INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
AI Agent Phishing Worm Code Leaked
2026-06-11 13:20 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The threat landscape is increasingly dominated by sophisticated and targeted attacks, with the Five Eyes intelligence alliance countries warning of China's aggressive use of job platforms to target individuals for sensitive information. A previously unknown group known as SiribClone has been targeting Russian military personnel using bait applications for "safe photo exchange" to distribute malicious files. This is just one example of the Russia-focused phishing waves being conducted, with targets including Russian maritime universities, energy facilities, diplomatic missions, and government agencies. The threat actors behind these campaigns include an unidentified group that has also been targeting Russian military personnel since at least July 2024, as well as Cloud Atlas, which uses ZIP archives containing malicious shortcuts to launch PowerShell scripts. This malware payload can drop a credential grabber, highlighting the potential for sophisticated attacks in the future.
Technical Mitigations (AI-generated)
• Monitor for misuse of built-in OS settings that can be abused to weaken endpoint security tools.
• Treat unsolicited online offers of consulting work with extreme caution; they may be scams.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Contagious Interview
PowerShower, Shai-Hulud, VBShower, RansomHub, Cobalt Strike, Agent Tesla
CVE-2026-49494
Target & Sectors
Regions: ASEAN, NORTH_AMERICA, EUROPE, CIS
Sectors: defense, government, maritime, energy
Incident Timeline
late 2020
Russian-speaking malware developer and vendor "o1oo1" leaked worm code.
target_region: Russian Federation
The Russian-speaking malware developer and vendor, "o1oo1," has been active since late 2020, previously launching a service called AsmCrypt.
May 2021
Threat actors used a contractor's login credentials to access the target company's network and execute malicious PowerShell scripts.
financial: $862K damage case
Maxwell Schultz, 36, of Columbus, Ohio, has been sentenced to 24 months in federal prison for hacking into his employer's network after his contract was terminated in May 2021.
Impersonating another contractor, Schultz obtained login credentials, accessed the former employer's systems, and executed a malicious PowerShell script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses.
November 2023
Threat actors used a Five Eyes intelligence alliance countries' AI agent to phish Claude code.
organisation: Reuters, the Chinese Embassy
In a statement shared with Reuters, the Chinese Embassy in Washington condemned the allegations and called them fabricated.
at least July 2024
Russian maritime universities and energy facilities were targeted through phishing campaigns by an unidentified group since at least July 2024.
target_region: Russian Federation
tactic: Phishing
industry: Maritime, Energy, Government
Russian maritime universities, energy facilities, diplomatic missions, and government agencies have also been targeted through phishing campaigns by an unidentified group since at least July 2024.
July 2024
Threat actors used RDP, SSH, and RevSocks to move laterally into systems via PAExec or PsExec as part of the PowerAdmin framework.
organisation: Google Sheets, Chrome, Edge
Furthermore, the attacks involve two new tools: PowerCloud, which collects user data with administrator privileges and writes it to Google Sheets, and Browser checker, a PowerShell script that checks whether browser processes (Chrome, Edge, Firefox, and others) are running.
organisation: RevSocks, PAExec, PsExec, PowerAdmin
Lateral movement via RDP, SSH, and RevSocks is achieved via PAExec or PsExec as part of a framework known as PowerAdmin.
organisation: MLTBackdoor
ClickFix backdoor expands
A ransomware-related threat actor has put to use a new malware family called MLTBackdoor that's delivered via ClickFix.
organisation: MTLBackdoor, Zscaler ThreatLabz
"MTLBackdoor supports a set of commands like downloading and uploading files from the victim's system," Zscaler ThreatLabz said.
organisation: Beacon Object Files
"However, one of the most powerful features is the ability to load Beacon Object Files (BOFs) to expand its capabilities."
April 2025
CrowdStrike identified Famous Chollima as the North Korean threat actor responsible for 47% of state-sponsored attacks on tech sectors between April 2025 and March 2026.
source_region: DPRK
attribution: CrowdStrike
threat_actor: Contagious Interview
general_metric: 47%
47% of tech intrusions
CrowdStrike has revealed that a North Korean threat actor known as Famous Chollima, which is behind the long-running IT worker and Contagious Interview campaign, accounted for 47% of all state-sponsored hands-on-keyboard operations against the tech sector between April 2025 and March 2026.
2025/06/11
Threat actors exploited vulnerabilities in Claude code to infect 11.1B devices, while also using AI agents to steal and distribute stolen credentials from over 3.3 billion compromised accounts.
infrastructure: 11.1M devices
data_breach: 3.3B stolen credentials
3.3B identity records exposed
A new analysis from Flashpoint has revealed that "more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets."
June 2025
Threat actors used Iran's BLUEWIPE malware to infect a target, where they also exploited an unknown vulnerability in the BLUERABBIT AI agent.
source_region: Iran, Islamic Republic of
organisation: BLUERABBIT, BLUEWIPE, SEWERGOO
BLUERABBIT is "related to the same likely Iran-nexus activity cluster that previously leveraged BLUEWIPE and SEWERGOO in June 2025," it added.
early 2025
Threat actors used a worm code to compromise computer systems.
September 2025
Threat actors used ClickFix to distribute the MaaS RAT, which targets credentials via Hijack Loader campaigns.
organisation: ClickFix, Hidden Virtual Network Computing
Delivered via ClickFix campaigns using Hijack Loader, the malware uses Hidden Virtual Network Computing (HVNC) to facilitate remote control capabilities, employs techniques like Browser Profile Cloning to replicate a user's browser profile (user agent, extensions, storage, and other fingerprinting attributes) to the attacker's system, and can identify wallet addresses or extract cryptocurrency-related artifacts.
November 2025
Threat actors used NinjaOne Remote Monitoring and Management (RMM) to target Brazilian organizations, followed by the abuse of Claude Code Action for phishing campaigns.
organisation: RMM
RMM abused in Brazil
An active phishing campaign has been observed targeting Brazilian organizations with fake business-document lures, resulting in the download of a NinjaOne Remote Monitoring and Management (RMM) agent.
organisation: SEFAZ, Cato Networks
"The campaign begins with phishing emails that redirect victims to Portuguese-language landing pages impersonating familiar Brazilian workflows, including SEFAZ-related fiscal documents, Reclame Aqui-style complaint processes, and secure document-delivery portals," Cato Networks said.
organisation: NinjaOne
Instead, the download delivers a legitimate NinjaOne RMM agent configured to provide remote access to attacker-controlled infrastructure, highlighting a previously undocumented abuse of NinjaOne in the Brazilian threat landscape."
infrastructure: Android
Fake banking updates
A new phishing campaign impersonating Italian and European banking brands is being used to distribute an Android malware called NFCShare.
organisation: APK
The attacks use phishing sites that aim to trick users into entering their credentials, after which they are prompted to update the banking application by downloading an APK file hosted on GitHub ("antoniocastaldo1998/app-scuola").
organisation: Pinchy
AI agent phishing risk
Four phishing simulations on an OpenClaw email agent codenamed Pinchy have revealed it to be susceptible to tactics commonly used to deceive human users.
organisation: the U.S. Justice Department
Murray "devised a scheme where he organized, maintained, and sold lists containing the names, phone numbers, physical addresses, and, in some cases, ages and email addresses, of elderly Americans to individuals in Jamaica involved in lottery fraud schemes," the U.S. Justice Department said.
infrastructure: Windows
organisation: Binary Defense
Another technique devised by Binary Defense involves disabling critical security services, such as Windows Defender and Sysmon, without triggering traditional malware alerts.
organisation: DLL, Protected Process Light, AV
"EDRStartupHinder aims to exploit Windows Bindlink to redirect a DLL from System32 to another location, alongside taking advantage of the function that only loads DLLs signed by a program protected with Protected Process Light (PPL) to prevent AV/EDR services from starting," the researcher said.
organisation: Windows Access Control Lists
It modifies Windows Access Control Lists (ACLs) to add "Deny" Access Control Entries (ACEs) against core system libraries like "kernel32.dll."
"From there, the attack escalates into a staged execution chain involving shellcode decoding, persistence setup, and process injection into legitimate Windows applications like charmap.exe."
infrastructure: 4.4
"Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll), sharing identical C2 infrastructure and malleable C2 profiles with the router implant - confirming unified operational control.
organisation: OOB
"Although the vulnerability can be used to remotely trigger both an out-of-bounds (OOB) read and out-of-bounds write in the Windows kernel, the limitations on both primitives lead me to believe it's unlikely this bug could be weaponized into RCE," Hutchins said.
"While Claude Code Action supported environment scrubbing for subprocess execution paths such as Bash, the Read tool was not subject to the same sandboxing model," the Windows maker said.
organisation: TikTok
AI video lures spread malware
Two social engineering campaigns are using AI-generated TikTok videos and Instagram Reels to direct users to sketchy sites that deploy Vidar Stealer and other dubious programs, in some cases requiring visitors to complete surveys before they could access the promised downloads.
organisation: Business Email Compromise
Money laundering goes MaaS
Cybersecurity company KELA has shed light on money mule networks, which play a crucial role in modern cybercrime and financial fraud ecosystems, enabling threat actors to launder and monetize proceeds through ransomware, scams, Business Email Compromise (BEC), and other illicit schemes.
organisation: Google Chrome
AI chats exposed
G DATA said it has witnessed a growing number of Google Chrome extensions that impersonate legitimate productivity tools while stealthily hijacking users' conversations with AI chatbots.
infrastructure: Linux
organisation: ELF, DNS, DoH
"The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent command-and-control (C2) via DNS over HTTPS (DoH) while simultaneously weaponizing the router's iptables subsystem to hijack downstream DNS traffic at scale," a security researcher named Y4er said.
organisation: SAN, TLS
"The pivot was a wildcard SAN on the TLS certificate: *.llm-playground.aws.metafb.cloud, which exposed a quiet shadow estate behind metafb.cloud," the cybersecurity company said.
organisation: GCP OAuth2
Slight (AI built wordlist given JS bundles, context, etc) fuzzing against api.haloworld.xyz then exposed /_api/gcp-token, an unauthenticated endpoint that handed out a valid GCP OAuth2 token."
infrastructure: CVSS 7.5
organisation: PoC, Inspect.sys, CVSS
One-packet crash bug
Security researcher Marcus Hutchins has released details and a proof-of-concept (PoC) exploit for ComoDoS, an integer underflow vulnerability residing in Comodo Internet Security's firewall driver, Inspect.sys (CVE-2026-49494, CVSS score: 7.5).
organisation: NFC, ISO-DEP, WebSocket
Under the hood, the app reads NFC card data (ISO-DEP) and exfiltrates it to a remote WebSocket endpoint.
organisation: Apple
"Building on its ability to alert users about weak and compromised passwords, Passwords can now automatically fix these for users with just a tap," Apple said.
organisation: EDR, EDRChoker, Endpoint Detection and Response
EDR telemetry throttled
A new technique called EDRChoker interferes with the client-server connection of Endpoint Detection and Response (EDR) software to sidestep defenses.
organisation: Quality of Service, QoS
"EDRChoker uses policy-based Quality of Service (QoS) to throttle EDR agents to the lowest bandwidth; when agents attempt to connect, they will consistently time out due to the extremely low bandwidth," a security researcher who goes by the name Zero Salarium said.
"It takes a list of common EDR process names and creates QoS policies that limit those processes to 8 bits per second.
organisation: STX, Cyderes
STX RAT supply chain grows
The supply chain attack targeting CPUID to deliver STX RAT is broader in scope than previously thought, with a new analysis from Cyderes uncovering seven additional trojanized packages tied to the same campaign.
organisation: Leda Elacoate
"The actor, operating under the alias Leda Elacoate (pufferfish11@firemail[.]cc), built and maintained a Bitbucket repository of trojanized installers over approximately one month, targeting a wide range of user demographics."
organisation: Tesla
Agent Tesla is designed to steal browser credentials, log keystrokes, capture screenshots, and extract sensitive data from the system.
organisation: SMTP
The collected information is then exfiltrated using SMTP-based communication, allowing malicious traffic to blend with normal-looking email activity.
organisation: KYC
Threat actors have also been found to rely on forged documentation, deepfake-enabled KYC bypass methods, account takeover techniques, and automated account "warming" activity to set up resilient laundering infrastructures across multiple financial platforms.
organisation: Claude & DeepSeek
Some of these include Urban VPN, Smart Sidebar: ChatGPT, Claude & DeepSeek, and Chat AI, the last of which exhibits traits consistent with a campaign dubbed AiFrame.
organisation: DATA
"User data generated through AI conversations may still be vulnerable to theft by threat actors utilizing plug-ins that pose as legitimate tools," G DATA said.
organisation: Meta, Meta IP, the Sectricity Security Team
507 Meta repos exposed
A public Meta IP address running an open Grafana instance acted as a pathway for read-write access to 507 private Meta repositories, netting the Sectricity Security Team a bug bounty of $157,000.
organisation: GCP
The GCP token, in turn, granted read access to the project's Secret Manager that contained a Vercel token.
organisation: TCP
"The bug does, however, enable you to remotely crash the target system with a single TCP/IP packet, even if the firewall is configured to block all ports."
victims: 100M reported users
Among the impacted packages is X-VPN, a consumer VPN with over 100 million reported users.
March 2026
Threat actors used CrowdStrike's AI agent to phish current or former U.S. government and military employees, with Famous Chollima being behind the North Korean threat actor known as Contagious Interview that accounted for 47% of state-sponsored hands-on-keyboard operations against tech companies between April 2025 and March 2026.
infrastructure: 13 domains
13 domains seized
The U.S. Department of Justice has announced the seizure of 13 internet domains masquerading as consulting companies used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information.
the beginning of April 2026
Threat actors used a worm code to infect over 33,000 unique users across multiple countries.
target_region: India, Brazil, Argentina, Mexico, Spain
victims: 33,000 unique users
Since the beginning of April 2026, more than 33,000 unique users have been targeted, with the most affected countries including Brazil, India, Argentina, Mexico, Turkey, and Spain.
April 29, 2026
The threat actors used a Golang backdoor called BLUERABBIT to route malware through RabbitMQ for tasking, Redis for state management and MinIO for S3-compatible data exfiltration.
infrastructure: 2.1.128
Following responsible disclosure on April 29, 2026, the issue was fixed on May 5 with the release of Claude Code version 2.1.128.
organisation: Nimbus Manticore, LinkedIn
financial: $200K job
Fake $200K job lure
The Iranian hacking group known as Nimbus Manticore approached an employee via LinkedIn by impersonating a headhunter, luring them with a salary offer of $200,000 per year.
organisation: Golang, S3
Backdoor with wiper modules
Cybersecurity researchers have flagged a new Golang backdoor called BLUERABBIT that routes C2 through RabbitMQ for tasking, Redis for state management, and MinIO for S3-compatible data exfiltration.
organisation: Nextron Systems, Ebix Recruitment
Per Nextron Systems, the interaction is said to have redirected the victim to a fake hiring portal branded as Ebix Recruitment that prompted them to enter temporary credentials received from the recruiter to log in to the website.
May 5
Claude Code version 2.1.128 was released on May 5, fixing the issue following responsible disclosure on April 29, 2026.
infrastructure: 2.1.128
Following responsible disclosure on April 29, 2026, the issue was fixed on May 5 with the release of Claude Code version 2.1.128.
May 2026
Threat actors used RustyRocket to target 33,000 users.
Click on any entity below to view its context and source!
victims
33,000 unique users
"
33,000 users targeted
A new Go-based loader named GoFlateLoader is being used to deliver multiple infostealers, including Amatera, Remus, Lumma, Vidar, StealC, and SvitStealer.
organisation
World Leaks
In recent months, ransomware and data extortion attacks involving DragonForce and World Leaks have employed backdoors like VIPERTUNNEL, a Python malware previously linked to RansomHub, and RustyRocket, a custom-built Rust tool to facilitate covert data exfiltration and persistent access.
organisation
RustyRocket
"Once an attacker runs it, RustyRocket can securely connect back to an attacker-controlled server using heavily encrypted and layered traffic that blends in with normal internet activity, making it very hard for defenders to detect," Accenture's T. Ryan Whelan said.
organisation
WooCommerce
WooCommerce card theft
A new skimmer campaign is targeting WooCommerce sites to steal card details from checkout pages.
organisation
CloudSEK
"The skimmer impersonates the real Stripe payment element, validates cards in real time so the victim never suspects anything," CloudSEK said.
organisation
PE
"The loader is designed for in-memory payload execution and is deliberately inflated with a massive PE overlay to hinder detection."
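A quick check for the overlay-inflation trick described in the quote above, as an added example (not code from the page or from the vendor quoted): it parses the PE section table, computes where the last section's raw data ends, and reports everything after that point as overlay. The minimal PE built by build_sample_pe() is constructed for the demo and is not a real sample; the thresholds in is_inflated() are illustrative, not a published rule.

```python
"""Measure the overlay (bytes appended after the last section) of a PE file.

Added example; not code from the page or from any vendor it cites. The
minimal PE produced by build_sample_pe() is constructed for this demo.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"


def pe_overlay_size(data: bytes) -> int:
    """Bytes after the end of the last section's raw data (0 if none).

    Raises ValueError if the buffer is not a parseable PE image.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    section_table = coff + 20 + opt_size
    end_of_sections = section_table + num_sections * 40  # at least the headers
    for i in range(num_sections):
        off = section_table + i * 40
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<8x8xII", data, off)
        if size_raw:
            end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return max(0, len(data) - end_of_sections)


def overlay_ratio(data: bytes) -> float:
    """Fraction of the whole file that is overlay (0.0 .. 1.0)."""
    return pe_overlay_size(data) / len(data) if data else 0.0


def is_inflated(data: bytes, min_overlay: int = 50 * 1024 * 1024,
                min_ratio: float = 0.9) -> bool:
    """Triage rule (illustrative thresholds): a big overlay that dominates the file."""
    return pe_overlay_size(data) >= min_overlay and overlay_ratio(data) >= min_ratio


def build_sample_pe(overlay_len: int) -> bytes:
    """Construct a minimal, non-executable PE32 layout with one .text section
    of 0x200 bytes at file offset 0x200, then append overlay_len filler bytes.
    Sample data for this demo only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # magic 0x10B (PE32), rest zeroed
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", 0x100, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + IMAGE_NT_SIGNATURE + coff + opt + section
    img += b"\x00" * (raw_ptr - len(img)) + b"\xCC" * raw_size  # section body
    return img + b"A" * overlay_len


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: overlay={pe_overlay_size(blob)} bytes ({overlay_ratio(blob):.1%})")
```

Large overlays are not malicious on their own (installers and self-extracting archives carry their payload there), so treat the ratio as a triage signal: a binary that is mostly overlay and arrives via cracked software deserves a closer look. The other side of the same coin is the scanner: if a file-size cap makes it skip big files, configure it to hash and scan at least the headers and the mapped sections regardless of total size.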
organisation
Traffic Distribution System
The malware is delivered via cracked software and a malicious Traffic Distribution System (TDS) that has been used to deliver Remus Stealer, AnimateClipper, and the SessionGate framework.
2026/06/04
As of last week, a total of 304 components had been impacted by Miasma.
general_metric
304 components
As of last week, a total of 304 components have been impacted by Miasma.
June 8, 2026
A weakness in certain Microsoft Exchange configurations could be abused to send emails masquerading as any user of a vulnerable organization.
infrastructure
Windows
Cross-platform RAT emerges
Iru has analyzed a new cross-platform RAT called SStar Agent that's designed for both Windows and macOS systems. "The macOS builds are heavily instrumented surveillance tools focused on recon and exfiltration, while the Windows build layers on a keyboard hook, clipboard monitor, and remote mouse/keyboard control," the company said. "The gap between the Windows and macOS versions indicates this is still a work in progress."
In the SiribClone campaign, Windows systems are infected by a stealer known as SiribGrabber.
organisation
PyPI
"It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH-based lateral movement, and other attack vectors."
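The toolkit quoted above works from stolen credentials, so the defensive question is where those credentials sit on a developer workstation. The following is an added example, not code from the page or from the vendor it quotes: it inventories the conventional plaintext credential files for PyPI, npm, RubyGems, the JFrog CLI, the GitHub CLI and git, and checks whether SSH private keys are passphrase-protected. The file paths and field names are the tools' usual defaults (an assumption to verify against your own tooling); the home directory it builds for the demo is constructed and contains no real secrets.

```python
"""Inventory plaintext publishing/CI credentials under a home directory.

Added example; not code from the page or from any vendor it cites. File
locations and field names are the conventional defaults of each tool
(assumption). build_demo_home() writes constructed, non-secret sample files.
"""
import base64
import re
import stat
import tempfile
from pathlib import Path

# Conventional credential files -> pattern capturing the secret. Patterns are
# deliberately loose: the goal is inventory, not token validation.
CREDENTIAL_FILES = {
    ".pypirc": re.compile(r"^\s*password\s*=\s*(\S+)", re.M),          # PyPI upload token
    ".npmrc": re.compile(r":_authToken\s*=\s*(\S+)", re.M),            # npm registry token
    ".gem/credentials": re.compile(r":rubygems_api_key:\s*(\S+)", re.M),
    ".jfrog/jfrog-cli.conf.v2": re.compile(
        r'"(?:accessToken|password|apiKey)"\s*:\s*"([^"]+)"', re.M),   # Artifactory via JFrog CLI
    ".config/gh/hosts.yml": re.compile(r"oauth_token:\s*(\S+)", re.M), # GitHub CLI
    ".git-credentials": re.compile(r"^https?://[^:\s]+:([^@\s]+)@", re.M),
}
SSH_KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519")


def mask(secret: str) -> str:
    """Keep a 4-character prefix so findings can be matched to a token, no more."""
    return secret[:4] + "****"


def world_readable(path: Path) -> bool:
    return bool(path.stat().st_mode & stat.S_IROTH)


def ssh_key_encrypted(pem: str) -> bool:
    """True if a PEM or openssh-key-v1 private key is passphrase-protected."""
    if "Proc-Type: 4,ENCRYPTED" in pem:          # legacy PEM marker
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return False
        magic = b"openssh-key-v1\x00"
        if raw.startswith(magic):                 # magic, then string ciphername
            off = len(magic)
            n = int.from_bytes(raw[off:off + 4], "big")
            return raw[off + 4:off + 4 + n] != b"none"
    return False


def audit_home(home: Path) -> list[dict]:
    """Inventory plaintext tokens and private keys under one home directory."""
    findings = []
    for rel, pattern in CREDENTIAL_FILES.items():
        path = home / rel
        if not path.is_file():
            continue
        for m in pattern.finditer(path.read_text(errors="replace")):
            findings.append({"file": rel, "kind": "token", "preview": mask(m.group(1)),
                             "world_readable": world_readable(path)})
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        for name in SSH_KEY_NAMES:
            key = ssh_dir / name
            if key.is_file():
                findings.append({"file": f".ssh/{name}", "kind": "ssh_key",
                                 "encrypted": ssh_key_encrypted(key.read_text(errors="replace")),
                                 "world_readable": world_readable(key)})
    return findings


def build_demo_home() -> Path:
    """Constructed sample home: a world-readable .pypirc, an .npmrc and an
    unencrypted openssh-key-v1 stub (header only, not a usable key)."""
    home = Path(tempfile.mkdtemp(prefix="cred-audit-demo-"))
    (home / ".pypirc").write_text("[pypi]\nusername = __token__\npassword = pypi-CONSTRUCTED-TOKEN-0000\n")
    (home / ".pypirc").chmod(0o644)
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_CONSTRUCTED0000\n")
    (home / ".npmrc").chmod(0o600)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700)
    blob = b"openssh-key-v1\x00" + (4).to_bytes(4, "big") + b"none" + b"\x00" * 32
    key = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
           + "\n-----END OPENSSH PRIVATE KEY-----\n")
    (ssh_dir / "id_ed25519").write_text(key)
    (ssh_dir / "id_ed25519").chmod(0o600)
    return home


if __name__ == "__main__":
    for f in audit_home(build_demo_home()):
        print(f)
```

Run audit_home(Path.home()) on real workstations and CI runners; every token it lists is one a supply-chain kit of the kind described can reuse without touching the registry's login page. The remediation is the usual one: scoped, short-lived tokens (per-project PyPI and npm tokens, trusted publishing from CI instead of long-lived uploads), passphrases on SSH keys, and 0600 permissions on everything the script reports as world-readable.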
organisation
Microsoft Exchange
Exchange spoofing risk
A weakness in certain configurations of Microsoft Exchange could be abused by attackers to send emails masquerading as any user to a vulnerable organization.
infrastructure
Android
Attacks targeting Android devices lead to the deployment of a spyware called SafeLoveStealer that can steal photographs, videos, documents, and location data.
organisation
SafeDep
According to SafeDep, the source code has been published through compromised developer accounts.
organisation
Google
Search uploads retained
Google has revealed that it intends to save the images, files, audio, and video users upload to Search under a new "Search Services History" setting.
organisation
Search Live
This can include images, files, and audio/video recordings, such as Google Lens images, content you upload, and recordings from Search Live, Translate speaking practice, and voice searches, per Google.
organisation
Search Services History
The tech giant said the Search Services History setting will be used to "provide, develop, and improve its services," including its AI models, as well as offer personalized suggestions and ads if the new "Personalized Recommendations" option is switched on.
organisation
POST
"Notably, the malware includes a large POST request via endpoint /api/telemetry/report that constantly monitors and exfiltrates the entire directory tree to monitor files of interest."
organisation
GitHub
The lure is a bogus Web3 engineering take-home assessment, a GitHub repository ("star45674/smart-contract-engineer-role") that's likely distributed to targets.
organisation
Telegram
In some cases, members of the group have posed as women seeking romantic relationships to infect smartphones, computers, and Telegram accounts.
infrastructure
50,000 downloads
This approach has been observed in a package named "ambar-src," which reached more than 50,000 downloads in three days after attackers published hundreds of benign versions of the package before introducing the actual malicious payload. "Because the attackers systematically uploaded hundreds of versions, they artificially generated a massive wave of automated traffic, inflating the package's download count to more than 50,000 downloads in just three days."
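A detection heuristic for the version-spam pattern described above, as an added example (not code from the page or from the registry): given release metadata in the shape of the PyPI JSON API, it finds the densest 24-hour burst of releases and flags packages whose burst exceeds a threshold. The sample metadata and the threshold are constructed for the demo; a real deployment would fetch https://pypi.org/pypi/<name>/json for each dependency and tune the threshold against the organisation's own dependency set.

```python
"""Flag packages whose release history looks like automated version spam.

Added example; not code from the page or from the registry. The sample
metadata is constructed in the shape of the PyPI JSON API
('releases' -> version -> list of files with 'upload_time_iso_8601').
The 24h window and burst threshold are illustrative, not a published rule.
"""
from datetime import datetime, timedelta, timezone


def release_times(meta: dict) -> list[datetime]:
    """Earliest upload time of every release, sorted ascending."""
    times = []
    for files in meta.get("releases", {}).values():
        stamps = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                  for f in files if "upload_time_iso_8601" in f]
        if stamps:
            times.append(min(stamps))
    return sorted(times)


def max_releases_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of releases whose upload times fit inside one window
    (two-pointer sweep over the sorted list)."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def version_spam_score(meta: dict, window: timedelta = timedelta(hours=24),
                       burst_threshold: int = 50) -> tuple[bool, dict]:
    """Return (flagged, details). flagged is True when any window holds at
    least burst_threshold releases, i.e. far more than a human release cadence."""
    times = release_times(meta)
    burst = max_releases_in_window(times, window)
    span = times[-1] - times[0] if len(times) > 1 else timedelta(0)
    details = {
        "name": meta.get("info", {}).get("name"),
        "releases": len(times),
        "max_in_window": burst,
        "span_hours": round(span.total_seconds() / 3600, 1),
    }
    return burst >= burst_threshold, details


def build_sample(name: str, count: int, spacing: timedelta) -> dict:
    """Constructed metadata: `count` releases published `spacing` apart."""
    base = datetime(2026, 6, 1, tzinfo=timezone.utc)
    releases = {}
    for i in range(count):
        ver = f"0.0.{i}"
        ts = (base + i * spacing).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        releases[ver] = [{"filename": f"{name}-{ver}.tar.gz", "upload_time_iso_8601": ts}]
    return {"info": {"name": name}, "releases": releases}


# 300 releases ten minutes apart (~50 hours) vs. six releases two months apart.
SPAMMY = build_sample("sample-spammy", 300, timedelta(minutes=10))
BENIGN = build_sample("sample-benign", 6, timedelta(days=60))

if __name__ == "__main__":
    for meta in (SPAMMY, BENIGN):
        print(version_spam_score(meta))
```

Download counts are the wrong signal here, since the attackers manufactured them; release cadence is harder to fake without also leaving this trace. Expect false positives from projects that publish nightly or per-commit builds, so use the flag to gate a review (read the diff between the last benign version and the new one) rather than to block outright.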
Jun 11, 2026
A supply chain attack kit was distributed through a public repository; the same week also brought a $5,000-a-month RAT that clones browsers and research showing AI agents can be tricked into leaking real credentials.
organisation
Hacking News / Cybersecurity News
It's been one of those weeks.
financial
$5,000-a-month RAT
Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials.
2016 to 2023
Murray sold lists to Jamaican scammers, who used them to perpetrate lottery fraud on elderly American consumers.
target_region
Jamaica
"From 2016 to 2023, Murray sold these lists to Jamaican scammers, who perpetrated lottery fraud on elderly American consumers, earning Murray hundreds of thousands of dollars each year."
2026/06/11
Threat actors used AI-generated TikTok videos to direct users to sketchy sites that deployed Vidar Stealer malware.
organisation
TikTok
AI video lures spread malware
Two social engineering campaigns are using AI-generated TikTok videos and Instagram Reels to direct users to sketchy sites that deploy Vidar Stealer and other dubious programs.
Tactical Metrics
Metrics
victims
33,000
Unique Users
Since the beginning of April 2026, more than 33,000 unique users have been targeted, with the most affected countries including Brazil, India, Argentina, Mexico, Turkey, and Spain. (GoFlateLoader campaign; see "33,000 users targeted" above.)
Metrics
infrastructure
13
Internet Domains
13 domains seized
The U.S. Department of Justice has announced the seizure of 13 internet domains masquerading as consulting companies used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information.
Metrics
infrastructure
Windows
Affected Product
Another technique devised by Binary Defense involves disabling critical security services, such as Windows Defender and Sysmon, without triggering traditional malware alerts.
"EDRStartupHinder aims to exploit Windows Bindlink to redirect a DLL from System32 to another location, alongside taking advantage of the function that only loads DLLs signed by a program protected with Protected Process Light (PPL) to prevent AV/EDR services from starting," the researcher said.
It modifies Windows Access Control Lists (ACLs) to add "Deny" Access Control Entries (ACEs) against core system libraries like "kernel32.dll."
"From there, the attack escalates into a staged execution chain involving shellcode decoding, persistence setup, and process injection into legitimate Windows applications like charmap.exe."
"Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll), sharing identical C2 infrastructure and malleable C2 profiles with the router implant - confirming unified operational control."
"Although the vulnerability can be used to remotely trigger both an out-of-bounds (OOB) read and out-of-bounds write in the Windows kernel, the limitations on both primitives lead me to believe it's unlikely this bug could be weaponized into RCE," Hutchins said.
"While Claude Code Action supported environment scrubbing for subprocess execution paths such as Bash, the Read tool was not subject to the same sandboxing model," the Windows maker said.
Metrics
infrastructure
Macos
Affected Product
The macOS builds of the SStar Agent RAT are surveillance tools focused on recon and exfiltration (see "Cross-platform RAT emerges" above).
Metrics
infrastructure
Android
Affected Product
Fake banking updates
A new phishing campaign impersonating Italian and European banking brands is being used to distribute an Android malware called NFCShare.
Metrics
infrastructure
11,100,000
Devices
data_breach
3,300,000,000
Stolen Credentials
3.3B identity records exposed
A new analysis from Flashpoint has revealed that "more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets."
Metrics
infrastructure
Linux
Affected Product
"The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent command-and-control (C2) via DNS over HTTPS (DoH) while simultaneously weaponizing the router's iptables subsystem to hijack downstream DNS traffic at scale," a security researcher named Y4er said.
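The implant quoted above hijacks downstream DNS through iptables, so the matching check on a router is to read the NAT table and flag rules that rewrite port 53 traffic to anywhere other than the router itself. This is an added example, not code from the page or from the researcher quoted; the iptables-save dumps are constructed for the demo (the page does not publish the implant's real rules), and the "local" test only knows RFC 1918 and loopback ranges.

```python
"""Hunt for iptables NAT rules that hijack downstream DNS on a router.

Added example; not code from the page or from the researcher it quotes.
The iptables-save dumps below are constructed for this demo.
"""
import ipaddress
import shlex

DNS_PORTS = {"53", "853"}  # plain DNS and DNS over TLS
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed: DNS from the LAN bridge is DNAT'ed to an outside resolver.
HIJACK_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 198.51.100.7:53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 198.51.100.7:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed: the common benign case, LAN DNS forced to the router's own resolver.
LOCAL_DUMP = """\
*nat
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
"""


def is_local(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def parse_dump(dump: str):
    """Yield (table, tokens) for every '-A' rule, tracking the '*table' header."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)


def opt(tokens: list[str], flag: str, default=None):
    """Value following a flag such as '--dport' or '-j', or default."""
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return default


def find_dns_hijacks(dump: str) -> list[dict]:
    """NAT rules that DNAT/REDIRECT DNS ports. 'external' marks a destination
    outside RFC 1918/loopback space, the interesting case. IPv4 only."""
    findings = []
    for table, tok in parse_dump(dump):
        if table != "nat":
            continue
        target = opt(tok, "-j")
        if target not in ("DNAT", "REDIRECT"):
            continue
        ports = opt(tok, "--dport") or opt(tok, "--dports") or ""
        if not DNS_PORTS & set(ports.split(",")):
            continue
        dest = opt(tok, "--to-destination", "")
        host = dest.rsplit(":", 1)[0] if dest else ""
        findings.append({
            "chain": tok[1],
            "proto": opt(tok, "-p", "any"),
            "target": target,
            "to": dest or "local:" + (opt(tok, "--to-ports") or ""),
            "external": bool(dest) and not is_local(host),
            "rule": " ".join(tok),
        })
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if len(sys.argv) == 1 else open(sys.argv[1]).read()
    for f in find_dns_hijacks(text):
        print(f"[{'EXTERNAL' if f['external'] else 'local'}] {f['chain']} {f['proto']} -> {f['to']}: {f['rule']}")
```

On the router, `iptables-save | python3 dns_hijack_check.py` is enough; on devices that have moved to nftables, read `nft list ruleset` instead, since this parser only understands the iptables-save format. Two caveats follow from the quote itself: the implant's own C2 rides DNS over HTTPS, so port 53 inspection will not show the beacon, only the hijack of other hosts; and a clean NAT table does not clear the router, because router.elf can reinstall the rules at any time, so the ELF on the filesystem and the process list need checking as well.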
Metrics
infrastructure
4.4
Software Version
Cobalt Strike 4.4 (cracked Beacon delivered via DLL sideloading of version.dll; see the Windows entry above).
Metrics
vulnerability
7.5
CVSS Score
One-packet crash bug
Security researcher Marcus Hutchins has released details and a proof-of-concept (PoC) exploit for ComoDoS, an integer underflow vulnerability residing in Comodo Internet Security's firewall driver, Inspect.sys (CVE-2026-49494, CVSS score: 7.5).
Metrics
infrastructure
2.1.128
Software Version
Following responsible disclosure on April 29, 2026, the issue was fixed on May 5 with the release of Claude Code version 2.1.128.
Metrics
financial
862,000
$ Damage Case
$862K damage case
Maxwell Schultz, 36, of Columbus, Ohio, has been sentenced to 24 months in federal prison for hacking into his employer's network after his contract was terminated in May 2021. Impersonating another contractor, Schultz obtained login credentials, accessed the former employer's systems, and executed a malicious PowerShell script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses.
Metrics
financial
200,000
$ Job
Nimbus Manticore's fake headhunter offer of $200,000 per year (see "Fake $200K job lure" above).
Metrics
financial
5,000
$ Rat
Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials.
Metrics
infrastructure
50,000
Downloads
The "ambar-src" package reached more than 50,000 downloads in three days, a count inflated by hundreds of automated version uploads (see above).
Metrics
victims
100,000,000
Reported Users
Among the impacted packages is X-VPN, a consumer VPN with over 100 million reported users.
Intelligence Sources
The Hacker News
2026-06-11
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:06
Comprehensive Tactical Telemetry
Highly Correlated Entities
100x organisation (Identified Entity): RMM
25x timeline (Temporal Reference): late 2020
15x target region (Target Country): India
10x tactic (Cyber Operation Type): Phishing
8x attribution (Attributing Entity): the Five Eyes
5x malware (Malware Payload): VBShower
4x industry (Targeted Sector): Maritime
4x tactic (MITRE ATT&CK Technique): T1059.001 - PowerShell
4x infrastructure (Affected Product): Windows
3x target region (Target Region): FIVE_EYES
3x infrastructure (Software Version): 4.4
2x source region (Origin Country): China
2x source region (Origin Region): APAC
2x general metric (Bit): 32
Contextual Telemetry
Context Block (25 metrics)
victims (Unique Users): 33,000
general metric (March): 2026
infrastructure (Internet Domains): 13
malware (Offensive Tool): Cobalt Strike
infrastructure (Devices): 11,100,000
data breach (Stolen Credentials): 3,300,000,000
threat actor (APT Group): Contagious Interview
general metric (%): 47
general metric (Components): 304
general metric (Beacon): 4
vulnerability (Exploited CVE): CVE-2026-49494
general metric (Score): 8
general metric (Jun): 11
financial ($ Damage Case): 862,000
general metric (Passwords): 2,500
general metric (Bits): 8
general metric (Private Meta Repositories): 507
general metric (Seniors): 7,000,000
financial ($ Job): 200,000
general metric (New Stories): 28
financial ($ RAT): 5,000
general metric (Unique Infostealer Strains): 30
infrastructure (Downloads): 50,000
victims (Reported Users): 100,000,000
general metric (Environment): 85