Virus Bulletin
virusbtn.bsky.social
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Pinned
🚨 Important Date Change for VB2026!

VB2026 will now take place 14–16 October 2026, at the already announced venue, the Barceló Sevilla Renacimiento in Seville, Spain.

We appreciate your understanding and look forward to welcoming you in October for another memorable VB Conference.

It’s Friday the 13th.
Good thing security isn’t about luck.

VB2026 | Seville | 14–16 October 2026

➡️ www.virusbulletin.com/conference/v...

#VB2026 #cybersecurity #conference
February 13, 2026 at 3:42 PM
Cato CTRL has identified a new malware loader tracked as Foxveil, which establishes an initial foothold, frustrates analysis, and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify, & Discord attachments. www.catonetworks.com/blog/cato-ct...
February 13, 2026 at 9:18 AM
Sekoia's Pierre Le Bourhis analyses OysterLoader, a multi-stage malware developed in C++ used not only by the Rhysida ransomware group in campaigns leading to Rhysida ransomware, but also by others to distribute commodity malware such as Vidar. blog.sekoia.io/oysterloader...
February 13, 2026 at 9:15 AM
Elastic Security Labs observes large-scale SEO poisoning campaigns targeting IIS servers with BADIIS malware globally, impacting over 1,800 Windows servers. www.elastic.co/security-lab...
February 13, 2026 at 9:13 AM
Censys Threat Intelligence team analyses Odyssey Stealer, a macOS information stealer designed to steal cryptocurrencies from a wide range of software. censys.com/blog/odyssey...
February 13, 2026 at 9:11 AM
Bitdefender researchers look into a surge in LummaStealer activity, the infections primarily driven by social engineering rather than exploitation of technical vulnerabilities. In many campaigns CastleLoader plays a central role in helping LummaStealer spread. www.bitdefender.com/en-us/blog/l...
February 13, 2026 at 9:09 AM
Huntress researchers Anna Pham, Michael Tigges, Dray Agha & Anton Ovrutsky explain how employee monitoring tool Net Monitor for Employees was abused together with RMM platform SimpleHelp in an attempted deployment of Crazy ransomware. www.huntress.com/blog/employe...
February 12, 2026 at 11:09 AM
The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group, targeting both JavaScript and Python developers. www.reversinglabs.com/blog/fake-re...
February 12, 2026 at 11:04 AM
Forcepoint researchers look into a high-volume Phorpiex campaign delivered through malspam emails weaponized with Windows Shortcut .lnk files. www.forcepoint.com/blog/x-labs/...
February 12, 2026 at 11:02 AM
FortiGuard researcher Xiaopeng Zhang analyses a recent phishing campaign in the wild delivering a new variant of XWorm. www.fortinet.com/blog/threat-...
February 12, 2026 at 11:00 AM
Orange researchers report on how hacktivism has evolved over three years of research: Hacktivism has become more frequent, more coordinated, and increasingly entangled with real-world geopolitical events. www.orangecyberdefense.com/global/blog/...
February 11, 2026 at 10:07 AM
Malwarebytes researcher Stefan Dasic shows how a convincing lookalike of popular archiver site 7-Zip has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it's been hiding in plain sight for some time. www.malwarebytes.com/blog/threat-...
February 11, 2026 at 10:03 AM
Palo Alto Networks researchers unveil a new state-aligned espionage group, tracked as TGR-STA-1030. The group primarily targets government ministries & departments and critical infrastructure organizations, with attacks across 37 countries in the last year. unit42.paloaltonetworks.com/shadow-campa...
February 11, 2026 at 9:53 AM
The Microsoft XDR team has observed increasing numbers of macOS infostealer campaigns using social engineering techniques—including ClickFix-style prompts & malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync & AMOS. www.microsoft.com/en-us/securi...
February 11, 2026 at 9:47 AM
Mandiant researchers investigate an intrusion attributed to UNC1069 that used a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. cloud.google.com/blog/topics/...
February 10, 2026 at 9:28 AM
Huntress researchers Anna Pham, John Hammond & Jamie Levy observed threat actors exploiting a SolarWinds Web Help Desk vulnerability and warn organizations to apply the update from SolarWinds’ website as soon as possible. www.huntress.com/blog/active-...
February 10, 2026 at 9:22 AM
Zscaler ThreatLabz explores the anti-analysis techniques employed by GuLoader, including use of polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation. www.zscaler.com/blogs/securi...
February 10, 2026 at 9:13 AM
Reposted by Virus Bulletin
🚨 New WithSecure research

We’ve uncovered two linked cyber campaigns by DPRK-aligned Andariel, including new malware, supply-chain compromise, and 3 previously unseen RATs.

🔗 www2.withsecure.com/en/whats-new...

#threatintel #research #cybersecurity
January 22, 2026 at 8:33 AM
S2W researchers report that ScarCruft has recently been employing a new attack method to distribute ROKRAT using an HWP OLE-based dropper/loader structure, deviating from its traditional LNK-based attack chain. s2w.inc/en/resource/...
February 9, 2026 at 10:18 AM
Kaseya researchers show how bad actors use DKIM replay attacks that involve abuse of legitimate invoices and dispute notifications from well-known vendors such as PayPal, Apple, DocuSign and HelloSign. www.kaseya.com/blog/dkim-re...
February 9, 2026 at 10:16 AM
eSentire's Threat Response Unit share technical artifacts uncovered in their investigation of a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer. www.esentire.com/blog/tenant-...
February 9, 2026 at 10:11 AM
BfV & BSI warn that a likely state-controlled threat actor is conducting phishing attacks via messaging services such as Signal. The targets are high-ranking individuals in politics, military, & diplomacy and investigative journalists in Germany & Europe. www.bsi.bund.de/SharedDocs/C...
February 9, 2026 at 10:03 AM
The Raven File examines how AI chatbots perform in threat intelligence tasks, focusing on logical errors and failure. The goal was to classify common risks across LLMs and show where human validation is still essential. theravenfile.com/2026/02/05/l...
February 6, 2026 at 10:26 AM
LevelBlue SpiderLabs continues its LockBit 5.0 series, with Part 3 analysing the Windows build. The analysis covers a targeted kill list that systematically dismantles the services needed for backups, virtualization and critical business databases. www.levelblue.com/blogs/spider...
February 6, 2026 at 10:24 AM
Cisco Talos uncovers DKnife, a gateway-monitoring and adversary-in-the-middle framework that manipulates network traffic & can hijack binary downloads or Android app updates to deliver malware. Used since at least 2019, its C2 was still active in Jan 2026. blog.talosintelligence.com/knife-cuttin...
February 6, 2026 at 10:19 AM