
MalWhere?

@malwhere

๐Ÿ‘จโ€๐Ÿ’ปAPT Insights ๐Ÿ•ต๏ธโ€โ™‚๏ธTracking Cyber-Espionage Threats ๐Ÿ’ปUncovering the Dark Side of the Digital World ๐Ÿ‘‡Latest Threat Analysis & Updates https://malwhere.substack.com/

105
Followers
180
Following
366
Posts
12.09.2024
Joined

Latest posts by MalWhere? @malwhere

Post-exploitation tools include SilverScreen (screen capture), SSHcmd, and the GearDoor backdoor. GearDoor uses Google Drive for C2, disguising tasks via file extensions (.png, .pdf, .cab, .rar, .7z). Tradecraft overlaps tie the group to APT41.

05.03.2026 15:29 👍 0 🔁 0 💬 0 📌 0

Silver Dragon deploys multiple Cobalt Strike infection chains: AppDomain hijacking, Service DLL abuse, and phishing with weaponized LNK files. Custom loaders like MonikerLoader and BambooLoader decrypt payloads in memory and inject them into legitimate Windows processes.

05.03.2026 15:29 👍 0 🔁 0 💬 1 📌 0

🚨 APT group “Silver Dragon” targeting Europe & Southeast Asia since mid-2024. Linked to the APT41 umbrella, the China-nexus threat actor focuses mainly on government entities, using server exploits and phishing to gain initial access.
#APT #CyberEspionage #ThreatIntel #CyberSecurity

05.03.2026 15:29 👍 0 🔁 0 💬 1 📌 0

The phishing sites request 12-, 20-, or 24-word recovery phrases, transmitting them to attacker-controlled infrastructure via backend API endpoints. With the seed phrase captured, threat actors can import wallets and drain funds.

22.02.2026 10:41 👍 0 🔁 0 💬 0 📌 0

The letters cite urgent deadlines (Oct 2025 / Feb 2026) and warn of lost functionality. QR codes direct recipients to spoofed Trezor and Ledger setup pages designed to mimic official security and compliance communications.

22.02.2026 10:41 👍 0 🔁 0 💬 1 📌 0

🚨 Snail-mail phishing targets crypto hardware wallet users. Fake letters posing as Trezor & Ledger claim mandatory “Authentication” or “Transaction” checks. Victims are pressured to scan QR codes tied to recovery-phrase theft campaigns.
#Crypto #Phishing #HardwareWallet #CyberSecurity

22.02.2026 10:41 👍 0 🔁 0 💬 2 📌 0

The loader retrieves encrypted payloads hidden in fake icon files via steganography, installs persistent DLLs via Task Scheduler, and exfiltrates system data. Linked to Rhysida and possibly Wizard Spider, it delivers ransomware & stealers—an evolving threat into 2026.

17.02.2026 08:35 👍 0 🔁 0 💬 0 📌 0

OysterLoader uses a 4-stage infection chain: TextShell packer, API flooding, anti-debug checks, custom API hashing, and modified LZMA compression. It dynamically resolves Windows functions and evades AV detection while testing sandbox conditions before contacting C2 over HTTPS.

17.02.2026 08:35 👍 0 🔁 0 💬 1 📌 0

🚨 Researchers uncovered OysterLoader, a stealthy multi-stage loader powering Rhysida ransomware attacks. Active since 2024, it spreads via fake downloads of PuTTY, WinSCP & AI tools, deploying malware through signed MSI files. A major enterprise threat. #CyberSecurity #Malware #ThreatIntel

17.02.2026 08:35 👍 0 🔁 0 💬 1 📌 0

CrowdStrike: Labyrinth Chollima split into espionage & crypto-theft units (Golden & Pressure Chollima), linked to Lazarus. Shared HR lures, trojanized apps & rootkits show centralized coordination across DPRK ops. #ThreatHunting #APT #Lazarus #CyberEspionage

11.02.2026 11:15 👍 2 🔁 0 💬 0 📌 0

The scheme acts as a high-volume revenue engine. Operatives gain admin access to repos, steal data, and convert salaries to crypto using chain-hopping. “Contagious Interview” lures deploy npm malware, VS Code payloads, BeaverTail & Koalemos RAT for full remote control.

11.02.2026 11:15 👍 1 🔁 0 💬 1 📌 0

🚨 DPRK-linked actors are infiltrating global firms via LinkedIn, posing as legit remote job candidates. Tracked as Jasper Sleet & Wagemole, the campaign funds weapons programs + enables espionage. Verified emails & badges boost credibility. #CyberSecurity #DPRK #ThreatIntel #LinkedIn #jaspersleet

11.02.2026 11:15 👍 1 🔁 0 💬 1 📌 0

New capabilities include Chromium login theft, HTTP proxy credential sniffing, active window tracking, and expanded plugins. Browser data is exfiltrated via hardcoded tokens for services like Google Drive, boosting stealth and resilience in Mustang Panda ops. #Malware #ThreatIntel

09.02.2026 14:55 👍 0 🔁 0 💬 0 📌 0

The updated CoolClient targets gov entities across Asia and beyond, abusing legitimate Sangfor software. It profiles systems, escalates privileges, persists via services and tasks, and runs modular plugins for keylogging, tunneling, file ops, and remote shells.

09.02.2026 14:55 👍 0 🔁 0 💬 1 📌 0

🚨Mustang Panda has rolled out a new CoolClient variant with browser credential theft and clipboard monitoring. Kaspersky links it to targeted espionage via trusted software and multi-stage loaders, signaling an evolution in China-aligned tradecraft. #APT #China #CyberEspionage #MUSTANGPANDA

09.02.2026 14:55 👍 0 🔁 0 💬 1 📌 0

AsyncRAT runs fully in memory, enabling surveillance, file access, and persistence while blending into normal system behavior. DEAD#VAX shows how attackers combine script abuse, IPFS, and process injection to defeat traditional defenses. #ThreatHunting #Infosec #APT

06.02.2026 10:26 👍 0 🔁 0 💬 0 📌 0

DEAD#VAX starts with phishing emails delivering fake PDF VHD files. When mounted, scripts launch multi-stage loaders that decrypt shellcode and inject AsyncRAT directly into trusted Windows processes, never dropping a clear payload to disk.

06.02.2026 10:26 👍 0 🔁 0 💬 1 📌 0

🚨Threat hunters uncovered DEAD#VAX, a stealth malware campaign abusing Windows features to deploy AsyncRAT. Using phishing, IPFS-hosted VHD files, obfuscated scripts, and in-memory execution, it evades detection and forensic analysis. #Malware #AsyncRAT #CyberThreats #EDR #DEADVAX

06.02.2026 10:26 👍 0 🔁 0 💬 1 📌 0
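Two of the threads above describe the same artefact from different angles: GearDoor hides C2 tasks behind .png/.pdf/.cab/.rar/.7z names, and DEAD#VAX delivers VHD disk images posing as PDFs. In both cases the file's declared extension disagrees with its actual bytes, which is something a triage script can check without knowing anything about the specific malware. The following is an added example, not code from the original posts or from any vendor report: the format signatures are the published magic values for each format (including the "conectix" footer that identifies a VHD), while the file names, the sample bytes and the decision to treat unrecognised content under a known extension as suspicious are choices made for this example.

```python
"""Flag files whose declared extension disagrees with their actual content.

Constructed example. Magic values are the documented format signatures;
sample names and bytes are invented here and are not real malware.
"""
from __future__ import annotations

# Leading-byte signatures for the formats GearDoor is said to impersonate.
MAGIC: dict[str, tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "cab": (b"MSCF",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 4.x and RAR 5.x
    "7z": (b"7z\xbc\xaf\x27\x1c",),
}

# Formats that tend to be smuggled under a benign-looking name.
SUSPECT_HEADERS: dict[str, tuple[bytes, ...]] = {
    "pe": (b"MZ",),          # Windows executable or DLL
    "vhd": (b"conectix",),   # dynamic/differencing VHD keeps a footer copy at offset 0
}
VHD_FOOTER_LEN = 512


def identify(data: bytes) -> str | None:
    """Return a format label derived from content alone, or None if unknown."""
    for kind, sigs in {**MAGIC, **SUSPECT_HEADERS}.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    # A fixed-size VHD has no header copy; its only 'conectix' footer is the last 512 bytes.
    if len(data) >= VHD_FOOTER_LEN and data[-VHD_FOOTER_LEN:].startswith(b"conectix"):
        return "vhd"
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the identified content.

    'suspicious' is True when the extension is one we can verify and the bytes are
    something else (a PE, a VHD, or unrecognised data such as an encrypted blob),
    and also when a double extension such as invoice.pdf.vhd hides a second type.
    """
    parts = name.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else None
    actual = identify(data)
    reasons: list[str] = []
    if claimed in MAGIC and actual != claimed:
        reasons.append(f"claims .{claimed} but content is {actual or 'unrecognised'}")
    if inner in MAGIC and claimed not in MAGIC:
        reasons.append(f"double extension .{inner}.{claimed}")
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (invented bytes, not real payloads).
SAMPLES: dict[str, bytes] = {
    "task.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                    # genuine PNG header
    "task.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,           # PE named as a PDF
    "update.7z": b"\x91\xa0\x41" + b"encrypted-looking-blob" * 2,        # no known header
    "report.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,               # genuine RAR5 header
    "invoice.pdf": b"conectix" + b"\x00" * 504 + b"\x00" * 1024,        # dynamic VHD named .pdf
    "invoice.pdf.vhd": b"\x00" * 1024 + b"conectix" + b"\x00" * 504,    # fixed VHD, double extension
}


def scan(samples: dict[str, bytes]) -> list[str]:
    """Return the names of all samples that fail the content/extension check."""
    return [n for n, d in samples.items() if check_file(n, d)["suspicious"]]


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        result = check_file(sample_name, sample_data)
        print(f"{sample_name:16} actual={str(result['actual']):12} "
              f"suspicious={result['suspicious']} {'; '.join(result['reasons'])}")
```

The check is deliberately conservative: a file with an extension the script does not know how to verify is not flagged on content alone, so it produces no noise on ordinary text or archive types outside the table. Extend `MAGIC` with further signatures when a campaign report names additional disguises.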
Link preview: The APTs That Defined 2025: How State-Aligned Threat Actors Shaped the Global Cyber Battlefield

The APTs That Defined 2025 open.substack.com/pub/malwhere...

#APT #China #Russia #DPRK #Iran #ThreatIntel #CyberSecurity #SaltTyphoon #FlaxTyphoon #MustangPanda #APT17 #APT28 #APT29 #Sandworm #LazarusGroup #Kimsuky #APT42

04.02.2026 11:41 👍 0 🔁 0 💬 0 📌 0

Attackers abused weak update checks in older Notepad++ versions, sideloading Chrysalis via a trojanized installer. The implant supports shell access, file ops, and C2 control. Rapid7 links the tooling to Lotus Blossom’s evolving, stealth-focused tradecraft.

04.02.2026 09:26 👍 0 🔁 0 💬 0 📌 0

🚨China-linked espionage group Lotus Blossom was tied to a Notepad++ hosting breach, enabling targeted delivery of a new backdoor named Chrysalis to select users via redirected updates. The campaign was limited, stealthy, and supply-chain focused. #China #LotusBlossom #CyberEspionage #Malware #APT

04.02.2026 09:26 👍 0 🔁 0 💬 1 📌 0

Hosted on abuse-tolerant AS202015 with disposable domains and short-lived TLS certs, ToxicSnake isn’t one attack but a reusable delivery platform. Expect rebrands, not shutdowns, unless intelligence is shared fast. #Infosec #ThreatIntel #CyberDefense

30.01.2026 13:08 👍 0 🔁 0 💬 0 📌 0

The campaign uses fake educational sites, obfuscated JavaScript, browser fingerprinting, and single-use tokens. Only selected victims see malicious content, while analysts get nothing. This selective delivery keeps infrastructure alive and payloads hidden.

30.01.2026 13:08 👍 0 🔁 0 💬 1 📌 0

🚨ToxicSnake shows how modern phishing hides behind Traffic Distribution Systems (TDS). Instead of attacking everyone, it filters visitors to evade scanners and researchers. The weapon isn’t the payload, but the decision engine behind it. #CyberThreats #Phishing #TDS #Malware #ToxicSnake

30.01.2026 13:08 👍 0 🔁 0 💬 1 📌 0

The campaign abused Moltbot’s popularity, delivering fallback payloads via DLL sideloading and alternate domains. Separately, researchers warn misconfigured Moltbot instances expose credentials and chat data, enabling “agent hijacking” and manipulation of AI workflows across platforms.

29.01.2026 10:21 👍 0 🔁 0 💬 0 📌 0

🚨 A malicious VS Code extension impersonating Moltbot (“ClawdBot Agent, AI Coding Assistant”) was distributed via Microsoft’s official Marketplace. The malware executed on launch, fetched remote configs, and deployed ScreenConnect RAT for persistent access.
#SupplyChain #VSCode #Malware #Moltbot

29.01.2026 10:21 👍 0 🔁 0 💬 1 📌 0

PeckBirdy runs across browsers, MSHTA, WScript, ASP, Node.js, and .NET, dynamically serving payloads via unique attack IDs. Linked clusters SHADOW-VOID-044 and SHADOW-EARTH-045 deployed cookie theft, exploits, backdoors, and modular RATs, complicating detection.

28.01.2026 11:05 👍 0 🔁 0 💬 0 📌 0

๐Ÿ•Š๏ธ PeckBirdy is a JavaScript-based C2 framework used by China-aligned APTs since 2023. Tracked by Trend Micro it abuses LOLBins and legacy JScript to deliver malware via fake Chrome updates and injected websites, targeting gambling platforms and Asian orgs
#APT #China #Malware #ThreatIntel #PeckBirdy

28.01.2026 11:05 👍 1 🔁 0 💬 1 📌 0

While technically unsophisticated, Stanley’s real danger is its distribution model—promising trusted Web Store placement. Researchers warn users to limit extensions, verify publishers, and review permissions as malicious add-ons continue to bypass safeguards.
#Infosec #Chrome #CyberCrime #ThreatIntel

27.01.2026 10:46 👍 0 🔁 0 💬 0 📌 0

Stanley lets operators hijack navigation, inject phishing pages, push browser notifications, and silently install extensions across Chrome, Edge, and Brave. It supports geo-targeting, IP tracking, and persistent C2 polling with backup domains to evade takedowns.

27.01.2026 10:46 👍 0 🔁 0 💬 1 📌 0
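The Stanley thread closes with the advice to review extension permissions before installing. The capabilities the post lists (hijacking navigation, injecting pages, pushing notifications, persistent C2 polling across Chrome, Edge and Brave) all have to be declared in the extension's manifest, so a manifest review catches them before the code ever runs. The following is an added example that is not part of the original posts and is not derived from Stanley's actual manifest: the permission names and manifest keys are real Chromium manifest fields, while the weights, the threshold and the two sample manifests are constructed for this example.

```python
"""Triage a Chromium extension manifest for the capabilities a browser hijacker needs.

Constructed example. Permission names are real Chrome manifest keys; the
weights, threshold and sample manifests are choices made for this example.
"""
from __future__ import annotations
import json

# Permission -> (risk weight, what it would let a malicious extension do).
RISKY: dict[str, tuple[int, str]] = {
    "debugger": (3, "full control of any page"),
    "proxy": (3, "route all traffic through an attacker proxy"),
    "nativeMessaging": (3, "talk to a native helper outside the sandbox"),
    "management": (2, "enumerate, enable or disable other extensions"),
    "webRequest": (2, "observe or rewrite traffic"),
    "webRequestBlocking": (2, "rewrite traffic (MV2)"),
    "declarativeNetRequest": (2, "redirect or block requests (hijack navigation)"),
    "webNavigation": (2, "observe every navigation"),
    "scripting": (2, "inject scripts/pages into sites"),
    "cookies": (2, "read session cookies"),
    "tabs": (1, "read URLs and redirect tabs"),
    "notifications": (1, "push browser notifications"),
    "alarms": (1, "periodic wake-ups, benign alone but also used for C2 polling"),
}

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _broad(patterns: list[str]) -> bool:
    """True if any match pattern covers every origin."""
    return any(p in BROAD_HOSTS for p in patterns)


def triage(manifest_text: str, threshold: int = 5) -> dict:
    """Score a manifest.json and explain each finding.

    Optional permissions count too: they can be requested later at runtime.
    MV2 mixes host patterns into 'permissions'; MV3 uses 'host_permissions'.
    """
    m = json.loads(manifest_text)
    mv = m.get("manifest_version", 2)
    perms = list(m.get("permissions", [])) + list(m.get("optional_permissions", []))
    hosts = list(m.get("host_permissions", [])) + list(m.get("optional_host_permissions", []))
    if mv == 2:
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    cs_hosts = [pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])]

    risky = sorted(p for p in perms if p in RISKY)
    score = sum(RISKY[p][0] for p in risky)
    findings = [f"{p}: {RISKY[p][1]}" for p in risky]
    if _broad(hosts):
        score += 3
        findings.append("host access to every site")
    if _broad(cs_hosts):
        score += 2
        findings.append("content script injected into every site")

    return {
        "name": m.get("name", "?"),
        "manifest_version": mv,
        "score": score,
        "findings": findings,
        "verdict": "review before install" if score >= threshold else "low",
    }


# Constructed manifests: a minimal utility and one shaped like a navigation hijacker.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
    "permissions": ["storage", "tabs"],
})
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Super Coupon Finder", "version": "4.2.1",
    "permissions": ["storage", "alarms", "tabs", "webNavigation",
                    "declarativeNetRequest", "notifications", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
})
LEGACY_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Legacy Helper", "version": "0.9",
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
})

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, SUSPECT_MANIFEST, LEGACY_MANIFEST):
        r = triage(text)
        print(f"{r['name']!r} (MV{r['manifest_version']}): score {r['score']} -> {r['verdict']}")
        for f in r["findings"]:
            print("   -", f)
```

Run it against the `manifest.json` of an unpacked extension (on Chrome, the profile's `Extensions/<id>/<version>/` directory) before trusting a Web Store listing; a high score is a prompt to read the code, not proof of malice, since legitimate ad blockers and password managers also need broad host access.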