Malware & Criminal Tooling Intelligence
New malware families, crimeware updates, loader/dropper campaigns, C2 infrastructure, and initial access broker tooling emerging from criminal underground channels.
Malware & Criminal Tooling — Archive & Latest
The Gentlemen RaaS & AI Supply Chain Poisoning: SystemBC, AMOS Stealer, and CVE-2024-55591 Exploitation
Active RaaS operation Storm-2697 exploits CVE-2024-55591 while threat actors poison AI supply chains with AMOS Stealer. Urgent patching required.
The Gentlemen RaaS (Storm-2697) & AI Supply Chain (AMOS Stealer): OTX Pulse Analysis
Alert: The Gentlemen ransomware exploiting CVE-2024-55591 and AI supply chain trojans dropping AMOS stealer. High urgency.
OTX Pulse Analysis: 4BID Hacktivist Operations & PAN-OS Zero-Day Exploitation (CL-STA-1132)
4BID group leverages ProxyShell/Sliver to target Gov/Healthcare; CL-STA-1132 exploits PAN-OS zero-day; GriefLure hits Vietnam/Philippines.
ClickFix RATs & CL-STA-1132 PAN-OS Exploitation: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns targeting macOS/Windows with ClickFix (CastleLoader/AMOS) and critical PAN-OS zero-day exploitation by CL-STA-1132.
ClickFix Campaigns & PAN-OS Exploitation: OTX Pulse Analysis — CastleLoader, macOS Infostealers, and EarthWorm
Active ClickFix campaigns delivering CastleLoader/macOS infostealers plus CL-STA-1132 exploiting PAN-OS zero-days for tunneling.
Remus Stealer, Gamaredon GammaSteel, and macOS ClickFix Campaigns: OTX Pulse Analysis — Enterprise Detection Pack
Active detection guidance for Remus/Lumma evolution, macOS ClickFix infostealers, and Gamaredon's GammaSteel targeting Ukraine.
ClickFix macOS Campaigns, Remus Browser Bypass, and Gamaredon GammaSteel Espionage: OTX Pulse Intelligence
Active macOS ClickFix infostealers, Remus browser encryption bypass, and Gamaredon GammaSteel targeting Ukraine analyzed via OTX pulses.
ClickFix & Gamaredon Operations: macOS Stealers and GammaSteel Espionage — OTX Pulse Analysis
Active ClickFix macOS campaigns delivering AMOS/Shub stealer alongside Gamaredon's GammaSteel targeting Ukraine. Critical IOCs and detection engineering included.
Remus Stealer, Gamaredon GammaSteel, and CloudZ Pheno: OTX Pulse Analysis — Enterprise Detection Pack
Active info-stealers and espionage tooling targeting credentials and OTPs via Phone Link and browser bypasses. Urgent patching required.
Remus Stealer, Gamaredon GammaSteel & CloudZ RAT: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns featuring Remus ABE bypass, Gamaredon's GammaSteel registry persistence, and CloudZ OTP theft via Phone Link. Urgency: High.
CloudZ OTP Theft, UAT-8302 APT Intrusions, and DesckVB RAT: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns feature CloudZ OTP theft via Microsoft Phone Link, UAT-8302 exploiting CVE-2025-0994, and DesckVB malspam. High urgency.
DesckVB RAT, Kali365 PhaaS, and Gamaredon GammaWorm: OTX Pulse Analysis — Multi-Vector Threat Landscape
Live OTX intel: Active campaigns involving DesckVB RAT malspam, Kali365 OAuth token theft, and Gamaredon espionage tools detected. Urgency: High.
Gamaredon GammaWorm, SideCopy XenoRAT, and BTMOB MaaS Campaigns: OTX Pulse Analysis & Enterprise Detection Pack
Active espionage and malware campaigns targeting Ukraine, Afghanistan, and LATAM. Gamaredon, SideCopy, and BTMOB using HTA persistence, RAR exploits, and Android RATs. High Urgency.
XenoRAT, BTMOB, and The Gentlemen: OTX Pulse Analysis — Enterprise Detection Pack
Active OTX pulses reveal SideCopy targeting Afghanistan with XenoRAT, BTMOB Android RAT in LatAm, and The Gentlemen RaaS ransomware.
Laravel Supply Chain RCE, SideCopy XenoRAT Campaigns, and The Gentlemen RaaS Activity — Enterprise Detection Pack
Urgent OTX Analysis: Laravel supply chain RCE, SideCopy XenoRAT targeting Afghan Finance, and The Gentlemen RaaS propagation detected.
Laravel Supply Chain Attack, SideCopy XenoRAT Campaign, & The Gentlemen RaaS: OTX Pulse Analysis
Active threats: Laravel supply chain backdoor, SideCopy XenoRAT targeting Afghanistan, and The Gentlemen RaaS emergence. High urgency.
Laravel Supply Chain Attack, SideCopy XenoRAT, and The Gentlemen RaaS: OTX Pulse Analysis
Critical analysis of Laravel backdoors, SideCopy APT targeting Afghanistan, and The Gentlemen RaaS. Immediate action required.
Operation XENOFISCAL & The Gentlemen: OTX Pulse Analysis — SideCopy XenoRAT, Storm-2697 RaaS & FortiClient EMS Exploitation
SideCopy targets Afghan Finance with XenoRAT; Storm-2697 deploys 'The Gentlemen' ransomware; FortiClient EMS exploited for EKZ infostealer. Critical patches required.
Operation XENOFISCAL & Storm-2697: XenoRAT, The Gentlemen RaaS, and FortiClient EMS Exploitation — OTX Pulse Intelligence
SideCopy's XenoRAT targets Afghanistan MoF; Storm-2697's Gentlemen RaaS propagates; FortiClient EMS exploited to deliver EKZ Infostealer.
DinDoor Backdoor, AdaptixC2 & The Gentlemen RaaS: Multi-Vector OTX Pulse Analysis — Enterprise Detection Pack
Active MuddyWater and Tropic Trooper campaigns use Deno runtime and trojanized PDFs; Gentlemen RaaS ramps up defense evasion. High urgency.
DinDoor Backdoor, AdaptixC2 Beacon, and The Gentlemen RaaS: OTX Threat Landscape Analysis — Detection & Response
Active OTX pulses reveal MuddyWater's Deno-based malware, Tropic Trooper's trojanized PDFs, and The Gentlemen ransomware. Critical detection engineering.
The Gentlemen RaaS, Webworm APT, & AI Impersonation Infostealers: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal active RaaS, China-aligned espionage, and AI-themed SEO poisoning. Urgent hunting required.
The Gentlemen RaaS, Webworm APT, and AI SEO Poisoning: OTX Pulse Analysis — Enterprise Detection Pack
RaaS (The Gentlemen) and APT (Webworm) campaigns intersect with AI-themed infostealers targeting developers. Critical detection guidance provided.
Webworm APT, FrostyNeighbor Espionage, and Ghost CMS Mass Exploit: OTX Pulse Analysis
China-aligned Webworm & Belarus FrostyNeighbor target Europe; Ghost CMS mass exploits fuel ClickFix attacks. High urgency.
Shai-Hulud npm Worm, SHub Reaper macOS Stealer, and Nexcorium IoT Botnet: OTX Pulse Analysis
OTX pulses reveal Shai-Hulud npm supply chain attacks, SHub Reaper macOS spoofing, and Nexcorium IoT exploitation. Critical priority.
Nexcorium IoT Botnet, UNC1945 Financial Threats, and NKAbuse Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns involving Nexcorium IoT botnet, UNC1945 targeting finance, and NKAbuse via HuggingFace. Urgent detection required.
ASO RAT Surveillance & NKAbuse Blockchain Botnet: OTX Pulse Analysis — Enterprise Detection Pack
Active Arabic Android RAT targeting Syria and the macOS crypto stealer notnullOSX. Urgent C2 blocking required.
Kimsuky PebbleDash, Vidar Stealer & ASO RAT: OTX Pulse Analysis — Enterprise Detection Pack
Urgent intel on Kimsuky's new Rust backdoors, Vidar Stealer via AutoIt loaders, and ASO RAT surveillance. High risk to Gov/Defense sectors.
ASO RAT, Vidar Stealer, and Kimsuky PebbleDash: OTX Pulse Intelligence Brief
Live OTX analysis of ASO RAT surveillance, Vidar Stealer AutoIt loaders, and Kimsuky's Rust backdoors. High urgency for credential theft and espionage.
ASO RAT, Vidar Stealer Loader, and Kimsuky APT Campaigns: OTX Pulse Analysis — Enterprise Detection Pack
Active surveillance (ASO RAT), info-stealing loaders (Vidar), and DPRK phishing (Kimsuky) detected. High urgency for credential theft.
Needle C2, PCPJack Cloud Worm & Beagle Backdoor: OTX Pulse Analysis — Enterprise Detection Pack
Active MaaS crypto-stealer (Needle), cloud worm (PCPJack), and AI-themed backdoor (Beagle) campaigns. Urgent IOC enforcement required.
Remus Stealer, ClickFix macOS Infostealers, and Malicious OpenClaw Skills: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns: Remus bypassing browser encryption, ClickFix macOS attacks, and OpenClaw delivering Remcos RAT via AI agents.
Remcos RAT, Remus Stealer & macOS ClickFix: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns distributing Remcos RAT via AI lures, Remus Stealer bypassing browser encryption, and macOS ClickFix infostealers.
ClickFix macOS Lures, Remus Stealer, & OpenClaw RAT Supply Chain: OTX Pulse Analysis
Active campaigns using ClickFix macOS lures and malicious OpenClaw skills to deliver AMOS, Remus, and Remcos RAT. High urgency.
