Tag
Threat Actors Abuse Microsoft ClickOnce Technology for Malware Distribution
3 rules 3 TTPs
Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.
Lazarus Group's Brandjacking Campaign on npm Delivers Persistent Node.js Backdoor
3 rules 5 TTPs 1 IOC
The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.
Atomic Arch Campaign Leverages Orphaned AUR Packages for Linux Payload Deployment
3 rules 14 TTPs 6 IOCs
The Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile,' which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.
Kimsuky APT Domains and URLs from Maltrail Feed
2 rules 2 TTPs 50 IOCs
This brief summarizes newly published IOCs consisting of domains and URLs associated with the Kimsuky APT group as of June 2nd, 2026, sourced from a Maltrail feed.
Maltrail IOC List Analysis - June 1, 2026
2 rules 1 TTP 50 IOCs
This brief analyzes a Maltrail IOC list from June 1, 2026, identifying domains and IP addresses associated with various malware and threat actors, including android_fvncbot, lummac2, magentocore, sectoprat, apt_lazarus, offloader, android_joker, cyberstrikeai, and nightshadec2, potentially used for command and control, malware distribution, or phishing campaigns.
GreyVibe Targets Ukraine with AI-Generated Lures and Custom Malware
2 rules 8 TTPs
The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.
BTMOB Android RAT: MaaS Platform Targeting Android Devices
2 rules 6 TTPs 58 IOCs
BTMOB is a Malware-as-a-Service (MaaS) Android RAT, first observed in February 2025, that uses phishing lures and the abuse of Android Accessibility Services to gain control of devices for data exfiltration, screen capture, and remote access.
ClearFake, ACR Stealer, and GraphRunner Emerge as Significant Threats
2 rules 4 TTPs 2 IOCs
The Red Canary Intelligence Insights report for May 2026 highlights the rise of ClearFake, ACR Stealer, and GraphRunner, with ClearFake using JavaScript injection to deliver malware like ACR Stealer, and GraphRunner being abused for reconnaissance and data exfiltration via the Microsoft Graph API.
BadIIS Malware-as-a-Service Ecosystem Targeting IIS Servers
2 rules 1 TTP 6 IOCs
A commodity BadIIS malware variant is fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups, allowing them to execute malicious SEO fraud, hijack server content, and redirect traffic to illicit sites.
SHub macOS Infostealer Variant 'Reaper' Spoofing Apple Security Updates
3 rules 5 TTPs 3 IOCs
A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.
Malicious Dropper Found in mistralai PyPI Package 2.4.6
2 rules 1 TTP 3 IOCs
The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux, downloading and executing a second-stage payload from a remote IP address, potentially leading to arbitrary code execution.
Q1 2026 Mobile Threat Landscape: SparkCat and Triada Updates
2 rules 1 TTP
The Q1 2026 mobile threat landscape saw a decrease in overall attack volume driven by reduced adware and RiskTool detections, while the number of unique users targeted remained stable, with new SparkCat variants on app stores and increased banking Trojan and Triada backdoor activity.
PureLogs Infostealer Delivered via PawsRunner Steganography
2 rules 1 TTP
A steganography-based malware campaign uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods.
Kimsuky Targets Organizations with Evolving PebbleDash-Based Tools
2 rules 4 TTPs 5 IOCs
Kimsuky, a North Korean APT group, is actively targeting organizations, primarily in South Korea, with evolving tactics and tools, leveraging spear-phishing emails and messenger contacts to deploy malware such as PebbleDash and AppleSeed for establishing backdoors and stealing information.
Mini Shai-Hulud Campaign Compromises npm Packages
3 rules 6 TTPs 8 IOCs
The Mini Shai-Hulud supply chain campaign, attributed to TeamPCP, has compromised several npm packages, including those within the @tanstack, @uipath, and @mistralai namespaces, leading to credential theft and potential further compromise.
Supply Chain Attacks Target Checkmarx and Bitwarden Developer Tools
2 rules 4 TTPs 1 IOC
On April 22, 2026, Checkmarx and Bitwarden suffered supply chain attacks where malicious versions of their developer tools were distributed through official channels, attempting to harvest sensitive information such as GitHub and npm tokens and exfiltrating data to audit.checkmarx[.]cx.
JDownloader Website Compromised to Serve Malicious Installers
2 rules 3 TTPs
JDownloader's website was compromised on May 6-7, 2026, with download links repointed to malicious installers deploying a Remote Access Trojan on Windows and harmful shell commands on Linux. Users who installed from affected links should treat the system as fully compromised and perform a clean OS reinstall.
