Netskope's Jan Michael Alcantara looks at a ClickFix campaign targeting both Windows & macOS users and details the infection chain that delivers an AppleScript-based infostealer to macOS users. www.netskope.com/jp/blog/maco...
Posts by Virus Bulletin
Trellix researchers analyse PureRAT, a multi-stage fileless RAT that uses steganography & process hollowing. Its modular architecture allows operators to deploy specialised plugins for environment monitoring, keylogging or remote desktop access on demand. www.trellix.com/blogs/resear...
Check Point researchers look into The Gentlemen RaaS program, which is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks occurring in the first months of 2026. research.checkpoint.com/2026/dfir-re...
Splunk Threat Research team is tracking a new malware campaign whose loader currently pushes two very different threats at once: Gh0st RAT & CloverPlus adware, giving the attackers long-term control of systems while they make quick profits. www.splunk.com/en_us/blog/s...
DomainTools assesses with high-confidence that personas 'Homeland Justice', 'Karma' & 'Handala' constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles. dti.domaintools.com/research/moi...
Validin's Efstratios Lontzetidis & Christos Fotopoulos look into a UNC1069 campaign targeting individuals by luring them into fraudulent meetings hosted by fake companies. The malware used appears to consist of updated variants of Cabbage RAT. www.validin.com/blog/i_cant_...
Huntress Security Operations Center has seen an uptick in incidents involving compromised Bomgar remote monitoring & management (RMM) instances. In some cases threat actors have used the compromised Bomgar instances to deploy the LockBit ransomware. www.huntress.com/blog/uptick-...
VB2026 is heading to Seville ✨
Join us in Seville 14-16 October 2026 at Barceló Sevilla Renacimiento.
Travel and venue information will be shared soon, so stay tuned for updates ✈️
#VB2026 #VirusBulletin #Cybersecurity #Seville
Did you know? 💡
The VB2026 venue, the Barceló Sevilla Renacimiento, places attendees right next to Isla Mágica, described as the world's first urban theme park and one of Seville's most distinctive attractions 🎢
VB2026 | Seville | 14–16 October 2026
See you there!
Stefan Dasic at Malwarebytes uncovers a fake Claude site that serves a trojanised installer while still delivering a working copy of the app. Behind the scenes, the ZIP contains PlugX malware that gives attackers remote access to the victim's system. www.malwarebytes.com/blog/scams/2...
Nir Avraham at Jamf Threat Labs reveals Predator spyware's previously unreported iOS kernel exploitation engine, showing how it achieves deep access. The analysed chain targets iOS versions before 17 and devices up to the A16 generation. www.jamf.com/blog/predato...
Genians Security Center uncovers an APT37 campaign that used social networking as an initial access vector. Two Facebook accounts set to North Korea-linked locations were used to screen targets, build trust, and move conversations to Messenger. www.genians.co.kr/en/blog/thre...
Malwarebytes' Stefan Dasic uncovers a fake Windows support website that tricks users into downloading a large MSI file posing as a legitimate update. The chain uses Electron, VBS, & a renamed Python process to deliver a credential-stealing payload. www.malwarebytes.com/blog/scams/2...
Robin Dost analyses a UAC-0226 sample, identifying it as a GIFTEDCROOK stealer variant. The chain starts with CVE-2025-6218 & CVE-2025-8088; a LNK launches a payload that decodes another binary, uses chunked data exfiltration & reconstructs its C2 at runtime. blog.synapticsystems.de/obfuscation-...
Kaivalya Khursale at Zscaler ThreatLabz reports a recent campaign in which a fake Adobe Reader lure led to ScreenConnect installation. The report details direct in-memory execution & obfuscation methods, including dynamic code that resolves method & type names at runtime. www.zscaler.com/blogs/securi...
Moonlock Lab Team reports notnullOSX, a Go-written macOS stealer. The analysis describes the malware as being distributed via ClickFix and trojanized DMG chains, and built to drain crypto holdings above $10,000. moonlock.com/notorious-ha...
eSentire TRU details STX RAT, a remote access trojan observed in late Feb 2026 targeting a financial services customer. The analysis highlights a custom unpacking chain, proprietary TCP protocol, & fallback support for both clearweb & Tor infrastructure. www.esentire.com/blog/stx-rat...
Ashley Shen at Cisco Talos uncovers UAT-10362 targeting Taiwanese NGOs and suspected universities with LucidRook, a sophisticated DLL-based stager delivered through spear phishing. blog.talosintelligence.com/new-lua-base...
Sakshi S Raut at Point Wild analyses DesckVB RAT, a highly active 2026 threat that starts with obfuscated JavaScript, deploys a PowerShell script, and then loads a .NET payload directly into memory. www.pointwild.com/threat-intel...
Virus Bulletin has launched VB ESA - M365, a new testing programme for solutions that enhance Microsoft 365 security with additional detection layers.
If you have such an overlay offering in your suite of products then this test is for you!
See more 👉 www.virusbulletin.com/testing/vb-e...
FBI's yearly cybercrime report is out
Cybercrime losses passed $20b last year
PDF: www.ic3.gov/AnnualReport...
Quentin Bourgue & Sekoia TDR present the second part of an EvilTokens kit analysis, detailing the EvilTokens PhaaS operations on Telegram & the administration panel capabilities leveraged by affiliates, including AI-augmented features that facilitate BEC fraud. blog.sekoia.io/eviltokens-a...
Researchers at Gen Threat Labs analyse Remus, a new 64-bit infostealer variant attributed to the infamous Lumma Stealer family. Remus introduces additional anti-analysis checks and the use of EtherHiding to resolve C2s, replacing the use of Steam & Telegram. www.gendigital.com/blog/insight...
The Microsoft Threat Intelligence team delves into the attack techniques attributed to Storm-1175 over several years and provides insights into how organisations can harden and defend against attackers like Storm-1175. www.microsoft.com/en-us/securi...
The VB2026 Call for Papers closes in just 2 days.
If you have insights, research or real-world experiences to share with the security community, this is your last chance to submit your proposal for VB2026 Seville 🎤
Deadline: 9 April 2026
Click for more info ➡️ www.virusbulletin.com/conference/v...
SmartApeSG script injected into page from compromised website.
SmartApeSG fake CAPTCHA page with ClickFix instructions.
Malware delivered through SmartApeSG persistent on an infected Windows host.
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.
Indicators, a #pcap of the traffic, malware samples and other info available at malware-traffic-analysis.net/2026/04/06/i...
Researchers at DomainTools look into the current compartmentalization & diversity of the DPRK malware ecosystem. North Korea’s cyber programme evolved deliberately fragmented - optimized for mission specialization, operational resilience & attribution resistance. dti.domaintools.com/research/dpr...
Trend Micro's Jacob Santos, Sophia Nilette Robles & Jeffrey Francis Bonaobra show how an error in Anthropic’s Claude Code npm release was weaponized into an AI-themed campaign to distribute Vidar stealer and GhostSocks proxy malware. www.trendmicro.com/en_us/resear...
Rapid7 researchers discovered seven new variants of BPFDoor, a stealthy kernel-level backdoor that uses the Berkeley Packet Filter (BPF) to inspect traffic from inside the operating system kernel. www.rapid7.com/blog/post/tr...
ASEC reports that Kimsuky has changed how it distributes malicious LNK files. While the end goal remains the same - execution of a Python-based backdoor or downloader - the group has reworked the intermediate stage into a more complex multi-step chain. asec.ahnlab.com/en/93151/