
Threats Tagged 't1140'

View all threats tagged with 't1140'. Filter and sort to focus on specific types of threats.


New Backdoor May be Linked to Ransomware Access Broker

A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an initial access broker associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. In at least one case Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across the insurance, education, IT and professional services sectors. Woodgnat operates as an IAB, establishing durable remote access within enterprises and selling this access to ransomware affiliates, using various social-engineering techniques including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.

StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them

StealC and Amadey are malware families involved in credential theft and enterprise breaches. StealC is a C++ infostealer that collects credentials from browsers, wallets, messaging apps, email clients, and gaming platforms, also acting as a secondary loader. Amadey is a modular backdoor loader active since 2018, delivering payloads including StealC, Lumma Stealer, and ransomware. Both operate on rental models where stolen credentials are sold through underground markets to access brokers. On June 24, 2026, law enforcement disrupted over 200 command-and-control domains supporting these malware operations.

Skill Marketplace and the Emerging AI Supply Chain Threat

Between February and May 2026, five malicious skills were identified on ClawHub, OpenClaw's AI agent marketplace, that bypassed detection by VirusTotal and ClawScan. These included two macOS infostealers communicating with command-and-control servers, one skill using file padding to evade scanners, and two agentic threats exploiting the AI supply chain for financial gain. The infostealers delivered AMOS malware via Base64-encoded droppers and paste-site redirects. One skill forced AI agents to recommend products through malicious referral links (runtime affiliate injection), while another coordinated AI agents to manipulate cryptocurrency token launches via front-running. These attacks exploit semantic instruction hijacking and insufficient isolation between skill logic and agent authority, compromising AI agent ecosystems.

macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox

macOS.Gaslight is a sophisticated Rust-based backdoor implant targeting macOS systems. It features a unique 3.5 KB prompt-injection payload designed to disrupt LLM-assisted malware analysis by fabricating system messages. The malware communicates with its operators via the Telegram Bot API using AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction to hide sensitive tokens from logs. It provides an interactive shell, collects system information, and steals credentials through a bundled Python script targeting browser data, keychains, and command histories. Persistence is achieved via a LaunchAgent masquerading as an Apple system service. This malware is attributed with high confidence to DPRK-aligned threat actors and represents an evolution in adversarial techniques focusing on evading analyst detection rather than sandbox evasion.

Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain

The GhostShell threat group has been targeting Ukraine's unmanned aerial vehicle (UAV) supply chain since February 2026 using a malware chain disguised as documents from Besomar, a Ukrainian drone manufacturer. The attack involves three payloads: a custom backdoor using mTLS client certificates for screen capture and command execution, an in-memory stager masquerading as a Windows Health Service that retrieves further payloads via Telegram, and a proxy launcher that tunnels traffic through Xray Core to deploy the Vidar v2 information stealer. This campaign aims to compromise defense and procurement networks related to UAVs. Attribution to Russian actors is suggested but not confirmed due to the use of the SOLBIT framework to avoid misattribution. No known exploits in the wild or patches are reported.

"Ghost" Code Phishing Analysis

EvilTokens is a sophisticated phishing kit that uses browser-side AES-GCM encryption to hide key attack components, evading traditional static URL analysis. It abuses Microsoft's OAuth device-code login flow to take over Microsoft 365 accounts without stealing passwords directly. The attack involves multiple stages including gate checks, user code requests, and session monitoring, ultimately redirecting victims to legitimate OneDrive pages to appear authentic. Primarily targeting organizations in the United States across sectors such as managed security services, technology, manufacturing, education, banking, and consulting, the kit requires dynamic analysis to fully reveal its malicious behavior.

A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally

A sophisticated phishing campaign was identified distributing multiple malware families through a multi-stage loader utilizing steganography and fileless techniques. The infection chain begins with archive attachments containing files disguised as financial documents, primarily targeting Indian organizations using names related to GST, NEFT, RTGS, and IMPS transactions. The loader employs in-memory execution to avoid disk-based artifacts and uses embedded .NET Bitmap objects to conceal payloads. Various malware families have been deployed, including Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, DarkCloud, RedLine Stealer, Snake Keylogger, Formbook, and XWorm. The final payloads establish persistence through registry Run keys, perform process hollowing, steal browser credentials, record audio and webcam, and exfiltrate data to command-and-control infrastructure. The campaign exhibits characteristics of a loader-as-a-service operation serving multiple threat actors globally.

From PostCSS Masquerading to Windows RAT

A sophisticated supply chain attack leverages typosquatting of the legitimate postcss-selector-parser npm package, which receives over 150 million weekly downloads. Three malicious packages published by user 'abdrizak' masquerade as PostCSS utilities while delivering a multi-stage Windows RAT. The infection chain begins with encoded JavaScript that drops PowerShell scripts, which then download a bundled Python runtime containing Nuitka-compiled modules. The final payload implements comprehensive RAT capabilities including HTTP C2 communication with RC4 encryption, registry persistence, VM detection, remote shell execution, file transfer, and Chrome credential theft using DPAPI and app-bound decryption. The attack demonstrates how build tooling dependencies can serve as delivery mechanisms for sophisticated Windows malware targeting developer environments.

PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"

A sophisticated phishing campaign leverages evolved ClickFix techniques to bypass modern endpoint security through victim-assisted execution. Targets receive emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack uses LNK shortcuts that redirect victims to landing pages, silently injecting PowerShell commands into their clipboard. Through social engineering, victims are tricked into manually executing commands via Win+R, circumventing traditional security filters. The campaign employs DNS TXT records for payload staging, avoiding HTTP detection. The threat infrastructure hosts multiple malicious components including obfuscated scripts, fake MSI installers masquerading as legitimate software like ConnectWise, and ISO images with spyware for persistent access. This represents a shift toward long-game tactics focused on establishing full post-compromise environmental control.

Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub

A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency from GitHub that executes upon installation. It runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\EdgeBroker\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant decrypted in memory and launched hidden via wscript. The dropper scripts self-delete while the disguised runtime remains active on the compromised system, establishing command and control communications.


Showing 1 to 10 of 52 results
