Verticals Targeted: Financial
Regions Targeted: Argentina
Related Families: VNCSpy
Executive Summary
PromptSpy is the first documented Android malware family to integrate generative AI, specifically Google's Gemini, into its execution flow for dynamic, context-aware persistence. Primarily functioning as a remote access trojan with a built-in VNC module, this malware demonstrates how large language models can enhance adaptability in mobile threats, particularly for UI manipulation resistant to device variations.
Verticals Targeted: Cryptocurrency, Corporations, Social Media, Finance, Developers
Regions Targeted: Not Specified
Related Families: Trojan/OpenClaw.PolySkill, Atomic Stealer (AMOS)
Executive Summary
Threat actors conducted a widespread supply chain poisoning operation, named ClawHavoc, by uploading hundreds of malicious Skills to the ClawHub marketplace for the OpenClaw AI agent framework, employing social engineering to induce users to execute payloads that install information stealers and backdoors. The campaign leverages over 900 malicious skills to target high-value users across cryptocurrency, productivity, and social media categories to steal credentials, wallet data, and bot configurations.
Verticals Targeted: Financial, Government
Regions Targeted: Southern Europe
Related Families: None
Executive Summary
Massiv represents an emerging Android banking Trojan family capable of overlay-based credential theft, keylogging, message interception, and full device takeover via remote control features, enabling fraudulent transactions and account manipulations. Distributed primarily through fake IPTV applications sideloaded outside official stores, it has facilitated confirmed fraud in southern Europe, particularly exploiting Portuguese government digital identity tools for bypassing security verifications.
Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH
Executive Summary
A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus financially motivated threat actor. The operation deployed seven unique malware families on a macOS host through sophisticated social engineering involving a compromised Telegram account, a spoofed Zoom meeting, a reported deepfake video, and a ClickFix technique to initiate infection.
Verticals Targeted: Government, Telecommunications, Finance, Aerospace
Regions Targeted: North America, South America, Africa, Europe, Asia
Related Families: Diaoyu Loader, ShadowGuard, Cobalt Strike, VShell
Executive Summary
A sophisticated state-aligned cyberespionage operation attributed to TGR-STA-1030 (also tracked as UNC6619) has been discovered, operating from Asia. It has compromised government and critical infrastructure entities across 37 countries over the past year while conducting reconnaissance against government infrastructure in 155 countries. The group's “Shadow Campaigns” leverage phishing, N-day exploitations, and advanced tooling to prioritize intelligence collection on economic partnerships, trade, and diplomatic activities.
Verticals Targeted: Not specified
Regions Targeted: Central and Eastern Europe
Related Families: MiniDoor, Covenant Grunt, PixyNetLoader
Executive Summary
Operation Neusploit is a campaign attributed with high confidence to the Russia-linked Fancy Bear group, which exploits the zero-day vulnerability CVE-2026-21509 in Microsoft RTF files to deploy backdoors and email stealers targeting users in Central and Eastern Europe. The multi-stage infection chain delivers MiniDoor for email exfiltration from Outlook and PixyNetLoader leading to a Covenant Grunt implant for C2.
Verticals Targeted: Cryptocurrency, Financial, Industrial, Manufacturing, Defense, Aerospace, Logistics, Shipping
Regions Targeted: United States, Canada, South Korea, India, Europe, Japan, Italy
Related Families: Multiple families per each threat actor