LATEST THREAT INTELLIGENCE.
(Don't) TrustConnect: It's a RAT in an RMM hat
Description: A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.
Created at: 2026-02-19T11:10:29.994000
Updated at: 2026-03-21T11:34:25.575000
Arkanix Stealer targets a variety of data, offers a MaaS referral program
Description: Arkanix Stealer, a newly discovered malware operating under a Malware-as-a-Service model, targets a wide range of user data including cryptocurrencies, gaming, and online banking information. The stealer, available in both Python and C++ versions, offers configurable features and employs various techniques to evade detection. It can extract data from multiple browsers, VPNs, and gaming platforms, as well as capture screenshots and RDP connection details. The malware authors promoted their product through a Discord server and implemented a referral program to attract customers. The campaign appears to have been short-lived, with infrastructure taken down around December 2025.
Created at: 2026-02-19T11:10:30.625000
Updated at: 2026-03-21T11:34:25.575000
VoidStealer: Debugging Chrome to Steal Its Secrets
Description: VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.
Created at: 2026-03-20T09:51:33.321000
Updated at: 2026-03-20T21:06:50.989000
Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
Description: A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.
Created at: 2026-03-20T09:51:35.029000
Updated at: 2026-03-20T21:05:12.398000
CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours
Description: A critical vulnerability in Langflow, an open-source visual framework for AI agents and RAG pipelines, was disclosed on March 17, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated remote code execution on exposed Langflow instances. Within 20 hours, exploitation attempts were observed in the wild. Attackers rapidly developed working exploits from the advisory description and began scanning for vulnerable instances. The Sysdig Threat Research Team deployed honeypots to monitor the attacks, observing automated scanning, custom exploit scripts, and data harvesting activities. The rapid exploitation highlights the accelerating trend of shorter time-to-exploit for vulnerabilities, posing significant challenges for defenders. The attackers targeted high-value data, API keys, and potential software supply chain compromise.
Created at: 2026-03-20T09:51:34.102000
Updated at: 2026-03-20T21:02:18.495000
Law Firm Sites Hijacked in Suspected Supply-Chain Attack
Description: GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.
Created at: 2026-02-18T16:28:06.616000
Updated at: 2026-03-20T16:41:27.242000
An Overview of The Gentlemen's TTPs
Description: This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.
Created at: 2026-03-20T08:24:49.787000
Updated at: 2026-03-20T08:28:04.105000
Beast Ransomware Toolkit: A Proactive Threat Intelligence Report
Description: This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includes various tools for reconnaissance, network mapping, credential theft, persistence, lateral movement, exfiltration, and impact. Notable findings include the presence of both Windows and Linux versions of Beast ransomware, indicating targeting of workstations and Linux servers on VMware ESXi hypervisors. The report highlights the importance of proactive collection of internet telemetry in identifying ransomware operators' toolkits before they can be used against targets.
Created at: 2026-03-20T08:12:00.222000
Updated at: 2026-03-20T08:20:55.619000
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries
Description: A sophisticated malware campaign delivering PureLog Stealer has been identified, targeting healthcare, government, hospitality, and education sectors in multiple countries. The attack uses localized copyright violation lures to trick victims into executing a multi-stage infection chain. The malware employs encrypted payloads, remote key retrieval, and fileless execution techniques to evade detection. It utilizes a Python-based loader and dual .NET loaders to run PureLog Stealer entirely in memory. The campaign incorporates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting for stealth and intelligence gathering. Evidence confirms communication with PureLog-associated infrastructure.
Created at: 2026-03-20T08:13:38.405000
Updated at: 2026-03-20T08:18:20.719000
Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation
Description: The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.
Created at: 2026-03-19T14:23:02.178000
Updated at: 2026-03-20T08:05:16.104000
