Threats Tagged 't1090'

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.

MediumMalwareFrance#tailscale#rustdesk#poisson

A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.

MediumCampaignUnited States#void blizzard#cryptocurrency#denis obrezko

On May 15, 2026, Huntress agents detected an intrusion where threat actors compromised a terminal server to stage a massive phishing campaign rather than deploy ransomware. The attacker used legitimate bulk email software (Gammadyne Mailer) with a project file named 'dracii' (Romanian for 'the devils') and six recipient lists containing 8,894,920 email addresses. Operating from Romanian IP addresses, the actor impersonated UK pharmacy chain Boots through a fake customer satisfaction survey designed to harvest personal and payment card data. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which Huntress reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery to bypass mail relays, with the mailer configured to send from 666 threads simultaneously. Evidence suggests this Romanian operator has been running multiple UK-targeting campaigns since at least July 2025, rotating between retail, tax, and cryptocurrency themes.

In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, this backdoor employs sophisticated obfuscation techniques including Mixed Boolean-Arithmetic and Control Flow Flattening. MLTBackdoor features indirect system calls, API hashing, and extensive anti-analysis checks that detect debuggers and sandboxed environments. Its capabilities include filesystem operations and a powerful Beacon Object File loader that dynamically expands functionality. The malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange for command-and-control communications. Additionally, it implements a deterministic date-based Domain Generation Algorithm to maintain persistence when hardcoded C2 domains become unreachable, demonstrating advanced resilience against takedown attempts.

A sophisticated multi-stage malware campaign targets victims through tax-themed phishing emails impersonating Indian and Japanese government authorities. The operation leverages social engineering, fraudulent tax notifications, and trusted third-party email delivery services to distribute ZIP archives containing three staged payloads. The malware implements advanced evasion techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs primarily in memory, significantly reducing forensic artifacts. The malware establishes persistent WebSocket-based command-and-control communication through HTTP protocol upgrades, allowing malicious traffic to blend with legitimate activity. Chinese-language artifacts were observed throughout the infrastructure and code, though attribution remains at moderate confidence. The campaign demonstrates characteristics of a mature, ...

MediumCampaignBritish Indian Ocean TerritoryIndiaJapan#websocket c2#dll hijacking#government impersonation

A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.

A sophisticated cyber-espionage campaign attributed to China-linked actors targets officials and citizens in Czech Republic and Taiwan through spearphishing attacks. The operation deploys malicious ZIP archives containing dual infection paths that ultimately deliver AZUREVEIL, an Adaptix C2 agent. The campaign uniquely leverages Microsoft Azure Blob Storage as a dead-drop command-and-control channel, bypassing traditional C2 infrastructure. A multi-stage infection chain employs RUSTCLOAK, a Rust-based loader implementing triple-layer encryption using modified RC4, Base64, and SM4-CBC algorithms. The final payload supports 36 post-exploitation commands including Beacon Object File execution in memory, file system manipulation, process control, network pivoting, and data exfiltration. Lure documents impersonate official communications from Taiwanese research institutions and Czech Social Security Administration, demonstrating targeted social engineering tailored to each region.

MediumMalwareCzechiaTaiwan#china-linked#taiwan#dll sideloading

A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct phishing templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage credential harvesting process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.

MediumCampaignUnited StatesAlbaniaArmenia+16#smishing#government impersonation#credential harvesting