#OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.
In this deep-dive analysis, our Threat Detection & Research (TDR) team uncovers a sophisticated, multi-stage infection designed to bypass security controls. Key findings:
- Deceptive Distribution: Spreads via fake sites impersonating IT tools like PuTTY or WinSCP.
- Advanced Evasion: Packed with TextShell for enhanced obfuscation (custom LZMA); utilizes API "hammering" and anti-debug traps to bypass detection and delay manual analysis.
- Custom Obfuscation: Leverages non-standard Base64 encoding with randomized shifts to evade automated detection.
- Steganography: Hides payloads within innocuous-looking icon images retrieved from the C2.
blog.sekoia.io/oysterloader...
#Reverse
As usual, IoCs are available in our Community GitHub repository:
github.com/SEKOIA-IO/Co...
#TDR analysts deep dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.
blog.sekoia.io/meet-iclickf...
In November 2025, we unveiled IClickFix via an internal tool detecting watering hole attacks and YARA rules tuned to identify ClickFix pages.
We named the framework "IClickFix" after its characteristic HTML tag "ic-tracker-js".
The attacker is abusing the open-source URL shortener YOURLS as a Traffic Distribution System (TDS), filtering visitors by device type and protecting their infrastructure.
To our knowledge, this is the first time cybercriminals have used YOURLS as a TDS.
Leveraging #Landlock Telemetry for #Linux Detection Engineering
Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.
The blog post dives into how #Landlock, originally designed as a security hardening mechanism, can also become a powerful source of telemetry for detection engineering on #Linux systems.
This research highlights how defensive kernel mechanisms can be repurposed to strengthen behavioural detection on Linux endpoints.
blog.sekoia.io/leveraging-l...
The series outlines the methodology we employ at Sekoia's Threat Detection & Research (#TDR) team to automate the extraction of #malware configuration data, from initial analysis to the production of usable intelligence.
The first part introduces #Assemblyline, the analysis pipeline used by #TDR and more specifically, the configextractor service.
buff.ly/mpEzALh
In the second part, we unwrap #QuasarRAT, a popular .NET remote access trojan, and show how to extract its encrypted configuration out of the binary.
buff.ly/agWWCnp
In the third part of our series "Advent of Configuration Extraction", we dissect #SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on #Linux systems.
buff.ly/Crz8rDh
Check out the first three episodes of our special Advent of Configuration Extraction
Part 1: buff.ly/mpEzALh
Part 2: buff.ly/agWWCnp
Part 3: buff.ly/Crz8rDh
Last part following Monday!
French NGO Reporters Without Borders targeted by #Calisto in recent campaign
Sekoia #TDR analysed a recent #Calisto (aka #ColdRiver #Star Blizzard) spear-phishing campaign aimed at Reporters sans frontières and other #Ukraine-supporting organisations.
blog.sekoia.io/ngo-reporter...
Key takeaways:
- Trusted-contact impersonation: Calisto used ProtonMail accounts to send missing or faulty attachments, prompting victims to request a resend containing the malicious link.
- Fake PDFs & redirectors: Decoy PDFs (sometimes disguised ZIP files) redirected victims through compromised websites to Calisto's phishing kit.
- AiTM phishing kit: A homemade ProtonMail kit enabled credential theft and 2FA relay through injected JavaScript and attacker-controlled APIs.
- Infrastructure patterns: Redirectors hosted on compromised websites, domains registered via Namecheap/Regway, and access routed through Big Mama Proxy.
History and dissection of the Latrodectus malicious loader (#Latrodectus), by Pierre Le Bourhis @sekoia.io at #UYBHYS25
@uybhys.bsky.social
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.
blog.sekoia.io/phishing-cam...
Attackers target hotel establishments to harvest credentials that grant access to booking platforms.
Those credentials are used to launch personalised fraud campaigns against hotel guests, impersonating billing services and tricking them into paying twice for their reservation.
In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.
We also detailed the fraud scheme targeting hotel customers.
Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
Discover how #TransparentTribe (#APT36) uses a disguised DESKTOP dropper to deploy #DeskRAT, a Golang RAT, on BOSS Linux endpoints in India.
Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications.
Read more: blog.sekoia.io/transparentt...
Our latest technical deep-dive unravels the mystery behind the opaque numeric codes (16, 272, 33554432, etc.) you see in #Microsoft365 audit logs.
By correlating #Office365 events with Entra ID sign-in logs, we've mapped each bit in the UserAuthenticationMethod field to its corresponding authentication factor: Password Hash Sync, Windows Hello for Business, Passkeys, SMS sign-in, and more.
blog.sekoia.io/userauthenti...
These exploitations led to the deployment of an undocumented TLS backdoor we dubbed the "PolarEdge Backdoor."
This follow-up provides a detailed analysis of the backdoor, including the anti-analysis techniques it employs.