Cisco Talos reports UAT-9244 targeting critical telecommunications infrastructure in South America with three new malware implants: TernDoor is a CrowDoor variant, PeerTime is an ELF backdoor using BitTorrent, and BruteEntry is a brute-force scanner. blog.talosintelligence.com/uat-9244/
06.03.2026 10:01
Cyble CRIL reports on ClipXDaemon, a new Linux X11 clipboard hijacker delivered via a loader previously tied to ShadowHS. It skips C2 entirely and monetizes directly by swapping copied cryptocurrency wallet addresses in real time. cyble.com/blog/clipxda...
06.03.2026 09:57
The Microsoft Defender Security Research Team warns that fake AI assistant browser extensions can quietly collect full URLs, chat histories and browsing data from tools like ChatGPT and DeepSeek. www.microsoft.com/en-us/securi...
06.03.2026 09:54
Huntress investigates malicious GitHub repositories posing as OpenClaw installers that were available between 2 and 10 February 2026. Following the install steps delivered info-stealers and GhostSocks on Windows, and Atomic macOS Stealer on macOS. www.huntress.com/blog/opencla...
05.03.2026 09:49
Elastic Security Labs launches a two-part series on Linux rootkits, starting with the fundamentals. Part one maps rootkit taxonomy, traces their evolution, and breaks down common hooking techniques. www.elastic.co/security-lab...
05.03.2026 09:46
Trend Micro researchers detail BoryptGrab, a newly identified stealer spread via SEO-driven public GitHub repositories & deceptive GitHub pages. BoryptGrab harvests browser data, cryptocurrency wallet information, system details, and messaging app tokens. www.trendmicro.com/en_us/resear...
05.03.2026 09:45
Microsoft describes how a global coalition disrupted Tycoon 2FA, a phishing-as-a-service platform behind tens of millions of fraudulent emails reaching more than 500,000 organizations each month. blogs.microsoft.com/on-the-issue...
05.03.2026 09:43
Palo Alto Networks Unit42 researchers report web-based indirect prompt injection being used in the wild, where hidden instructions on web pages hijack LLM summarization and content analysis workflows. unit42.paloaltonetworks.com/ai-agent-pro...
04.03.2026 09:39
Microsoft Defender Experts uncovered phishing campaigns abusing workplace meeting lures & PDFs to deliver signed malware. The fake installers impersonate common apps, then drop legitimate RMM tooling to establish persistent access & enable lateral movement. www.microsoft.com/en-us/securi...
04.03.2026 09:37
CloudSEK warns of a mobile trojan campaign impersonating Israel's "Red Alert" emergency alert app. Distribution via SMS spoofing sidesteps the official app store, tricking users into sideloading an app that can exfiltrate SMS, contacts and location data. www.cloudsek.com/blog/redaler...
04.03.2026 09:36
Zscaler ThreatLabz reports Dust Specter APT activity in January 2026 targeting Iraqi government officials. Two attack chains deploy previously undocumented tools including SPLITDROP, TWINTASK, TWINTALK and the GHOSTFORM RAT. www.zscaler.com/blogs/securi...
04.03.2026 09:34
Qi'anxin XLab reports the return of Funnull, the group behind the 2024 Polyfill.io supply-chain incident & CDN poisoning involving BootCDN, Bootcss & Staticfile. Now it runs its own server-side framework, compromising CDN nodes & operating its own infrastructure. blog.xlab.qianxin.com/funnull-resu...
03.03.2026 09:46
Arctic Wolf Labs tracks SloppyLemming, an India-nexus espionage actor targeting Pakistan and Bangladesh. The report details two attack chains: PDF-driven sideloading that deploys BurrowShell and an Excel macro chain that delivers a Rust-based keylogger. arcticwolf.com/resources/bl...
03.03.2026 09:40
Microsoft Defender researchers observed phishing campaigns abusing legitimate OAuth redirection to evade common email and browser defences, turning trusted Entra ID and Google Workspace links into a path to attacker-controlled landing pages. www.microsoft.com/en-us/securi...
03.03.2026 09:36
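The Microsoft post above describes sign-in links that start at a legitimate identity provider and end on an attacker-controlled page. The check an e-mail security team would want is simple: for every link whose host is a trusted IdP, pull out the post-login destination and compare it with an allowlist. The script below is an added example, not code from the Microsoft report; the allowlist, the set of redirect parameter names and the sample links (including the `attacker.example` hosts) are constructed for illustration.

```python
"""Triage OAuth sign-in links pulled from e-mail: which identity provider is used,
and where does the flow land afterwards? Added example; sample links are constructed."""
from urllib.parse import urlparse, parse_qs

# Identity-provider hosts named in the post.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Post-authentication destinations this tenant expects (assumed allowlist).
TRUSTED_REDIRECT_HOSTS = {"myapps.microsoft.com", "mail.google.com", "portal.example.com"}
# Query parameters that carry a post-login destination: Entra uses redirect_uri,
# Google sign-in uses continue; the others are common app-level names (assumption).
REDIRECT_PARAMS = ("redirect_uri", "continue", "redirect", "next", "post_logout_redirect_uri")


def classify_link(url: str) -> dict:
    """Return the IdP host, the redirect host and a verdict for one link."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)           # parse_qs URL-decodes the nested URL for us
    info = {"url": url, "idp_host": host, "redirect_host": None, "verdict": "not_idp_link"}
    if host not in IDP_HOSTS:
        return info
    for name in REDIRECT_PARAMS:
        if name in query:
            target = urlparse(query[name][0])
            info["redirect_host"] = (target.hostname or "").lower()
            break
    if info["redirect_host"] is None:
        info["verdict"] = "idp_link_without_redirect"
    elif info["redirect_host"] in TRUSTED_REDIRECT_HOSTS:
        info["verdict"] = "trusted_redirect"
    else:
        info["verdict"] = "suspicious_redirect"   # trusted IdP, untrusted landing page
    return info


def suspicious_links(urls) -> list:
    """Keep only links that ride a trusted IdP to an untrusted destination."""
    return [c for c in map(classify_link, urls) if c["verdict"] == "suspicious_redirect"]


# Constructed sample links (not indicators from the Microsoft report).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fsecure-docs.attacker.example%2Fsignin",
    "https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F",
    "https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fdrive-share.attacker.example%2F",
    "https://example.com/newsletter",
]

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_LINKS):
        print(f"{hit['idp_host']} -> {hit['redirect_host']}: {hit['verdict']}")
```

Reputation-based URL filtering passes these links because the visible host is the IdP; the destination is only in the query string, which is why the check has to parse it rather than look at the domain.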
Zscaler ThreatLabz details Ruby Jumper, an APT37-linked campaign that uses newly discovered tooling and a Ruby-based shellcode loader. The report also examines how Ruby Jumper leverages removable media to infect air-gapped hosts. www.zscaler.com/blogs/securi...
02.03.2026 10:17
Intrinsec profiles AuraStealer, an emerging infostealer promoted by Russian-speaking operators since July 2025. The report maps 48 C2 domains shifting from .shop to .cfd, and shares 340+ IOCs. www.intrinsec.com/analysis-of-...
02.03.2026 10:15
G DATA tracks HijackLoader distribution via PiviGames, a well-known Spanish pirated-games site. Visitors are redirected via a malvertising-style chain to download a password-protected ZIP, where a launcher sideloads HijackLoader. blog.gdatasoftware.com/2026/02/3837...
27.02.2026 10:23
Malwarebytes tracks a fake Zoom "update" scam that installs Teramind on Windows. After one domain takedown, researchers found a parallel Google Meet impersonation running on fresh infrastructure, showing the operation is still active and scaling. www.malwarebytes.com/blog/threat-...
27.02.2026 10:21
ENKI details the DPRK-nexus Contagious Interview campaign. ENKI found GitHub malware that weaponises VS Code tasks to auto-execute payloads when a repo is opened, delivering BeaverTail, InvisibleFerret & OtterCookie, with signs of LLM-assisted code and new C2 mapping. www.enki.co.kr/en/media-cen...
27.02.2026 10:18
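The ENKI post above mentions repositories that weaponise VS Code tasks so a payload runs as soon as the folder is opened. The mechanism is the `runOptions.runOn: "folderOpen"` setting in `.vscode/tasks.json`, so a repository you are about to clone or review can be checked for it before anyone opens it in the editor. The scanner below is an added example, not ENKI's code; the sample `tasks.json` and the `.vscode/setup.js` script name in it are constructed placeholders, not indicators from the report, and the comment stripping is a simplification of VS Code's JSON-with-comments parsing.

```python
"""Find VS Code tasks that run automatically when a folder is opened.
Added example; the sample tasks.json below is constructed."""
import json
import os
import re
import tempfile

AUTO_RUN = "folderOpen"   # runOptions.runOn value that makes VS Code start the task on open


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop /* */ blocks and full-line // comments (simplified)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return text


def find_auto_tasks(tasks_json: str) -> list:
    """Return every task whose runOn is folderOpen, with its flattened command line."""
    data = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN:
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        hits.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": " ".join(p for p in parts if p),
        })
    return hits


def scan_repo(root: str) -> list:
    """Walk a checkout and report auto-run tasks from any .vscode/tasks.json."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                for hit in find_auto_tasks(fh.read()):
                    hit["path"] = os.path.relpath(path, root)
                    findings.append(hit)
    return findings


# Constructed tasks.json: one ordinary build task and one that fires on folder open.
# The script path is a placeholder, not an indicator from the ENKI report.
SAMPLE_TASKS_JSON = r"""{
  // VS Code tasks
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build" },
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "node",
      "args": [".vscode/setup.js"],
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""


def demo() -> list:
    """Write the sample into a temporary repo layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: task '{f['label']}' runs on folder open -> {f['command']}")
```

VS Code only starts `folderOpen` tasks in a trusted workspace where automatic tasks are allowed, so the lure has to get the target to click through the trust prompt; `"presentation": {"reveal": "never"}`, as in the sample, keeps the terminal hidden once it does run.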
Cisco Talos discovered UAT-10027 targeting US education and healthcare sectors with a new backdoor dubbed Dohdoor. It uses DNS-over-HTTPS for stealthy C2, abuses legitimate Windows executables for sideloading, and can download & execute additional payloads. blog.talosintelligence.com/new-dohdoor-...
27.02.2026 10:05
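The Talos post above says Dohdoor hides its C2 inside DNS-over-HTTPS. DoH traffic to a public resolver looks like ordinary HTTPS, but when the client uses the RFC 8484 GET form the query itself sits in the URL as a base64url-encoded DNS message, so a proxy log is enough to recover the name being asked for. The decoder and heuristics below are an added example, not Talos code or Dohdoor indicators: the post does not say which HTTP method, resolver or record type the backdoor uses, so the resolver allowlist, the TXT-record and long-label rules, and the log lines are all constructed assumptions.

```python
"""Decode DNS-over-HTTPS GET requests (RFC 8484) found in proxy logs and flag
ones that look like tunnelled C2. Added example; log lines are constructed."""
import base64
import struct
from urllib.parse import urlparse, parse_qs

TXT = 16
APPROVED_RESOLVERS = {"dns.example-corp.internal"}   # assumed allowlist of sanctioned resolvers
MAX_LABEL_LEN = 40   # DNS allows 63; labels this long usually carry encoded data (heuristic)


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format message with one question (used to construct samples)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID 0, RD set, QDCOUNT 1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def make_doh_url(resolver: str, name: str, qtype: int = 1) -> str:
    """Encode a query the way a DoH GET client does: base64url with padding stripped."""
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"https://{resolver}/dns-query?dns={dns}"


def parse_question(msg: bytes) -> tuple:
    """Extract (qname, qtype) from the first question of a DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels), qtype


def decode_doh_get(url: str):
    """Return resolver, qname and qtype for a DoH GET URL, or None if it is not one."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if "dns" not in query:
        return None
    raw = query["dns"][0]
    msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))   # restore padding
    qname, qtype = parse_question(msg)
    return {"resolver": (parts.hostname or "").lower(), "qname": qname, "qtype": qtype}


def triage(url: str):
    """Apply the heuristics to one URL; None means it is not a DoH GET request."""
    info = decode_doh_get(url)
    if info is None:
        return None
    reasons = []
    if info["resolver"] not in APPROVED_RESOLVERS:
        reasons.append("unapproved resolver")
    if info["qtype"] == TXT:
        reasons.append("TXT query (common tasking channel)")
    if any(len(l) > MAX_LABEL_LEN for l in info["qname"].split(".")):
        reasons.append("oversized label (encoded data?)")
    info["reasons"], info["suspicious"] = reasons, bool(reasons)
    return info


def triage_log(lines) -> list:
    """Proxy log format assumed here: '<timestamp> <client> <url>'. Returns suspicious hits."""
    hits = []
    for line in lines:
        info = triage(line.split()[2])
        if info and info["suspicious"]:
            hits.append(info)
    return hits


# Constructed proxy log lines; hosts and the hex-looking label are placeholders.
SAMPLE_LOG = [
    "2026-02-26T10:01:02Z 10.0.4.17 " + make_doh_url("dns.example-corp.internal", "www.example.com"),
    "2026-02-26T10:01:09Z 10.0.4.17 " + make_doh_url(
        "doh.resolver.example", "6a6f622d3231312d6f6b2d6865617274626561742d30303031.c2.attacker.example", TXT),
    "2026-02-26T10:01:15Z 10.0.4.17 https://www.example.com/",
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['resolver']} {hit['qname']} type={hit['qtype']}: {', '.join(hit['reasons'])}")
```

The GET form is the only one this recovers from URLs alone; a client that POSTs `application/dns-message` bodies needs TLS inspection of the request body, and then `parse_question` applies to the body bytes directly.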
FortiGuard Labs unpacks a recent Agent Tesla infection chain, where phishing emails contain a RAR attachment with a JScript loader, followed by in-memory loader execution and process hollowing, ending with an in-memory .NET Agent Tesla payload. www.fortinet.com/blog/threat-...
26.02.2026 09:30
Google's GTIG & Mandiant disrupted UNC2814, a PRC-nexus espionage actor targeting telecoms & governments across 4 continents. The takedown cut off attacker-controlled Google Cloud projects, disabled infrastructure, and revoked Google Sheets API access used for C2. cloud.google.com/blog/topics/...
26.02.2026 09:27
35 Years of Virus Bulletin Conferences
JERSEY - 1991
EDINBURGH - 1992
AMSTERDAM - 1993
JERSEY - 1994
BOSTON - 1995
BRIGHTON - 1996
SAN FRANCISCO - 1997
MUNICH - 1998
VANCOUVER - 1999
ORLANDO - 2000
PRAGUE - 2001
NEW ORLEANS - 2002
TORONTO - 2003
CHICAGO - 2004
DUBLIN - 2005
MONTREAL - 2006
VIENNA - 2007
OTTAWA - 2008
GENEVA - 2009
VANCOUVER - 2010
BARCELONA - 2011
DALLAS - 2012
BERLIN - 2013
SEATTLE - 2014
PRAGUE - 2015
DENVER - 2016
MADRID - 2017
MONTREAL - 2018
LONDON - 2019
LOCALHOST - 2020
LOCALHOST - 2021
PRAGUE - 2022
LONDON - 2023
DUBLIN - 2024
BERLIN - 2025
SEVILLE - 2026
What's your VB count?
35 years of Virus Bulletin Conferences
What's your VB count?
Where did your journey start?
Next stop: Seville | 14-16 October 2026
www.virusbulletin.com/conference/v...
#VirusBulletin #VB2026 #VBConference #CyberSecurity #InfoSec
25.02.2026 13:58
VMRay profiles Hydra Saiga - an espionage actor active since 2021 and compromising at least 34 organisations across 8 countries - linking the activity to Kazakhstan state interests. The tooling leans on Telegram-based C2 and a mix of Rust, Go and Python implants. www.vmray.com/hydra-saiga-...
25.02.2026 09:57
Point Wild describes Tycoon 2FA as a business model: Tycoon 2FA is a phishing-as-a-service selling MFA bypass to low-skill actors; it's cheap, scaling fast, and silently relays credentials, MFA approvals and sessions to an adversary in real time. www.pointwild.com/threat-intel...
25.02.2026 09:54
Microsoft Defender Experts report a developer-targeting campaign using trojanised repos posing as legitimate Next.js projects and technical assessment materials. www.microsoft.com/en-us/securi...
25.02.2026 09:35
Malwarebytes details fake Huorong Security AV software that installs ValleyRAT, a Winos4.0-based RAT with stealth & injection features. The lure relies on typosquatting & a trojanised NSIS installer attributed to the Silver Fox APT targeting China-based users. www.malwarebytes.com/blog/scams/2...
24.02.2026 11:22
Jamf Threat Labs researchers Nir Avraham and Hu Ke reverse engineer Predator spyware and uncover previously undocumented mechanics used to bypass iOS recording indicators once it already has kernel-level access. www.jamf.com/blog/predato...
24.02.2026 11:18
Jan Kopriva at SANS ISC describes a fresh malspam chain using a large obfuscated JScript file inside a GZIP attachment. After deobfuscation it spawns hidden PowerShell via WMI, pulls an image file with an embedded payload, and the chain ends with Remcos RAT. dshield.org/diary/Anothe...
24.02.2026 11:16