Virus Bulletin
virusbtn.bsky.social
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Pinned
🚨 Important Date Change for VB2026!

VB2026 will now take place 14–16 October 2026, at the already announced venue, the Barceló Sevilla Renacimiento in Seville, Spain.

We appreciate your understanding and look forward to welcoming you in October for another memorable VB Conference.
Recorded Future's Insikt Group look into recent PurpleBravo activity. PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign. www.recordedfuture.com/research/pur...
January 23, 2026 at 10:11 AM
Check Point Research is tracking a phishing campaign linked to a North Korea–aligned threat actor known as KONNI. The attackers deploy an AI-generated PowerShell backdoor, highlighting the growing use of AI by threat actors. research.checkpoint.com/2026/konni-t...
January 23, 2026 at 10:09 AM
eSentire Threat Response Unit identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate India's Income Tax department. www.esentire.com/blog/weaponi...
January 23, 2026 at 10:08 AM
Trend Micro's Don Ovid Ladores, Yuya Sato & Yosuke Akiho provide an analysis of a software supply chain compromise involving EmEditor. A compromised installer was used to deliver multistage malware that performs a range of malicious actions. www.trendmicro.com/en_us/resear...
January 23, 2026 at 10:05 AM
🔊 The Call for Papers is now open for VB2026!

We're looking for engaging, insightful, and original talks for the 36th Virus Bulletin International Conference, taking place 14–16 October 2026 in Seville, Spain.

📅 Deadline: 9 April 2026
📝 Submit your abstract: www.virusbulletin.com/conference/v...
January 22, 2026 at 2:02 PM
Expel's Aaron Walto shows how Gootloader uses a deliberately malformed ZIP archive to bypass detection. The ZIP is correctly extracted by the default tool built into Windows systems but not by specialized tools like 7zip and WinRAR. expel.com/blog/gootloa...
January 22, 2026 at 1:58 PM
Fortinet researchers identified a multi-stage malware campaign that escalates into a full-system compromise that includes security-control bypass, surveillance, system restriction, deployment of Amnesia RAT, and ransomware delivery. www.fortinet.com/blog/threat-...
January 22, 2026 at 1:56 PM
Expel's Marcus Hutchins details recently updated techniques used in the ClearFake malware campaign: the campaign has adopted much more evasive tactics such as leveraging Proxy Execution to run PowerShell commands via a trusted Windows feature. expel.com/blog/clearfa...
January 22, 2026 at 1:54 PM
Reposted by Virus Bulletin
LLM security benchmarks look impressive. They’re also misleading.

@sentinellabs.bsky.social found that today’s LLM security benchmarks don’t measure real security work. 🧵

Read the full report: s1.ai/benchmk1
LLMs in the SOC (Part 1) | Why Benchmarks Fail Security Operations Teams
LLM cybersecurity benchmarks fail to measure what defenders need: faster detection, reduced containment time, and better decisions under pressure.
s1.ai
January 20, 2026 at 10:14 PM
Reposted by Virus Bulletin
Excellent and very detailed write-up by Resident.NGO of a layer 7 DDoS attack against a Belarusian investigative journalism outlet resident.ngo/lab/writeups...
Forensic Analysis Report of a DDoS Attack on a Belarusian Investigative Center Website 2026 - RESIDENT.NGO THREAT LAB
RESIDENT.NGO helped mitigate a significant 12-hour DDoS attack involving a botnet of approximately 245,000 unique IP addresses targeting https://investigatebel.org/, the website of the Belarusian Inve...
resident.ngo
January 20, 2026 at 10:37 AM
Check Point Research believes a new era of AI-generated malware has begun: VoidLink is the first evidently documented case of this era, an advanced malware framework authored almost entirely by AI, likely under the direction of a single individual. research.checkpoint.com/2026/voidlin...
January 21, 2026 at 10:35 AM
Infoblox researchers managed to snoop on the communications of an affiliate advertising push notification system whose DNS records were left misconfigured, allowing the researchers to receive a copy of every ad they sent victims, along with recorded metrics. www.infoblox.com/blog/threat-...
January 21, 2026 at 10:33 AM
Jamf Threat Labs has identified another evolution in the Contagious Interview campaign. In this campaign, infection begins when a victim clones and opens a malicious Git repository in Visual Studio Code. www.jamf.com/blog/threat-...
January 21, 2026 at 10:29 AM
Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina’s judicial sector. The campaign leverages a multi-stage infection chain to deploy a stealthy remote access trojan. www.seqrite.com/blog/operati...
January 20, 2026 at 11:32 AM
Fortinet researchers found a phishing campaign delivering a new variant of Remcos, a commercial lightweight remote access tool with a wide range of capabilities, including system resource management, remote surveillance, network management & Remcos agent management. www.fortinet.com/blog/threat-...
January 20, 2026 at 11:31 AM
Reposted by Virus Bulletin
2026-01-19 (Monday): Catching up on two infections in my lab from last week, and I added an entry with a #pcap of scans and probes and web traffic hitting my web server. Feel free to check out my latest posts at www.malware-traffic-analysis.net/2026/index.h...

