VOID#GEIST phishing-delivered multi-stage RAT campaign

Campaign
First reported
Last updated
Happening score: 33
1 unique source, 1 article

Summary

The VOID#GEIST campaign uses phishing to deliver batch scripts hosted on TryCloudflare, which in turn fetch encrypted RAT payloads, creating a fileless intrusion path that is harder to detect. The chain stages a legitimate Python runtime and injects shellcode into explorer.exe using Early Bird APC injection. It also uses AppInstallerPythonRedirector.exe and repeated in-memory injection to run XWorm, Xeno RAT, and AsyncRAT. The operation matters because its modular delivery design blends into normal user activity and reduces disk-based artifacts.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 · Last: 27.04.2026 14:23 · Sources: 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 · Last: 11.03.2026 00:57 · Sources: 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 · Last: 06.03.2026 00:37 · Sources: 1

About this happening: A campaign **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

Havoc Demon payload deployment and persistence operation

Malware Activity
First: 03.03.2026 19:15 · Last: 03.03.2026 19:15 · Sources: 1

About this happening: A **fake IT support** operation is deploying **Havoc Demon** payloads to preserve access across compromised endpoints and support likely **data exfiltration** or **ransomware** fo...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 · Last: 03.03.2026 11:20 · Sources: 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

Timeline

  1. 06.03.2026 16:33 · 2 articles

    VOID#GEIST phishing-delivered RAT campaign disclosure

    Initial Disclosure

    Securonix Threat Research disclosed VOID#GEIST, a multi-stage malware campaign that uses phishing-delivered batch scripts from a TryCloudflare domain to stage a legitimate Python runtime, decrypt shellcode, and inject encrypted payloads into explorer.exe with Early Bird APC injection. The chain delivers XWorm, Xeno RAT, and AsyncRAT through runn.py and AppInstallerPythonRedirector.exe, then sends a minimal HTTP beacon to attacker-controlled TryCloudflare C2 infrastructure; the affected organization is unknown and no successful compromise has been confirmed.