Virus Bulletin
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
- The Raven File examines how AI chatbots perform in threat intelligence tasks, focusing on logical errors and failure. The goal was to classify common risks across LLMs and show where human validation is still essential. theravenfile.com/2026/02/05/l...
- LevelBlue SpiderLabs continues its LockBit 5.0 series, with Part 3 analysing the Windows build. The analysis covers a targeted kill list that systematically dismantles the services needed for backups, virtualization and critical business databases. www.levelblue.com/blogs/spider...
- Cisco Talos uncovers DKnife, a gateway-monitoring and adversary-in-the-middle framework that manipulates network traffic & can hijack binary downloads or Android app updates to deliver malware. Used since at least 2019, its C2 was still active in Jan 2026. blog.talosintelligence.com/knife-cuttin...
- LevelBlue SpiderLabs continues its LockBit 5.0 series with part two, analysing the Linux x64 variant. The report compares behaviour across samples to show what stays consistent and what changes when the ransomware targets Linux systems. www.levelblue.com/blogs/spider...
- Seqrite Labs tracks an RTO-themed Android malware campaign targeting Indian users via WhatsApp-distributed apps. The operation uses a multi-stage chain with anti-analysis and a structured backend for data collection and remote operations. www.seqrite.com/blog/inside-...
- Huntress details an intrusion in which attackers gained access via compromised SonicWall SSLVPN credentials, then deployed an EDR killer using a revoked EnCase forensic driver to terminate security tools from kernel mode, reinforcing the growing BYOVD trend. www.huntress.com/blog/encase-...
- SophosLabs investigates WantToCry remote ransomware cases in which attackers operated from virtual machines with auto-generated NetBIOS names derived from Windows templates provisioned by ISPsystem. www.sophos.com/en-us/blog/m...
- Acronis TRU tracks Transparent Tribe (APT36) expanding beyond its usual government and defence focus to India’s startup ecosystem. The campaign uses startup-themed decoys and ISO files with malicious LNK shortcuts to deliver Crimson RAT. www.acronis.com/en/tru/posts...
- Recorded Future’s Insikt Group profiles Rublevka Team, a Russian SOL wallet drainer operation that pushes a promotion or airdrop event and drains wallets after victims connect and sign a transaction. The group automates campaigns via Telegram bots. www.recordedfuture.com/research/rub...
- RedAsgard shows how a Lazarus-linked fake job interview operation tricked developers into opening a repo & running npm install or loading it in VS Code, leading to credential theft. The investigation found 241k+ stolen credentials tied to 857 victims across 90 countries. redasgard.com/blog/hunting...
- Robin Dost details how APT28 uses CVE-2026-21509 in practice, relying on crafted RTF files that trigger OLE parsing without macros. The blog post walks through efficient IOC extraction from weaponised documents. blog.synapticsystems.de/apt28-geofen...
- LevelBlue SpiderLabs analyses DragonForce’s evolving playbook, combining advanced RaaS features with a franchise-style affiliate model. The tooling supports full, header and partial encryption across multiple platforms. www.levelblue.com/blogs/spider...
- Rapid7 reports on the Lotus Blossom campaign, including a compromise of Notepad++ hosting infrastructure used to deliver the Chrysalis backdoor. The report also details custom loaders, including one using Microsoft Warbird to hide shellcode execution. www.rapid7.com/blog/post/tr...
- Zscaler ThreatLabz reports on Operation Neusploit, a January 2026 campaign targeting Central and Eastern Europe. Weaponised Microsoft RTF files exploit CVE-2026-21509 to deliver multi-stage backdoors. The campaign is attributed to APT28 with high confidence. www.zscaler.com/blogs/securi...
- Forcepoint X-Labs tracks a multi-stage PDF phishing chain that evades email scanning by leaning on trusted hosting and layered redirects. The PDF is served from legitimate cloud infrastructure and redirects victims to a Dropbox-style page to harvest credentials. www.forcepoint.com/blog/x-labs/...
- Cyble CRIL uncovers ShadowHS, a fileless Linux post-exploitation framework where an obfuscated in-memory loader deploys a weaponised hackshell variant. The payload shows latent capability for credential access, privilege escalation, EDR/AV fingerprinting & data theft. cyble.com/blog/shadowh...
