
WhirlCoil Python loader remote tunnel backdoor

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The WhirlCoil Python loader is now confirmed to establish persistence through a Visual Studio Code remote tunnel, which gives operators backdoor access and arbitrary command execution on compromised hosts. It also harvests system information and the contents of user directories, increasing exposure on targeted systems. The activity matters because the tunnel provides durable remote control through a legitimate developer feature rather than a one-off payload run: an allow-list that trusts the VS Code binary and the tunnel relay endpoints it talks to will not stop it, so the useful signal is a tunnel being set up by a script or loader rather than by a developer at a terminal.

Related Happenings

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

AsyncRAT distribution via TryCloudflare, Dropbox, and WSH infection chain

Malware Activity
First: 14.01.2026 16:18 Last: 14.01.2026 16:18 Sources 1

About this happening: A **multi-stage phishing chain** is distributing **AsyncRAT** through **TryCloudflare tunnels** and **Dropbox ZIP links**, creating a persistent **Windows** infection path that en...

TA415 phishing campaign targeting US policy entities

Campaign
First: 17.09.2025 15:59 Last: 17.09.2025 15:59 Sources 1

About this happening: The **TA415** phishing campaign targeted **US government, think tank, and academic organizations** in **July and August 2025**, raising the risk of **persistent remote access** to...

Warlock ransomware SharePoint credential-dumping and deployment activity

Malware Activity
First: 21.08.2025 00:04 Last: 21.08.2025 00:04 Sources 1

About this happening: The **Warlock ransomware** operation is compromising **exposed on-premises SharePoint servers**, creating risk of **credential theft**, **lateral movement**, and **disruptive rans...

Timeline

  1. 17.09.2025 15:56 · 2 articles

    Initial report: WhirlCoil Python loader remote tunnel backdoor

    Initial Disclosure

    Execution begins when a hidden batch script launches the **WhirlCoil** Python loader from a password-protected archive. A decoy PDF is displayed to the user while the loader sets up persistence on the host.
