Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.

The threat campaign titled "From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery" involves a sophisticated multi-stage malware distribution operation exploiting expired Discord invite links. Attackers hijack these expired invites to redirect users to malicious servers, leveraging the inherent trust users place in Discord invite links. The campaign employs ClickFix phishing techniques to lure victims into interacting with malicious content. It uses multi-stage loaders and time-based evasion tactics to avoid detection by security solutions. The primary payloads delivered are AsyncRAT, a remote access trojan capable of extensive system control, and a customized variant of the Skuld Stealer malware specifically targeting cryptocurrency wallets, aiming to exfiltrate sensitive financial data. The attackers utilize trusted cloud services for both payload delivery and data exfiltration, which helps them blend their malicious traffic with legitimate network activity, further complicating detection efforts. Notably, the campaign has evolved to bypass Chrome's App Bound Encryption, a security feature designed to protect browser cookies, by using an adapted tool named ChromeKatz. This capability allows the threat actors to steal cookies from the latest Chromium-based browsers, potentially enabling session hijacking and unauthorized access to web accounts. The exploitation of subtle features in Discord's invite system as an attack vector highlights the innovative approach of the adversaries. Indicators of compromise include multiple malware hashes, IP addresses, and domains such as captchaguard.me and microads.top, which are involved in the campaign's infrastructure. The campaign is ongoing and continues to adapt, underscoring the persistent threat it poses to users relying on Discord and Chromium browsers.

Detailed information about From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery. Get real-time updates, technical details, and m

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery - Live Threat Intelligence - Threat Radar | OffSeq.com

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hijacking. The malware employs advanced defense evasion techniques, disabling Windows Defender through PowerShell and registry manipulations. Its modules harvest browser credentials, Wi-Fi passwords, gaming profiles, and session data from various applications. The builder framework allows adversaries to customize payloads, making it accessible to less technically skilled threat actors. CyberEye's persistence mechanisms, anti-analysis features, and use of public messaging platforms for C2 make it a significant threat to both consumers and enterprises.

CyberEye is a modular Remote Access Trojan (RAT) developed using the .NET framework, notable for its use of Telegram as a Command and Control (C2) channel. This design choice allows attackers to leverage a public messaging platform, eliminating the need to maintain dedicated C2 infrastructure, thereby increasing operational stealth and reducing costs. The RAT provides extensive surveillance and data theft capabilities, including keylogging to capture keystrokes, file grabbing to exfiltrate files, and clipboard hijacking to intercept copied data. It also harvests sensitive credentials such as browser-stored passwords, Wi-Fi keys, gaming profiles, and session information from various applications, enabling broad access to victim data. 

CyberEye employs advanced defense evasion techniques, notably disabling Windows Defender via PowerShell scripts and registry modifications, which complicates detection and removal. Its persistence mechanisms ensure the malware remains active across system reboots, while anti-analysis features hinder reverse engineering and forensic investigations. The RAT builder framework allows adversaries to customize payloads, lowering the technical barrier for less skilled threat actors to deploy sophisticated malware. The use of Telegram for C2 communications (leveraging techniques mapped to MITRE ATT&CK techniques such as T1102.002) also helps evade traditional network-based detection methods. Overall, CyberEye represents a versatile and stealthy threat capable of extensive data exfiltration and system control, targeting both consumer and enterprise Windows environments.

Detailed information about Understanding CyberEYE RAT Builder: Capabilities and Implications. Get real-time updates, technical details, and mitigation strategie

Understanding CyberEYE RAT Builder: Capabilities and Implications - Live Threat Intelligence - Threat Radar | OffSeq.com

Understanding CyberEYE RAT Builder: Capabilities and Implications

Censys researchers uncovered a spear‑phishing campaign where threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how attackers set up these public-accessible directories to store malicious scripts, the obfuscation techniques employed, and the infrastructure's lifecycle.

