Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
An active campaign was identified spreading malware through WhatsApp via ZIP file attachments. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to propagate further by automatically sending malicious messages to the victim's contacts. This self-propagating design enables rapid spread through trust networks. The research details the infection chain, persistence mechanisms, WhatsApp API abuse for propagation, and C2 communication protocols of the campaign, which targets Brazilian users.
Related Research
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Uncovered AI-generated fake GitHub repositories distributing SmartLoader and LummaStealer through convincing but malicious code projects.
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Uncovered PureRAT targeting job seekers using renamed Foxit PDF Reader for DLL side-loading and Python-based shellcode loaders.
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
Investigated a supply chain attack in which an attacker hijacked the lead Axios npm maintainer's account and published two malicious versions containing a phantom dependency that deployed a cross-platform RAT on macOS, Windows, and Linux while erasing forensic evidence by replacing itself with clean decoy files.
Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do
Documented an active campaign in which threat actors exploited the Anthropic Claude Code npm packaging error to distribute Vidar, GhostSocks, and PureLog Stealer via a fake "leaked-claude-code" GitHub repository, with over 533 confirmed payload downloads as of April 7, 2026.