- In a three-part series, LevelBlue SpiderLabs analyses LockBit 5.0 across 19 samples, showing how the cross-platform malware operates on Windows, Linux and ESXi. Part 1 focuses on the ESXi variant and highlights shared components plus ESXi-specific behaviours. www.levelblue.com/blogs/spider...
- ESET Research updates its DynoWiper findings, sharing deeper technical details on a wiper used against an energy company in Poland. TTPs overlap with the ZOV wiper case in Ukraine, and the activity is attributed to Sandworm with medium confidence. www.welivesecurity.com/en/eset-rese...
- Digital Security Lab Ukraine warns Ukrainian organisations were targeted on 22 Jan 2026 with National Bank of Ukraine themed phishing. The multi-stage chain led to installation of remote admin malware and established persistent endpoint control. dslua.org/publications...
- Zimperium zLabs identifies Arsink, a cloud-native Android RAT that harvests sensitive data and enables remote device control. The malware leverages Google Apps Script and Drive for file uploads, and alternative builds use Firebase and Telegram for C2 and data theft. zimperium.com/blog/the-ris...
- Point Wild analyses a multistage Windows malware chain using LOTL tooling & in-memory payload delivery. A hidden BAT persists via a Run registry key, launches PowerShell & injects Donut shellcode into trusted processes before data exfiltration via Discord & Telegram. www.pointwild.com/threat-intel...
- Sekoia details IClickFix, a ClickFix campaign rotating multi-stage JavaScript loaders across compromised WordPress sites. The loader serves a fake Cloudflare Turnstile CAPTCHA, then clipboard-driven PowerShell drops NetSupport RAT. blog.sekoia.io/meet-iclickf...
- HarfangLab reports RedKitten, a new campaign seen in early January 2026 targeting Iranian interests, including NGOs & people documenting abuses. It uses GitHub and Google Drive for config/modules and Telegram for C2, with signs of LLM-assisted development. harfanglab.io/insidethelab...
- FortiGuard Labs tracks Interlock’s shifting toolkit across recent intrusions. A key addition is a process-killing tool that leverages a zero-day vulnerability in a gaming anti-cheat driver to try to disable EDR and AV. www.fortinet.com/blog/threat-...
- FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. www.fortinet.com/blog/threat-...
- ESET Research uncovered GhostChat, an Android spyware campaign using romance-scam tactics to target individuals in Pakistan. The campaign uses fake profiles (likely operated via WhatsApp), while the spyware exfiltrates victim data. www.welivesecurity.com/en/eset-rese...
- Google’s Threat Intelligence Group warns WinRAR CVE-2025-8088 is still being exploited for initial access and payload delivery by both state-backed and financially motivated actors. The exploitation method allows files to be dropped into the Windows Startup folder. cloud.google.com/blog/topics/...
- CloudSEK tracks interconnected fraud clusters targeting Canadians with traffic ticket and fine-payment lures aligned to the PayTool SMS phishing ecosystem, alongside parallel scams spoofing CRA, Air Canada and Canada Post for large-scale data harvesting. www.cloudsek.com/blog/pivotin...
- The second part of Zscaler ThreatLabz’s Gopher Strike/Sheet Attack research profiles three additional backdoors in Sheet Attack: SHEETCREEP using Google Sheets for C2, FIREPOWER abusing Firebase, and MAILCREEP leveraging Microsoft Graph. www.zscaler.com/blogs/securi...
- Blackpoint SOC details a ClickFix chain that proxies execution via the signed App-V script SyncAppvPublishingServer.vbs, avoiding more obvious PowerShell launch paths. The multi-stage flow ultimately delivers Amatera Stealer. blackpointcyber.com/blog/novel-f...
- Zscaler ThreatLabz tracks two campaigns, Gopher Strike & Sheet Attack, tied to a Pakistan-based actor targeting Indian government entities, and profiles tooling including the GOGITTER downloader, the GITSHELLPAD C2 backdoor & the GOSHELL loader deploying Cobalt Strike. www.zscaler.com/blogs/securi...