Researchers from Censys have uncovered a spear-phishing campaign infrastructure that relies on a cluster of 16 publicly accessible open directories hosting heavily obfuscated Visual Basic Script (VBS) files. These scripts are designed to facilitate malware delivery and execution, leveraging obfuscation techniques to evade detection by security tools. The campaign infrastructure includes domains and IP addresses associated with various RAT (Remote Access Trojan) families such as Remcos, LimeRAT, DC RAT, and AsyncRAT, which are known for their capabilities in remote control, data exfiltration, and persistence on infected systems. The attackers use open directories to store malicious payloads, making them accessible via HTTP URLs, which are then likely distributed through spear-phishing emails targeting specific victims. The obfuscation of VBS scripts complicates analysis and detection, allowing the malware to remain hidden longer. The infrastructure lifecycle analysis indicates active maintenance and use of dynamic DNS services (duckdns.org) to manage domains, enhancing resilience and flexibility. Indicators of compromise include numerous hashes for the malicious scripts, IP addresses located in multiple countries including several European nations, and domains linked to dynamic DNS providers. The campaign employs techniques mapped to MITRE ATT&CK tactics such as T1113 (Screen Capture), T1571 (Non-Standard Port), T1027.003 (Obfuscated Files or Information: Visual Basic), T1059.005 (Command and Scripting Interpreter: Visual Basic), T1566.001 (Spearphishing Attachment), and T1590 (Gather Victim Network Information), highlighting a sophisticated multi-stage attack vector focused on targeted spear-phishing and remote access malware deployment.

MD5 of 657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc

MD5 of b7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb

MD5 of d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5

MD5 of 4297de28d569560bf2cd287e1a44771ec4f8deac993cb69b54b36fa497af52d3

SHA1 of d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5

SHA1 of b7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb

SHA1 of 4297de28d569560bf2cd287e1a44771ec4f8deac993cb69b54b36fa497af52d3

SHA1 of 657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc

CC=US ASN=AS141995 contabo asia private limited

CC=CO ASN=AS3816 colombia telecomunicaciones s.a. esp

CC=TR ASN=AS39144 redes digitales de telecomunicacion en internet sl

CC=US ASN=AS396073 majestic hosting solutions  llc

Detailed information about Unmasking the Infrastructure of a Spear‑phishing Campaign. Get real-time updates, technical details, and mitigation strategies.

Unmasking the Infrastructure of a Spear‑phishing Campaign - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the Infrastructure of a Spear‑phishing Campaign

In May 2025, Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. However, an investigation reveals most breaches were exaggerated or fake. Alleged data leaks contained primarily public information, website defacements left no real impact, and DDoS attacks caused minimal disruption. The more significant threat came from APT36, which used Crimson RAT malware to target Indian defense networks following the Pahalgam terror attack. The malware, delivered through phishing emails with malicious attachments, allows remote execution of commands and data exfiltration. While hacktivist claims generated alarming headlines, the actual impact was limited, with most targeted websites operating normally.

In May 2025, a surge of cyberattacks was claimed by Pakistan-linked hacktivist groups targeting Indian government, education, and critical infrastructure websites. While over 100 attacks were publicized, investigations revealed that most were exaggerated or fabricated. The majority of alleged data leaks contained publicly available information, website defacements had no lasting operational impact, and distributed denial-of-service (DDoS) attacks caused only brief, minimal disruptions. The more consequential threat originated from the advanced persistent threat group APT36, which leveraged Crimson RAT malware to target Indian defense networks. This malware was delivered primarily through phishing campaigns involving malicious email attachments. Crimson RAT enables remote command execution, persistence, credential harvesting, and data exfiltration, posing a significant risk to confidentiality and integrity of targeted systems. The attack chain aligns with known MITRE ATT&CK techniques such as T1566.002 (phishing with malicious attachments), T1547.001 (boot or logon autostart execution), T1041 (exfiltration over command and control channels), and T1071.001 (web protocol communication). Despite the media attention on hacktivist claims, the actual operational impact was limited, with most targeted websites remaining functional and no widespread compromise beyond the targeted defense networks. Indicators of compromise include suspicious domains mimicking Indian defense and government email infrastructure, suggesting attempts at credential phishing or command and control. No known exploits in the wild or patches are currently associated with this threat, and the attack vector relies heavily on social engineering rather than software vulnerabilities. The threat underscores the tactical use of cyber operations by nation-state affiliated groups to conduct espionage and targeted intrusions rather than broad disruptive campaigns.

Detailed information about Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge. Get real-time updates, technical det

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge - Live Threat Intelligence - Threat Radar | OffSeq.com

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's presence has increased in Latin America since 2024. The infection chain involves downloading a loader called VMDetectLoader, which uses process hollowing to inject DCRat into memory. VMDetectLoader can detect virtual machines and create persistence through scheduled tasks or registry keys. DCRat has various capabilities including recording victims, file manipulation, and keystroke logging. IBM X-Force assesses that Latin America will continue facing targeting from actors deploying banking trojans via phishing campaigns.

The threat involves a growing campaign by the threat actor Hive0131 targeting users primarily in Colombia through phishing emails masquerading as official communications from The Judiciary of Colombia. These emails contain embedded links or PDF attachments designed to lure victims into downloading a loader known as VMDetectLoader. This loader employs advanced evasion techniques such as virtual machine detection to avoid sandbox analysis and uses process hollowing to inject the DCRat banking trojan directly into memory, thereby minimizing its footprint on disk and evading traditional antivirus detection. VMDetectLoader also establishes persistence on infected systems via scheduled tasks or registry modifications. DCRat itself is a Malware-as-a-Service (MaaS) banking trojan with a broad range of capabilities including keystroke logging, file manipulation, and recording victim activity, enabling attackers to steal sensitive financial credentials and other confidential information. The campaign leverages multiple MITRE ATT&CK techniques such as T1566 (phishing), T1055 (process hollowing), T1547 (persistence), and T1056 (input capture), demonstrating a sophisticated multi-stage infection chain. Although currently focused on Latin America, particularly Colombia, the malware’s modularity and MaaS model suggest potential for expansion. IBM X-Force notes an increasing trend of banking trojan campaigns in the region since 2024, indicating sustained threat activity. Indicators of compromise include specific malicious domains and file hashes associated with the loader and trojan components. No known public exploits exist, but the campaign’s reliance on social engineering and evasion techniques makes it a persistent threat vector.

Detailed information about Threat Analysis: DCRat presence growing in Latin America. Get real-time updates, technical details, and mitigation strategies.

Threat Analysis: DCRat presence growing in Latin America - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Analysis: DCRat presence growing in Latin America

Chaos RAT, an open-source remote administration tool written in Golang, has evolved since its first appearance in 2022. Recent variants have been identified in Linux and Windows attacks. The malware offers cross-platform compatibility and is being exploited by threat actors for malicious purposes. It provides an administrative panel for payload generation and control of compromised systems. The latest samples show improved encoding of configuration data and expanded capabilities. A critical vulnerability in Chaos RAT's web panel allowed attackers to execute remote code on the server. While overall usage remains limited, its low detection profile creates opportunities for espionage, data exfiltration, and establishing footholds for further attacks.

Chaos RAT is an open-source remote administration tool (RAT) developed in Golang, first appearing in 2022 and evolving significantly since then. It is designed to operate cross-platform, targeting both Windows and Linux environments, which broadens its potential attack surface. The malware provides threat actors with an administrative panel that facilitates payload generation and centralized control over compromised systems. Recent variants have enhanced their capabilities, including improved encoding of configuration data, making detection and analysis more difficult. A critical vulnerability (CVE-2024-30850) was discovered in Chaos RAT's web panel, allowing remote code execution on the server hosting the control interface, which could enable attackers to take over the RAT infrastructure itself or pivot to other targets. Although the overall usage of Chaos RAT remains limited compared to more widespread malware families, its low detection profile and cross-platform nature make it a potent tool for espionage, data exfiltration, and establishing persistent footholds within targeted networks. The malware leverages numerous tactics and techniques mapped to MITRE ATT&CK, such as process injection (T1055), persistence mechanisms (T1543, T1547), command and control communications (T1071), credential access (T1078), and defense evasion (T1562), indicating a sophisticated and modular design. Indicators of compromise include numerous file hashes and associated domains/IPs used for command and control or distribution. No known widespread exploits in the wild have been reported yet, but the presence of a critical vulnerability in the RAT’s web panel increases the risk of exploitation by skilled adversaries.

Detailed information about From open-source to open threat: Tracking Chaos RAT’s evolution. Get real-time updates, technical details, and mitigation strategies.

