Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC

Executive Summary

After someone impersonated one of our recent projects, PyrsistenceSniper, on GitHub, we uncovered a broader malware distribution campaign built around cloned open source repositories. The operator copies legitimate projects, republishes them under different accounts, strips the README of its technical content, and replaces it with prominent download buttons. Those buttons point to ZIP files […]

Reddit TradingView Lures Leading to Vidar and AMOS Stealers

Overview of identified subreddits used to distribute fake TradingView Premium builds across Reddit.

While handling recent stealer infections, we traced the initial compromise back to Reddit. A threat actor had been operating across several subreddits, some hijacked from legitimate communities and others purpose-built, using a mix of compromised and freshly created Reddit accounts to push malicious software disguised as cracked TradingView Premium builds. Based on overlapping language patterns, […]

Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK

TeamPCP telnyx infection chain overview.

Executive Summary

On March 27, 2026 at roughly 03:51 UTC, threat actor TeamPCP uploaded two malicious versions (4.87.1 and 4.87.2) of the telnyx Python SDK to PyPI. The package pulls approximately 750,000 monthly downloads, and the blast radius extends well beyond the package itself to every downstream project that depends on it. PyPI quarantined both […]

Trust the Tunnel, Get the Trojan: Silver Fox Delivers Atlas RAT via Weaponized VPN Installers

Executive Summary

A multi-stage remote access trojan campaign is actively targeting Chinese-speaking users through a network of typosquatted domains impersonating trusted software brands. The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. […]

Silver Fox Exploiting BYOVD to Kill Endpoint Security

During threat-intelligence activities, we identified a new Silver Fox campaign distributing fake application installers (e.g., WinRAR, Telegram, and others). The installer drops multiple binaries; one stood out: a file named NVIDIA.exe (SHA-256: b4ac2e473c5d6c5e1b8430a87ef4f33b53b9ba0f585d3173365e437de4c816b2), which, during analysis, revealed the presence of an unknown driver used to support its operations. NVIDIA.exe’s main logic is deliberately simple. It […]
