MalWhere?
@malwhere.bsky.social
👨‍💻APT Insights
🕵️‍♂️Tracking Cyber-Espionage Threats
💻Uncovering the Dark Side of the Digital World
👇Latest Threat Analysis & Updates
Ukraine’s Defense Forces officials were targeted in a charity-themed malware campaign (Oct–Dec 2025) delivering a new backdoor called PluggyApe. CERT-UA links the activity (medium confidence) to Russian-linked actors Void Blizzard / Laundry Bear.
#CyberSecurity #Ukraine #APT #ThreatIntel
January 14, 2026 at 10:11 AM
Researchers identified a malware campaign named SHADOW#REACTOR that delivers Remcos RAT through a multi-stage attack chain.
The activity targets enterprise and small-to-medium business environments using built-in Windows components.
#Cybersecurity #Malware #ThreatIntel
January 13, 2026 at 2:04 PM
🚨The ransomware group “TheGentlemen” has reportedly targeted industrial firm Systherm Grupa, according to ThreatMon intel. Detected on Jan 7, 2026, the attack adds another high-profile victim to the group’s growing ransomware campaign.
#Cybersecurity #Ransomware #TheGentlemen
January 8, 2026 at 9:18 AM
🚨A threat actor known as Zestix is selling stolen corporate data from dozens of organizations, allegedly breached via ShareFile, Nextcloud, and ownCloud instances. Access is believed to stem from stolen employee credentials, not software exploits.
#Cybersecurity #DataBreach #ThreatIntel #Zestix
January 7, 2026 at 12:27 PM
The Kimwolf botnet has infected 2M+ Android devices, abusing residential proxy networks to spread malware and power large-scale DDoS attacks, according to Synthient. Active since at least Aug 2025, it’s linked to record-setting attacks late last year.
#Cybersecurity #Botnet #Android
January 6, 2026 at 1:25 PM
🚨 A fourth wave of the GlassWorm malware is targeting macOS developers, spreading via malicious VSCode/OpenVSX extensions. This time, the campaign focuses on trojanized crypto wallets and developer credentials.
#CyberSecurity #Malware #macOS #SupplyChainAttack
January 2, 2026 at 3:16 PM
Silver Fox, a China-linked cybercrime group, is targeting Indian users with income tax–themed phishing emails to deliver ValleyRAT (aka Winos 4.0). The modular RAT enables espionage, financial theft, and long-term persistence via DLL sideloading.
#CyberSecurity #Malware #Phishing #India
December 30, 2025 at 4:55 PM
Darktrace has linked a newly observed BeaverTail malware variant to North Korean (DPRK) threat clusters tied to the Lazarus Group. Targets include crypto traders, developers, and retail employees—pointing to both financial theft and espionage. #CyberSecurity #DPRK #LazarusGroup #Malware
December 23, 2025 at 10:30 AM
🚨 A malicious NPM package named lotusbail poses as a legitimate WhatsApp Web API library, allowing attackers to secretly steal messages, credentials, contacts & media, all while delivering fully functional code.
#CyberSecurity #NPM #Malware
December 22, 2025 at 5:00 PM
GhostPairing campaign hijacks WhatsApp accounts by abusing the legitimate device-linking feature. Victims are tricked into pairing an attacker’s browser—no password or MFA bypass required—granting full access to chats and media.
#WhatsApp #CyberSecurity #AccountTakeover #Phishing
December 19, 2025 at 12:39 PM
🚨A campaign dubbed GhostPoster hid malicious JavaScript inside the image logos of Firefox extensions—using steganography—to spy on users and plant a backdoor. Over 50,000 downloads across popular add-ons like VPNs, translators, and utilities.
#CyberSecurity #BrowserSecurity #Malware #GhostPoster
December 17, 2025 at 9:19 AM
A new phishing kit called Spiderman is mimicking European banking and crypto platforms with pixel-perfect fake sites. It captures logins, 2FA codes, credit card data, and even crypto wallet seed phrases—putting major institutions and users at risk.
#CyberSecurity #Phishing #InfoSec #BankingSecurity
December 11, 2025 at 10:46 AM
ShadyPanda is a long-running malware operation hiding inside 145 Chrome & Edge extensions—amassing 4.3M+ installs. First appearing legit, these extensions evolved into spyware delivering affiliate fraud, search hijacking & data theft.
#CyberSecurity #InfoSec #Malware #BrowserSecurity #ThreatIntel
December 8, 2025 at 11:05 AM
Space Bears is emerging as a major ransomware threat. The group allegedly targeted Quasar Inc, stealing sensitive city communication designs—showing a shift toward high-value, infrastructure-linked data.
#SpaceBears #Ransomware #Cybersecurity #ThreatIntel
December 4, 2025 at 9:43 AM
Glassworm malware is back for a third wave, adding 24 new malicious packages to the VS Marketplace & OpenVSX. The campaign hides code with invisible Unicode, steals GitHub/npm/OpenVSX creds & crypto data, and deploys SOCKS proxies + HVNC. #cybersecurity #infosec #malware
December 3, 2025 at 9:08 AM
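Editor's added example (not part of the MalWhere? post, and not GlassWorm's own code): the post says the campaign hides code with invisible Unicode. The scanner below flags format characters (Unicode category Cf), variation selectors and visually blank Hangul fillers in source text, and the small encoder/decoder pair shows why the 256 variation selectors are attractive for this: they map one-to-one onto byte values. The exact byte-to-selector mapping and the sample file are assumptions constructed for illustration.

```python
"""Find invisible Unicode in source files and show how variation selectors carry bytes.

Added example; not code from the post or the GlassWorm campaign. The list of
non-Cf invisible ranges and the byte-to-selector mapping are the editor's assumptions.
"""
import unicodedata
from dataclasses import dataclass

# Code points that render as nothing but are not category Cf (assumed list).
_EXTRA_INVISIBLE = [
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16 (category Mn)
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256 (Mn)
    (0x115F, 0x1160),    # Hangul choseong/jungseong fillers (Lo)
    (0x3164, 0x3164),    # Hangul filler (Lo)
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler (Lo)
]


@dataclass(frozen=True)
class Finding:
    line: int
    col: int
    codepoint: int
    name: str


def is_invisible(ch: str) -> bool:
    """True for format characters and the extra invisible ranges above."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":
        return True
    return any(lo <= cp <= hi for lo, hi in _EXTRA_INVISIBLE)


def scan_source(text: str) -> list[Finding]:
    """Return every invisible code point with its 1-based line and column.
    A byte-order mark as the very first character is tolerated as legitimate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ord(ch) == 0xFEFF:
                continue
            if is_invisible(ch):
                findings.append(Finding(lineno, col, ord(ch),
                                        unicodedata.name(ch, "<unnamed>")))
    return findings


def encode_variation_selectors(payload: bytes) -> str:
    """Assumed mapping: bytes 0x00-0x0F -> VS1-VS16, 0x10-0xFF -> VS17-VS256."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)
                   for b in payload)


def decode_variation_selectors(text: str) -> bytes:
    """Inverse of encode_variation_selectors; every other character is ignored."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


# Constructed sample "extension source": one zero-width space, one hidden payload.
SAMPLE = (
    "const a = 1;\n"
    "const b = 'x';\u200b // zero width space after the semicolon\n"
    "// the next line hides two bytes in variation selectors\n"
    "let s = ''" + encode_variation_selectors(b"hi") + ";\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line} col {f.col}: U+{f.codepoint:04X} {f.name}")
    print("hidden payload:", decode_variation_selectors(SAMPLE))
```

Run it over an extension's JavaScript before installing; any hit outside string literals that legitimately need emoji modifiers deserves a look, and a long run of selectors next to an empty string is the pattern the post describes.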
(1/3)
🚨 Hackers exploited a critical flaw in Gladinet’s Triofox (#CVE202512480), using the built-in antivirus feature for remote code execution with SYSTEM privileges. The auth bypass was caused by spoofing “localhost” in HTTP headers. #CyberSecurity #Infosec #RCE #Triofox
November 12, 2025 at 1:11 PM
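Editor's added example (not part of the post and not Triofox's code): the post attributes the auth bypass to spoofing "localhost" in HTTP headers, which is a general bug class: deciding that a request is "local" from a header the client controls instead of from the TCP peer address. The vulnerable and hardened checks below illustrate the class, and the log-hunting helper lists requests that claimed a local host but came from a non-loopback peer. Which header Triofox consulted is not stated in the post; the Host header, the field names and the sample log are assumptions.

```python
"""Trusting a client-supplied header for a 'local only' decision versus using the peer address.

Added example by the editor; not Triofox code. The Host header, record fields and
sample traffic are assumptions for illustration.
"""
import ipaddress

LOCAL_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def _host_only(value: str) -> str:
    """Drop a trailing :port, keeping IPv6 brackets intact."""
    if value.startswith("["):
        return value.split("]")[0] + "]"
    return value.split(":")[0]


def is_local_request_vulnerable(headers: dict[str, str]) -> bool:
    """Weak: the Host header is fully attacker-controlled, so a remote client
    that sends 'Host: localhost' passes as local."""
    return _host_only(headers.get("Host", "")).lower() in LOCAL_NAMES


def is_local_request_hardened(headers: dict[str, str], peer_ip: str) -> bool:
    """Hardened: only the socket peer address decides. Headers are ignored here;
    behind a reverse proxy, the proxy must enforce the rule itself, or a forwarding
    header may be honoured only when the peer is the proxy's own address."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def find_spoofed_local_requests(access_log: list[dict[str, str]]) -> list[dict[str, str]]:
    """Hunting helper: records whose Host claims local but whose peer is not loopback.
    Assumes each record has 'peer', 'host' and 'path' keys."""
    return [r for r in access_log
            if _host_only(r["host"]).lower() in LOCAL_NAMES
            and not is_local_request_hardened({}, r["peer"])]


# Constructed sample data (not real traffic).
REMOTE_SPOOF = {"Host": "localhost", "User-Agent": "curl/8.0"}
GENUINE_LOCAL_PEER = "127.0.0.1"
REMOTE_PEER = "203.0.113.7"

SAMPLE_LOG = [
    {"peer": "127.0.0.1", "host": "localhost", "path": "/setup"},
    {"peer": "203.0.113.7", "host": "localhost", "path": "/setup"},
    {"peer": "203.0.113.9", "host": "files.example.test", "path": "/login"},
    {"peer": "198.51.100.4", "host": "127.0.0.1:443", "path": "/setup"},
]

if __name__ == "__main__":
    print("vulnerable check on spoofed remote request:",
          is_local_request_vulnerable(REMOTE_SPOOF))
    print("hardened check on the same request from", REMOTE_PEER, ":",
          is_local_request_hardened(REMOTE_SPOOF, REMOTE_PEER))
    for r in find_spoofed_local_requests(SAMPLE_LOG):
        print("suspicious:", r)
```

The same hunt can be run over real web server logs wherever the Host header is logged alongside the client address; a Host value of localhost or a loopback IP from a routable peer is not something a browser produces on its own.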
A new wave of malvertising is putting millions at risk. Since June 2025, the Rhysida ransomware gang has been using fake ads for popular tools like PuTTY, Teams & Zoom to spread the OysterLoader malware — hitting users & orgs with precision.
#CyberSecurity #Malware #Ransomware #Infosec
November 4, 2025 at 11:03 AM
GhostCall & GhostHire — two ongoing campaigns tied to North Korea’s Lazarus sub-cluster BlueNoroff, part of the long-running SnatchCrypto operation. They target Web3 and blockchain professionals via Telegram lures posing as investors or recruiters.
#CyberEspionage #APT38 #Web3Threats
October 30, 2025 at 11:26 AM
1/3
🚨 Pakistan-linked Transparent Tribe (APT36) is targeting Indian gov’t entities with phishing lures delivering DeskRAT, a Golang-based backdoor. Malicious ZIPs deploy fake “CDS Directive” PDFs to hide infection activity. #APT36 #CyberEspionage #DeskRAT
October 27, 2025 at 8:52 AM
Russian state-backed hackers Star Blizzard (aka #ColdRiver / Callisto / UNC4057) have ramped up ops, unleashing new malware — NOROBOT, YESROBOT, MAYBEROBOT — via ClickFix CAPTCHA-style lures. Victims think they’re proving they’re human — but end up running code. #CyberSecurity #APT
October 22, 2025 at 10:14 AM
🚨 OtterCandy, a new cross-platform malware from the WaterPlum Cluster B threat group, is turning heads across the cybersecurity world.
It infiltrates Windows, macOS, and Linux, stealing browser data, crypto wallets, and sensitive files with surgical precision.
#CyberSecurity #ThreatIntel #OtterCandy
October 20, 2025 at 8:50 AM
🚨 A suspected Chinese state-backed hacking group, likely Flax Typhoon, remained hidden in a target’s network for over a year by turning a component of Esri’s ArcGIS mapping tool into a stealthy web shell.
#CyberSecurity #ThreatIntel #APT #China #FlaxTyphoon
October 14, 2025 at 12:59 PM
🚨Threat group Storm-2603 (aka Gold Salem) is exploiting the open-source DFIR tool Velociraptor in ransomware attacks using strains like Warlock and LockBit.
Attackers use it for recon, lateral movement, and data theft — blending in with legitimate activity.
#CyberSecurity #ThreatIntel
October 13, 2025 at 10:37 AM
Threat group Crimson Collective has been targeting AWS cloud environments to steal data and extort companies.
They’ve claimed responsibility for the Red Hat breach, saying they exfiltrated 570GB from thousands of private GitLab repos — and demanded ransom.
#CyberSecurity #ThreatIntel #Ransomware
October 9, 2025 at 2:54 PM
🚨Microsoft warns affiliates of the Medusa ransomware RaaS are exploiting a critical GoAnywhere MFT flaw (CVE-2025-10035) to deploy crypto-locking malware. The bug allows command injection via forged license signatures. #ransomware #Medusa #infosec #CVE202510035 #GoAnywhere
October 8, 2025 at 8:33 AM