Threats Tagged 't1105'

A sophisticated supply chain attack uses typosquatting on the popular postcss-selector-parser npm package to distribute a multi-stage Windows Remote Access Trojan (RAT). Malicious packages masquerade as PostCSS utilities and deploy encoded JavaScript that drops PowerShell scripts. These scripts download a bundled Python runtime with Nuitka-compiled modules, culminating in a RAT with capabilities such as encrypted HTTP C2 communication, persistence, VM detection, remote shell, file transfer, and Chrome credential theft via DPAPI. This attack highlights risks in build tooling dependencies as malware delivery vectors targeting developer environments.

A malicious npm package named 'node-fetch-utils' was identified masquerading as a legitimate utility. It uses a remote tarball dependency from GitHub that executes during installation on Windows systems. The package runs an obfuscated postinstall script that downloads a bundled Python runtime, placing it as Microsoft\EdgeBroker\pythonw.exe for persistence. This runtime is then used to execute a fileless Python implant decrypted in memory and launched stealthily via wscript. The dropper scripts self-delete while the disguised runtime remains active, establishing command and control communications.

An active malware campaign has been discovered distributing malicious VBScript files through WhatsApp direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise WhatsApp accounts and send weaponized VBS files disguised as business and financial documents to contacts. The multi-stage infection chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting social engineering techniques with localized filenames in multiple languages.

MediumMalwareAustraliaBrazilBritish Indian Ocean Territory+7#uac bypass#valleyrat#gh0st rat

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, and persistence mechanisms. The final payload is a Python-based information stealer designed to harvest browser credentials, session data, and cookies, with exfiltration attempts through Telegram Bot API. The campaign demonstrates sophisticated tradecraft including Rouki-obfuscated batch loaders, Startup folder persistence, and bundled Python interpreters. Active operational window spans from April to June 2026, with all samples uploaded from Thailand.

MediumMalwareThailand#batch script obfuscation#github payload hosting#python stealer

On May 14, 2026, a supply chain attack was discovered targeting the Okendo Reviews widget, a customer review platform used by over 18,000 brands. The threat actor injected malicious JavaScript code into the legitimate widget, which is deployed on high-traffic e-commerce pages including storefronts and product pages. The compromised JavaScript acted as a staged loader, using obfuscation, localStorage tracking, User-Agent filtering, and XOR-based decoding to conceal next-stage infrastructure. The attack employed ClickFix-style social engineering to deceive users into executing malicious commands, ultimately delivering remote access trojans like NetSupport and Remcos, or information stealers such as StealC. Affected websites received hundreds of thousands to millions of monthly visitors, with nearly 15,000 blocks recorded in a single day.

SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as lure. The attack employs an identical playbook to previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components demonstrate low detection rates at initial delivery, with the decoy document scoring 0/66, the stager 1/61, and only the final executable reaching 35/71 detections.

MediumMalwareBritish Indian Ocean TerritoryIndia#rat#indian defense targeting#double extension

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

MediumMalwareBritish Indian Ocean TerritoryFranceHong Kong+6#gitlab pages abuse#macsync#ai impersonation

Global law enforcement, including agencies from the Netherlands, Canada, United States, and Germany, coordinated Operation Endgame to disrupt TA569, a prominent cybercriminal group tracked since 2018. The operation targeted SocGholish infrastructure, taking down over 100 servers and domains while remediating 14,971 compromised websites. TA569 pioneered web inject techniques using fake browser updates to distribute malware, often leading to ransomware attacks. The group compromised high-traffic websites across multiple industries, affecting millions of visitors globally. Their attack chains involved traffic distribution systems like Keitaro TDS and ParrotTDS, delivering GhoLoader payloads that could lead to ransomware deployment in enterprise environments. Law enforcement actions included server disruption and website disinfection, significantly impacting the threat actor's operations, infrastructure, and reputation within the cybercriminal ecosystem.

MediumMalwareUnited StatesAustraliaCanada+2#gholoader#operation endgame#ransomhub

Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from takeover of the ehindero npm maintainer account, which published poisoned package versions introducing easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Any developer workstation or CI/CD pipeline executing npm install after compromise was potentially exposed regardless of code usage.