Threats Tagged 't1539'

StealC and Amadey are malware families involved in credential theft and enterprise breaches. StealC is a C++ infostealer that collects credentials from browsers, wallets, messaging apps, email clients, and gaming platforms, also acting as a secondary loader. Amadey is a modular backdoor loader active since 2018, delivering payloads including StealC, Lumma Stealer, and ransomware. Both operate on rental models where stolen credentials are sold through underground markets to access brokers. On June 24, 2026, law enforcement disrupted over 200 command-and-control domains supporting these malware operations.

macOS.Gaslight is a sophisticated Rust-based backdoor implant targeting macOS systems. It features a unique 3.5 KB prompt-injection payload designed to disrupt LLM-assisted malware analysis by fabricating system messages. The malware communicates with its operators via the Telegram Bot API using AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction to hide sensitive tokens from logs. It provides an interactive shell, collects system information, and steals credentials through a bundled Python script targeting browser data, keychains, and command histories. Persistence is achieved via a LaunchAgent masquerading as an Apple system service. This malware is attributed with high confidence to DPRK-aligned threat actors and represents an evolution in adversarial techniques focusing on evading analyst detection rather than sandbox evasion.

EvilTokens is a sophisticated phishing kit that uses browser-side AES-GCM encryption to hide key attack components, evading traditional static URL analysis. It abuses Microsoft's OAuth device-code login flow to take over Microsoft 365 accounts without stealing passwords directly. The attack involves multiple stages including gate checks, user code requests, and session monitoring, ultimately redirecting victims to legitimate OneDrive pages to appear authentic. Primarily targeting organizations in the United States across sectors such as managed security services, technology, manufacturing, education, banking, and consulting, the kit requires dynamic analysis to fully reveal its malicious behavior.

MediumMalwareUnited States#oauth device-code phishing#dom manipulation#microsoft 365 compromise

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

MediumMalwareBritish Indian Ocean TerritoryFranceHong Kong+6#gitlab pages abuse#macsync#ai impersonation

This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.

Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from takeover of the ehindero npm maintainer account, which published poisoned package versions introducing easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Any developer workstation or CI/CD pipeline executing npm install after compromise was potentially exposed regardless of code usage.

Since late 2025, cybercriminals have been exploiting Wallpaper Engine, a popular live wallpaper application on Steam, to distribute malware through Steam Workshop. Attackers target primarily Chinese and Russian gamers by embedding malicious code within application wallpapers shared on the platform. These compromised wallpapers deliver various malware types including infostealers, backdoors, crypto miners, and ransomware. One analyzed sample dropped DarkKomet backdoor while hijacking Steam sessions to steal account credentials. The malware modifies system libraries to locate Steam installations and exfiltrate data to attacker-controlled servers. Compromised accounts are then used to upload additional malicious wallpapers. The diverse malware families suggest multiple independent hacking groups are exploiting this distribution method. Infected wallpapers received thousands of downloads before removal, with 89% of infections occurring in China.

MediumMalwareBritish Indian Ocean TerritoryCanadaChina+5#account hijacking#vidar#wallpaper engine

A sophisticated Chinese-origin fraud operation is targeting FIFA World Cup 2026 attendees through pixel-perfect website clones and a multi-tenant phishing infrastructure. The actors deploy typosquatted domains and a commercially developed administrative system to mimic legitimate FIFA ticketing platforms. Technical analysis reveals high-fidelity brand cloning, real-time card skimming capabilities, and a distributed reseller ecosystem supporting at least 15 active operator instances. The platform functions as an active Man-in-the-Middle framework intercepting payment card details and bypassing SMS-based two-factor authentication in real time. Traffic is primarily driven through Facebook and Instagram in-app browsers. Simplified Chinese localizations and operator geolocations from IP addresses in China indicate PRC-based actors. The core payment routing hub tbpay[.]uk lacks financial regulatory authorization and has historical malicious patterns.

Multiple phishing campaigns are exploiting the FIFA World Cup 2026 event to target mobile users globally. These campaigns use typosquatting, institutional spoofing, and impersonation of major sports retailers to harvest credentials. A sophisticated recruitment fraud campaign also targets corporate Google Workspace accounts with an Adversary-in-the-Middle platform capable of bypassing MFA. Attack vectors include SMS, WhatsApp, and search engines, leveraging emotional urgency and ticket scarcity. This creates risks for enterprises as employees may access work resources via compromised personal devices.

The 2026 FIFA World Cup presents a concentrated attack surface spanning three nations, 16 cities, and billions of viewers. Cybercriminals have already launched phishing campaigns, fraudulent ticket sales, and brand impersonation schemes targeting governments, sponsors, broadcasters, transportation providers, and telecommunications companies. Financially motivated actors are exploiting tournament-related interest through credential theft and payment fraud. Hacktivist and state-aligned groups, including pro-Iranian actors like Handala and CyberAv3ngers, may conduct DDoS attacks, website defacements, or espionage operations amid heightened geopolitical tensions involving Iran, the United States, and Russia. Ransomware groups such as Qilin, DragonForce, Akira, and Play may target organizations reliant on continuous service availability. Thousands of FIFA-themed domains have been registered, many exhibiting characteristics associated with fraud campaigns. Organizations throughout the ecosystem face elevated ris...