Malware

Malware analysis, reverse engineering findings, and detection guidance.

41 items

Severity: high | Category: Malware | Status: Active

SharkLoader malware family targets diplomatic and government networks across Indo-Pacific region

A previously undocumented loader malware called SharkLoader has been observed in a campaign tracked as StrikeShark, delivering Cobalt Strike Beacon to diplomatic organisations in Indonesia and government networks in Taiwan. The campaign represents a targeted operation against sensitive government infrastructure using commodity post-exploitation tools.

Affected: Indonesian diplomatic organisations, Taiwan government organisations

Severity: high | Category: Malware | Status: Contained

International takedown of SocGholish botnet disrupts Evil Corp's malware distribution infrastructure

Law enforcement conducted a coordinated international operation against the SocGholish botnet, a distribution mechanism linked to Russia-based cybercrime group Evil Corp. The disruption degrades Evil Corp's ability to deliver secondary payloads and conduct follow-on attacks against compromised networks.

Affected: SocGholish botnet victims, organisations compromised by Evil Corp campaigns

Severity: high | Category: Malware | Status: Active

NetNut Residential Proxy Service Masking Four-Year Android Botnet Operation at Scale

Popa, a multi-year Android botnet compromising millions of consumer TV boxes, has been attributed to NetNut, a residential proxy service operated by the publicly traded Israeli firm Alarum Technologies. The botnet facilitates advertising fraud, account takeovers, and mass data scraping under commercial cover.

Affected: Alarum Technologies Ltd (NASDAQ: ALAR), NetNut (residential proxy service), Android TV boxes +1

Severity: high | Category: Malware | Status: Active

Infostealer-First Attack Pattern Signals Shift Away From Exploit Dependency

Attackers are increasingly deploying infostealers to harvest credentials at scale, using stolen login details as the primary entry vector for ransomware and other operations rather than relying on exploits. This trend indicates defenders must prioritise credential hygiene and detection of infostealer activity.

Affected: Enterprise networks (all sectors), End-user devices (Windows, macOS, Linux), Cloud platforms relying on stolen credentials

Severity: high | Category: Malware | Status: Active

JDY Botnet Resurges with 1,500+ SOHO and IoT Devices for State-Sponsored Reconnaissance

A China-linked botnet called JDY has expanded to compromise over 1,500 small office, home office, and IoT devices, operating as a centralised scanner for discovering and mapping exposed internet-facing services. This represents a significant reconnaissance infrastructure used by state-sponsored actors to identify targets at scale.

Affected: SOHO devices (unspecified models), IoT devices (unspecified models)

Severity: high | Category: Malware | Status: Resolved

17 Million-Device Botnet Dismantled by Dutch Authorities: Infrastructure Analysis and Takedown Mechanics

Dutch law enforcement and the NCSC successfully dismantled a botnet commanding at least 17 million infected devices across multiple platforms, with over 200 command-and-control servers operating from the Netherlands. This represents a significant disruption to a large-scale criminal infrastructure, though the source and purpose of the botnet remain unclear from available details.

Affected: computers, tablets, smartphones +1

Severity: high | Category: Malware | Status: Active

ChatGPT Share Links Exploited as Malware Distribution Vector via Fake Outage Social Engineering

Threat actors are abusing ChatGPT's legitimate content-sharing feature to host convincing fake OpenAI outage pages that redirect users to download malware masquerading as the official ChatGPT desktop client. This exploits user trust in OpenAI's infrastructure and takes advantage of the feature's legitimacy to bypass security filters.

Affected: OpenAI ChatGPT, ChatGPT desktop application users

Severity: high | Category: Malware | Status: Contained

Kimwolf IoT Botnet Operator Arrested: International Prosecution Marks Escalation in Law Enforcement Against DDoS-for-Hire Operators

Canadian authorities arrested a 23-year-old suspected operator of Kimwolf, an IoT botnet that compromised millions of devices for large-scale DDoS attacks. The arrest and cross-border charges signal coordinated enforcement against botnet operators who target journalists and security researchers.

Affected: Internet-of-Things devices (millions), Online services targeted by DDoS attacks, Media and security research organisations

Severity: high | Category: Malware | Status: Contained

Ukrainian law enforcement dismantles infostealer operation run by 18-year-old, recovering 28,000 compromised accounts

Ukrainian cyberpolice and U.S. law enforcement identified and disrupted an infostealer malware operation run by an 18-year-old from Odesa who had compromised approximately 28,000 user accounts from a California-based online retailer. The case demonstrates effective international law enforcement coordination against financially motivated cybercriminals operating from Eastern Europe.

Affected: Unnamed California-based online retail store

Severity: high | Category: Malware | Status: Resolved

UNC6692 deploys Snow malware via Microsoft Teams social engineering, signalling expansion of platform-based attack delivery

Threat actor UNC6692 is using Microsoft Teams to socially engineer targets into executing a custom malware suite called Snow, which comprises a browser extension, tunneler, and backdoor. This represents a shift toward trusted communication platforms as malware delivery vectors, complicating detection and increasing organisational risk.

Affected: Microsoft Teams, Microsoft 365 users

Severity: high | Category: Malware | Status: Resolved

Payouts King ransomware weaponises QEMU hypervisor for blind-spot evasion

Payouts King ransomware operators are deploying QEMU virtual machines as covert execution containers, using reverse SSH tunnels to maintain hidden command channels that bypass endpoint detection and response tools. This represents a maturation of VM-based evasion tactics in ransomware operations.

Affected: Systems running endpoint detection and response (EDR) solutions, Windows hosts with QEMU installation capability

Severity: high | Category: Malware | Status: Contained

RedLine Infostealer Administrator Arrested: Law Enforcement Disrupts Malware-as-a-Service Operation

Hambardzum Minasyan, an Armenian national allegedly involved in developing and administering the RedLine infostealer, has been extradited to the United States. This arrest represents a significant enforcement action against a malware-as-a-service operation that has compromised thousands of organisations globally.

Affected: Organisations using compromised credentials, Enterprise networks, Financial institutions