<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Infostealer — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/infostealer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 13:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/infostealer/feed.xml" rel="self" type="application/rss+xml"/><item><title>ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer</title><link>https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/</link><pubDate>Thu, 30 Apr 2026 13:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/</guid><description>The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.</description><content:encoded><![CDATA[<p>The BackgroundFix campaign is a social engineering scheme using fake &ldquo;remove your photo background&rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. 
CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Victim searches for an online background removal tool and lands on a malicious BackgroundFix site.</li>
<li>The victim uploads an image to the fake website.</li>
<li>After clicking a checkbox, the site instructs the victim to copy a command to their clipboard.</li>
<li>The copied command executes <code>finger.exe</code> to query <code>cheeshomireciple[.]com</code>.</li>
<li><code>finger.exe</code> retrieves a batch script from the C2 server.</li>
<li>The batch script executes commands to download and execute further payloads.</li>
<li>CastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.</li>
<li>NetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for the execution of <code>finger.exe</code> with command-line arguments pointing to external domains (IOC: <code>cheeshomireciple[.]com</code>).</li>
<li>Deploy the Sigma rule to detect the execution of <code>finger.exe</code> to identify potential initial access attempts.</li>
<li>Block the C2 domain <code>cheeshomireciple[.]com</code> at the DNS resolver to prevent initial payload delivery.</li>
<li>Monitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: <code>poronto[.]com:688</code>, <code>giovettiadv[.]com:688</code>).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>clickfix</category><category>malware</category><category>social-engineering</category><category>rat</category><category>infostealer</category><category>castleloader</category><category>netsupport</category></item><item><title>TeamPCP Supply Chain Attack via CI/CD Compromise</title><link>https://feed.craftedsignal.io/briefs/2026-03-teampcp-supply-chain/</link><pubDate>Thu, 26 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-teampcp-supply-chain/</guid><description>TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.</description><content:encoded><![CDATA[<p>TeamPCP is conducting a supply chain attack targeting multiple companies through the compromise of their CI/CD pipelines and GitHub accounts. The attack involves an infostealer designed to harvest sensitive information such as credentials from CI environments, contents of .env files, and cloud tokens. The compromised credentials allowed the attackers to gain unauthorized access and potentially inject malicious code into the software development lifecycle. The attack has impacted projects including Trivy, KICS, and LiteLLM, suggesting a broad targeting scope within the software development and cloud security sectors. This type of attack poses a significant risk to the integrity and security of the software supply chain, as compromised code can be distributed to numerous downstream users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of a developer&rsquo;s machine or CI/CD environment via an unspecified initial access vector.</li>
<li>Deployment of an infostealer binary onto the compromised system.</li>
<li>The infostealer scans the local file system for .env files containing sensitive credentials.</li>
<li>The infostealer targets CI/CD environment variables to extract API keys, tokens, and other secrets.</li>
<li>The infostealer searches for cloud tokens, potentially targeting AWS credentials, Azure service principals, or GCP service account keys.</li>
<li>Extracted credentials are used to gain unauthorized access to GitHub accounts and CI/CD pipelines.</li>
<li>Attackers inject malicious code or dependencies into the targeted projects, potentially leading to supply chain contamination.</li>
<li>Compromised code is distributed to downstream users of Trivy, KICS, LiteLLM, and other impacted projects.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The TeamPCP supply chain attack has impacted multiple companies and projects, including Trivy, KICS, and LiteLLM. The compromise of CI/CD pipelines and GitHub accounts allows attackers to inject malicious code into software projects, potentially affecting thousands of users. This can lead to data breaches, malware infections, and erosion of trust in the affected software. The exact number of victims is unknown, but the impact is significant due to the widespread use of the compromised projects in the cloud security and development sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement multi-factor authentication (MFA) on all GitHub accounts and CI/CD pipelines to prevent unauthorized access.</li>
<li>Rotate API keys and tokens regularly, especially those used in CI/CD environments, to minimize the impact of credential theft.</li>
<li>Implement secrets scanning in CI/CD pipelines to prevent accidental exposure of sensitive information in code repositories.</li>
