Socket uncovered a malicious npm supply chain campaign in which compromised @mastra/* packages were modified to pull in the typosquatted easy-day-js dependency, triggering a postinstall loader that downloaded a second-stage implant. The payload disabled TLS validation, persisted across Windows, macOS, and Linux, and stole browser history plus data from more than 160 cryptocurrency wallet browser extensions while exfiltrating to attacker infrastructure. #Mastra #easy-day-js #ehindero #sergey2016 #protocal.cjs
Category: Threat Research
Datadog Security Research outlines Salesforce hunting queries to detect attacker reconnaissance, credential abuse, OAuth token misuse, and data discovery patterns across Event Log Files and Real-Time Event Monitoring. The post maps these behaviors to MITRE ATT&CK, references GRUB1/UNC6395 and Salesloft-related activity, and shows how Salesforce logs can reveal suspicious API requests, logins, and exfiltration preparation. #Salesforce #Datadog #GRUB1 #UNC6395 #Salesloft
World Cup “free HD stream” websites are being used as bait to push visitors through malicious advertising networks that trigger pop-ups, redirects, scams, and possible malware downloads. More than 40 nearly identical sites use the same template and infrastructure to monetize clicks rather than provide real football streams. #WorldCup #MalwarebytesBrowserGuard #MalwarebytesPremium…
Rokarolla is a newly identified Android banking trojan that spreads through malicious websites, impersonates popular apps, and targets 217 banking and cryptocurrency applications. It uses 137 commands, deceptive overlays, keylogging, SMS theft, call blocking, and dynamic C2 infrastructure to steal credentials and enable financial fraud. #Rokarolla #GooglePlayProtect #TikTok #GoogleChrome #WhatsApp
Russian intelligence-linked operations are increasingly focused on communications-layer collection, using compromised SOHO routers, DNS hijacking, and phishing against Signal, WhatsApp, Telegram, and Microsoft 365. These campaigns are attributed largely to the Russian GRU’s Unit 26165 (APT28/Fancy Bear/Forest Blizzard) and target government, defense, critical infrastructure, journalists, NGOs, and Ukraine-related organizations for persistent access and intelligence gathering. #APT28 #FancyBear #ForestBlizzard #Unit26165 #Signal #WhatsApp #Telegram #Microsoft365
The Gentlemen ransomware group is reported to have used LLMs to accelerate data analysis, social engineering, and tool development, helping it claim around 500 victims in less than a year. The article also describes its RaaS model, exploitation of infostealer-obtained credentials and unpatched Cisco and Fortinet devices, and its rapid response after a May 2026 data leak by moving communications to decentralized platforms. #TheGentlemen #Qwen #BlackBasta #Cisco #Fortinet
Sekoia TDR analyzed ErrTraffic, a MaaS ClickFix framework that abuses compromised WordPress sites and fake AI-themed websites to distribute payloads through EtherHiding and blockchain-based C2 resolution. The report separates “Analytics” and “Beer” clusters, links them to different operators and campaigns, and highlights payloads such as Vidar, Stealc, Remus, Salat, DanaBot, HijackLoader, and SmokeLoader. #ErrTraffic #ClickFix #EtherHiding #WordPress #Vidar #DanaBot #HijackLoader #SmokeLoader
Socket’s Threat Research team uncovered trojanized Open VSX Visual Studio Code extensions that delivered a TinyGo-compiled WebAssembly payload and used Solana memos as a takedown-resistant command-and-control dead drop. The campaign, attributed with medium confidence to the GlassWorm developer, was dubbed “GlassWASM” and involved packages impersonating ExarGD.vsblack and noellee-doc.flint-debug. #GlassWASM #OpenVSX #Solana #GlassWorm
Since late 2025, attackers have abused Wallpaper Engine’s Steam Workshop sharing feature to hide malware in malicious wallpaper packages and target gamers in China and Russia for Steam account theft. The campaigns have delivered backdoors, infostealers, crypto miners, and loaders, with one infection chain dropping Synaptics.exe and stealing credentials through a modified AggregatorHost.dll before sending data to hxxp://120.48.156[.]17/ey.php. #WallpaperEngine #SteamWorkshop #DarkKomet #Lumma #Vidar #RenEngine
Sysdig TRT observed threat actors using CTF and CVE-hunting framing to jailbreak their own LLMs into generating exploit code, then deploying it against AI-related targets and Gotenberg. The activity spanned multiple operators and left a visible fingerprint in User-Agents, passwords, AWS roleSessionName values, and API aliases. #PraisonAI #LiteLLM #FastGPT #OpenWebUI #Gotenberg #LangFlow #n8n #Bedrock
Researchers uncovered FakeWallet, a phishing campaign that used more than 20 fake crypto wallet apps to steal users’ recovery phrases and private keys through trojanized App Store pages. Analysis of network and historical infrastructure showed the operation had been active since at least fall 2025 and involved domains such as crypto-stroe[.]cc, gxzhrc[.]cn, and jhxrpbgq[.]com. #FakeWallet #crypto-stroe[.]cc #gxzhrc[.]cn #jhxrpbgq[.]com
Threat hunters uncovered EtherRAT being distributed through a suspicious website that led to a broader malicious infrastructure hosting malware, phishing pages, and remote desktop software. EtherRAT is a Node.js-based RAT that uses the Ethereum blockchain to resolve its C2 server and employs layered loaders, obfuscation, and persistence to execute attacker-supplied code….
CERT-AGID reports a steady rise in suspicious and abusive messages sent through legitimate Italian PEC mailboxes, with over 650 events handled since January 2026. The agency is coordinating with PEC providers to reset compromised accounts or shut down malicious ones, while warning recipients not to click suspicious links or open unknown attachments. #CERT-AGID #PEC #[email protected]
Fox Kitten is an Iranian state-sponsored APT that combines intelligence collection for the IRGC with a profit-driven business selling access to ransomware affiliates. It has repeatedly exploited internet-facing VPN and firewall devices worldwide, using tools and custom malware such as HanifNet, HXLibrary, NeoExpressRAT, and Pay2Key to maintain access and support extortion operations. #FoxKitten #IRGC #HanifNet #HXLibrary #NeoExpressRAT #Pay2Key
Google Threat Intelligence Group attributed a long-running campaign to UNC6508, which targeted North American academic, medical, and military research institutions by compromising REDCap servers, deploying the INFINITERED malware, and stealing credentials and data. The actor later abused enterprise content compliance rules to silently forward sensitive emails to a threat actor-controlled Gmail account while using strong operational security and proxy infrastructure to stay hidden. #UNC6508 #REDCap #INFINITERED #BebitaBarefoot774gmailcom