Find notable cyber news and cases, enriched with sources, timelines, and signals.

BADAUDIO first-stage downloader activity

Malware Activity
First reported
Last updated
Happening score
H score 43
1 unique sources, 1 articles

Summary

Hide ▲

The BADAUDIO malware is now documented as a first-stage downloader that can decrypt and execute AES-encrypted payloads from a hard-coded C2 server, increasing the risk of follow-on compromise on infected hosts. It has been seen in a nearly three-year operation that began in November 2022. Recent delivery chains use malicious DLLs and encrypted archives with VBS, BAT, and LNK files.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Beagle backdoor distributed via fake Claude site and DLL sideloading

Malware Activity
H score23 First: 07.05.2026 16:15 Last: 07.05.2026 16:15 Sources 1

About this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...

Ghost campaign remote access trojan payload

Malware Activity
H score30 First: 24.03.2026 16:30 Last: 24.03.2026 16:30 Sources 1

About this happening: A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...

Dohdoor backdoor activity on Windows endpoints

Malware Activity
H score23 First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources 1

About this happening: A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...

UAT-10027 U.S. education and healthcare targeting campaign

Campaign
H score34 First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources 1

About this happening: **UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...

Timeline

  1. 21.11.2025 12:42 2 articles · 7mo ago

    BADAUDIO first-stage downloader activity

    Initial Disclosure

    At execution, BADAUDIO commonly appears as a **malicious DLL** or archive payload that uses **DLL Search Order Hijacking** to launch through legitimate software. It then reaches out to **C2** and pulls down the next stage.

    Show sources