Patchwork-linked StreamSpy Trojan adds WebSocket and HTTP C2
Malware Activity
Summary
A Windows malware packer/loader named pkr_mtsi was first observed on April 24, 2025 and is used in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers. Research from ReversingLabs says the loader masquerades as legitimate software such as PuTTY, Rufus, and Microsoft Teams, then deploys payloads including Oyster, Vidar, Vanguard Stealer and Supper. The activity matters because it supports initial access through fake download sites and paid-search abuse rather than through compromised vendors.
Related Happenings
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Snow malware suite deployment by UNC6692
Malware Activity
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
ClickFix compromised-site MIMICRAT campaign
Campaign
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...
Timeline
- 07.01.2026 18:45 · 1 article · 4mo ago
  ReversingLabs first observes pkr_mtsi malware loader
  Initial Disclosure: ReversingLabs identified pkr_mtsi as a flexible Windows malware packer and loader first seen on April 24, 2025, used in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers masquerading as legitimate software and to deliver Oyster, Vidar, Vanguard Stealer and Supper.
  Sources:
- Versatile Malware Loader pkr_mtsi Delivers Diverse Payloads — www.infosecurity-magazine.com — 07.01.2026 18:45
- 02.01.2026 15:52 · 2 articles · 4mo ago
  Patchwork-linked StreamSpy Trojan adds WebSocket and HTTP C2
  Initial Disclosure: QiAnXin associated Patchwork, also called Maha Grass, with StreamSpy, a previously undocumented Windows RAT distributed through OPS-VII-SIR.zip and Annexure.exe. It uses WebSocket and HTTP for command-and-control, supports persistence through the Windows Registry, scheduled tasks, or a Startup LNK file, and can harvest system information, transfer files, execute shell commands, delete or rename files, and enumerate folders. The same Annexure.exe sample was also flagged as ShadowAgent in November 2025.
  Sources:
- Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia — thehackernews.com — 02.01.2026 15:52