Virus Bulletin
@virusbtn.bsky.social
490 followers 46 following 660 posts
Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference.
Pinned
virusbtn.bsky.social
We are thrilled to officially announce that VB2026 will take place in the vibrant city of Seville, Spain, from 30 September to 2 October 2026.

More details coming soon on the venue, call for papers, sponsorship opportunities, and how to join us.

Can't wait to see you there!
VB2026 Seville 30 Sept - 2 Oct
virusbtn.bsky.social
We put together a short video to capture some of the atmosphere from VB2025. Talks, moments in between, and a few quick interviews with folks who were there.

🎥 Watch our VB2025 highlight reel: www.youtube.com/watch?v=h6Mv...
virusbtn.bsky.social
Red Canary tracks macOS stealers in 2024–2025, noting that Poseidon Stealer was sold and rebranded as Odyssey Stealer, which shares significant code and features with Atomic Stealer (aka AMOS). redcanary.com/blog/threat-...
virusbtn.bsky.social
Seqrite Threat Research reports Spanish-language judicial notification lures targeting Colombian users, using SVG, HTA, VBS and PowerShell stages to download and decode a loader, ending with AsyncRAT injected into a legitimate Windows process. www.seqrite.com/blog/judicia...
virusbtn.bsky.social
Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery, and malware installation, and delivers MonsterV2, which has capabilities of a RAT, stealer, and loader. www.proofpoint.com/us/blog/thre...
virusbtn.bsky.social
The Socket Threat Research Team reports that the Contagious Interview campaign is escalating in 2025, involving 338 malicious npm packages. DPRK actors are using 180+ fake personas with new npm aliases and registration emails to deploy HexEval, XORIndex & encrypted loaders. socket.dev/blog/north-k...
virusbtn.bsky.social
The Sophos Counter Threat Unit is investigating an ongoing WhatsApp worm in Brazil that began on 29 September 2025, tricking users into downloading a ZIP file containing a malicious LNK that runs PowerShell. news.sophos.com/en-us/2025/1...
virusbtn.bsky.social
FortiGuard Labs details a Stealit campaign that shifts from Electron installers to the Node.js Single Executable Application feature while still posing as game and VPN installers. www.fortinet.com/blog/threat-...
virusbtn.bsky.social
McAfee’s Threat Research team uncovers a new Astaroth campaign leveraging GitHub to host malware configurations. Infection starts with a phishing link that downloads a zipped LNK. When executed, it installs Astaroth. www.mcafee.com/blogs/other-...
virusbtn.bsky.social
Hunt.io Threat Research details AdaptixC2, a lightweight open-source C2 with multi-protocol communication, advanced evasion, and BOF-based extensibility, confirming 102 active servers in the wild. hunt.io/blog/adaptix...
virusbtn.bsky.social
Microsoft Threat Intelligence warns that Storm 2657 is actively targeting US-based organizations, especially universities, to access HR SaaS like Workday via social engineering and weak or missing MFA, then divert salaries to attacker-controlled accounts. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
eSentire Threat Response Unit details ChaosBot, a Rust-based backdoor using Discord for command and control. It was first seen in late September 2025 in a financial services environment, targeting mainly, though not exclusively, Vietnamese speakers. www.esentire.com/blog/new-rus...
virusbtn.bsky.social
Cisco Talos reports that actors linked to Storm 2603 installed an outdated version of Velociraptor, the open-source DFIR tool, enabling privilege escalation and arbitrary command execution, which led to ransomware deployment. blog.talosintelligence.com/velociraptor...
virusbtn.bsky.social
Marcus Hutchins (Expel) details a ClickFix-style campaign using cache smuggling to avoid downloads and network requests by pre-staging data in the browser cache. expel.com/blog/cache-s...
virusbtn.bsky.social
Huntress details log poisoning used to plant a China Chopper-style web shell on a web server, enabling actors to use AntSword and then deploy Nezha, an operations and monitoring tool, which was used to install Ghost RAT. www.huntress.com/blog/nezha-c...
virusbtn.bsky.social
Unit 42 uncovers the IUAM ClickFix Generator, a phishing kit that generates custom pages with OS detection and clipboard injection capabilities. Unit 42 confirms at least one campaign where DeerStealer was delivered. unit42.paloaltonetworks.com/clickfix-gen...
virusbtn.bsky.social
FortiGuard Labs analyses Chaos ransomware, which resurfaced in 2025 with a new C++ variant. The analysis provides a walkthrough of its execution flow, encryption, and clipboard hijacking for cryptocurrency, with comparisons to earlier .NET builds. www.fortinet.com/blog/threat-...
virusbtn.bsky.social
CloudSEK's TRIAD Team analyses a Charming Kitten APT35 leak and documents targeting of government, legal, academic, aviation, energy, and financial sectors, mainly in the Middle East, with regions of interest extending to the US and Asia. www.cloudsek.com/blog/an-insi...
virusbtn.bsky.social
The Point Wild Lat61 Threat Intelligence Team details Shuyal Stealer, targeting 19 browsers, stealing credentials and Discord tokens, capturing screenshots, and cleaning up after exfiltration. www.pointwild.com/threat-intel...
virusbtn.bsky.social
Rapid7 Threat Research reports a new threat group, known as the Crimson Collective, attacking AWS environments to exfiltrate data and extort victims. The actor has also announced that it is behind an attack on Red Hat. www.rapid7.com/blog/post/tr...
virusbtn.bsky.social
Microsoft Threat Intelligence confirms that Storm 1175, known for deploying Medusa ransomware and exploiting public-facing applications, is actively exploiting the CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability. www.microsoft.com/en-us/securi...
virusbtn.bsky.social
The Resecurity HUNTER Team warns of a mass exploitation of CVE-2025-61882 in Oracle E-Business Suite, enabling remote code execution. Several victims received extortion emails from Cl0p in late September 2025. www.resecurity.com/blog/article...
virusbtn.bsky.social
Independent researcher Ícaro César (0x0d4y) analyses a Mustang Panda campaign identified in June 2025, targeting the Tibetan community and using a ZIP archive with a decoy named “Voice for the Voiceless Photos.exe” and a hidden DLL to enable DLL side-loading. 0x0d4y.blog/mustang-pand...
virusbtn.bsky.social
S2 Grupo's intelligence team LAB52 reports a new Outlook backdoor, named NotDoor and attributed to APT28, that watches for specific trigger words and then exfiltrates data, uploads files, and executes commands on victim hosts. lab52.io/blog/analyzi...
virusbtn.bsky.social
StrikeReady Labs maps spear-phishing against a Serbian government aviation department and links similar activity across Europe. The campaigns utilise the SOGU/PlugX/Korplug toolset, which is typically associated with China-linked actors. strikeready.com/blog/cn-apt-...
Image showing a spear-phishing email
virusbtn.bsky.social
Hunt.io Threat Research observes APT SideWinder shifting to maritime targets, with Pakistan & Sri Lanka as primary targets, utilising free hosting platforms such as Netlify, pages.dev, workers.dev and b4a.run for credential portals & lures, & staging malware in open directories. hunt.io/blog/operati...
Screenshot showing a fake DGDP document at "httpx://drive-dgdp-gov-bd-files[.]netlify[.]app/"