CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone

GroupUnknown threat actor, attribution unconfirmedTypeModular RAT with novel MFA-interception pluginCVEsNone assigned. Exploits legitimate Windows application behaviour rather than a software vulnerabilityMalwareCloudZ RAT — modular .NET remote access tool with credential theft, screen recording, and C2 capabilities. Pheno — previously undocumented plugin that hijacks Microsoft Phone Link to intercept SMS messages and OTPs

Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap

GroupUNC6692 (financially motivated cluster, attribution unconfirmed beyond Mandiant tracking ID)TypeModular custom malware suite, browser extension plus Python tunneler plus Python backdoorMalwareSNOWBELT (Chromium extension), SNOWGLAZE (WebSocket and SOCKS tunneler), SNOWBASIN (local HTTP backdoor)DeliveryEmail bombing followed by Microsoft Teams impersonation of internal IT helpdesk staffScore7.5 High. Active campaign, novel

Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them

GroupUnknown cybercriminal operator(s); attribution unconfirmedTypeInfostealer-as-a-ServiceMalwareStorm; a session-hijacking credential stealer that exfiltrates encrypted browser data to attacker infrastructure for server-side decryption, bypassing Chrome App-Bound Encryption and endpoint detectionScore🟠 8.5 High. Actively deployed against confirmed victims across at least six countries, defeats Google Chrome's App-Bound Encryption, renders MFA

CPUID Supply Chain Attack Delivers STX RAT via Trojanised CPU-Z and HWMonitor Downloads

GroupAttribution unconfirmed. Infrastructure overlap identified with a March 2026 fake FileZilla distribution campaign. C2 domain first observed November 2025. Campaign tagged internally as "CityOfSin".TypeSupply Chain Attack / Remote Access Trojan / BackdoorMalwareSTX RAT (classified as Backdoor.Win64.Alien by Kaspersky) — a multi-stage, memory-resident remote access trojan with credential theft,

Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

GroupUNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor)Typenpm Supply Chain Compromise / Cross-Platform Remote Access TrojanMalwareSILKBELL: postinstall dropper embedded in plain-crypto-js@4.2.1. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaignsScore🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded