Virus Bulletin
virusbtn.bsky.social
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
We are thrilled to officially announce that VB2026 will take place in the vibrant city of Seville, Spain, from 30 September to 2 October 2026.

More details coming soon on the venue, call for papers, sponsorship opportunities, and how to join us.

Can't wait to see you there!
AhnLab Security Intelligence Center analyses Yurei ransomware’s Go-based builder and encryption design. The group was first publicly identified in early September 2025. asec.ahnlab.com/en/90975/
November 13, 2025 at 10:23 AM
Trend Micro Research observes increased Lumma Stealer activity and notes the malware now uses browser fingerprinting in its command-and-control tactics. www.trendmicro.com/en_us/resear...
November 13, 2025 at 10:18 AM
We're already thinking about VB2026 and we want to hear from YOU! ✨

What would you love to see at next year's conference? Different topics? New formats? Wild ideas? Share your wishes and suggestions in the VB2026 Wish Machine. 👇

tinyurl.com/y2ppm2jy
November 12, 2025 at 2:49 PM
AhnLab Security Intelligence Center details campaigns in which attackers deploy LogMeIn Resolve or PDQ Connect from fake utility sites and use them to execute PowerShell and drop PatoRAT on victim hosts. asec.ahnlab.com/en/90968/
November 12, 2025 at 11:32 AM
Intel 471 analyses a ClickFix campaign that targets Windows and macOS users searching for cracked software by tricking them into pasting commands that deploy infostealers. www.intel471.com/blog/clickfi...
November 12, 2025 at 11:30 AM
Members of the Point Wild Lat61 Threat Intelligence Team analyse a Bitcoin-themed fake tool that drops DarkComet RAT, detailing its behaviour and attacker capabilities. www.pointwild.com/threat-intel...
November 12, 2025 at 11:27 AM
Cyble Research and Intelligence Labs uncovers a phishing campaign using HTML email attachments that run JavaScript to steal credentials and exfiltrate them to attacker-controlled Telegram bots. cyble.com/blog/multi-b...
November 11, 2025 at 11:36 AM
Mees van Wickeren uncovers unreported domains, IPs and emails linked to UNC3782, expanding the open-source indicators on this DPRK cluster. medium.com/@meeswicky11...
November 11, 2025 at 11:32 AM
CyberProof Threat Research identifies the Maverick banking malware spreading via WhatsApp, and notes technical overlaps with Coyote malware. www.cyberproof.com/blog/maveric...
November 11, 2025 at 11:27 AM
Unit 42 uncovers the new LANDFALL Android spyware delivered as DNG images that exploit CVE-2025-21042 in Samsung devices. unit42.paloaltonetworks.com/landfall-is-...
November 10, 2025 at 10:17 AM
ENKI identifies a new variant of Comebacker, attributed to the Lazarus Group, that targets the aerospace and defence sector via lure documents. ENKI assesses the campaign has been active since at least March 2025. www.enki.co.kr/en/media-cen...
November 10, 2025 at 10:14 AM
Genians Security Center documents the first confirmed case of a North Korea-linked APT abusing Google’s Find Hub by compromising accounts to track & remotely reset Android devices, with stress relief apps spread via KakaoTalk used in the same KONNI campaign. www.genians.co.kr/en/blog/thre...
November 10, 2025 at 10:05 AM
Sekoia.io TDR assesses a broader operation behind a booking-themed phishing campaign where infostealers on hotel machines stole credentials for platforms like Booking.com & Expedia, which were sold or used to email customers for banking fraud. blog.sekoia.io/phishing-cam...
November 7, 2025 at 10:15 AM
Hybrid Analysis details a new two-stage malware: LeakyInjector loads LeakyStealer to hunt crypto wallets and extensions and collect browser history from Chrome, Edge, Brave, Opera and Vivaldi. hybrid-analysis.blogspot.com/2025/11/leak...
November 7, 2025 at 10:08 AM
Zimperium zLabs identifies "Fantasy Hub", an Android RAT sold as MaaS on Russian-language channels that steals SMS messages, contacts, call logs and media, and can intercept replies and delete incoming notifications. zimperium.com/blog/fantasy...
November 7, 2025 at 10:02 AM
Google Threat Intelligence Group confirms first operational use of “just in time” AI in malware families such as PROMPTFLUX and PROMPTSTEAL, where LLMs generate malicious scripts and obfuscate code on the fly. cloud.google.com/blog/topics/...
November 6, 2025 at 10:24 AM
Proofpoint Threat Research details an espionage campaign targeting Iranian academics & foreign policy experts, starting with a benign Iran-themed conversation, moving to credential harvesting, and a URL to an archive with an MSI installer that deploys RMM tools. www.proofpoint.com/us/blog/thre...
November 6, 2025 at 10:23 AM
Huntress reports that Gootloader is back, using custom WOFF2 fonts with glyph substitution to obfuscate filenames; exploiting WordPress comment endpoints for XOR-encrypted ZIPs; and shifting persistence to the Startup folder. www.huntress.com/blog/gootloa...
November 6, 2025 at 10:20 AM
Bitdefender, with support from Georgian CERT, exposes Curly COMrades’ new tactic of deploying a tiny Alpine Linux VM via Hyper-V to run CurlyShell and CurlCat, securing persistence while bypassing standard EDR solutions. businessinsights.bitdefender.com/curly-comrad...
November 5, 2025 at 10:09 AM
The Raven File, by Rakesh Krishnan, analyses the Clop ransomware group through its network footprint. theravenfile.com/2025/11/04/c...
November 5, 2025 at 10:07 AM
The SEQRITE Labs APT-Team has been tracking Silent Lynx - which targets Kyrgyzstan, Turkmenistan and Uzbekistan for espionage - since November 2024, presenting their findings at VB2025. Further research has now uncovered multiple related campaigns. www.seqrite.com/blog/operati...
November 4, 2025 at 10:06 AM
Proofpoint Threat Research tracks a cybercriminal cluster targeting trucking and logistics companies, abusing legitimate RMM tools to hijack cargo and steal physical goods. www.proofpoint.com/us/blog/thre...
November 4, 2025 at 10:00 AM
Check Point Research demonstrates how generative AI can speed up reverse engineering from days to hours by exporting IDA data to ChatGPT for deep static analysis. research.checkpoint.com/2025/generat...
November 4, 2025 at 9:59 AM
Members of Gen Digital Threat Labs uncover two new DPRK toolsets - Kimsuky’s HttpTroy backdoor and Lazarus’s upgraded BLINDINGCAN remote access tool - and explain how these tools work. www.gendigital.com/blog/insight...
November 3, 2025 at 12:11 PM
SEQRITE Labs details Operation SkyCloak targeting Russian and Belarusian military personnel, where decoys lead to PowerShell stages that expose local services over Tor using obfs4 bridges, enabling covert communication. www.seqrite.com/blog/operati...
November 3, 2025 at 12:08 PM