Avast Threat Operations

Joined June 2020
Jakub Vávra retweeted
Meet #GoFlateLoader: a widespread Golang loader pushing some of the most notorious #infostealers ITW – #Amatera, #Remus, #Lumma, #Vidar, and #StealC. Most loaders pile on heavy obfuscation and anti-analysis tricks to evade detection. GoFlateLoader doesn't bother. Instead, it relies on a much simpler trick – a deliberately inflated PE overlay aimed at slipping past size-constrained scanners and analysis pipelines. Yet, despite its simplicity, it is still highly widespread across our userbase, making it a good reminder that prevalence and sophistication are not always the same thing. Read more ↓ gendigital.com/blog/insights…
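An added example (not from the post or Gen's blog) of the check a scanning pipeline can run before it truncates or skips a large file: parse the section table, measure the overlay that follows the last section, and report its size and entropy so zero padding stands out from a legitimate Authenticode signature, which also lives in the overlay. The threshold values and the constructed minimal PE are assumptions.

```python
import math
import struct
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random data."""
    if not buf:
        return 0.0
    counts = Counter(buf)
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts.values())


def pe_overlay_info(data: bytes) -> dict:
    """Measure the overlay: every byte after the end of the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    sect_tbl = pe_off + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    image_end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + i * 40 + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = data[image_end:]
    return {"image_end": image_end, "file_size": len(data),
            "overlay_size": len(overlay), "overlay_entropy": shannon_entropy(overlay)}


def is_inflated(info: dict, min_overlay: int = 4 * 1024 * 1024, min_ratio: float = 0.5) -> bool:
    """Flag an overlay that is both large and most of the file (thresholds are assumptions)."""
    return info["overlay_size"] >= min_overlay and info["overlay_size"] / info["file_size"] >= min_ratio


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section at 0x200, followed by the given overlay."""
    pe_off, opt_size, raw_ptr, raw_size = 0x40, 224, 0x200, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * raw_size + overlay
```

Run `pe_overlay_info(open(path, "rb").read())` on a real sample; an overlay that is most of the file and has near-zero entropy is padding, while a few kilobytes of high-entropy data at the tail is usually a signature.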
Jakub Vávra retweeted
After months of active development, #Amatera has gradually become the most prevalent #infostealer in our userbase. And it's not slowing down – we're now observing fresh Amatera builds newly introducing control-flow flattening and indirect control-flow obfuscation. IoCs ↓ 0bf1eda8374ff2e3eb705e37eac8d65750a4d85454f535346100056399eba16f e72ec2cbe762ca672a14a7ee660c0cab61ba020267c56f9ab8982e3be1f61a8b 58fe4ed4bc57c28b4da6b9230ff4c9d62528cdc00bba79b9f105d2a742426f4b
Jakub Vávra retweeted
#Remus has officially caught up with #Lumma. Over the past few weeks, our telemetry shows Remus to be already nearly just as active as Lumma. Remus is a newly rebranded 64-bit variant of Lumma Stealer that emerged from the ashes earlier this year. More details about Remus ↓ gendigital.com/blog/insights… #malware #infostealer
Jakub Vávra retweeted
Most backdoors don't check your Shadow Stack pointer before executing. Most don't hide shellcode in PNG chunks. Most don't erase themselves when the handler stops calling. This one did all three, on a single machine in 🇬🇧 the UK, for a year, and then vanished. We wrote it up. Someone should. gendigital.com/blog/insights… #reverseengineering #malware
Jakub Vávra retweeted
Booking.com is notifying affected users that some reservation data was accessed by unauthorized parties and that reservation PINs are being reset. Those alerts are real. At the same time, we are detecting reservation hijack scams that take advantage of real booking data, as in the screenshot here. No obvious red flags, no generic message, just the right hotel, the right dates, the right amount, and a link that feels like part of the normal booking flow. That is exactly why these scams work. Do not trust the message alone. Verify through the official website, app, or your original confirmation. More details in our blog: gendigital.com/blog/insights…
Jakub Vávra retweeted
Meet #Remus, a new 64-bit variant of the infamous #Lumma Stealer – emerging in the wake of Lumma's takedown and the doxxing of its alleged core members. Same stealing arsenal, same techniques, new name. Is Remus the Lumma rebrand we've been waiting for?
Main attribution indicators:
→ The same Application-Bound Encryption bypass employed specifically by Remus and Lumma
→ Transitional test builds ("Tenzor") that share a Steam dead drop resolver with confirmed Lumma samples
→ Matching AntiVM cpuid checks against five hypervisor signatures in identical order
→ Shared direct syscall/sysenter architecture
→ Identical per-string obfuscation technique
Remus also introduces notable changes: traditional Steam and Telegram dead drop resolvers are replaced by #EtherHiding, with C2 addresses stored in Ethereum smart contracts, making the infrastructure even more resilient to takedown operations.
Full research ↓ gendigital.com/blog/insights… #infostealer #abe_bypass
Jakub Vávra retweeted
You trust login[.]microsoftonline[.]com. So does your email gateway. Attackers know this — and they're using Microsoft's OAuth redirect to send victims from that trusted domain straight to credential harvesting pages. No vulnerability. Just a feature doing exactly what it's told.
How: attackers register a multi-tenant Azure OAuth app with a malicious reply URL, then craft an /authorize request with prompt=none. When auth fails silently, Microsoft's JS fires the urlAppError handler and redirects the browser to the attacker's domain. The entire redirect originates from Microsoft's infrastructure. This bypasses URL filters that whitelist Microsoft login domains. Victims see a legitimate address bar the whole time.
Lures typically pose as DocuSign, Adobe Acrobat Sign, or "sharing link violation" alerts.
Redirect chain ITW:
login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=...
→ securedoc9a09b4dfda82e3e[.]rentawareinc[.]com (302)
→ pub-ac3265049b9b4c1ebf987170df4fcce0[.]r2[.]dev (phishing page)
@Microsoft wrote about OAuth redirect abuse here: microsoft.com/en-us/security… #phishing #OAuth #Microsoft
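The defender-side counterpart of the redirect chain above, as an added example that is not from the original post: scan proxy logs for /authorize requests to login.microsoftonline.com that name an app the tenant never consented to. The constructed log lines, the client_id allowlist and the trusted reply-URL domain suffixes are assumptions; prompt=none on its own is normal SSO and only adds context.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines in the form "<timestamp> <client_ip> <url>" (not real traffic)
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-00000000aaaa&response_type=code&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fcallback&prompt=none
2024-01-01T10:01:00Z 10.0.0.9 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fsecuredoc.phish.example%2Fcb&prompt=none
2024-01-01T10:02:00Z 10.0.0.7 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fsecuredoc.phish.example%2Fcb
2024-01-01T10:03:00Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/v2.0/token
"""

# Assumptions: an inventory of the client_ids your tenant has consented to, and the
# domains where those apps' reply URLs legitimately live.
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-00000000aaaa"}
TRUSTED_REDIRECT_SUFFIXES = (".example.com", ".microsoft.com")


def suspicious_authorize_requests(log_text, known_ids, trusted_suffixes):
    """Return /authorize requests that name an unknown app AND either carry a reply URL
    outside the trusted domains or ask for silent auth (prompt=none)."""
    hits = []
    for line in log_text.splitlines():
        ts, src, url = line.split(" ", 2)
        parts = urlsplit(url)
        if parts.hostname != "login.microsoftonline.com" or not parts.path.endswith("/authorize"):
            continue
        q = parse_qs(parts.query)                      # percent-decodes redirect_uri for us
        client_id = q.get("client_id", [""])[0]
        reply_host = urlsplit(q.get("redirect_uri", [""])[0]).hostname or ""
        reasons = []
        if client_id not in known_ids:
            reasons.append("unknown client_id")
        if reply_host and not reply_host.endswith(trusted_suffixes):
            reasons.append(f"reply URL on untrusted host {reply_host}")
        if q.get("prompt", [""])[0] == "none":
            reasons.append("silent auth (prompt=none)")
        if "unknown client_id" in reasons and len(reasons) >= 2:
            hits.append({"time": ts, "src": src, "client_id": client_id, "reasons": reasons})
    return hits
```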
Jakub Vávra retweeted
If your #AI stack talks to #LLMs through #LiteLLM — and a lot of them do — check your version. 1.82.7 and 1.82.8 on PyPI were #backdoored with a payload that vacuums up every secret it can find and, if you're on K8s, deploys privileged pods to every node in the cluster.
Stage1 (25,844 bytes):
• Harvests ~/.ssh/*, AWS/GCP/Azure/K8s creds, crypto wallets, .env, shell history, SSL keys, CI/CD secrets
• AES-256-CBC hardcoded 4096-bit RSA pubkey → POST to models.litellm[.]cloud
• Installs ~/.config/sysmon/sysmon.py systemd user service ("System Telemetry Service")
• Backdoor polls checkmarx[.]zone/raw every ~50min for next-stage URL → /tmp/pglog
• If K8s SA token exists: reads all cluster secrets, spawns privileged alpine pods (node-setup-*) in kube-system on every node, mounts host FS, installs backdoor on each
Attacker left two commented-out earlier iterations in the source — went from RC4 string obfuscation (51KB) to plain base64 (25KB). Lazy or confident.
JARM: 27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523
Both C2s on AS205759 (🇳🇱 NL), Let's Encrypt E7 certs
IoCs:
models.litellm[.]cloud — 46.151.182[.]203
checkmarx[.]zone — 83.142.209[.]11
71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 (.pth)
d6fc0ff06978742a2ef789304bcdbe69a731693ad066a457db0878279830d6a9 (stage1)
8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2 (1.82.7 .whl)
d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb (1.82.8 .whl)
Discovered by futuresearch.ai/blog/litellm… #SupplyChain #PyPI #InfoStealer #Kubernetes #litellm #Python
Jakub Vávra retweeted
🔎New #ABE #bypass spotted ITW #VoidStealer is the first #infostealer to weaponize a debugger-based technique that extracts the v20_master_key straight from browser memory, requiring neither privilege escalation nor code injection, making it significantly stealthier than existing methods – a truly elegant (and scary) technique. Full technical analysis ↓ gendigital.com/blog/insights… IoC: f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4 #infostealer #threatresearch #Chrome #malware #abe_bypass
Jakub Vávra retweeted
Fake @SocialSecurity PDFs are hitting thousands in the 🇺🇸 US right now. The payload? @datto #RMM - a legit remote access tool turned weapon. We've seen the same playbook with older @ConnectWise RMM versions too.
PDF: Social_security_statements_2025.pdf a566c0e10dc4e3adc38d8427d457d686ecad700d6e34e4c8471ba1043aa0498d
RMM: b492f06dbc632afcd8e6e35f55a141bdbd5e2cc07374bb6ab2ac5dd96b491c13
Hosted on: hxxps://pub-44db1288f9da4543b525029ecd44e149[.]r2[.]dev/SOCIAL-SECURITY_DOCUMENTS_2025[.]exe #phishing
Jakub Vávra retweeted
We observed a #clipboard payload that injects a Telegram bot into @OpenClaw's config — whether intentional attack or not, it demonstrates how easily an AI agent with shell access can be hijacked through a single paste. #OpenClaw #ClipboardAttack #CyberSecurity IoC: github.com/avast/ioc/blob/ma…
Jakub Vávra retweeted
Lazarus is running their payloads through an AI #agent to dodge our detections. The giveaway? Neatly numbered comments, "Optimized XOR loop" labels, and original code left beside AI-suggested rewrites. A for effort. Still caught. #Lazarus #APT #ThreatIntel
Jakub Vávra retweeted
Your AI agent found a skill. Installed it. And it charged you $39,214. No bad intent. No warning. Just automation. Agent Trust Hub helps agents check skill safety BEFORE they act. ai.gendigital.com/agent-trus…
Jakub Vávra retweeted
Tired of Base64 and XOR? Check out the latest #Wincir's approach to hiding data: embed encrypted payload INSIDE x64 instruction immediates.
48 81 E2 E2 00 00 00 ← sets decode key (AND)
48 B8 8A BC 4E 14 __ ← carries 8 bytes (MOV)
State machine in assembly. 14 polymorphic patterns. Same byte = 50 encodings. They heard we like to disassemble, so they put a disassembler in the malware so we can disassemble while it disassembles itself.
IoCs: b78d25290b7a0313d51a66fcc3c1fef8f64179dc51188ff65c469bd9ad417b90 #Threat #Research #Fun
Jakub Vávra retweeted
Yesterday, Gen researchers identified around 300 #skills on #ClawHub that contained prompts to download #malicious #payload. At the time of discovery, that accounted for 12% of available skills. The skills seemed like weaponized versions of existing skills. All lead to malware. @Norton and @Avast are already protecting users from threats delivered through these skills. AI "skills" are add-ons that let agents take real actions, like clicking links or downloading files, and attackers are abusing them to turn AI assistants into a new delivery channel. This new world of AI agents is unfolding before our eyes. We are protecting people today, and we will continue to share what our researchers uncover as this space evolves.
IoCs:
hxxps://glot.io/snippets/hfd3x9ueu5
hxxps://glot.io/snippets/hfdxv8uyaf
hxxps://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip (pass: openclaw)
Jakub Vávra retweeted
🚨#ScamAlert: That "official" notification from the Ministry claiming your device is locked for accessing illegal content? It's a #scam demanding hundreds of € and stealing your credit card details. Tens of thousands of users affected last week, mostly in 🇬🇧🇮🇹🇷🇴🇸🇰🇬🇷 Share and warn others! #Cybersecurity #StaySafe
IoCs: corazstop[.]cyou ecmypasscode[.]icu ecpremiasslp[.]site gbmypasscode[.]icu gbpremiasslp[.]site gbsaks[.]cyou gbservstp[.]cyou gbsiteslocks[.]cyou grmypasscode[.]icu itmypasscode[.]icu itpremiasslp[.]site itsaks[.]cyou itsiteslocks[.]cyou phmypasscode[.]icu phpremiasslp[.]site romypasscode[.]icu ropremiasslp[.]site rosaks[.]cyou rositeslocks[.]cyou skmypasscode[.]icu slmypasscode[.]icu
Exfil via sockets: admadprpr[.]top
Jakub Vávra retweeted
#Vidar v2.0 refines its approach to #bypass AppBound Encryption, combining known and novel techniques that leverage browser process injection:
- Reflective DLL #injection combined with IElevator (known technique)
- Shellcode injection via section mapping (ZwMapViewOfSection) with hooking of CryptUnprotectData in an attempt to directly capture and steal the v20_master_key. With the key, Vidar is able to decrypt all browser data, effectively defeating AppBound Encryption in a novel way.
Additionally, Vidar v2.0 introduced control-flow flattening and began encrypting most of the strings.
IoCs:
07c56ba57a813ab8f0eb4879c8638d5fbeab01163ac928a0d29c5826ab4abd9a
da89f3e6e9cf71c26162728dfabf6720a2b802bcad3c40635a7d4fb25e5ad627
aa5a38f1b0e7a1dab29f1ab8c8d9fa1bc0f028242349461da8d199f570d02027
Jakub Vávra retweeted
We have detected an ongoing #Quishing campaign targeting the #Microsoft brand. The attacker uses AV evasion in the malicious QR code to avoid detection:
- QR code split into 2 images
- Non-standard colors
- QR code drawn using the content stream
Stay sharp & safe! #Cybersecurity #Phishing
Jakub Vávra retweeted
#CryptoScam Alert 🚨: Fake "37% profit exploit" from @pastebin Public Pastes via @Swapzone_io is malware! It swaps wallet addresses & steals funds. Don't run unknown JS or trust "secret profit" posts. Stay safe! Don't #ScamYourself
IoCs:
hxxps://pastebin[.]com/RJrZ5ege
hxxps://docs[.]google[.]com/document/d/1Nk_cNjyNadCuBDHlIBNVKbHj5GfdwSOjw894DcBxVyc/edit?tab=t[.]0
hxxps://paste[.]sh/w71C3CMP#YhD_JtHecu-kEZueDYo5pFEO
hxxps://2x3[.]ac/s[.]php
a37a1f6b463f4052d524ee3d97e8d5bfa38911b6c66598326daa341f31509ede