YungBinary
@YungBinary
Malware Research @eSentire
Joined October 2016
Interesting observation in a #React2Shell (CVE-2025-55182) exploitation: payload removes competing miners & their persistence 😂 while establishing its own via cron, systemd & SSH key. Exfiltrates AWS/GCP creds & included a comment "npx fix-react2shell-next".
We at @esthreat are tracking AI subscription resale across underground markets - shared logins, carded upgrades, and free creds. Access to these accounts can expose workspace data, chat history and other corporate insights 💀 as well. More here: https://t.co/Jkc32nLTBP
TRU is tracking active exploitation of #React2Shell and released an advisory with observables/indicators. Observed activity includes system reconnaissance and attempts to exfiltrate AWS credentials. https://t.co/zpcQfKNiKE
Blog is out on reverse engineering #Amatera stealer! We discovered threat clusters using Amatera for data-theft and as a loader for #NetSupport RAT. Fun techniques, config extractors, hashes w/ samples in VT, and CyberChef recipes below 👇 https://t.co/bO0p2sTvBn
.NET malware analysis tip: If you see "This breakpoint will not currently be hit" for a dynamically invoked method: Wait for the assembly to load (e.g., [System.Reflection.Assembly]::Load(byte[] assembly)). In dnSpy: - Go to View > Options and enable "Debug files loaded
Looks like they updated the alphabet for base64 decoding in 0.9.3, parser is being updated now!
Updated malware config parser for #Rhadamanthys! https://t.co/9L86Tm0ofn Samples appear to use an LZO-like decompressor, where control codes less than 0x20 are literal runs and greater than or equal to 0x20 are described as follows - 0x20 - Short match back-reference, copy
TRU's advisory on Windows Server Update Service vulnerability CVE-2025-59287 has been updated with technical details and IoCs from recent incidents. Read the Latest: https://t.co/zoWEMiOypl
esentire.com
THE THREAT October 30th Update: The eSentire Threat Response Unit (TRU) has observed the exploitation of the critical Windows Server Update…
NetSupport RAT operators: *sees our blog and updates loader to use random filenames + renaming* Us: *updates unpacking tool same day* They really thought that would stop us 😂 Tool: https://t.co/VwnGalhRAl Sample: https://t.co/tKFpoOiyOF C2: foundationasdasd[.]com
New blog on #NetSupport RAT: a year's worth of incidents, identified 3 threat groups using it maliciously, and created an unpacking tool for PowerShell-based loader variants! https://t.co/m12Bo83Gfi
Seeing new #NetSupport campaigns that use a new PowerShell-based loader that drops/executes NetSupport and deletes RunMRU registry values in order to hide evidence of #ClickFix execution! This one has a licensee named KAKAN, though is likely related to EVALUSION campaigns. C2:
New blog on #ChaosBot! A novel Rust-based backdoor that uses Discord for C2 and supports commands like shell (execute powershell commands), scr (screenshot), download (download files to victim device), and upload (exfiltrate files from victim device). https://t.co/LdbXDHt8wV
Update 2: What I thought was UltraViewer is actually a potential newer variant of ChaosBot (ChaosC2)
New malware analysis blog on #DarkCloud, an infostealer written in VB6 + a config extractor and string decryption tool for IDA Pro! https://t.co/Lf3sDxeNxd
Seeing a new PowerShell-based stealer that shares many resemblances to #KoiLoader, and is possibly a new tool for the threat group. Tracking it as #KoiStealerPS. Screenshots below show the HTTP POST request format exfiltrating stolen data/system information. The "enc" key stores