WebSocket RAT and cptch Windows payload activity
Malware Activity
Summary
A cptch download chain delivered a WebSocket RAT that enabled remote command execution and data exfiltration on Windows systems. The activity mattered because it turned a fake verification (CAPTCHA) flow into full remote attacker control and data-theft capability.
Related Happenings
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources 1
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
Python-based malware deployment with XWorm and Cobalt Strike tooling
Malware Activity
First: 23.02.2026 17:30
Last: 23.02.2026 17:30
Sources 1
About this happening:
A **Python-based malware deployment** was uncovered on a **compromised Windows system**, exposing persistence, obfuscation, and credential-theft activity tied to **PayPal abuse**...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Timeline
22.10.2025 16:37 · 2 articles · 7mo ago
WebSocket RAT and cptch Windows payload activity
Initial Disclosure: The first malware phase used a **PowerShell** command to download and run **cptch** after the fake CAPTCHA step. That stage acted as a reconnaissance and system-profiler utility before the RAT payload arrived.
Sources:
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37