<li>Deploy the Sigma rule &ldquo;Detect Infostealer Activity in CI/CD Environments&rdquo; to identify suspicious processes accessing environment variables.</li>
<li>Monitor file system access for unusual reads of .env files, using the &ldquo;Detect .env File Access&rdquo; Sigma rule.</li>
<li>Implement network monitoring to detect anomalous connections originating from CI/CD servers or developer workstations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>supply-chain</category><category>ci/cd</category><category>infostealer</category></item><item><title>SnappyClient Malware Delivered via HijackLoader</title><link>https://feed.craftedsignal.io/briefs/2024-01-08-snappyclient/</link><pubDate>Fri, 20 Mar 2026 05:19:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-08-snappyclient/</guid><description>SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.</description><content:encoded><![CDATA[<p>SnappyClient is a sophisticated malware delivered via HijackLoader, a known malware distribution platform. The malware exhibits a wide array of capabilities, indicative of its intent to compromise systems and exfiltrate sensitive data. These capabilities include screenshot capture, keylogging, establishing a remote terminal for interactive command execution, and targeted data theft from web browsers, browser extensions, and other applications. The combination of these functions points towards a threat actor focused on credential harvesting, data collection, and maintaining persistent access through remote command and control. Defenders should prioritize detection and prevention measures to mitigate the risk of SnappyClient infections. The initial report of this activity was published in March 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: HijackLoader infects the system (delivery mechanism unspecified).</li>
<li>Persistence: HijackLoader establishes persistence to ensure SnappyClient is executed upon system reboot.</li>
<li>Malware Deployment: HijackLoader deploys and executes the SnappyClient malware.</li>
<li>Screenshot Capture: SnappyClient begins capturing screenshots of the user&rsquo;s desktop activity using built-in OS functions.</li>
<li>Keylogging: SnappyClient logs keystrokes to capture sensitive information such as usernames, passwords, and financial details.</li>
<li>Browser Data Theft: SnappyClient targets web browsers and their extensions to steal cookies, saved credentials, and browsing history.</li>
<li>Remote Terminal: SnappyClient establishes a remote terminal, granting the attacker interactive command execution capabilities.</li>
<li>Data Exfiltration: Stolen data is exfiltrated to a command and control server controlled by the attacker.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful SnappyClient infections can result in significant data breaches, including the compromise of sensitive credentials, financial information, and personal data. The remote terminal functionality allows attackers to perform arbitrary actions on compromised systems, potentially leading to further damage or lateral movement within the network. While the number of victims and specific sectors targeted are unknown, the malware&rsquo;s capabilities make it a high-risk threat to organizations of all sizes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process-creation logging to enhance visibility into HijackLoader and SnappyClient execution (logsource: process_creation).</li>
<li>Implement network monitoring to detect and block connections to known HijackLoader command and control infrastructure.</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect SnappyClient activity and tune for your environment.</li>
<li>Monitor registry modifications for persistence mechanisms used by HijackLoader to launch SnappyClient (logsource: registry_set).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>snappyclient</category><category>hijackloader</category><category>malware</category><category>infostealer</category><category>keylogger</category></item><item><title>DarkSword iOS Exploit Used in Infostealer Attack</title><link>https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/</link><pubDate>Thu, 19 Mar 2026 19:08:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/</guid><description>A new exploit dubbed 'DarkSword' is being actively exploited in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.</description><content:encoded><![CDATA[<p>A new iOS exploit named &ldquo;DarkSword&rdquo; has been identified as being actively used in infostealer attacks against iPhones. While the specific details of the exploit remain limited in the provided source, its use signifies a significant threat to iOS users. The attackers are leveraging this exploit to potentially bypass security measures and gain unauthorized access to sensitive information stored on targeted devices. The lack of specific details regarding the exploit&rsquo;s technical aspects and targeted iOS versions makes it challenging to implement precise detection and mitigation strategies. However, the active exploitation necessitates immediate attention and proactive measures to safeguard iOS devices from potential compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attack begins with an unknown initial access vector, potentially involving malicious links or app sideloading techniques, leading to the execution of the DarkSword exploit.</li>
