Cyble

Stealthy Fileless Attack Targets Attendees Of Upcoming US-Taiwan Defense Industry Event

The attack involves a malicious ZIP archive pretending to be a PDF registration form, dropping an executable into the startup folder to establish persistence on the system.

Reputation Hijacking With JamPlus: A Maneuver To Bypass Smart App Control (SAC)

The initial infection involves downloading a malicious package containing a legitimate CapCut app, the JamPlus utility, and a malicious script. The script triggers the download and execution of the final payload from a remote server.

Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government

This campaign, active since July, utilizes at least three malicious ISO files to compromise Malaysian entities, containing components like a malicious executable and a decoy PDF file, ultimately delivering the Babylon RAT as a final payload.

Unmasking the Overlap Between Golddigger and Gigabud Android Malware

Initially discovered in January 2023 impersonating government entities, Gigabud and Golddigger malware campaigns have overlapped, suggesting the same threat actors are behind both.

Latrodectus and ACR Stealer Observed Spreading via Google Authenticator Phishing Site

The phishing site tricks users into downloading a malicious file disguised as Google Authenticator, which then drops the two malware components. The ACR Stealer exfiltrates data to a C&C server, while Latrodectus maintains persistence on the machine.

Regional Transport Office Themed Phishing Campaign Targets Android Users In India

Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk".

Increase in the Exploitation of Microsoft SmartScreen Vulnerability

Cyble Research and Intelligence Labs (CRIL) has identified an increase in the exploitation of the Microsoft SmartScreen vulnerability (CVE-2024-21412) through an active campaign targeting regions like Spain, the US, and Australia.

Rising Wave Of QR Code Phishing Attacks: Chinese Citizens Targeted Using Fake Official Documents

One campaign discovered by Cyble Research and Intelligence Labs (CRIL) impersonates the Ministry of Human Resources and Social Security of China. The malicious Word document appears as an application notice for receiving labor subsidies.

In The Shadow Of Venus: Trinity Ransomware's Covert Ties

Researchers at Cyble discovered a new ransomware variant called Trinity that employs a double extortion technique and shares similarities with the Venus ransomware, suggesting a potential link or common actor behind these two variants.
July 13, 2021

Indonesia Under Sophisticated Cyberattacks: A Deep-Dive Analysis Of Threat Actors Targeting The Indonesian Ecosystem

On May 12, 2021, over 200 million personally identifiable information (PII) records of Indonesians were found to have been stolen and sold on RaidForums, contributing to a succession of cybercrime events.
