Malware

A collection of 149 posts
LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure
Ransomware

LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure

Threat Group – LockBit operators Threat Type – Ransomware as a Service Exploited Vulnerabilities – Exposed remote access services, unpatched internet facing infrastructure, valid credential reuse, weak virtualisation hardening Malware Used – LockBit 5.0 Windows Linux and ESXi variants Threat Score – 7.5 🔴 High – Cross platform impact with ESXi targeting, rapid encryption, and
6 min read
BRICKSTORM new Windows variant expands targeting of legal and technology sectors
$BRICKSTORM

BRICKSTORM new Windows variant expands targeting of legal and technology sectors

Threat Group – China-nexus UNC5221 Threat Type – Espionage backdoor and post-exploitation toolkit Exploited Vulnerabilities – Ivanti Connect Secure auth-bypass and command injection (CVE-2023-46805, CVE-2024-21887), Ivanti Connect Secure RCE buffer overflow (CVE-2025-22457), weak edge-appliance hardening, exposed management interfaces, valid-credential reuse Malware Used – BRICKSTORM backdoor with file-manager UI and network tunnelling; associated tooling and
6 min read
COLDRIVER targets policy and critical infrastructure using BAITSWITCH-SIMPLEFIX chain
COLDRIVER

COLDRIVER targets policy and critical infrastructure using BAITSWITCH-SIMPLEFIX chain

Threat Group – COLDRIVER Threat Type – Espionage malware and social engineering Exploited Vulnerabilities – User execution via ClickFix lure, abuse of rundll32, script execution and registry-based persistence (no CVEs assigned) Malware Used – BAITSWITCH downloader, SIMPLEFIX PowerShell backdoor, LOSTKEYS VBS payload, SPICA backdoor Threat Score – 8.2 🔴 High Last Threat Observation – 25 September
7 min read
Sindoor Dropper Phishing Exploits Linux Desktop Files for Persistent Remote Control
Phishing

Sindoor Dropper Phishing Exploits Linux Desktop Files for Persistent Remote Control

Threat Group: Transparent Tribe / APT36 / Mythic Leopard / G0134 Threat Type: Targeted phishing dropper, Linux desktop shortcut abuse, remote administration tool deployment, cyber espionage Exploited Vulnerabilities: No public CVE exploitation confirmed. Abuse of Linux .desktop launcher behaviour, user execution, weak attachment controls, and trusted cloud storage delivery. Malware Used: Sindoor Dropper
5 min read
Skype Delivered SCR and PIF Files Deploy GodRAT Malware in Financial Campaigns
Malware

Skype Delivered SCR and PIF Files Deploy GodRAT Malware in Financial Campaigns

Threat Group: Winnti (APT41) – suspected attribution based on code lineage and targeting Threat Type: Remote Access Trojan (RAT) Exploited Vulnerabilities: Social engineering via Skype delivering malicious .SCR and .PIF files containing steganographic shellcode in JPEGs and DLL sideloading Malware Used: GodRAT – evolution of Gh0st RAT and AwesomePuppet, featuring plugin-based architecture
4 min read
PXA Stealer Malware Uses Trusted Cloud Services to Exfiltrate Government and Education Credentials
Malware

PXA Stealer Malware Uses Trusted Cloud Services to Exfiltrate Government and Education Credentials

Threat Group: Vietnamese-speaking cybercrime actors (possible overlap with CoralRaider) Threat Type: Python-based Information Stealer (Infostealer) Exploited Vulnerabilities: DLL sideloading, phishing ZIP archives, abuse of legitimate cloud services (Cloudflare Workers, Dropbox) Malware Used: PXA Stealer Threat Score: 🔥 Critical (9.0/10) – Due to advanced evasion, large-scale credential theft, and abuse of
3 min read