Verticals Targeted: Not specified
Regions Targeted: Russia
Related Families: Previous ClayRAT variants
Recent Posts
A New Variant of ClayRAT Transmutes
Dec 12, 2025 2:03:27 PM / by The Hivemind posted in Threat Bulletin, accessibility service abuse, lockscreen bypass, ClayRAT, Android Spyware, MediaProjection API, screen recording malware
Albiriox Android Malware
Dec 8, 2025 1:43:05 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, on-device fraud, overlay attacks, Android banking trojan, MaaS Malware, Mobile RAT, Android Overlay Attacks, Golden Crypt, Albiriox, Russian-speaking Threat Actors
Verticals Targeted: Financial, Cryptocurrency
Regions Targeted: Austria, Global
Related Families: None
APT24’s BadAudio
Dec 5, 2025 2:11:03 PM / by The Hivemind posted in Threat Bulletin, Phishing Campaigns, Pitty Panda, BadAudio, PRC cyber espionage, APT24, supply chain compromise, strategic web compromise, Cobalt Strike Beacon
Verticals Targeted: Digital Marketing, Industrial Sectors, Recreational Goods, Animal Rescue Organizations
Regions Targeted: Taiwan
Related Families: Cobalt Strike
DigitStealer macOS Infostealer
Dec 1, 2025 1:47:01 PM / by The Hivemind posted in Threat Bulletin, cryptocurrency stealers, DigitStealer, Ledger Live tampering, macOS security bypass, LaunchAgent persistence, anti-VM checks, macOS infostealer, JXA malware, Apple Silicon evasion
Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None
Executive Summary
DigitStealer is a highly evasive macOS information stealer that executes almost entirely in memory, leverages JavaScript for Automation (JXA) and AppleScript, and employs novel hardware-based anti-analysis checks targeting Apple Silicon M2 and newer devices. The campaign demonstrates increasing adversary sophistication through multi-stage payload delivery and abuse of legitimate infrastructure.
Lazarus Group's ScoringMathTea RAT
Nov 24, 2025 1:55:16 PM / by The Hivemind posted in Threat Bulletin, Reflective DLL Injection, Gotta Fly campaign, Lazarus APT, ScoringMathTea, Operation DreamJob, North Korea Cyberespionage, API Hashing, TEA encryption
Verticals Targeted: Aerospace, Defense
Regions Targeted: Entities providing UAV technology to Ukraine
Related Families: None
Kraken Ransomware
Nov 21, 2025 1:56:50 PM / by The Hivemind posted in Threat Bulletin, Cross-Platform Ransomware, double extortion, HelloKitty successor, Cloudflared persistence, Kraken ransomware, ESXi ransomware, ChaCha20 encryption, SMB exploitation
Verticals Targeted: Not specified
Regions Targeted: United States, United Kingdom, Canada, Denmark, Panama, Kuwait
Related Families: HelloKitty
Landfall Android Spyware
Nov 17, 2025 12:33:16 PM / by The Hivemind posted in Threat Bulletin, Android Malware, DNG exploit, Landfall spyware, CVE-2025-21042, Samsung zero-day, mobile espionage, SELinux manipulation
Verticals Targeted: Not specified
Regions Targeted: Middle East
Related Families: None
Executive Summary
A novel Android spyware family, dubbed Landfall, leveraged a zero-day vulnerability in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, enabled extensive surveillance capabilities and remained undetected until historical samples were analyzed post-patch.
Rise of the AI-Enabled Malware
Nov 10, 2025 1:41:22 PM / by The Hivemind posted in Threat Bulletin, Data Exfiltration, AI-enabled malware, LLM misuse, FRUITSHELL, PROMPTFLUX, PROMPTLOCK, dynamic obfuscation, state-sponsored AI, PROMPTSTEAL, QUIETVAULT, APT28, Gemini API abuse
Verticals Targeted: Not specified
Regions Targeted: Ukraine
Related Families: FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, QUIETVAULT