theinfosecnews
CISA KEV: CVE-2026-3502, CVE-2026-5281, CVE-2026-3055, CVE-2025-53521, CVE-2026-33634
malware

REF1695: Fake Installers Deliver RATs and Cryptominers in CPA Fraud Operation Active Since November 2023

REF1695 is a financially motivated campaign tracked by Elastic Security Labs that has deployed RATs and cryptocurrency miners via fake software installers since November 2023. The operation monetizes infections through both passive cryptomining and CPA fraud, redirecting victims to content locker pages disguised as software registration flows. Windows endpoints are the confirmed target, and Elastic has released EQL detection rules to support identification and response.

The Hacker News·1d ago·3 min read
malware

NoVoice Android Malware Exploits Known Vulnerabilities to Gain Root Access, Found in 50+ Google Play Apps

NoVoice is a newly discovered Android malware exploiting known privilege escalation vulnerabilities to gain root access. Distributed through over 50 malicious apps on Google Play with 2.3 million downloads, it collects user data and communicates with encrypted C2 servers. Detection requires monitoring root-level activity and network anomalies, while removal demands a factory reset and patching affected devices.

BleepingComputer·2d ago·2 min read
malware

Automated Service Enables Persistent Information-Stealing Social Engineering Attacks

A new cybercrime service automates persistent social engineering attacks aimed at stealing sensitive information. Targeting primarily Windows and mobile platforms, the service uses phishing techniques combined with encrypted exfiltration and adaptive persistence. Detection relies on monitoring phishing indicators and network anomalies, while removal requires credential resets and endpoint remediation.

Dark Reading·2d ago·2 min read
malware

Horabot Dropper Delivers Casbaneiro Banking Trojan to Latin American and European Targets in Brazilian eCrime Campaign

The Horabot dropper, attributed to Brazilian cybercrime group Augmented Marauder (also tracked as Water Saci by Trend Micro), delivers the Casbaneiro banking trojan to Spanish-speaking users across Latin America and Europe via targeted phishing campaigns. Casbaneiro performs credential harvesting through overlay attacks, clipboard hijacking, and keylogging, and abuses compromised Outlook accounts to self-propagate. SOC teams should implement scheduled task creation detections, block newly registered TLD outbound connections, and immediately rotate credentials on any confirmed infected host.

The Hacker News·2d ago·3 min read
malware

AtlasCross RAT Targets Chinese-Speaking Users via Typosquatted Software Domains

AtlasCross is a newly identified RAT targeting Chinese-speaking users through typosquatted domains impersonating VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce platforms. The malware runs on Windows and macOS, establishes persistence via scheduled tasks and LaunchAgents, and exfiltrates credentials, session cookies, SSH keys, and cryptocurrency wallet data over encrypted C2 channels. SOC teams should monitor for domain-age anomalies, staging behavior in AppData directories, and clipboard access on hosts with crypto software installed.

The Hacker News·3d ago·4 min read
malware

AtlasCross RAT Targets Chinese-Speaking Users via Typosquatted Software Domains

AtlasCross is an undocumented Windows RAT distributed through typosquatted domains impersonating VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications targeting Chinese-speaking users. The malware establishes registry-based persistence, harvests credentials and clipboard content, and maintains encrypted C2 communication. Detection relies on registry and network telemetry; affected hosts should be isolated, credentials rotated, and endpoints reimaged.

The Hacker News·3d ago·4 min read
malware

Axios npm Package Compromised: Supply Chain Attack Drops Cross-Platform Trojan via Fake Dependency

Axios npm versions 1.14.1 and 0.30.4 were tampered with to inject the malicious package plain-crypto-js 4.2.1, delivering a cross-platform trojan affecting Windows, macOS, and Linux. The malware targets developer credentials, cloud tokens, and SSH keys stored on infected hosts and establishes persistence via OS-native mechanisms. Organizations should audit installed Axios versions, remove plain-crypto-js, rotate all secrets from exposed environments, and rebuild affected CI/CD runners from clean images.

The Hacker News·3d ago·3 min read
malware

AI-Generated Junk Code Used to Obfuscate Malware Logic, Evade Static Analysis

Researchers identified a malware campaign using large volumes of AI-generated junk code to inflate binary size and evade static analysis, obscuring credential-harvesting and C2 functionality targeting Windows endpoints. The technique leverages LLM output to produce syntactically valid but functionally inert code at scale, degrading signature-based detection without requiring manual obfuscation expertise. SOC teams should prioritize behavioral detection, ASR rule enforcement, and full credential rotation on affected systems.

Dark Reading·4d ago·3 min read
malware

DeepLoad Malware Loader Uses ClickFix Delivery and AI-Assisted Obfuscation to Steal Credentials Before Detection

DeepLoad is a new malware loader delivered via the ClickFix social engineering tactic, identified by ReliaQuest researchers. It uses likely AI-assisted obfuscation and process injection to evade static detection, and begins stealing credentials and session tokens immediately upon execution, before the primary loader can be blocked. Windows endpoints without PowerShell restrictions or application control policies are the primary targets.

The Hacker News·4d ago·4 min read
malware

AI-Assisted Campaign Distributes Over 300 Poisoned Packages Targeting Developer Tools and Game Cheats

The PoisonPackage malware family is distributed via an AI-assisted campaign spreading over 300 poisoned packages targeting developer tools and game cheats. The malware persists through startup modifications, exfiltrates sensitive data, and communicates with encrypted C2 servers on Windows and Linux platforms. Detection and removal require auditing package installations, blocking C2 communications, and leveraging updated security signatures from vendors like CrowdStrike.

Dark Reading·10d ago·2 min read
malware

TeamPCP Deploys CanisterWorm Wiper Targeting Iranian Cloud Systems via Supply Chain Attack

TeamPCP, a financially motivated cybercrime group, has launched a supply chain attack delivering the CanisterWorm wiper targeting cloud systems configured for Iran. Leveraging exposed Docker, Kubernetes, and Redis services, the worm destroys data on infected nodes and steals credentials for extortion. Detection involves monitoring cloud control plane exploits and malicious Trivy versions, with removal focusing on credential rotation and securing cloud environments.

Krebs on Security·11d ago·3 min read