Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
TrendAI™ Research monitoring found weekly campaigns since April 8, with each week introducing new pages, keywords, and geographic targeting. Wave...
We track the binary payload chain (CVE-2025-8088 to LNK to PowerShell to result.dll) under SHADOW-EARTH-066, our temporary designation for the...
Conclusion This case is a concrete demonstration that blockchain-based payload delivery has graduated from a proof-of-concept curiosity to an operational...
Based on technical artifacts and TTPs as well as code and infrastructure overlaps with BeaverTail and InvisibleFerret, TrendAI™ Research attributes...
StellarMonSetup.exe is in fact GoToResolve, a legitimate unattended remote-administration tool. Once installed, it gives the actor a persistent remote desktop...
The 21 shell reconnaissance commands include hostname, whoami, uname -a, ip addr, ip route, printenv, env | grep AWS_, kubectl...
The server-side controllers for these tools were both implemented as Python-based servers. The Python source code contained comprehensive comments, structured...
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise | Trend Micro (US)
Conclusion The QLNX implant was built for long-term stealth and credential theft. What makes it particularly dangerous is not any...
Kuse Web App Abused to Host Phishing Document | Trend Micro (US)
In some compromised repositories, we observed both techniques being present simultaneously (i.e., the malicious .vscode/tasks.json alongside the appended obfuscated JavaScript)....
Key takeaways: Attackers rapidly leveraged the Claude Code packaging error incident to distribute credential-stealing malware using fake GitHub repositories. This demonstrates how quickly threat actors can...
While the immediate threat is the social engineering campaign delivering Vidar, the leaked source code itself presents a distinct and...
The Telnyx compromise indicates a continued change in the techniques used in TeamPCP's supply-chain activity, with adjustments to tooling, delivery...
Attribution analysis Based on technical artifacts, infrastructure overlaps, and victimology, TrendAI™ Research attributes this campaign to Pawn Storm with high confidence. This...