Malicious Hugging Face Repository Distributes Information Stealer
2 rules 21 TTPs 1 IOC
A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.
TCLBanker Banking Trojan Self-Spreads via WhatsApp and Outlook
2 rules 8 TTPs
TCLBanker is a banking trojan targeting 59 financial platforms, spreading via trojanized Logitech AI Prompt Builder installers and worm modules for WhatsApp and Outlook, enabling remote control and data theft.
OSX.Dummy Malware Targeting Cryptocurrency Community
2 rules
OSX.Dummy is a new macOS malware targeting the cryptocurrency community, as reported by Objective-See.
CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs
2 rules 1 TTP
A new version of the CloudZ RAT utilizes the Pheno plugin to hijack Microsoft Phone Link connections, enabling the theft of SMS messages and one-time passwords (OTPs) from victims' mobile devices.
ScarCruft (APT37) Deploying BirdCall Android Backdoor via Compromised Game Platform
2 rules 5 TTPs 1 IOC
The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.
Malicious mysten-metrics Crate Exfiltrates Build Machine Data
2 rules 1 TTP
The `mysten-metrics` crate was removed from crates.io after it was found to contain a malicious build script that attempted to exfiltrate data from the build machine during the build process.
Malicious sui-execution-cut Crate Exfiltrates Build Machine Data
2 rules 1 TTP
The `sui-execution-cut` crate on crates.io contained a build script designed to exfiltrate data from the build machine during the build process.
Suspicious Windows PowerShell Arguments Detected
3 rules 4 TTPs
This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.
Malware Distribution via Hugging Face and ClawHub
2 rules 1 TTP
Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.
ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer
2 rules 3 TTPs 1 IOC
The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.
UNC6692 Combines Social Engineering, Malware, and Cloud Abuse
2 rules 12 TTPs
UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.
CanisterSprawl: Self-Propagating npm Malware Campaign
2 rules 6 TTPs
The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.
Suspicious Processes Connecting to Large Language Model Endpoints
3 rules 1 TTP
This rule detects DNS queries to known Large Language Model (LLM) domains by unsigned binaries or common Windows scripting utilities, indicating potential command and control activity leveraging LLMs for dynamic actions on compromised systems.
Notepad++ Updater (gup.exe) Creates Uncommon Files
2 rules 3 TTPs
The Notepad++ updater (gup.exe) creating files in suspicious locations can indicate potential exploitation for malware delivery or unwarranted file placement, potentially leading to credential access and collection.
Dragon Boss Solutions Adware Disabling Antivirus Protections
2 rules 2 TTPs 2 IOCs
Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across education, utilities, government, and healthcare sectors.
n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting
2 rules 6 TTPs 2 IOCs
Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.
OpenClaw Agent Suspicious Child Process Execution
2 rules 10 TTPs 3 IOCs
Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.
Malicious NPM Packages Target Strapi Users
3 rules 6 TTPs
A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.
Malicious LiteLLM Versions Harvest Credentials
2 rules 2 TTPs
Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.
TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise
2 rules 3 TTPs
TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.
GhostLoader Malware Targeting macOS via GitHub and AI Workflows
2 rules 1 TTP
GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.
Speagle Malware Hijacks Cobra DocGuard for Data Exfiltration
2 rules 1 TTP
The Speagle malware hijacks the Cobra DocGuard application to exfiltrate sensitive data from infected machines to attacker-controlled Cobra DocGuard servers, effectively masking malicious traffic as legitimate DocGuard communication.
SnappyClient Malware Delivered via HijackLoader
2 rules 3 TTPs
SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.
StoatWaffle Malware Used by WaterPlum Actor
2 rules 1 TTP
StoatWaffle is malware employed by the WaterPlum threat actor, used for an unknown purpose.
GlassWorm Campaign Deploying Wave 3 Windows Payload
2 rules 2 TTPs
The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.
Malware Spreading Through Fake 'Claude Code' Google Ads
2 rules 1 TTP
Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.
Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories
3 rules 4 TTPs 1 IOC
The Glassworm malware utilizes invisible Unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.
GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysis
2 rules 2 TTPs
Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.
Maltrail IOCs Report: Tracking Multiple Threat Actors
3 rules 5 TTPs 27 IOCs
This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.
Suspicious Windows Command Shell Arguments Detection
3 rules 2 TTPs
This rule identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, often observed during malware installation.
Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS
2 rules 5 TTPs 1 IOC
A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.
