Malware & Criminal Tooling Intelligence
New malware families, crimeware updates, loader/dropper campaigns, C2 infrastructure, and initial access broker tooling emerging from criminal underground channels.
Malware & Criminal Tooling — Archive & Latest
BabaDeda Loader: ClickFix Malware Campaign Analysis — Enterprise Detection Pack
Evolving BabaDeda loader using ClickFix technique for payload delivery. Urgent: block identified C2 IPs and hunt for installer-based infections.
Nezha Web Shell Campaign & BabaDeda ClickFix Loader: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal active abuse of Nezha monitoring tool via phpMyAdmin log poisoning and the evolution of the BabaDeda ClickFix loader.
AsyncRAT & Remcos Steganography Campaign: OTX Pulse Analysis — Enterprise Detection Pack
Active global phishing campaign using Excel macros and steganography to deliver AsyncRAT/Remcos. High urgency.
CastleRAT, AsyncRAT & Havoc Framework: Multi-Vector Malware Campaign Analysis — Detection Pack
Active campaigns utilizing ClickFix, steganography, and tax lures delivering CastleRAT, AsyncRAT, and Havoc. High urgency.
RustDuck Botnet, AsyncRAT Sideloading & Gamaredon GammaWorm: OTX Pulse Analysis — Enterprise Detection Pack
Critical surge in threats: RustDuck IoT DDoS botnet, AsyncRAT via typosquatting, and Gamaredon espionage targeting Ukraine.
Gamaredon APT, BTMOB Android RAT & Malicious VPN Extensions: OTX Pulse Analysis
FSB-linked Gamaredon targeting Ukraine, Android RAT surge in LatAm, and clipper malware distributed via trojanized VPN extensions.
GHOST STADIUM, Millenium RAT, and LokiBot: OTX Pulse Analysis — Phishing, MaaS, and Infostealer Campaigns
Active campaigns detected: FIFA World Cup phishing (Vidar/Lumma), Millenium RAT MaaS, and LokiBot infostealer. High urgency for credential protection.
FortiBleed Harvesters & Ghost Stadium Phish: OTX Pulse Analysis — Steganography & Credential Theft
Three active threats: FortiBleed FortiGate harvester, multi-stage stego loaders (Remcos/Agent Tesla), and Ghost Stadium FIFA fraud.
StrikeShark Campaign & macOS.Gaslight Backdoor: OTX Pulse Analysis — Multi-Vector Threat Briefing
Active StrikeShark exploitation, DPRK macOS.Gaslight backdoor, and PostCSS supply chain RAT detected. High urgency for gov/tech sectors.
Lazarus Supply Chain & Cloud Atlas APT: OTX Pulse Analysis — Multi-Vector Malware Detection Pack
Urgent: Lazarus 3CX supply chain attack and Cloud Atlas APT campaigns targeting Gov/Healthcare. IOCs and detection rules inside.
Lazarus Supply Chain & Cloud Atlas RATs: OTX Pulse Analysis — Global Threat Briefing
Lazarus targets finance/energy via trojanized 3CX; Cloud Atlas and unknown actors hit gov/healthcare with stealers and RATs. Urgency: High.
Shai-Hulud npm Worm, Cloud Atlas APT, & Gentlemen RaaS: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal active supply-chain attacks via npm, Cloud Atlas APT targeting government, and Gentlemen ransomware defense evasion tactics.
Shai-Hulud Supply Chain Attack, Cloud Atlas APT Recon, and The Gentlemen RaaS Evasion: OTX Pulse Analysis
Critical threats: Shai-Hulud npm worm, Cloud Atlas phishing new payloads, and The Gentlemen ransomware clearing logs.
Shai-Hulud NPM Worm, The Gentlemen RaaS, & ClickFix Polymorphism: OTX Pulse Analysis
Active npm supply-chain attacks, evasive ransomware TTPs, and polymorphic ClickFix campaigns detected. High urgency for credential theft.
Operation Endgame Aftermath: SocGholish, NPM Shai-Hulud Worm, and ClickFix Fileless Attacks
Briefing on SocGholish infrastructure disruption, npm Shai-Hulud worms, and ClickFix fileless attacks. Critical detection guidance included.
Operation Endgame Disruption & Shai-Hulud Supply Chain: TA569, GoldFactory, and NPM Threats
TA569 infrastructure disrupted; Shai-Hulud worm hits npm; GoldFactory tax fraud active. Block IOCs immediately.
Shai-Hulud, ShinyHunters (CVE-2026-35273), & Potemkin Loader: OTX Pulse Analysis — Enterprise Detection Pack
Active NPM supply chain attack, Oracle PeopleSoft zero-day exploitation, and Potemkin ClickFix loader campaign detected. High urgency.
