Virus Bulletin
@virusbtn.bsky.social
490 followers 46 following 660 posts
Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference.
Pinned
virusbtn.bsky.social
We are thrilled to officially announce that VB2026 will take place in the vibrant city of Seville, Spain, from 30 September to 2 October 2026.

More details coming soon on the venue, call for papers, sponsorship opportunities, and how to join us.

Can't wait to see you there!
VB2026 Seville 30 Sept - 2 Oct
virusbtn.bsky.social
In early 2025 Sekoia.io Threat Detection & Research reported PolarEdge exploiting CVE-2023-20118 to gain RCE and drop a web shell on routers. A follow-up blog post provides an in-depth technical analysis of the undocumented TLS-based implant. blog.sekoia.io/polaredge-ba...
virusbtn.bsky.social
Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. www.elastic.co/security-lab...
virusbtn.bsky.social
Cyble Research and Intelligence Labs observes Android campaigns posing as Indian RTO (Regional Transport Office) apps, spreading via WhatsApp and SMS links to GitHub-hosted APKs and compromised sites, then using phishing pages to collect banking credentials and UPI PINs. cyble.com/blog/ghostba...
virusbtn.bsky.social
We put together a short video to capture some of the atmosphere from VB2025. Talks, moments in between, and a few quick interviews with folks who were there.

🎥 Watch our VB2025 highlight reel: www.youtube.com/watch?v=h6Mv...
VB2025 Highlights
YouTube video by Virus Bulletin
www.youtube.com
virusbtn.bsky.social
Red Canary tracks macOS stealers in 2024–2025, noting that Poseidon Stealer was sold and rebranded as Odyssey Stealer, which shares significant code and features with Atomic Stealer (aka AMOS). redcanary.com/blog/threat-...
virusbtn.bsky.social
Seqrite Threat Research reports Spanish-language judicial notification lures targeting Colombian users, using SVG, HTA, VBS and PowerShell stages to download and decode a loader, ending with AsyncRAT injected into a legitimate Windows process. www.seqrite.com/blog/judicia...
virusbtn.bsky.social
Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery, and malware installation, and delivers MonsterV2, which has capabilities of a RAT, stealer, and loader. www.proofpoint.com/us/blog/thre...
virusbtn.bsky.social
The Socket Threat Research Team reports that the Contagious Interview campaign is escalating in 2025, involving 338 malicious npm packages. DPRK actors are using 180+ fake personas with new npm aliases and registration emails to deploy HexEval, XORIndex and encrypted loaders. socket.dev/blog/north-k...
virusbtn.bsky.social
The Sophos Counter Threat Unit is investigating an ongoing WhatsApp worm in Brazil that began on 29 September 2025, tricking users into downloading a ZIP file containing a malicious LNK that runs PowerShell. news.sophos.com/en-us/2025/1...
virusbtn.bsky.social
FortiGuard Labs details a Stealit campaign that shifts from Electron installers to the Node.js Single Executable Application feature while still posing as game and VPN installers. www.fortinet.com/blog/threat-...
virusbtn.bsky.social
McAfee’s Threat Research team uncovers a new Astaroth campaign leveraging GitHub to host malware configurations. Infection starts with a phishing link that downloads a zipped LNK. When executed, it installs Astaroth. www.mcafee.com/blogs/other-...
virusbtn.bsky.social
Hunt.io Threat Research details AdaptixC2, a lightweight open-source C2 with multi-protocol communication, advanced evasion, and BOF-based extensibility, confirming 102 active servers in the wild. hunt.io/blog/adaptix...
virusbtn.bsky.social
Microsoft Threat Intelligence warns that Storm-2657 is actively targeting US-based organizations, especially universities, to access HR SaaS such as Workday via social engineering and weak or missing MFA, then divert salaries to attacker-controlled accounts. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
eSentire Threat Response Unit details ChaosBot, a Rust-based backdoor using Discord for command and control. It was first seen in late September 2025 in a financial services environment, targeting mainly, though not exclusively, Vietnamese speakers. www.esentire.com/blog/new-rus...
virusbtn.bsky.social
Cisco Talos reports that actors linked to Storm-2603 installed an outdated version of Velociraptor, the open-source DFIR tool, enabling privilege escalation and arbitrary command execution, which led to ransomware deployment. blog.talosintelligence.com/velociraptor...
Velociraptor leveraged in ransomware attacks
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool.
blog.talosintelligence.com
virusbtn.bsky.social
Marcus Hutchins (Expel) details a ClickFix-style campaign using cache smuggling to avoid downloads and network requests by pre-staging data in the browser cache. expel.com/blog/cache-s...
virusbtn.bsky.social
Huntress details log poisoning used to plant a China Chopper-style web shell on a web server, enabling actors to use AntSword and then deploy Nezha, an operations and monitoring tool, which was used to install Ghost RAT. www.huntress.com/blog/nezha-c...
virusbtn.bsky.social
Unit 42 uncovers the IUAM ClickFix Generator, a phishing kit that generates custom pages with OS detection and clipboard injection capabilities. Unit 42 confirms at least one campaign where DeerStealer was delivered. unit42.paloaltonetworks.com/clickfix-gen...
virusbtn.bsky.social
FortiGuard Labs analyses Chaos ransomware, which resurfaced in 2025 with a new C++ variant. The analysis provides a walkthrough of its execution flow, encryption, and clipboard hijacking for cryptocurrency, with comparisons to earlier .NET builds. www.fortinet.com/blog/threat-...
virusbtn.bsky.social
CloudSEK's TRIAD Team analyses a Charming Kitten (APT35) leak and documents targeting of government, legal, academic, aviation, energy, and financial sectors, mainly in the Middle East, with regions of interest extending to the US and Asia. www.cloudsek.com/blog/an-insi...
virusbtn.bsky.social
The Point Wild Lat61 Threat Intelligence Team details Shuyal Stealer, targeting 19 browsers, stealing credentials and Discord tokens, capturing screenshots, and cleaning up after exfiltration. www.pointwild.com/threat-intel...
virusbtn.bsky.social
Rapid7 Threat Research reports a new threat group, known as the Crimson Collective, attacking AWS environments to exfiltrate data and extort victims. The actor has also announced that it is behind an attack on Red Hat. www.rapid7.com/blog/post/tr...
virusbtn.bsky.social
Microsoft Threat Intelligence confirms that Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications, is actively exploiting the CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
The Resecurity HUNTER Team warns of a mass exploitation of CVE-2025-61882 in Oracle E-Business Suite, enabling remote code execution. Several victims received extortion emails from Cl0p in late September 2025. www.resecurity.com/blog/article...
virusbtn.bsky.social
Independent researcher Ícaro César (0x0d4y) analyses a Mustang Panda campaign identified in June 2025, targeting the Tibetan community and using a ZIP archive with a decoy named “Voice for the Voiceless Photos.exe” and a hidden DLL to enable DLL side-loading. 0x0d4y.blog/mustang-pand...