TAMECAT PowerShell backdoor deployment and exfiltration
Malware Activity
Summary
Hide ▲
Show ▼
TAMECAT is being used as a PowerShell backdoor to maintain persistent access on compromised hosts and move data out through HTTPS, Discord, and Telegram. The malware matters because it adds remote control, reconnaissance, browser theft, mailbox collection, and screenshot capture to the operator's intrusion toolkit.
Related Happenings
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware ActivityAbout this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityAbout this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware Activity
H score65
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware ActivityAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
Timeline
-
14.11.2025 16:40 2 articles · 7mo ago
TAMECAT PowerShell backdoor deployment and exfiltration
Initial DisclosureThe initial stage centers on **TAMECAT** being delivered as a **PowerShell backdoor** after a malicious link chain reaches a loader. This phase establishes the foothold needed for **persistent access** and follow-on exfiltration.
Show sources
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40