Tag: powershell
-
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign
GitHub as C2: Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data. “The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and…
-
GitHub-Backed Malware Spread via LNK Files in South Korea
Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi-stage malware campaign against organizations in South Korea. The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic. The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts. These older…
-
GitHub Used as Covert Channel in Multi-Stage Malware Campaign
LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/github-covert-multi-stage-malware/
-
RFQ Malware Campaign Uses DOCX, RTF, JS, and Python
Hackers are abusing DOCX, RTF, JavaScript, PowerShell, and Python to deliver an in-memory Cobalt Strike beacon in a stealthy spear-phishing campaign that impersonates Boeing procurement under the tag NKFZ5966PURCHASE. The operation chains six stages, relies heavily on living-off-the-land binaries, and reuses the same encryption keys across all known samples, creating both strong evasion and clear…
-
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Tags: ai, attack, breach, cloud, control, credentials, crypto, github, incident response, linux, LLM, macOS, malicious, malware, monitoring, open-source, openai, powershell, pypi, rat, spam, supply-chain, tool, windows
…postinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency. Shortly after midnight UTC on March 31 a new version of the Axios package, axios@1.14.1, was published on npm followed by axios@0.30.4 39 minutes later. Both listed plain-crypto-js@4.2.1 as a dependency in their package.json files, but…
-
Latest Xloader Obfuscation Methods and Network Protocol
Tags: api, automation, breach, cloud, communications, credentials, data, detection, email, encryption, framework, google, Internet, malicious, malware, microsoft, network, password, powershell, software, threat, tool, update, windows
Introduction: Xloader is an information-stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since…
-
ClickFix Evades PowerShell Detection via Rundll32 and WebDAV
A new variant of the ClickFix attack technique shifts execution away from commonly monitored tools like PowerShell and mshta, instead abusing native Windows components such as rundll32.exe and WebDAV. This evolution allows attackers to bypass traditional script-based detection mechanisms, increasing the likelihood of a successful, stealthy compromise. The attack begins similarly to earlier ClickFix…
-
Obfuscated VBS and PNG Loaders Power New Open Directory Malware Campaign with RAT Payloads
A sophisticated, multi-stage delivery framework leverages obfuscated Visual Basic Script (VBS) files, fileless PowerShell loaders, and payloads hidden within PNG images. The activity was initially detected by LevelBlue’s Managed Detection and Response (MDR) SOC through a SentinelOne alert involving a suspicious VBS file. The file, identified as Name_File.vbs, was located in a public downloads directory…
-
PowerShell Is a Security Risk. Here’s How to Fix It
If you run a Windows environment, you already know how critical PowerShell is. It’s the backbone of modern administration, used for automation, configuration, and day-to-day operations at scale. And it doesn’t stop at Windows. If you manage Azure, Microsoft 365, Entra ID, or Exchange Online, PowerShell is likely how you do it. A compromised session isn’t just an endpoint risk. It’s a path to…
-
Judicial Targets Hit by COVERT RAT via Court Docs and GitHub Payloads
Attackers are abusing fake court documents and GitHub-hosted payloads in a focused spear-phishing campaign that deploys a stealthy Rust-based COVERT RAT against Argentina’s judicial sector. This operation chains Windows LNK shortcuts, BAT loaders, and PowerShell to quietly fetch and execute a masqueraded payload, msedge_proxy.exe, from GitHub infrastructure. The operation, tracked as “Operation Covert Access,” uses…
-
Fileless Remcos RAT Attack Uses JavaScript and PowerShell to Slip Past Detection
A recent Remcos RAT campaign showcases how commodity malware has fully embraced fileless, multi-stage execution to bypass traditional defenses and remain stealthy on compromised Windows systems. Instead of dropping a static executable to disk, the operators rely on JavaScript, PowerShell, and a managed .NET injector to execute Remcos entirely in memory, dramatically reducing forensic artifacts…
-
ClickFix attackers using new tactic to evade detection, says Microsoft
AppData\Local that is then invoked through cmd.exe to write a VBScript to %Temp%. The batch script is executed via cmd.exe with the /launched command-line argument, and is then executed again through MSBuild.exe, resulting in LOLBin abuse. The script connects to Crypto Blockchain RPC endpoints, indicating etherhiding technique, and also performs QueueUserAPC()-based code injection into chrome.exe…
-
Iran-Linked “Dust Specter” APT Deploys AI-Aided Malware Against Iraqi Officials
Iran-nexus APT group “Dust Specter” is targeting Iraqi government officials with AI-assisted custom .NET malware, using dual attack chains that blend DLL sideloading, in-memory PowerShell, and ClickFix-style lures. In January 2026, Zscaler ThreatLabz tracked a new campaign against Iraqi officials in which the actor impersonated Iraq’s Ministry of Foreign Affairs and abused compromised government infrastructure…
-
OCRFix Botnet Uses ClickFix Phishing and EtherHiding to Mask Blockchain C2 Infrastructure
OCRFix is a multi-stage botnet Trojan campaign that abuses a fake Tesseract OCR download site, ClickFix-style PowerShell execution, and EtherHiding on BNB Smart Chain to conceal a rotating blockchain-backed command infrastructure. The fake site gates content behind a bogus CAPTCHA and then instructs users to open PowerShell and paste a pre-copied command, a hallmark of…
-
Microsoft warns of RAT delivered through trojanized gaming utilities
Attackers spread trojanized gaming tools to deliver a stealthy RAT using PowerShell, LOLBins, and Defender evasion tactics. Threat actors are tricking users into running trojanized gaming utilities shared through browsers and chat platforms to deploy a remote access trojan. Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or…
-
Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms
Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). “A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “This…
-
UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor
UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor. Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script…
-
New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Infostealer
Researchers at CyberProof have identified a new fake captcha campaign linked to the ClickFix operation. This stealthy infostealer targets over 25 browsers, cryptocurrency wallets like MetaMask, and gaming accounts by tricking users into executing malicious PowerShell commands. First seen on hackread.com Jump to article: hackread.com/clickfix-attack-crypto-wallets-browsers-infostealer/
-
Dynamic Objects in Active Directory: The Stealthy Threat
Active Directory’s “dynamic objects” feature offers attackers a perfect evasion cloak. These objects automatically self-destruct without a trace, so they allow adversaries to bypass quotas, pollute access lists, and persist in the cloud, leaving forensic investigators with nothing to analyze. Key takeaways. The threat: Dynamic objects self-delete without leaving any traces, or “tombstones”, in AD…
-
Fake CAPTCHA Scam Tricks Windows Users Into Installing Malware
A fake CAPTCHA scam is tricking Windows users into running PowerShell commands that install StealC malware and steal passwords, crypto wallets, and more. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-fake-captcha-scam-stealc-malware-windows/
-
New ClickFix Attack Wave Targets Windows Systems to Deploy StealC Stealer
A new wave of ClickFix attacks is targeting Windows users with fake Cloudflare-style CAPTCHA verification pages that trick victims into executing malicious PowerShell commands. This campaign delivers a multi-stage, fileless infection chain that ends with StealC, a powerful information stealer capable of harvesting credentials, cryptocurrency wallets, gaming accounts, emails, and detailed system fingerprints. The operation…
-
ValleyRAT Masquerades as LINE Installer to Target Users and Harvest Login Credentials
In this malware campaign, cybercriminals distribute a fake LINE messenger installer that secretly deploys the ValleyRAT malware to steal credentials and evade detection. Since early 2025, threat actors have increasingly used fraudulent software installers to deliver malware. This campaign shares techniques with previously discovered LetsVPN-themed attacks, including task-scheduler persistence, PowerShell-based evasion, and C2 communications via Hong Kong servers. Cybereason GSOC performed…
-
This stealthy Windows RAT holds live conversations with its operators
Tags: access, data, detection, injection, malware, mitigation, monitoring, powershell, rat, reverse-engineering, theft, windows
RAT capabilities and stealer functionality: The .NET payload implements a remote access trojan that allows operators to interact directly with compromised systems. Unlike many commodity RATs that rely on periodic check-ins, this malware supports live command handling, enabling attackers to issue instructions and receive responses in near real-time. This interactive design allows operators to perform reconnaissance,…