OSX/CreativeUpdater Cryptominer Distributed via MacUpdate
3 rules 2 TTPs 7 IOCs
OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website, using a trojanized application bundle to execute a script that downloads and installs a persistent Monero miner using launch agents.
Potential Malicious PowerShell Based on Alert Correlation
2 rules 1 TTP
This rule identifies PowerShell script blocks linked to multiple distinct PowerShell detections via the same ScriptBlock ID, indicating compound suspicious behavior associated with chained obfuscation, decoding, and execution within a single script block.
Mac Malware Analysis of 2016: KeRanger, Keydnap, and Eleanor
2 rules 1 TTP
Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.
Execution of File Written or Modified by Microsoft Office
3 rules 3 TTPs
This rule detects the creation and execution of executable files by Microsoft Office applications, which is often associated with malicious documents containing scripts or exploitation of Microsoft Office vulnerabilities, leading to the execution of arbitrary code.
Suspicious PowerShell Script Using Cryptography Namespace
2 rules 1 TTP
The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.
Mac Malware of 2019 Report
2 rules 3 TTPs 2 IOCs
The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.
Comprehensive Analysis of Mac Malware in 2017
3 rules 6 TTPs
A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.
Mac Malware of 2018 Retrospective
3 rules 1 TTP 4 IOCs
This brief analyzes Mac malware discovered in 2018, including OSX.Mami, a DNS hijacker distributed via browser popups, and CrossRAT, a cross-platform Java-based backdoor likely spread through phishing, highlighting infection vectors, persistence mechanisms, and capabilities.
Non-Firefox Process Accessing Firefox Profile Directory
2 rules 1 TTP
This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.
Windows Time-Based Evasion via Choice Exec
2 rules 1 TTP
Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.
Suspicious Child Processes Spawned by WScript or CScript
2 rules 3 TTPs
Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.
Lazarus Group Macloader Malware Analysis and Repurposing
2 rules 2 TTPs 1 IOC
The Lazarus group's macloader malware (OSX.AppleJeus.C) uses a launch daemon for persistence and executes downloaded payloads directly from memory, communicating with a C2 server to retrieve second-stage payloads, posing a significant threat due to its fileless execution and potential for repurposing.
Generic Ransomware Detection on macOS
2 rules 1 TTP
This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.
Suspicious Script Interpreter Execution from Environment Variable Folders
2 rules 1 TTP
Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.
OSX.NetWire.A Backdoor Dropped via Firefox 0-day
3 rules 2 TTPs 4 IOCs
A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.
Windows Defender Exclusion Registry Modification
2 rules 1 TTP
Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.
Outlook Dialogs Disabled by Unusual Process
2 rules 1 TTP
The detection identifies the modification of the Windows Registry key 'PONT_STRING' under Outlook Options by a process other than Outlook.exe, potentially indicating malware activity such as NotDoor.
MpCmdRun Execution with RemoveDefinitions Argument
2 rules
The execution of MpCmdRun.exe with the '-RemoveDefinitions' argument, used to remove definitions from the Windows Malware Protection Engine, can indicate potential malware activity or attempts to bypass security measures.
Cobalt Strike PowerShell Loader Detection
2 rules 2 TTPs
This brief details a detection for a PowerShell loader pattern commonly used with Cobalt Strike to decompress and execute payloads, often observed in scripted web delivery attacks.
Linux Stdout Redirection to /dev/null Indicates Potential Malware Activity
2 rules
The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.
Detection of Taskkill Command to Terminate Browser Processes
2 rules
This analytic detects the use of the taskkill command to terminate known browser processes, a technique employed by malware such as Braodo stealer to steal credentials by forcefully closing browsers like Chrome, Edge, and Firefox to unlock files containing sensitive information.
Braodo Stealer Screen Capture in TEMP Directory
2 rules 1 TTP
This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.
Masquerading Business Application Installers
2 rules 4 TTPs
Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.
Suspicious MS Outlook Child Process
2 rules 3 TTPs
Detection of suspicious child processes spawned by Microsoft Outlook, indicative of spear phishing and malicious file execution leading to potential initial access and further exploitation.
OSX/MaMi DNS Hijacking Malware
2 rules 4 TTPs 6 IOCs
OSX/MaMi is a macOS malware that hijacks DNS settings and installs a malicious certificate into the system keychain to intercept network traffic, while also possessing capabilities for taking screenshots, simulating mouse events, persisting as a launch item, downloading and uploading files, and executing commands.
HackingTeam RCS Implant Installer Analysis
2 rules 1 TTP 3 IOCs
An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.