A structured, multi-stage infection chain delivers the CrySome RAT via a logistics-themed spear-phishing lure. Initial access is achieved through a fake rate confirmation portal that drops a batch file, which chains UAC bypass (ICMLuaUtil COM interface), in-memory AMSI patching, and the open-source WinDefCtl utility to weaken Microsoft Defender before deploying the persistent RAT payload. CrySome RAT provides the operator with remote command execution, credential theft from Chromium browsers, HVNC, keylogging, and persistence via a scheduled task executing every 5 minutes.
Kaspersky's 2025 compromise assessment report reveals that organizations consistently fail to detect long-dwelling threats, with 30.8% of incidents persisting over 3 months and 52% of high-severity compromises going undetected for 90+ days. Key findings include widespread abuse of LoLBins and remote management tools in every incident-bearing engagement, 40% of web shells surviving in backups to be restored post-remediation, and a strong correlation between in-house forensics/reverse-engineering capability and reduced incident severity. Multiple case studies document dormant crypto-mining on domain controllers (4 years), in-memory LionTail implants on critical servers, PurpleFox rootkit infections evading EDR with disabled memory scanning, and ClipBanker persistence via registry Run keys with Defender exclusions.
Malicious Chrome and Firefox browser extensions masquerading as free VPN tools ('VPN Go: Free VPN') were distributed via official extension marketplaces and later updated to include clipboard-stealing functionality. The extensions monitor clipboard contents on a timer, chunk copied text into ~1000-character segments, and exfiltrate data via HTTP GET requests to hardcoded attacker-controlled IP addresses using a /html/continue.php endpoint with uid, part, total, and data query parameters. Both extensions share infrastructure, code patterns, and build artifacts, confirming a common threat actor. The staged update pattern—initial versions functioning as legitimate proxy tools with later versions adding clipboard theft—highlights the risk of extension update supply chain compromise.
The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise 22 npm package versions under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The malicious packages use a binding.gyp 'Phantom Gyp' trick to execute hidden root-level index.js payloads without preinstall/postinstall hooks, followed by AES-128-GCM decryption and multi-stage delivery under the Bun runtime. The final payload exfiltrates developer and CI/CD secrets via the GitHub API to attacker-controlled repositories, and the campaign likely propagated through a compromised codfish/semantic-release-action GitHub Action that enabled access to release automation credentials.
StealC is a C++ malware-as-a-service infostealer that harvests credentials, cookies, and session tokens from browsers, email clients, crypto wallets, and gaming platforms, using APC injection to bypass Chromium App-Bound Encryption. Amadey is a modular MaaS loader that delivers StealC and other payloads through a rich backdoor command set including process injection, SOCKS proxying, RDP enablement, and hidden admin account creation. Microsoft DCU disrupted over 200 C2 domains and IPs associated with both threats in a coordinated action with Europol on June 24, 2026.
OpenClaw, a widely adopted AI agent ecosystem with a skill marketplace called ClawHub, is being actively abused by attackers who publish malicious skills containing embedded shell commands or harmful natural-language instructions. Approximately 530 vulnerabilities have been discovered in OpenClaw and its underlying technologies, many involving sensitive data storage and excessive privileges. Kaspersky identified over 600 malicious skills from 24 accounts in April, with 1,100+ malicious accounts created since January. Malicious skills observed include macOS payloads using base64-encoded curl-pipe-to-bash execution and Windows MSI installers distributed via password-protected ZIP archives.
A large-scale campaign abuses the legitimate ScreenConnect remote management tool, distributed via 90+ spoofed freeware download sites using SEO poisoning, to silently deploy AsyncRAT. The attack uses DLL sideloading via a Microsoft-signed install.exe binary, followed by a multi-stage loader chain involving PowerShell and VBScript scripts that disable Defender, bypass UAC, and ultimately inject AsyncRAT into RegAsm.exe via process hollowing. The campaign targets both consumers and corporate networks across multiple languages and regions.
This threat intelligence report highlights recent data breaches involving third-party vendors, emerging AI threat vectors such as prompt injection and WebSocket abuse, and active exploitation of critical vulnerabilities in Fortinet, Cisco, and Splunk products. Additionally, seasonal phishing campaigns targeting travelers and Amazon Prime members are surging alongside a cross-platform Rust-based crypto clipboard hijacker.
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
The ThreatLabz 2026 Phishing and Initial Access Report highlights a shift towards highly targeted, AI-enabled phishing campaigns against the public sector. Despite a 20% overall drop in phishing volume, attackers are increasingly utilizing AI site builders, encrypted delivery channels, and AiTM/BiTM techniques to bypass traditional MFA and secure initial access.
