PowerShell
-
Malicious Rust crate ‘evm‑units’ delivered cross‑platform payloads and targeted Web3 developers
A malicious Rust crate named evm‑units masqueraded as an Ethereum helper and delivered platform‑specific payloads to Windows, macOS and Linux machines. Published by a crates.io user called ablerust and included as a dependency of uniswap‑utils, the package fetched and executed scripts or PowerShell based on the host OS and the presence of Qihoo 360 antivirus,…
-
Malicious Blender .blend files used to deliver StealC V2, researchers say
Researchers at Morphisec say a campaign has used malicious Blender .blend files uploaded to free 3D asset sites to execute embedded Python scripts and deliver the StealC V2 information stealer and a secondary Python stealer; the attack runs when Blender’s Auto Run option is enabled.
-
Kaspersky flags expanding ‘Tsundere’ botnet that uses Ethereum to host C2 details
Kaspersky researchers have identified an expanding Windows-targeting botnet called Tsundere that deploys a Node.js-based payload via MSI or PowerShell, retrieves C2 details from the Ethereum blockchain and offers a control panel and marketplace for operators; attribution remains unclear.
-
Researchers detail use of Tuoni C2 in attack on U.S. real-estate firm
Researchers said attackers used the Tuoni C2 framework in a mid-October 2025 intrusion attempt against a U.S. real-estate firm, employing social engineering, PowerShell downloaders, BMP steganography and in-memory execution; the campaign was detected and blocked.
-
Israel agency says Iran-linked APT42 ran espionage campaign targeting officials and family members
Israel’s National Digital Agency says an Iran-linked threat actor known as APT42 has been running a campaign called SpearSpecter since early September 2025 that uses personalised social engineering to target senior officials and their family members and deploys a PowerShell backdoor for persistent access.
-
Researchers link WhatsApp-propagated Maverick malware to Brazilian banking trojans
Researchers say Maverick, a WhatsApp-propagated malware, shares code and tactics with the Brazilian banking trojan Coyote and is being spread via automated WhatsApp Web sessions, with analysts noting ties to a group called Water Saci.
-
Researchers: Russian-linked group used Hyper-V to hide Alpine VM and bypass endpoint security
Bitdefender and Georgia CERT say Curly COMrades abused Hyper-V to run a hidden Alpine VM hosting custom implants CurlyShell and CurlCat, bypassing endpoint security and using host networking to mask malicious traffic; researchers published IoCs on GitHub.
-
Google links three new ‘ROBOT’ malware families to Russia-linked COLDRIVER
Google’s Threat Intelligence Group linked three new malware families — NOROBOT, YESROBOT and MAYBEROBOT — to the Russia-linked COLDRIVER group, describing a ClickFix-style delivery chain and ongoing rapid development aimed at evading detection. Dutch prosecutors also said three youths are suspected of providing services to a foreign government and one had contact with a Russia-affiliated…
-
New FileFix Variant Uses Cache Smuggling to Evade Security, Researchers Say
A new FileFix phishing variant uses cache smuggling to store a malicious ZIP in browser cache and run it via a hidden PowerShell command, letting it evade many security products, researchers said.
-
Trend Micro: SORVEPOTEL self‑propagating malware spreads via WhatsApp, hits Brazil hard
Trend Micro researchers said a self‑propagating malware campaign called SORVEPOTEL is spreading via WhatsApp and email to Windows desktops, concentrating in Brazil; it propagates through malicious ZIP attachments and PowerShell, aims for rapid spread rather than data theft, and has led to mass spam and account suspensions.
