Find notable cyber news and cases, enriched with sources, timelines, and signals.

GOVERSHELL multi-variant phishing-delivered malware activity

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

The GOVERSHELL malware was observed in five evolving variants, raising the risk of remote command execution and persistent access on infected systems. The payload was delivered through malware-laden archive files that paired a legitimate-looking executable with a hidden DLL. Later variants added encrypted WebSocket and HTTPS channels, indicating a more capable remote-access toolset.

Related Happenings

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
H score19 First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
H score26 First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...

LummaStealer infection surge via CastleLoader

Malware Activity
H score30 First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Timeline

  1. 10.11.2025 18:00 2 articles · 8mo ago

    GOVERSHELL multi-variant phishing-delivered malware activity

    Initial Disclosure

    In the earliest observed phase, **GOVERSHELL** was delivered through phishing archives that bundled a legitimate-looking executable with a hidden malicious **DLL**. Opening the archive triggered **search order hijacking**, giving the attacker remote access.

    Show sources