BPFDoor Variants Hide with Stateless C2 and ICMP Relay Tactics
Rapid7 Labs identified seven new BPFDoor variants that embed Berkeley Packet Filter code in the Linux kernel, allowing the backdoor to remain hidden in telecom environments. The malware now employs a stateless command‑and‑control model, treating the source of a specially crafted “magic packet” as the C2 endpoint, and introduces ICMP‑based relay shells that can tunnel commands without opening conventional ports. Additional variants add HTTP tunneling with a “magic ruler” payload and an active beacon that masquerades as TLS traffic to NTP‑styled domains. Rapid7 released YARA, Suricata signatures and a triage script to detect anomalous BPF filters, raw sockets, and malformed ICMP markers.
Fake Gemini Npm Package Steals AI Tool Tokens
Hackers published a counterfeit npm package named gemini‑ai‑checker, posing as a Google Gemini token verifier, to hijack developers' AI coding environments. The package contacts a Vercel‑hosted endpoint during installation, retrieves an obfuscated JavaScript backdoor, and executes it in memory, stealing...
Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows
Hackers have revived the ClickFix social‑engineering scheme to drop a sophisticated Node.js‑based remote access Trojan on Windows machines. The campaign uses a fake CAPTCHA page to execute a Base64‑encoded PowerShell command that silently installs a malicious MSI containing a full...
CrystalX Malware-as-a-Service Spreads via Telegram With Stealer, RAT Tools
Hackers are marketing a new Malware‑as‑a‑Service platform called CrystalX RAT through private Telegram channels, offering a subscription‑based toolkit that blends remote‑access, data‑stealing, keylogging, crypto‑clipping, and prankware capabilities. The service provides an automated builder with geofencing, anti‑analysis, and ChaCha20‑encrypted payloads, while...
Hackers Exploit Hotel Booking Systems to Send Fake Payment Requests to Guests
Hackers are weaponizing compromised hotel staff credentials to infiltrate booking management systems and send personalized payment requests to guests. By blending real reservation details with urgent language, the "Reservation Hijack Scam" tricks travelers into entering card information on counterfeit pages....
Open VSX Scanner Vulnerability Lets Malicious Extensions Go Live
Open VSX, the extension marketplace for VS Code forks, patched a critical “Open Sesame” vulnerability that let malicious extensions bypass its pre‑publish scanning pipeline. The flaw stemmed from a Boolean logic error that treated scanner failures as a “no scanners configured”...
Hackers Target South Asian Financial Firm with BRUSHWORM and BRUSHLOGGER Attacks
A South Asian financial institution was compromised by a custom malware suite that pairs the BRUSHWORM backdoor with the BRUSHLOGGER DLL side‑loader. BRUSHWORM provides persistence, modular payload loading, USB‑based worming and bulk file theft, while BRUSHLOGGER captures keystrokes with per‑window...
New ClickFix Attack Exploits Windows Run Dialog and macOS Terminal to Deploy Malware
Threat actors are standardizing a ClickFix social‑engineering attack that lures victims into running malicious commands via the Windows Run dialog, PowerShell, or macOS Terminal. Insikt Group identified five active clusters since May 2024, impersonating brands like QuickBooks, Booking.com, and Zillow. The...
Leak Bazaar Converts Stolen Corporate Data Into Organized Criminal Marketplace
Leak Bazaar, a new Russian‑speaking cyber‑crime service, debuted on March 25, 2026, offering a structured marketplace that transforms raw stolen corporate data into refined, buyer‑ready datasets. The platform combines automated filtering, machine‑learning analysis, and human validation to repackage information into...
Oblivion RAT Masquerades as Play Store Update to Spy on Android Users
Oblivion RAT, a new Android remote access trojan, is sold as a malware‑as‑service platform for as little as $300 per month. It uses a two‑stage infection chain that mimics Google Play Store updates to trick users into sideloading a malicious...
LeakNet Boosts Ransomware with ClickFix Lures, Stealthy Deno Loader
LeakNet is expanding its ransomware campaign by deploying mass‑market ClickFix lures on compromised legitimate websites and coupling them with a stealthy Deno‑based loader that runs malicious code almost entirely in memory. The ClickFix technique tricks users into executing an msiexec...
Handala Hackers Exploit RDP and NetBird in Coordinated Wiper Attacks
Handala Hack, an Iranian state‑linked group known as Void Manticore, has been conducting coordinated wiper attacks using compromised RDP sessions and the legitimate mesh‑networking tool NetBird. The actors gain initial access via stolen VPN credentials, dwell for months, harvest domain admin...
CamelClone Uses Public File-Sharing Sites in Government Cyberattacks
Operation CamelClone targets government, defense, diplomatic and energy agencies in Algeria, Mongolia, Ukraine and Kuwait, using spear‑phishing ZIP archives that contain LNK shortcuts to launch PowerShell commands. The shortcuts download a JavaScript loader, HOPPINGANT, from the public file‑sharing site filebulldogs.com,...
Google Unveils Android 17 Advanced Protection Mode to Stop Malicious Services
Google announced Android 17, featuring Android Advanced Protection Mode (AAPM) to harden mobile security for high‑risk users. AAPM blocks app sideloading, disables USB data signaling, restricts non‑accessibility services, and enforces always‑on Play Protect. The release also adds a privacy‑focused Contact Picker...
.webp?ssl=1)
Fake FileZilla Downloads Spread RAT via Stealthy Multi-Stage Loader
Cybercriminals are distributing a counterfeit FileZilla installer that bundles a malicious DLL, turning the popular FTP client into a delivery vehicle for a sophisticated Remote Access Trojan. The DLL leverages Windows DLL search order to sideload, then launches a multi‑stage,...
