Virus Bulletin
virusbtn.bsky.social
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Trend Micro researchers share their findings on the Shai-hulud 2.0 campaign and reveal new functions that weren’t observed in its first variant, such as backdoor capabilities. www.trendmicro.com/en_us/resear...
November 28, 2025 at 9:41 AM
WithSecure researchers analyse TangleCrypt. The packer was found on two executables used in a recent ransomware attack; their payloads were both identified as an EDR killer known as STONESTOP that leverages the malicious ABYSSWORKER driver. labs.withsecure.com/publications...
November 28, 2025 at 9:35 AM
Cleafy Threat Intelligence team has identified & analysed Albiriox, a newly emerging Android malware family promoted as a malware-as-a-service within underground cybercrime forums. Evidence suggests the operation is managed by Russian-speaking threat actors. www.cleafy.com/cleafy-labs/...
November 28, 2025 at 9:32 AM
ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. www.reversinglabs.com/blog/bootstr...
November 27, 2025 at 12:17 PM
FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities at the end of October during a global disruption of AWS connections. This activity was likely a test run conducted in preparation for future attacks. www.fortinet.com/blog/threat-...
November 27, 2025 at 12:12 PM
Bitdefender Labs has identified malware campaigns exploiting the popularity of EA's Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers and fake game trainers across torrent websites & other easily found domains. www.bitdefender.com/en-us/blog/l...
November 26, 2025 at 10:17 AM
Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. www.jamf.com/blog/flexibl...
November 26, 2025 at 10:05 AM
Zscaler researchers analyse a recent multi-stage attack that started from exploitation of a Windows MMC vulnerability and is attributed to the Water Gamayun APT group. www.zscaler.com/blogs/securi...
November 26, 2025 at 9:56 AM
Wiz researchers detected malicious npm packages linked to the recent Shai-Hulud-style campaign in which popular projects from Zapier, ENS Domains, PostHog, and Postman were trojanized. www.wiz.io/blog/shai-hu...
November 25, 2025 at 1:45 PM
Morphisec's Shmuel Uzan looks into a StealC V2 campaign targeting Blender users via malicious .blend 3D model files implanted on platforms like CGTrader. www.morphisec.com/blog/morphis...
November 25, 2025 at 1:43 PM
Huntress researchers Anna Pham (@RussianPanda9xx) & Ben Folland detail a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 & Rhadamanthys. www.huntress.com/blog/clickfi...
November 25, 2025 at 1:38 PM
The ENKI WhiteHat team looks at the evolution of KimJongRAT, a modular malware family attributed to Kimsuky that exfiltrates sensitive victim data, including system configuration and browser artifacts. www.enki.co.kr/en/media-cen...
November 24, 2025 at 9:15 AM
Sophos researcher Colin Cowie describes a persistent, multi-stage malware distribution campaign targeting WhatsApp users in Brazil. STAC3150 delivers archive attachments containing a downloader script that retrieves multiple second-stage payloads, including Astaroth. news.sophos.com/en-us/2025/1...
November 24, 2025 at 9:13 AM
Domaintools researchers present a report on APT35 (also referenced as “Charming Kitten”) based on leaked internal documents. The report reveals a regimented, quota-driven cyber operations unit operating inside a bureaucratic military chain of command. dti.domaintools.com/threat-intel...
November 24, 2025 at 9:10 AM
K7 Labs analyse a campaign ongoing in Brazil, spreading malware via WhatsApp web from the victim’s machine to their contacts by using the open-source WhatsApp automation script from GitHub whilst also loading a banking trojan into memory. labs.k7computing.com/index.php/br...
November 24, 2025 at 9:06 AM
K7's Praveen Babu analyses a Python-based malware sample that uses multi-stage obfuscation. labs.k7computing.com/index.php/ma...
November 21, 2025 at 9:53 AM
The Acronis TRU team look into a TamperedChef malvertising/SEO campaign delivering installers disguised as common applications to trick users into installing them, which establish persistence & deliver obfuscated JavaScript payloads for remote access & control. www.acronis.com/en/tru/posts...
November 21, 2025 at 9:52 AM
Orange researchers investigated an intrusion targeting an Asian subsidiary of a large European manufacturing organization. The infection chain was initiated by a targeted WhatsApp Web message containing a job-related lure, sent to a project engineer. www.orangecyberdefense.com/global/blog/...
November 21, 2025 at 9:48 AM
Trustwave SpiderLabs researchers analyse Eternidade Stealer, a banking trojan distributed through WhatsApp hijacking and social engineering lures. www.trustwave.com/en-us/resour...
November 20, 2025 at 10:43 AM
ESET's Facundo Muñoz & Dávid Gábriš provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that the researchers have named EdgeStepper. www.welivesecurity.com/en/eset-rese...
November 20, 2025 at 10:42 AM
Jamf Threat Labs dissects the new DigitStealer malware, a macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. www.jamf.com/blog/jtl-dig...
November 20, 2025 at 10:39 AM
Researchers from the Israel National Digital Agency have uncovered an ongoing espionage campaign conducted by Iranian threat actors tracked as SpearSpecter (APT42, Mint Sandstorm, Educated Manticore, CharmingCypress). govextra.gov.il/national-dig...
November 19, 2025 at 10:33 AM
For The DFIR Report, @Friffnz, Daniel Casenove & @MittenSec analyse an intrusion that started with a successful RDP logon to an internet-exposed system and in the end led to Lynx ransomware deployment. thedfirreport.com/2025/11/17/c...
November 18, 2025 at 11:12 AM
Mandiant's Mohamed El-Banna, Daniel Lee, Mike Stokkel & Josh Goddard detail TTPs observed in a targeted UNC1549 campaign against the aerospace, aviation, and defence industries in the Middle East. cloud.google.com/blog/topics/...
November 18, 2025 at 11:10 AM
Splunk's Teoderick Contreras looks into an updated .NET loader that uses steganography techniques to deliver various malware families. The variant includes an additional module specifically designed to further evade detection and hinder payload extraction. www.splunk.com/en_us/blog/s...
November 17, 2025 at 9:58 AM