From open-source to open threat: Tracking Chaos RAT’s evolution - Live Threat Intelligence - Threat Radar | OffSeq.com

From open-source to open threat: Tracking Chaos RAT’s evolution

Blitz is a new Windows-based malware discovered in 2024 consisting of a downloader and bot payload. The latest version was spread through backdoored game cheats for Standoff 2 distributed via Telegram. Blitz abuses Hugging Face Spaces to host components of its C2 infrastructure and payloads. The malware performs information stealing and DDoS attacks. An XMRig cryptocurrency miner was also deployed as follow-up malware. By May 2025, the developer claimed to have abandoned the project. Russia accounted for the highest number of infections among 289 victims across 26 countries. Palo Alto Networks customers are protected through various security products and services.

Blitz is a Windows-based malware campaign identified in 2024, characterized by a modular architecture consisting primarily of a downloader and a bot payload. The malware was distributed through backdoored game cheats specifically targeting the popular mobile game Standoff 2, with distribution channels leveraging Telegram, a widely used messaging platform. This initial infection vector exploits the gaming community's demand for cheats, thereby increasing the likelihood of user interaction and infection. Blitz's command and control (C2) infrastructure is notable for abusing Hugging Face Spaces, a legitimate AI and machine learning hosting platform, to host components of its C2 servers and payloads, which helps evade traditional detection mechanisms by blending malicious traffic with legitimate web services. Once installed, Blitz performs multiple malicious activities including information stealing—likely harvesting sensitive user data and system information—and launching distributed denial-of-service (DDoS) attacks, which can disrupt network availability. Additionally, the campaign deployed XMRig, a cryptocurrency mining software, as a secondary payload, enabling attackers to illicitly mine Monero cryptocurrency using infected systems' resources. By May 2025, the malware developer publicly claimed to have abandoned the project, though residual infections and impacts may persist. The campaign affected 289 victims across 26 countries, with Russia experiencing the highest infection rates. Palo Alto Networks has implemented protections against Blitz through various security products and services, indicating that detection and mitigation capabilities exist within certain commercial security solutions. The malware employs a broad range of techniques and tactics, including process injection, persistence mechanisms, credential access, and network communications, as indicated by the extensive MITRE ATT&CK technique tags provided (e.g., T1055 Process Injection, T1547.001 Boot or Logon Autostart Execution, T1041 Exfiltration Over C2 Channel). The use of backdoored game cheats as a delivery vector and abuse of legitimate cloud platforms for C2 infrastructure represent sophisticated evasion and social engineering strategies.

Detailed information about Blitz Malware: A Tale of Game Cheats and Code Repositories. Get real-time updates, technical details, and mitigation strategies.

Blitz Malware: A Tale of Game Cheats and Code Repositories - Live Threat Intelligence - Threat Radar | OffSeq.com

Blitz Malware: A Tale of Game Cheats and Code Repositories

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services as Command and Control servers, a tactic known as 'Living off Trusted Sites.' The malware, identified as RoKRAT, collected system information, captured screenshots, and exfiltrated data to cloud-based C2 servers. The campaign, named 'Operation: ToyBox Story,' employed sophisticated techniques including fileless attacks and multiple encryption layers to evade detection. The threat actors impersonated academic events and used decoy documents to lure targets, highlighting the need for advanced endpoint detection and response solutions.

The threat described involves a sophisticated cyber espionage campaign dubbed 'Operation ToyBox Story,' attributed to APT37, a North Korean state-sponsored advanced persistent threat group. The campaign targets activists focused on North Korea by leveraging spear phishing emails containing Dropbox links to malicious LNK (Windows shortcut) files. When victims execute these LNK files, they trigger the deployment of RoKRAT malware, which is capable of collecting extensive system information, capturing screenshots, and exfiltrating sensitive data to cloud-based Command and Control (C2) servers. APT37 employs 'Living off the Land' tactics by using legitimate cloud services as C2 infrastructure, complicating detection and attribution efforts. The malware utilizes fileless attack techniques and multiple layers of encryption to evade traditional endpoint security solutions. The threat actors also impersonate academic events and use decoy documents to increase the likelihood of successful compromise. The campaign exploits CVE-2022-41128, a known vulnerability, although no known exploits in the wild have been reported. The attack chain includes reconnaissance, initial access via spear phishing, execution of malicious LNK files, persistence, credential access, command and control communication, and data exfiltration. The use of legitimate cloud services for C2 and fileless techniques indicates a high level of operational security and sophistication, requiring advanced endpoint detection and response (EDR) capabilities for effective mitigation.

