Related Families: GigaWiper, Crucio, FlockWiper, Zebrocy
GigaWiper: Inside a Modular Cyberweapon
Jul 17, 2026 2:51:19 PM / by The Hivemind posted in Threat Bulletin, modular malware, Microsoft threat intelligence, GigaWiper, BLUERABBIT, Crucio ransomware, Zebrocy, Golang malware, FlockWiper
BusySnake Stealer: Inside Armored Likho's AI-Assisted Malware Operation
Jul 13, 2026 1:09:43 PM / by The Hivemind posted in Threat Bulletin, Infostealer, Spear Phishing, Python Malware, credential theft, Armored Likho, BusySnake Stealer, AI-assisted malware, Eagle Werewolf, reverse SSH tunnel
Verticals Targeted: Government, Electric, Energy, Critical Infrastructure
Regions Targeted: Russia, Kazakhstan, Brazil
Related Threat Actors: Armored Likho
Related Families: BusySnake
Executive Summary
Researchers have identified an active phishing campaign introducing a previously undocumented Python-based infostealer dubbed BusySnake Stealer. Targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil, the campaign combines AI-assisted first-stage loaders, modular malware, GitHub-hosted payload delivery, and advanced credential theft capabilities. The operation demonstrates the group's continued technical evolution and highlights how increasingly modular malware can complicate traditional signature-based detection while reinforcing the importance of behavioral analytics and threat intelligence.
JADEPUFFER: Agentic Ransomware Signals a New Era of AI-Driven Cyber Operations
Jul 10, 2026 11:24:05 AM / by The Hivemind posted in Threat Bulletin, AI-powered ransomware, AI-generated malware, autonomous cyber attacks, JADEPUFFER, autonomous malware, agentic ransomware, LLM malware
Executive Summary
Industry researchers recently documented JADEPUFFER, a ransomware operation they assess to be the first publicly documented example of agentic ransomware. Unlike traditional ransomware operations that rely on manually operated toolkits or prebuilt malware, JADEPUFFER reportedly leveraged a large language model (LLM) to autonomously perform reconnaissance, credential theft, lateral movement, persistence, and database extortion. Although the campaign primarily abused well-known vulnerabilities and insecure configurations rather than novel exploits, its ability to adapt to operational failures and generate new task-specific payloads demonstrates how AI may significantly lower the barrier to conducting sophisticated cyberattacks while creating new challenges for defenders.
When Disaster Strikes, Cybercriminals Follow: The Persistent Threat of Disaster-Themed Fraud Campaigns
Jul 6, 2026 2:47:54 PM / by The Hivemind posted in Threat Bulletin, Phishing Campaigns, disaster phishing, charity fraud, natural disaster cyber threats, disaster-themed cyber campaigns, fake charities, cyber fraud
Executive Summary
Natural disasters create opportunities not only for emergency responders and humanitarian organizations to do good, but also for cybercriminals seeking to exploit public fear, urgency, and generosity. Following the June 2026 Venezuela earthquake, researchers observed hundreds of newly registered disaster-themed domains, highlighting how quickly threat actors and opportunistic scammers can capitalize on breaking events. This activity reflects a broader pattern observed after major disasters worldwide, where fraudulent websites, phishing campaigns, and fake charities emerge alongside legitimate relief efforts, complicating efforts to distinguish trusted resources from malicious infrastructure.
SharkLoader Emerges as Stealthy Cobalt Strike Delivery Framework
Jul 2, 2026 9:31:24 AM / by The Hivemind posted in Threat Bulletin, Cobalt Strike, malware loader, DLL sideloading, SharkLoader, StrikeShark
Verticals Targeted: Government, Diplomatic Organizations, Software Development
Regions Targeted: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia
Related Families: SharkLoader, Cobalt Strike
Executive Summary
Researchers have identified a previously undocumented malware loader named SharkLoader, used by an intrusion cluster tracked as StrikeShark to deploy Cobalt Strike Beacon against organizations across multiple countries and industries. The campaign has leveraged exploitation of vulnerable internet-facing applications alongside custom droppers disguised as legitimate software installers to establish initial access. Confirmed victims include government-related organizations, diplomatic entities, software development companies, and organizations in additional sectors spanning Asia, Europe, the Middle East, and Latin America.
Mistic: New Malware May Signal Evolution in Access Broker Tooling
Jun 29, 2026 3:02:43 PM / by The Hivemind posted in Threat Bulletin, initial access broker, Mistic, Backdoor.Mistic, ModeloRAT, MLTBackdoor, Woodgnat, KongTuke
Verticals Targeted: Insurance, Education, Information Technology
Related Families: Mistic, ModeloRAT
Beyond Banking Trojans: Rokarolla Expands the Android Fraud Playbook
Jun 26, 2026 2:32:36 PM / by The Hivemind posted in Threat Bulletin, Android Malware, Android banking trojan, mobile banking fraud, cryptocurrency malware, Rokarolla, banking malware, Android phishing overlays
Verticals Targeted: Financial, Cryptocurrency
Regions Targeted: Global
Related Families: Rokarolla
Executive Summary
Researchers have identified Rokarolla, a newly discovered Android banking trojan distributed through malicious websites impersonating trusted applications such as TikTok, Google Chrome, and Google Play Protect. The malware targets at least 217 banking and cryptocurrency applications and leverages Android Accessibility Services, phishing overlays, SMS interception, keylogging, screen monitoring, and call blocking to facilitate financial fraud. Rokarolla exposes at least 137 operator commands and employs multiple persistence and evasion mechanisms, allowing attackers to maintain extensive control over infected devices while minimizing user awareness and intervention.
Beyond the Pitch: Assessing Cyber Risks to the 2026 FIFA World Cup
Jun 22, 2026 3:29:49 PM / by The Hivemind posted in Threat Bulletin, World Cup cyber threats, FIFA World Cup 2026, FIFA World Cup cybersecurity, Handala malware, OlympicDestroyer, RedLine infostealer
Verticals Targeted: Sports, Transportation, Hospitality, Telecommunications, Financial, Technology, Media, Government
Regions Targeted: US, Canada, Mexico, Participating Nations
Related Threat Actors: Handala, CyberAv3ngers, Sandworm, NoName057(16), Cyber Army of Russia Reborn, KillNet affiliates, APT41, Volt Typhoon, Silent Ransom Group, Scattered Spider
Related Families: HANDALA, OlympicDestroyer, NKWIPER, HermeticWiper, RedLine, BlackCat (ALPHV)
Executive Summary