ZiChatBot: OceanLotus APT Uses Zulip Chat APIs as Covert Command and Control in PyPI Supply Chain Attack
A newly discovered malware called ZiChatBot abuses Zulip REST APIs for command and control, hiding malicious traffic as legitimate chat communications. Linked to the OceanLotus (APT32) threat group,...
UAT-8302: China-Nexus APT Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies
Cisco Talos has detailed UAT-8302, a China-nexus APT group conducting long-term espionage campaigns against government agencies in southeastern Europe. The group blends custom backdoors like NetDraft and CloudSorcerer...
Malicious DeepSeek-Claw AI Skill Delivers Remcos RAT and GhostLoader in Agentic AI Supply Chain Attack
Zscaler ThreatLabZ has uncovered a campaign where attackers published a fake DeepSeek integration for the OpenClaw AI framework on GitHub, hiding malicious commands in a SKILL.md file. The...
DEEP#DOOR: New Python Backdoor Silently Harvests Browser Passwords, Cloud Tokens, SSH Keys, and Wi-Fi Credentials
Securonix researchers have documented DEEP#DOOR, a self-contained Python backdoor delivered via obfuscated batch files that systematically disables Windows defenses before establishing persistent remote access. Its credential-harvesting engine simultaneously...
China-Aligned SHADOW-EARTH Deploys ShadowPad, IOX Proxy, and WMIC in Multi-Stage Espionage Campaign Across Asia
A China-aligned threat group has conducted a prolonged espionage campaign against government agencies and critical infrastructure across eight Asian countries. The attackers used ShadowPad delivered via DLL sideloading,...
Lazarus Group Targets macOS Users With Sophisticated “Mach-O Man” Four-Stage Malware Kit
North Korea's Lazarus Group has deployed a new modular macOS malware kit called "Mach-O Man" targeting fintech executives and crypto developers. The attack uses ClickFix social engineering to...
BlueNoroff Deploys AI Deepfake Zoom Lures and Fileless PowerShell to Drain Crypto Wallets Across 20+ Countries
North Korea's BlueNoroff subgroup has launched a sophisticated global campaign targeting cryptocurrency and Web3 executives, using AI-generated deepfake Zoom meetings, ClickFix clipboard injection, and fileless PowerShell implants that...
Hackers Weaponize Fake Claude Code Leak to Distribute Vidar Infostealer and GhostSocks Proxy Malware
Threat actors are using fake GitHub repositories impersonating the leaked Anthropic Claude Code source to deliver a Rust dropper that installs both the Vidar infostealer (v18.7) and GhostSocks...