs) including phishing (T1566), execution through batch files (T1059.003), remote access (T1021.001), persistence (T1547.001), and reconnaissance (T1082, T1016). The medium severity rating reflects the complexity and potential impact of the attack, though it requires user interaction and initial phishing success to propagate.

Detailed information about Deploying NetSupport RAT via WordPress & ClickFix. Get real-time updates, technical details, and mitigation strategies.

Deploying NetSupport RAT via WordPress & ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Deploying NetSupport RAT via WordPress & ClickFix

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disguised executable. Once executed, the malware installs and connects to a LogMeIn server, allowing remote access and control of the compromised machine. Over 28 distinct campaigns targeting more than 1,271 users have been observed in the past two months. The technique's effectiveness stems from the use of a legitimate platform, a genuine remote access tool, and social engineering tactics. Recommendations include monitoring suspicious Vercel subdomains, educating employees about fake support scams, and implementing strict controls for remote access software installations.

This threat involves a sophisticated phishing campaign leveraging the legitimate frontend hosting platform Vercel to distribute a malicious variant of the remote access tool LogMeIn. Attackers send phishing emails containing links to malicious pages hosted on Vercel, which impersonate an Adobe PDF viewer interface to deceive users. The malicious page prompts users to download an executable disguised as a legitimate file. Upon execution, the malware installs itself and establishes a connection to a LogMeIn server controlled by the attacker, granting remote access and control over the compromised system. This campaign has been active for at least two months, with over 28 distinct campaigns targeting more than 1,271 users. The attack's success is attributed to the abuse of a trusted platform (Vercel), use of a genuine remote access tool (LogMeIn), and effective social engineering tactics such as impersonation of common software and fake support scams. Indicators of compromise include multiple file hashes and suspicious domains. The campaign techniques align with MITRE ATT&CK tactics such as T1566 (phishing), T1204 (user execution), T1219 (remote access software), T1036 (masquerading), and T1105 (remote file copy). No known exploits or threat actors have been identified, and no CVSS score is assigned. The threat is rated medium severity due to its reliance on user interaction and social engineering, but it poses significant risk due to the potential for unauthorized remote access and control.

Detailed information about Cybercriminals Abusing Vercel to Deliver Remote Access Malware. Get real-time updates, technical details, and mitigation strategies.

Cybercriminals Abusing Vercel to Deliver Remote Access Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promising cutting-edge content generation in exchange for user uploads.

The Noodlophile stealer is a newly identified malware strain distributed through fake AI-powered video generation platforms. As AI content creation tools gain popularity, cybercriminals exploit user trust by offering fraudulent services that promise advanced video generation capabilities in exchange for user uploads. These fake platforms serve as a lure to deliver the Noodlophile stealer, which is an infostealer malware designed to harvest sensitive information from infected systems. The malware is linked to multiple attack techniques including credential theft, remote access capabilities, and worm-like propagation features. It is implemented in Python and leverages social engineering tactics such as malicious Word documents and fake AI platform downloads (e.g., VideoLumaAI.zip, Creation_Luma.zip) to infect victims. The malware employs techniques identified by MITRE ATT&CK such as T1036 (Masquerading), T1204 (User Execution), T1041 (Exfiltration Over C2 Channel), T1503 (Steal Application Access Token), T1539 (Steal Web Session Cookie), and T1055 (Process Injection). Once executed, it can steal credentials, session cookies, and potentially establish remote access to compromised systems. The malware distribution is facilitated via URLs hosted on various IP addresses and domains mimicking legitimate AI content creation services. Although no known exploits in the wild have been reported, the malware’s use of social engineering and common user behaviors (downloading AI tools, opening documents) increases its infection potential. The presence of worm-like capabilities suggests it may propagate within networks, increasing its impact. The malware hashes and URLs provide indicators of compromise for detection and response efforts.

MD5 of 18c14dcfb9a54c5359026a5fcbdb3e4ba6ced2628a9cd9ae589baedbb29beaa6

SHA1 of 18c14dcfb9a54c5359026a5fcbdb3e4ba6ced2628a9cd9ae589baedbb29beaa6

Detailed information about New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms. Get real-time updates, technical details, and mitigation 

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms - Live Threat Intelligence - Threat Radar | OffSeq.com

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF file, users are presented with two hyperlinks: 'Preview' leads to a fake Microsoft login page for credential theft, while 'Download' initiates the installation of ConnectWise RAT malware. The malware establishes persistence through system services and registry modifications. This dual-threat approach emphasizes the need for user vigilance and education in recognizing phishing attempts and suspicious emails.

The identified threat, termed 'Pick your Poison - A Double-Edged Email Attack,' is a sophisticated phishing and malware campaign targeting Office365 users. Attackers leverage social engineering by sending emails that use a plausible pretext—a file deletion reminder—and exploit a legitimate file-sharing service to increase credibility and bypass initial suspicion. The email contains a shared PDF file with two embedded hyperlinks: 'Preview' and 'Download.' The 'Preview' link directs victims to a counterfeit Microsoft login page designed to harvest Office365 credentials, enabling attackers to gain unauthorized access to corporate email and cloud resources. The 'Download' link initiates the installation of the ConnectWise Remote Access Trojan (RAT), a malware known for establishing persistence on infected systems through system services and registry modifications (techniques T1543 and T1547). This RAT allows attackers remote control capabilities, potentially enabling data exfiltration, lateral movement, and further compromise. The campaign combines multiple attack techniques, including phishing (T1566), credential theft (T1078), obfuscation (T1027), and execution of malicious code (T1059), highlighting a multi-faceted approach to compromise. The use of a legitimate file-sharing service and a realistic scenario increases the likelihood of user interaction, making this attack particularly dangerous. The absence of known exploits in the wild suggests this is a relatively new or targeted campaign, but the medium severity rating underscores the significant risk posed by credential theft combined with malware infection.

Detailed information about Pick your Poison - A Double-Edged Email Attack. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'remote access'

Filter Threats

Threats Tagged 'remote access'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility