Virus Bulletin
@virusbtn.bsky.social
Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference.
virusbtn.bsky.social
We are thrilled to officially announce that VB2026 will take place in the vibrant city of Seville, Spain, from 30 September to 2 October 2026.

More details coming soon on the venue, call for papers, sponsorship opportunities, and how to join us.

Can't wait to see you there!
VB2026 Seville 30 Sept - 2 Oct
virusbtn.bsky.social
Hunt.io Threat Research details AdaptixC2, a lightweight open-source C2 with multi-protocol communication, advanced evasion, and BOF-based extensibility, confirming 102 active servers in the wild. hunt.io/blog/adaptix...
virusbtn.bsky.social
Microsoft Threat Intelligence warns that Storm 2657 is actively targeting US-based organizations, especially universities, to access HR SaaS like Workday via social engineering and weak or missing MFA, then divert salaries to attacker-controlled accounts. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
eSentire Threat Response Unit details ChaosBot, a Rust-based backdoor using Discord for command and control. It was first seen in late September 2025 in a financial services environment, targeting mainly, though not exclusively, Vietnamese speakers. www.esentire.com/blog/new-rus...
virusbtn.bsky.social
Cisco Talos reports that actors linked to Storm 2603 installed an outdated version of Velociraptor, the open-source DFIR tool, enabling privilege escalation and arbitrary command execution, which led to ransomware deployment. blog.talosintelligence.com/velociraptor...
Velociraptor leveraged in ransomware attacks
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool.
blog.talosintelligence.com
virusbtn.bsky.social
Marcus Hutchins (Expel) details a ClickFix-style campaign using cache smuggling to avoid downloads and network requests by pre-staging data in the browser cache. expel.com/blog/cache-s...
virusbtn.bsky.social
Huntress details log poisoning used to plant a China Chopper-style web shell on a web server, enabling actors to use AntSword and then deploy Nezha, an operations and monitoring tool, which was used to install Ghost RAT. www.huntress.com/blog/nezha-c...
virusbtn.bsky.social
Unit 42 uncovers the IUAM ClickFix Generator, a phishing kit that generates custom pages with OS detection and clipboard injection capabilities. Unit 42 confirms at least one campaign where DeerStealer was delivered. unit42.paloaltonetworks.com/clickfix-gen...
virusbtn.bsky.social
FortiGuard Labs analyses Chaos ransomware, which resurfaced in 2025 with a new C++ variant. The analysis provides a walkthrough of its execution flow, encryption, and clipboard hijacking for cryptocurrency, with comparisons to earlier .NET builds. www.fortinet.com/blog/threat-...
virusbtn.bsky.social
CloudSEK's TRIAD Team analyses a Charming Kitten APT35 leak and documents targeting of government, legal, academic, aviation, energy, and financial sectors, mainly in the Middle East, with regions of interest extending to the US and Asia. www.cloudsek.com/blog/an-insi...
virusbtn.bsky.social
The Point Wild Lat61 Threat Intelligence Team details Shuyal Stealer, targeting 19 browsers, stealing credentials and Discord tokens, capturing screenshots, and cleaning up after exfiltration. www.pointwild.com/threat-intel...
virusbtn.bsky.social
Rapid7 Threat Research reports a new threat group, known as the Crimson Collective, attacking AWS environments to exfiltrate data and extort victims. The actor has also announced that it is behind an attack on Red Hat. www.rapid7.com/blog/post/tr...
virusbtn.bsky.social
Microsoft Threat Intelligence confirms that Storm 1175, known for deploying Medusa ransomware and exploiting public-facing applications, is actively exploiting the CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
The Resecurity HUNTER Team warns of a mass exploitation of CVE-2025-61882 in Oracle E-Business Suite, enabling remote code execution. Several victims received extortion emails from Cl0p in late September 2025. www.resecurity.com/blog/article...
virusbtn.bsky.social
Independent researcher Ícaro César (0x0d4y) analyses a Mustang Panda campaign identified in June 2025, targeting the Tibetan community and using a ZIP archive with a decoy named “Voice for the Voiceless Photos.exe” and a hidden DLL to enable DLL side loading. 0x0d4y.blog/mustang-pand...
virusbtn.bsky.social
S2 Grupo's intelligence team LAB52 reports a new Outlook backdoor, named NotDoor and attributed to APT28, that watches for specific trigger words and then exfiltrates data, uploads files, and executes commands on victim hosts. lab52.io/blog/analyzi...
virusbtn.bsky.social
StrikeReady Labs maps spear-phishing against a Serbian government aviation department and links similar activity across Europe. The campaigns utilise the SOGU/PlugX/Korplug toolset, which is typically associated with China-linked actors. strikeready.com/blog/cn-apt-...
Image showing a spear-phishing email
virusbtn.bsky.social
Hunt.io Threat Research observes APT SideWinder shifting to maritime targets, with Pakistan & Sri Lanka as primary targets, utilising free hosting platforms such as Netlify, pages.dev, workers.dev and b4a.run for credential portals & lures, & staging malware in open directories. hunt.io/blog/operati...
Screenshot showing a fake DGDP document at "httpx://drive-dgdp-gov-bd-files[.]netlify[.]app/"
virusbtn.bsky.social
WithSecure STINGR reports on TamperedChef, a malvertising campaign targeting European organizations that delivers a fake PDF editor, which runs normally for weeks before activating to steal browser credentials. labs.withsecure.com/publications...
EULA dialog displayed by MSI installer
virusbtn.bsky.social
Trellix ARC reports that XWorm development paused after V5.6 and then returned with V6.0, as seen in a 4 June 2025 post on hackforums. The blog details key plugins, additional payloads, and a script for persistence. www.trellix.com/blogs/resear...
Illustration of the infection chain of XWorm V6.0
virusbtn.bsky.social
FortiGuard Labs details the Confucius group shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor, with spear phishing & weaponised documents hitting South Asian government agencies & defence contractors, especially in Pakistan. www.fortinet.com/blog/threat-...
Graphical illustration of the activities of threat group Confucius.
virusbtn.bsky.social
Trend Micro researchers identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts. www.trendmicro.com/en_gb/resear...
Graphic showing the SORVEPOTEL attack chain
virusbtn.bsky.social
ESET researchers look at two Android spyware campaigns targeting individuals interested in secure communication apps (Signal & ToTok). The campaigns distribute malware through deceptive websites & social engineering and appear to target residents of the UAE. www.welivesecurity.com/en/eset-rese...
Diagram illustrating ProSpy execution flow
virusbtn.bsky.social
Cisco Talos researcher Joey Chen discloses details of UAT-8099, a Chinese-speaking cybercrime group mainly involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. blog.talosintelligence.com/uat-8099-chi...
Attack chain diagram
virusbtn.bsky.social
Elastic Security Labs researchers review new features added to WARMCOOKIE since its initial publication in 2024, such as addition of new handlers, a new campaign ID field, code optimization, and evasion adjustments. www.elastic.co/security-lab...
Key takeaways
The WARMCOOKIE backdoor is actively developed and distributed
Campaign ID, a recently added marker, sheds light on targeting specific services and platforms
WARMCOOKIE operators appear to receive variant builds distinguished by their command handlers and functionality
Elastic Security Labs identified a default certificate that can be used to track new WARMCOOKIE C2 servers
virusbtn.bsky.social
NVISO's @lontze7 explains how Lunar Spider has expanded its initial access methods by compromising vulnerable websites, particularly in Europe, using CORS vulnerabilities. These websites are then injected with a FakeCaptcha framework to spread LatrodectusV2. blog.nviso.eu/2025/10/01/l...