Or not. I'm not the boss of you.
January 20, 2026 at 3:41 AM
The Seqrite Labs APT Team looks into Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government employees. www.seqrite.com/blog/operati...
January 20, 2026 at 11:28 AM
Swiss Post Cybersecurity researcher Louis Schürmann describes the complete attack chain in a PURELOGS stealer campaign, from the initial use of legitimate infrastructure to the final data exfiltration. www.swisspost-cybersecurity.ch/news/purelog...
January 20, 2026 at 11:25 AM
Trend Micro researchers analyse a multi-stage campaign delivering the Evelyn information stealer, which was used to target software developers. www.trendmicro.com/en_us/resear...
January 19, 2026 at 9:58 AM
Huntress researchers Anna Pham, Tanner Filip & Dani Lopez look into a new ClickFix variant dubbed “CrashFix” that intentionally crashes the browser then baits users into running malicious commands, and ModeloRAT. www.huntress.com/blog/malicio...
January 19, 2026 at 9:56 AM
Sophos MDR teams recently identified a malvertising campaign distributing an infostealer dubbed TamperedChef – believed to be part of a wider campaign known as EvilAI. The majority of victims affected by this campaign are in Germany, the UK & France. www.sophos.com/en-us/blog/t...
January 19, 2026 at 9:54 AM
Genians researchers analyse Operation Poseidon from the Konni APT. The threat actor bypasses security filtering and user boundaries through spear phishing campaigns disguised as advertising URLs that lead to EndRAT malware. www.genians.co.kr/blog/threat_...
January 19, 2026 at 9:52 AM
Reposted by Virus Bulletin
🚨 New from the Socket Threat Research Team: 5 coordinated Chrome extensions hijack sessions and block security controls in enterprise HR and ERP platforms like Workday and NetSuite.

Full report → socket.dev/blog/5-malic... #CyberSecurity #EnterpriseSecurity
5 Malicious Chrome Extensions Enable Session Hijacking in En...
Five coordinated Chrome extensions enable session hijacking and block security controls across enterprise HR and ERP platforms.
socket.dev
January 15, 2026 at 8:58 PM
Reposted by Virus Bulletin
Why does “powershell” get blocked — but “power” + “shell” gets through?
Why can a nonsense suffix like “::sda_!!” hijack a model’s attention?

It’s not magic — it’s math. We trace the LLM attack surface from tokenization to attention. s1.ai/inside-llm-1
Inside the LLM | Understanding AI & the Mechanics of Modern Attacks
Learn how attackers exploit tokenization, embeddings and LLM attention mechanisms to bypass LLM security filters and hijack model behavior.
s1.ai
January 15, 2026 at 4:35 PM