The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

The Hivemind

Find me on:

Recent Posts

Famous Chollima Evolves Its Arsenal, Merging BeaverTail and OtterCookie

Oct 24, 2025 1:15:09 PM / by The Hivemind posted in Threat Bulletin, Famous Chollima, North Korean cyber threats, DPRK hackers, BeaverTail malware, OtterCookie backdoor, cryptocurrency stealers, InvisibleFerret payload

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Sri Lanka
Related Families: BeaverTail, OtterCookie, InvisibleFerret

Executive Summary

Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers. A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group's adaptation in delivery methods.

Read More

AdaptixC2

Oct 20, 2025 4:00:36 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, PowerShell malware, AdaptixC2, post-exploitation framework, C2 framework, AI-generated malware

0 Comments

Verticals Targeted: Financial
Regions Targeted: Asia
Related Families: Fog Ransomware

Executive Summary

AdaptixC2, an open-source command-and-control framework, has emerged as a potent tool for threat actors, enabling file manipulation, data exfiltration, and covert network communication in attacks. Its modular design and AI-assisted deployment methods underscore the need for robust defenses to counter its evolving tactics.

Read More

ClayRAT

Oct 17, 2025 4:14:26 PM / by The Hivemind posted in Threat Bulletin, Malware, mobile threat evolution, ClayRAT, Android Spyware, spyware distribution, Android Security, Telegram phishing, SMS handler abuse, Phishing Campaigns, Malware Propagation

0 Comments

Verticals Targeted: None specified
Regions Targeted: Russia
Related Families: None

Executive Summary

ClayRAT, a sophisticated Android spyware campaign targeting Russian users, leverages Telegram channels and phishing sites to distribute malicious APKs disguised as popular apps. Its rapid evolution, extensive surveillance capabilities, and self-propagation via SMS make it a significant threat to mobile security.

Read More

EvilAI

Oct 14, 2025 1:18:06 PM / by The Hivemind posted in EvilAI malware, AI-generated trojans, Node.js malware, credential stealers, AES-256-CBC encryption, social engineering attacks, infostealer payloads

0 Comments

Verticals Targeted: Manufacturing, Government, Healthcare, Technology, Retail, Education, Financial, Construction
Regions Targeted: India, US, Europe, Brazil, Canada
Related Families: None

Executive Summary

The EvilAI malware campaign leverages AI-generated code and deceptive applications with valid digital signatures to infiltrate systems globally, targeting critical industries like manufacturing, government, and healthcare. By mimicking legitimate software and employing sophisticated obfuscation, EvilAI evades detection, exfiltrates sensitive data, and maintains persistent control via encrypted C2 communications, posing a significant threat to organizations worldwide.

Read More

LockBit 5.0

Oct 10, 2025 2:50:07 PM / by The Hivemind posted in Cybercrime, Linux Malware, Windows Malware, LockBit Ransomware, double extortion, VMware virtualization, ESXi attacks, ransomware trends, data encryption, anti-analysis techniques

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: LockBit

Executive Summary

LockBit 5.0, the latest evolution of the notorious ransomware, targets Windows, Linux, and VMware ESXi systems with advanced obfuscation, DLL reflection, and anti-analysis techniques. Its cross-platform capabilities and enhanced encryption methods make it a formidable threat to enterprise networks.

Read More

Akira Reloaded

Oct 7, 2025 1:04:01 PM / by The Hivemind posted in Threat Bulletin, Data Exfiltration, credential theft, SonicWall VPN, Ransomware Campaign, Akira Ransomware, CVE-2024-40766, SSL VPN

0 Comments

Verticals Targeted: Real Estate, Insurance, Energy, Manufacturing, Legal Services, Healthcare, Construction, Retail, Agriculture, Finance, Business Services, Transportation, Software, Hospitality, Government, Telecommunications
Regions Targeted: US, Europe, South America, Australia, Canada, India, Africa

Executive Summary

A surge in Akira ransomware attacks since July 2025 exploits SonicWall VPNs via CVE-2024-40766, enabling rapid credential-based intrusions with dwell times as short as 55 minutes. Threat actors leverage stolen credentials, bypass MFA, and deploy tools such as Impacket and WinRAR for lateral movement and data exfiltration, targeting organizations across various sectors.

Read More

BRICKSTORM Targets U.S. Tech and Legal Sectors with Stealthy Espionage

Oct 3, 2025 3:29:53 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, credential theft, SonicWall VPN, Ransomware Campaign, Akira Ransomware, CVE-2024-40766, SSL VPN, multi-factor authentication

0 Comments

Verticals Targeted: Legal Services, Software, Business Services, Technology
Regions Targeted: US
Related Families: BRICKSTEAL, SLAYSTYLE 

Executive Summary

The BRICKSTORM backdoor, attributed to the suspected China-nexus threat cluster UNC5221, has been actively targeting U.S. organizations in the legal, SaaS, BPO, and technology sectors since March 2025, enabling prolonged espionage with an average dwell time of 393 days. This sophisticated malware leverages zero-day exploits and stealthy techniques to maintain persistent access, evade detection, and steal sensitive data, posing significant risks to critical infrastructure.

Read More

Nimbus Manticore’s Evolving Cyberespionage Campaign

Sep 29, 2025 2:53:45 PM / by The Hivemind posted in Threat Bulletin, Telecommunications, Spear Phishing, malware obfuscation, DLL sideloading, Iranian APT, Nimbus Manticore, MiniJunk, MiniBrowse, defense manufacturing

0 Comments

Verticals Targeted: Defense Manufacturing, Telecommunications, Aerospace
Regions Targeted: Western Europe, Middle East
Related Families: MiniJunk, MiniBrowse

Executive Summary

Nimbus Manticore, an Iranian APT group, has intensified its cyberespionage campaign targeting defense, telecommunications, and aerospace sectors in Western Europe and the Middle East, deploying advanced malware such as MiniJunk and MiniBrowse via sophisticated spear-phishing and DLL sideloading techniques. The group’s focus on stealth, obfuscation, and resilient infrastructure underscores its alignment with IRGC strategic priorities.

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts