Verticals Targeted: Government, Electric, Energy, Critical Infrastructure
Regions Targeted: Russia, Kazakhstan, Brazil
Related Threat Actors: Armored Likho
Related Families: BusySnake
BusySnake Stealer: Inside Armored Likho's AI-Assisted Malware Operation
Jul 13, 2026 1:09:43 PM / by The Hivemind posted in Threat Bulletin, Infostealer, Spear Phishing, Python Malware, credential theft, Armored Likho, BusySnake Stealer, AI-assisted malware, Eagle Werewolf, reverse SSH tunnel
JADEPUFFER: Agentic Ransomware Signals a New Era of AI-Driven Cyber Operations
Jul 10, 2026 11:24:05 AM / by The Hivemind posted in Threat Bulletin, AI-powered ransomware, AI-generated malware, autonomous cyber attacks, JADEPUFFER, autonomous malware, agentic ransomware, LLM malware
Executive Summary
Industry researchers recently documented JADEPUFFER, a ransomware operation they assess to be the first publicly documented example of agentic ransomware. Unlike traditional ransomware operations that rely on manually operated toolkits or prebuilt malware, JADEPUFFER reportedly leveraged a large language model (LLM) to autonomously perform reconnaissance, credential theft, lateral movement, persistence, and database extortion. Although the campaign primarily abused well-known vulnerabilities and insecure configurations rather than novel exploits, its ability to adapt to operational failures and generate new task-specific payloads demonstrates how AI may significantly lower the barrier to conducting sophisticated cyberattacks while creating new challenges for defenders.
When Disaster Strikes, Cybercriminals Follow: The Persistent Threat of Disaster-Themed Fraud Campaigns
Jul 6, 2026 2:47:54 PM / by The Hivemind posted in Threat Bulletin, Phishing Campaigns, disaster phishing, charity fraud, natural disaster cyber threats, disaster-themed cyber campaigns, fake charities, cyber fraud
Executive Summary
Natural disasters create opportunities not only for emergency responders and humanitarian organizations to do good, but also for cybercriminals seeking to exploit public fear, urgency, and generosity. Following the June 2026 Venezuela earthquake, researchers observed hundreds of newly registered disaster-themed domains, highlighting how quickly threat actors and opportunistic scammers can capitalize on breaking events. This activity reflects a broader pattern observed after major disasters worldwide, where fraudulent websites, phishing campaigns, and fake charities emerge alongside legitimate relief efforts, complicating efforts to distinguish trusted resources from malicious infrastructure.
SharkLoader Emerges as Stealthy Cobalt Strike Delivery Framework
Jul 2, 2026 9:31:24 AM / by The Hivemind posted in Threat Bulletin, Cobalt Strike, malware loader, DLL sideloading, SharkLoader, StrikeShark
Verticals Targeted: Government, Diplomatic Organizations, Software Development
Regions Targeted: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia
Related Families: SharkLoader, Cobalt Strike
Executive Summary
Researchers have identified a previously undocumented malware loader named SharkLoader, used by an intrusion cluster tracked as StrikeShark to deploy Cobalt Strike Beacon against organizations across multiple countries and industries. The campaign has leveraged exploitation of vulnerable internet-facing applications alongside custom droppers disguised as legitimate software installers to establish initial access. Confirmed victims include government-related organizations, diplomatic entities, software development companies, and organizations in additional sectors spanning Asia, Europe, the Middle East, and Latin America.
Mistic: New Malware May Signal Evolution in Access Broker Tooling
Jun 29, 2026 3:02:43 PM / by The Hivemind posted in Threat Bulletin, initial access broker, Mistic, Backdoor.Mistic, ModeloRAT, MLTBackdoor, Woodgnat, KongTuke
Verticals Targeted: Insurance, Education, Information Technology
Related Families: Mistic, ModeloRAT
Beyond Banking Trojans: Rokarolla Expands the Android Fraud Playbook
Jun 26, 2026 2:32:36 PM / by The Hivemind posted in Threat Bulletin, Android Malware, Android banking trojan, mobile banking fraud, cryptocurrency malware, Rokarolla, banking malware, Android phishing overlays
Verticals Targeted: Financial, Cryptocurrency
Regions Targeted: Global
Related Families: Rokarolla
Executive Summary
Researchers have identified Rokarolla, a newly discovered Android banking trojan distributed through malicious websites impersonating trusted applications such as TikTok, Google Chrome, and Google Play Protect. The malware targets at least 217 banking and cryptocurrency applications and leverages Android Accessibility Services, phishing overlays, SMS interception, keylogging, screen monitoring, and call blocking to facilitate financial fraud. Rokarolla exposes at least 137 operator commands and employs multiple persistence and evasion mechanisms, allowing attackers to maintain extensive control over infected devices while minimizing user awareness and intervention.
Beyond the Pitch: Assessing Cyber Risks to the 2026 FIFA World Cup
Jun 22, 2026 3:29:49 PM / by The Hivemind posted in Threat Bulletin, World Cup cyber threats, FIFA World Cup 2026, FIFA World Cup cybersecurity, Handala malware, OlympicDestroyer, RedLine infostealer
Verticals Targeted: Sports, Transportation, Hospitality, Telecommunications, Financial, Technology, Media, Government
Regions Targeted: US, Canada, Mexico, Participating Nations
Related Threat Actors: Handala, CyberAv3ngers, Sandworm, NoName057(16), Cyber Army of Russia Reborn, KillNet affiliates, APT41, Volt Typhoon, Silent Ransom Group, Scattered Spider
Related Families: HANDALA, OlympicDestroyer, NKWIPER, HermeticWiper, RedLine, BlackCat (ALPHV)
Executive Summary
The 2026 FIFA World Cup presents one of the largest cyber target environments in modern history, spanning three host nations, sixteen host cities, critical infrastructure, transportation systems, hospitality providers, broadcasters, government agencies, and millions of attendees. Historical precedent demonstrates that major sporting events attract nation-state actors, hacktivists, cybercriminals, and opportunistic threat actors seeking financial gain, disruption, intelligence collection, or publicity. PolySwarm telemetry confirms continued circulation of destructive malware, infostealers, and ransomware families during the tournament period, highlighting the diverse threat landscape facing organizations supporting World Cup operations.
Miasma Expands Software Supply Chain Attacks Through Compromised CI/CD Infrastructure
Jun 15, 2026 2:57:00 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, Mini Shai-Hulud, GitHub Actions, Miasma, npm, SLSA, Open Source Security, CI/CD Security
Verticals Targeted: Software Development
Regions Targeted: Global
Related Families: Miasma, Mini Shai-Hulud