Threats Tagged 't1083'

A sophisticated phishing campaign was identified distributing multiple malware families through a multi-stage loader utilizing steganography and fileless techniques. The infection chain begins with archive attachments containing files disguised as financial documents, primarily targeting Indian organizations using names related to GST, NEFT, RTGS, and IMPS transactions. The loader employs in-memory execution to avoid disk-based artifacts and uses embedded .NET Bitmap objects to conceal payloads. Various malware families have been deployed including Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, Dark Cloud, Red Line Stealer, Snake keyloggers, Formbook, and xworm. The final payloads establish persistence through registry Run keys, perform process hollowing, steal browser credentials, record audio and webcam, and exfiltrate data to command-and-control infrastructure. The campaign exhibits characteristics of a loader-as-a-service operation serving multiple threat actors globally.

MediumMalwareBritish Indian Ocean TerritoryIndia#fileless#loader-as-a-service#steganography

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

MediumMalwareBritish Indian Ocean TerritoryFranceHong Kong+6#gitlab pages abuse#macsync#ai impersonation

This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.

Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from takeover of the ehindero npm maintainer account, which published poisoned package versions introducing easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Any developer workstation or CI/CD pipeline executing npm install after compromise was potentially exposed regardless of code usage.

More than 140 Mastra npm packages were compromised through a supply chain attack that injected a typosquatted dependency called easy-day-js. A single npm account published malicious versions within a short timeframe, affecting packages including @mastra/core with over 918K weekly downloads. The attack executes during npm install via a postinstall hook, deploying a two-stage payload. The first stage disables TLS validation and downloads a second-stage implant that installs cross-platform persistence on Windows, macOS, and Linux. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, harvests browser history, and can execute arbitrary code sent by operators. The malicious code executes before developers import packages, compromising systems during installation.

SearchJack represents a coordinated campaign comprising 23 deceptive Chrome browser extensions that silently hijack users' default search engines, redirecting queries through monetization middleware before delivering results. These extensions masquerade as various productivity tools, satellite imagery viewers, maps, and news readers while their actual purpose is generating search affiliate revenue. The campaign affects approximately 758,000 users across 22 unique publishers and leverages at least 8 distinct monetization brokers, primarily routing traffic through Yahoo Hosted Search affiliate programs. The extensions employ manifest-only wrappers using chrome_settings_overrides to hijack search settings, with some implementing runtime obfuscation to evade static analysis. Several extensions feature false privacy claims, anomalous review patterns, and anonymous publishers with fictional corporate identities, enabling operators to monetize user search behavior while maintaining zero accountability.

An active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate files served through Awesome Motive's CDN endpoints. The malware activates when a logged-in administrator accesses the site, creating backdoor admin accounts (developer_api1 and randomized dev_xxxxxx accounts) and installing a self-hiding PHP plugin. The backdoor provides unauthenticated code execution through a web shell and eval endpoint. Stolen credentials are exfiltrated to tidio.cc, a lookalike domain mimicking the legitimate tidio.com. The breach likely originated from compromised Awesome Motive servers or their BunnyNet CDN account. The campaign began in late April 2026 and remained active through mid-June, affecting OptinMonster (over 1 million installations), TrustPulse, and PushEngage users.

A sophisticated phishing campaign exploits Amazon's brand reputation through spoofed security alerts to deliver HarborWatch Agent, a custom remote access trojan. The attack chain begins with emails impersonating Amazon security notifications about suspicious account activity, directing victims to lookalike domains. Users are presented with fake CAPTCHA verification pages that employ ClickFix social engineering techniques, instructing them to execute PowerShell commands on their own systems. The multi-stage infection downloads mysql.exe from compromised infrastructure, which communicates with a Chinese-language command and control panel branded Harbor Sentinel. The RAT collects extensive system information including OS details, architecture, CPU count, disk usage, memory status, and network configurations, exfiltrating data through API endpoints to the threat actor's monitoring infrastructure.