Malware

A collection of 176 posts
CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone
Malware

Group – Unknown threat actor, attribution unconfirmed
Type – Modular RAT with novel MFA-interception plugin
CVEs – None assigned. Exploits legitimate Windows application behaviour rather than a software vulnerability
Malware – CloudZ RAT: modular .NET remote access tool with credential theft, screen recording, and C2 capabilities. Pheno: previously undocumented plugin that hijacks Microsoft Phone Link to intercept SMS messages and OTPs
8 min read
Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap
Malware

Group – UNC6692 (financially motivated cluster, attribution unconfirmed beyond Mandiant tracking ID)
Type – Modular custom malware suite, browser extension plus Python tunneler plus Python backdoor
Malware – SNOWBELT (Chromium extension), SNOWGLAZE (WebSocket and SOCKS tunneler), SNOWBASIN (local HTTP backdoor)
Delivery – Email bombing followed by Microsoft Teams impersonation of internal IT helpdesk staff
Score – 7.5 High. Active campaign, novel
8 min read
Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them
Infostealer

Group – Unknown cybercriminal operator(s); attribution unconfirmed
Type – Infostealer-as-a-Service
Malware – Storm; a session-hijacking credential stealer that exfiltrates encrypted browser data to attacker infrastructure for server-side decryption, bypassing Chrome App-Bound Encryption and endpoint detection
Score – 🟠 8.5 High. Actively deployed against confirmed victims across at least six countries, defeats Google Chrome's App-Bound Encryption, renders MFA
8 min read
CPUID Supply Chain Attack Delivers STX RAT via Trojanised CPU-Z and HWMonitor Downloads
Supply Chain Attack

Group – Attribution unconfirmed. Infrastructure overlap identified with a March 2026 fake FileZilla distribution campaign. C2 domain first observed November 2025. Campaign tagged internally as "CityOfSin".
Type – Supply Chain Attack / Remote Access Trojan / Backdoor
Malware – STX RAT (classified as Backdoor.Win64.Alien by Kaspersky): a multi-stage, memory-resident remote access trojan with credential theft,
9 min read
Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack
Supply Chain Attack

Group – UNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor)
Type – npm Supply Chain Compromise / Cross-Platform Remote Access Trojan
Malware – SILKBELL: postinstall dropper embedded in plain-crypto-js@4.2.1. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaigns
Score – 🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded
10 min read
TeamPCP Injects Credential Stealer Into Trivy Releases and Spreads to npm via CanisterWorm
TeamPCP

Group – TeamPCP (financially motivated threat actor, reportedly collaborating with LAPSUS$ for extortion; nationality unconfirmed)
Type – Multi-Ecosystem Supply Chain Attack, Infostealer, Self-Propagating Worm, Kubernetes Wiper
Delivery – Compromised GitHub Actions (trivy-action, setup-trivy, kics-github-action, ast-github-action) plus poisoned PyPI packages (litellm) and self-propagating npm infection via CanisterWorm
Malware – TeamPCP Cloud Stealer: three-stage CI/CD credential harvester; CanisterWorm:
11 min read
DarkSword iOS Exploit Chains Six Vulnerabilities for Silent Device Takeover
iOS Security

Group – UNC6353 (suspected Russian espionage); UNC6748 (cybercriminal); PARS Defense (commercial surveillance vendor)
Type – iOS Exploit Kit, Infostealer, APT Campaign
CVEs – CVE-2025-31277 (JavaScriptCore JIT type confusion); CVE-2025-43529 (JavaScriptCore DFG garbage collection bug); CVE-2026-20700 (dyld PAC bypass); CVE-2025-14174 (ANGLE memory corruption, CVSS 8.8); CVE-2025-43510 (XNU copy-on-write privilege escalation, CVSS 8.6); CVE-2025-43520 (XNU VFS race
7 min read
GlassWorm Exploits Trust in Open Source Ecosystems
Malware

Threat Group – Unattributed
Threat Type – Supply chain malware, infostealer, credential theft
Exploited Vulnerabilities – No CVE assigned. Abuse of trusted package registries, compromised publisher access, stolen developer credentials, invisible Unicode obfuscation, and extension dependency abuse
Malware Used – GlassWorm loader and follow-on JavaScript-based payloads
Threat Score – 8.7 🔥 Critical
Last
5 min read
VodkaStealer Malware Harvests Browser Credentials and Session Token
Malware

Threat Group – Unidentified financially motivated threat actor associated with the ClickFix WordPress compromise campaign
Threat Type – Information Stealer
Exploited Vulnerabilities – ClickFix social engineering using compromised WordPress sites and fake Cloudflare verification prompts
Malware Used – VodkaStealer, DoubleDonut loader, ChromElevator
Threat Score – 🔴 7.6 High – Advanced credential harvesting malware delivered through large
5 min read
UnsolicitedBooker Deploys MarsSnake Against Telecom Providers
Malware

Threat Group – UnsolicitedBooker
Threat Type – Backdoor / Advanced Persistent Threat
Exploited Vulnerabilities – CVE-2018-0802
Malware Used – MarsSnake, MarsSnakeLoader, LuciDoor, LuciLoad
Threat Score – 8.7 🔥 Critical – State-aligned espionage platform with wormable capability, decentralised IPFS command fallback, telecommunications targeting, long-term persistence and advanced evasion techniques
Last Threat Observation – 24 February 2026
Overview
5 min read