A newly discovered PowerShell-based shellcode loader, y1.ps1, leverages advanced in-memory execution and evasion techniques to bypass traditional disk-based detection. The y1.ps1 script was found hosted on an open directory on a Chinese server.

Cybercriminals are exploiting the trusted text-sharing platform Paste.ee to deliver sophisticated malware strains, including XWorm and AsyncRAT. These campaigns leverage phishing emails and social engineering to distribute malicious payloads.

Hunt researchers uncovered a malicious server, revealing SuperShell C2 payloads and a Linux ELF Cobalt Strike beacon. The server also hosted reconnaissance tools, highlighting the sophistication and layered nature of modern cyber threats.

Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.

The threat actors behind this campaign sought to exploit the player-driven economy of Albion Online, where in-game assets are exchanged for real money through third-party markets.

The attackers rely on search engine optimization (SEO) poisoning to direct users to fraudulent download pages for apps like Signal, Line, and Gmail, which deliver ZIP files containing executable malware.

Disguised as a benign application, LummApp deploys malicious browser extensions capable of exfiltrating data, capturing screen activity, manipulating clipboard contents, and tracking user browsing behavior.

MoqHao, also known as Wroba and XLoader, is a mobile malware family linked to Roaming Mantis, a cybercrime group believed to be operating out of China. Malicious payloads are usually delivered through SMS phishing attacks targeting mobile devices.

The ongoing threat campaign known as VEILDrive is utilizing Microsoft services such as Teams, SharePoint, Quick Assist, and OneDrive in its operations to distribute spear-phishing attacks and store malware.

The attackers use spear-phishing lures and watering hole campaigns to infiltrate networks and collect sensitive data. Huntress identified four compromised hosts in recent attacks, linking them to Cobalt Strike Beacons and encrypted DLL payloads.