#stealer/#Loader
2025-10-16 (Thursday): Unidentified #stealer/#Loader found when searching for URLs that follow patterns previously seen for Koi Loader/Koi Stealer.

Details at github.com/malware-traf...
October 16, 2025 at 5:18 PM
~Paloalto~
PhantomVAI Loader uses phishing and steganography to deliver multiple infostealers like Katz Stealer, AsyncRAT, and XWorm.
-
IOCs: (None identified)
-
#Infostealer #Malware #PhantomVAI #ThreatIntel
PhantomVAI Loader Delivers Infostealers
unit42.paloaltonetworks.com
October 15, 2025 at 4:03 PM
Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery, and malware installation, and delivers MonsterV2, which has capabilities of a RAT, stealer, and loader. www.proofpoint.com/us/blog/thre...
October 14, 2025 at 8:18 AM
TA585 uses MonsterV2 for targeted attacks against financial companies, controlling the entire infection chain with advanced RATs, stealers and loaders.

#ClickFix #LummaStealer #MonsterV2 #Proofpoint #Rhadamanthys #TA585
www.matricedigitale.it/2025/10/14/t...
October 14, 2025 at 7:37 AM
MonsterV2 fast facts:

⚡️ Has capabilities of a remote access trojan (RAT), loader, and stealer

⚡️ Avoids infecting computers in Commonwealth of Independent States (CIS) countries

⚡️ Expensive compared to its peer malware families

⚡️ Used by TA585 and a small number of actors
October 13, 2025 at 8:35 PM
2025-10-10 (Friday): Was looking for Koi Loader/Koi Stealer, and I found this #WebDAV server that hosted malicious Windows shortcut (#LNK) files.

Not sure what type of #malware this is, but it's not Koi Stealer.

Details at github.com/malware-traf...
October 11, 2025 at 1:16 AM
CyberProof reports a spike in DarkCloud Stealer attacks against financial firms in August 2025 via phishing. Samples steal credentials from email and FTP clients and browsers, inject into MSBuild.exe, and use a JPG-embedded loader. www.cyberproof.com/blog/darkclo...
September 15, 2025 at 11:09 AM
~Zscaler~
North Korean-aligned APT37 is using a new Rust-based backdoor (Rustonotto) and a Python loader to deploy the FadeStealer info-stealer.
-
IOCs: Rustonotto, FadeStealer
-
#APT37 #Malware #Rust #ThreatIntel
APT37 Deploys Rust Backdoor & Python Loader
www.zscaler.com
September 8, 2025 at 4:02 PM
⚡️ Careful, Steam! Malware (Hijack Loader, Fickle Stealer, Vidar Stealer) that steals crypto wallets and personal data was found in the game Chemia. 🚨 Early-access games carry a higher risk. 🛡️ Use antivirus software, stay alert when downloading, and keep your crypto assets in hardware wallets!
July 28, 2025 at 5:29 PM
🚨 New update spotted in MonsterV2 malware:
✅ Stealer can now be launched on all or selected bots
⚙️ Loader speed improved
🐞 Bug fix for browser cookie theft on high-handle systems
📌 Rebuild required – expect fresh variants in the wild
#ThreatIntel #Malware #HVNC #Infostealer
July 12, 2025 at 7:15 PM
SHELLTER: a commercial evasion framework used in the wild for info-stealers and advanced loaders, with encryption, polymorphism and anti-EDR techniques on Windows.

#ARECHCLIENT2 #INFOSTEALER #Lumma #Rhadamanthys #SHELLTER
www.matricedigitale.it/2025/07/08/s...
July 8, 2025 at 6:40 AM
🚨 New Stealer Alert: AURA Stealer
Highly modular & stealthy malware targeting over 110 browsers, 70+ apps (incl. wallets & 2FA), and 250+ extensions.
Server-side decryption
Custom shellcode & morpher
Loader included
Cookie theft w/o killing processes
#CyberSecurity #ThreatIntel #Malware #InfoStealer
July 8, 2025 at 5:03 AM
Splunk researchers analyse a malicious Inno Setup installer that leverages Inno Setup's Pascal scripting capabilities to retrieve and execute HijackLoader, a known loader used to evade detection and deliver the final payload - in this case, RedLine Stealer. www.splunk.com/en_us/blog/s...
July 7, 2025 at 11:31 AM
2025-06-26 (Thursday): #LummaStealer ( #Lumma ) infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as #malware. A #pcap of the infection traffic, the associated malware, and IOCs are available at: www.malware-traffic-analysis.net/2025/06/26/i...
June 27, 2025 at 5:22 AM
Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware like Vidar, Lumma & Legion Loader. Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware. www.zscaler.com/blogs/securi...
June 25, 2025 at 9:29 AM
New Octowave Loader sample is leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.
June 24, 2025 at 3:11 AM
MonsterV2 has many capabilities, but seems to function primarily as a stealer and a loader.
June 5, 2025 at 9:07 PM
Cybereason researchers describe an ongoing phishing campaign they have observed that uses a copyright infringement lure to target multimedia professionals from central and eastern Europe to deliver Rhadamanthys stealer. www.cybereason.com/blog/rhadama...
May 23, 2025 at 9:26 AM
2025-05-09 (Friday): #KoiLoader / #KoiStealer activity. Same type of distribution chain and infection characteristics as always.

Example of downloaded zip available at:

- bazaar.abuse.ch/sample/35236...
- tria.ge/250510-a2fw5...
- app.any.run/tasks/3adefb...
May 10, 2025 at 1:10 AM
Slow Pisces, a North Korean hacking group, used LinkedIn to target crypto developers with malicious coding challenges. PDFs linked to malware-laden GitHub repos (RN Loader & RN Stealer), stealing data and credentials. GitHub & LinkedIn removed the threats. #SlowPiscesLinkedInAttack
April 16, 2025 at 6:08 AM
(1/3)
🚨 North Korean APT behind Contagious Interview is back, Now targeting the npm ecosystem. 12 malicious packages like dev-debugger-vite & icloud-cod dropped malware incl. BeaverTail stealer & a new RAT loader. Over 5,600 downloads before takedown.
April 8, 2025 at 12:15 PM
-Chrome rolls out new Rust-based font loader
-CapitalOne hacker to be resentenced
-BlackBasta admin brags about getting state protection
-Rise in ServiceNow exploitation
-New Ox Thief, VanHelsing, and Babuk2 ransomware
-New DollyWay botnet
-RansomHub's new Betruger backdoor
-Arcane Stealer report
March 21, 2025 at 8:32 AM
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️
March 6, 2025 at 10:50 AM
Reverse Engineering and Cataloging Vidar (Info stealer/Loader) www.reddit.com/r/ReverseEng...
Reverse Engineering and Cataloging Vidar (Info stealer/Loader)
www.reddit.com
February 2, 2025 at 4:05 AM
Reverse Engineering and Cataloging Vidar (Info stealer/Loader) : thetrueartist.co.uk/index.php/20...
February 1, 2025 at 7:16 PM