Verticals Targeted: Financial
Regions Targeted: Hong Kong, United Arab Emirates, Lebanon, Malaysia, Jordan
Related Families: AsyncRAT, AwesomePuppet, Gh0st RAT
Recent Posts
GodRAT
Aug 25, 2025 2:36:30 PM / by The Hivemind posted in Threat Bulletin, AsyncRAT, Gh0st RAT, password stealer, shellcode injector, GodRAT, Remote Access Trojan, financial malware, steganography, FileManager plugin
GodRAT is a RAT derived from the Gh0st RAT codebase. It was observed targeting financial institutions via malicious .scr and .pif files distributed through Skype. Leveraging steganography and additional plugins like FileManager, GodRAT facilitates credential theft and system exploration.
PS1Bot Malware Framework
Aug 22, 2025 1:48:23 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Evolving Threat, PS1Bot, malware campaign, information stealer, C# malware, malvertising, cryptocurrency wallet theft, keylogger, in-memory execution, persistence module
Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: AHK Bot, Skitnet/Bossnet
Charon Ransomware Targets Middle East
Aug 18, 2025 1:56:06 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Charon ransomware, Earth Baxia, APT techniques, process injection, anti-EDR, DLL sideloading, Middle East cyber attacks, public sector malware, aviation industry threats, ransomware defense
Verticals Targeted: Public Sector, Aviation
Regions Targeted: Middle East
Related Families: None
Executive Summary
Charon is a new ransomware family employing advanced APT-style techniques, targeting Middle Eastern public sector and aviation organizations with tailored ransom demands. Its sophisticated attack chain, including DLL sideloading and process injection, underscores the growing convergence of ransomware and APT tactics.
Plague Linux Backdoor
Aug 15, 2025 11:28:22 AM / by The Hivemind posted in Threat Hunting, Threat Bulletin, PAM malware, stealthy authentication bypass, Linux backdoor, XOR obfuscation, SSH persistence, Linux security
Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None
Executive Summary
Researchers have uncovered Plague, a previously undetected Linux backdoor implemented as a malicious Pluggable Authentication Module (PAM) that enables persistent SSH access and authentication bypass. The implant's layered obfuscation and environment tampering allow it to evade detection and persist across system updates while leaving minimal forensic traces.
Gunra Ransomware
Aug 11, 2025 2:41:54 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Evolving Threat, Data Exfiltration, Gunra Ransomware, Linux Ransomware Variant, Multi-Thread Encryption, Partial Encryption, Cross-Platform Ransomware, Conti-Inspired, Ransomware Analysis, Gunra Group, Enterprise Targeting
Verticals Targeted: Government, Healthcare, Manufacturing, Transportation, Law and Consulting, IT, Agriculture
Regions Targeted: Brazil, Japan, Canada, Turkey, South Korea, Taiwan, United States
Related Families: Conti
Executive Summary
Gunra ransomware has debuted a Linux variant that boosts encryption speed and flexibility, signaling a shift toward broader cross-platform attacks following its initial Windows campaigns.
CastleLoader
Aug 8, 2025 11:51:37 AM / by The Hivemind posted in Threat Bulletin, Phishing, Redline, Emerging Threat, PowerShell, StealC, ClickFix, CastleLoader, GitHub, DeerStealer, malware loader, NetSupport RAT
Verticals Targeted: Government
Regions Targeted: US
Related Families: StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, SectopRAT
Executive Summary
CastleLoader, a versatile malware loader, has infected 469 devices since May 2025, leveraging Cloudflare-themed ClickFix phishing and fake GitHub repositories to deliver information stealers and RATs. Its sophisticated attack chain, high infection rate, and modular design make it a significant threat to organizations, particularly U.S. government entities.
Active Exploitation of "ToolShell" Vulnerabilities Targets Microsoft SharePoint Servers
Aug 4, 2025 2:55:02 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, SharePoint vulnerabilities, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, Chinese nation-state actors, web shell deployment, Linen Typhoon, Violet Typhoon, Storm-2603, on-premises exploitation, MachineKey theft, ToolShell
Verticals Targeted: Government, Defense, NGOs, Think Tanks, Education, Media, Financial, Healthcare
Regions Targeted: US, Europe, East Asia, Africa
Related Families: Warlock, LockBit
Executive Summary
Microsoft has disclosed active exploitation of critical vulnerabilities in on-premises SharePoint servers by Chinese threat actors, urging immediate patching and additional mitigations to prevent unauthorized access and data theft.
Static Kitten Observed Using DCHSpy Android Malware
Aug 1, 2025 1:17:27 PM / by The Hivemind posted in Threat Bulletin, Static Kitten, Spyware, Data Exfiltration, Mobile Security, DCHSpy, Android surveillanceware, Starlink spoofing, Iranian malware, Middle East cyber threats, VPN phishing
Verticals Targeted: None specified
Regions Targeted: Iran, Middle East
Related Families: None specified