The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

The Hivemind

Find me on:

Recent Posts

CastleLoader

Aug 8, 2025 11:51:37 AM / by The Hivemind posted in Threat Bulletin, Phishing, Redline, Emerging Threat, PowerShell, StealC, ClickFix, CastleLoader, GitHub, DeerStealer, malware loader, NetSupport RAT

0 Comments

Verticals Targeted: Government
Regions Targeted: US
Related Families: StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, SectopRAT

Executive Summary

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025, leveraging Cloudflare-themed ClickFix phishing and fake GitHub repositories to deliver information stealers and RATs. Its sophisticated attack chain, high infection rate, and modular design make it a significant threat to organizations, particularly U.S. government entities.

Read More

Active Exploitation of "ToolShell" Vulnerabilities Targets Microsoft SharePoint Servers

Aug 4, 2025 2:55:02 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, SharePoint vulnerabilities, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, Chinese nation-state actors, web shell deployment, Linen Typhoon, Violet Typhoon, Storm-2603, on-premises exploitation, MachineKey theft, ToolShell

0 Comments

Verticals Targeted: Government, Defense, NGOs, Think Tanks, Education, Media, Financial, Healthcare
Regions Targeted: US, Europe, East Asia, Africa 
Related Families: Warlock, LockBit

Executive Summary

Microsoft has disclosed active exploitation of critical vulnerabilities in on-premises SharePoint servers by Chinese threat actors, urging immediate patching and additional mitigations to prevent unauthorized access and data theft.

Read More

Static Kitten Observed Using DCHSpy Android Malware

Aug 1, 2025 1:17:27 PM / by The Hivemind posted in Threat Bulletin, Static Kitten, Spyware, Data Exfiltration, Mobile Security, DCHSpy, Android surveillanceware, Starlink spoofing, Iranian malware, Middle East cyber threats, VPN phishing

0 Comments

Verticals Targeted: None specified
Regions Targeted: Iran, Middle East
Related Families: None specified

Executive Summary

DCHSpy is an Android surveillanceware linked to Iran’s Static Kitten group, targeting Iranian users with fake VPN and Starlink apps to steal sensitive data amid regional conflict. This malware, active since October 2023, exploits social engineering to access WhatsApp, location data, and personal files.

Read More

Konfety Android Malware

Jul 28, 2025 3:08:29 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Konfety malware, Android evasion techniques, ad fraud operations, secondary DEX files, runtime injection, mobile security analysis, hidden APK components, mobile threat evolution, dynamic code loading, malware obfuscation

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: Campaigns abusing the CaramelAds SDK

Executive Summary

Konfety, a longstanding mobile malware, has resurfaced with enhanced evasion capabilities, including dynamic code loading and multi-layered obfuscation, to facilitate ad fraud while evading detection on Android devices. This evolution underscores the persistent challenge of concealed malicious logic in mobile applications, demanding advanced scrutiny from security teams.

Read More

Atomic Stealer Evolves

Jul 25, 2025 2:47:25 PM / by The Hivemind posted in Threat Bulletin, Malware-As-A-Service, Evolving Threat, Spear Phishing, Cryptocurrency Theft, macOS security, Atomic macOS Stealer, AMOS malware, macOS backdoor, persistent access, Moonlock cybersecurity

0 Comments

Verticals Targeted: Cryptocurrency, Freelancers, Artists
Regions Targeted: United States, France, Italy, United Kingdom, Canada, others
Related Families: None

Read More

New MacOS.ZuRu Variant Discovered

Jul 22, 2025 3:05:50 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Malware Analysis, Cybersecurity Threat, MacOS malware, ZuRu malware, Termius trojan, macOS security, backdoor threat, SSH client attack, Khepri C2, developer security

0 Comments

Verticals Targeted: IT, software development  
Regions Targeted: None specified
Related Families: None

Executive Summary

A new variant of the macOS.ZuRu malware, first identified in 2021, was discovered, leveraging a trojanized Termius application to deploy a modified Khepri C2 beacon, targeting developers and IT professionals. This sophisticated backdoor employs advanced techniques to evade detection and establish persistent remote access.

Read More

Anatsa Android Banking Trojan Targets US Banks

Jul 18, 2025 2:08:41 PM / by The Hivemind posted in Threat Bulletin, Banker, Banking Trojan, Anatsa, Android Malware, overlay attacks, Google Play Store, credential theft, North America, financial fraud, device takeover, mobile banking

0 Comments

Verticals Targeted: Financial
Regions Targeted: US, Canada
Related Families: None

Read More

NimDoor MacOS Malware

Jul 14, 2025 2:34:09 PM / by The Hivemind posted in Threat Bulletin, North Korea, Stealer, Infostealer, Cryptocurrency, social engineering, Stardust Chollima, NimDoor, AppleScript, MacOS malware, Web3, Nim, Zoom phishing

0 Comments

Verticals Targeted: Cryptocurrency
Regions Targeted: Not Specified
Related Families: None

Executive Summary

NimDoor is a sophisticated MacOS malware deployed by North Korea-linked threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. Utilizing Nim and C++ binaries, AppleScript, and social engineering via fake Zoom updates, NimDoor employs process injection, WebSocket communications, and signal-based persistence to steal sensitive data.

Read More
All posts

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More