Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.
Read more…
Source: Rapid7
Related:
- SesameOp: Novel backdoor uses OpenAI Assistants API for command and control
November 3, 2025
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as ...
- Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
October 29, 2025
Palo Alto Unit 42 researchers have discovered a new Windows-based malware family they’ve named Airstalk, which is available in both PowerShell and .NET variants. Unit 42 assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. The researchers have created the threat activity cluster CL-STA-1009 to identify ...
- Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
October 27, 2025
Trend Research is continuously tracking the aggressive malware campaign it identified as Water Saci, which uses WhatsApp as its primary infection vector. In our previous blog, the Water Saci campaign, with its malware identified as SORVEPOTEL, automatically distributes the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account for ...
- Mem3nt0 mori – The Hacking Team is back!
October 27, 2025
n March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough. The malicious links were personalized and extremely short-lived to avoid detection. ...
- Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
October 22, 2025
Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence. MuddyWater accessed the compromised mailbox through NordVPN(a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence. By exploiting the trust and ...
- Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities
October 21, 2025
On October 6, 2025, the developer known as “Loadbaks” announced the release of Vidar Stealer v2.0 on underground forums. This new version features a complete transition from C++ to a pure C implementation, allegedly enhancing performance and efficiency. Its release coincides with a decline in activity surrounding the Lumma Stealer, suggesting cybercriminals under its operation ...