The PolySwarm Blog

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: ddaemon

Verticals Targeted: Government, Utilities
Regions Targeted: US
Related Families: TetraLoader, Cobalt Strike, VShell, AntSword, chinatso/Chopper, Behinder

Verticals Targeted: Finance, Construction, Manufacturing, Technology
Regions Targeted: US, UK, Canada
Related Families: Cobalt Strike, Meterpreter

Verticals Targeted: Government, Defense
Regions Targeted: Ukraine, Bulgaria, Romania, Africa, EU, South America
Related Families: None specified

Executive Summary

Operation RoundPress, a Russia-aligned cyberespionage campaign attributed to Fancy Bear, deploys SpyPress malware via cross-site scripting (XSS) vulnerabilities to steal sensitive email data from high-value webmail servers. Active since 2023 and expanding in 2024, the campaign primarily targets Ukrainian government entities and Eastern European defense contractors, exploiting zero-day and known vulnerabilities across platforms like Roundcube, Horde, MDaemon, and Zimbra.

Verticals Targeted: NGOs, Diplomats, Government  
Regions Targeted: Western countries, Eastern Europe, Ukraine  
Related Families: Spica

Executive Summary

Star Blizzard, a Russian state-sponsored threat actor, has deployed a malware family named LOSTKEYS to steal sensitive documents and system information from NGOs, diplomats, and government officials in Western countries and Eastern Europe.

Verticals Targeted: E-commerce
Regions Targeted: Not specified
Related Families: None identified

Executive Summary

PupkinStealer, a .NET-based infostealer written in C#, targets sensitive data such as browser credentials and desktop files, exfiltrating it via Telegram’s Bot API. First observed in April 2025, its simplicity and reliance on legitimate platforms make it a notable threat.

Related Families: Amadey

Executive Summary

StealC V2, a sophisticated evolution of the StealC information stealer, introduces enhanced payload delivery, RC4 encryption, and a redesigned control panel, posing significant risks to organizations.

Related Families: VenomLNK, TerraLoader, TerraStealer, TerraTV, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, Venom Loader

Executive Summary

TerraStealerV2 and TerraLogger are two new malware families from Venom Spider, enhancing their Malware-as-a-Service (MaaS) platform with credential theft and keylogging capabilities. These tools, observed between January and April 2025, indicate active development but lack the sophistication of mature Venom Spider malware.