Threats Tagged 't1566'

Between February and May 2026, five malicious skills were identified on ClawHub, OpenClaw's AI agent marketplace, that bypassed detection by VirusTotal and ClawScan. These included two macOS infostealers communicating with command-and-control servers, one skill using file padding to evade scanners, and two agentic threats exploiting the AI supply chain for financial gain. The infostealers delivered AMOS malware via Base64-encoded droppers and paste-site redirects. One skill forced AI agents to recommend products through malicious referral links (runtime affiliate injection), while another coordinated AI agents to manipulate cryptocurrency token launches via front-running. These attacks exploit semantic instruction hijacking and insufficient isolation between skill logic and agent authority, compromising AI agent ecosystems.

EvilTokens is a sophisticated phishing kit that uses browser-side AES-GCM encryption to hide key attack components, evading traditional static URL analysis. It abuses Microsoft's OAuth device-code login flow to take over Microsoft 365 accounts without stealing passwords directly. The attack involves multiple stages including gate checks, user code requests, and session monitoring, ultimately redirecting victims to legitimate OneDrive pages to appear authentic. Primarily targeting organizations in the United States across sectors such as managed security services, technology, manufacturing, education, banking, and consulting, the kit requires dynamic analysis to fully reveal its malicious behavior.

MediumMalwareUnited States#oauth device-code phishing#dom manipulation#microsoft 365 compromise

This threat involves observed activity by the Sidewinder advanced persistent threat (APT) group using a malicious document named No.9374.docx (hash 64f2681ad0940e6c2c9c76e6834117bf) as a lure. The campaign employs a command and control (C2) infrastructure hosted on the domain update.ms-office.app, which mimics legitimate Microsoft services. Sidewinder is known for sophisticated social engineering tactics and targeted operations. No specific affected software versions or patches are indicated. The threat is assessed as medium severity based on the observed tactics and infrastructure.

ScreenConnect is used in phishing URLs to deliver RMM payload. DocuSign has been observed to be the common theme in these phishing emails.

FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.

This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

MediumMalwareBrazil#banana rat#fake captcha#smartrat

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.

MediumCampaignUnited States#void blizzard#cryptocurrency#denis obrezko

Lookalike attacks exploit human cognitive shortcuts rather than technical vulnerabilities, designing domain names that resemble legitimate services to bypass security controls. These attacks leverage predictable patterns in how people read and process text, using techniques including homographs, typosquatting, domain embedding, and keyword association. The domain name itself embeds targeting intent, making attacks visible in DNS infrastructure before malicious activity occurs. Attackers face deliberate tradeoffs between plausibility and uniqueness, often maintaining domains in dormant states between campaigns to evade takedown. DNS provides early structural signals about attacker intent and brand targeting, though ambiguity remains inherent as legitimate services often exhibit similar patterns. Effective detection requires separating targets from imposters and understanding that domain-based analysis surfaces risk rather than definitive verdicts.

A sophisticated malware campaign exploits growing interest in artificial intelligence by distributing malicious files disguised as AI-related learning resources and technical guides. The attack employs an exceptionally complex multi-stage infection chain beginning with compressed archives containing LNK shortcuts and hidden PDF files. Through multiple layers of obfuscation involving PowerShell scripts, batch files, and AutoHotkey loaders, the campaign establishes persistent access and deploys two distinct .NET Remote Access Trojans including AsyncRAT. The intermediate scripts extensively use Simplified Chinese variable names and exhibit coding patterns suggesting AI-assisted development, with cultural references to Chinese mythology used as symbolic aliases for Windows API calls. The attack implements advanced techniques including process hollowing, reflective DLL injection, and scheduled task persistence while actively disabling Windows Defender exclusions to facilitate execution.