The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

The Hivemind

Find me on:

Recent Posts

APT24’s BadAudio

Dec 5, 2025 2:11:03 PM / by The Hivemind posted in Threat Bulletin, Phishing Campaigns, Pitty Panda, BadAudio, PRC cyber espionage, APT24, supply chain compromise, strategic web compromise, Cobalt Strike Beacon

0 Comments

Verticals Targeted: Digital Marketing, Industrial Sectors, Recreational Goods, Animal Rescue Organizations
Regions Targeted: Taiwan
Related Families: Cobalt Strike

Read More

DigitStealer MacOS Infostealer

Dec 1, 2025 1:47:01 PM / by The Hivemind posted in Threat Bulletin, cryptocurrency stealers, DigitStealer, Ledger Live tampering, macOS security bypass, LaunchAgent persistence, anti-VM checks, macOS infostealer, JXA malware, Apple Silicon evasion

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None

Executive Summary

DigitStealer is a highly evasive macOS information stealer that executes almost entirely in memory, leverages JavaScript for Automation (JXA) and AppleScript, and employs novel hardware-based anti-analysis checks targeting Apple Silicon M2 and newer devices. The campaign demonstrates increasing adversary sophistication through multi-stage payload delivery and abuse of legitimate infrastructure.

Read More

Lazarus Group's ScoringMathTea RAT

Nov 24, 2025 1:55:16 PM / by The Hivemind posted in Threat Bulletin, Reflective DLL Injection, Gotta Fly campaign, Lazarus APT, ScoringMathTea, Operation DreamJob, North Korea Cyberespionage, API Hashing, TEA encryption

0 Comments

Verticals Targeted: Aerospace, Defense
Regions Targeted: Entities providing UAV technology to Ukraine  
Related Families: None

Read More

Kraken Ransomware

Nov 21, 2025 1:56:50 PM / by The Hivemind posted in Threat Bulletin, Cross-Platform Ransomware, double extortion, HelloKitty successor, Cloudflared persistence, Kraken ransomware, ESXi ransomware, ChaCha20 encryption, SMB exploitation

0 Comments

Verticals Targeted: None specified
Regions Targeted: United States, United Kingdom, Canada, Denmark, Panama, Kuwait
Related Families: HelloKitty

Read More

Landfall Android Spyware

Nov 17, 2025 12:33:16 PM / by The Hivemind posted in Threat Bulletin, Android Malware, DNG exploit, Landfall spyware, CVE-2025-21042, Samsung zero-day, mobile espionage, SELinux manipulation

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Middle East
Related Families: None

Executive Summary

A novel Android spyware family, dubbed Landfall, leveraged a zero-day vulnerability in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, enabled extensive surveillance capabilities and remained undetected until historical samples were analyzed post-patch.

Read More

Rise of the AI-Enabled Malware

Nov 10, 2025 1:41:22 PM / by The Hivemind posted in Threat Bulletin, Data Exfiltration, AI-enabled malware, LLM misuse, FRUITSHELL, PROMPTFLUX, PROMPTLOCK, dynamic obfuscation, state-sponsored AI, PROMPTSTEAL, QUIETVAULT, APT28, Gemini API abuse

0 Comments

Verticals Targeted: None Specified
Regions Targeted: Ukraine
Related Families: FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, QUIETVAULT

Executive Summary

Industry researchers have noted the emergence of AI-integrated malware that queries large language models during runtime to generate code, obfuscate payloads, and adapt behaviors. This evolution extends beyond productivity aids, enabling nation state actors and cybercriminals to enhance intrusion chains with dynamic capabilities. Associated malware includes FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, and QUIETVAULT.

Read More

Airstalk Used in Supply Chain Attacks

Nov 7, 2025 12:58:20 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Airstalk Malware, Browser Exfiltration, AirWatch API, MDM Abuse, Nation-State Actor, .NET Malware, CL-STA-1009

0 Comments

Verticals Targeted: Business Process Outsourcing (BPO)
Regions Targeted: Not Specified
Related Families: None

Executive Summary

Airstalk is a new Windows malware family deployed by a suspected nation-state actor in supply chain attacks, leveraging AirWatch API for covert C2 to exfiltrate browser data. Available in PowerShell and .NET variants, the malware highlights evolving threats to third-party vendors.

Read More

MuddyWater Targets MENA Governments With Phoenix Backdoor

Nov 3, 2025 2:09:14 PM / by The Hivemind posted in Threat Bulletin, MuddyWater, Phishing Campaign, credential stealers, cyber espionage, Middle East targeting, VBA macros, FakeUpdate injector, Iran APT, Phoenix Backdoor, RMM tools

0 Comments

Verticals Targeted: Government
Regions Targeted: Middle East, North Africa
Related Families: Phoenix, FakeUpdate

Executive Summary

A sophisticated phishing operation has been attributed to the Iran-linked APT MuddyWater, deploying an updated Phoenix backdoor to conduct espionage against government and international entities. The campaign leverages compromised mailboxes and macro-enabled Word documents to deliver custom injectors and persistence mechanisms, highlighting the group's reliance on trusted channels for initial access.

Read More
All posts

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More