Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

AlienVault OTX General

SANS ISC Handlers Diary

SecurityWeek

Threatpost

Dark Reading

The Hacker News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Check Point Research

Kaspersky Security Blog

Reddit NetSec

CVE Database V5

Reddit InfoSec News

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, persistence establishment, and cryptomining execution. The malware targets diverse countries, including Russia, Belgium, Greece, and China. It disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files for continued operation. Despite its simple, unobfuscated nature, the malware proved effective in avoiding detection.

The threat described is a resurgence of malware deploying the XMRig cryptominer, discovered in mid-April 2025, coinciding with an increase in the value of the Monero cryptocurrency. This malware uses a multi-stage infection chain and Living Off the Land Binaries and Scripts (LOLBAS) techniques, leveraging legitimate Windows tools such as PowerShell to deliver payloads, evade detection, and maintain persistence. The attack chain consists of three stages: initial infection via a batch file, establishment of persistence through scheduled tasks and registry modifications, and execution of the XMRig cryptominer to mine Monero. The malware disables Windows Update services to prevent system patches, evades Windows Defender detection mechanisms, and uses scheduled tasks to ensure continued operation after reboots. It creates registry entries and drops files to maintain persistence and continued cryptomining activity. Despite the malware’s relatively simple and unobfuscated code, it effectively avoids detection by abusing legitimate system tools and disabling security features. The malware has been observed targeting multiple countries, including Russia, Belgium, Greece, and China. Indicators of compromise include specific file hashes and a domain (notif.su) used in the attack infrastructure. The malware’s tactics align with several MITRE ATT&CK techniques such as T1053.005 (Scheduled Task), T1489 (Service Stop), T1059.001 (PowerShell), and others related to persistence, defense evasion, and execution. No known exploits or threat actors are currently linked to this malware, and no CVE identifiers are assigned. The overall severity is assessed as medium by the source, reflecting its impact and ease of detection avoidance but limited direct destructive capabilities.

Detailed information about Digging Gold with a Spoon – Resurgence of Monero-mining Malware. Get real-time updates, technical details, and mitigation strategies.

Digging Gold with a Spoon – Resurgence of Monero-mining Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hijacking. The malware employs advanced defense evasion techniques, disabling Windows Defender through PowerShell and registry manipulations. Its modules harvest browser credentials, Wi-Fi passwords, gaming profiles, and session data from various applications. The builder framework allows adversaries to customize payloads, making it accessible to less technically skilled threat actors. CyberEye's persistence mechanisms, anti-analysis features, and use of public messaging platforms for C2 make it a significant threat to both consumers and enterprises.

CyberEye is a modular Remote Access Trojan (RAT) developed using the .NET framework, notable for its use of Telegram as a Command and Control (C2) channel. This design choice allows attackers to leverage a public messaging platform, eliminating the need to maintain dedicated C2 infrastructure, thereby increasing operational stealth and reducing costs. The RAT provides extensive surveillance and data theft capabilities, including keylogging to capture keystrokes, file grabbing to exfiltrate files, and clipboard hijacking to intercept copied data. It also harvests sensitive credentials such as browser-stored passwords, Wi-Fi keys, gaming profiles, and session information from various applications, enabling broad access to victim data. 

CyberEye employs advanced defense evasion techniques, notably disabling Windows Defender via PowerShell scripts and registry modifications, which complicates detection and removal. Its persistence mechanisms ensure the malware remains active across system reboots, while anti-analysis features hinder reverse engineering and forensic investigations. The RAT builder framework allows adversaries to customize payloads, lowering the technical barrier for less skilled threat actors to deploy sophisticated malware. The use of Telegram for C2 communications (leveraging techniques mapped to MITRE ATT&CK techniques such as T1102.002) also helps evade traditional network-based detection methods. Overall, CyberEye represents a versatile and stealthy threat capable of extensive data exfiltration and system control, targeting both consumer and enterprise Windows environments.

Detailed information about Understanding CyberEYE RAT Builder: Capabilities and Implications. Get real-time updates, technical details, and mitigation strategie

Title	Severity	Type	Source	Date

Threats Tagged 'windows defender evasion'

Filter Threats

Scan a website for live threats in under a minute

Threats Tagged 'windows defender evasion'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility