Virus Bulletin
virusbtn.bsky.social
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Pinned
We are thrilled to officially announce that VB2026 will take place in the vibrant city of Seville, Spain, from 30 September to 2 October 2026.

More details coming soon on the venue, call for papers, sponsorship opportunities, and how to join us.

Can't wait to see you there!
Bitdefender Labs has identified malware campaigns exploiting the popularity of EA's Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers and fake game trainers across torrent websites & other easily found domains. www.bitdefender.com/en-us/blog/l...
November 26, 2025 at 10:17 AM
Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. www.jamf.com/blog/flexibl...
November 26, 2025 at 10:05 AM
Zscaler researchers analyse a recent multi-stage attack that started from exploitation of a Windows MMC vulnerability and is attributed to the Water Gamayun APT group. www.zscaler.com/blogs/securi...
November 26, 2025 at 9:56 AM
Reposted by Virus Bulletin
Some recent security conference videos:

Troopers - www.youtube.com/playlist?lis...
Hexacon - www.youtube.com/playlist?lis...
Bsides Canberra - www.youtube.com/playlist?lis...
NYMJCSC - www.youtube.com/playlist?lis...
VirusBulletin - www.youtube.com/playlist?lis...
November 25, 2025 at 1:25 PM
Reposted by Virus Bulletin
My VB2025 talk, "Rogue hirer, rogue hiree: workplace cyber threats to individuals and businesses", is now online. Paper here: www.virusbulletin.com/uploads/pdf/...
Rogue hirer, rogue hiree: workplace cyber threats to individuals and businesses — Chris Boyd
November 24, 2025 at 12:28 PM
Reposted by Virus Bulletin
Check out our @cyberalliance.bsky.social @virusbtn.bsky.social TIPS Summit recordings!
TIPS is a mini-summit within the VB Conference that unites analysts, researchers, operators, and developers to address the key challenges and successes in threat intelligence.
www.youtube.com/playlist?lis...
VB2025 Threat Intelligence Practitioners' Summit - YouTube
VB2025 Threat Intelligence Practitioners' Summit, co-hosted with the Cyber Threat Alliance.
November 24, 2025 at 3:39 PM
Reposted by Virus Bulletin
#ESETresearch discovered a unique toolset, QuietEnvelope, targeting the MailGates email protection system of Taiwanese company OpenFind. The toolset was uploaded in an archive, named spam_log.7z, to VirusTotal from Taiwan. It contains Perl scripts, 3 stealthy backdoors, an argument runner, and misc files. 1/8
November 24, 2025 at 5:57 PM
Wiz researchers detected malicious npm packages linked to the recent Shai-Hulud-style campaign in which popular projects from Zapier, ENS Domains, PostHog, and Postman were trojanized. www.wiz.io/blog/shai-hu...
November 25, 2025 at 1:45 PM
Morphisec's Shmuel Uzan looks into a StealC V2 campaign targeting Blender users via malicious .blend 3D model files implanted on platforms like CGTrader. www.morphisec.com/blog/morphis...
November 25, 2025 at 1:43 PM
Huntress researchers Anna Pham (@RussianPanda9xx) & Ben Folland detail a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 & Rhadamanthys. www.huntress.com/blog/clickfi...
November 25, 2025 at 1:38 PM
The ENKI WhiteHat team looks at the evolution of KimJongRAT, a modular malware family attributed to Kimsuky that exfiltrates sensitive victim data, including system configuration and browser artifacts. www.enki.co.kr/en/media-cen...
November 24, 2025 at 9:15 AM
Sophos researcher Colin Cowie describes a persistent, multi-stage malware distribution campaign targeting WhatsApp users in Brazil. STAC3150 delivers archive attachments containing a downloader script that retrieves multiple second-stage payloads, including Astaroth. news.sophos.com/en-us/2025/1...
November 24, 2025 at 9:13 AM
Domaintools researchers present a report on APT35 (also referenced as “Charming Kitten”) based on leaked internal documents. The report reveals a regimented, quota-driven cyber operations unit operating inside a bureaucratic military chain of command. dti.domaintools.com/threat-intel...
November 24, 2025 at 9:10 AM
K7 Labs analyse a campaign ongoing in Brazil, spreading malware via WhatsApp web from the victim’s machine to their contacts by using the open-source WhatsApp automation script from GitHub whilst also loading a banking trojan into memory. labs.k7computing.com/index.php/br...
November 24, 2025 at 9:06 AM
K7's Praveen Babu analyses a Python-based malware sample that uses multi-stage obfuscation. labs.k7computing.com/index.php/ma...
November 21, 2025 at 9:53 AM
The Acronis TRU team look into a TamperedChef malvertising/SEO campaign delivering installers disguised as common applications to trick users into installing them, which establish persistence & deliver obfuscated JavaScript payloads for remote access & control. www.acronis.com/en/tru/posts...
November 21, 2025 at 9:52 AM
Orange researchers investigated an intrusion targeting an Asian subsidiary of a large European manufacturing organization. The infection chain was initiated by a targeted WhatsApp Web message containing a job-related lure, sent to a project engineer. www.orangecyberdefense.com/global/blog/...
November 21, 2025 at 9:48 AM
Trustwave SpiderLabs researchers analyse Eternidade Stealer, a banking trojan distributed through WhatsApp hijacking and social engineering lures. www.trustwave.com/en-us/resour...
November 20, 2025 at 10:43 AM
ESET's Facundo Muñoz & Dávid Gábriš provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that the researchers have named EdgeStepper. www.welivesecurity.com/en/eset-rese...
November 20, 2025 at 10:42 AM
Jamf Threat Labs dissects the new DigitStealer malware, a macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. www.jamf.com/blog/jtl-dig...
November 20, 2025 at 10:39 AM
Researchers from the Israel National Digital Agency have uncovered an ongoing espionage campaign conducted by Iranian threat actors tracked as SpearSpecter (APT42, Mint Sandstorm, Educated Manticore, CharmingCypress). govextra.gov.il/national-dig...
November 19, 2025 at 10:33 AM
For The DFIR Report, @Friffnz, Daniel Casenove & @MittenSec analyse an intrusion that started with a successful RDP logon to an internet-exposed system and in the end led to Lynx ransomware deployment. thedfirreport.com/2025/11/17/c...
November 18, 2025 at 11:12 AM
Mandiant's Mohamed El-Banna, Daniel Lee, Mike Stokkel & Josh Goddard detail TTPs observed in a targeted UNC1549 campaign against the aerospace, aviation, and defence industries in the Middle East. cloud.google.com/blog/topics/...
November 18, 2025 at 11:10 AM
Splunk's Teoderick Contreras looks into an updated .NET loader that uses steganography techniques to deliver various malware families. The variant includes an additional module specifically designed to further evade detection and hinder payload extraction. www.splunk.com/en_us/blog/s...
November 17, 2025 at 9:58 AM
Palo Alto Networks Unit 42 researchers identified two interconnected malware campaigns active throughout 2025, using large-scale brand impersonation to deliver Gh0st remote access trojan (RAT) variants to Chinese-speaking users. unit42.paloaltonetworks.com/impersonatio...
November 17, 2025 at 9:55 AM