Hexastrike Blog

Reddit TradingView Lures Leading to Vidar and AMOS Stealers

While handling recent stealer infections, we traced the initial compromise back to Reddit. A threat actor had been operating across several subreddits, some hijacked from legitimate communities and others purpose-built, using a mix of compromised and freshly created Reddit accounts to push malicious software disguised as cracked TradingView Premium builds. Based on overlapping language patterns, shared infrastructure and nearly identical post templates, we assess with high confidence that a single threat actor is behind this campaign. The infection chain itself

Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK

Executive Summary: On March 27, 2026 at roughly 03:51 UTC, threat actor TeamPCP uploaded two malicious versions (4.87.1 and 4.87.2) of the telnyx Python SDK to PyPI. The package pulls approximately 750,000 monthly downloads, and the blast radius extends well beyond the package itself to every downstream project that depends on it. PyPI quarantined both versions after roughly four hours of exposure. The attack is surgical. A small amount of malicious code was injected into the package, and it executes

Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers

Executive Summary: A multi-stage remote access trojan campaign is actively targeting Chinese-speaking users through a network of typosquatted domains impersonating trusted software brands. The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. All identified installer packages carry the same stolen Extended Validation code-signing certificate issued to a Vietnamese shell entity, lending them an appearance of legitimacy that