Detailed information about Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story). Get r

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story) - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leading to RATs and infostealers. The campaign involves automated commits, obfuscation techniques, and complex payloads. Researchers found over 100 malicious repositories with distinct contributor roles, suggesting an automated framework. The eventual payload includes AsyncRAT, Remcos, and Lumma Stealer. The threat actor uses Telegram for notifications and various paste sites for hosting malicious code. This case highlights the complexity of modern cyber threats and the importance of cautious approaches to open-source repositories.

The threat campaign dubbed "ischhfd83" represents a sophisticated and large-scale malicious operation targeting primarily game cheaters and inexperienced cybercriminals through backdoored GitHub repositories. The adversary, potentially linked to a Distribution-as-a-Service (DaaS) model, leverages automated commits and obfuscation techniques to maintain and propagate over 100 malicious repositories. These repositories contain complex infection chains that ultimately deliver Remote Access Trojans (RATs) such as AsyncRAT and Remcos, as well as the Lumma Stealer infostealer. The infection chain involves multiple stages, including the use of backdoors embedded in open-source code, which are then used to download and execute further payloads. The campaign employs a variety of evasion and persistence techniques, including code obfuscation, automated contributor roles suggesting a framework for continuous deployment, and the use of Telegram channels for command-and-control notifications. Additionally, the threat actor hosts malicious code on various paste sites and domains, complicating detection and takedown efforts. The campaign exploits common tactics, techniques, and procedures (TTPs) such as credential dumping (T1003), input capture (T1056.001), command and scripting interpreter abuse (T1059 variants), user execution (T1204.002), obfuscated files or information (T1027), and persistence mechanisms (T1547.001), among others. This multi-layered approach highlights the increasing complexity of modern cyber threats that abuse legitimate platforms like GitHub to distribute malware, emphasizing the need for heightened scrutiny of open-source repositories and supply chain security.

Detailed information about The strange tale of ischhfd83: When cybercriminals eat their own. Get real-time updates, technical details, and mitigation strategies

The strange tale of ischhfd83: When cybercriminals eat their own - Live Threat Intelligence - Threat Radar | OffSeq.com

The strange tale of ischhfd83: When cybercriminals eat their own

StealC V2, introduced in March 2025, is an enhanced version of the popular information stealer and malware downloader. Key updates include a streamlined JSON-based C2 communication protocol with RC4 encryption, expanded payload delivery options (MSI packages and PowerShell scripts), and a redesigned control panel with an integrated builder. New features comprise multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials. The malware now supports customizable payload delivery rules based on geolocation, hardware IDs, and installed software. Technical analysis reveals improvements in obfuscation, API resolution, and configuration encryption. StealC V2 is actively developed and frequently used in conjunction with other malware families like Amadey.

StealC V2 is an advanced iteration of the StealC malware family, primarily functioning as an information stealer and malware downloader. Released in March 2025, this version introduces significant technical enhancements aimed at improving stealth, flexibility, and operational control. The malware employs a streamlined JSON-based command and control (C2) communication protocol encrypted with RC4, which facilitates efficient and obfuscated data exchange between infected hosts and the attacker’s infrastructure. StealC V2 expands its payload delivery mechanisms to include MSI installer packages and PowerShell scripts, enabling it to deploy a wider range of malicious payloads with greater ease and adaptability. The control panel has been redesigned to include an integrated builder, allowing operators to customize payloads dynamically. Notably, new features include multi-monitor screenshot capture, a unified file grabber capable of exfiltrating various file types, and server-side brute forcing for credential harvesting. The malware supports highly granular payload delivery rules based on geolocation, hardware identifiers, and installed software, allowing targeted attacks and evasion of detection in undesired environments. Technical improvements also encompass advanced obfuscation techniques, dynamic API resolution to avoid static detection, and encrypted configuration files to hinder analysis. StealC V2 is actively maintained and frequently deployed alongside other malware families such as Amadey, indicating its role in multi-stage attack campaigns. Indicators of compromise include multiple file hashes associated with the malware components. Although no known exploits are currently reported in the wild, the malware’s capabilities for credential theft, data exfiltration, and lateral movement pose a substantial threat to targeted organizations.

Detailed information about I StealC You: Tracking the Rapid Changes To Steal. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 't1113'

Filter Threats

Threats Tagged 't1113'