The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Recent Ransomware Threats to the Healthcare Vertical

Sep 8, 2025 1:12:36 PM / by The Hivemind posted in Threat Bulletin, US healthcare cybersecurity, ransomware healthcare 2025, healthcare ransomware attacks, hospital cyber threats, healthcare data breaches, ransomware groups 2025, patient data theft, healthcare operational disruptions

0 Comments

Verticals Targeted: Healthcare
Regions Targeted: US, Europe, Worldwide
Related Families: Multiple

Executive Summary

The healthcare sector in 2025 has endured a persistent wave of ransomware attacks, with threat actors exploiting vulnerabilities to disrupt critical operations and exfiltrate sensitive patient data, underscoring the need for robust defenses against evolving cyber threats.

Read More

PromptLock AI-Powered Ransomware

Sep 5, 2025 2:36:00 PM / by The Hivemind posted in Threat Bulletin, Data Exfiltration, Linux Malware, Windows Malware, file encryption, proof of concept, AI-powered ransomware, PromptLock malware, AI cybersecurity threats, Golang ransomware, Lua scripts, POC

0 Comments

Verticals Targeted: None yet
Regions Targeted: None yet
Related Families: None

Read More

Hook Android Banking Trojan Evolves

Sep 2, 2025 12:52:33 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Android Malware, ransomware overlay, fake NFC overlay, phishing overlay, Accessibility Services abuse, lockscreen bypass, GitHub malware distribution, financial sector threats, Hook banking trojan

0 Comments

Verticals Targeted: Financial, Enterprises
Regions Targeted: Not specified
Related Families: Ermac, Brokewell

Executive Summary

Hook Version 3 is an advanced Android banking trojan with ransomware, phishing, and lockscreen bypass capabilities, posing significant risks to financial institutions and enterprises. Its distribution via phishing websites and GitHub amplifies its reach, necessitating robust mobile threat defenses.

Read More

VShell Linux Backdoor

Aug 29, 2025 12:46:41 PM / by The Hivemind posted in Threat Bulletin, Linux Malware, VShell malware, malicious filename, command injection, XOR encryption, Bash payload, remote access backdoor, fileless malware, Snowlight dropper, Linux server security

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: Snowlight dropper

Executive Summary

VShell is a sophisticated Go-based backdoor targeting Linux systems through a novel infection chain that weaponizes filenames in RAR archives. This malware, linked to Chinese APT groups, exploits common shell scripting practices to execute malicious Bash payloads, delivering a stealthy, memory-resident backdoor capable of remote control, file operations, and network tunneling.

Read More

GodRAT

Aug 25, 2025 2:36:30 PM / by The Hivemind posted in Threat Bulletin, AsyncRAT, Gh0st RAT, password stealer, shellcode injector, GodRAT, Remote Access Trojan, financial malware, steganography, FileManager plugin

0 Comments

Verticals Targeted: Financial
Regions Targeted: Hong Kong, United Arab Emirates, Lebanon, Malaysia, Jordan
Related Families: AsyncRAT, AwesomePuppet, Gh0st RAT

Executive Summary

GodRAT is a RAT derived from the Gh0st RAT codebase. It was observed targeting financial institutions via malicious .scr and .pif files distributed through Skype. Leveraging steganography and additional plugins like FileManager, GodRAT facilitates credential theft and system exploration.

Read More

PS1Bot Malware Framework

Aug 22, 2025 1:48:23 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Evolving Threat, PS1Bot, malware campaign, information stealer, C# malware, malvertising, cryptocurrency wallet theft, keylogger, in-memory execution, persistence module

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: AHK Bot, Skitnet/Bossnet

Read More

Charon Ransomware Targets Middle East

Aug 18, 2025 1:56:06 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Charon ransomware, Earth Baxia, APT techniques, process injection, anti-EDR, DLL sideloading, Middle East cyber attacks, public sector malware, aviation industry threats, ransomware defense

0 Comments

Verticals Targeted: Public Sector, Aviation
Regions Targeted: Middle East
Related Families: None

Executive Summary

Charon is a new ransomware family employing advanced APT-style techniques, targeting Middle Eastern public sector and aviation organizations with tailored ransom demands. Its sophisticated attack chain, including DLL sideloading and process injection, underscores the growing convergence of ransomware and APT tactics.

Read More

Plague Linux Backdoor

Aug 15, 2025 11:28:22 AM / by The Hivemind posted in Threat Hunting, Threat Bulletin, PAM malware, stealthy authentication bypass, Linux backdoor, XOR obfuscation, SSH persistence, Linux security

0 Comments

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None

Executive Summary

Researchers have uncovered Plague, a previously undetected Linux backdoor masquerading as a malicious Pluggable Authentication Module (PAM) to enable persistent SSH access and authentication bypass. This implant's layered obfuscation and environment tampering allow it to evade detection, persisting across system updates with minimal forensic traces.

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts