LATEST THREAT INTELLIGENCE.
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
Description: A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.
Created at: 2026-02-20T00:28:19.348000
Updated at: 2026-03-22T00:04:28.839000
ClickFix in action: how fake captcha can encrypt an entire company
Description: The report details a malware attack on a large Polish organization involving fake CAPTCHA techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: Latrodectus (version 2.3) and Supper. The report provides technical details on the malware's functionality, communication protocols, and persistence mechanisms. It also includes indicators of compromise, such as C2 server IP addresses and file hashes. The authors emphasize the importance of employee education and monitoring for unusual events to mitigate such threats.
Created at: 2026-02-19T15:26:28.037000
Updated at: 2026-03-21T15:28:05.039000
The Curious Case of the Triton Malware Fork
Description: A malicious fork of the MacOS app Triton was discovered on GitHub, containing Windows-targeted malware disguised as the legitimate application. The attacker modified the repository, redirecting download links to a ZIP file hosting the malware. Analysis revealed sophisticated evasion techniques, anti-analysis features, and potential cryptocurrency functionality. The low detection rate and peculiar implementation suggest either an amateur attempt or a possible AI-generated attack. The incident highlights broader concerns about GitHub's security practices and Microsoft's priorities, prompting a call for developers to consider alternative code hosting platforms that better align with open-source values and user privacy.
Created at: 2026-02-19T15:26:26.212000
Updated at: 2026-03-21T15:28:05.039000
Invitation to Trouble: The Rise of Calendar Phishing Attacks
Description: A new phishing tactic involving fake Microsoft and Google Calendar invites has been identified, aimed at stealing login credentials. These sophisticated attacks mimic designs from well-known platforms, exploiting routine business activities like scheduling meetings. Threat actors use email spoofing and create fake urgent calendar invitations to deceive employees. The phishing emails often contain buttons or links that redirect to fake login pages, closely resembling official Microsoft or Google login screens. The campaigns exploit the popularity of calendar invitations in corporate environments, allowing attackers to gather sensitive information if users are not vigilant. To prevent falling victim to these attacks, it is crucial to verify the authenticity of calendar invites, carefully check sender details, and avoid clicking suspicious links from unknown senders.
Created at: 2026-02-19T15:26:25.602000
Updated at: 2026-03-21T15:28:05.039000
(Don't) TrustConnect: It's a RAT in an RMM hat
Description: A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.
Created at: 2026-02-19T11:10:29.994000
Updated at: 2026-03-21T11:34:25.575000
Arkanix Stealer targets a variety of data, offers a MaaS referral program
Description: Arkanix Stealer, a newly discovered malware operating under a Malware-as-a-Service model, targets a wide range of user data including cryptocurrencies, gaming, and online banking information. The stealer, available in both Python and C++ versions, offers configurable features and employs various techniques to evade detection. It can extract data from multiple browsers, VPNs, and gaming platforms, as well as capture screenshots and RDP connection details. The malware authors promoted their product through a Discord server and implemented a referral program to attract customers. The campaign appears to have been short-lived, with infrastructure taken down around December 2025.
Created at: 2026-02-19T11:10:30.625000
Updated at: 2026-03-21T11:34:25.575000
VoidStealer: Debugging Chrome to Steal Its Secrets
Description: VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.
Created at: 2026-03-20T09:51:33.321000
Updated at: 2026-03-20T21:06:50.989000
Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
Description: A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.
Created at: 2026-03-20T09:51:35.029000
Updated at: 2026-03-20T21:05:12.398000
CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours
Description: A critical vulnerability in Langflow, an open-source visual framework for AI agents and RAG pipelines, was disclosed on March 17, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated remote code execution on exposed Langflow instances. Within 20 hours, exploitation attempts were observed in the wild. Attackers rapidly developed working exploits from the advisory description and began scanning for vulnerable instances. The Sysdig Threat Research Team deployed honeypots to monitor the attacks, observing automated scanning, custom exploit scripts, and data harvesting activities. The rapid exploitation highlights the accelerating trend of shorter time-to-exploit for vulnerabilities, posing significant challenges for defenders. The attackers targeted high-value data, API keys, and potential software supply chain compromise.
Created at: 2026-03-20T09:51:34.102000
Updated at: 2026-03-20T21:02:18.495000
Law Firm Sites Hijacked in Suspected Supply-Chain Attack
Description: GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.
Created at: 2026-02-18T16:28:06.616000
Updated at: 2026-03-20T16:41:27.242000
