Threat Research

A multi-stage campaign linked to AsyncRAT abuses trusted infrastructure to evade detection and ensure reliable payload delivery. Threat actors leverage Cloudflare free-tier services and TryCloudflare tunnels to host WebDAV servers, while phishing emails delivered via Dropbox use double-extension files to trick victims....

PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....

QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) like Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL....

XWorm is a widely used and evolving remote access trojan (RAT) known for features like keylogging, remote access, and data theft. Its modular design, ease of use, and regular updates make it attractive to cybercriminals. Threat actors often use XWorm in attacks on the software supply chain and gaming sectors....

Creation of .conf files associated with VenomRAT, AsyncRAT, and Lummac samples observed in the wild....