🚨 UPDATE: The Google-abusing #Magecart campaign we exposed in late 2024 https://t.co/3onXmIDs4q
Is now being used for #ClickFix attacks 👇
1️⃣ A WebSocket opens to metrics.brandiser.\net
2️⃣ Its incoming message runs & fires a fake request to https://t.co/6loESbbI5c[.]com
3️⃣ The reflected code calls consent.trandiqs.\com
4️⃣ The response serves the ClickFix attack
#ClientSideSecurity #infosec #malware #magecart
A malicious Chromium-based extension spoofed the AI-powered answer engine Perplexity AI to intercept browser search traffic and collect user input before redirecting users to expected search providers. https://t.co/moxI8DxhiQ
Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. https://t.co/VerutunRvb
Threat actors have continued to refine the campaign over time while maintaining the same core attack chain. Microsoft observed two distinct waves of activity, including changes to delivery mechanisms, infrastructure, and evasion techniques designed to help the operation persist and avoid detection.
For example, the second wave demonstrates the resilience of the campaign's dual-persistence model. In one observed case, malicious payloads were blocked, yet Node.js persistence remained active and later re-established command-and-control (C2) communications through new infrastructure.
Learn more about the campaign's evolution, phishing infrastructure, and persistence mechanisms, and review Microsoft Defender detections and recommendations to help organizations investigate and defend against this activity.
🚨💣 ÚLTIMA HORA - COMUNICADO DEL CLUB EN EL @diarioas.
“El Atlético llevará al Barcelona ante la justicia deportiva por la negociación con Julián Alvarez, un jugador con contrato hasta 2030 con los rojiblancos, para provocar el cambio del Metropolitano por el Camp Nou este verano”.
“En el pasado ya hemos visto la forma de funcionar del Barcelona”.
“Cuando el Atlético se estaba jugando la Champions frente a la Juve”.
“Prometiendo comisiones a su hermana (Griezmann) , a su familia y al propio jugador...”.
“No hay ninguna cantidad por la que el Barcelona pueda comprar a Julián, que no será transferido al Barcelona”. “O paga la cláusula (de 500 millones) o nada”.
“Todo el mundo sabe que es un club tramposo”.
“Se han topado con un club que no les va a reír la gracia”.
Brazilian malware campaign observed leveraging an HTA/VBScript loader using VBScript to stage payloads from larpers[.]eu into a random %TEMP% directory.
It downloads two files, renames them to p.exe and hda_config.dat, executes the PE silently, then opens a fake PDF as decoy:
Classic HTA + curl + temp payload execution chain.
larpers[.]eu/api/d/c66ae1c001c64d8a93574503077403cf/a?t=852c57eb7d0d9843c12c8eb344d12527/
Victims are lured to a fake digital artist portfolio ("Mya Artes"), complete with a convincing backstory, anime-themed design, and free artwork downloads. The advertised ZIP ultimately delivers an HTA loader that stages and executes the malware.
A good reminder that well-crafted fake websites remain highly effective infection vectors and AI is making it easier than ever for threat actors to build convincing phishing lures.
Last week I presented at #Rebellion2026 conference on DPRK IT workers, with a focus on endpoint forensics, OSINT investigations, abused identity marketplaces, and related tradecraft.
I also released a small tool #Ghosthire - a free triage tool for candidate screening and on some common tactics abused by DPRK IT Workers. You can drop a resume (docx/pdf) and it pulls and checks
1. Metadata
2. Identity mismatch detection
3. GitHub backdated commit history
4. VOIP phone number usage
5. And the best feature follower cluster mapping to find additional fake identities linked to the same Github account (Attached Figure, 1 account revealed 8 other accounts that needs review)
Tool Link - https://t.co/LU4oEqS07w
Here is the demo uploaded on YouTube
https://t.co/iI319gxFEL
🔒 Private DFIR Report: ClickFix Leads to Tsundere Bot, Tunnels, RMMs, and Double Theft
Hands-on-keyboard activity began less than 20 minutes after initial execution. The threat actor quickly performed host and domain discovery, captured screenshots, enumerated domain users and groups, and escalated operations through Cobalt Strike, Kerberoasting, and the use of compromised privileged credentials.
