
Python-based malware deployment with XWorm and Cobalt Strike tooling

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


A Python-based malware deployment was uncovered on a compromised Windows system, exposing persistence, obfuscation, and credential-theft activity tied to PayPal abuse and attempted wallet theft. Memory analysis linked the host to svchoss.exe, XWorm RAT v5.6, HTran, and Cobalt Strike Beacon. The compromise used hidden PowerShell with execution policy bypassed and planted startup-folder scripts to sustain access. Extracted strings pointed to Chromium autofill, cryptocurrency wallets, and Mozilla Firefox profiles as theft targets.

Related Happenings

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Microsoft Defender falsely flags DigiCert root certificates and removes some from the Windows trust store

Security Tool/Service
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

Timeline

  1. 23.02.2026 02:00 · 1 article · 3 months ago

    VirusTotal flags svchoss.exe with 41/71 detections

    Detection / IoC Update

    VirusTotal detections for svchoss.exe reached 41 out of 71 engines as of December 5th 2025, marking the disguised executable as a malicious IOC.

  2. 23.02.2026 02:00 · 2 articles · 3 months ago

    Secuinfra Falcon Team uncovers Python-based malware during fraud investigation

    Initial Disclosure

    The Secuinfra Falcon Team identified a Python-based malware deployment on a victim system after a user reported unusual desktop behaviour and unauthorised PayPal transfers. Investigators found hidden PowerShell commands, startup-folder persistence scripts, a disguised payload named svchoss.exe, and memory evidence indicating the affected Windows host had been fully compromised.