<li><strong>Exploit Execution:</strong> The DarkSword exploit is executed on the targeted iPhone, leveraging an unspecified vulnerability within the iOS operating system.</li>
<li><strong>Privilege Escalation:</strong> Successful exploitation leads to privilege escalation, granting the attacker elevated permissions on the compromised device.</li>
<li><strong>Infostealer Installation:</strong> The attacker leverages the escalated privileges to install an infostealer payload onto the device.</li>
<li><strong>Data Collection:</strong> The infostealer malware collects sensitive data, including contacts, messages, photos, and potentially credentials stored on the iPhone.</li>
<li><strong>Data Staging:</strong> The collected data is staged for exfiltration, potentially compressed and encrypted to evade detection.</li>
<li><strong>Command and Control (C2) Communication:</strong> The malware establishes a connection with a remote C2 server to receive further instructions and prepare for data exfiltration.</li>
<li><strong>Data Exfiltration:</strong> The stolen data is exfiltrated from the compromised iPhone to the attacker&rsquo;s C2 server via an encrypted channel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of the DarkSword exploit and deployment of the infostealer can lead to severe consequences for iPhone users. Stolen data can be used for identity theft, financial fraud, or other malicious purposes. The potential compromise of sensitive information stored on iPhones makes this a high-priority threat, impacting potentially a large number of users depending on the scope of the campaign.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual outbound connections from iOS devices, which may indicate C2 communication (log source: network_connection).</li>
<li>Implement a Mobile Threat Defense (MTD) solution capable of detecting and blocking exploit attempts and malicious app installations on iOS devices.</li>
<li>Encourage users to avoid sideloading apps from untrusted sources, as this increases the risk of installing malware (awareness training).</li>
<li>Deploy the Sigma rule to detect suspicious process execution patterns indicative of exploit activity (Sigma rule below).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ios</category><category>exploit</category><category>infostealer</category><category>darksword</category></item><item><title>EmEditor Supply Chain Compromise Delivering Infostealer</title><link>https://feed.craftedsignal.io/briefs/2026-03-emeditor-supply-chain/</link><pubDate>Thu, 19 Mar 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-emeditor-supply-chain/</guid><description>A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.</description><content:encoded><![CDATA[<p>A supply chain compromise involving the EmEditor text editor led to the distribution of a trojanized installer. Attackers replaced the legitimate EmEditor installer with a malicious version containing an infostealer. This compromised installer was then distributed through trusted or official channels, deceiving users into installing the malware. This incident underscores the importance of verifying software integrity, even when obtained from seemingly reputable sources, and highlights the potential for significant damage when software supply chains are targeted. The goal is to steal sensitive information from victim machines. Defenders should focus on detecting anomalous process execution and network activity following software installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises the EmEditor software supply chain.</li>
<li>A malicious EmEditor installer is created, embedding an infostealer payload.</li>
<li>The trojanized installer is distributed through trusted or official EmEditor distribution channels.</li>
<li>Unsuspecting users download and execute the malicious installer on their Windows systems.</li>
<li>The installer executes the infostealer payload in the background.</li>
<li>The infostealer collects sensitive information such as credentials, browser data, and other valuable data.</li>
<li>The stolen data is exfiltrated to a command-and-control server controlled by the attacker.</li>
<li>The attacker uses the stolen information for further malicious activities, such as account compromise or data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The EmEditor supply chain compromise resulted in the distribution of an infostealer to an unknown number of users. Victims who downloaded and installed the trojanized EmEditor installer had their sensitive information stolen, potentially leading to financial loss, identity theft, and further compromise of their systems and accounts. The software supply chain compromise can erode trust in legitimate software vendors and distribution channels.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement robust software integrity verification mechanisms, such as checking digital signatures and file hashes, before installing any software (reference: overview).</li>
<li>Monitor for unusual process execution and network connections after software installations to detect potential post-compromise activity (reference: attack chain).</li>
<li>Deploy the Sigma rules provided below to detect potential infostealer activity and malicious installer execution (reference: rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>infostealer</category><category>windows</category></item></channel></rss>