Potemkin Loader, AsyncRAT AI Lures & APT37 NarwhalRAT: OTX Pulse Analysis — Enterprise Detection Pack
Urgent OTX pulses reveal ClickFix attacks delivering Potemkin/RMMProject, AI-themed AsyncRAT campaigns, and APT37 NarwhalRAT spear-phishing.
ShinyHunters, Potemkin & AsyncRAT Campaigns: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns: UNC6240 targeting Education via Oracle RCE, and widespread Potemkin/AsyncRAT distribution via ClickFix & AI lures.
AsyncRAT, APT37 NarwhalRAT & OnyxC2: OTX Pulse Analysis of Active RAT & Stealer Campaigns
Active campaigns delivering AsyncRAT via AI lures, APT37's NarwhalRAT, and OnyxC2 MaaS. High urgency due to credential theft.
4BID Hacktivist Ops, Needle Crypto-Stealer, & The Gentlemen Ransomware: OTX Pulse Analysis
OTX pulses reveal active 4BID hacktivism via ProxyShell, Needle MaaS crypto-theft, and The Gentlemen ransomware targeting critical sectors.
The Gentlemen RaaS & AI Supply Chain Poisoning: SystemBC, AMOS Stealer, and CVE-2024-55591 Exploitation
Active RaaS operation Storm-2697 exploits CVE-2024-55591 while threat actors poison AI supply chains with AMOS Stealer. Urgent patching required.
The Gentlemen RaaS (Storm-2697) & AI Supply Chain (AMOS Stealer): OTX Pulse Analysis
Alert: The Gentlemen ransomware exploiting CVE-2024-55591 and AI supply chain trojans dropping AMOS stealer. High urgency.
OTX Pulse Analysis: 4BID Hacktivist Operations & PAN-OS Zero-Day Exploitation (CL-STA-1132)
4BID group leverages ProxyShell/Sliver to target Gov/Healthcare; CL-STA-1132 exploits PAN-OS zero-day; GriefLure hits Vietnam/Philippines.
ClickFix RATs & CL-STA-1132 PAN-OS Exploitation: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns targeting macOS/Windows with ClickFix (CastleLoader/AMOS) and critical PAN-OS zero-day exploitation by CL-STA-1132.
ClickFix Campaigns & PAN-OS Exploitation: OTX Pulse Analysis — CastleLoader, macOS Infostealers, and EarthWorm
Active ClickFix campaigns delivering CastleLoader/macOS infostealers plus CL-STA-1132 exploiting PAN-OS zero-days for tunneling.
Remus Stealer, Gamaredon GammaSteel, and macOS ClickFix Campaigns: OTX Pulse Analysis — Enterprise Detection Pack
Active detection guidance for Remus/Lumma evolution, macOS ClickFix infostealers, and Gamaredon's GammaSteel targeting Ukraine.
ClickFix macOS Campaigns, Remus Browser Bypass, and Gamaredon GammaSteel Espionage: OTX Pulse Intelligence
Active macOS ClickFix infostealers, Remus browser encryption bypass, and Gamaredon GammaSteel targeting Ukraine analyzed via OTX pulses.
ClickFix & Gamaredon Operations: MacOS Stealers and GammaSteel Espionage — OTX Pulse Analysis
Active ClickFix macOS campaigns delivering AMOS/Shub stealer alongside Gamaredon's GammaSteel targeting Ukraine. Critical IOCs and detection engineering included.
Remus Stealer, Gamaredon GammaSteel, and CloudZ Pheno: OTX Pulse Analysis — Enterprise Detection Pack
Active info-stealers and espionage tooling targeting credentials and OTPs via Phone Link and browser bypasses. Urgent patching required.
Remus Stealer, Gamaredon GammaSteel & CloudZ RAT: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns featuring Remus ABE bypass, Gamaredon's GammaSteel registry persistence, and CloudZ OTP theft via Phone Link. Urgency: High.
CloudZ OTP Theft, UAT-8302 APT Intrusions, and DesckVB RAT: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns feature CloudZ OTP theft via Microsoft Phone Link, UAT-8302 exploiting CVE-2025-0994, and DesckVB malspam. High urgency.
DesckVB RAT, Kali365 PhaaS, and Gamaredon GammaWorm: OTX Pulse Analysis — Multi-Vector Threat Landscape
Live OTX intel: Active campaigns involving DesckVB RAT malspam, Kali365 OAuth token theft, and Gamaredon espionage tools detected. Urgency: High.
Gamaredon GammaWorm, SideCopy XenoRAT, and BTMOB MaaS Campaigns: OTX Pulse Analysis & Enterprise Detection Pack
Active espionage and malware campaigns targeting Ukraine, Afghanistan, and LATAM. Gamaredon, SideCopy, and BTMOB using HTA persistence, RAR exploits, and Android RATs. High Urgency.
