LATEST THREAT INTELLIGENCE.
Technical Analysis of SnappyClient
Description: Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. The malware receives configuration files from its C2 server and uses a custom encrypted network protocol. SnappyClient's main functions include stealing browser data, taking screenshots, keylogging, and providing remote shell access. Analysis suggests potential ties to HijackLoader based on code similarities. The primary goal appears to be cryptocurrency theft, targeting wallet addresses and crypto-related applications.
Created at: 2026-03-18T15:30:24.018000
Updated at: 2026-03-18T16:30:07.645000
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Description: Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.
Created at: 2026-03-18T15:44:33.832000
Updated at: 2026-03-18T16:29:12.361000
Inside a network of 20,000+ fake shops
Description: A massive network of over 20,000 fraudulent e-commerce domains has been uncovered, all sharing common infrastructure and design patterns. These fake shops, primarily using the .shop domain, are designed to steal payment details and personal data from unsuspecting consumers. The operation is highly industrialized, with domains resolving to just 36 IP addresses, indicating a franchise-style model where a core team manages servers and templates while individual operators launch storefronts. The shops use familiar e-commerce tactics and psychological pressure to lure victims. To protect yourself, use browser protection tools, scrutinize unfamiliar domains, be wary of deep discounts, and look for independent reviews before making purchases.
Created at: 2026-03-18T16:24:46.457000
Updated at: 2026-03-18T16:26:35.597000
Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Description: A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.
Created at: 2026-02-16T10:44:40.850000
Updated at: 2026-03-18T11:40:31.075000
Minecraft: Dark Tale of Scams, Malware & Extortion
Description: The article exposes a sophisticated scam targeting Minecraft players through fake 'grief-free' server communities. The SugarSMP website, promising a safe gaming experience, was found to distribute malware-infected mod packs. The malware, named Spark stealer, steals sensitive data including Discord tokens, browser credentials, and crypto wallet information. The threat actors employ social engineering tactics to maintain their fake community's reputation and remove warnings about their activities. Multiple similar websites were discovered, all hosting various types of malware. The scam's persistence mechanisms and social engineering techniques are detailed, along with remediation steps for affected users.
Created at: 2026-03-18T10:42:02.188000
Updated at: 2026-03-18T11:13:11.087000
Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign
Description: The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies.
Created at: 2026-03-18T10:49:03.576000
Updated at: 2026-03-18T11:11:04.750000
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
Description: The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.
Created at: 2026-03-18T10:49:56.673000
Updated at: 2026-03-18T11:09:18.852000
Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine
Description: An exposed open directory revealed a comprehensive Roundcube exploitation toolkit used by APT28 to target Ukrainian government entities. The toolkit includes XSS payloads, a Flask-based C2 server, CSS injection tools, and a Go-based implant. It enables credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction. The primary target was identified as mail.dmsu.gov.ua, Ukraine's State Migration Service. Technical analysis shows significant overlaps with previously documented APT28 operations, while introducing new capabilities such as CSS-based side-channel attacks and browser credential theft. The toolkit's modular approach and sophisticated evasion techniques demonstrate APT28's evolving tactics in compromising webmail platforms for long-term intelligence gathering.
Created at: 2026-03-18T10:51:37.946000
Updated at: 2026-03-18T11:06:11.357000
Casting a Wider Net: Scaling Threat
Description: LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.
Created at: 2026-03-18T10:53:13.088000
Updated at: 2026-03-18T11:00:23.524000
Fake Pudgy World site steals crypto passwords
Description: A sophisticated phishing campaign is targeting users of the newly-launched Pudgy World browser game, exploiting the game's requirement to connect cryptocurrency wallets. The fake site mimics the official game's appearance and wallet connection process, presenting convincing forgeries of 11 different wallet interfaces to steal credentials. The attack employs advanced evasion techniques to avoid detection by security researchers and sandboxes. It capitalizes on the excitement around the game's launch and users' unfamiliarity with Web3 onboarding processes. The campaign demonstrates a high level of technical sophistication, potentially indicating the use of a commercial phishing kit designed for crypto-related attacks.
Created at: 2026-03-18T10:37:06.529000
Updated at: 2026-03-18T10:37:53.217000