A critical vulnerability in the Google Cloud Vertex AI SDK for Python allows attackers to achieve cross-tenant Remote Code Execution (RCE) via bucket squatting. By predicting default staging bucket names and exploiting a lack of ownership verification, attackers can intercept model uploads and inject malicious pickle payloads, leading to the theft of highly privileged service account tokens.
Varonis Threat Labs demonstrated that enterprise AI agents, specifically an OpenClaw deployment, are vulnerable to traditional phishing and social engineering techniques. In simulated attacks, the agent successfully identified technical phishing indicators like malicious OAuth flows but failed to recognize social context, resulting in the exfiltration of AWS credentials and sensitive CRM data to an external attacker.
Threat actors are proactively targeting the 2026 FIFA World Cup ecosystem, employing mobile-first malware, QR-code phishing against event organizers, and real-time AiTM phishing kits to bypass MFA. The campaigns leverage AI-generated infrastructure and urgency-based lures to distribute Android cryptominers, Windows infostealers, and compromise corporate Google Workspace accounts.
A fast-moving supply chain campaign dubbed Mini Shai-Hulud/Miasma is targeting Python developers via malicious PyPI wheels. The threat actors are utilizing novel execution techniques, including trojanized native extensions and split-loader .pth hooks that search sys.path for payloads, to deploy the Hades stealer and harvest credentials from CI/CD pipelines and developer workstations.
Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
Threat actors are increasingly leveraging the hype around AI platforms like ChatGPT, Claude, and DeepSeek to conduct social engineering attacks. These campaigns utilize phishing, malvertising, and SEO poisoning to distribute infostealers such as Vidar or facilitate credential theft via adversary-in-the-middle (AiTM) infrastructure.
This threat intelligence report highlights active exploitation of critical vulnerabilities, including a Windows Netlogon RCE (CVE-2026-41089) and an Android Framework flaw. It also details significant data breaches affecting DentaQuest and the UN WFP, emerging AI-driven threats such as EDR evasion labs, a supply chain compromise of the Hola browser, and Iranian state-sponsored espionage operations utilizing Dutch hosting infrastructure.
A highly coordinated supply chain attack compromised 56 npm packages across 286 versions by abusing the binding.gyp native build configuration to silently execute malicious code during installation. The multi-stage, heavily encrypted payload targets CI/CD environments to harvest cloud credentials, propagates via stolen OIDC tokens, and establishes persistence with a destructive dead man's switch.
ANY.RUN's Q1 2026 Cyber Risk Report highlights a significant acceleration in attacker operational tempo, with the median time-to-persistence dropping to 21 seconds and LOTL execution occurring in 16 seconds. The data also shows a marked increase in loader-based attacks, credential theft, and the weaponization of trusted tools via JavaScript LOLBAS techniques, emphasizing the critical need for rapid, behavior-based detection capabilities.
This threat intelligence bulletin highlights a surge in data breaches driven by social engineering, alongside the increasing weaponization of AI tools for phishing, malware development, and supply chain attacks. Active exploitation of vulnerabilities in PAN-OS GlobalProtect and Ghost CMS has been observed, while a critical unpatched RCE in Gogs remains a significant risk. Additionally, targeted campaigns like Grandoreiro and JINX-0164 continue to threaten the financial and cryptocurrency sectors using platform-specific malware and DLL side-loading.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
Threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, to deploy a novel credential stealer named EKZ Infostealer to managed endpoints. The attackers abused legitimate VPN scripting workflows to execute malicious PowerShell commands that downloaded the stealer, which subsequently harvested browser credentials and exfiltrated them to a threat-actor-controlled server.
In May 2026, ANY.RUN observed a surge in sophisticated phishing and malware campaigns utilizing fileless execution, browser-based credential theft, and legitimate workflow abuse. Key threats included Agent Tesla credential harvesting, ClickFix fileless malware, BlobPhish in-memory page generation, and phishing-to-RMM chains bypassing traditional MFA via real-time OTP interception.
This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
Chinese-language Phishing-as-a-Service (PhaaS) platforms are evolving to utilize real-time interception and AI-driven automation to bypass MFA and tokenize stolen payment data into digital wallets. Threat actors leverage encrypted messaging protocols like RCS and iMessage for delivery, while platforms like YY Lai Yu provide highly localized, dynamic phishing infrastructure to target global consumers.
Russian threat actor UTA0355 is conducting targeted phishing campaigns against foreign policy and government professionals by spoofing European security conferences. The attackers use rapport-building techniques and out-of-band messaging to trick victims into authorizing malicious Microsoft 365 OAuth applications and Device Code workflows, granting unauthorized access to their accounts.
