WebRAT Malware Spread via Fake Vulnerability Exploits on GitHub
The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed vulnerabilities. Previously spread via pirated software and game cheats, WebRAT is a backdoor with information-stealing capabilities, including credential theft for messaging platforms and cryptocurrency wallets, webcam spying, and screenshot capture.
Source: BleepingComputer
Operation PCPcat: Hunting a Next.js Credential Stealer That’s Already Compromised 59K Servers
Researchers monitoring a Docker honeypot uncovered a large-scale attack campaign exploiting vulnerabilities in Next.js and React to achieve remote code execution, credential theft, and persistent command-and-control access. The campaign, attributed to a group identifying as “PCP,” has already compromised over 59,000 servers in less than 48 hours, demonstrating industrial-scale exploitation and data exfiltration.
Source: Beelzebub AI
APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
A targeted malware campaign attributed to APT36 uses social engineering and malicious shortcut files disguised as government advisory PDFs. The attack chain delivers a hidden MSI payload that deploys a .NET loader, malicious DLLs, and registry-based persistence while displaying a decoy document to evade detection and maintain long-term access.
Source: CYFIRMA
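The chain above hinges on a shortcut file that looks like a PDF but launches an installer. As an added example (not CYFIRMA's tooling and not code from the page), the Python below parses the MS-SHLLINK header and StringData of a .lnk file and flags the traits a triage analyst would look for: a double extension mimicking a document, a target that is a system tool such as msiexec, a minimized window, and an icon borrowed from a different program than the one launched. The two sample shortcuts are constructed inline so the script runs offline; their paths, arguments and the triage heuristics are hypothetical and are not indicators from the APT36 campaign.

```python
"""Triage Windows shortcut (.lnk) files: parse the MS-SHLLINK header and
StringData, then flag traits of document-themed LNK droppers.
The samples and heuristics below are constructed for illustration only."""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize, IconIndex,
# ShowCommand, HotKey, Reserved1, Reserved2, Reserved3  (76 bytes total)
HEADER_FMT = "<I16sIIQQQIIIHHII"

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimized and inactive
# Living-off-the-land binaries commonly launched from shortcut droppers (hypothetical list)
LOLBINS = ("msiexec", "powershell", "cmd.exe", "mshta", "rundll32",
           "regsvr32", "wscript", "cscript")


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Assemble a minimal Unicode shell link carrying only StringData
    (no LinkTargetIDList, no LinkInfo). Used here to construct samples."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


def parse_lnk(data):
    """Return the LinkFlags, ShowCommand and every StringData string present."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != HEADER_SIZE or fields[1] != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    flags, show_command = fields[2], fields[9]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize excludes its own 2 bytes
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes its own 4 bytes
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    link = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        link[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return link


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(filename, link):
    """Apply the (hypothetical) dropper heuristics to a parsed shortcut."""
    findings = []
    name = filename.lower()
    if name.endswith(".lnk") and ".pdf" in name[:-4]:
        findings.append("filename mimics a PDF document")
    target = link.get("relative_path", "")
    cmdline = (target + " " + link.get("arguments", "")).lower()
    for tool in LOLBINS:
        if tool in cmdline:
            findings.append(f"launches {tool}")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("target starts minimized (ShowCommand=7)")
    icon = link.get("icon_location", "")
    if target and icon and _basename(target) != _basename(icon):
        findings.append(f"icon borrowed from {_basename(icon)} but target is {_basename(target)}")
    return findings


# Constructed samples (hypothetical paths; not artifacts from any real campaign)
SAMPLES = {
    "Advisory_2026.pdf.lnk": build_lnk(
        r"..\..\..\Windows\System32\msiexec.exe",
        r"/i %TEMP%\update.msi /qn",      # hypothetical silent MSI install
        r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        show_command=SW_SHOWMINNOACTIVE),
    "Notes.lnk": build_lnk(
        r"..\..\..\Windows\notepad.exe", "", r"%SystemRoot%\notepad.exe"),
}


def scan(filename, data):
    return triage(filename, parse_lnk(data))


def scan_samples():
    return {name: scan(name, blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["no suspicious traits"])
```

To run it against real shortcuts, feed `scan(path.name, path.read_bytes())` the file contents; the parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than trusting them, since the StringData fields are what the loader actually executes and are the cheapest place to spot a hidden installer launch.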
UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
SEQRITE Labs has been tracking a persistent threat cluster, UNG0801, primarily targeting Israeli organizations through phishing campaigns written in Hebrew. The attackers heavily rely on antivirus icon spoofing, abusing trusted security vendor branding in malicious documents to increase user trust and drive follow-on compromise.
Source: Seqrite
Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Researchers identified an APT37 campaign dubbed “Artemis” that embeds malicious OLE objects inside HWP documents. The multi-stage attack leverages masquerading techniques and DLL side-loading within legitimate processes to evade signature-based detection and execute malicious payloads.
Source: Genians
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC