MalWhere?
@malwhere.bsky.social
👨💻APT Insights
🕵️♂️Tracking Cyber-Espionage Threats
💻Uncovering the Dark Side of the Digital World
👇Latest Threat Analysis & Updates
A new wave of malvertising is putting millions at risk. Since June 2025, the Rhysida ransomware gang has been using fake ads for popular tools like PuTTY, Teams & Zoom to spread the OysterLoader malware — hitting users & orgs with precision.
#CyberSecurity #Malware #Ransomware #Infosec
November 4, 2025 at 11:03 AM
GhostCall & GhostHire — two ongoing campaigns tied to North Korea’s Lazarus sub-cluster BlueNoroff, part of the long-running SnatchCrypto operation. They target Web3 and blockchain professionals via Telegram lures posing as investors or recruiters.
#CyberEspionage #APT38 #Web3Threats
October 30, 2025 at 11:26 AM
1/3
🚨 Pakistan-linked Transparent Tribe (APT36) is targeting Indian gov’t entities with phishing lures delivering DeskRAT, a Golang-based backdoor. Malicious ZIPs deploy fake “CDS Directive” PDFs to hide infection activity. #APT36 #CyberEspionage #DeskRAT
October 27, 2025 at 8:52 AM
Russian state-backed hackers Star Blizzard (aka #ColdRiver / Callisto / UNC4057) have ramped up ops, unleashing new malware — NOROBOT, YESROBOT, MAYBEROBOT — via ClickFix CAPTCHA-style lures. Victims think they’re proving they’re human — but end up running code. #CyberSecurity #APT
October 22, 2025 at 10:14 AM
🚨 OtterCandy — a new cross-platform malware from the WaterPlum Cluster B threat group is turning heads across the cybersecurity world.
It infiltrates Windows, macOS, and Linux, stealing browser data, crypto wallets, and sensitive files with surgical precision.
#CyberSecurity #ThreatIntel #OtterCandy
October 20, 2025 at 8:50 AM
🚨 A suspected Chinese state-backed hacking group, likely Flax Typhoon, remained hidden in a target’s network for over a year by turning a component of Esri’s ArcGIS mapping tool into a stealthy web shell.
#CyberSecurity #ThreatIntel #APT #China #FlaxTyphoon
October 14, 2025 at 12:59 PM
🚨Threat group Storm-2603 (aka Gold Salem) is exploiting the open-source DFIR tool Velociraptor in ransomware attacks using strains like Warlock and LockBit.
Attackers use it for recon, lateral movement, and data theft — blending in with legitimate activity.
#CyberSecurity #ThreatIntel
October 13, 2025 at 10:37 AM
Threat group Crimson Collective has been targeting AWS cloud environments to steal data and extort companies.
They’ve claimed responsibility for the Red Hat breach, saying they exfiltrated 570GB from thousands of private GitLab repos — and demanded ransom.
#CyberSecurity #ThreatIntel #Ransomware
October 9, 2025 at 2:54 PM
🚨Microsoft warns that affiliates of the Medusa ransomware RaaS are exploiting a critical GoAnywhere MFT flaw (CVE-2025-10035) to deploy crypto-locking malware. The bug allows command injection via forged license signatures. #ransomware #Medusa #infosec #CVE202510035 #GoAnywhere
October 8, 2025 at 8:33 AM
🚨CHRIST Juweliere has been added to the victim list of the WorldLeaks ransomware group, per ThreatMon intel. The breach follows ASICS’ hack by ShinyHunters, marking a surge in dark web attacks on global retail. #cyberattack #ransomware #WorldLeaks #infosec
October 6, 2025 at 8:42 AM
🚨Japan’s largest brewer Asahi has suffered a cyberattack, halting domestic order & shipment systems plus call center ops. No data leak confirmed yet, but recovery timeline unknown. Global branches unaffected. #cyberattack #Asahi #infosec #datasecurity #Japan
September 30, 2025 at 9:30 AM
🚨 Zscaler has uncovered a fresh campaign by COLDRIVER, the Russian APT (aka Callisto/Star Blizzard/UNC4057). Using ClickFix-style lures, victims are tricked into running a fake CAPTCHA DLL (BAITSWITCH) that delivers SIMPLEFIX, a PowerShell backdoor for espionage.
September 26, 2025 at 1:26 PM
Reposted by MalWhere?
Chinese APT RedNovember Exploits Public Vulnerabilities to Spy on Global Targets
A Shadow War in Cyberspace
Cyber espionage is no longer defined by cutting-edge malware or stealthy zero-day exploits. Instead, a rising Chinese state-aligned threat group known as RedNovember (aka Storm-2077) has shown that simple but timely moves can cause devastating consequences. Operating without its own unique tools, this group weaponizes public proof-of-concept (PoC) exploits and widely available malware, targeting governments and corporations in critical sectors.
undercodenews.com
September 25, 2025 at 1:13 AM
🚨Cybercrime escalates: cosmetics firm Fattore Cosméticos Ltda has fallen victim to the Spacebears ransomware group, per ThreatMon intel. The attack underscores a global surge in data theft & extortion hitting beauty, retail, healthcare & finance. #ransomware #cybercrime #Spacebears #threatintel
September 25, 2025 at 9:22 AM
1/3
🚨 A Chinese-linked APT compromised a Philippines-based military company using EggStreme, a previously undocumented fileless malware. The multi-stage framework hides in memory, abuses DLL sideloading, and enables stealthy espionage, lateral movement, and data theft.
#Cybersecurity #EggStreme #APT
September 11, 2025 at 1:53 PM
1/3
🚨 A new campaign dubbed DarkSamural—a subspecies of OceanLotus—has targeted high-value orgs in Pakistan. Using malicious LNK & MSC files with GrimResource, attackers delivered multi-stage payloads to steal data. Researchers now link it to Patchwork.
#Cybersecurity #DarkSamural #APT #Infosec
September 10, 2025 at 11:13 AM
1/3
🚨 Lab52 has uncovered NotDoor, a custom backdoor deployed by APT28 (Fancy Bear). Hidden inside Microsoft Outlook via VBA macros, it monitors emails for trigger phrases like “Daily Report,” enabling file theft, uploads, and remote commands while blending into normal mail flow.
September 5, 2025 at 11:03 AM
1/3
🚨 Cybercriminals are evolving fast. The TamperedChef campaign disguises itself as a free PDF editor, delivered through fake ads and websites. Once installed, it hides in plain sight, sometimes for 56 days, before activating as a powerful infostealer.
September 1, 2025 at 10:23 AM
1/3:
Chinese state-backed group Murky Panda (aka Silk Typhoon, Hafnium) is exploiting trusted cloud relationships to infiltrate downstream customer networks. They target gov, tech, legal, & academic sectors in North America.
#Cybersecurity #CloudSecurity #APT
August 26, 2025 at 11:56 AM
🚨 Researchers uncovered a major campaign by Paper Werewolf (aka GOFFEE) exploiting critical flaws in WinRAR. Active since July 2025, the group targets Russian orgs via phishing, using both known bugs and a dangerous zero-day in WinRAR up to v7.12 to gain persistent access.
August 20, 2025 at 1:37 PM
🚨 PipeMagic malware, tied to threat actor Storm-2460, poses as the ChatGPT Desktop app on GitHub. Microsoft found it exploiting CVE-2025-29824, a Windows CLFS flaw, in targeted attacks across IT, finance, real estate, and more, spanning the US, Europe, South America, and the Middle East.
August 19, 2025 at 9:03 AM
🚨ThreatMon confirmed on Aug 18, 2025, that the Warlock ransomware group added Colt.net to its victim list. A major digital services provider, Colt.net now joins a growing roster of targets, as Warlock continues to publicize its attacks on dark web forums to maximize disruption and exposure.
August 18, 2025 at 9:58 AM
1/3
🚨 PhantomCard malware alert
A new Android threat in Brazil uses NFC to steal banking card data and PINs in real time. Victims think they’re verifying their card, but PhantomCard captures info remotely through fake “Card Protection” apps.
#CyberSecurity #MobileMalware #NFCFraud
August 15, 2025 at 9:55 AM
Reposted by MalWhere?
WinRAR’s Zero-Day Dilemma: How Paper Werewolf and Friends Exploited a Vulnerability Fiesta!
WinRAR update fixes zero-day bug CVE-2025-8088. Stop bad guys from unpacking trouble on your computer with this crucial patch!
thenimblenerd.com?p=1052713
WinRAR has updated its software to patch a zero-day vulnerability, CVE-2025-8088, which could allow hackers to sneak into your computer like a cat burglar with a PhD in path traversal. This bug had the potential to turn your zips into zaps, but WinRAR 7.13 has now put a lid on this can of worms.
thenimblenerd.com
August 11, 2025 at 6:52 AM
1/3
🚨 GreedyBear crypto theft campaign exposed. Over 150 fake Firefox extensions posed as MetaMask, TronLink, Exodus & more — stealing $1M+ in assets. Technique: Extension Hollowing — build trusted add-ons first, then weaponize later.
August 11, 2025 at 8:56 AM