
MalWhere?

@malwhere.bsky.social

👨‍💻 APT Insights 🕵️‍♂️ Tracking Cyber-Espionage Threats 💻 Uncovering the Dark Side of the Digital World 👇 Latest Threat Analysis & Updates https://malwhere.substack.com/

102 Followers  |  174 Following  |  363 Posts  |  Joined: 12.09.2024  |  2.2148

Latest posts by malwhere.bsky.social on Bluesky


The phishing sites request 12-, 20-, or 24-word recovery phrases, transmitting them to attacker-controlled infrastructure via backend API endpoints. With the seed phrase captured, threat actors can import wallets and drain funds.

22.02.2026 10:41 — 👍 0    🔁 0    💬 0    📌 0

The letters cite urgent deadlines (Oct 2025 / Feb 2026) and warn of lost functionality. QR codes direct recipients to spoofed Trezor and Ledger setup pages designed to mimic official security and compliance communications.

22.02.2026 10:41 — 👍 0    🔁 0    💬 1    📌 0

🚨 Snail-mail phishing targets crypto hardware wallet users. Fake letters posing as Trezor & Ledger claim mandatory “Authentication” or “Transaction” checks. Victims are pressured to scan QR codes tied to recovery-phrase theft campaigns.
#Crypto #Phishing #HardwareWallet #CyberSecurity

22.02.2026 10:41 — 👍 0    🔁 0    💬 2    📌 0

The loader retrieves encrypted payloads hidden in fake icon files via steganography, installs persistent DLLs via Task Scheduler, and exfiltrates system data. Linked to Rhysida and possibly Wizard Spider, it delivers ransomware & stealers—an evolving threat into 2026.

17.02.2026 08:35 — 👍 0    🔁 0    💬 0    📌 0

OysterLoader uses a 4-stage infection chain: TextShell packer, API flooding, anti-debug checks, custom API hashing, and modified LZMA compression. It dynamically resolves Windows functions and evades AV detection while testing sandbox conditions before contacting C2 over HTTPS.

17.02.2026 08:35 — 👍 0    🔁 0    💬 1    📌 0

🚨 Researchers uncovered OysterLoader, a stealthy multi-stage loader powering Rhysida ransomware attacks. Active since 2024, it spreads via fake downloads of PuTTY, WinSCP & AI tools, deploying malware through signed MSI files. A major enterprise threat. #CyberSecurity #Malware #ThreatIntel

17.02.2026 08:35 — 👍 0    🔁 0    💬 1    📌 0

CrowdStrike: Labyrinth Chollima split into espionage & crypto-theft units (Golden & Pressure Chollima), linked to Lazarus. Shared HR lures, trojanized apps & rootkits show centralized coordination across DPRK ops. #ThreatHunting #APT #Lazarus #CyberEspionage

11.02.2026 11:15 — 👍 2    🔁 0    💬 0    📌 0

The scheme acts as a high-volume revenue engine. Operatives gain admin access to repos, steal data, and convert salaries to crypto using chain-hopping. “Contagious Interview” lures deploy npm malware, VS Code payloads, BeaverTail & Koalemos RAT for full remote control.

11.02.2026 11:15 — 👍 1    🔁 0    💬 1    📌 0

🚨 DPRK-linked actors are infiltrating global firms via LinkedIn, posing as legit remote job candidates. Tracked as Jasper Sleet & Wagemole, the campaign funds weapons programs + enables espionage. Verified emails & badges boost credibility. #CyberSecurity #DPRK #ThreatIntel #LinkedIn #jaspersleet

11.02.2026 11:15 — 👍 1    🔁 0    💬 1    📌 0

New capabilities include Chromium login theft, HTTP proxy credential sniffing, active window tracking, and expanded plugins. Browser data is exfiltrated via hardcoded tokens for services like Google Drive, boosting stealth and resilience in Mustang Panda ops. #Malware #ThreatIntel

09.02.2026 14:55 — 👍 0    🔁 0    💬 0    📌 0

The updated CoolClient targets gov entities across Asia and beyond, abusing legitimate Sangfor software. It profiles systems, escalates privileges, persists via services and tasks, and runs modular plugins for keylogging, tunneling, file ops, and remote shells.

09.02.2026 14:55 — 👍 0    🔁 0    💬 1    📌 0

🚨Mustang Panda has rolled out a new CoolClient variant with browser credential theft and clipboard monitoring. Kaspersky links it to targeted espionage via trusted software and multi-stage loaders, signaling an evolution in China-aligned tradecraft. #APT #China #CyberEspionage #MUSTANGPANDA

09.02.2026 14:55 — 👍 0    🔁 0    💬 1    📌 0

AsyncRAT runs fully in memory, enabling surveillance, file access, and persistence while blending into normal system behavior. DEAD#VAX shows how attackers combine script abuse, IPFS, and process injection to defeat traditional defenses. #ThreatHunting #Infosec #APT

06.02.2026 10:26 — 👍 0    🔁 0    💬 0    📌 0

DEAD#VAX starts with phishing emails delivering fake PDF VHD files. When mounted, scripts launch multi-stage loaders that decrypt shellcode and inject AsyncRAT directly into trusted Windows processes, never dropping a clear payload to disk.

06.02.2026 10:26 — 👍 0    🔁 0    💬 1    📌 0

🚨Threat hunters uncovered DEAD#VAX, a stealth malware campaign abusing Windows features to deploy AsyncRAT. Using phishing, IPFS-hosted VHD files, obfuscated scripts, and in-memory execution, it evades detection and forensic analysis. #Malware #AsyncRAT #CyberThreats #EDR #DEADVAX

06.02.2026 10:26 — 👍 0    🔁 0    💬 1    📌 0
The APTs That Defined 2025: How State-Aligned Threat Actors Shaped the Global Cyber Battlefield

The APTs That Defined 2025 open.substack.com/pub/malwhere...

#APT #China #Russia #DPRK #Iran #ThreatIntel #CyberSecurity #SaltTyphoon #FlaxTyphoon #MustangPanda #APT17 #APT28 #APT29 #Sandworm #LazarusGroup #Kimsuky #APT42

04.02.2026 11:41 — 👍 0    🔁 0    💬 0    📌 0

Attackers abused weak update checks in older Notepad++ versions, sideloading Chrysalis via a trojanized installer. The implant supports shell access, file ops, and C2 control. Rapid7 links the tooling to Lotus Blossom’s evolving, stealth-focused tradecraft.

04.02.2026 09:26 — 👍 0    🔁 0    💬 0    📌 0

🚨China-linked espionage group Lotus Blossom was tied to a Notepad++ hosting breach, enabling targeted delivery of a new backdoor named Chrysalis to select users via redirected updates. The campaign was limited, stealthy, and supply-chain focused. #China #LotusBlossom #CyberEspionage #Malware #APT

04.02.2026 09:26 — 👍 0    🔁 0    💬 1    📌 0

Hosted on abuse-tolerant AS202015 with disposable domains and short-lived TLS certs, ToxicSnake isn’t one attack but a reusable delivery platform. Expect rebrands, not shutdowns, unless intelligence is shared fast. #Infosec #ThreatIntel #CyberDefense

30.01.2026 13:08 — 👍 0    🔁 0    💬 0    📌 0

The campaign uses fake educational sites, obfuscated JavaScript, browser fingerprinting, and single-use tokens. Only selected victims see malicious content, while analysts get nothing. This selective delivery keeps infrastructure alive and payloads hidden.

30.01.2026 13:08 — 👍 0    🔁 0    💬 1    📌 0

🚨ToxicSnake shows how modern phishing hides behind Traffic Distribution Systems (TDS). Instead of attacking everyone, it filters visitors to evade scanners and researchers. The weapon isn’t the payload, but the decision engine behind it. #CyberThreats #Phishing #TDS #Malware #ToxicSnake

30.01.2026 13:08 — 👍 0    🔁 0    💬 1    📌 0

The campaign abused Moltbot’s popularity, delivering fallback payloads via DLL sideloading and alternate domains. Separately, researchers warn misconfigured Moltbot instances expose credentials and chat data, enabling “agent hijacking” and manipulation of AI workflows across platforms.

29.01.2026 10:21 — 👍 0    🔁 0    💬 0    📌 0

🚨 A malicious VS Code extension impersonating Moltbot (“ClawdBot Agent, AI Coding Assistant”) was distributed via Microsoft’s official Marketplace. The malware executed on launch, fetched remote configs, and deployed ScreenConnect RAT for persistent access.
#SupplyChain #VSCode #Malware #Moltbot

29.01.2026 10:21 — 👍 0    🔁 0    💬 1    📌 0

PeckBirdy runs across browsers, MSHTA, WScript, ASP, Node.js, and .NET, dynamically serving payloads via unique attack IDs. Linked clusters SHADOW-VOID-044 and SHADOW-EARTH-045 deployed cookie theft, exploits, backdoors, and modular RATs, complicating detection.

28.01.2026 11:05 — 👍 0    🔁 0    💬 0    📌 0

🕊️ PeckBirdy is a JavaScript-based C2 framework used by China-aligned APTs since 2023. Tracked by Trend Micro, it abuses LOLBins and legacy JScript to deliver malware via fake Chrome updates and injected websites, targeting gambling platforms and Asian orgs.
#APT #China #Malware #ThreatIntel #PeckBirdy

28.01.2026 11:05 — 👍 1    🔁 0    💬 1    📌 0

While technically unsophisticated, Stanley’s real danger is its distribution model—promising trusted Web Store placement. Researchers warn users to limit extensions, verify publishers, and review permissions as malicious add-ons continue to bypass safeguards.
#Infosec #Chrome #CyberCrime #ThreatIntel

27.01.2026 10:46 — 👍 0    🔁 0    💬 0    📌 0

Stanley lets operators hijack navigation, inject phishing pages, push browser notifications, and silently install extensions across Chrome, Edge, and Brave. It supports geo-targeting, IP tracking, and persistent C2 polling with backup domains to evade takedowns.

27.01.2026 10:46 — 👍 0    🔁 0    💬 1    📌 0

🧩 A new malware-as-a-service dubbed Stanley is selling malicious Chrome extensions that claim to pass Google’s review and land in the Chrome Web Store. The MaaS enables phishing via full-screen iframe overlays while the browser address bar shows a legitimate site.
#Malware #BrowserSecurity #Phishing

27.01.2026 10:46 — 👍 0    🔁 0    💬 1    📌 0

Analysts warn the attack reflects a wider trend: hotels are prime targets due to nonstop operations and pressure to restore services fast. Exposure of employee data suggests deliberate data theft. Under EU regulations, the incident may carry legal, financial, and reputational fallout.

26.01.2026 09:42 — 👍 0    🔁 0    💬 0    📌 0

🏨 Bulgaria’s Vitosha Park Hotel was hit by ransomware linked to the Anubis threat actor. Employee data is confirmed exposed, with full impact still under review. The case shows how digitally dependent hotels face growing extortion risk from modern ransomware groups. #Ransomware #Anubis #CyberSecurity

26.01.2026 09:42 — 👍 0    🔁 0    💬 1    📌 0