- Hybrid Analysis reports an organised “traffer gang” targeting crypto holders and Web3 employees. The operation delivers malware via fake Electron apps, disguised as legitimate tools. hybrid-analysis.blogspot.com/2026/01/orga...
- Varonis tracks a new browser-based MaaS threat named Stanley. The service packages phishing-style site spoofing as a Chrome extension and is marketed on Russian forums for $2k–$6k. www.varonis.com/blog/stanley...
- ESET Research observed a new instance of Operation DreamJob under the Lazarus umbrella targeting European defence companies, including firms tied to the UAV sector. Researchers provide a high-level overview of the tools used. www.welivesecurity.com/en/eset-rese...
- Trend Micro details PeckBirdy, a JScript-based C2 framework. The JScript design enables flexible LOLBin execution and supports multiple kill-chain roles, while HOLODONUT and MKDOOR add modular backdoor capability. www.trendmicro.com/en_us/resear...
- Recorded Future's Insikt Group looks into recent PurpleBravo activity. PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign. www.recordedfuture.com/research/pur...
- Check Point Research is tracking a phishing campaign linked to a North Korea–aligned threat actor known as KONNI. The attackers deploy an AI-generated PowerShell backdoor, highlighting the growing use of AI by threat actors. research.checkpoint.com/2026/konni-t...
- eSentire Threat Response Unit identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate India's Income Tax department. www.esentire.com/blog/weaponi...
- Trend Micro's Don Ovid Ladores, Yuya Sato & Yosuke Akiho provide an analysis of a software supply chain compromise involving EmEditor. A compromised installer was used to deliver multistage malware that performs a range of malicious actions. www.trendmicro.com/en_us/resear...
- 🔊 The Call for Papers is now open for VB2026! We're looking for engaging, insightful, and original talks for the 36th Virus Bulletin International Conference, taking place 14–16 October 2026 in Seville, Spain. 📅 Deadline: 9 April 2026 📝 Submit your abstract: www.virusbulletin.com/conference/v...
- Expel's Aaron Walto shows how Gootloader uses a deliberately malformed ZIP archive to bypass detection. The ZIP is correctly extracted by the default tool built into Windows systems but not by specialized tools like 7zip and WinRAR. expel.com/blog/gootloa...
- Fortinet researchers identified a multi-stage malware campaign that escalates into a full-system compromise that includes security-control bypass, surveillance, system restriction, deployment of Amnesia RAT, and ransomware delivery. www.fortinet.com/blog/threat-...
- Expel's Marcus Hutchins details recently updated techniques used in the ClearFake malware campaign: the campaign has adopted much more evasive tactics, such as leveraging Proxy Execution to run PowerShell commands via a trusted Windows feature. expel.com/blog/clearfa...
- Check Point Research believes a new era of AI-generated malware has begun, with VoidLink as the first clearly documented case of this era: an advanced malware framework authored almost entirely by AI, likely under the direction of a single individual. research.checkpoint.com/2026/voidlin...
- Infoblox researchers managed to snoop on the communications of an affiliate advertising push notification system whose DNS records were left misconfigured, allowing the researchers to receive a copy of every ad they sent victims, along with recorded metrics. www.infoblox.com/blog/threat-...
- Jamf Threat Labs has identified another evolution in the Contagious Interview campaign. In this campaign, infection begins when a victim clones and opens a malicious Git repository in Visual Studio Code. www.jamf.com/blog/threat-...
- Seqrite Labs has uncovered a globally active spear-phishing campaign targeting Argentina’s judicial sector. The campaign leverages a multi-stage infection chain to deploy a stealthy remote access trojan. www.seqrite.com/blog/operati...
- Fortinet researchers found a phishing campaign delivering a new variant of Remcos, a commercial lightweight remote access tool with a wide range of capabilities, including system resource management, remote surveillance, network management & Remcos agent management. www.fortinet.com/blog/threat-...
- The Seqrite Labs APT Team looks into Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government employees. www.seqrite.com/blog/operati...
- Swiss Post Cybersecurity researcher Louis Schürmann describes the complete attack chain in a PURELOGS stealer campaign, from the initial use of legitimate infrastructure to the final data exfiltration. www.swisspost-cybersecurity.ch/news/purelog...