Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

Keenadu is a firmware-level Android backdoor embedded into libandroid_runtime.so and some system apps during the firmware build phase, which injects into the Zygote process to load malicious modules into every app and expose a binder-based malicious system service. The platform delivers encrypted modular payloads (clickers, loaders, monetizers, spyware) via HTTP-based C2 infrastructure and shows links to other large Android botnets including BADBOX and Triada. #Keenadu #BADBOX

Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities

Threat actors created disposable Atlassian Jira Cloud instances and abused Jira Automation and the platform’s trusted atlassian.net email reputation to deliver automated, localized spam and targeted lures to recipients across multiple languages and sectors. The campaigns used integrated email-sending services and Keitaro TDS redirects to funnel victims to investment scams and…

In July 2025 an SEO-poisoning campaign redirected users searching for ManageEngine OpManager to a malicious site (opmanager.pro) that delivered a trojanized MSI installer, which installed Bumblebee and established HTTPS C2 via DGA domains. The actor dumped domain credentials, created privileged accounts, used remote access tools and SSH tunneling for persistence and exfiltration, and ultimately deployed Akira ransomware across parent and child domains. #Bumblebee #Akira

SolarWinds Web Help Desk Exploitation – February 2026 — Elastic Security Labs

Microsoft and others reported exploitation of Internet-facing SolarWinds Web Help Desk servers that enabled multi-stage intrusions beginning in December 2025, involving remote MSI installations, abuse of RMM tooling, and credential dumping. Elastic and Microsoft observed use of legitimate tools (Velociraptor, Cloudflared, QEMU) for persistence and tunneling, and Elastic published detection and prevention rules to detect the activity. #SolarWindsWHD #Velociraptor

The intrusion began with a valid RDP login using pre-compromised credentials and progressed through rapid discovery, lateral movement, and persistent account creation before data exfiltration and a final ransomware deployment. The actor exfiltrated archives to temp.sh and deployed Lynx ransomware, leveraging infrastructure tied to Railnet LLC/Virtualine. #Lynx #RailnetLLC

Adaptive Phishing Analysis: Spoofing and Exfiltration via Telegram

The article analyzes an adaptive phishing email that spoofed an internal sender and delivered an active HTML attachment that emulated a login page to harvest credentials. The stolen credentials and contextual metadata (public IP, hostname, timestamp) were exfiltrated to an attacker-controlled Telegram bot using the Telegram Bot API. #TelegramBotAPI #DMARC

Cato CTRL™ Threat Research: Foxveil – New Malware Loader Abusing Cloudflare, Discord, and Netlify as Staging Infrastructure

Foxveil is a newly identified initial-stage loader active since August 2025 that retrieves Donut-generated shellcode from trusted hosting platforms (Cloudflare Pages, Netlify) and occasionally Discord attachments, operating in two variants with different injection and persistence techniques. It uses in-memory injection (Early Bird APC in v1, self-injection in v2), service/SysWOW64-based persistence, and a runtime string-mutation routine to frustrate analysis; Cato’s SASE platform blocks the loader before staged payloads execute. #Foxveil #Cloudflare

Threats to the Defense Industrial Base | Google Cloud Blog

The defense industrial base faces sustained, multi-vector cyber threats from state-sponsored groups and hacktivists targeting personnel, supply chains, edge devices, and battlefield technologies such as UAS and secure messaging apps. Notable tactics include phishing and job-themed lures, exploitation of edge device zero-days, mobile malware, supply-chain compromises, and hack-and-leak or DDoS operations by pro-Russia and pro-Iran hacktivists. #UNC5221 #CANFAIL

The Security Implications of OpenClaw and Autonomous AI Agents

OpenClaw is an agentic AI platform that runs locally with deep system access and an extensible third‑party “skill” ecosystem, enabling file management, workflow automation, and direct shell command execution. Security researchers have identified widespread malicious skills (notably the ClawHavoc campaign) and critical vulnerabilities such as CVE-2026-25253 that enable credential theft, data exfiltration, and remote code execution, prompting mitigations like VirusTotal scanning, Clawdex detection, and blocking via Iru. #OpenClaw #ClawHavoc

OpenClaw: Hits the ground running, with security lagging behind

OpenClaw is an open-source agentic AI that links multiple actions to automate tasks like booking tickets, processing emails, and sending messages, and it can be extended via user-created “skills” and external LLMs such as ChatGPT and Claude. Because much of its code was generated by AI and remains largely unreviewed, malicious skills (including infostealers and prompt-injection attacks), excessive token consumption, and the need to grant broad access (sometimes admin-level) create significant security and financial risks—projects now cooperate with VirusTotal to scan for malicious skills. #OpenClaw #VirusTotal

BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign — Elastic Security Labs

Elastic Security Labs observed a large-scale, coordinated SEO poisoning campaign (REF4033) that has compromised over 1,800 Windows IIS servers worldwide by deploying a malicious IIS module called BADIIS to inject SEO backlinks and redirect users to illicit gambling and cryptocurrency phishing sites. The intrusion chain included a webshell, rapid escalation to create an administrative account and a persistent WalletServiceInfo Windows service that loads a ServiceDLL to install BADIIS modules and modify IIS configuration. #BADIIS #REF4033

DomainTools Investigations | Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign

Investigators determined the Notepad++ update mechanism (WinGUp/GUP.exe) was subverted for roughly six months to selectively deliver trojanized installers to a narrow set of high-value targets without modifying the project’s source code. The operation is attributed with moderate–high confidence to the China-aligned espionage cluster Lotus Blossom, which deployed bespoke implants (notably Chrysalis), DLL sideloading, and API-style HTTPS C2 to enable long-term intelligence collection. #LotusBlossom #Chrysalis

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems

Acronis TRU analyzed LockBit 5.0, a cross‑platform ransomware family (Windows, Linux, ESXi) that uses XChaCha20 and Curve25519 encryption, random per‑file extensions, and shared execution/encryption logic while applying extensive defense‑evasion techniques on Windows. The report also links LockBit infrastructure to a SmokeLoader‑associated IP and documents double‑extortion exfiltration and enterprise/virtualization targeting (including Proxmox and ESXi). #LockBit #SmokeLoader

Mispadu Phishing Malware Baseline: Delivery Chains, Capabilities, and Common Campaigns

Mispadu is a long-standing Latin American banking Trojan that has surged in use since 2019 and is now primarily delivered via dynamically generated HTA→JS→VBS chains often embedded in password-protected PDFs and executed with a legitimate AutoIT interpreter to evade detection. The single APT group behind Mispadu (tracked as TA2725/Malteiro/Manipulated Caiman) has added self-propagation via Outlook contacts, geofencing, advanced obfuscation, and credential theft capabilities while primarily targeting Spanish-speaking countries such as Mexico and Brazil. #Mispadu #TA2725

Copilot Studio agent security: Top 10 risks you can detect and prevent

Organizations rapidly adopt Copilot Studio agents but misconfigurations—broad sharing, unauthenticated access, unsafe HTTP requests, author authentication, hard‑coded credentials, unmanaged MCP tools, missing orchestration instructions, dormant or orphaned agents, and email-capable actions—create new identity and data‑access paths that traditional controls don’t monitor. Microsoft Defender Security Research provides ten detection-focused scenarios with Advanced Hunting queries and a mitigation playbook emphasizing ownership, least privilege, enforced authentication, hardened orchestration, and secret management to help teams find and fix these risks early. #CopilotStudio #MicrosoftDefender
