Verticals Targeted: Government, Academia
Regions Targeted: India
Related Families: None
Transparent Tribe Evolves Tradecraft With Multi-Stage LNK Malware
Jan 12, 2026 1:55:19 PM / by The Hivemind posted in Threat Bulletin, APT36, Spear Phishing, Remote Access Trojan, cyber espionage, LNK Malware
Kimwolf Botnet Targeting Android TV Devices Worldwide
Jan 9, 2026 9:46:08 AM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Android Malware, DDoS Attacks, Kimwolf botnet, IoT vulnerabilities, Aisuru variant
Verticals Targeted: Consumer Electronics, Residential Networks
Regions Targeted: Brazil, India, United States, Vietnam, Saudi Arabia, Russia, Argentina, South Africa, Philippines, Mexico, Thailand, Indonesia, Morocco, Turkey, Iraq, Pakistan, China
Related Families: Aisuru
Executive Summary
Security researchers have detailed the Kimwolf botnet, a massive Android-based network exceeding 1.8 million infected devices, primarily TV boxes, that enables DDoS attacks, proxy services, and other malicious activity by abusing residential proxy networks and exploiting device vulnerabilities. The threat has shown rapid growth and resilience, using advanced evasion techniques to maintain control of infected devices and monetize the infections.
PolySwarm’s 2025 Year in Review
Jan 5, 2026 1:04:00 PM / by The Hivemind posted in Threat Bulletin, RedLine Stealer, Akira Ransomware, AsyncRAT trojan, VShell backdoor, 2025 malware trends, ransomware 2025, Cl0p ransomware, Qilin ransomware, SocGholish downloader, LummaStealer infostealer
Verticals Targeted: Multiple
Regions Targeted: Multiple
Related Families: Cl0p, Qilin, SocGholish, Akira, AsyncRAT, LummaStealer, RedLineStealer, VShell
Executive Summary
PolySwarm's 2025 Year in Review spotlights resilient malware that dominated the threat landscape and nation-state espionage from the Big Four. React2Shell (CVE-2025-55182) emerged as the top vulnerability, while AI-driven attacks defined the year's paradigm shift.
RansomHouse Upgrades Its Encryption
Dec 29, 2025 12:26:13 PM / by The Hivemind posted in Threat Bulletin, double extortion, Mario Encryptor, MrAgent Tool, VMware hypervisor, RansomHouse Ransomware, ESXi Targeting, ransomware upgrade, encryption evolution
Verticals Targeted: Healthcare, Finance, Transportation, Government
Regions Targeted: Not specified
Related Families: MrAgent, Mario
SantaStealer
Dec 23, 2025 12:13:07 PM / by The Hivemind posted in Threat Bulletin, Infostealer, Malware-As-A-Service, Emerging Threat, Windows Malware, credential theft, information stealer, C language malware, SantaStealer
Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: BluelineStealer, ChromElevator
Multiple Threat Actors Leveraging CVE-2025-55182 (React2Shell)
Dec 19, 2025 1:24:26 PM / by The Hivemind posted in Threat Bulletin, Linux backdoor, post-exploitation activity, CVE-2025-55182, React RCE, Next.js vulnerability, KSwapDoor backdoor, Cobalt Strike Linux, EtherRAT
Verticals Targeted: Technology
Regions Targeted: Not specified
Related Families: KSwapDoor, EtherRAT, Noodle RAT, SNOWLIGHT, VShell, Cobalt Strike, XMRig, Mirai, Others
MuddyWater's UDPGangster Backdoor
Dec 15, 2025 2:04:50 PM / by The Hivemind posted in Threat Bulletin, anti-analysis techniques, Phishing Campaigns, cyber espionage, VBA macros, UDPGangster, UDP backdoor
Verticals Targeted: Not specified
Regions Targeted: Turkey, Israel, Azerbaijan
Related Families: Phoenix
A New Variant of ClayRAT Transmutes
Dec 12, 2025 2:03:27 PM / by The Hivemind posted in Threat Bulletin, accessibility service abuse, lockscreen bypass, ClayRAT, Android Spyware, MediaProjection API, screen recording malware
Verticals Targeted: Not specified
Regions Targeted: Russia
Related Families: Previous ClayRAT variants