Pierluigi Paganini
May 24, 2026
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter Popular node-ipc npm Package Infected with Credential Stealer New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here Active Supply Chain Attack Compromises @antv Packages on npm actions-cool/issues-helper GitHub Action Compromised: All Tags Point to […]
Pierluigi Paganini
May 23, 2026
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads. The Belarus-nexus APT group Ghostwriter (also tracked as UAC-0057 and UNC1151) has resurfaced with a new phishing campaign targeting Ukrainian government organizations. This time the lure is Prometheus, a legitimate Ukrainian online learning platform that many government employees actually use. Using […]
Pierluigi Paganini
May 22, 2026
Canadian authorities arrested a 23-year-old Ottawa man accused of running the Kimwolf DDoS botnet. The US is now seeking extradition. US authorities have charged 23-year-old Jacob Butler (aka “Dort”), an Ottawa resident, for allegedly operating the recently disrupted Kimwolf botnet. Authorities arrested the suspect in Canada, he could face up to 10 years in prison […]
Pierluigi Paganini
May 22, 2026
Hunt.io mapped 1,350+ C2 servers across the Middle East, revealing how a small group of providers quietly supports major malware activity. For years, threat intelligence focused mostly on malware families, phishing domains, and individual indicators. But a new report from Hunt.io shows why defenders may need to pay closer attention to something more boring, hosting […]
Pierluigi Paganini
May 19, 2026
Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) that allowed attackers to sign malware with fake trusted certificates. Microsoft said it disrupted a cybercrime operation run by a threat actor named Fox Tempest, which helped threat actors sign malware with short-lived certificates to make malicious software appear legitimate. The service abused Microsoft Artifact Signing and supported […]
Pierluigi Paganini
May 19, 2026
Shai-Hulud worm copycats are already attacking NPM developers after its source code leaked, enabling fast supply chain exploitation. The first copycats of the Shai-Hulud worm have already started showing up online, only a few days after the malware’s source code was dumped on GitHub. Researchers had warned this would happen almost immediately, and they were […]
Pierluigi Paganini
May 17, 2026
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter JDownloader site hacked to replace installers with Python RAT malware New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment Operation […]
Pierluigi Paganini
May 17, 2026
Attackers are exploiting a critical flaw in the WordPress Funnel Builder plugin to inject skimming code into WooCommerce checkout pages. A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, according to Sansec researchers. Funnel Builder by FunnelKit is a checkout and upsell plugin […]
Pierluigi Paganini
May 16, 2026
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems. Microsoft researchers say the malware allows attackers to maintain long-term control while making detection […]
Pierluigi Paganini
May 14, 2026
Chinese-linked FamousSparrow repeatedly targeted an Azerbaijani oil and gas company, reusing the same entry point in three intrusions from Dec 2025 to Feb 2026. Chinese-linked threat actor FamousSparrow has conducted a sustained intrusion campaign against an Azerbaijani oil and gas company, returning to the same compromised entry point three separate times between late December 2025 […]
