
Threats Tagged 't1087'




New Backdoor May be Linked to Ransomware Access Broker

Mistic is a stealthy backdoor linked to the initial access broker Woodgnat and active since April 2026. It is launched by sideloading alongside legitimate Microsoft files and runs its payload in memory without writing it to disk, which keeps it out of file-based detection. The backdoor provides typical remote access capabilities plus a self-delete kill switch, and has been observed deployed alongside ModeloRAT, another tool associated with Woodgnat. Targeting is opportunistic across sectors including insurance, education, IT, and professional services; Woodgnat sells the resulting persistent remote access to affiliates of multiple ransomware operations. Distribution relies on social engineering lures served from compromised WordPress sites.

Operation Endgame vs. SocGholish Fake Updates

A multinational law enforcement action, Operation Endgame, has disrupted SocGholish, a malware framework operated by the threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish plants fake browser update prompts on compromised sites to trick visitors into running malicious JScript payloads, which provide initial access to corporate networks for ransomware deployment and data theft. Infoblox reports that 55% of its cloud customers were exposed to SocGholish in 2026, across industries including government, education, and healthcare. The framework relies on domain shadowing and a four-stage chain: traffic acquisition, victim filtering, the fake update lure, and execution of the on-device implant. SocGholish infrastructure has brokered access for various ransomware families and has been extensively used by the notorious Evi...

Klue Integration Abused in Salesforce Data Theft | Threat Spotlight

In June 2026, a compromised Klue competitive-intelligence integration was used to exfiltrate customer relationship management data from enterprise Salesforce environments. The attackers authenticated with compromised Klue service accounts, minted OAuth tokens, and ran automated Python scripts that pulled data in bulk through Salesforce REST API queries over roughly 24 hours. Activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows of more than 6 hours. The incident follows earlier third-party OAuth-abuse campaigns against Salesforce via Salesloft Drift and Gainsight integrations in 2025 and 2026. The tactics resemble operations attributed to ShinyHunters and UNC6395, but attribution remains uncertain; the initial access vector, the full scope of exfiltration, and the attackers' intent are still under investigation, and no extortion demands have been observed so far.
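The two activity shapes described above, a burst of nearly a thousand queries in 15 minutes and a sustained extraction window of more than 6 hours, are what a detection over API event logs should key on. The following is an added example, not code from the incident report or from Klue or Salesforce: it runs a per-principal sliding window and a session-span check over a constructed, Event Monitoring-style log. The log format (`timestamp,user,connected_app`), the account and app names, and the thresholds are assumptions.

```python
"""Detect bulk-extraction patterns in Salesforce REST API activity.

Added example, not code from the incident write-up. It flags concentrated
bursts (nearly a thousand queries in 15 minutes) and sustained extraction
windows longer than 6 hours. Log format, principal names and thresholds are
assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_QUERIES = 900                      # assumption: ~1,000 queries per window
BURST_WINDOW = timedelta(minutes=15)
SUSTAINED_SPAN = timedelta(hours=6)
SESSION_GAP = timedelta(minutes=30)      # assumption: a longer pause ends a session


def parse_events(lines):
    """Parse constructed 'iso_timestamp,user,connected_app' lines, sorted by time."""
    events = []
    for line in lines:
        ts, user, app = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, app))
    return sorted(events)


def find_bursts(events, threshold=BURST_QUERIES, window=BURST_WINDOW):
    """Sliding window per (user, app): return {key: start of the first burst}."""
    recent = defaultdict(deque)
    bursts = {}
    for ts, user, app in events:
        key = (user, app)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in bursts:
            bursts[key] = q[0]
    return bursts


def find_sustained(events, min_span=SUSTAINED_SPAN, max_gap=SESSION_GAP):
    """Group events into sessions separated by max_gap; return the long sessions."""
    sessions = defaultdict(list)
    open_session = {}

    def close(key):
        start, end = open_session[key]
        if end - start >= min_span:
            sessions[key].append((start, end))

    for ts, user, app in events:
        key = (user, app)
        if key in open_session and ts - open_session[key][1] <= max_gap:
            open_session[key] = (open_session[key][0], ts)
        else:
            if key in open_session:
                close(key)
            open_session[key] = (ts, ts)
    for key in list(open_session):
        close(key)
    return dict(sessions)


def sample_log():
    """Constructed log: one benign hourly user, and one integration account that
    fires 950 queries in under 8 minutes and then one every 5 minutes for 7 hours."""
    t0 = datetime(2026, 6, 10, 0, 0, 0)
    lines = [f"{(t0 + timedelta(hours=h)).isoformat()},alice@example.invalid,SalesApp"
             for h in range(24)]
    svc = "klue-svc@example.invalid,KlueIntegration"
    burst_start = t0 + timedelta(hours=2)
    lines += [f"{(burst_start + timedelta(seconds=i / 2)).isoformat()},{svc}"
              for i in range(950)]
    lines += [f"{(burst_start + timedelta(minutes=10 + 5 * k)).isoformat()},{svc}"
              for k in range(84)]
    return lines


if __name__ == "__main__":
    ev = parse_events(sample_log())
    for key, start in find_bursts(ev).items():
        print(f"BURST     {key} starting {start}")
    for key, spans in find_sustained(ev).items():
        for start, end in spans:
            print(f"SUSTAINED {key} {start} -> {end} ({end - start})")
```

Keying on (user, connected app) rather than user alone matters here: an OAuth token minted for an integration shows up under the integration's connected app, so a legitimate human session on the same account does not mask or inflate the integration's numbers.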

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels

A supply chain campaign has grown to 471 affected artifacts across npm and PyPI, targeting developers through malicious packages. Its PyPI packages use three delivery methods: executable .pth startup hooks (site.py runs any line in a .pth file that begins with "import", on every interpreter start, with no import of the package required), trojanized native .abi3.so extensions that run at import time, and a split loader/payload design in which a small loader searches Python's sys.path for its payload. Twenty-three newly identified PyPI packages masquerade as bioinformatics tools, AI frameworks, and popular libraries such as requests and Flask. The payload is a heavily obfuscated JavaScript stealer run under the Bun runtime that harvests GitHub tokens, npm registry credentials, cloud credentials, SSH keys, and CI/CD secrets from developer workstations and automated build environments. The malware also carries fake LLM prompt-injection headers intended to derail AI-assisted security scanners.
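The .pth startup hook is the delivery method most worth checking for on a workstation, because it runs before any of your own code does. The script below is an added example, not code from the campaign analysis or from any of the packages named above: it applies the same rule CPython's site.py applies (a line starting with "import " or a tab is exec'd) to every .pth file in the interpreter's site-packages directories and scores the executable lines for tokens that a legitimate one-line hook rarely needs. The keyword list, the scoring and the two sample .pth contents are constructed assumptions.

```python
"""Find .pth startup hooks that execute code when the interpreter starts.

Added example, not code from the campaign analysis. CPython's site.py
exec()s any .pth line that begins with "import " or "import\t", so a package
can run a loader on every interpreter start without ever being imported.
Legitimate hooks exist too (virtualenv's _virtualenv.pth, setuptools'
distutils-precedence.pth), so findings are for review, not auto-removal.
The token list and scoring are assumptions.
"""
import re
import site
from pathlib import Path

# Assumption: tokens that rarely appear in a legitimate one-line .pth hook.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|zlib|marshal|subprocess|os\.system|os\.popen"
    r"|urllib|requests|socket|ctypes|bun)\b"
)
LONG_LINE = 200  # assumption: obfuscated loaders tend to be long one-liners


def executable_lines(text):
    """Yield (lineno, line) for exactly the lines site.py would exec()."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            yield n, line.rstrip()


def assess_pth(text, name="<pth>"):
    """Return one finding per executable line, with the suspicious tokens it hit."""
    findings = []
    for n, line in executable_lines(text):
        hits = sorted({m.group(1) for m in SUSPICIOUS.finditer(line)})
        findings.append({
            "file": name, "line": n, "code": line, "suspicious": hits,
            "score": len(hits) + (1 if len(line) > LONG_LINE else 0),
        })
    return findings


def scan_site_packages(dirs=None):
    """Walk the interpreter's site-packages directories (or the given ones)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for pth in root.glob("*.pth"):
            try:
                findings += assess_pth(pth.read_text(errors="replace"), str(pth))
            except OSError:
                continue
    return findings


# Constructed samples. The base64 text decodes to print("constructed sample");
# it is only ever treated as data here and is never executed.
BENIGN_PTH = "import _virtualenv\n"
MALICIOUS_PTH = (
    "/opt/bio/lib\n"
    "import base64,subprocess;exec(base64.b64decode("
    "'cHJpbnQoImNvbnN0cnVjdGVkIHNhbXBsZSIp'))\n"
)

if __name__ == "__main__":
    for f in assess_pth(MALICIOUS_PTH, "evil.pth") + scan_site_packages():
        flag = "SUSPICIOUS" if f["score"] else "review    "
        print(f"{flag} {f['file']}:{f['line']} {f['code'][:80]}")
```

A plain path line (the first line of the malicious sample) is never reported, because site.py only adds it to sys.path; only the import line is executable. Run the scan inside each virtual environment and CI image separately, since every interpreter has its own site-packages set.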

Espionage Campaign Targeted Stock Exchange Executive for Five Months

Unknown attackers ran a five-month espionage campaign against a senior executive at a major global stock exchange, stealing the victim's Outlook mailbox in incremental batches. They showed disciplined tradecraft, using legitimate cloud services, Dropbox and OneDrive Personal, for both exfiltration and command and control. An Aspose-based mailbox stealer extracted OST content in date-range windows, starting with historical email from August 2025 and continuing at two-to-four-week intervals through February 2026. Persistence relied on masquerading binaries and scheduled tasks themed around legitimate Adobe and Lenovo services. By extracting mailbox data incrementally and routing it through trusted cloud platforms, the attackers stayed under detection thresholds while building a comprehensive picture of the executive's communications and organizational activity.

Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT

In April 2026, threat actors deployed Nimbus RAT against a legal-sector target via Microsoft Teams voice phishing. The intrusion began with email bombing (282 messages in 90 minutes), followed by a Teams contact from a fake IT helpdesk that persuaded the victim to grant remote access through Quick Assist. Within 20 minutes a Java-based RAT was installed that uses Google Drive and Google Sheets for command and control, so its traffic blends in with legitimate Google API use. Analysis of 1,540 suspicious Teams messages across 172 customer environments over 12 months found that 65% originated from throwaway onmicrosoft.com tenants with IT-themed names. The malware bundles its own Java runtime, implements two credential-theft mechanisms, and supports in-memory execution of second-stage code. Post-compromise collection targeted Signal Desktop attachments and Outlook mailboxes.
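The sender statistics above (65% of suspicious messages from throwaway onmicrosoft.com tenants with IT-themed names) suggest a cheap triage rule for inbound Teams messages from external tenants. The script below is an added example, not code from the Nimbus RAT report or from any vendor product: it scores each message on four indicators, external sender, a default `*.onmicrosoft.com` tenant domain (what a new tenant has before any custom domain is verified), an IT-themed identity, and a request to start a remote-access session. The message field names, the home tenant, the keyword lists and the sample messages are constructed assumptions.

```python
"""Triage inbound Microsoft Teams messages for the helpdesk-impersonation pattern.

Added example, not code from the Nimbus RAT report. Field names, the home
tenant, keyword lists and the sample messages are constructed assumptions.
"""
import re

HOME_TENANT = "contoso.com"   # assumption: the organisation's own verified domain

IT_THEMED = re.compile(
    r"\b(help ?desk|service ?desk|it ?support|it ?admin|tech ?support"
    r"|security ?team|microsoft ?support)\b", re.I)
REMOTE_TOOLS = re.compile(
    r"\b(quick ?assist|anydesk|teamviewer|remote (?:access|session)|screen ?share)\b",
    re.I)


def sender_domain(upn):
    """Domain part of a user principal name, lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def score_message(msg, home_tenant=HOME_TENANT):
    """Return the list of indicators a message matches (empty for a clean message)."""
    reasons = []
    dom = sender_domain(msg["sender"])
    if dom != home_tenant:
        reasons.append("external sender")
        if dom.endswith(".onmicrosoft.com"):
            reasons.append("default onmicrosoft.com tenant, no custom domain verified")
    if IT_THEMED.search(msg["display_name"]) or IT_THEMED.search(dom):
        reasons.append("IT-themed identity")
    if REMOTE_TOOLS.search(msg["text"]):
        reasons.append("requests a remote-access session")
    return reasons


def triage(messages, min_reasons=3):
    """Return [(sender, reasons)] for messages matching at least min_reasons indicators."""
    flagged = []
    for m in messages:
        reasons = score_message(m)
        if len(reasons) >= min_reasons:
            flagged.append((m["sender"], reasons))
    return flagged


SAMPLE_MESSAGES = [  # constructed
    {"sender": "helpdesk@contoso-itsupport.onmicrosoft.com", "display_name": "IT Helpdesk",
     "text": "We see spam flooding your mailbox. Open Quick Assist and read me the code."},
    {"sender": "alice@contoso.com", "display_name": "Alice Chen",
     "text": "Can you join the 3pm call?"},
    {"sender": "bob@partner.example", "display_name": "Bob Ortiz",
     "text": "Sending over the contract draft now."},
    {"sender": "billing@fabrikam.onmicrosoft.com", "display_name": "Fabrikam Billing",
     "text": "Invoice for May attached."},
]

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(sender, "->", "; ".join(reasons))
```

The threshold of three indicators keeps an ordinary external partner (one indicator) and a small supplier still on its default tenant domain (two) out of the queue, while the lure described above hits all four. The same scoring can be applied to the call and chat events that precede the Quick Assist session, which is where the 20-minute window to intervene sits.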

