
CHILLYHELL and ZynorRAT malware activity

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


The discovery of CHILLYHELL and ZynorRAT expands cross-platform malware risk across macOS, Windows, and Linux with backdoor, RAT, persistence, and exfiltration functions. The two families add fresh remote access and command-and-control capability to active malware tooling. CHILLYHELL uses hard-coded C2 infrastructure and stealthy persistence, while ZynorRAT uses a Telegram bot for centralized control. Together, they show continued development of modular malware that can steal data, run commands, and maintain access.

Related Happenings

CrystalRAT Telegram-promoted malware-as-a-service

Malware Activity
First: 02.04.2026 02:17 Last: 02.04.2026 02:17 Sources 1

About this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...

Amnesia RAT retrieved from Dropbox for data theft and remote control

Malware Activity
First: 24.01.2026 13:09 Last: 24.01.2026 13:09 Sources 1

About this happening: The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...

Tsundere botnet expanding on Windows

Malware Activity
First: 20.11.2025 18:57 Last: 20.11.2025 18:57 Sources 1

About this happening: The **Tsundere botnet** is actively expanding against **Windows users**, and its operators can make infected systems run arbitrary **JavaScript** from a **command-and-control serv...

TAMECAT PowerShell backdoor deployment and exfiltration

Malware Activity
First: 14.11.2025 16:40 Last: 14.11.2025 16:40 Sources 1

About this happening: **TAMECAT** is being used as a **PowerShell backdoor** to maintain **persistent access** on compromised hosts and move data out through **HTTPS, Discord, and Telegram**. The malwa...

GOVERSHELL multi-variant phishing-delivered malware activity

Malware Activity
First: 10.11.2025 18:00 Last: 10.11.2025 18:00 Sources 1

About this happening: The **GOVERSHELL** malware was observed in **five evolving variants**, raising the risk of **remote command execution** and **persistent access** on infected systems. The payload...

Timeline

  1. 10.09.2025 16:04 2 articles · 8mo ago

    CHILLYHELL and ZynorRAT analysis highlights cross-platform malware capabilities

    Technical Analysis Update

    CHILLYHELL was identified as a modular Apple macOS backdoor attributed to UNC4487, with LaunchAgent and LaunchDaemon persistence, shell-profile tampering, hard-coded HTTP or DNS C2, timestomping, reverse shell access, and password-cracking functions. ZynorRAT was identified as a Go-based RAT targeting Windows and Linux, centrally controlled through a Telegram bot, and built for file exfiltration, screenshot capture, persistence, and arbitrary command execution.
