
Malware Threats

Comprehensive database of the latest cyber threats affecting organizations worldwide.



What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials

The Miasma campaign is a critical supply chain attack involving a self-propagating npm worm that compromised over 89 npm packages, including 32 Red Hat packages. It leveraged stolen developer credentials that were traded in underground markets for seven weeks before being weaponized. The campaign bypassed high-integrity supply chain protections by producing malicious packages with valid SLSA Build Level 3 provenance attestations. It escalated to target AI coding assistants in developers' local environments, expanding the attack surface beyond package registries. The attack exemplifies a new threat model called the Developer Credential Economy, where stolen developer credentials are commoditized and weaponized in multi-layered campaigns. The campaign highlights the insufficiency of traditional endpoint detection tools against ephemeral CI/CD environment compromises and stresses the need for treating developer credentials as critical infrastructure.

Maltrail IOC for 2026-06-23

Maltrail IOC for 2026-06-23

New malware

A new malware masquerading as ClearMic, a legitimate microphone noise suppression application, has been identified. This malicious software is a Remote Access Trojan (RAT) that logs keystrokes, captures screens, hijacks clipboard data, records microphone audio, and exfiltrates this information to a remote server. It also deletes Windows Shadow Copies to hinder file recovery, a behavior typical of ransomware. The malware detects sandbox environments to evade analysis. Users who have installed this malware are advised to disconnect from the internet, run anti-malware tools, and change passwords from a clean device.

ThreatFox IOCs for 2026-06-22

ThreatFox IOCs for 2026-06-22

WhatsApp phishing attack uses fake business docs to hack PCs

A malware campaign is targeting WhatsApp users globally by sending deceptive VBScript files disguised as business and financial documents from compromised contacts. When executed on Windows, the VBScript disables User Account Control (UAC) protections and silently installs ManageEngine Endpoint Central software configured to connect to attacker-controlled servers, granting remote access to the victim's PC. The campaign affects multiple countries and uses localized filenames to increase effectiveness. The exact method of WhatsApp account compromise is unknown. Users are advised to verify files received via WhatsApp and scan them before execution.

An unknown actor distributes malicious VBS scripts via WhatsApp

Since June 2026, an active malware campaign distributes malicious VBScript files via WhatsApp direct messages. The campaign targets users globally, with Malaysia having the highest victim concentration. Attackers compromise WhatsApp accounts to send weaponized VBS scripts disguised as business and financial documents. The infection chain deploys legitimate ManageEngine Endpoint Central RMM software to maintain persistent remote access. The scripts use heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT suggest possible Chinese-speaking operators. The campaign primarily uses opportunistic social engineering with localized filenames in multiple languages.

Maltrail IOC for 2026-06-22

Maltrail IOC for 2026-06-22

3CXDesktopApp Intrusion Campaign Prevention

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks

Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. The post What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks appeared first on SecurityWeek.

Severity: Medium, Type: Malware
4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware

AryStinger is a malware family that hijacks over 4,300 outdated routers built on Realtek RTL819X chips, primarily D-Link DIR-850L devices, to create a stealthy reconnaissance and intrusion support network. It exploits old vulnerabilities disclosed in 2013 and 2016 to install a lightweight Linux binary that performs distributed scanning and information gathering without typical malicious activities like file encryption or cryptocurrency mining. A second, more capable Go-based build targets NAS devices via a 2025 code injection vulnerability. The malware communicates with its command and control infrastructure using obfuscated protocols and establishes persistence via Dropbear SSH. The infected routers act as Executors that perform parallel scanning tasks, enabling efficient network footprinting. The infection is concentrated mainly in South Korea and China but also affects other countries. The malware's low detection rate and use of legacy hardware with no firmware updates pose ongoing risks to privacy, enterprise security, and national infrastructure.
