Phoenix backdoor v4 and FakeUpdate loader activity
Malware Activity
Summary
Phoenix backdoor v4 was delivered through malicious Word documents that wrote the FakeUpdate loader to disk, giving the malware a foothold for persistence and follow-on execution. The payload then decrypted the backdoor, established Registry-based persistence, and began beaconing to C2 over WinHTTP. That matters because the backdoor can profile victims, launch a shell, and move files, while a separate infostealer tried to harvest browser credentials from Chrome, Opera, Brave, and Edge.
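The chain in the summary (an Office process writing a loader to disk, a Run-key entry pointing at it, then an outbound beacon) is a sequence a defender can correlate from endpoint telemetry. The Python below is an added example, not code from Group-IB's report or from this page's sources: it scores Sysmon-style events (EventID 11 FileCreate, 13 RegistryEvent SetValue, 3 NetworkConnect) keyed on the dropped path. Every event, file name, SID and address in it is constructed, and the field names are assumed to mirror Sysmon's.

```python
"""Correlate Sysmon-style events into a loader -> persistence -> beacon chain.

Added illustration only; not detection content from the page's sources. All
sample events, paths, the SID and the IP address below are constructed, and the
field names (Image, TargetFilename, TargetObject, Details) follow Sysmon's.
"""
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
FULL_CHAIN = {"office_drop", "run_key_persistence", "outbound_beacon"}


def is_run_key(key: str) -> bool:
    """True for HKCU/HKLM ...\\CurrentVersion\\Run or RunOnce value paths."""
    k = key.lower()
    return any(marker in k for marker in RUN_KEY_MARKERS)


def correlate(events):
    """Group events by dropped executable path and record observed stages.

    Returns {lowercased_path: set_of_stages}; only executables written by an
    Office process ever become keys, so unrelated Run-key writes are ignored.
    """
    stages = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # file written to disk by some process
            writer = ev["Image"].split("\\")[-1].lower()
            target = ev["TargetFilename"].lower()
            if writer in OFFICE_PARENTS and target.endswith(EXEC_SUFFIXES):
                stages[target].add("office_drop")
        elif eid == 13:  # registry value set; look for a dropped path in it
            if is_run_key(ev["TargetObject"]):
                details = ev["Details"].lower()
                for path in stages:  # only pre-existing keys; no dict growth
                    if path in details:
                        stages[path].add("run_key_persistence")
        elif eid == 3:  # outbound connection from the dropped binary itself
            img = ev["Image"].lower()
            if img in stages:
                stages[img].add("outbound_beacon")
    return dict(stages)


def verdict(stage_set):
    """Map the observed stages for one path to a severity label."""
    if FULL_CHAIN <= stage_set:
        return "high"
    if "office_drop" in stage_set and len(stage_set) >= 2:
        return "medium"
    if stage_set:
        return "low"
    return "none"


def analyze(events):
    """Return {dropped_path: verdict} for every Office-dropped executable."""
    return {path: verdict(s) for path, s in correlate(events).items()}


# Constructed sample telemetry: one full chain plus one benign Word temp file.
DROPPED = r"C:\Users\victim\AppData\Roaming\FakeUpdate.exe"  # constructed name
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": DROPPED},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": DROPPED},
    {"EventID": 3, "Image": DROPPED,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\~WRD0001.tmp"},
]

if __name__ == "__main__":
    for path, severity in analyze(SAMPLE_EVENTS).items():
        print(f"{severity:6} {path}")
```

Matching on the dropped path rather than on a process name is deliberate: the loader name in a real intrusion is whatever the attacker chose, while "Office wrote an executable, something registered it under Run, and that file then talked out" holds regardless of the name.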
Related Happenings
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources: 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
PyTorch Lightning hit by network compromise
Incident
First: 04.05.2026 20:15
Last: 04.05.2026 20:15
Sources: 1
About this happening:
A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
Fake Claude PlugX phishing campaign
Campaign
First: 13.04.2026 12:52
Last: 13.04.2026 12:52
Sources: 1
About this happening:
A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Latest development: 07.05.2026 13:02
A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
Russia-linked DRILLAPP campaign targeting Ukrainian entities
Campaign
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources: 1
About this happening:
A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
QuickLens and ShotBird malicious Chrome extension update chain
Malware Activity
First: 09.03.2026 12:28
Last: 09.03.2026 12:28
Sources: 1
About this happening:
The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...
Timeline
- 23.10.2025 00:19 · 1 article
MuddyWater phishing campaign starts through compromised NordVPN account
Exploitation Observed: Starting August 19, 2025, MuddyWater launched a phishing campaign from a compromised account accessed through the NordVPN service and sent malicious emails to government and international organizations in the Middle East and North Africa, with embassies, diplomatic missions, foreign affairs ministries, and consulates among the main targets.
Sources:
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- 23.10.2025 00:19 · 1 article
Campaign server and server-side C2 are taken down
Technical Analysis Update: On August 24, 2025, the campaign's server and server-side command-and-control component were taken down, indicating a shift toward other tools and malware for collecting information from compromised systems.
Sources:
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- 23.10.2025 00:19 · 2 articles
Group-IB discloses MuddyWater FakeUpdate and Phoenix v4 campaign
Initial Disclosure: On October 22, 2025, Group-IB disclosed that MuddyWater, also tracked as Static Kitten, Mercury, and Seedworm, targeted more than 100 government entities in the Middle East and North Africa with phishing emails carrying malicious Word documents that wrote the FakeUpdate loader and decrypted Phoenix backdoor version 4.
Sources:
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19