ZgRAT malware delivery chain via Lovable-hosted invoice portals

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary

A zgRAT malware delivery chain abused Lovable-hosted invoice portals to distribute a staged payload, increasing the chance that email recipients would run the trojanized software. The chain delivered RAR archives from Dropbox containing a legitimate signed executable and a trojanized DLL. That DLL launched DOILoader, which ultimately loaded zgRAT.

Related Happenings

BADAUDIO first-stage downloader activity

Malware Activity
First: 21.11.2025 12:42 Last: 21.11.2025 12:42 Sources 1

About this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...

Zimbra Collaboration Suite XSS flaw (CVE-2025-27915)

Vulnerability
First: 05.10.2025 17:45 Last: 05.10.2025 17:45 Sources 1

About this happening: **CVE-2025-27915** was exploited as a **zero-day** in **Zimbra Collaboration Suite (ZCS 9.0, 10.0, and 10.1)**, exposing users to **JavaScript execution** inside authenticated web...

Timeline

  1. 21.08.2025 01:11 · 1 article · 9mo ago

    Lovable-hosted invoice portals deliver zgRAT

    Technical Analysis Update

    Lovable-hosted invoice-portal links led to Dropbox-hosted RAR archives containing a legitimate signed executable and a trojanized DLL; the DLL launched DOILoader and ultimately loaded zgRAT. The activity was observed in email messages since February 2025 and described on August 20, 2025.