XenoRAT, BTMOB, and The Gentlemen: OTX Pulse Analysis — Enterprise Detection Pack
Active OTX pulses reveal SideCopy targeting Afghanistan with XenoRAT, BTMOB Android RAT in LatAm, and The Gentlemen RaaS ransomware.
Laravel Supply Chain RCE, SideCopy XenoRAT Campaigns, and The Gentlemen RaaS Activity — Enterprise Detection Pack
Urgent OTX Analysis: Laravel supply chain RCE, SideCopy XenoRAT targeting Afghan Finance, and The Gentlemen RaaS propagation detected.
Laravel Supply Chain Attack, SideCopy XenoRAT Campaign, & The Gentlemen RaaS: OTX Pulse Analysis
Active threats: Laravel supply chain backdoor, SideCopy XenoRAT targeting Afghanistan, and The Gentlemen RaaS emergence. High urgency.
Laravel Supply Chain Attack, SideCopy XenoRAT, and The Gentlemen RaaS: OTX Pulse Analysis
Critical analysis of Laravel backdoors, SideCopy APT targeting Afghanistan, and The Gentlemen RaaS. Immediate action required.
Operation XENOFISCAL & The Gentlemen: OTX Pulse Analysis — SideCopy XenoRAT, Storm-2697 RaaS & FortiClient EMS Exploitation
SideCopy targets Afghan Finance with XenoRAT; Storm-2697 deploys 'The Gentlemen' ransomware; FortiClient EMS exploited for EKZ infostealer. Critical patches required.
Operation XENOFISCAL & Storm-2697: XenoRAT, The Gentlemen RaaS, and FortiClient EMS Exploitation — OTX Pulse Intelligence
SideCopy's XenoRAT targets Afghanistan MoF; Storm-2697's Gentlemen RaaS propagates; FortiClient EMS exploited to deliver EKZ Infostealer.
DinDoor Backdoor, AdaptixC2 & The Gentlemen RaaS: Multi-Vector OTX Pulse Analysis — Enterprise Detection Pack
Active MuddyWater and Tropic Trooper campaigns use Deno runtime and trojanized PDFs; Gentlemen RaaS ramps up defense evasion. High urgency.
DinDoor Backdoor, AdaptixC2 Beacon, and The Gentlemen RaaS: OTX Threat Landscape Analysis — Detection & Response
Active OTX pulses reveal MuddyWater's Deno-based malware, Tropic Trooper's trojanized PDFs, and The Gentlemen ransomware. Critical detection engineering.
The Gentlemen RaaS, Webworm APT, & AI Impersonation Infostealers: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal active RaaS, China-aligned espionage, and AI-themed SEO poisoning. Urgent hunting required.
The Gentlemen RaaS, Webworm APT, and AI SEO Poisoning: OTX Pulse Analysis — Enterprise Detection Pack
RaaS (The Gentlemen) and APT (Webworm) campaigns intersect with AI-themed infostealers targeting developers. Critical detection guidance provided.
Webworm APT, FrostyNeighbor Espionage, and Ghost CMS Mass Exploit: OTX Pulse Analysis
China-aligned Webworm & Belarus FrostyNeighbor target Europe; Ghost CMS mass exploits fuel ClickFix attacks. High urgency.
Shai-Hulud npm Worm, SHub Reaper macOS Stealer, and Nexcorium IoT Botnet: OTX Pulse Analysis
OTX pulses reveal Shai-Hulud npm supply chain attacks, SHub Reaper macOS spoofing, and Nexcorium IoT exploitation. Critical priority.
Nexcorium IoT Botnet, UNC1945 Financial Threats, and NKAbuse Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns involving Nexcorium IoT botnet, UNC1945 targeting finance, and NKAbuse via HuggingFace. Urgent detection required.
ASO RAT Surveillance & NKAbuse Blockchain Botnet: OTX Pulse Analysis — Enterprise Detection Pack
Active Arabic Android RAT targeting Syria + macOS/crypto stealer notnullOSX. Urgent C2 blocking required.
Kimsuky PebbleDash, Vidar Stealer & ASO RAT: OTX Pulse Analysis — Enterprise Detection Pack
Urgent intel on Kimsuky's new Rust backdoors, Vidar Stealer via AutoIt loaders, and ASO RAT surveillance. High risk to Gov/Defense sectors.
ASO RAT, Vidar Stealer, and Kimsuky PebbleDash: OTX Pulse Intelligence Brief
Live OTX analysis of ASO RAT surveillance, Vidar Stealer AutoIt loaders, and Kimsuky's Rust backdoors. High urgency for credential theft and espionage.
Showing 50 of 84 reports. Archive expands automatically as new intel is generated.
Every Malware & Criminal ToolingReport Includes SIGMA & KQL Detection Rules
Every intelligence briefing on this page includes at least one Sigma rule, a Microsoft Sentinel KQL hunt query, and an IOC check script — ready to drop into your SIEM. No paywall. No registration.