PowerShell
-
Threat actors abuse patched FortiClient EMS flaw to push credential stealer
Threat actors are exploiting a patched FortiClient EMS flaw to push a credential stealer disguised as a Fortinet update, according to a technical analysis from Arctic Wolf. The campaign affects managed endpoints and can expose browser data, cookies and saved credentials.
-
MuddyWater campaign hit at least nine organizations across four continents, researchers say
MuddyWater was linked to a 2026 campaign that hit at least nine organizations in nine countries. Researchers said the group used DLL side loading, signed binaries and browser-stealing malware to support espionage.
-
Australia warns of ClickFix attacks spreading Vidar Stealer malware
Australia’s cyber security agency warned of a ClickFix campaign using compromised WordPress sites to push Vidar Stealer. The advisory recommends restricting PowerShell, using allow-listing and updating WordPress plugins and themes.
-
DPRK-linked hackers use GitHub as command hub in South Korea attacks
DPRK-linked hackers used GitHub as command and control infrastructure in attacks on South Korean organizations, Fortinet said. The campaigns relied on LNK files, PowerShell, persistence tasks and trusted cloud services to hide activity.
-
Researchers identify suspected AI-assisted Slopoly backdoor used by Hive0163
Researchers identified a suspected AI-generated PowerShell backdoor called Slopoly used by the cybercrime group Hive0163 in early 2026. The backdoor established persistence and beaconed to a command server while analysts examined code patterns.
-
ClickFix campaign uses compromised sites to deliver new MIMICRAT remote access trojan
A ClickFix campaign abused compromised legitimate sites to install MIMICRAT, a previously undocumented C++ remote access trojan. The multi-stage PowerShell chain drops a Lua loader, and the RAT supports 22 commands.
-
DEAD#VAX campaign mounts IPFS VHDs to deliver in-memory AsyncRAT
Researchers disclosed DEAD#VAX, a campaign that uses IPFS-hosted VHD files to mount virtual drives and deploy AsyncRAT as encrypted shellcode run in memory, avoiding disk-based artifacts and complicating detection.
-
Threat actors exploit Metro4Shell RCE in React Native CLI
Threat actors exploited a critical Metro Development Server RCE in the @react-native-community/cli package starting December 21, 2025, tracked as CVE-2025-11953 with a CVSS score of 9.8.
-
New SHADOW#REACTOR campaign uses text-only stagers and MSBuild to deploy Remcos RAT
A technical report from Securonix details SHADOW#REACTOR, a campaign that stages text-only fragments and in-memory loaders to deliver the Remcos RAT and achieve persistent access, using MSBuild and other legitimate Windows binaries.
-
Kaspersky links new Operation ForumTroll phishing wave to targeted attacks on Russian academics
Kaspersky detected a targeted October 2025 phishing campaign tied to Operation ForumTroll that used eLibrary impersonation and personalized one-time links to deliver a PowerShell chain and the Tuoni remote access framework to academics in Russia; the group's origins remain unknown.