Threats Tagged 't1140'

Acronis Threat Research Unit identified two espionage campaigns targeting Cambodian government entities in defense and public works sectors, attributed to a cluster tracked as Khmer Shadow. Both campaigns delivered a custom C++ loader named NIGHTFORGE through government-themed lures in self-extracting archives. NIGHTFORGE employs sophisticated evasion techniques including NTDLL unhooking and Hell's Gate syscall resolution to decrypt and execute a Havoc Demon payload in memory. The loader utilizes DLL sideloading through a legitimate VMware-signed binary (VMwareNamespaceCmd.exe) and establishes persistence via COM-based scheduled tasks. Despite advanced technical capabilities, the actor demonstrated poor operational security by reusing identical payloads and infrastructure across targets. The campaigns targeted Cambodia's Information Collection Bureau and Ministry of Public Works and Transport using meeting-themed social engineering lures.

MediumMalwareCambodia#kaynldr#nightforge#khmer shadow

A sophisticated phishing campaign exploits Amazon's brand reputation through spoofed security alerts to deliver HarborWatch Agent, a custom remote access trojan. The attack chain begins with emails impersonating Amazon security notifications about suspicious account activity, directing victims to lookalike domains. Users are presented with fake CAPTCHA verification pages that employ ClickFix social engineering techniques, instructing them to execute PowerShell commands on their own systems. The multi-stage infection downloads mysql.exe from compromised infrastructure, which communicates with a Chinese-language command and control panel branded Harbor Sentinel. The RAT collects extensive system information including OS details, architecture, CPU count, disk usage, memory status, and network configurations, exfiltrating data through API endpoints to the threat actor's monitoring infrastructure.

In May 2026, a new malware family named MLTBackdoor was identified, likely leveraged by ransomware-related threat actors to establish footholds for lateral movement. Delivered through multi-stage ClickFix infection chains targeting automotive-related web pages, this backdoor employs sophisticated obfuscation techniques including Mixed Boolean-Arithmetic and Control Flow Flattening. MLTBackdoor features indirect system calls, API hashing, and extensive anti-analysis checks that detect debuggers and sandboxed environments. Its capabilities include filesystem operations and a powerful Beacon Object File loader that dynamically expands functionality. The malware uses custom encrypted binary protocols over TLS with Elliptic-Curve Diffie-Hellman key exchange for command-and-control communications. Additionally, it implements a deterministic date-based Domain Generation Algorithm to maintain persistence when hardcoded C2 domains become unreachable, demonstrating advanced resilience against takedown attempts.

A sophisticated supply chain attack campaign has expanded to 471 affected artifacts across npm and PyPI, targeting developers through malicious packages. The campaign uses three distinct delivery methods: executable .pth startup hooks, trojanized native .abi3.so extensions that execute at import time, and a split loader-payload architecture that searches Python's sys.path. Twenty-three newly identified PyPI packages masquerade as bioinformatics tools, AI frameworks, and popular libraries like requests and Flask. The attack deploys heavily obfuscated JavaScript stealers via Bun runtime, harvesting high-value credentials including GitHub tokens, npm registry access, cloud credentials, SSH keys, and CI/CD secrets. The malware employs anti-analysis techniques with fake LLM prompt-injection headers designed to disrupt AI-assisted security scanners, while targeting developer workstations and automated build environments.

A new post-exploitation red team tool named Splinter has been discovered on customer systems through Advanced WildFire's memory scanning capabilities. Developed in Rust programming language, Splinter is exceptionally large at around 7MB due to statically linked libraries. The tool uses a JSON configuration structure containing implant ID, C2 server details, and operational parameters. It operates through a task-based model with capabilities including Windows command execution, remote process injection, file upload/download, cloud service information gathering, and self-deletion. Communication with the C2 server occurs via HTTPS using specific URL paths for task synchronization, heartbeat connections, and file transfers. While not as sophisticated as Cobalt Strike, Splinter represents a growing variety of penetration testing tools that could potentially be misused by threat actors.

Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-controlled GitHub repositories hosting malicious scripts. The infection chain exploited Visual Studio Code workflows and deployed malicious Visual Studio Extensions (VSIX) requiring minimal user interaction. Cross-platform malware was executed on macOS, Linux, and Windows systems, including the open-source Overlord framework. The campaigns specifically targeted developer assets including API tokens, cryptocurrency wallets, and credentials. Attackers employed fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects to establish credibility and lure victims.

MediumMalwareUnited States#wallet exfiltration#ottercookie#cryptocurrency theft

A newly identified China-linked espionage cluster designated OP-512 has been discovered targeting Internet Information Services (IIS) servers through advanced AI-driven detection. The operation involves deploying a sophisticated custom web shell framework consisting of three components: a file manager with command-and-control notification channel and two cryptographically authenticated command handlers. Each deployment is cryptographically unique, utilizing RSA and RC4 encryption alongside timestomping techniques to evade signature-based detection. The attacker maintained persistence for 75 days before rapid deployment of multiple access paths, privilege escalation tools including BadPotato, SweetPotato, and EfsPotato, and establishment of dual notification channels through DNS and HTTP. The framework employs hex-encoded subdomain queries for self-reporting and automated builder-generated code with randomized variables. This represents the fourth China-linked cluster documented targeting legacy IIS infrast...

This analysis examines Gamaredon's (UAC-0010, Armagedon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation with servers rotated approximately every 24 hours.

MediumMalwareUkraine#vbscript#gammaworm#cyberespionage

A sophisticated multi-stage malware campaign targets victims through tax-themed phishing emails impersonating Indian and Japanese government authorities. The operation leverages social engineering, fraudulent tax notifications, and trusted third-party email delivery services to distribute ZIP archives containing three staged payloads. The malware implements advanced evasion techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs primarily in memory, significantly reducing forensic artifacts. The malware establishes persistent WebSocket-based command-and-control communication through HTTP protocol upgrades, allowing malicious traffic to blend with legitimate activity. Chinese-language artifacts were observed throughout the infrastructure and code, though attribution remains at moderate confidence. The campaign demonstrates characteristics of a mature, ...

MediumCampaignBritish Indian Ocean TerritoryIndiaJapan#websocket c2#dll hijacking#government impersonation

A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.