Threats Tagged 't1071'

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

MediumMalwareBrazil#banana rat#fake captcha#smartrat

Since late 2025, cybercriminals have been exploiting Wallpaper Engine, a popular live wallpaper application on Steam, to distribute malware through Steam Workshop. Attackers target primarily Chinese and Russian gamers by embedding malicious code within application wallpapers shared on the platform. These compromised wallpapers deliver various malware types including infostealers, backdoors, crypto miners, and ransomware. One analyzed sample dropped DarkKomet backdoor while hijacking Steam sessions to steal account credentials. The malware modifies system libraries to locate Steam installations and exfiltrate data to attacker-controlled servers. Compromised accounts are then used to upload additional malicious wallpapers. The diverse malware families suggest multiple independent hacking groups are exploiting this distribution method. Infected wallpapers received thousands of downloads before removal, with 89% of infections occurring in China.

MediumMalwareBritish Indian Ocean TerritoryCanadaChina+5#account hijacking#vidar#wallpaper engine

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.

MediumCampaignUnited States#void blizzard#cryptocurrency#denis obrezko

Lookalike attacks exploit human cognitive shortcuts rather than technical vulnerabilities, designing domain names that resemble legitimate services to bypass security controls. These attacks leverage predictable patterns in how people read and process text, using techniques including homographs, typosquatting, domain embedding, and keyword association. The domain name itself embeds targeting intent, making attacks visible in DNS infrastructure before malicious activity occurs. Attackers face deliberate tradeoffs between plausibility and uniqueness, often maintaining domains in dormant states between campaigns to evade takedown. DNS provides early structural signals about attacker intent and brand targeting, though ambiguity remains inherent as legitimate services often exhibit similar patterns. Effective detection requires separating targets from imposters and understanding that domain-based analysis surfaces risk rather than definitive verdicts.

A new post-exploitation red team tool named Splinter has been discovered on customer systems through Advanced WildFire's memory scanning capabilities. Developed in Rust programming language, Splinter is exceptionally large at around 7MB due to statically linked libraries. The tool uses a JSON configuration structure containing implant ID, C2 server details, and operational parameters. It operates through a task-based model with capabilities including Windows command execution, remote process injection, file upload/download, cloud service information gathering, and self-deletion. Communication with the C2 server occurs via HTTPS using specific URL paths for task synchronization, heartbeat connections, and file transfers. While not as sophisticated as Cobalt Strike, Splinter represents a growing variety of penetration testing tools that could potentially be misused by threat actors.

Multiple malicious Chrome extensions are exploiting the growing use of AI platforms by disguising themselves as legitimate productivity tools while secretly stealing user conversations and personal data. Extensions including Urban VPN, Smart Sidebar, and AI Assistant/Chat AI collectively reach millions of users but contain hidden scripts that intercept communications with popular AI platforms like ChatGPT, Claude, DeepSeek, Gemini, and others. These extensions inject malicious JavaScript that overrides network requests, monitors DOM elements for chat interactions, and exfiltrates sensitive data including conversation content, session identifiers, and timestamps to remote servers. The threat is particularly concerning as users frequently share confidential personal, medical, and corporate information with AI platforms, making intercepted conversations highly valuable for threat actors.

A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.

Iran's Ministry of Intelligence has broadened its Handala brand beyond cyber operations to include physical threats and influence campaigns targeting US and Israeli interests. The expansion encompasses multiple personas: Handala Popular Resistance Front claiming physical attacks inside Israel, VIPEmployment recruiting proxies globally for espionage and sabotage, and MOISIRAN conducting surveillance operations. These entities engage in coordinated amplification across platforms, soliciting individuals to conduct attacks for financial rewards. The consolidation creates a multi-domain threat combining hacktivist activities with physical operations, espionage recruitment, and influence campaigns. This approach leverages Handala Hack Team's recognition to amplify recruitment efforts while increasing risks to law enforcement, military, intelligence personnel, and critical infrastructure across targeted regions.

MediumMalwareUnited StatesAlbaniaIsrael#hprf#void manticore#proxy recruitment

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.