Remus Stealer & Weaponized AI Frameworks: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns deploying Remus Stealer, ClickFix macOS infostealers, and Remcos RAT via malicious AI skills. Urgent C2 blocking required.
Remus Stealer, ClickFix & AI Framework Abuse: Cross-Platform Infostealer Campaigns — OTX Pulse Analysis
Active ClickFix macOS campaigns distributing AMOS/Shub; Remus stealer bypassing browser encryption; OpenClaw AI abuse delivering Remcos RAT.
Trigona Exfiltration Tooling, OceanLotus PyPI Supply Chain & QUIC RAT in DAEMON Tools: OTX Pulse Analysis — Enterprise Detection Pack
Trigona custom exfil, OceanLotus PyPI supply chain, and QUIC RAT in DAEMON Tools detected. Urgency: Critical. Hunt for hashes now.
GhostSocks Proxy & Remcos RAT: OTX Pulse Analysis — AI Framework & Mobile Link Exploits
Intelligence on GhostSocks proxy malware, Remcos RAT via OpenClaw AI, and CloudZ OTP theft targeting Education and Enterprise sectors.
MioLab Stealer, GhostSocks Proxy & CloudZ RAT: Multi-Vector Malware Campaign Analysis
Active OTX pulses reveal the macOS MioLab stealer, the GhostSocks residential proxy botnet, and CloudZ RAT exploiting Phone Link for OTP theft.
MioLab Stealer, GhostSocks Proxy Botnet, and Trigona Exfil Tool: OTX Pulse Analysis — Enterprise Detection Pack
Emerging MaaS threats: MioLab macOS stealer, GhostSocks proxy network, and Trigona custom exfiltration tool detected via OTX.
Rebex Telegram RAT, GachiLoader & TeamPCP CanisterWorm: OTX Pulse Analysis
Urgent: Active Telegram RAT targeting Vietnam, AI-themed GachiLoader, and TeamPCP supply chain wiper detected. Immediate action required.
Rebex Telegram RAT, GachiLoader & TeamPCP CanisterWorm: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns involving Telegram RATs, AI-themed infostealers, and supply chain attacks on security tools identified.
TeamPCP Supply Chain, Rebex Telegram RAT, & GachiLoader: OTX Pulse Analysis
Active campaigns detected: TeamPCP supply chain attack (CanisterWorm), Rebex RAT targeting Vietnam, and GachiLoader dropping Rhadamanthys via AI lures. Urgency: High.
TeamPCP Supply Chain Attack & GachiLoader AI Lures: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal TeamPCP exploiting security tools via CVE-2025-55182, GachiLoader using AI lures, and a Rebex Telegram RAT targeting Vietnam. High urgency.
Rebex Telegram RAT, GachiLoader & TeamPCP Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
Active campaigns include a Telegram RAT targeting Vietnam, AI-themed GachiLoader, and TeamPCP supply chain attacks on security infrastructure. High urgency.
Telegram RAT, Rhadamanthys & ValleyRAT: OTX Pulse Analysis — Enterprise Detection Pack
Telegram RAT, GachiLoader, and Silver Fox targeting Vietnam, Japan, and AI users. High urgency detection pack provided.
PRISMEX, ValleyRAT, and AMOS Stealer: OTX Pulse Analysis — APT Espionage, Targeted Tax Fraud, and AI-Agent Exploitation
Active campaigns: APT28's PRISMEX suite, Silver Fox's ValleyRAT in Japan, and AMOS Stealer via Cursor AI. Urgent detection updates.
PRISMEX, ValleyRAT & AMOS Stealer: OTX Pulse Analysis — Enterprise Detection Pack
APT28 uses PRISMEX for espionage; Silver Fox targets Japan with ValleyRAT; AMOS Stealer exploits Cursor AI. Critical urgency.
EtherRAT, PRISMEX, and ValleyRAT: Multi-Front APT Campaign Analysis — Node.js Backdoors & Steganography Detection Pack
North Korean & Russian APTs target Finance & Gov sectors with EtherRAT & PRISMEX; Void Arachne hits Japan. High urgency.
PRISMEX, DinDoor, and ValleyRAT: OTX Pulse Analysis of APT28, MuddyWater, and Void Arachne — Enterprise Detection Pack
Analysis of active OTX pulses revealing PRISMEX (APT28), DinDoor (MuddyWater), and ValleyRAT (Void Arachne) targeting govt, finance, and manufacturing.
Showing 50 of 63 reports. Archive expands automatically as new intel is generated.
Every Malware & Criminal Tooling Report Includes SIGMA & KQL Detection Rules
Every intelligence briefing on this page includes at least one Sigma rule, a Microsoft Sentinel KQL hunt query, and an IOC check script — ready to drop into your SIEM. No paywall. No registration.