Recent research has uncovered a long-running cybercrime operation targeting fans of pirated books, movies, and TV shows. In 2026, experts identified new websites associated with this gang, attracting tens of millions of visitors. These sites have been linked to malware distribution, including a Remote Access Trojan (RAT) that allows attackers to control infected devices. This situation poses significant risks for users who access these pirated materials, as they may unknowingly download harmful software. It's crucial for consumers to be aware of these dangers and consider the security implications of engaging with pirated content.
Articles tagged "Trojan"
Found 35 articles
Recent reports from WatchGuard and ESET reveal two banking trojan campaigns targeting users in Latin America and Europe. The Grandoreiro malware is aimed at Windows devices, while the BTMOB RAT is designed for Android users. These campaigns specifically target companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The malware's ability to siphon sensitive financial information poses a significant risk to both businesses and individual users. As cybercriminals continue to adapt their tactics, it's crucial for users to remain vigilant and implement security measures to protect their devices and data.
Recent cyber campaigns attributed to Chinese advanced persistent threat (APT) groups have expanded their targets and updated their tactics. The group known as Salt Typhoon has reportedly attacked an energy entity in Azerbaijan, raising concerns about the security of critical infrastructure in the region. Another group, Twill Typhoon, has focused on entities in Asia, deploying an updated remote access Trojan (RAT) that enhances their capabilities. These developments suggest that these APTs are adapting to better infiltrate and exploit various sectors, which could lead to increased risks for organizations in affected areas. As these campaigns evolve, organizations need to bolster their cybersecurity measures to defend against such sophisticated attacks.
Infosecurity Magazine
Researchers at ThreatFabric have identified a new variant of the TrickMo Android banking trojan, which is now routing its command and control (C2) traffic through The Open Network (TON). This change in infrastructure allows the malware to operate more stealthily, making it harder for security measures to detect and block its activities. The TrickMo trojan primarily targets Android devices, aiming to steal sensitive banking information from users. This development is concerning because it indicates that attackers are adapting their strategies to evade detection, which could lead to increased financial fraud. Users of Android devices, particularly those who engage in online banking, need to be vigilant and take precautions to protect their information.
Researchers have identified a new Brazilian banking trojan named TCLBANKER, which can target 59 different banking, fintech, and cryptocurrency platforms. This malware is being monitored by Elastic Security Labs under the reference ID REF3076. TCLBANKER is considered a significant upgrade from the Maverick malware family, which utilizes a worm called SORVEPOTEL to spread. The trojan's ability to exploit popular communication tools like WhatsApp and Outlook for distribution raises concerns about its potential reach and impact on users' financial security. As attackers continue to evolve their tactics, it's crucial for users and financial institutions to remain vigilant and implement strong security measures.
A new remote access trojan (RAT) known as Quasar is targeting software developers, allowing attackers to gain unauthorized access to systems. This malware is particularly concerning because it can perform surveillance and exfiltrate credentials, putting sensitive information at risk. Developers who work with Linux systems are especially vulnerable to this sophisticated implant. The presence of such malware in the wild raises alarms about the security of development environments and the potential for broader attacks on software supply chains. Users and companies should take immediate steps to secure their systems against this threat, as the implications could affect many in the tech industry.
SCM feed for Latest
APT37, a North Korean state-sponsored hacking group, has launched a new social engineering campaign aimed at Facebook users. This operation utilizes the RokRAT trojan, which allows attackers to gain access to victims' devices and sensitive information. The campaign is multi-faceted, indicating a sophisticated approach to trick users into downloading the malware. This is particularly concerning as it targets a widely used platform, potentially affecting millions of users. As cyber threats continue to evolve, individuals and organizations must remain vigilant about the security of their online activities and the links they interact with.
Infosecurity Magazine
Security researchers have identified a new Android banking trojan called Mirax, which is targeting users across Europe. This malware utilizes a method known as Malware-as-a-Service (MaaS) to infect devices, allowing cybercriminals to gain remote access and turn affected smartphones into residential proxy nodes. By doing this, attackers can route their malicious activities through the compromised devices, making it harder to trace their actions back to them. This poses a significant risk to users, as their personal data and banking information could be exposed. The emergence of Mirax highlights ongoing vulnerabilities in mobile security and the need for users to remain vigilant against such threats.
Kaspersky's GReAT team has reported on a new campaign involving JanelaRAT, a type of remote access trojan that specifically targets financial information from users in Latin America. This malware is designed to steal sensitive data, including banking credentials, by infecting victims' devices through a series of sophisticated techniques. The infection process and the functionality of the malware have both been updated, making it more dangerous than previous versions. This campaign is particularly concerning as it highlights the ongoing risks to financial security for users in the region, especially given the rise of online banking and digital transactions. Users in Latin America need to be aware of this threat and take steps to protect their financial information.
SecurityWeek
Researchers have identified a new type of malware called CrystalX RAT, which poses serious risks to users by spying on them and stealing sensitive information. This remote access Trojan (RAT) can also alter device configurations, making it a potent tool for cybercriminals. The malware's sophisticated capabilities suggest that it could be used in targeted attacks against individuals or organizations. Users need to be vigilant and ensure their security measures are up to date to protect against this emerging threat. The discovery of CrystalX RAT emphasizes the ongoing challenges in cybersecurity and the need for continuous awareness and protection against evolving malware.
Kaspersky researchers have identified a new Remote Access Trojan (RAT) called CrystalX, which is being distributed as Malware-as-a-Service (MaaS). This malware combines features of spyware, information stealers, and prankware, making it particularly versatile and dangerous. Users can unknowingly download CrystalX, leading to their personal information being stolen or their devices being used for malicious purposes. The presence of prankware adds a unique twist, as it can also be used to annoy or embarrass victims. This incident underscores the evolving nature of cyber threats and the need for users to be vigilant about the software they install and the links they click on.
SCM feed for Latest
A recent phishing campaign has targeted various sectors in Ukraine, including government entities, healthcare providers, financial institutions, educational organizations, and software development firms. Attackers impersonated the country's Computer Emergency Response Team (CERT) to deliver the AGEWHEEZE Remote Access Trojan (RAT) between March 26 and 27. This type of malware allows unauthorized access to infected systems, posing significant risks to sensitive data and operational security. The incidents emphasize the ongoing cyber threats faced by Ukrainian organizations, particularly amid heightened geopolitical tensions. Entities in the affected sectors need to remain vigilant and enhance their cybersecurity measures to mitigate such risks.
A new cyber campaign is targeting Chinese-speaking users by using fake domains that mimic trusted software brands. This operation delivers a remote access trojan (RAT) named AtlasCross, which has not been documented before. The attackers are focusing on applications used for VPN services, encrypted messaging, video conferencing, cryptocurrency tracking, and e-commerce. Eleven domains have been confirmed to deliver this malware, raising concerns about the security of users who may unknowingly download compromised software. This incident highlights the ongoing risk of typosquatting attacks, where malicious actors create look-alike domains to trick users into installing harmful software.
A new banking Trojan is targeting users of Brazil's Pix payment system. This malware operates with a unique twist: it employs a real-time human operator who monitors transactions and waits for the right moment to intervene. Once the operator identifies a vulnerable transaction, they can manipulate it to steal funds. The attack poses a significant risk to Pix users, as it combines traditional malware tactics with human oversight, making detection and prevention more challenging. As Brazil's Pix system continues to gain popularity, the potential for financial loss increases, highlighting the urgent need for users to be vigilant about their online banking security.
Security Affairs
The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.