APT & Nation-State Intelligence
Advanced Persistent Threat intelligence tracking nation-state actors — Lazarus Group, Sandworm, Volt Typhoon, and others. Campaign TTPs, targeted sectors, and SIGMA/KQL detection rules.
APT & Nation-State — Archive & Latest
TwizAdmin RaaS & Lazarus Mach-O Man: OTX Pulse Analysis — Multi-Stage Crypto Theft & macOS ClickFix
Urgent: TwizAdmin Crypto Clipper/RaaS and Lazarus Mach-O Man active. Credential theft, macOS targeting, and Middle East C2 expansion detected.
TwizAdmin MaaS & Lazarus Mach-O Man: OTX Pulse Analysis — Cross-Platform C2 & Credential Theft
Urgent: OTX data reveals active TwizAdmin MaaS operation & Lazarus Mach-O Man targeting Finance/Tech. High credential theft risk.
Lazarus Mach-O Man & TwizAdmin Operation: OTX Pulse Analysis — Multi-Platform Malware & C2 Infrastructure Surge
Lazarus macOS malware, TwizAdmin clipper, and massive Middle Eastern C2 infrastructure detected. High urgency.
TwizAdmin MaaS & Lazarus Mach-O Man: OTX Pulse Analysis — Multi-Platform C2 & ClickFix Detection Pack
OTX Pulse data reveals active TwizAdmin MaaS and Lazarus Mach-O Man campaigns targeting crypto and macOS via ClickFix. Urgency: High.
TwizAdmin MaaS, Lazarus Mach-O Man & Middle East C2 Surge: OTX Pulse Analysis
Active threats: DataBreachPlus TwizAdmin crypto-stealer, Lazarus macOS ClickFix campaign, & massive Middle East APT C2 infrastructure mapped.
Lazarus & WageMole Campaigns: macOS ClickFix, Mach-O Man & Dev Supply Chain Attacks — OTX Pulse Analysis
Active macOS ClickFix and dev supply chain attacks by Lazarus & WageMole using stealers and RATs. High urgency.
Void Dokkaebi Supply Chain Poisoning & Fox Tempest MSaaS: OTX Pulse Analysis
Analysis of Void Dokkaebi repo poisoning, Fox Tempest signing abuse, and macOS ClickFix stealers targeting developers and enterprises.
Fox Tempest MSaaS, UAT-8616 SD-WAN Attacks, & macOS ClickFix: Enterprise Detection Pack
Active exploitation of Cisco SD-WAN by UAT-8616, Fox Tempest's malware signing service, and macOS ClickFix infostealers.
Cisco Edge Exploitation: UAT-8616, Interlock & The Gentlemen — Webshell & RaaS Tactics
Active exploitation of Cisco/Fortinet CVEs by UAT-8616, Interlock, and The Gentlemen using webshells, Sliver, and SystemBC.
UAT-8616, Interlock & The Gentlemen: Cisco Edge Exploitation, Sliver C2, and PlasmaLoader OTX Pulse Analysis
Active exploitation of Cisco SD-WAN & FMC zero-days by UAT-8616 & Interlock; Sliver C2, Godzilla webshells, and SystemBC detected. Urgent patching required.
Cisco Edge Exploitation & SystemBC C2: UAT-8616, Interlock, and The Gentlemen Campaign Analysis
Active exploitation of Cisco SD-WAN/FMC & Fortinet. Threats include webshells, ransomware (Interlock), and SystemBC (Gentlemen).
UAT-8616 & Chollima APTs: Cisco SD-WAN Exploits & NPM Supply Chain Attacks — OTX Pulse Analysis
Active exploitation of Cisco SD-WAN & npm packages by UAT-8616 & Chollima. Detection for webshells, stealers, & ransomware. Urgency: High.
Cisco SD-WAN Zero-Days & NPM Supply Chain Attacks: UAT-8616, FAMOUS CHOLLIMA, and Interlock Campaigns
Critical exploitation of Cisco infrastructure and npm supply chains. UAT-8616 and Chollima active; crypto-mining and ransomware payloads confirmed.
UAT-8616 & Chollima Campaigns: Cisco SD-WAN Zero-Days & npm Supply Chain Attacks — Detection Engineering Briefing
Active exploitation of Cisco SD-WAN/FMC flaws and npm supply chain attacks by UAT-8616, Interlock, & Chollima. Immediate patching and IOC hunting required.
UAT-8616 & Interlock Cisco Exploits + FAMOUS CHOLLIMA NPM Supply Chain: OTX Pulse Analysis
Active exploitation of Cisco SD-WAN/FMC zero-days by UAT-8616 & Interlock, alongside North Korean OtterCookie npm attacks.
Cisco SD-WAN Exploit & Npm Supply Chain Attack: UAT-8616 & Chollima Campaign
Active exploitation of Cisco SD-WAN by UAT-8616 and North Korean npm supply chain attacks using OtterCookie infostealer.
UAT-8616 & Chollima APTs: Critical Cisco Exploitation and NPM Supply Chain Attacks — OTX Pulse Analysis
Active exploitation of Cisco SD-WAN/FMC by UAT-8616 & Interlock, alongside North Korean npm supply chain attacks targeting tech.
UAT-8616 & FAMOUS CHOLLIMA: Critical Cisco SD-WAN Exploitation & NPM Supply Chain Attack
Active exploitation of Cisco SD-WAN & npm packages by UAT-8616 & FAMOUS CHOLLIMA. Immediate patching required.
TroyDen & FAMOUS CHOLLIMA Campaigns: AI-Generated Lures & npm Supply Chain Attack — OTX Intelligence Briefing
AI-assisted lure factory and npm infostealer campaigns targeting developers; requires immediate IOC blocking and credential verification.
TroyDen & Chollima Supply Chain Attacks: LuaJIT & npm Infostealers — OTX Analysis
Active campaigns targeting developers via GitHub/npm packages; Interlock ransomware exploiting zero-days. High urgency.
TroyDen, Famous Chollima & Mr_Rot13 Campaigns: GitHub/npm Supply Chain & cPanel Exploitation Detection Pack
High urgency: Active supply chain attacks targeting developers (TroyDen/FAMOUS CHOLLIMA) and critical cPanel exploitation (Mr_Rot13) deploying infostealers.
TroyDen, Chollima & Mr_Rot13: Multi-Front Supply Chain Assault via GitHub, npm, and cPanel CVE-2026-41940
Critical APT campaigns targeting developers via malicious GitHub/npm packages and exploiting cPanel CVE-2026-41940 for backdoor deployment.
TroyDen, Mr_Rot13 & Lumma Remus: AI-Generated GitHub Lures, cPanel Exploits, and Stealer Evolution
OTX pulses reveal surge in infostealer campaigns via AI GitHub lures (TroyDen) and cPanel exploits (Mr_Rot13). High urgency.
TroyDen AI Lures & Mr_Rot13 cPanel Backdoors: OTX Pulse Analysis — Enterprise Detection Pack
Critical campaigns: TroyDen's AI GitHub lures distributing LuaJIT/Lumma, and Mr_Rot13 exploiting cPanel CVE-2026-41940 for persistence.
TroyDen & Mr_Rot13: AI-Generated Lures, LuaJIT Infostealers, and cPanel Backdoors — OTX Pulse Analysis
AI-assisted infostealers (LuaJIT/Lumma) and critical cPanel backdoors (Mr_Rot13) target gov/tech sectors; immediate blocking required.
TroyDen GitHub Lures, Mr_Rot13 cPanel Exploits & Remus Lumma Stealer: OTX Pulse Analysis
Active campaigns include TroyDen's AI-generated GitHub lures, Mr_Rot13's cPanel backdoors, and Remus 64-bit Lumma Stealer via EtherHiding.
Remus Infostealer v2, Beagle Backdoor, and Aerospace Extortion: OTX Pulse Analysis
64-bit Remus Stealer delivered via EtherHiding; fake Claude site spreads Beagle via DLL sideloading; aerospace sector faces intensified extortion.
Remus Stealer, Aerospace Extortion, and Beagle Backdoor: OTX Pulse Analysis — Enterprise Detection Pack
Remus 64-bit infostealer, aerospace supply chain extortion, and Beagle backdoor via fake Claude AI detected. Critical updates for SOCs.
Remus Infostealer & Aerospace Ransomware: OTX Pulse Analysis — Detection Engineering Pack
Emerging 64-bit Remus stealer, Beagle backdoor via fake Claude AI, and LockBit/Cl0p targeting aerospace sectors.
Remus 64-bit Infostealer, Beagle Backdoor & Aerospace APT Campaigns: OTX Pulse Analysis
Detection of Remus 64-bit infostealer, Beagle backdoor via fake Claude AI, and aerospace-targeted ransomware/APTs. Urgency: High.
Remus Stealer & Beagle Backdoor: Aerospace Extortion & AI-Themed Threats — OTX Pulse Analysis
Critical update: 64-bit Remus infostealer uses EtherHiding; Beagle targets AI users; Aerospace sector faces LockBit/APT ransomware pressure.
Remus Stealer, Aerospace Extortion, and Beagle Backdoor: OTX Pulse Analysis
Active campaigns include Remus infostealer (64-bit Lumma), aerospace supply chain ransomware, and Beagle backdoor via fake Claude AI site. High urgency.
Remus Infostealer & Aerospace Ransomware: Multi-Vector Threat Landscape — OTX Pulse Analysis
64-bit Remus infostealer; LockBit ransomware targeting global aerospace; fake Claude AI site distributing Beagle backdoor.
ClickFix Loaders & UAT-8302 Arsenal: OTX Pulse Analysis — Enterprise Detection Pack
Active ClickFix campaigns dropping NetSupport RAT via finger.exe, UAT-8302 APT activity, and LockBit aerospace extortion. High urgency.
KarstoRAT Surveillance & TeamPCP Supply Chain: OTX Pulse Analysis — RAT & Loader Detection Pack
Active campaigns: KarstoRAT surveillance, ClickFix/CastleLoader social engineering, and TeamPCP PyPI supply chain attack. High urgency.
KarstoRAT, ClickFix, and TeamPCP Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
Threat actors utilize KarstoRAT, ClickFix, and PyPI supply chain attacks to steal credentials via gaming lures and social engineering.
KarstoRAT Surveillance & TeamPCP Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses expose active campaigns featuring KarstoRAT webcam surveillance, ClickFix social engineering lures, and TeamPCP's PyPI SDK compromise.
KarstoRAT Surveillance & ClickFix/CastleLoader Campaigns: OTX Pulse Analysis
OTX pulses detect KarstoRAT, ClickFix social engineering, and malicious PyPI SDK packages. High urgency credential theft and RAT activity observed.
KarstoRAT Surveillance, ClickFix CastleLoader & PyPI Supply Chain: OTX Pulse Analysis
New KarstoRAT malware, ClickFix campaigns delivering NetSupport RAT, and TeamPCP supply chain attacks detected via OTX.
TeamPCP PyPI Supply Chain Attack, LofyStealer, and GhostSocks Proxy Botnet: OTX Pulse Analysis — Enterprise Detection Pack
OTX detects TeamPCP PyPI attack, LofyStealer targeting gamers, and GhostSocks MaaS proxy botnet. Immediate credential theft risk.
Supply Chain Attack: TeamPCP Telnyx SDK, LofyStealer & GhostSocks — OTX Pulse Analysis
Active PyPI supply chain compromise (TeamPCP), LofyStealer infostealer, and GhostSocks proxy MaaS detected. Critical credential theft risk.
TeamPCP Supply Chain Attack, LofyStealer & GhostSocks Proxy: OTX Pulse Analysis — Enterprise Detection Pack
Critical OTX alerts reveal TeamPCP PyPI supply chain attack, LofyStealer targeting gamers, and GhostSocks MaaS infecting education.
TeamPCP PyPI Supply Chain, LofyStealer, & GhostSocks Botnet: OTX Pulse Analysis — Enterprise Detection Pack
Supply chain attack on Telnyx SDK, LofyStealer targeting gamers, and GhostSocks proxy malware detected. Urgent credential theft risks.
TeamPCP PyPI Supply Chain Attack & LofyStealer/GhostSocks Campaigns: OTX Pulse Analysis
Supply chain compromise of Telnyx SDK, LofyStealer targeting gamers, and GhostSocks proxy malware. Critical update.
TeamPCP, LofyStealer & GhostSocks: OTX Threat Analysis — Enterprise Detection Pack
Urgent IOCs and detection logic for TeamPCP supply chain attack, LofyStealer infostealer, and GhostSocks proxy malware.
TeamPCP Supply Chain, LofyStealer & GhostSocks: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal TeamPCP PyPI attack, LofyStealer targeting gamers, and GhostSocks proxy botnet. Urgent supply chain & infostealer detection required.
GlassWorm, EtherRAT & Rebex Telegram RAT: Blockchain & Messaging C2 Convergence
Active campaigns abusing the Solana and Ethereum blockchains and Telegram for C2. Targets developers and retail, with activity observed in Vietnam, via supply chain compromise and CHM lures.
GlassWorm, EtherRAT & Rebex RAT: Blockchain-C2 and Multi-Stage Supply Chain Attacks
APTs using Solana/Ethereum smart contracts & Telegram API for resilient C2. Targeting developers & retail sectors. Urgency: High.
ClickFix & GlassWorm: Multi-Vector Stealer and RAT Campaigns — Enterprise Detection Pack
Active ClickFix and GlassWorm campaigns target enterprise devs and finance sectors with stealers and RATs via social engineering and supply chain.
ClickFix, GlassWorm & EtherRAT: Multi-Vector Social Engineering and Blockchain C2 Campaigns — Enterprise Detection Pack
OTX pulses reveal active ClickFix campaigns, GlassWorm supply chain attacks, and North Korean EtherRAT using Ethereum for C2 evasion.
Showing 50 of 78 reports. Archive expands automatically as new intel is generated.
Every APT & Nation-State Report Includes SIGMA & KQL Detection Rules
Every intelligence briefing on this page includes at least one Sigma rule, a Microsoft Sentinel KQL hunt query, and an IOC check script — ready to drop into your SIEM. No paywall. No registration.
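The IOC check scripts bundled with each briefing are the site's own and are not reproduced on this index page. As an added illustration, not code from this site or from any of the briefings, the following Python shows the shape such a check takes: indicators are refanged (OTX pulses commonly publish them as `hxxp://` and `example[.]net`), indexed by type (URL, domain, IPv4, SHA-256), and matched against log lines. Every indicator value and log line below is a constructed placeholder, not real pulse data or captured telemetry.

```python
"""Minimal IOC check: refang published indicators and match them against log lines.

Added example; all indicators and log lines are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list in the defanged form threat-intel feeds often use.
RAW_IOCS = [
    "hxxps://update-check[.]example/clickfix/stage1",
    "cdn[.]example[.]net",
    "198.51.100.23",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
]

# Constructed proxy / EDR / firewall style log lines (not real telemetry).
SAMPLE_LOGS = [
    '2024-01-01T10:00:01Z proxy src=10.0.0.5 dst=update-check.example url="https://update-check.example/clickfix/stage1" action=allow',
    '2024-01-01T10:00:02Z edr host=ws17 image=C:\\Windows\\System32\\finger.exe parent=powershell.exe sha256=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0',
    '2024-01-01T10:00:03Z proxy src=10.0.0.9 dst=cdn.example.net url="https://cdn.example.net/lib.js" action=allow',
    '2024-01-01T10:00:04Z fw src=10.0.0.12 dst=198.51.100.23 dport=443 action=allow',
    '2024-01-01T10:00:05Z proxy src=10.0.0.7 dst=www.example.org url="https://www.example.org/" action=allow',
]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator matches what real logs contain."""
    s = ioc.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    s = s.replace("[:]", ":")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def classify(ioc: str) -> tuple[str, str]:
    """Return (indicator type, normalized value)."""
    s = refang(ioc)
    try:
        return "ip", str(ipaddress.ip_address(s))  # canonical form, rejects 999.1.1.1
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", s):
        return "sha256", s
    if "://" in s:
        return "url", s
    return "domain", s


def build_index(raw_iocs: list[str]) -> dict[str, set[str]]:
    """Group indicators by type; URL indicators also contribute their host."""
    idx: dict[str, set[str]] = defaultdict(set)
    for ioc in raw_iocs:
        kind, value = classify(ioc)
        idx[kind].add(value)
        if kind == "url":
            # A changed path should still hit on the host.
            host = re.sub(r"^https?://", "", value).split("/")[0].split(":")[0]
            idx["domain"].add(host)
    return idx


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


def scan_line(line: str, idx: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Extract candidate tokens from one log line and look them up in the index."""
    text = line.lower()  # hashes and hostnames are case-insensitive
    hits: list[tuple[str, str]] = []
    for host in sorted(set(HOST_RE.findall(text))):
        if host in idx["domain"]:
            hits.append(("domain", host))
    for ip in sorted(set(IPV4_RE.findall(text))):
        try:
            canon = str(ipaddress.ip_address(ip))
        except ValueError:
            continue  # e.g. a version string that looks like an address
        if canon in idx["ip"]:
            hits.append(("ip", canon))
    for digest in sorted(set(HASH_RE.findall(text))):
        if digest in idx["sha256"]:
            hits.append(("sha256", digest))
    for url in sorted(idx["url"]):
        if url in text:
            hits.append(("url", url))
    return hits


def run(raw_iocs: list[str] = RAW_IOCS, logs: list[str] = SAMPLE_LOGS) -> dict[int, list[tuple[str, str]]]:
    """Return {line_index: hits} for every log line with at least one indicator match."""
    idx = build_index(raw_iocs)
    return {i: h for i, line in enumerate(logs) if (h := scan_line(line, idx))}


if __name__ == "__main__":
    for i, hits in run().items():
        print(f"line {i}: {hits}")
```

Refanging before matching is the step most home-grown IOC scripts skip, and the reason a published `example[.]net` never fires against a proxy log. The hostname regex deliberately over-extracts (it will pull `finger.exe` out of an image path); that is harmless because every candidate is checked against the index rather than treated as a finding.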