Modern social engineering attacks have evolved to closely mimic legitimate business workflows, utilizing techniques like ClickFix, OAuth device code abuse, and in-browser blob phishing. These tactics bypass traditional security controls and create "gray-zone" alerts that require deep behavioral analysis to determine the true scope of compromise, such as credential theft, token abuse, or RMM deployment.
In response to the ongoing Mini Shai-Hulud supply chain campaign, npm has invalidated all granular access tokens that bypass two-factor authentication. The threat actors have been harvesting credentials from CI/CD environments to automate the publishing of malicious package versions, successfully bypassing existing controls like OIDC Trusted Publishing. To provide a more robust defense, npm has introduced an opt-in Staged Publishing feature that requires interactive MFA approval for automated releases.
The China-aligned APT group Webworm has updated its toolset in 2025, shifting focus to European and South African targets. The group deployed two new custom backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API respectively for command and control. Additionally, Webworm utilizes a complex network of custom proxy tools and compromised infrastructure, including GitHub and Amazon S3, to stage payloads and exfiltrate data.
A large-scale npm supply chain attack compromised hundreds of packages, notably within the @antv ecosystem, using a malware variant known as Mini Shai-Hulud. The malware executes upon installation to harvest sensitive developer and CI/CD secrets, exfiltrating them to a hardcoded C2 server or via a GitHub repository fallback, and leverages stolen npm tokens to propagate itself to other packages.
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2.
SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.
TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.
A supply chain attack utilizing five malicious NuGet packages typosquatting Chinese .NET libraries has been discovered distributing a cross-platform infostealer. The malware leverages .NET Reactor and JIT hooking via module initializers to execute automatically upon assembly load, targeting credentials and cryptocurrency wallets across developer workstations and CI/CD pipelines.
A large-scale phishing campaign is targeting U.S. organizations across multiple sectors using fake event invitations. The campaign employs a repeatable infrastructure to bypass initial defenses via CAPTCHA, subsequently leading to either credential and OTP interception or the deployment of legitimate Remote Monitoring and Management (RMM) tools for persistent access.
A large-scale Adversary-in-the-Middle (AiTM) phishing campaign targeted over 35,000 users using sophisticated 'code of conduct' lures. The attack chain leveraged legitimate email services, PDF attachments, and multiple CAPTCHA gates to evade detection, ultimately proxying Microsoft 365 authentication sessions to steal tokens and bypass standard MFA.
A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence.
The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines.
The popular PyPI package 'lightning' was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3. The malicious package executes an obfuscated JavaScript payload via the Bun runtime to harvest cloud and developer credentials, poison GitHub repositories by impersonating Anthropic's Claude Code, and infect local npm packages.
A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.
A supply-chain attack was identified involving the unscoped npm package 'tanstack', which brand-squats the legitimate '@tanstack/*' organization. Versions 2.0.4 through 2.0.7 contain malicious postinstall scripts designed to silently exfiltrate environment variables and markdown files to an attacker-controlled Svix endpoint.
SHADOW-EARTH-053 is a China-aligned cyberespionage campaign exploiting legacy N-day vulnerabilities in Microsoft Exchange and IIS servers to target government and defense sectors primarily in Asia. The threat actors utilize GODZILLA web shells for persistence and deploy ShadowPad implants via DLL sideloading, sharing significant operational overlaps with another intrusion set tracked as SHADOW-EARTH-054.
The 'mini Shai-Hulud' campaign is a software supply chain attack involving compromised npm packages associated with SAP's Cloud Application Programming Model (CAP). The malicious packages execute upon installation or runtime to harvest sensitive credentials, encrypt the stolen data, and exfiltrate it via public GitHub repositories. Package maintainers have released patched versions to mitigate the threat.
Arctic Wolf Labs identified a highly targeted campaign by the DPRK-nexus threat actor BlueNoroff against the Web3 sector. The attackers utilize sophisticated social engineering, including AI-generated deepfakes and stolen webcam footage, to lure victims into fake Zoom or Teams meetings. Once engaged, a ClickFix clipboard injection attack deploys a fileless PowerShell C2 implant, leading to the theft of cryptocurrency wallets, browser credentials, and Telegram sessions.
A Huntress engineer encountered a malvertising campaign via a Google sponsored search result for 'Claude Code'. The malicious link delivered a multi-stage macOS malware utilizing base64 encoding, gzip compression, and obfuscated AppleScript to bypass Gatekeeper and attempt extraction of Claude Code credentials from the macOS keychain.