
UNC1549 SSL.com-signed malware binaries targeting European organizations

Malware Activity
First reported
Last updated
Happening score: 41
1 unique source, 1 article

Summary


UNC1549 has been signing its backdoors and infostealers with valid code-signing certificates issued by SSL.com, which makes the binaries harder to detect and raises the risk for European organizations. Signing produced a sharp drop in detections, with many samples going undetected by multiple antivirus engines. The abuse appears to have continued for several months in 2025, and some of the observed certificates were still valid at the time of reporting.
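The practical lesson of this happening is that a signature with Status "Valid" is not a trust signal: the certificate was genuinely issued, so detection has to look at who the issuer is, when the certificate was issued, and whether it has since been revoked. The PowerShell hunt below is an added example, not code from the page or from the researchers it summarizes. It walks a set of directories, keeps only Authenticode-signed PE files whose signer certificate was issued by an SSL.com CA from May 2025 on (the month the page gives for the start of the abuse; the cut-off date and the directories are assumptions, and the page names no hashes, subjects or serial numbers to match on), and then builds a chain with online revocation checking so revoked signers are flagged even though Get-AuthenticodeSignature may still report them as valid when the signature was timestamped before revocation.

```powershell
# Added example (not from the page): hunt for PE files signed with SSL.com-issued
# code-signing certificates issued on or after May 2025, and check revocation online.
# Directories, file extensions and the date threshold are assumptions for this example.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads"),
    [datetime]$NotBeforeThreshold = [datetime]'2025-05-01',   # assumed cut-off: first abuse month on the page
    [string]$IssuerPattern = '*SSL.com*'                       # wildcard match against the issuer DN
)

function Test-SignerRevocation {
    # Builds a chain with online CRL/OCSP checking and returns 'OK' or the joined
    # chain status flags (e.g. Revoked, RevocationStatusUnknown, OfflineRevocation).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $null = $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($flags.Count -eq 0) { return 'OK' }
    return ($flags -join ',')
}

$files = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }                                  # unsigned: out of scope for this hunt
    if ($cert.Issuer -notlike $IssuerPattern) { continue }        # only SSL.com-issued signers
    if ($cert.NotBefore -lt $NotBeforeThreshold) { continue }     # only certificates issued in the abuse window

    [pscustomobject]@{
        Path        = $f.FullName
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus   = $sig.Status                                 # 'Valid' here does not mean benign
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Serial      = $cert.SerialNumber
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate           # timestamped signatures outlive the certificate
        Revocation  = Test-SignerRevocation -Cert $cert
    }
}
```

Two caveats when reading the output. First, a timestamped signature remains valid after the certificate expires, and a revocation only invalidates signatures made after the revocation date, so a file can show SigStatus "Valid" while Revocation reports "Revoked"; treat that combination as a priority finding rather than a false positive. Second, the issuer and date filter is deliberately broad: plenty of legitimate software is signed with SSL.com certificates issued in that window, so the list is a triage queue to pivot on (subject, serial, thumbprint) against vendor inventory and threat-intel feeds, not a verdict.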

Related Happenings

DigiCert hit by network compromise

Incident
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: DigiCert disclosed an **early April** **support environment compromise** that exposed **initialization codes** for approved **EV code-signing certificate orders**, creating a path...

Latest development: 04.05.2026 15:46

By April 17, DigiCert revoked 60 certificates tied to the support-portal compromise, including 27 explicitly linked to the threat actor and 11 used to sign Zhong Stealer, and canceled pending orders to close attacker access. DigiCert also enforced multi-factor authentication for administrative workflows, blocked access to initialization codes from proxied support users, restricted file types for support chat and Salesforce case attachments, and improved logging.

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

VENON Rust-based banking malware targeting Brazilian Windows users

Malware Activity
First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: Researchers disclosed **VENON**, a new **Rust-based banking malware** aimed at **Brazilian Windows users**, raising the risk of **credential theft** through fake banking overlays....

Dindoor backdoor activity in MuddyWater operations

Malware Activity
First: 06.03.2026 17:15 Last: 06.03.2026 17:15 Sources 1

About this happening: Researchers identified **Dindoor**, a previously unknown backdoor, on targeted networks tied to **MuddyWater**, showing the group was using a new intrusion toolset. The malware ap...

UNC6353 and UNC6691 Coruna iOS exploit campaign

Campaign
First: 04.03.2026 21:06 Last: 04.03.2026 21:06 Sources 1

About this happening: The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used...

Timeline

  1. 26.09.2025 18:28 2 articles · 8mo ago

    UNC1549 SSL.com-signed malware binaries targeting European organizations

    Initial Disclosure

    In **May 2025**, UNC1549 appears to have started signing malware with **SSL.com** certificates. The initial phase focused on making new binaries look trustworthy so they would slip past detection.
