Threats Tagged 't1102'
View all threats tagged with 't1102' (MITRE ATT&CK T1102, Web Service: the adversary relays command-and-control traffic, payload delivery, or exfiltration through a legitimate external web service such as GitHub, Telegram, Dropbox, or a public blockchain). Filter and sort to focus on specific types of threats.
Threat Actors Weaponizing RAR Archives to Target Thailand's Healthcare Sector
An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation uses healthcare-themed spear-phishing lures distributed as malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, and persistence mechanisms. The final payload is a Python-based information stealer that harvests browser credentials, session data, and cookies and attempts exfiltration through the Telegram Bot API. The campaign's tradecraft includes Rouki-obfuscated batch loaders, Startup folder persistence, and bundled Python interpreters. The active operational window spans April to June 2026, with all samples uploaded from Thailand.
Source: AlienVault OTX | General | Published 06/19/2026, 14:27:26 UTC | Added 06/22/2026, 09:24:35 UTC
Operation Poisson – Analyzing a Cybercriminal's Entire Operation
A comprehensive analysis of 339 commands issued over 33 days by a French-speaking threat actor nicknamed 'Poisson', targeting a French automotive small business and four French individuals. The attacker used a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation ran on free-tier infrastructure: the Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived the C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh. The case shows that VPN-mesh persistence is in active use in real-world intrusions and that taking down the C2 alone is insufficient remediation: the installed SSH service and mesh-VPN node on each victim must be found and removed as well.
Source: AlienVault OTX | General | Published 06/19/2026, 11:24:44 UTC | Added 06/19/2026, 11:36:46 UTC
Operation FlutterBridge: The FlutterShell macOS Backdoor
FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, tracked as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware uses a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor loads attacker-controlled JavaScript from C2 servers into a WKWebView; commands are delivered at runtime through a JavaScript-to-native bridge called flutterInvoke, so the binary on disk contains no fixed command set to signature. The primary impact is Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider, with persistence through silent Sparkle framework updates.
Source: AlienVault OTX | General | Published 06/19/2026, 00:03:22 UTC | Added 06/19/2026, 08:35:48 UTC
Klue Integration Abused in Salesforce Data Theft | Threat Spotlight
In June 2026, a compromised Klue competitive-intelligence platform integration was exploited to exfiltrate customer relationship management data from enterprise Salesforce environments. Attackers authenticated through compromised Klue service accounts, generated OAuth tokens, and ran automated Python scripts that performed bulk extraction via Salesforce REST API queries over approximately 24 hours. The activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows exceeding 6 hours. This incident follows similar third-party OAuth-abuse campaigns against Salesforce through the Salesloft Drift and Gainsight integrations throughout 2025 and 2026. While the tactics resemble operations attributed to ShinyHunters and UNC6395, attribution remains uncertain. The initial access vector, the full scope of exfiltration, and the attacker's intent are still under investigation, and no extortion demands have been observed to date. Because the access came through a legitimate OAuth-connected integration, query volume and timing, rather than failed logins or unusual source IPs, were the observable signal.
Source: AlienVault OTX | General | Published 06/18/2026, 03:14:22 UTC | Added 06/18/2026, 20:20:24 UTC
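The volume-and-timing signal described in the Klue entry, as an added detection example (not code from the Threat Spotlight or from Salesforce): a sliding-window burst check and a session-length check over per-user API query events. The event format ('ISO-8601 timestamp,user,api' per line), the thresholds derived from the summary's figures, and the service-account names are assumptions; real Salesforce Event Monitoring records (for example ApiEvent) carry different field names, so the parser would be adapted to them.

```python
"""Volume-based detection of bulk extraction through an OAuth-connected
integration, modelled on the Salesforce activity summarised above.

Added example, not code from the Threat Spotlight or from Salesforce.
The 'timestamp,user,api' line format is a constructed assumption.
"""
from collections import deque
from datetime import datetime, timedelta

# Thresholds derived from the figures in the summary: ~1,000 queries in
# 15 minutes and sustained extraction windows exceeding 6 hours.
BURST_COUNT = 900
BURST_WINDOW = timedelta(minutes=15)
SUSTAINED_SPAN = timedelta(hours=6)
SESSION_GAP = timedelta(minutes=10)  # assumption: idle gap that closes a session


def parse_events(lines):
    """Parse constructed 'timestamp,user,api' lines into (datetime, user, api)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, api = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), user, api))
    return events


def burst_peak(events, user):
    """Largest number of queries by `user` inside any BURST_WINDOW, plus the
    start time of that window (sliding window over sorted timestamps)."""
    times = sorted(t for t, u, _ in events if u == user)
    window = deque()
    peak, peak_start = 0, None
    for t in times:
        window.append(t)
        while t - window[0] > BURST_WINDOW:   # drop events older than the window
            window.popleft()
        if len(window) > peak:
            peak, peak_start = len(window), window[0]
    return peak, peak_start


def longest_session(events, user):
    """Longest stretch of activity with no idle gap longer than SESSION_GAP."""
    times = sorted(t for t, u, _ in events if u == user)
    if not times:
        return timedelta(0)
    best = timedelta(0)
    start = prev = times[0]
    for t in times[1:]:
        if t - prev > SESSION_GAP:
            best = max(best, prev - start)
            start = t
        prev = t
    return max(best, prev - start)


def flag_user(events, user):
    """Return human-readable findings for `user`; an empty list means clean."""
    findings = []
    peak, start = burst_peak(events, user)
    if peak >= BURST_COUNT:
        findings.append(f"burst: {peak} queries within {BURST_WINDOW} from {start.isoformat()}")
    span = longest_session(events, user)
    if span >= SUSTAINED_SPAN:
        findings.append(f"sustained: {span} of continuous API querying")
    return findings


def constructed_sample():
    """Constructed log (not real telemetry): an integration service account
    fires 950 REST queries in ~12 minutes, then one per minute for 7 hours;
    an analyst account issues five queries spread across a working day."""
    base = datetime(2026, 6, 10, 2, 0, 0)
    svc = "klue-integration@example.invalid"   # assumed service-account name
    human = "analyst@example.invalid"          # assumed interactive user
    lines = []
    for i in range(950):
        lines.append(f"{(base + timedelta(seconds=0.75 * i)).isoformat()},{svc},RestApi")
    for m in range(7 * 60):
        lines.append(f"{(base + timedelta(minutes=20 + m)).isoformat()},{svc},RestApi")
    for h in range(5):
        lines.append(f"{(base + timedelta(hours=7 + h)).isoformat()},{human},RestApi")
    return lines


if __name__ == "__main__":
    evts = parse_events(constructed_sample())
    for who in ("klue-integration@example.invalid", "analyst@example.invalid"):
        print(who, flag_user(evts, who) or ["no findings"])
```

Both checks are per-identity, so an integration's service account is compared against its own normal cadence rather than against human users; in practice the thresholds would be set from a baseline of that integration's historical query rate, and a hit should trigger revocation of the integration's OAuth tokens while the scope is established.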
WebAssembly Malware Found in Trojanized Open VSX Extensions
Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted, TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This dead-drop technique lets the attackers rotate infrastructure without hardcoding any server in the extension. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via the Node.js child_process module to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, making this a WebAssembly-based variant of previously documented supply chain compromise techniques.
Source: AlienVault OTX | General | Published 06/16/2026, 04:27:32 UTC | Added 06/16/2026, 11:30:21 UTC
A First Look at a New Post-Exploitation Red Team Tool
A new post-exploitation red team tool named Splinter was discovered on customer systems through Advanced WildFire's memory scanning. Written in Rust, Splinter is unusually large at around 7 MB because of statically linked libraries. The tool uses a JSON configuration containing an implant ID, C2 server details, and operational parameters. It operates on a task-based model with capabilities including Windows command execution, remote process injection, file upload and download, cloud service information gathering, and self-deletion. Communication with the C2 server runs over HTTPS using distinct URL paths for task synchronization, heartbeats, and file transfers. While less sophisticated than Cobalt Strike, Splinter adds to the growing set of penetration testing tools that threat actors can misuse.
Source: AlienVault OTX | General | Published 06/09/2026, 06:14:59 UTC | Added 06/09/2026, 08:55:44 UTC
Matryoshka #3/3: Gamaredon's GammaSteel Infostealer
This analysis examines the espionage operations of Gamaredon (UAC-0010, Armagedon) against Ukrainian government, military, and critical infrastructure targets. The FSB-operated group deploys GammaSteel, a stealer that runs almost entirely from memory, uses Windows DPAPI for encryption, and stores 71 distinct payload functions in the HKCU\Printers registry key. The malware runs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring aimed at air-gapped systems, and real-time file surveillance. Exfiltration goes to legitimate S3-compatible cloud storage (Tebi.io), with fallback to operator-controlled servers. The infection chain relies heavily on VBScript for evasion, uses Dead Drop Resolvers on platforms such as Telegram and Mastodon to obtain its C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. The infrastructure is highly automated, with servers rotated approximately every 24 hours.
Source: AlienVault OTX | General | Published 06/04/2026, 13:57:26 UTC | Added 06/05/2026, 08:49:15 UTC
Browser Spy-Ons: Threat Actors' Extensions Hijack Your AI Conversations
Multiple malicious Chrome extensions exploit the growing use of AI platforms by posing as legitimate productivity tools while secretly stealing user conversations and personal data. Extensions including Urban VPN, Smart Sidebar, and AI Assistant/Chat AI collectively reach millions of users but contain hidden scripts that intercept communications with popular AI platforms such as ChatGPT, Claude, DeepSeek, and Gemini. The extensions inject JavaScript that overrides network requests, monitors DOM elements for chat interactions, and exfiltrates conversation content, session identifiers, and timestamps to remote servers. The threat is particularly serious because users routinely share confidential personal, medical, and corporate information with AI platforms, making the intercepted conversations highly valuable to threat actors.
Source: AlienVault OTX | General | Published 06/04/2026, 02:46:48 UTC | Added 06/04/2026, 09:18:39 UTC
Espionage Campaign Targeted Stock Exchange Executive for Five Months
Unknown attackers ran a five-month espionage campaign against a senior executive at a major global stock exchange, systematically stealing the victim's Outlook mailbox in incremental batches. The attackers showed disciplined tradecraft, using the legitimate cloud services Dropbox and OneDrive Personal for both exfiltration and command-and-control. They used an Aspose-based mailbox stealer to extract OST file contents in date-range windows, starting with historical email from August 2025 and continuing at two-to-four-week intervals through February 2026. Persistence relied on masquerading binaries and scheduled tasks themed around legitimate Adobe and Lenovo services. By extracting mailbox data in small increments and routing traffic through trusted cloud platforms, the attackers stayed below detection thresholds while building a comprehensive picture of the executive's communications and organizational activities.
Source: AlienVault OTX | General | Published 06/03/2026, 12:55:40 UTC | Added 06/04/2026, 08:48:45 UTC
FSB's Matryoshka #2/3 – Gamaredon's Gifts That Keep Unpacking – GammaLoad
Gamaredon, an FSB-operated cyberespionage group, continues to target Ukrainian government, military, and critical infrastructure through multi-stage infection chains. This analysis examines GammaLoad, a family of VBScript loaders that establish continuous access in three distinct stages. The loaders use Dead Drop Resolvers on legitimate platforms including Telegram, Telegraph, and Check-Host to keep C2 communications alive, and store their configuration in Windows registry keys. Each stage uses different techniques: the first fingerprints the host and uses failover mechanisms, the second writes payloads to Alternate Data Streams and establishes persistence via scheduled tasks, and the third runs obfuscated PowerShell to deliver the final GammaSteel payload. This matryoshka architecture lets operators deploy arbitrary payloads while remaining largely invisible by abusing trusted Windows features and cloud platforms.
Source: AlienVault OTX | General | Published 06/03/2026, 13:18:24 UTC | Added 06/04/2026, 08:48:45 UTC
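The dead-drop resolvers in the GammaLoad and GammaSteel entries, and the Solana-memo polling in the Open VSX entry, share one network-observable trait: an implant that fetches its C2 configuration from a legitimate web service does so on a timer, which stands out from human use of the same platforms. The following added detection example (not code from any of the analyses above) groups proxy-log requests by client and destination and flags pairs whose inter-request interval is nearly constant. The log line format ('timestamp client dst_host "user_agent"'), the user-agent strings, the client addresses, and the resolver host list are constructed assumptions; the host list is drawn from the platforms the summaries name, and no Solana RPC endpoint is included because the summary names none.

```python
"""Cadence-based detection of dead-drop resolver polling.

Added example; not code from the GammaLoad, GammaSteel or Open VSX analyses.
The proxy-log format and host list below are constructed assumptions.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed resolver hosts: Telegram, Telegraph, Check-Host, Mastodon. Extend
# with whatever legitimate services your own threat intel names.
DEAD_DROP_HOSTS = {"t.me", "api.telegram.org", "telegra.ph",
                   "check-host.net", "mastodon.social"}
MIN_REQUESTS = 6   # fewer polls than this cannot establish a cadence
MAX_JITTER = 0.15  # stdev/mean of the inter-request gap; lower = more timer-like


def parse_proxy_log(lines):
    """Parse constructed 'ts client host "ua"' lines into dicts."""
    records = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, host, ua = shlex.split(line)   # shlex keeps the quoted UA intact
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "ua": ua})
    return records


def cadence(times):
    """Return (mean_gap_seconds, jitter) for a sorted list of datetimes, where
    jitter is the coefficient of variation of consecutive request gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def beacon_candidates(records):
    """Group requests by (client, dead-drop host) and flag regular pollers."""
    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in DEAD_DROP_HOSTS:
            by_pair[(r["client"], r["host"])].append(r)
    hits = []
    for (client, host), rs in by_pair.items():
        if len(rs) < MIN_REQUESTS:
            continue
        rs.sort(key=lambda r: r["ts"])
        avg, jitter = cadence([r["ts"] for r in rs])
        if jitter <= MAX_JITTER:
            hits.append({"client": client, "host": host, "requests": len(rs),
                         "interval_s": round(avg), "jitter": round(jitter, 3),
                         "user_agents": sorted({r["ua"] for r in rs})})
    return hits


def constructed_log():
    """Constructed proxy lines (not real traffic): 10.0.0.5 polls telegra.ph
    every ~10 minutes from a scripting client; 10.0.0.9 visits t.me at
    human-like irregular gaps and also browses an unrelated site."""
    base = datetime(2026, 6, 3, 9, 0, 0)
    lines = []
    t = 0
    for gap in (0, 598, 604, 595, 601, 603, 597, 600):
        t += gap
        lines.append(f'{(base + timedelta(seconds=t)).isoformat()} 10.0.0.5 '
                     f'telegra.ph "WinHttp-script/1.0"')
    t = 0
    for gap in (0, 35, 1900, 12, 2400, 60, 11, 5400):
        t += gap
        lines.append(f'{(base + timedelta(seconds=t)).isoformat()} 10.0.0.9 '
                     f't.me "Mozilla/5.0 (browser)"')
    lines.append(f'{base.isoformat()} 10.0.0.9 example.com "Mozilla/5.0 (browser)"')
    return lines


if __name__ == "__main__":
    for hit in beacon_candidates(parse_proxy_log(constructed_log())):
        print(hit)
```

A hit is a lead, not a verdict: the same service may be polled legitimately by a monitoring job, so the next step is to identify the process behind the requests on the flagged client and check whether its fetched page content carries an embedded address. Infrastructure rotated every 24 hours, as the GammaSteel entry describes, does not change this signal, because the resolver hostnames stay the same while only the resolved C2 changes.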
Showing 1 to 10 of 15 results