We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and it’s loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB

EDRUnChoker😀registers a permanent WMI subscription with a 5-second timer runs embedded VBScript (fileless) that deletes malicious MSFT_NetQosPolicySettingData policies targeting known security products or aggressive app-path throttles. github.com/sbousseaden/EDRUn…

New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker

We uncovered a new Brazilian banking trojan campaign: TCLBANKER. What makes TCLBANKER notable isn’t just the malware itself, but how it spreads. The campaign uses compromised WhatsApp and Outlook accounts to propagate through trusted user relationships, deploys targeted banking overlays, and incorporates anti-analysis techniques designed to evade detection. For defenders, it’s another example of malware increasingly blending into legitimate user behavior and everyday communication channels, making detection harder and trust easier to exploit. Our latest research breaks down the infection chain, propagation methods, evasion tactics, and detection opportunities observed across the campaign. Read the full analysis: go.es.io/4ewvCKF

"Salary Slips.exe." "Dont Delete.exe." "Important.exe." These are the filenames BRUSHWORM copies itself as when spreading across USB drives in a targeted attack on a South Asian financial institution. Elastic Security Labs uncovered two custom components working together: a modular backdoor and a persistent keylogger masquerading as libcurl.dll. Full analysis: go.es.io/4tg9vw6

‼️ The axios lead maintainer has gone public on how he was socially engineered into installing the malware behind the npm supply chain attack. We have example images showing exactly how the attack was staged.

One of our researchers built an AI powered supply chain monitoring tool on a Friday afternoon. The following Monday night it caught the Axios npm compromise before most people knew it existed. Elastic Security Labs is open sourcing the tool. Full story by @dez_ here: go.es.io/4bOfsuq

We are working it, sharing what we know as of now - gist.github.com/joe-desimone…

Analysis of the macho malware used in the Axios supply chain compromise gist.github.com/joe-desimone…

If you've not seen the work that @dez_, @DefSecSentinel and the whole @elasticseclabs team have published on Axios, you're missing out.

🧵 The axios @npmjs compromise dropped a @macOS backdoor that closely mirrors North Korea's (@DPRK) recent WAVESHAPER backdoor. Let's take a quick look the full intrusion:

We have discovered a massive supply chain compromise in the Axios npm package. A backdoored maintainer account delivered a cross-platform RAT for Linux, Windows & macOS, targeting the Axios package, which has ~100M weekly downloads and is in the top five most popular Node.js packages. We filed a GitHub Security Advisory to coordinate the disclosure, ensuring that the maintainers and the npm registry could act swiftly on the compromised versions. Full analysis: go.es.io/4sHybxr

ElasticSecurityLabs detects the Axios npm supply chain attack across Linux, Windows & macOS. Our behavioral detections caught it without relying on static indicators. Full malware analysis dropping soon: go.es.io/488UwvJ