Find notable cyber news and cases, enriched with sources, timelines, and signals.

AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
First reported
Last updated
Happening score
H score 23
2 unique sources, 2 articles

Summary

Hide ▲

The AI-generated PowerShell malware is targeting blockchain developers and engineers in the Asia-Pacific region, raising the risk of credential and wallet theft on infected hosts. A Discord-hosted link delivers a ZIP archive with a PDF lure and a malicious LNK that starts the loader chain. The payload unpacks a DOCX document, a CAB archive, and a PowerShell backdoor that sets up persistence and polls a command-and-control server. The runtime checks for analysis environments and can execute returned PowerShell code asynchronously.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

DEEP#DOOR Python backdoor framework

Malware Activity
H score28 First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

Timeline

  1. 24.01.2026 17:23 2 articles · 5mo ago

    Konni targets blockchain developers with AI-generated PowerShell malware

    Technical Analysis Update

    Konni (Opal Sleet, TA406) is targeting blockchain developers and engineers with AI-generated PowerShell malware in a campaign focused on Asia-Pacific targets; the delivery chain starts with a Discord-hosted link that drops a ZIP archive containing a PDF lure and malicious LNK shortcut, then unpacks a DOCX document and CAB archive holding a PowerShell backdoor, batch files, and a UAC bypass executable, while the backdoor uses anti-analysis checks, a masquerading OneDrive scheduled task, XOR-encrypted scripting, and C2 polling to execute returned PowerShell code.

    Show sources