Request access to the private DFIR report or schedule a demo to see how our Threat Intelligence offering delivers timely, actionable intel for defenders: https://t.co/T4Yoza4Ipx
Final comment on the ServiceNow incident. I've had the opportunity to review the code that was live during the incident. There are appropriate guardrails in place to prevent arbitrary table write (e.g user creation, script execution).
Cuando el futbol femenino no necesitaba tapar una mala etapa del club... cuando Putellas ganaba títulos con el Espanyol (y no tenían repercusión mediática).
Otra (otra más) historia de la "Masia"
Putellas, Torrejón, Cucurella, Dani Olmo, Joan García.
Es muy difícil sobrevivir
An #adware campaign involving 50+ Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40+ extensions and wiping IndexedDB on install and startup. Details at https://t.co/yihnkqJ3tj
One host touching 50+ internal IPs across 5+ ports in under 5 minutes is not “normal admin activity.”
That is how ransomware operators map your network before encryption. 👀
The best part?
This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic.
I shared both the KQL and ESQL versions in the article. More discovery-phase detections soon.
On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.
This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them.
https://t.co/rl9EVrA371
With another VS Code Extension compromise, probably being one night of sleep away, and the compromise of GitHub being conformed to orignate from an VS Code Extension, it is time to share some thoughts in the 🧵
https://t.co/55N5uaZ1zL
🚨 𝗟𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝗕𝟮𝗕 𝗪𝗲𝗯𝘀𝗶𝘁𝗲𝘀 𝗔𝗯𝘂𝘀𝗲𝗱 𝗳𝗼𝗿 𝗙𝗶𝗹𝗲𝗹𝗲𝘀𝘀 𝗠𝗮𝗹𝘄𝗮𝗿𝗲 𝗗𝗲𝗹𝗶𝘃𝗲𝗿𝘆: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We’re tracking widespread #ClickFix activity using compromised legitimate websites to deliver fileless malware, lowering suspicion and delaying detection.
⚠️ Finance, banking, healthcare, manufacturing, and tech are among the most exposed industries.
❗️ The activity looks low-risk until fileless execution and outbound C2 traffic are already established. Attackers inject a lightweight inline JavaScript loader into compromised sites, which retrieves a second-stage payload directly into the victim’s browser from external infrastructure.
The attack chain blends into normal web traffic, relies on PowerShell and in-memory execution, and later shifts C2 communication into the legitimate system process svchost.exe, making malicious activity harder to distinguish from routine system behavior for SOC and MSSP teams.
⚡️ #ANYRUN Sandbox helps teams validate suspicious activity faster and contain fileless attacks before they escalate. Analysts can observe the full execution chain in real time:
Inline JS loader ➡️ User-executed PowerShell (IEX/IRM) ➡️ Hidden second-stage PowerShell and loader retrieval ➡️ Fileless in-memory execution inside powershell.exe ➡️ Follow-on .NET payload delivery ➡️ svchost.exe injection ➡️ Custom TCP C2 🚨
👨💻 Learn how #ANYRUN helps security teams detect complex threats and contain incidents faster: https://t.co/Lb2wUnzq1F
📈 Scale your SOC with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: https://t.co/oPVnlqPvPY
IOCs:
/jsrepo?rnd=
/teamrepo?rnd=
ntdnewtds[.]shop
dnsnewtds[.]shop
sdntds[.]shop
newtdsone[.]shop
nttdss[.]shop
Dntds[.]shop
178[.]16[.]52[.]232
158[.]94[.]208[.]92
158[.]94[.]208[.]104
91[.]92[.]243[.]161
#ExploreWithANYRUN