{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/malware/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mysten-metrics"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rust"],"_cs_type":"advisory","_cs_vendors":["MystenLabs"],"content_html":"\u003cp\u003eOn April 20, 2026, a malicious crate named \u003ccode\u003emysten-metrics\u003c/code\u003e was published to crates.io. This crate contained a build script designed to exfiltrate data from the machine during the build process. The crate was identified and removed from crates.io. At the time of removal, only one version of the crate had been published, and there was no evidence of actual usage. The crate had no dependencies on crates.io, limiting the potential spread. This incident highlights the risks associated with supply chain attacks targeting software build processes and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker publishes the \u003ccode\u003emysten-metrics\u003c/code\u003e crate to crates.io.\u003c/li\u003e\n\u003cli\u003eA developer adds \u003ccode\u003emysten-metrics\u003c/code\u003e as a dependency to their project.\u003c/li\u003e\n\u003cli\u003eThe developer builds the project using \u003ccode\u003ecargo build\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs part of the build process, the malicious build script within \u003ccode\u003emysten-metrics\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe build script collects sensitive data from the build environment (e.g., environment variables, file contents, system information).\u003c/li\u003e\n\u003cli\u003eThe build script attempts to exfiltrate the collected data to a remote 
attacker-controlled server. The exact exfiltration method is not specified, but could involve HTTP/S requests or DNS tunneling.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data from the compromised build machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful execution of the malicious build script could lead to the exposure of sensitive information, including API keys, credentials, source code, and other confidential data present on the build machine. This data could be used to compromise the developer\u0026rsquo;s infrastructure, intellectual property, and customer data. Since there were no known usages, the impact was contained by its early removal.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement integrity checks for all third-party dependencies to identify and prevent the use of malicious packages.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from build processes for suspicious outbound traffic, as this could indicate data exfiltration. 
Create network connection rules.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on build machines to detect unauthorized modifications to files during the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:43:56Z","date_published":"2026-05-04T21:43:56Z","id":"/briefs/2026-05-mysten-metrics-exfiltration/","summary":"The `mysten-metrics` crate was removed from crates.io after it was found to contain a malicious build script that attempted to exfiltrate data from the build machine during the build process.","title":"Malicious mysten-metrics Crate Exfiltrates Build Machine Data","url":"https://feed.craftedsignal.io/briefs/2026-05-mysten-metrics-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["sui-execution-cut"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rust"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 20, 2026, a malicious crate named \u003ccode\u003esui-execution-cut\u003c/code\u003e was published to crates.io. This crate included a build script that, when executed, attempted to exfiltrate data from the machine on which the crate was being built. The crate had no dependencies and only one version was ever published. The malicious package was quickly removed from crates.io after discovery. 
While the crate was available for a short period, there is no evidence of actual usage; however, supply chain compromises can have a wide impact if successful, and even this low-usage crate warrants monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer adds the malicious \u003ccode\u003esui-execution-cut\u003c/code\u003e crate as a dependency to their Rust project.\u003c/li\u003e\n\u003cli\u003eDuring the build process, the \u003ccode\u003ecargo\u003c/code\u003e build system executes the build script embedded within the \u003ccode\u003esui-execution-cut\u003c/code\u003e crate.\u003c/li\u003e\n\u003cli\u003eThe build script executes a series of commands designed to gather sensitive information from the build environment.\u003c/li\u003e\n\u003cli\u003eThe script establishes an outbound network connection to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe gathered data is transmitted to the attacker\u0026rsquo;s server via HTTP POST or a similar method.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data, which could include environment variables, file contents, or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the stolen data for valuable secrets, credentials, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esui-execution-cut\u003c/code\u003e crate, if used, could have compromised developer machines by exfiltrating sensitive data during the build process. Although the crate was quickly removed and showed no signs of usage, a successful attack of this nature could lead to the exposure of secrets, credentials, and intellectual property. 
The lack of usage limits the impact, but the nature of supply chain attacks makes even low-usage crates a potential risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected network connections originating from build processes, especially connections to unknown or suspicious domains. Use the \u0026ldquo;Detect Suspicious Outbound Connections from Build Processes\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict dependency review processes to identify and prevent the introduction of malicious packages into your software supply chain.\u003c/li\u003e\n\u003cli\u003eContinuously monitor crates.io and other package repositories for reports of malicious packages and promptly remove them from your dependencies if identified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:42:55Z","date_published":"2026-05-04T21:42:55Z","id":"/briefs/2026-05-sui-execution-cut-exfiltration/","summary":"The `sui-execution-cut` crate on crates.io contained a build script designed to exfiltrate data from the build machine during the build process.","title":"Malicious sui-execution-cut Crate Exfiltrates Build Machine Data","url":"https://feed.craftedsignal.io/briefs/2026-05-sui-execution-cut-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. 
PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) 
-join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. 
The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Atomic macOS Stealer (AMOS)"],"_cs_severities":["high"],"_cs_tags":["malware","social-engineering","ai-platforms"],"_cs_type":"advisory","_cs_vendors":["Hugging Face","Acronis"],"content_html":"\u003cp\u003eThreat actors are leveraging AI distribution platforms like Hugging Face and ClawHub to distribute malware. This involves social engineering tactics to deceive users into downloading files that contain malicious code. 
Instead of directly compromising AI agents, the attackers abuse user trust by injecting indirect prompts into resources that the AI accesses. Acronis reported that on ClawHub, nearly 600 malicious skills across 13 developer accounts were identified distributing trojans, cryptominers, and information stealers targeting both Windows and macOS. On Hugging Face, attackers created repositories hosting malicious files designed to stage multi-step infection chains leading to infostealers, trojans, malware loaders, and other types of malware targeting Windows, Linux, and Android. This tactic allows attackers to bypass traditional security measures and leverage the platforms\u0026rsquo; reputation for trusted AI tooling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious repository or skill on Hugging Face or ClawHub.\u003c/li\u003e\n\u003cli\u003eThe repository or skill contains files that appear legitimate but include malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering to entice users to download the files.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code fetches additional payloads from external sources.\u003c/li\u003e\n\u003cli\u003eFor macOS, the payload can be Atomic macOS Stealer (AMOS).\u003c/li\u003e\n\u003cli\u003eThe downloaded payload executes commands to install hidden dependencies.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe malware performs its intended malicious actions, such as stealing information or mining cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to the installation of various types of malware, including infostealers, trojans, cryptominers, and malware loaders. 
The targeted platforms include Windows, macOS, Linux, and Android, potentially impacting a wide range of users and systems. The abuse of trust in AI distribution platforms poses a significant risk, as users may be less likely to scrutinize files from these sources. Acronis identified close to 600 malicious skills on ClawHub alone, indicating the scale of this threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of downloaded files from Hugging Face or ClawHub with unusual parent processes using the \u0026ldquo;Detect Suspicious Process Execution from AI Platforms\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known malicious domains or IPs associated with malware distribution campaigns that originate from processes associated with AI platform tooling.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading files from untrusted sources, even on trusted platforms like Hugging Face and ClawHub.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for known malware signatures and indicators of compromise associated with infostealers and trojans.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T08:41:57Z","date_published":"2026-05-01T08:41:57Z","id":"/briefs/2026-05-huggingface-clawhub-malware/","summary":"Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.","title":"Malware Distribution via Hugging Face and 
ClawHub","url":"https://feed.craftedsignal.io/briefs/2026-05-huggingface-clawhub-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pytorch-lightning"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","credential-theft","malware"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eOn April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used \u003ccode\u003epytorch-lightning\u003c/code\u003e package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. 
Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the publisher account for the \u003ccode\u003epytorch-lightning\u003c/code\u003e package on PyPI.\u003c/li\u003e\n\u003cli\u003eAttacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.\u003c/li\u003e\n\u003cli\u003eA modified \u003ccode\u003e__init__.py\u003c/code\u003e file within the package initiates a background process upon import.\u003c/li\u003e\n\u003cli\u003eThe background process executes silently, without any visible output or indication of compromise to the user.\u003c/li\u003e\n\u003cli\u003eThe malicious package downloads a runtime (Bun) from GitHub.\u003c/li\u003e\n\u003cli\u003eThe package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.\u003c/li\u003e\n\u003cli\u003eStolen credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOrganizations that downloaded and used versions 2.6.2 or 2.6.3 of the \u003ccode\u003epytorch-lightning\u003c/code\u003e package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. 
The malware\u0026rsquo;s ability to download and execute secondary payloads further increases the potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove versions 2.6.2 and 2.6.3 of the \u003ccode\u003elightning\u003c/code\u003e package from all systems where they are installed (see overview).\u003c/li\u003e\n\u003cli\u003eAudit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).\u003c/li\u003e\n\u003cli\u003eRotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Suspicious PyPI Package Installation\u003c/code\u003e Sigma rule to identify potential malicious packages being installed in the future (see rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Credential Harvesting via Bun\u003c/code\u003e Sigma rule to catch execution of the malicious JavaScript payload (see rules).\u003c/li\u003e\n\u003cli\u003ePin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T00:45:31Z","date_published":"2026-05-01T00:45:31Z","id":"/briefs/2026-05-pytorch-lightning-compromise/","summary":"Compromised PyTorch Lightning packages versions 2.6.2 and 2.6.3 on PyPI contain malicious code to steal developer credentials from cloud and developer environments, and republish infected packages.","title":"Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-05-pytorch-lightning-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 
365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter clicking a checkbox, the site instructs the victim to copy a command to their clipboard.\u003c/li\u003e\n\u003cli\u003eThe copied command executes \u003ccode\u003efinger.exe\u003c/code\u003e to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server.\u003c/li\u003e\n\u003cli\u003eThe batch script executes commands to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive 
data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of \u003ccode\u003efinger.exe\u003c/code\u003e to identify potential initial access attempts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 
'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. 
The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. 
The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud 
Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["npm packages"],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe CanisterSprawl campaign, first disclosed in April 2026, is a self-propagating malware targeting npm packages. This campaign focuses on stealing sensitive information, such as API keys, authentication tokens, and crypto wallet data from developer environments. The malware attempts to automate the process of publishing malicious packages to the npm registry using compromised developer accounts. By hijacking trusted credentials, CanisterSprawl seeks to extend its reach within the open-source ecosystem, turning a single compromised machine into a potential source of widespread supply chain attacks. This campaign highlights the need for robust security measures to prevent the installation of malicious packages and detect unauthorized activity within developer environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious npm package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the package executes embedded code automatically.\u003c/li\u003e\n\u003cli\u003eThe malware scans environment variables on the local system, looking for credentials and developer tokens.\u003c/li\u003e\n\u003cli\u003eThe malware harvests browser credentials, crypto wallet data, and configuration files containing credentials.\u003c/li\u003e\n\u003cli\u003eThe collected data is exfiltrated to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate an npm automation token on the infected machine.\u003c/li\u003e\n\u003cli\u003eIf a token is found, the malware lists all packages to which the token grants 
\u0026ldquo;write\u0026rdquo; access.\u003c/li\u003e\n\u003cli\u003eThe malware downloads the packages, injects the malicious script into them, and republishes them to the npm registry, spreading the infection to other projects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful CanisterSprawl infections can lead to the exfiltration of sensitive data, including API keys, authentication tokens, and credentials, which can be used to gain unauthorized access to internal systems and services. The malware\u0026rsquo;s self-propagating nature allows it to spread through the npm ecosystem, potentially compromising numerous projects and developer accounts. If successful, attackers can inject malicious code into trusted packages, leading to supply chain attacks that affect a large number of downstream consumers. This can damage the reputation of affected developers and organizations, and result in significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRemove any identified malicious packages immediately to prevent further data theft and propagation.\u003c/li\u003e\n\u003cli\u003eRotate potentially compromised credentials, tokens, and API keys that may have been exposed from affected hosts.\u003c/li\u003e\n\u003cli\u003eReview environment variables and local credentials on developer machines for potential compromise.\u003c/li\u003e\n\u003cli\u003eAudit account activity for unauthorized publishing or access to the npm registry, as highlighted in the Overview section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious processes attempting to access sensitive files related to credentials.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring for common credential storage locations and configuration files to detect unauthorized access and 
modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T16:18:33Z","date_published":"2026-04-23T16:18:33Z","id":"/briefs/2026-04-canistersprawl-npm-malware/","summary":"The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.","title":"CanisterSprawl: Self-Propagating npm Malware Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-canistersprawl-npm-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["command_and_control","malware","llm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies instances where suspicious processes are communicating with known Large Language Model (LLM) endpoints. The activity suggests potential command and control behavior, where malware or unauthorized scripts leverage LLMs to dynamically execute actions on compromised systems. This behavior emerged in late 2025 and continues to evolve. The rule focuses on detecting DNS queries originating from unsigned binaries or common scripting utilities like PowerShell, \u003ccode\u003emshta.exe\u003c/code\u003e, and \u003ccode\u003ewscript.exe\u003c/code\u003e. The targeting scope includes both Windows and macOS systems. 
Defenders should be aware of this technique as attackers increasingly integrate LLMs to enhance malware capabilities and evade traditional detection methods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently executes a malicious script or binary, potentially delivered through social engineering or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe malicious script, such as a PowerShell script or JavaScript within \u003ccode\u003emshta.exe\u003c/code\u003e, is launched.\u003c/li\u003e\n\u003cli\u003eThe script executes code to perform reconnaissance, gathering system information or user credentials.\u003c/li\u003e\n\u003cli\u003eThe script constructs a query for a Large Language Model (LLM) endpoint, such as \u003ccode\u003eapi.openai.com\u003c/code\u003e, using a common scripting utility.\u003c/li\u003e\n\u003cli\u003eThe DNS query is resolved, and a network connection is established to the LLM API endpoint, bypassing standard network security controls.\u003c/li\u003e\n\u003cli\u003eThe malicious script sends data to the LLM API, requesting instructions or performing tasks such as code generation or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe LLM responds with instructions or processed data, which the script then executes on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system by leveraging the LLM to perform various malicious activities, like lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems could be remotely controlled via LLM APIs, allowing attackers to perform data exfiltration, lateral movement, or deploy ransomware. Successful exploitation can lead to significant data breaches, financial loss, and reputational damage. 
The number of victims is currently unknown, but the attack vector affects organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to identify suspicious processes querying LLM endpoints.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging on both Windows and macOS endpoints to provide the necessary data source for the detections.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the parent process and associated network activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned binaries and common scripting utilities from untrusted locations.\u003c/li\u003e\n\u003cli\u003eReview and update network firewall rules to restrict outbound connections to known malicious or suspicious domains.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for command-line arguments that indicate the use of scripting engines to perform DNS queries to LLM domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T16:34:10Z","date_published":"2026-04-22T16:34:10Z","id":"/briefs/2024-01-30-llm-command-and-control/","summary":"This rule detects DNS queries to known Large Language Model (LLM) domains by unsigned binaries or common Windows scripting utilities, indicating potential command and control activity leveraging LLMs for dynamic actions on compromised systems.","title":"Suspicious Processes Connecting to Large Language Model Endpoints","url":"https://feed.craftedsignal.io/briefs/2024-01-30-llm-command-and-control/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","notepad++"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Notepad++ updater, \u003ccode\u003egup.exe\u003c/code\u003e, is a component 
designed to automatically update the Notepad++ application. However, attackers can potentially exploit this updater to deliver malware or place unwarranted files on a system. This activity often begins with a compromised update server or a man-in-the-middle attack. Successful exploitation can lead to the installation of backdoors, credential access, and collection of sensitive information. The references provided highlight historical incidents involving the Notepad++ updater being abused in supply chain attacks. Defenders should monitor file creation events by \u003ccode\u003egup.exe\u003c/code\u003e outside of expected program directories and temporary update locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user installs Notepad++ on their Windows system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egup.exe\u003c/code\u003e updater component, located within the Notepad++ installation directory, is executed to check for updates.\u003c/li\u003e\n\u003cli\u003eThe updater connects to the Notepad++ update server to retrieve update information.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises the update server or performs a man-in-the-middle attack.\u003c/li\u003e\n\u003cli\u003eThe compromised update server provides malicious instructions to \u003ccode\u003egup.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egup.exe\u003c/code\u003e creates a malicious executable or script in an unexpected location, such as the user\u0026rsquo;s temporary directory outside of normal update procedures.\u003c/li\u003e\n\u003cli\u003eThe malicious file is executed, leading to further compromise such as installing a backdoor or stealing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform collection and credential access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful 
attack exploiting the Notepad++ updater can lead to the installation of malware, such as backdoors, allowing attackers to gain persistent access to the compromised system. This can lead to data theft, credential compromise, and further lateral movement within the network. The number of potential victims depends on the scope of the compromised update server or the success of the man-in-the-middle attack. Historically, supply chain attacks targeting widely used software have impacted thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Notepad++ Updater (gup.exe) Creates Uncommon Files\u0026rdquo; to your SIEM and tune for your environment. This rule detects file creation events by \u003ccode\u003egup.exe\u003c/code\u003e in suspicious locations (see rule configuration).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003efile_event\u003c/code\u003e logs for unusual file creation events initiated by \u003ccode\u003egup.exe\u003c/code\u003e using the specified \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and prevent man-in-the-middle attacks against the Notepad++ update server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:34:51Z","date_published":"2026-04-21T10:34:51Z","id":"/briefs/2026-06-notepadpp-updater-file-creation/","summary":"The Notepad++ updater (gup.exe) creating files in suspicious locations can indicate potential exploitation for malware delivery or unwarranted file placement, potentially leading to credential access and collection.","title":"Notepad++ Updater (gup.exe) Creates Uncommon 
Files","url":"https://feed.craftedsignal.io/briefs/2026-06-notepadpp-updater-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["adware","antivirus-evasion","malware","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA digitally signed adware tool distributed by Dragon Boss Solutions LLC has been observed deploying payloads designed to disable antivirus protections. The campaign, discovered by Huntress on March 22, 2026, leverages signed executables initially classified as potentially unwanted programs (PUPs) to gain a foothold on victim machines. These PUPs, often disguised as browser tools like Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser, use an advanced update mechanism to deliver malicious payloads. This update mechanism, powered by the commercial Advanced Installer, silently deploys MSI and PowerShell scripts with elevated SYSTEM privileges. This allows the threat actors to disable or remove antivirus software without user interaction. 
The campaign has impacted over 23,500 hosts across 124 countries, including high-value networks in the educational, utilities, government, and healthcare sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via the installation of signed adware tools (PUPs) from Dragon Boss Solutions LLC, such as Chromnius or WorldWideWeb.\u003c/li\u003e\n\u003cli\u003eThe adware uses the Advanced Installer update mechanism to silently download and execute an MSI payload (Setup.msi) disguised as a GIF image.\u003c/li\u003e\n\u003cli\u003eThe MSI payload is executed with SYSTEM privileges, allowing it to bypass user account control (UAC) restrictions.\u003c/li\u003e\n\u003cli\u003eThe MSI installer performs reconnaissance, checking admin status, detecting virtual machines, verifying internet connectivity, and identifying installed antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.\u003c/li\u003e\n\u003cli\u003eA PowerShell script (ClockRemoval.ps1) is deployed to disable the detected security products by stopping services, killing processes, deleting installation directories and registry entries, silently running vendors\u0026rsquo; uninstallers, and forcefully deleting files.\u003c/li\u003e\n\u003cli\u003eThe ClockRemoval.ps1 script is scheduled to run at system boot, logon, and every 30 minutes to ensure persistent removal of antivirus products.\u003c/li\u003e\n\u003cli\u003eThe hosts file is modified to block access to antivirus vendor domains, preventing reinstallation or updates of the security software.\u003c/li\u003e\n\u003cli\u003eWith antivirus protections disabled, the compromised system becomes vulnerable to further exploitation and malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign has impacted over 23,500 hosts across 124 countries. 
Identified infected hosts include 221 academic institutions, 41 operational technology networks, 35 municipal governments and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. The disabling of antivirus software leaves systems vulnerable to further malware infections, data breaches, and other malicious activities. The potential exists for threat actors to leverage this established infrastructure to deploy far more dangerous payloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting the ClockRemoval.ps1 script execution to your SIEM to identify affected systems.\u003c/li\u003e\n\u003cli\u003eMonitor for WMI event subscriptions containing \u0026ldquo;MbRemoval\u0026rdquo; or \u0026ldquo;MbSetup,\u0026rdquo; scheduled tasks referencing \u0026ldquo;WMILoad\u0026rdquo; or \u0026ldquo;ClockRemoval,\u0026rdquo; and processes signed by Dragon Boss Solutions LLC, as recommended by Huntress.\u003c/li\u003e\n\u003cli\u003eReview the hosts file for entries blocking AV vendor domains and check Microsoft Defender exclusions for suspicious paths such as \u0026ldquo;DGoogle,\u0026rdquo; \u0026ldquo;EMicrosoft,\u0026rdquo; or \u0026ldquo;DDapps.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains chromsterabrowser[.]com and worldwidewebframework3[.]com at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that have downloaded the Setup.msi payload, identified by its hash.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-dragon-boss-adware/","summary":"Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across education, utilities, government, and healthcare sectors.","title":"Dragon Boss Solutions Adware Disabling Antivirus 
Protections","url":"https://feed.craftedsignal.io/briefs/2026-04-dragon-boss-adware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["n8n","phishing","malware","workflow-automation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the victim\u0026rsquo;s browser to the n8n platform, which triggers the pre-configured workflow.\u003c/li\u003e\n\u003cli\u003eThe n8n workflow serves an HTML page containing a CAPTCHA to the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAfter the victim completes the CAPTCHA, the webpage presents a download 
button, concealing the true source of the payload.\u003c/li\u003e\n\u003cli\u003eClicking the download button initiates the download of a malicious executable (e.g., \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo;) from an external host.\u003c/li\u003e\n\u003cli\u003eThe executable installs a modified version of Datto RMM, establishes a connection to a relay on \u003ccode\u003ecentrastage[.]net\u003c/code\u003e, granting the attacker remote access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for URLs containing \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and flag them as suspicious (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify network connections to \u003ccode\u003ecentrastage[.]net\u003c/code\u003e initiated by unusual processes (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eInspect process creation events for the execution of \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo; or similar filenames downloaded from n8n domains (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and \u003ccode\u003ecentrastage[.]net\u003c/code\u003e at the DNS resolver (IOC 
table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T10:03:05Z","date_published":"2026-04-15T10:03:05Z","id":"/briefs/2026-04-n8n-abuse/","summary":"Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.","title":"n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ai-agent","execution","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents\u0026rsquo; ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. 
This activity has been observed across Linux, macOS, and Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.\u003c/li\u003e\n\u003cli\u003eThe user installs a malicious skill from ClawHub or is subject to a prompt injection attack.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw agent, running under Node.js, receives a command to execute a shell command.\u003c/li\u003e\n\u003cli\u003eThe Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eThe shell process executes a command to download a payload from a remote server using tools like curl or certutil.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with an obfuscated name.\u003c/li\u003e\n\u003cli\u003eThe shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. 
The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (\u003ca href=\"#execution-via-openclaw-agent---linuxmacoswindows\"\u003eExecution via OpenClaw Agent - Linux/macOS/Windows\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eBlock known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.\u003c/li\u003e\n\u003cli\u003eReview OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.\u003c/li\u003e\n\u003cli\u003eEnable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of curl/certutil downloads (\u003ca href=\"#openclaw-download-activity\"\u003eOpenClaw Download Activity\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:07:54Z","date_published":"2026-04-08T12:07:54Z","id":"/briefs/2026-06-openclaw-execution/","summary":"Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.","title":"OpenClaw Agent Suspicious Child Process 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-06-openclaw-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","strapi","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA threat actor has compromised the Strapi ecosystem by publishing 36 malicious NPM packages posing as legitimate Strapi plugins. This supply chain attack, discovered by SafeDep, targets users of the open-source headless CMS, Strapi, which is built on Node.js. The malicious packages contain a variety of payloads designed to compromise Strapi installations. These payloads include capabilities for Redis code execution, Docker container escape, credential harvesting, reverse shell deployment, and establishing persistent implants. The attackers specifically targeted the cryptocurrency payment gateway Guardarian, indicating a focus on financial gain and data exfiltration from this specific organization. 
The malicious activity was observed starting around April 6, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker publishes 36 malicious NPM packages to the NPM registry, using names that mimic legitimate Strapi plugins to entice Strapi developers to install them.\u003c/li\u003e\n\u003cli\u003eA Strapi developer installs one or more of the malicious NPM packages into their Strapi project using the \u003ccode\u003enpm install\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eUpon installation, the malicious package executes its payload, which may include Redis code execution by injecting crontab entries and deploying PHP/Node.js reverse shells.\u003c/li\u003e\n\u003cli\u003eThe payload attempts to escape Docker containers via overlay filesystem discovery, writing shells to host directories and launching a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe malicious code harvests credentials from the compromised system, including database passwords, API keys, JWT secrets, Elasticsearch credentials, and wallet/key files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a reverse shell on the compromised system, allowing them to execute arbitrary commands and further explore the network.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates Strapi configurations and Guardarian API module data to an external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent implants on the compromised system to maintain long-term access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to severe consequences for Strapi users, particularly those in the cryptocurrency sector. If successful, the attack allows for unauthorized access to sensitive data, including API keys, database credentials, and customer information. 
The direct targeting of Guardarian suggests a high-value target with potential for significant financial loss. A successful attack could result in data breaches, financial theft, and reputational damage for affected organizations. The ability to escape Docker containers further broadens the attack surface, potentially compromising the host system and other containers running on the same infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; Sigma rule to identify potentially malicious package installations (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to facilitate detection and investigation of suspicious activity.\u003c/li\u003e\n\u003cli\u003eRotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on systems where the malicious packages may have been installed, as recommended in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for reverse shell activity originating from Strapi servers, as described in the Attack Chain (reference network_connection log source in Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to Strapi configuration files and other sensitive files (reference file_event log source in Sigma rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:00Z","date_published":"2026-04-07T10:00:00Z","id":"/briefs/2026-04-strapi-npm-attack/","summary":"A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.","title":"Malicious NPM Packages 
Target Strapi Users","url":"https://feed.craftedsignal.io/briefs/2026-04-strapi-npm-attack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 25, 2026, two malicious versions of the \u003ccode\u003elitellm\u003c/code\u003e package (versions 1.82.7 and 1.82.8) were discovered on the PyPI repository. These versions were found to contain automatically activated malware. The malicious code was designed to harvest sensitive credentials and files from systems where the compromised packages were installed. This supply chain attack follows a previous API token exposure stemming from a compromised trivy dependency, indicating a potential escalation in targeting the \u003ccode\u003elitellm\u003c/code\u003e project. The compromised packages exfiltrate stolen data to a remote API controlled by the attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises the \u003ccode\u003elitellm\u003c/code\u003e PyPI package repository, likely leveraging exposed credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into versions 1.82.7 and 1.82.8 of the \u003ccode\u003elitellm\u003c/code\u003e package. The malicious code is automatically activated upon installation.\u003c/li\u003e\n\u003cli\u003eA user installs either \u003ccode\u003elitellm\u003c/code\u003e version 1.82.7 or 1.82.8 via \u003ccode\u003epip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code begins harvesting credentials and files accessible to the \u003ccode\u003elitellm\u003c/code\u003e environment. 
This may include API keys, tokens, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a network connection to a remote API server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials and files are exfiltrated to the attacker\u0026rsquo;s remote API server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to services and data protected by the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacts any user who installed the malicious \u003ccode\u003elitellm\u003c/code\u003e packages (versions 1.82.7 and 1.82.8). Successful credential harvesting allows attackers to pivot and compromise other systems and services accessible with the stolen credentials, potentially leading to data breaches, unauthorized access, and further lateral movement within victim environments. The number of affected users is currently unknown, but the popularity of \u003ccode\u003elitellm\u003c/code\u003e suggests a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately revoke and rotate any credentials accessible to environments where \u003ccode\u003elitellm\u003c/code\u003e versions 1.82.7 or 1.82.8 were installed (description).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect installations of the affected \u003ccode\u003elitellm\u003c/code\u003e versions (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003elitellm\u003c/code\u003e processes to external, untrusted APIs (network_connection).\u003c/li\u003e\n\u003cli\u003eImplement strong dependency management practices, including the use of software composition analysis tools, to identify and prevent the installation of malicious packages 
(overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-litellm-supply-chain/","summary":"Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.","title":"Malicious LiteLLM Versions Harvest Credentials","url":"https://feed.craftedsignal.io/briefs/2026-03-litellm-supply-chain/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm","canisterworm"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 21, 2026, it was reported that threat actor TeamPCP successfully deployed CanisterWorm, a malicious worm, onto the NPM package registry. This followed a compromise of Trivy, a widely-used open-source vulnerability scanner. The specifics of the Trivy compromise are not detailed in this brief, but it likely involved exploiting vulnerabilities within Trivy or its infrastructure to gain unauthorized access and the ability to publish malicious packages. The scope of this incident affects developers and organizations that rely on NPM packages and utilize Trivy in their software development lifecycle. 
Defenders should prioritize detecting and mitigating the spread of CanisterWorm within their environments, focusing on identifying compromised Trivy instances and monitoring for suspicious activity related to NPM package installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eMalware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.\u003c/li\u003e\n\u003cli\u003eNPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.\u003c/li\u003e\n\u003cli\u003ePackage Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.\u003c/li\u003e\n\u003cli\u003eWorm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.\u003c/li\u003e\n\u003cli\u003ePersistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. 
The specific number of victims and the full extent of damage is currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for NPM packages to verify their authenticity and prevent the installation of tampered packages.\u003c/li\u003e\n\u003cli\u003eAnalyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.\u003c/li\u003e\n\u003cli\u003eReview and strengthen the security of your software supply chain to mitigate the risk of future attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T10:00:00Z","date_published":"2026-03-22T10:00:00Z","id":"/briefs/2026-03-teampcp-canisterworm/","summary":"TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.","title":"TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-canisterworm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["github","malware","macos","credential-theft","ai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGhostLoader is a malware campaign observed using GitHub repositories and AI-assisted development workflows to deliver malicious payloads specifically designed to steal 
credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a seemingly legitimate software repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe repository contains a project with files that may appear benign or related to AI workflows.\u003c/li\u003e\n\u003cli\u003eA malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.\u003c/li\u003e\n\u003cli\u003eA user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.\u003c/li\u003e\n\u003cli\u003eThe user executes the GhostLoader script or binary on their macOS system.\u003c/li\u003e\n\u003cli\u003eGhostLoader executes, initiating the credential-stealing process.\u003c/li\u003e\n\u003cli\u003eStolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GhostLoader malware directly targets macOS systems and focuses on credential theft. Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. 
The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.\u003c/li\u003e\n\u003cli\u003eEducate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.\u003c/li\u003e\n\u003cli\u003eEnable and review macOS system logs for suspicious activity related to credential access and keychain modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T13:03:03Z","date_published":"2026-03-21T13:03:03Z","id":"/briefs/2024-01-ghostloader/","summary":"GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.","title":"GhostLoader Malware Targeting macOS via GitHub and AI Workflows","url":"https://feed.craftedsignal.io/briefs/2024-01-ghostloader/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["malware","data-exfiltration","cobra-docguard","speagle"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new malware strain dubbed \u0026ldquo;Speagle\u0026rdquo; has been discovered leveraging the legitimate Cobra DocGuard software to exfiltrate 
sensitive data. This malware infects systems and then uses compromised Cobra DocGuard servers as a C2 to receive stolen data. By masquerading as legitimate DocGuard client-server communication, Speagle seeks to evade detection. First reported in March 2026, the malware represents a sophisticated approach to data theft. The threat actors are exploiting trust in a legitimate software product to conceal their activities, making detection more challenging for defenders. The targeting scope is currently unknown, but any organization utilizing Cobra DocGuard should be considered potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eSpeagle infects a target machine through an unknown initial access vector.\u003c/li\u003e\n\u003cli\u003eThe malware identifies and hooks into the Cobra DocGuard application.\u003c/li\u003e\n\u003cli\u003eSpeagle harvests sensitive information from the compromised system, focusing on documents and other valuable data.\u003c/li\u003e\n\u003cli\u003eThe gathered data is prepared for exfiltration, likely compressed and encrypted.\u003c/li\u003e\n\u003cli\u003eSpeagle establishes a connection to a compromised Cobra DocGuard server.\u003c/li\u003e\n\u003cli\u003eThe stolen data is transmitted to the compromised server, disguised as legitimate DocGuard client-server traffic.\u003c/li\u003e\n\u003cli\u003eThe attackers retrieve the exfiltrated data from the compromised Cobra DocGuard server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Speagle infections can lead to significant data breaches, resulting in the loss of sensitive documents, intellectual property, and confidential information. The number of affected organizations is currently unknown, but any company using Cobra DocGuard is potentially at risk. 
The impact of a successful attack can range from financial losses and reputational damage to legal and regulatory penalties, depending on the type of data compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusual communication patterns associated with Cobra DocGuard, even if it appears legitimate (see rules below).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring on Cobra DocGuard servers to detect unauthorized access or data manipulation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any Cobra DocGuard client machines exhibiting suspicious behavior, such as unusual file access or network activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T00:38:59Z","date_published":"2026-03-21T00:38:59Z","id":"/briefs/2026-03-speagle-docguard-hijack/","summary":"The Speagle malware hijacks the Cobra DocGuard application to exfiltrate sensitive data from infected machines to attacker-controlled Cobra DocGuard servers, effectively masking malicious traffic as legitimate DocGuard communication.","title":"Speagle Malware Hijacks Cobra DocGuard for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-03-speagle-docguard-hijack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["snappyclient","hijackloader","malware","infostealer","keylogger"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSnappyClient is a sophisticated malware delivered via HijackLoader, a known malware distribution platform. The malware exhibits a wide array of capabilities, indicative of its intent to compromise systems and exfiltrate sensitive data. 
These capabilities include screenshot capture, keylogging, establishing a remote terminal for interactive command execution, and targeted data theft from web browsers, browser extensions, and other applications. The combination of these functions points towards a threat actor focused on credential harvesting, data collection, and maintaining persistent access through remote command and control. Defenders should prioritize detection and prevention measures to mitigate the risk of SnappyClient infections. The initial report of this activity was published in March 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: HijackLoader infects the system (delivery mechanism unspecified).\u003c/li\u003e\n\u003cli\u003ePersistence: HijackLoader establishes persistence to ensure SnappyClient is executed upon system reboot.\u003c/li\u003e\n\u003cli\u003eMalware Deployment: HijackLoader deploys and executes the SnappyClient malware.\u003c/li\u003e\n\u003cli\u003eScreenshot Capture: SnappyClient begins capturing screenshots of the user\u0026rsquo;s desktop activity using built-in OS functions.\u003c/li\u003e\n\u003cli\u003eKeylogging: SnappyClient logs keystrokes to capture sensitive information such as usernames, passwords, and financial details.\u003c/li\u003e\n\u003cli\u003eBrowser Data Theft: SnappyClient targets web browsers and their extensions to steal cookies, saved credentials, and browsing history.\u003c/li\u003e\n\u003cli\u003eRemote Terminal: SnappyClient establishes a remote terminal, granting the attacker interactive command execution capabilities.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Stolen data is exfiltrated to a command and control server controlled by the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful SnappyClient infections can result in significant data breaches, including the compromise of sensitive 
credentials, financial information, and personal data. The remote terminal functionality allows attackers to perform arbitrary actions on compromised systems, potentially leading to further damage or lateral movement within the network. While the number of victims and specific sectors targeted are unknown, the malware\u0026rsquo;s capabilities make it a high-risk threat to organizations of all sizes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to enhance visibility into HijackLoader and SnappyClient execution (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and block connections to known HijackLoader command and control infrastructure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect SnappyClient activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications for persistence mechanisms used by HijackLoader to launch SnappyClient (logsource: registry_set).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:19:06Z","date_published":"2026-03-20T05:19:06Z","id":"/briefs/2024-01-08-snappyclient/","summary":"SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.","title":"SnappyClient Malware Delivered via HijackLoader","url":"https://feed.craftedsignal.io/briefs/2024-01-08-snappyclient/"},{"_cs_actors":["WaterPlum"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["stoatwaffle","waterplum","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe threat brief addresses the StoatWaffle malware associated with the threat actor WaterPlum. 
Specific details regarding the malware\u0026rsquo;s capabilities, deployment methods, and targeted sectors are currently limited based on the available source material. Further analysis is required to determine the exact scope and impact of StoatWaffle and WaterPlum\u0026rsquo;s operations. Defenders should prioritize gathering additional intelligence on this threat to implement appropriate detection and mitigation strategies. Understanding the malware\u0026rsquo;s functionality is crucial for effective defense.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The initial access vector is currently unknown. Further investigation is needed to determine how WaterPlum deploys StoatWaffle.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e StoatWaffle executes on the compromised system, but the specific method is unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The method StoatWaffle uses to maintain persistence is not described in the available information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Any privilege escalation techniques are presently unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Any defense evasion techniques are unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Credential access methods used by StoatWaffle are unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The information gathering activities of StoatWaffle post-compromise are unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e Command and control channels used by StoatWaffle are unknown.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe precise impact of 
StoatWaffle malware is currently undetermined. Without more information, it is difficult to determine the number of potential victims, sectors targeted, or potential damage resulting from successful exploitation. The consequences of a successful attack remain unclear, pending further analysis of the malware and the threat actor\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConduct further research on StoatWaffle malware and the WaterPlum threat actor to gather more specific intelligence about their tactics, techniques, and procedures.\u003c/li\u003e\n\u003cli\u003eMonitor threat intelligence feeds for updated information on StoatWaffle IOCs or detection signatures.\u003c/li\u003e\n\u003cli\u003eImplement generic malware detection rules that identify suspicious process behavior, network traffic, or file modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:35:27Z","date_published":"2026-03-19T05:35:27Z","id":"/briefs/2024-01-stoatwaffle/","summary":"StoatWaffle is malware employed by the WaterPlum threat actor, used for an unknown purpose.","title":"StoatWaffle Malware Used by WaterPlum Actor","url":"https://feed.craftedsignal.io/briefs/2024-01-stoatwaffle/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["glassworm","malware","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm campaign has been identified deploying a Wave 3 Windows payload. This indicates a continuation of the threat actor\u0026rsquo;s operations, with an updated payload targeting Windows systems. The specifics of the delivery mechanism and the exact functionality of the Wave 3 payload are currently unknown. Defenders should be aware of the ongoing GlassWorm activity and implement detections for suspicious Windows executables. 
Further analysis is required to fully understand the capabilities of the Wave 3 payload and the scope of the campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The initial access vector is unknown.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: A Wave 3 Windows payload is delivered to the system.\u003c/li\u003e\n\u003cli\u003eExecution: The Windows payload is executed.\u003c/li\u003e\n\u003cli\u003ePersistence: The payload establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The payload connects to a command and control server for instructions.\u003c/li\u003e\n\u003cli\u003eData Collection: The payload gathers sensitive data from the system.\u003c/li\u003e\n\u003cli\u003eExfiltration: The collected data is exfiltrated to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of the GlassWorm Wave 3 payload could lead to data theft, system compromise, and potential financial loss. The impact depends on the specific objectives of the threat actor and the sensitivity of the data compromised. 
The lack of specific information about victimology makes determining the overall scope impossible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for unknown or unsigned executables, especially those with network connections (reference: process_creation and network_connection log sources).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to the execution of potentially malicious Windows executables.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T15:00:22Z","date_published":"2026-03-16T15:00:22Z","id":"/briefs/2024-01-glassworm-wave3/","summary":"The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.","title":"GlassWorm Campaign Deploying Wave 3 Windows Payload","url":"https://feed.craftedsignal.io/briefs/2024-01-glassworm-wave3/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["malware","google_ads","initial_access","windows","macos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA malware campaign is underway, leveraging deceptive advertisements on Google that masquerade as legitimate \u0026lsquo;Claude Code\u0026rsquo; software. The attackers are using these ads to direct unsuspecting users to malicious websites hosting malware payloads for both Windows and macOS systems. While specific details on the malware are limited, the campaign\u0026rsquo;s reliance on search engine advertisement poisoning indicates a broad targeting strategy aimed at users actively seeking \u0026lsquo;Claude Code\u0026rsquo; related software or tools. 
This campaign highlights the continued use of malvertising, that is paid search advertisements rather than poisoned organic (SEO) search results, to distribute malware. Defenders should be aware that sponsored results are shown above legitimate hits and can direct users to malicious sites even when the organic results are clean.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious advertisements on Google that mimic legitimate \u0026lsquo;Claude Code\u0026rsquo; software or related tools.\u003c/li\u003e\n\u003cli\u003eUsers searching for \u0026lsquo;Claude Code\u0026rsquo; or related terms encounter the malicious advertisements in their search results.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users click on the malicious advertisement, believing it to be a legitimate source for \u0026lsquo;Claude Code\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe advertisement redirects the user to a malicious website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious website hosts malware payloads tailored for both Windows and macOS operating systems.\u003c/li\u003e\n\u003cli\u003eUpon visiting the site, the user is tricked into downloading and executing the malware, potentially through social engineering or drive-by download techniques.\u003c/li\u003e\n\u003cli\u003eThe malware executes on the victim\u0026rsquo;s system, establishing persistence and potentially disabling security controls.\u003c/li\u003e\n\u003cli\u003eThe malware performs its intended malicious activities, such as data theft, credential harvesting, or further malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this campaign could be widespread, affecting both individual users and organizations who rely on \u0026lsquo;Claude Code\u0026rsquo;. Successful infection can lead to data theft, financial loss, and reputational damage. 
Given the use of Google Ads, the number of potential victims is substantial. The cross-platform nature of the attack further amplifies the risk, as it targets a broader range of users regardless of their operating system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement browser security extensions and ad blockers to reduce the likelihood of users clicking on malicious advertisements.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of clicking on advertisements in search results and encourage them to verify the legitimacy of websites before downloading software.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to newly registered domains or known malicious IP addresses associated with malware distribution.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to detect and prevent malware execution on both Windows and macOS systems.\u003c/li\u003e\n\u003cli\u003eEnable and review web proxy logs for user visits to suspicious domains.\u003c/li\u003e\n\u003cli\u003eConfigure intrusion detection systems (IDS) to identify and block malicious traffic originating from advertisement networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:31:12Z","date_published":"2026-03-15T15:31:12Z","id":"/briefs/2024-01-03-fake-claude-ads/","summary":"Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.","title":"Malware Spreading Through Fake 'Claude Code' Google Ads","url":"https://feed.craftedsignal.io/briefs/2024-01-03-fake-claude-ads/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","unicode","malware","github"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Glassworm malware is a newly discovered threat 
that leverages invisible Unicode characters in source code to hide malicious payloads inside software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The delivery mechanism involves contributors with malicious intent adding these characters or compromised accounts injecting them. Because the characters render as blank in editors and diff views, the malware can remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.\u003c/li\u003e\n\u003cli\u003eThese Unicode characters are placed so that the code looks innocuous to a human reader, while the interpreter still processes them and the hidden payload changes what the program does.\u003c/li\u003e\n\u003cli\u003eThe altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters\u0026rsquo; invisibility.\u003c/li\u003e\n\u003cli\u003eWhen a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.\u003c/li\u003e\n\u003cli\u003eDuring the build process (e.g., \u003ccode\u003enpm install\u003c/code\u003e), the payload hidden in the invisible characters is decoded and executed.\u003c/li\u003e\n\u003cli\u003eThis execution leads to the download and execution of a secondary payload from a remote 
server, potentially installing malware, backdoors, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the developer\u0026rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users.  Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eUtilize file integrity monitoring (FIM) to track changes to 
critical files within repositories and development environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:30:24Z","date_published":"2026-03-15T15:30:24Z","id":"/briefs/2024-02-29-glassworm-unicode-malware/","summary":"The Glassworm malware utilizes invisible unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.","title":"Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories","url":"https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["malware","github","infrastructure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief summarizes an analysis of GlassWorm V2, focusing on its infrastructure rotation and GitHub injection techniques. While specific details regarding the threat actor and initial attack vectors are not provided in this analysis, the report highlights the malware\u0026rsquo;s ability to dynamically change its command and control (C2) infrastructure and potentially leverage GitHub for code injection or storage. Understanding these techniques is crucial for defenders to develop robust detection and mitigation strategies against this evolving threat. 
The full analysis is available on Codeberg.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Specific initial access vector is unknown.\u003c/li\u003e\n\u003cli\u003eGitHub Injection: The malware leverages GitHub to host malicious code or configurations, potentially obfuscating its activities within legitimate traffic.\u003c/li\u003e\n\u003cli\u003eInfrastructure Rotation: GlassWorm V2 employs techniques to rotate its C2 infrastructure, making it more difficult to track and block.\u003c/li\u003e\n\u003cli\u003eCommunication: The malware establishes communication with its C2 server using the dynamically updated infrastructure.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The C2 server issues commands to the infected host.\u003c/li\u003e\n\u003cli\u003ePersistence: Unknown persistence mechanism is used.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Lateral Movement/Impact: The ultimate goal is currently unknown.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful GlassWorm V2 infection could range from data theft and system compromise to disruption of services, depending on the specific objectives of the attacker. The use of infrastructure rotation makes it harder to block attacker infrastructure. 
The GitHub injection may also lead to supply chain concerns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or newly registered domains, even if they initially appear benign.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on systems to detect unauthorized modifications to critical system files.\u003c/li\u003e\n\u003cli\u003eConsider using tools that specifically analyze and detect malicious use of GitHub repositories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T13:51:21Z","date_published":"2026-03-15T13:51:21Z","id":"/briefs/2024-01-26-glassworm-v2-analysis/","summary":"Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.","title":"GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysis","url":"https://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","threat-intelligence","apt","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. The IOCs primarily consist of domains and IP addresses associated with these groups\u0026rsquo; network infrastructure and malware distribution. These campaigns are likely targeting a wide range of victims across multiple sectors, employing diverse techniques to achieve their objectives, including initial access, command and control, and potentially data exfiltration or deployment of malicious payloads. 
The data suggests ongoing malicious activity necessitating proactive monitoring and detection efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An unsuspecting user visits a compromised website or interacts with a malicious advertisement, potentially leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation:\u003c/strong\u003e The initial loader executes on the victim\u0026rsquo;s system, establishing persistence and preparing the environment for further malicious activities. This may involve creating scheduled tasks or modifying registry keys for auto-start.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware establishes communication with a command-and-control server, using domains such as \u003ccode\u003edax.estate\u003c/code\u003e (SmokeLoader) or \u003ccode\u003eresistantmusic.shop\u003c/code\u003e (PowerShell Injector) to receive instructions and transmit data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Injection:\u003c/strong\u003e The PowerShell Injector utilizes multiple techniques to inject malicious code into running processes, allowing it to evade detection and maintain persistence within the system. 
Domains such as \u003ccode\u003eapostile.zapto.org\u003c/code\u003e and \u003ccode\u003egoogletranslate.zapto.org\u003c/code\u003e may resolve to infrastructure involved in command and control of compromised hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attackers leverage compromised systems to move laterally within the network, potentially using stolen credentials or exploiting vulnerabilities to gain access to additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as \u003ccode\u003eashersoftlib.com\u003c/code\u003e (APT_Bitter) for staging or exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAndroid Exploitation:\u003c/strong\u003e In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with \u003ccode\u003epetitle.cloud\u003c/code\u003e for command and control, potentially leading to data theft or installation of further malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinal Objective:\u003c/strong\u003e The final objective of the attack may vary depending on the actor and the target, ranging from data theft and espionage (APT_UNC2465, Lazarus Group, APT_Bitter) to financial gain (Android_Joker) or widespread malware distribution (SmokeLoader, FakeApp, PowerShell Injector).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for a variety of malicious purposes, including data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The wide range of threat actors involved suggests that various sectors and organizations are at risk. 
If successful, these attacks can lead to significant financial losses and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect network connections to domains associated with PowerShell Injector infrastructure. Tune the rule for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect network connections to infrastructure associated with FakeApp campaigns, adjusting the rule as needed for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T23:00:14Z","date_published":"2026-02-27T23:00:14Z","id":"/briefs/2026-02-maltrail-iocs/","summary":"This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.","title":"Maltrail IOCs Report: Tracking Multiple Threat Actors","url":"https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk 
Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","cryptography","malware","asyncrat","xworm","vip keylogger"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes the \u003ccode\u003eSystem.Security.Cryptography\u003c/code\u003e namespace to perform cryptographic operations.\u003c/li\u003e\n\u003cli\u003eThe script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).\u003c/li\u003e\n\u003cli\u003eThe decrypted payload is written to disk or loaded directly into memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware leverages the established persistence 
mechanism for long-term access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e to your SIEM to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e based on your environment\u0026rsquo;s specific needs and known-good PowerShell usage to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell 
scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-cryptography/","summary":"The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.","title":"Suspicious PowerShell Script Using Cryptography Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-cryptography/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Firefox","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","malware","firefox"],"_cs_type":"advisory","_cs_vendors":["Mozilla","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to Firefox profile directories. The Firefox profile directory stores sensitive user data, including login credentials, browsing history, and cookies. When a non-Firefox process accesses this directory, it could be an indicator of malicious activity, such as a Remote Access Trojan (RAT) or other malware attempting to steal user information. The analytic leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This is relevant because successful credential theft can lead to account compromise, data breaches, and further propagation of malware within the network. The threat encompasses a broad range of malware families, including stealers (Azorult, RedLine Stealer, 0bj3ctivity Stealer), RATs (Remcos, Quasar RAT, Warzone RAT), keyloggers (Snake Keylogger, VIP Keylogger), and other malware like DarkGate, NjRAT, AgentTesla, and Lokibot. 
The activity has been observed in campaigns such as CISA AA23-347A and the 3CX Supply Chain Attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user executes a malicious file, potentially delivered via phishing or drive-by download (not covered in source).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes and establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to access the Firefox profile directory, located at \u003ccode\u003e*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWindows Security Event 4663 is generated, logging the access attempt to the Firefox profile directory.\u003c/li\u003e\n\u003cli\u003eThe malware reads sensitive data, such as login credentials, cookies, and browsing history, from the profile directory.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to user accounts and sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and credential theft can lead to a wide range of negative outcomes, including unauthorized access to sensitive data, financial fraud, and further compromise of systems within the organization. The impact can range from individual user account compromise to large-scale data breaches affecting thousands of users. Industries heavily reliant on web-based applications and sensitive user data, such as finance, healthcare, and e-commerce, are particularly vulnerable. 
The consequences include financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure it to log both success and failure events for object access to activate the underlying log source required for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect non-Firefox processes accessing Firefox profile directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the \u003ccode\u003eProcessName\u003c/code\u003e and \u003ccode\u003eObjectName\u003c/code\u003e to identify potentially malicious processes and the specific profile data being accessed.\u003c/li\u003e\n\u003cli\u003eReview and update your organization\u0026rsquo;s security policies to restrict unauthorized access to sensitive user data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:22:32Z","date_published":"2024-01-03T15:22:32Z","id":"/briefs/2024-01-firefox-profile-access/","summary":"This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.","title":"Non-Firefox Process Accessing Firefox Profile Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-firefox-profile-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["time-based-evasion","malware","persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of \u003ccode\u003echoice.exe\u003c/code\u003e being used within batch files as a 
time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. The use of \u003ccode\u003echoice.exe\u003c/code\u003e for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unknown vector.\u003c/li\u003e\n\u003cli\u003eA batch script is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe batch script uses \u003ccode\u003echoice.exe\u003c/code\u003e with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to introduce a time delay. 
The \u003ccode\u003e/T\u003c/code\u003e parameter specifies a timeout period, and the \u003ccode\u003e/N\u003c/code\u003e parameter suppresses the display of choices.\u003c/li\u003e\n\u003cli\u003eThis delay allows the malware to evade time-sensitive detection mechanisms.\u003c/li\u003e\n\u003cli\u003eAfter the delay, the script executes further commands, potentially downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.\u003c/li\u003e\n\u003cli\u003eThe keylogger captures sensitive information such as keystrokes and clipboard data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a remote server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. 
The number of victims and the extent of the damage depend on the attacker\u0026rsquo;s objectives and the compromised systems\u0026rsquo; value.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Choice.exe Time Delay\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003echoice.exe\u003c/code\u003e with time-delay parameters (log source: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003echoice.exe\u003c/code\u003e being used with the \u003ccode\u003e/T\u003c/code\u003e and \u003ccode\u003e/N\u003c/code\u003e parameters to determine if it is part of a malicious script.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint activity for suspicious processes and network connections originating from systems where \u003ccode\u003echoice.exe\u003c/code\u003e has been detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-time-based-evasion-choice/","summary":"Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.","title":"Windows Time-Based Evasion via Choice Exec","url":"https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion-choice/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["wscript","cscript","lolbin","malware","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (unknowingly or through social engineering) executes a malicious script.\u003c/li\u003e\n\u003cli\u003eThe malicious script is interpreted by either \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script executes a LOLBIN such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN executes further commands or downloads additional payloads. 
\u003ccode\u003eCertutil.exe\u003c/code\u003e may be used to decode and install malicious binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges and establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Child Processes Spawned by WScript or CScript\u003c/code\u003e to your SIEM to detect suspicious child processes. 
Tune the rule based on your environment\u0026rsquo;s baseline activity, filtering out any legitimate use cases.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.\u003c/li\u003e\n\u003cli\u003eBlock execution of the LOLBINs (\u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e) if they are not required in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-wscript-cscript-suspicious-child-process/","summary":"Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.","title":"Suspicious Child Processes Spawned by WScript or CScript","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wscript-cscript-suspicious-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script-execution","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to execute malicious scripts from suspicious directories or folders accessible by environment variables. 
This technique leverages script interpreters such as \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, and \u003ccode\u003epowershell.exe\u003c/code\u003e to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target the Ukrainian military.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA malicious script is dropped into a suspicious folder such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e%TEMP%\u003c/code\u003e, or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e to execute the dropped script. 
The command line may contain flags to bypass execution policies (e.g., \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e) or hide the window (e.g., \u003ccode\u003e-w hidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, PowerShell may be invoked with the \u003ccode\u003e-ep bypass\u003c/code\u003e or \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e flags, along with a command to execute the script located in the temporary folder.\u003c/li\u003e\n\u003cli\u003eThe script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe script may leverage built-in Windows utilities for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. 
The compromise of systems can also disrupt business operations and require extensive recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eScript Interpreter Execution From Suspicious Folder\u003c/code\u003e to your SIEM to detect suspicious script executions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events with a focus on script interpreters (\u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) executing from suspicious directories, using the \u003ccode\u003elogsource\u003c/code\u003e and \u003ccode\u003edetection\u003c/code\u003e sections of the Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eTune the filters in the Sigma rule based on your environment to reduce false positives, as described in the \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and block any observed malicious command lines containing flags like \u003ccode\u003e-ep bypass\u003c/code\u003e, \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e, or \u003ccode\u003e-w hidden\u003c/code\u003e, as detailed in the \u003ccode\u003eselection_proc_flags\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-suspicious-script-execution/","summary":"Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.","title":"Suspicious Script Interpreter Execution from Environment Variable Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/"},{"_cs_actors":["Braodo 
Stealer"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["stealc-stealer","crypto-stealer","braodo-stealer","apt37","hellcat-ransomware","vip-keylogger","screen-capture","malware"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe Braodo stealer malware is known for capturing screenshots of a victim\u0026rsquo;s desktop as part of its data theft activities. This malware, often distributed through malicious campaigns, targets sensitive information by creating image files of the user\u0026rsquo;s active screen. These screenshots are typically saved in directories that are easily accessible and commonly used by malware, such as temporary folders. This technique allows attackers to gather credentials, financial information, or other confidential data displayed on the screen. The stealer has been observed in campaigns originating from Vietnam, targeting users in the United States with malware, fraud, and dropshipping schemes. 
Detecting and responding to these types of screen capture attempts is crucial for preventing sensitive data from being compromised and exfiltrated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe Braodo stealer malware is executed on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe malware begins capturing screenshots of the victim\u0026rsquo;s desktop using Windows APIs.\u003c/li\u003e\n\u003cli\u003eThe screenshots are saved as .png, .jpg, or .bmp files.\u003c/li\u003e\n\u003cli\u003eThe files are saved in the user\u0026rsquo;s TEMP directory (e.g., C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\).\u003c/li\u003e\n\u003cli\u003eThe malware may compress or encrypt the captured screenshots.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates the captured data to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information displayed on the victim\u0026rsquo;s screen, such as credentials or financial data, and uses it for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. 
The malware\u0026rsquo;s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Screen Capture Files Created in TEMP Directory\u003c/code\u003e to identify potential screen capture activity in temporary directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint security policies to prevent the execution of malware from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-braodo-screen-capture/","summary":"This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.","title":"Braodo Stealer Screen Capture in TEMP Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-braodo-screen-capture/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Slack","WebEx","Teams","Discord","WhatsApp","Zoom","Outlook","Thunderbird","Grammarly","Dropbox","Tableau","Google Drive","MSOffice","Okta","OneDrive","Chrome","Firefox","Edge","Brave","GoogleCloud Related Tools","Github Related 
Tools","Notion"],"_cs_severities":["medium"],"_cs_tags":["masquerading","defense-evasion","initial-access","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Slack","Cisco","Microsoft","Discord","Zoom","Mozilla","Grammarly","Dropbox","Tableau","Google","Okta","Brave","GitHub","Notion"],"content_html":"\u003cp\u003eAttackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim\u0026rsquo;s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a compromised website or clicks on a malicious advertisement.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable is placed in the user\u0026rsquo;s Downloads folder (e.g., C:\\Users*\\Downloads*).\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded file.\u003c/li\u003e\n\u003cli\u003eThe executable, lacking a valid code signature, begins execution.\u003c/li\u003e\n\u003cli\u003eThe malicious installer may drop and execute additional malware components.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence, potentially using 
techniques such as registry key modification.\u003c/li\u003e\n\u003cli\u003eThe malware performs malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePotential Masquerading as Business App Installer\u003c/code\u003e to detect unsigned executables resembling legitimate business applications in download directories.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture the execution of unsigned executables.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of downloading and executing files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications.\u003c/li\u003e\n\u003cli\u003eRegularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes originating from the Downloads folder that lack valid code signatures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-masquerading-business-apps/","summary":"Attackers masquerade malicious executables as legitimate business application installers to trick 
users into downloading and executing malware, leveraging defense evasion and initial access techniques.","title":"Masquerading Business Application Installers","url":"https://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Outlook","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","phishing","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes of Microsoft Outlook, often associated with spear phishing activity and the execution of malicious attachments. Attackers may leverage malicious documents delivered via email to execute arbitrary code on a victim\u0026rsquo;s machine. The rule focuses on identifying processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and other system binaries being spawned by Outlook, suggesting the potential execution of malicious attachments or exploitation for initial access. This activity is designed to bypass traditional security measures and gain an initial foothold within the targeted environment. 
The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a spear phishing email with a malicious attachment (e.g., a Microsoft Office document or PDF).\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, unknowingly triggering embedded malicious code (e.g., macros or exploits).\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the context of Microsoft Outlook (outlook.exe).\u003c/li\u003e\n\u003cli\u003eThe malicious code spawns a suspicious child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to download and execute further malicious payloads from external sources.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access and begins reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access, allowing attackers to gain a foothold within the network, escalate privileges, and potentially exfiltrate sensitive data, deploy ransomware, or conduct other malicious activities. 
While specific victim counts and sectors are unavailable, similar attacks have targeted a wide range of industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious MS Outlook Child Process Spawning Command Interpreter\u0026rdquo; to your SIEM to detect potential initial access attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eBlock the execution of commonly abused system binaries (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e) as child processes of Outlook using application control policies where possible.\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict macro policies in Microsoft Office applications to prevent the execution of malicious code within documents.\u003c/li\u003e\n\u003cli\u003eRegularly review and update email security policies to prevent spear phishing emails from reaching users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-02-suspicious-outlook-child-process/","summary":"Detection of suspicious child processes spawned by Microsoft Outlook, indicative of spear phishing and malicious file execution leading to potential initial access and further exploitation.","title":"Suspicious MS Outlook Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-outlook-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Malware","version":"https://jsonfeed.org/version/1.1"}