Active c-ares DLL sideloading malware campaign targeting finance and supply chain staff

Campaign
First reported
Last updated
Happening score
H score 48
2 unique sources, 2 articles

Summary

An active campaign tied to TA584 uses Tsundere Bot alongside XWorm to gain network access that could lead to ransomware. Proofpoint says the operation, tracked since 2020, has increased in volume in late 2025 and now uses a continuous attack chain with hundreds of compromised, aged accounts, SendGrid, Amazon SES, ClickFix lures, and PowerShell execution to deliver payloads. The targeting has expanded beyond North America and the UK/Ireland to include Germany, other European countries, and Australia.

Related Happenings

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

LeakNet ransomware gang ClickFix and Deno in-memory loader activity

Malware Activity
First: 17.03.2026 14:09 Last: 17.03.2026 14:09 Sources 1

About this happening: The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

Timeline

  1. 14.01.2026 16:18 3 articles · 4mo ago

    c-ares DLL sideloading campaign targets business staff

    Initial Disclosure

    An active malware campaign abuses a malicious libcares-2.dll beside signed GitKraken ahost.exe binaries to bypass security controls and deliver commodity trojans and stealers, including Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm. The operation targets employees in finance, procurement, supply chain, and administration roles across commercial and industrial sectors such as oil and gas and import and export, using multilingual invoice and RFQ-themed lures to get victims to execute the rogue DLL-loading binary.
