FreeIntelHub

TTPs

20 articles

The Hacker News TTPs Microsoft Broadcom May 20

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that employ Disc...

The Hacker News →

GBHackers TTPs May 20

Gremlin Stealer Hides C2 and Exfiltration Paths in Encrypted Resources

A newly identified variant of the Gremlin stealer malware is leveraging advanced obfuscation techniques to conceal its command-and-control (C2) infrastructur...

T1027 T1041

GBHackers →

GBHackers TTPs Microsoft May 20

GraphWorm Malware Abuses Microsoft OneDrive for Stealthy C2 Operations

A new activity from Webworm, a China-aligned advanced persistent threat (APT) group, revealing a significant evolution in its cyber espionage toolkit during ...

GBHackers →

Infosecurity Magazine TTPs May 20

China-Linked Webworm APT Evolves Tactics, Expands to European Targets

China-linked Webworm APT expands beyond Asia, targeting European government organizations and refining its cyber espionage tactics, according to ESET research

Infosecurity Magazine →

ESET Research TTPs May 20

Webworm: New burrowing techniques

ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal

ESET Research →

GBHackers TTPs May 20

Void Botnet Leverages Ethereum for Resilient C2

A newly identified botnet, named Void, is leveraging Ethereum smart contracts to build a resilient, hard-to-disrupt command-and-control (C2) infrastructure, ...

GBHackers →

GBHackers TTPs Google May 20

Trapdoor Android Ad Fraud Ring Abuses 455 Apps for Fake Clicks

A large-scale Android ad fraud campaign named “Trapdoor,” exposing a sophisticated ecosystem built on 455 malicious apps and 183 command-and-control (C2) dom...

T1189

GBHackers →

GBHackers TTPs May 20

Mini Shai-Hulud Attack Hits npm Ecosystem, Compromising Over 600 Packages

A large-scale supply chain attack targeting the npm ecosystem has resurfaced with a new variant of the Mini Shai-Hulud malware, compromising more than 600 pa...

T1195

GBHackers →

Help Net Security TTPs May 20

What happens when your identity provider becomes the kill chain

In this Help Net Security video, Colin Constable, CTO at Atsign, explains why your identity provider (IdP) has become the kill chain in cyberattacks. Attacke...

T1598

Help Net Security →

AWS Security Blog TTPs Amazon May 19

CIRT insights: How to help prevent unauthorized account removals from AWS Organizations

The AWS Customer Incident Response Team works with customers to help them recover from active security incidents. As part of this work, the team often uncove...

AWS Security Blog →

The Hacker News TTPs Google Intel May 19

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, p...

T1189

The Hacker News →

Help Net Security TTPs Microsoft Google Apple SentinelOne May 19

New macOS infostealer impersonates Apple, Microsoft, and Google in a single attack chain

A SHub macOS infostealer variant called Reaper impersonates Apple, Microsoft, and Google to trick users into executing malicious code, then targets browser d...

T1204

Help Net Security →

GBHackers TTPs Oracle May 19

JavaScript Malware Campaign Drops Crypto Clipper via PowerShell

A large-scale CountLoader campaign that uses layered obfuscation, multi-stage payload delivery, and covert command-and-control (C2) communication to deploy c...

T1027

GBHackers →

SC Media TTPs May 18

Malaysian government-linked campaign used hidden infrastructure for years

The operation, believed to be a long-term espionage effort, has maintained its command and control infrastructure for several years by employing sophisticate...

T1071

SC Media →

HackRead TTPs Cloudflare May 18

Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign

A campaign linked to a suspected Malaysian government operation has been using hidden command and control infrastructure for…

T1071

HackRead →

GBHackers TTPs May 18

Gremlin Stealer Hides Payloads in .NET Resources to Evade Detection

A newly discovered variant of the Gremlin Stealer is raising concerns among security researchers by adopting stealth-focused techniques that significantly re...

GBHackers →

Mandiant Blog TTPs Google Intel May 15

Welcome to BlackFile: Inside a Vishing Extortion Operation

Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo Introduction Google Threat Intelligence Group (GTIG) has continued to track an expansiv...

T1566 T1557

Mandiant Blog →

Unit 42 TTPs May 15

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.

T1027

Unit 42 →

GBHackers TTPs May 14

New Malware Framework Enables Screen Control and UAC Bypass

A sophisticated malware framework capable of screen control, browser artifact access, and User Account Control (UAC) bypass, highlighting how attackers are i...

T1548

GBHackers →

CSO Online TTPs May 13

Fired employee sought AI help to hide deletion of hosting firm’s customer data

The apparent revenge deletion of US federal databases after the dismissal of twin brothers from an online hosting company is another reminder to IT and HR le...

CSO Online →

FreeIntelHub · Open-source CTI platform

All articles belong to their respective owners. FreeIntelHub aggregates publicly available RSS feeds for informational purposes only.