Trend Micro Research : Research

From Langflow to Monero: Inside CVE-2026-33017 Cryptominer

2026-06-23 at 17:26. We tracked a cryptocurrency-mining campaign exploiting CVE-2026-33017, which revealed how threat actors are now scanning exposed AI application infrastructure for their next foothold. This article is an excerpt from Trend Micro Research, News and Perspectives.

Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

2026-06-18 at 05:51. Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai’s own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware.

Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

2026-06-08 at 20:33. Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exploited entry point open long after the fix ships.

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

2026-05-26 at 17:32. TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer

Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

2026-05-23 at 06:34. Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections.

One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign

2026-05-21 at 13:14. A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences.

Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

2026-05-14 at 03:45. Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale.

Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

2026-05-12 at 09:28. TrendAI™ Research has identified two emerging threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we have observed of AI agents executing

InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

2026-05-06 at 01:31. Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&C servers for additional payloads.

Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities

2026-05-05 at 02:51. TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a

Kuse Web App Abused to Host Phishing Document

2026-04-29 at 17:47. Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users’ trust in Kuse to carry out a phishing attack.

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

2026-04-21 at 12:56. Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a

Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

2026-04-07 at 20:32. Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk.

Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

2026-04-03 at 17:52. A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks.

TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

2026-03-30 at 18:52. Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV-based payloads to steal credentials across Linux, macOS, and Windows.

Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

2026-03-26 at 06:26. This blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and analyzed.

Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries

2026-03-20 at 10:22. We look into a stealthy multi-stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques.

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

2026-03-18 at 12:35. Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

2026-03-16 at 15:10. Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.

New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages

2026-03-05 at 17:11. The BoryptGrab campaign uses fake SEO-optimized GitHub repositories and deceptive download pages to distribute a data-stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users.
