Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar, and StealC. A new variant of ACRStealer emerged, using advanced techniques like HTTP host domain spoofing and anti-analysis methods. Distribution via crack disguises decreased, with 94.4% in EXE format and 5.6% using DLL-SideLoading. A unique malware type was observed, creating an uncontrollable window prompting browser updates. Some samples now hide compression passwords in image files, indicating evolving evasion tactics.

The June 2025 Infostealer Trend Report highlights evolving trends in the deployment and sophistication of infostealer malware families. Infostealers are malicious programs designed to covertly extract sensitive information such as credentials, cookies, autofill data, and system details from infected hosts. The report identifies several prominent malware strains active in June 2025, including LummaC2, Rhadamanthys, ACRStealer, Vidar, and StealC. Notably, a new variant of ACRStealer has emerged, employing advanced evasion techniques such as HTTP host domain spoofing to masquerade network communications and anti-analysis methods to hinder detection and reverse engineering efforts. The distribution methods have shifted away from crack-based disguises, with 94.4% of samples delivered as standalone executable (EXE) files and 5.6% leveraging DLL side-loading, a technique where malicious DLLs are loaded by legitimate applications to evade detection. A unique malware behavior was observed where an uncontrollable window prompts users to update their browsers, likely a social engineering tactic to induce user interaction or distract from malicious activity. Additionally, some malware samples now embed compression passwords within image files, an innovative evasion tactic to bypass static and heuristic detection by hiding payload decryption keys in innocuous-looking files. The malware families utilize a range of MITRE ATT&CK techniques, including credential dumping (T1555), process injection (T1055), discovery (T1082, T1087), command execution (T1059), and persistence mechanisms (T1547.001). Although no known exploits in the wild are reported, the evolving sophistication and distribution methods indicate a persistent threat landscape. The report underscores the importance of monitoring these malware families and adapting detection and mitigation strategies accordingly.

Detailed information about June 2025 Infostealer Trend Report. Get real-time updates, technical details, and mitigation strategies.

June 2025 Infostealer Trend Report - Live Threat Intelligence - Threat Radar | OffSeq.com

June 2025 Infostealer Trend Report

A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server selection, anti-bot mechanisms, and manipulates SEO-related files. The malware's main goals include manipulating search engine rankings, injecting spam content, and performing unauthorized redirects. It uses obfuscation techniques and ZIP archives for code inclusion, making it challenging to detect and remove. Prevention measures include keeping software updated, using reputable sources for themes and plugins, implementing strong credential security, utilizing a Web Application Firewall, and regularly scanning for malware.

This threat involves a sophisticated PHP malware campaign targeting WordPress websites by embedding malicious code directly into the core WordPress file wp-settings.php. The malware leverages a ZIP archive to conceal its malicious payload, which is dynamically included and executed, complicating detection and removal efforts. Its primary malicious activities include search engine poisoning—manipulating SEO-related files to alter search engine rankings—and unauthorized content injection, such as spam content and redirects to malicious or fraudulent sites. The malware employs advanced evasion techniques, including dynamic Command and Control (C2) server selection to maintain resilience and anti-bot mechanisms to avoid detection by automated scanners or security researchers. The obfuscation of code and use of ZIP archives for code inclusion further enhance its stealth capabilities. The malware’s objectives are to hijack web traffic, degrade the reputation and integrity of infected WordPress sites, and potentially funnel visitors to malicious destinations. Indicators of compromise include domains such as oqmetrix.icercanokt.xyz, wditemqy.enturbioaj.xyz, and yzsurfar.icercanokt.xyz, which serve as C2 or redirect points. Although no specific WordPress versions are identified as vulnerable, the infection vector is through core file compromise, implying that any WordPress site with insufficient security hygiene could be at risk. The campaign does not currently have known exploits in the wild but represents a medium-severity threat due to its stealth, persistence, and impact on website integrity and user trust. The malware’s tactics align with MITRE ATT&CK techniques such as command execution (T1059.007), code obfuscation (T1027), and SEO poisoning (T1491).

Detailed information about Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors. Get real-time updates, technical details, and mitigation strate

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors - Live Threat Intelligence - Threat Radar | OffSeq.com

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts on legitimate websites, forums, and Q&A pages. Malware was primarily distributed in EXE format (95.4%), with a decrease in DLL-SideLoading (4.6%). Notable trends include the emergence of BAT script malware, use of the Wormhole file-sharing service for distribution, and the use of Unicode characters in compression passwords to bypass security measures. The report provides insights into distribution volumes, methods, and disguises based on data collected and analyzed by advanced security systems.

The May 2025 Infostealer Trend Report details the evolving distribution and characteristics of Infostealer malware campaigns observed during May 2025. The report identifies several prominent Infostealer families including LummaC2, Vidar, StealC, Rhadamanthys, and Amadey. These malware strains are primarily designed to exfiltrate sensitive information such as credentials, financial data, and system details from infected hosts. A key distribution vector highlighted is SEO poisoning, where threat actors manipulate search engine results to promote malicious downloads disguised as software cracks and keygens. This tactic exploits users seeking pirated software, increasing the likelihood of infection. Distribution channels also include legitimate websites, forums, and Q&A pages, lending credibility to the malicious payloads and facilitating user trust.

The malware is predominantly delivered in executable (EXE) format, accounting for 95.4% of observed samples, with a smaller portion (4.6%) utilizing DLL side-loading techniques to evade detection and maintain persistence. Notably, there is an emergence of BAT script-based malware, which can execute commands and scripts on Windows systems, potentially broadening the attack surface. The Wormhole file-sharing service is identified as a novel distribution platform, enabling threat actors to share malicious payloads securely and bypass some traditional detection mechanisms. Additionally, the use of Unicode characters in compression passwords is a sophisticated evasion technique designed to circumvent security controls that scan compressed archives for malware signatures.

The report underscores the adaptability of Infostealer campaigns in leveraging social engineering, technical evasion, and diverse distribution methods to maximize infection rates. The inclusion of multiple MITRE ATT&CK techniques such as T1140 (Deobfuscate/Decode Files or Information), T1036 (Masquerading), T1059.001 (PowerShell), T1566 (Phishing), T1027 (Obfuscated Files or Information), T1059.003 (Windows Command Shell), T1574.002 (DLL Side-Loading), and T1204.001 (User Execution) illustrates the multi-faceted approach attackers use to infiltrate and maintain control over victim systems.

Detailed information about May 2025 Infostealer Trend Report. Get real-time updates, technical details, and mitigation strategies.

May 2025 Infostealer Trend Report - Live Threat Intelligence - Threat Radar | OffSeq.com

May 2025 Infostealer Trend Report

Cisco Talos has uncovered new threats disguised as legitimate AI tool installers, including CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly-discovered malware called Numero. These threats exploit the increasing popularity of AI across various industries. CyberLock, developed using PowerShell, encrypts specific files and demands a $50,000 ransom in Monero. Lucky_Gh0$t is a variant of Yashma ransomware, distributed as a fake ChatGPT installer. Numero, masquerading as an AI video creation tool, manipulates the Windows GUI, rendering systems unusable. Threat actors are using SEO poisoning and social media to distribute these fraudulent installers, targeting businesses in B2B sales, technology, and marketing sectors. Organizations must exercise caution and rely on reputable vendors to avoid falling prey to these malicious campaigns.

Cisco Talos has identified a new wave of cyber threats that leverage the growing popularity of AI tools by disguising malware as legitimate AI software installers. The primary malicious payloads include CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered malware named Numero. CyberLock ransomware is implemented using PowerShell scripts and targets specific file types for encryption, demanding a ransom payment of $50,000 in Monero cryptocurrency. Lucky_Gh0$t is a variant of the Yashma ransomware family and is distributed under the guise of a fake ChatGPT installer, exploiting user trust in popular AI applications. Numero malware masquerades as an AI video creation tool but instead manipulates the Windows graphical user interface, effectively rendering infected systems unusable and causing operational chaos. These threats are propagated through SEO poisoning techniques and social media campaigns, which direct victims to download these fraudulent installers. The attackers specifically target organizations in B2B sales, technology, and marketing sectors, where AI adoption is rapidly increasing. The lack of known exploits in the wild suggests these campaigns may be in early stages or targeted, but the use of sophisticated social engineering and distribution methods indicates a significant risk. The threat actors exploit user trust in AI tools and the current hype around AI technologies to increase infection rates. The malware variants differ in their impact: ransomware strains encrypt data for financial gain, while Numero disrupts system usability, potentially causing downtime and productivity loss. This multi-faceted approach increases the overall threat landscape complexity for organizations relying on AI tools or interested in adopting them.

MD5 of e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd

MD5 of c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef

MD5 of 080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39

MD5 of b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589

MD5 of 14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878

MD5 of f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf

MD5 of ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5

MD5 of 79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63

MD5 of 0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10

MD5 of 1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23

MD5 of 527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff

MD5 of ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f

MD5 of 57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683

MD5 of e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c

MD5 of d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c

MD5 of a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065

MD5 of f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c

MD5 of 2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77

MD5 of 03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e

MD5 of 51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd

MD5 of 63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea

MD5 of a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a

MD5 of 4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b

MD5 of 0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412

SHA1 of ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f

SHA1 of 4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b

SHA1 of 0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412

SHA1 of f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf

SHA1 of 2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77

SHA1 of d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c

SHA1 of c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef

SHA1 of f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c

SHA1 of 0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10

SHA1 of 03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e

SHA1 of 527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff

SHA1 of 57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683

SHA1 of b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589

SHA1 of 080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39

SHA1 of a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065

SHA1 of e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c

SHA1 of a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a

SHA1 of 51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd

SHA1 of 14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878

SHA1 of 63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea

SHA1 of ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5

SHA1 of 1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23

SHA1 of e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd

SHA1 of 79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63

MD5 of 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f

MD5 of 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901

MD5 of c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738

MD5 of 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9

SHA1 of 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f

SHA1 of 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9

SHA1 of c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738

SHA1 of 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901

Detailed information about Cybercriminals camouflaging threats as AI tool installers. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'seo poisoning'

Filter Threats

Threats Tagged 'seo poisoning'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility