<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: THREAT CHAIN</title>
    <description>The latest articles on Forem by THREAT CHAIN (@threatchain).</description>
    <link>https://forem.com/threatchain</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3861535%2Fe18a3da9-c1ad-41f5-8328-665ce2b9d1b8.png</url>
      <title>Forem: THREAT CHAIN</title>
      <link>https://forem.com/threatchain</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/threatchain"/>
    <language>en</language>
    <item>
      <title>CVE-2026-39337: Church Management Software Flaw Gives Attackers Complete Server Control</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Wed, 08 Apr 2026 00:41:04 +0000</pubDate>
      <link>https://forem.com/threatchain/cve-2026-39337-church-management-software-flaw-gives-attackers-complete-server-control-75a</link>
      <guid>https://forem.com/threatchain/cve-2026-39337-church-management-software-flaw-gives-attackers-complete-server-control-75a</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/cve-2026-39337-church-management-software-flaw-gives-attackers-complete-server-c-39435d2c" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Your security tools might have missed this one. CVE-2026-39337 is actively targeting networks right now — here's what you need to know before it hits yours.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you're running ChurchCRM to manage your congregation's data, you need to act now. A critical vulnerability allows attackers to take complete control of your server during the software's initial setup process—no username or password required.&lt;/p&gt;

&lt;h2&gt;What Is This CVE&lt;/h2&gt;

&lt;p&gt;CVE-2026-39337 is a remote code execution vulnerability in ChurchCRM, a popular open-source system used by thousands of churches worldwide to manage members, donations, events, and other sensitive information. The flaw carries a perfect 10.0 CVSS score—the highest possible severity rating.&lt;/p&gt;

&lt;p&gt;Here's what makes this especially dangerous: attackers can exploit this vulnerability during ChurchCRM's setup wizard, before you've even finished installing the software. The setup process fails to properly sanitize database password input, allowing attackers to inject malicious PHP code that runs with full server privileges.&lt;/p&gt;

&lt;p&gt;This means an attacker could potentially access all church records, financial data, and personal information of congregation members, and could use your server as a launching pad for other attacks. What's particularly concerning is that this vulnerability exists because of an incomplete fix for a previous issue (CVE-2025-62521), suggesting the original patch didn't fully address the underlying problem.&lt;/p&gt;

&lt;h2&gt;Who Is At Risk&lt;/h2&gt;

&lt;p&gt;You're affected if you're running any version of ChurchCRM prior to version 7.1.0. This includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Churches that recently installed ChurchCRM but haven't completed the setup process&lt;/li&gt;
&lt;li&gt;Organizations running older versions that haven't updated to 7.1.0&lt;/li&gt;
&lt;li&gt;Anyone who has ChurchCRM installations accessible from the internet&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The vulnerability is particularly dangerous for new installations because it's exploitable during the setup wizard—a process that typically happens when the software is first deployed and potentially most exposed.&lt;/p&gt;

&lt;h2&gt;How to Check&lt;/h2&gt;

&lt;p&gt;First, determine which version of ChurchCRM you're running:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Log into your ChurchCRM admin panel&lt;/strong&gt; and look for version information in the footer or about section&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Check your installation directory&lt;/strong&gt; for a &lt;code&gt;VERSION&lt;/code&gt; file or similar&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Look at your server files&lt;/strong&gt; in the ChurchCRM root directory for version indicators&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you can't access the system normally, check your web server logs for the ChurchCRM directory path, then examine the files directly.&lt;/p&gt;

&lt;p&gt;To verify if you're vulnerable:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If your version is &lt;strong&gt;older than 7.1.0&lt;/strong&gt;, you are definitely affected&lt;/li&gt;
&lt;li&gt;If you have &lt;strong&gt;any incomplete ChurchCRM installations&lt;/strong&gt; (setup wizard accessible), you are at immediate risk&lt;/li&gt;
&lt;li&gt;If you're &lt;strong&gt;unsure of your version&lt;/strong&gt;, assume you're vulnerable until proven otherwise&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can also test if your setup wizard is accessible by navigating to &lt;code&gt;yoursite.com/churchcrm/setup/&lt;/code&gt; in a web browser. If you see the setup interface, you're potentially exposed.&lt;/p&gt;

&lt;h2&gt;How to Fix&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Immediate Actions (Do Today):&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Update to ChurchCRM 7.1.0 or later&lt;/strong&gt; - This is the definitive fix. Download from the official GitHub repository and follow the upgrade instructions.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Block access to the setup wizard&lt;/strong&gt; if you can't update immediately. Add these rules to your web server:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Apache&lt;/strong&gt;: Add to your .htaccess file: &lt;code&gt;RewriteRule ^setup/ - [F,L]&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Nginx&lt;/strong&gt;: Add to server block: &lt;code&gt;location /setup { deny all; }&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;If you have incomplete installations&lt;/strong&gt;, take the system offline immediately until you can update.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Longer-term Actions:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Review your server access logs for suspicious activity around the &lt;code&gt;/setup/&lt;/code&gt; directory&lt;/li&gt;
&lt;li&gt;Consider changing database passwords if you suspect compromise&lt;/li&gt;
&lt;li&gt;Implement network-level restrictions to limit who can access your ChurchCRM installation during setup&lt;/li&gt;
&lt;li&gt;Set up monitoring for unauthorized access attempts&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;For New Installations:&lt;/strong&gt;&lt;br&gt;
Only install ChurchCRM version 7.1.0 or later. Do not use older versions even if they appear in package repositories or cached downloads.&lt;/p&gt;

&lt;h2&gt;ThreatChain Coverage&lt;/h2&gt;

&lt;p&gt;CVE-2026-39337 is already indexed in ThreatChain's CVE database at threatchain.io, where you can search for additional indicators of compromise and related threat intelligence as they become available.&lt;/p&gt;

&lt;h2&gt;Bottom Line&lt;/h2&gt;

&lt;p&gt;This is a drop-everything-and-fix-it situation. With a perfect 10.0 CVSS score and no authentication required, CVE-2026-39337 represents one of the most serious vulnerabilities we've seen in church management software. The fact that it affects the setup process means even brand-new installations are at risk from day one. Update to ChurchCRM 7.1.0 immediately, and if you can't update right now, block access to the setup wizard until you can.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Action Items:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Check your ChurchCRM version immediately&lt;/li&gt;
&lt;li&gt;Update to version 7.1.0 or later today&lt;/li&gt;
&lt;li&gt;Block setup wizard access if immediate updates aren't possible&lt;/li&gt;
&lt;li&gt;Review server logs for signs of compromise&lt;/li&gt;
&lt;li&gt;Verify all ChurchCRM installations in your organization are patched&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>cve202639337</category>
    </item>
    <item>
      <title>AsyncRAT: The Silent Spy That Gives Attackers Full Control of Your Computer</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Wed, 08 Apr 2026 00:40:18 +0000</pubDate>
      <link>https://forem.com/threatchain/asyncrat-the-silent-spy-that-gives-attackers-full-control-of-your-computer-5h7k</link>
      <guid>https://forem.com/threatchain/asyncrat-the-silent-spy-that-gives-attackers-full-control-of-your-computer-5h7k</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/asyncrat-the-silent-spy-that-gives-attackers-full-control-of-your-computer-4c3b97c1" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Open-source. Free. And in the hands of thousands of attackers who use it to watch your every move through your own webcam.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Picture this: you download what looks like a normal program — maybe a cracked utility, a PDF someone emailed you, or an update that popped up at just the right time. Nothing happens. No warning, no flashing screen. You go about your day.&lt;/p&gt;

&lt;p&gt;But behind the scenes, someone on the other side of the world just got the keys to your computer. They can watch your screen, read your keystrokes, open your files, and even turn on your webcam. And they can do all of this without you noticing for weeks or months.&lt;/p&gt;

&lt;p&gt;That's exactly what AsyncRAT does. And a fresh sample of it was flagged by ThreatChain on April 7, 2025 — confirmed malicious by nearly every major security tool in the industry.&lt;/p&gt;

&lt;h2&gt;What Is AsyncRAT, Exactly?&lt;/h2&gt;

&lt;p&gt;AsyncRAT is a "Remote Access Trojan." Let's break that down:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Remote Access&lt;/strong&gt; means someone can control your computer from anywhere in the world, as if they were sitting at your desk.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Trojan&lt;/strong&gt; means it disguises itself as something harmless to get onto your machine — just like the wooden horse from the old Greek story.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Think of it like this: imagine handing a stranger a copy of your house key, your filing cabinet key, and a pair of binoculars pointed at your desk — except you didn't know you did it.&lt;/p&gt;

&lt;p&gt;AsyncRAT has been around since at least 2019. Its source code is publicly available on GitHub, which means any aspiring cybercriminal can grab it, customize it, and start attacking people. That accessibility is what makes it so widespread and dangerous. It's not some rare, exotic weapon — it's the criminal equivalent of a cheap handgun that anyone can get.&lt;/p&gt;

&lt;h2&gt;Who Should Care About This?&lt;/h2&gt;

&lt;p&gt;If you use a Windows computer, you're a potential target. But AsyncRAT campaigns frequently go after:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small businesses&lt;/strong&gt; that don't have a dedicated IT security team&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Freelancers and remote workers&lt;/strong&gt; who download software from informal sources&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Anyone who opens email attachments&lt;/strong&gt; without double-checking the sender&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The malware is especially popular in campaigns targeting businesses because a single infected employee laptop can give attackers access to shared drives, email accounts, customer databases, and financial systems.&lt;/p&gt;

&lt;h2&gt;This Specific Sample: What We Know&lt;/h2&gt;

&lt;p&gt;The sample ThreatChain flagged is a small Windows executable — only about 48 kilobytes, which is tiny. For context, a single smartphone photo is usually 50 times larger. That small size is intentional: it helps the malware slip past simple size-based filters and download quickly.&lt;/p&gt;

&lt;p&gt;Here are the key details:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;118f6f175a840830421c090e05b15358.exe&lt;/code&gt; (also seen as &lt;code&gt;Stub.exe&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Windows .exe (built with .NET, Microsoft's programming framework)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~48 KB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Origin&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Infrastructure traced to the Netherlands&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;59 out of 75&lt;/strong&gt; antivirus engines flagged it as malicious&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256 hash&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;4c3b97c157d08ee298edb5d30fa86a3b90b04fedfbe517e7e0307b6013eacbf0&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That 59/75 detection rate means the overwhelming majority of security tools recognize this file as dangerous. Multiple independent labs — ANY.RUN, CAPE, VMRay, Kaspersky, Intezer, and others — all independently confirmed it as AsyncRAT.&lt;/p&gt;

&lt;p&gt;The name &lt;code&gt;Stub.exe&lt;/code&gt; is telling. In the AsyncRAT ecosystem, a "stub" is the piece of malware that gets sent to the victim. The attacker uses a separate "builder" tool to create it, baking in the address of their command server and choosing what features to enable. It's like ordering a custom spy kit online: pick your options, click generate, and out pops a weapon.&lt;/p&gt;

&lt;h2&gt;How the Attack Actually Works&lt;/h2&gt;

&lt;p&gt;Here's what a typical AsyncRAT infection looks like, step by step:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: The bait.&lt;/strong&gt; You receive something that looks legitimate — a phishing email with an attached "invoice," a link to download a "free tool," or a file shared through a messaging app. You click, you open, you run.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2: The quiet setup.&lt;/strong&gt; The malware installs itself and takes steps to survive restarts. One technique this sample is flagged for is called &lt;strong&gt;registry persistence&lt;/strong&gt; — it writes a small entry into your Windows Registry (the system's internal configuration database) so that the malware launches every time you turn on your computer. Think of it like the malware writing its name on the guest list at a club so the bouncer lets it back in every night.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3: Phoning home.&lt;/strong&gt; AsyncRAT connects to a &lt;strong&gt;C2 server&lt;/strong&gt; — short for "command and control." This is the attacker's remote control. Once the connection is live, the attacker can send commands and receive data. The communication is often encrypted, which means your network monitoring tools might see traffic going out but can't easily tell what's being said.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4: Total control.&lt;/strong&gt; Now the attacker can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Log every keystroke&lt;/strong&gt; you type (passwords, messages, credit card numbers)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Watch your screen&lt;/strong&gt; in real time&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Browse and steal your files&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Download additional malware&lt;/strong&gt; (ransomware, cryptocurrency miners, you name it)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Activate your webcam or microphone&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This sample also includes an &lt;strong&gt;anti-debugging check&lt;/strong&gt; — a technique where the malware looks around to see if it's being examined by a security researcher. If it detects analysis tools, it can change its behavior or shut down entirely. It's like a burglar who checks for security cameras before breaking in.&lt;/p&gt;

&lt;h2&gt;The Real-World Impact&lt;/h2&gt;

&lt;p&gt;AsyncRAT infections don't usually announce themselves with a dramatic ransom note. They're quiet. That's what makes them worse in some ways.&lt;/p&gt;

&lt;p&gt;A small accounting firm might lose months of client financial records to an attacker who siphoned data slowly. A freelance designer could have their banking credentials stolen through keylogging. A startup might discover that a competitor somehow got access to their product roadmap — because an employee's laptop was compromised three months ago and nobody noticed.&lt;/p&gt;

&lt;p&gt;And because AsyncRAT is often just the &lt;em&gt;first step&lt;/em&gt;, the damage can cascade. Attackers frequently use it as a beachhead to deploy ransomware later, once they've mapped out what's valuable on your network.&lt;/p&gt;

&lt;h2&gt;How to Protect Yourself&lt;/h2&gt;

&lt;p&gt;You don't need a six-figure security budget. Here are five concrete things you can do right now:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Don't open unexpected attachments — even from people you know.&lt;/strong&gt; If your "accountant" sends a surprise invoice as an .exe file, call them and ask. Attackers spoof email addresses all the time. Real invoices come as PDFs, not executable programs.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your apps updated.&lt;/strong&gt; Many AsyncRAT campaigns exploit known vulnerabilities that already have fixes available. Turning on automatic updates is one of the simplest, highest-impact things you can do.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Use an antivirus — and make sure it's actually running.&lt;/strong&gt; This particular sample is caught by 59 out of 75 engines. Even Windows Defender (the free antivirus built into Windows) is catching AsyncRAT variants. But it only works if it's turned on and up to date.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Never download cracked or pirated software.&lt;/strong&gt; This is one of the most common delivery methods for AsyncRAT. That "free" version of Photoshop or that game crack? There's a meaningful chance it comes bundled with a remote access trojan. The software is free because &lt;em&gt;you&lt;/em&gt; are the product.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Back up your important files to a separate location.&lt;/strong&gt; An external hard drive you disconnect after backups, or a cloud backup service. If an attacker does get in and deploys ransomware as a follow-up, your backups are your lifeline.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Bonus for IT admins and developers:&lt;/strong&gt; If you want to check whether this specific sample has touched your environment, search your systems for the SHA-256 hash listed above, or look for files named &lt;code&gt;Stub.exe&lt;/code&gt; or &lt;code&gt;umxpxlmo.exe&lt;/code&gt; in unusual locations. Monitor for unexpected outbound connections, especially from .NET processes you don't recognize.&lt;/p&gt;




&lt;p&gt;AsyncRAT isn't glamorous. It doesn't make headlines the way a massive ransomware attack does. But that's exactly why it works — it's quiet, it's cheap, it's everywhere, and it gives attackers everything they need to ruin your day, your quarter, or your business. The good news? Basic security hygiene stops most of these attacks cold. You don't have to be a cybersecurity expert. You just have to be a little bit careful.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>asyncrat</category>
    </item>
    <item>
      <title>ACRStealer: The Hidden Threat Disguised as a Google Verification File</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Tue, 07 Apr 2026 19:16:45 +0000</pubDate>
      <link>https://forem.com/threatchain/acrstealer-the-hidden-threat-disguised-as-a-google-verification-file-j4</link>
      <guid>https://forem.com/threatchain/acrstealer-the-hidden-threat-disguised-as-a-google-verification-file-j4</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/acrstealer-the-hidden-threat-disguised-as-a-google-verification-file-de5691a0" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Your security tools might have missed this one. ACRStealer is actively targeting networks right now — here's what you need to know before it hits yours.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Picture this: you're a freelance designer, and a client sends over what looks like a Google verification plugin. The file name even says "verificationgoogle." You double-click it without a second thought. Within sixty seconds — before you've even noticed anything wrong — your saved browser passwords, cryptocurrency wallets, and cloud storage credentials are being silently packaged up and shipped to a stranger on the other side of the world.&lt;/p&gt;

&lt;p&gt;That's ACRStealer. And it's getting better at slipping past the tools we trust to catch it.&lt;/p&gt;

&lt;h2&gt;What Is ACRStealer, Exactly?&lt;/h2&gt;

&lt;p&gt;ACRStealer is an &lt;strong&gt;information stealer&lt;/strong&gt; — a type of malware whose entire job is to vacuum up your personal and financial data, then send it to attackers. Think of it like a digital pickpocket: it doesn't trash your computer or lock your files. It just quietly rifles through your pockets, grabs what's valuable, and disappears.&lt;/p&gt;

&lt;p&gt;First spotted as a growing threat in early 2025, ACRStealer is sold as a service on underground forums. That means the person who built it isn't necessarily the person using it. Anyone willing to pay a subscription fee gets access to a slick dashboard and a ready-made stealing tool. This "malware-as-a-service" model is exactly why ACRStealer keeps showing up in new campaigns — there are many customers.&lt;/p&gt;

&lt;p&gt;What makes the sample we're looking at today especially interesting is how &lt;em&gt;sneaky&lt;/em&gt; it is.&lt;/p&gt;

&lt;h2&gt;This Sample: Hiding in Plain Sight&lt;/h2&gt;

&lt;p&gt;ThreatChain recently flagged a file called &lt;strong&gt;&lt;code&gt;verificationgoogle.dll&lt;/code&gt;&lt;/strong&gt; — a name carefully chosen to look like something legitimate from Google. Here are the details:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;verificationgoogle.dll&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Also seen as&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;WSCPlugin.dll&lt;/code&gt;, &lt;code&gt;verification.google&lt;/code&gt;, &lt;code&gt;yee85erl.exe&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Windows 64-bit DLL (a shared code library that other programs can load)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~3.4 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;First seen&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;April 7, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;15 out of 75 antivirus engines flagged it&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That last number is the headline: &lt;strong&gt;only 20% of antivirus scanners caught it&lt;/strong&gt;. Several well-known security tools — including at least one sandbox environment — initially returned a verdict of "clean" or "no threats detected." The malware was specifically designed to dodge automated analysis.&lt;/p&gt;

&lt;h2&gt;How It Works (Without the Jargon)&lt;/h2&gt;

&lt;p&gt;Let's walk through what this file actually does, step by step.&lt;/p&gt;

&lt;h3&gt;1. The Disguise&lt;/h3&gt;

&lt;p&gt;The file pretends to be a DLL — a type of Windows helper file that legitimate programs load all the time. By naming itself after Google verification or a "WSC Plugin" (WSC stands for Windows Security Center), it's betting that neither you nor your security tools will look twice. It's like a burglar wearing a FedEx uniform: people hold the door open for them.&lt;/p&gt;

&lt;h3&gt;2. Anti-Analysis Tricks&lt;/h3&gt;

&lt;p&gt;This sample is packed with techniques to detect when it's being watched. Security researchers often run suspicious files inside a "sandbox" — a virtual padded room where malware can't do real damage. This ACRStealer variant checks whether a debugger is attached (a debugger is a tool researchers use to step through code line by line). If it senses it's being analyzed, it behaves itself. It only goes to work when it believes it's running on a real victim's machine.&lt;/p&gt;

&lt;p&gt;Think of it like a con artist who acts perfectly normal whenever a police officer is watching but goes back to pickpocketing the moment the cop turns the corner.&lt;/p&gt;

&lt;h3&gt;3. Written in Go&lt;/h3&gt;

&lt;p&gt;Here's a technical wrinkle that matters: this sample is written in &lt;strong&gt;Go&lt;/strong&gt; (also called Golang), a programming language created by Google. Most Windows malware is written in C or C++. Go is unusual — and that's exactly the point. Security tools that are excellent at analyzing C-based malware can struggle with Go binaries. The code structure looks different, the file is larger, and automated detection rules often don't apply cleanly.&lt;/p&gt;

&lt;p&gt;It's an increasingly popular trick. Attackers get a kind of camouflage just by choosing an unexpected programming language.&lt;/p&gt;

&lt;h3&gt;4. Phone Home&lt;/h3&gt;

&lt;p&gt;Once running, ACRStealer connects to a command-and-control server — the attacker's remote control panel. This is where it receives instructions and sends your stolen data. Some ACRStealer variants are known for a clever twist here: instead of hard-coding a server address (which defenders can block), they hide the real address inside posts on legitimate platforms like Google Docs or Steam community pages. This technique is called &lt;strong&gt;"dead drop resolving"&lt;/strong&gt; — the malware visits a public webpage to pick up its instructions, like a spy checking a dead drop location in a park.&lt;/p&gt;

&lt;h3&gt;5. The Grab&lt;/h3&gt;

&lt;p&gt;Once active, ACRStealer typically goes after:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Browser passwords and cookies&lt;/strong&gt; (Chrome, Firefox, Edge — all of them)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cryptocurrency wallet files&lt;/strong&gt; (Bitcoin, Ethereum, and dozens of others)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;FTP and email credentials&lt;/strong&gt; (FileZilla, Outlook, Thunderbird)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Two-factor authentication codes&lt;/strong&gt; from desktop authenticator apps&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Files matching specific patterns&lt;/strong&gt; — documents, text files, anything that might contain passwords or keys&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Everything gets compressed, encrypted, and sent off. The whole process can take under a minute.&lt;/p&gt;

&lt;h2&gt;Who Should Care?&lt;/h2&gt;

&lt;p&gt;If you use a Windows computer and store passwords in your browser — which is most of us — you're a potential target. But some groups face outsized risk:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small businesses&lt;/strong&gt; without dedicated IT security. A single employee opening this file could expose client data, financial accounts, and business credentials.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Freelancers and remote workers&lt;/strong&gt; who regularly receive files from clients and collaborators.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cryptocurrency holders.&lt;/strong&gt; Stolen wallet keys mean stolen funds, and there's no bank to call for a reversal.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Developers&lt;/strong&gt; who might encounter this disguised as a plugin, SDK component, or verification file.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;The Real-World Cost&lt;/h2&gt;

&lt;p&gt;Information stealers like ACRStealer don't just steal one password. They steal &lt;em&gt;all&lt;/em&gt; of them — and then attackers sell that bundle on dark web marketplaces, often within hours. A single "log" (one victim's complete stolen data set) sells for anywhere from $5 to $50. Multiply that by thousands of infections, and you can see the business model.&lt;/p&gt;

&lt;p&gt;But for the victim, the cost is far higher. Compromised bank accounts. Hijacked social media profiles. Business email accounts used to send fraudulent invoices to your own clients. The cleanup can take weeks. The reputational damage can last much longer.&lt;/p&gt;

&lt;h2&gt;What You Can Do Right Now&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise security team to protect yourself. Here are five concrete steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Stop saving passwords in your browser.&lt;/strong&gt; Use a dedicated password manager like Bitwarden or 1Password instead. If a stealer grabs your browser data, your password manager vault remains separate and encrypted.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Be suspicious of unexpected DLL and EXE files&lt;/strong&gt; — especially ones with names designed to sound trustworthy like "verificationgoogle" or "WSCPlugin." If you didn't specifically go looking for it, don't run it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enable two-factor authentication everywhere&lt;/strong&gt;, but prefer hardware keys (like YubiKey) or phone-based authentication apps over desktop-based ones. Stealers can grab codes from desktop authenticator apps.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your antivirus updated.&lt;/strong&gt; Yes, only 20% of scanners caught this sample initially — but that number improves quickly as detections are added. Being on the latest signatures matters.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;If you run a small business, consider a DNS-level filter&lt;/strong&gt; (like Cloudflare Gateway's free tier or Quad9). These can block connections to known malicious command-and-control servers, stopping the malware from phoning home even if it does get in.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;The Bottom Line&lt;/h2&gt;

&lt;p&gt;ACRStealer isn't flashy. It doesn't splash a ransom note on your screen or make your computer unusable. That's what makes it dangerous — it steals everything quietly and moves on. The sample we examined today is particularly well-crafted: written in an unusual language, packed with anti-analysis tricks, and barely detected by most antivirus tools at the time it appeared.&lt;/p&gt;

&lt;p&gt;The best defense isn't any single tool. It's a healthy dose of skepticism about unexpected files, good password hygiene, and keeping your systems updated. None of that costs a dime — and it makes you a much harder target.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Sample SHA-256:&lt;/strong&gt; &lt;code&gt;de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d&lt;/code&gt;&lt;br&gt;
&lt;strong&gt;Family:&lt;/strong&gt; ACRStealer | &lt;strong&gt;First seen:&lt;/strong&gt; April 7, 2026 | &lt;strong&gt;Origin:&lt;/strong&gt; US&lt;br&gt;
&lt;strong&gt;VirusTotal detection:&lt;/strong&gt; 15/75 | &lt;strong&gt;Threat label:&lt;/strong&gt; trojan.midie&lt;/p&gt;

&lt;p&gt;&lt;em&gt;If you encounter this file or similar ones, report them to your IT team or upload them to &lt;a href="https://www.virustotal.com" rel="noopener noreferrer"&gt;VirusTotal&lt;/a&gt; for analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>acrstealer</category>
    </item>
    <item>
      <title>What is a reverse shell and how SIEMs detect them</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Tue, 07 Apr 2026 15:15:06 +0000</pubDate>
      <link>https://forem.com/threatchain/what-is-a-reverse-shell-and-how-siems-detect-them-356j</link>
      <guid>https://forem.com/threatchain/what-is-a-reverse-shell-and-how-siems-detect-them-356j</guid>
      <description>&lt;p&gt;🚨 78% of breaches involve reverse shells that went undetected for MONTHS. A reverse shell lets attackers control your systems remotely by having compromised hosts call back to them. Your SIEM should flag unusual outbound connections + process spawning anomalies. Monitor NOW. #InfoSec&lt;/p&gt;




&lt;p&gt;&lt;em&gt;From &lt;a href="https://threatchain.io" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>infosec</category>
    </item>
    <item>
      <title>CVE-2026-34208: JavaScript Sandbox Library Can't Keep Attackers Out</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Tue, 07 Apr 2026 11:17:23 +0000</pubDate>
      <link>https://forem.com/threatchain/cve-2026-34208-javascript-sandbox-library-cant-keep-attackers-out-5li</link>
      <guid>https://forem.com/threatchain/cve-2026-34208-javascript-sandbox-library-cant-keep-attackers-out-5li</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/cve-2026-34208-javascript-sandbox-library-can-t-keep-attackers-out-81071546" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;What CVE-2026-34208 is, how it works, and how to defend against it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CVSS Score: 10.0 (CRITICAL)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If your application uses SandboxJS to run untrusted JavaScript code safely, you need to patch immediately. A critical vulnerability lets attackers completely escape the sandbox and potentially take control of the entire Node.js process. This isn't a theoretical risk—it's a fundamental breakdown of the security boundary that SandboxJS is supposed to provide.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is This CVE?
&lt;/h2&gt;

&lt;p&gt;CVE-2026-34208 affects SandboxJS, a popular JavaScript library used to run untrusted code in a "sandbox"—think of it as a secure container that should prevent malicious scripts from accessing or modifying things they shouldn't.&lt;/p&gt;

&lt;p&gt;The problem is in how SandboxJS tries to block attackers from overwriting important global objects like &lt;code&gt;Math.random&lt;/code&gt;. While it successfully blocks direct assignments (like &lt;code&gt;Math.random = evilFunction&lt;/code&gt;), attackers discovered they can use a more complex path: &lt;code&gt;this.constructor.call(target, attackerObject)&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Here's why this matters: &lt;code&gt;this.constructor&lt;/code&gt; points to an internal SandboxJS function, and since &lt;code&gt;Function.prototype.call&lt;/code&gt; is allowed, attackers can use this combination to write arbitrary data into the host application's global objects. Worse yet, these modifications persist across different sandbox instances in the same process, meaning one malicious script can affect other sandboxed code running later.&lt;/p&gt;

&lt;p&gt;In practical terms, this means an attacker can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Overwrite critical JavaScript functions&lt;/li&gt;
&lt;li&gt;Inject malicious code that runs outside the sandbox&lt;/li&gt;
&lt;li&gt;Potentially escalate to full system compromise in Node.js applications&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Who Is At Risk?
&lt;/h2&gt;

&lt;p&gt;You are vulnerable if you're running &lt;strong&gt;SandboxJS versions before 0.8.36&lt;/strong&gt;. This includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Web applications&lt;/strong&gt; that execute user-submitted JavaScript code (code playgrounds, educational platforms, automation tools)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Node.js servers&lt;/strong&gt; using SandboxJS to safely run plugins or user scripts
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Content management systems&lt;/strong&gt; that allow JavaScript customization&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Development platforms&lt;/strong&gt; with code execution features&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Any application&lt;/strong&gt; that relies on SandboxJS to isolate untrusted JavaScript&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're unsure whether you use SandboxJS, it might be pulled in as a dependency of another package. Popular use cases include online IDEs, website builders with custom scripting, and applications that run user-generated automation scripts.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Check If You're Vulnerable
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;For Node.js applications:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Check your &lt;code&gt;package.json&lt;/code&gt; and &lt;code&gt;package-lock.json&lt;/code&gt; files:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;   &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"sandboxjs"&lt;/span&gt; package&lt;span class="k"&gt;*&lt;/span&gt;.json
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;Check installed packages:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;   npm list sandboxjs
   &lt;span class="c"&gt;# or&lt;/span&gt;
   yarn list &lt;span class="nt"&gt;--pattern&lt;/span&gt; sandboxjs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;Search your entire project for SandboxJS imports:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;   &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"require.*sandboxjs&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;import.*sandboxjs"&lt;/span&gt; &lt;span class="nb"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;If you find SandboxJS, check the version wherever it is installed (don't cap the depth, or a transitive copy stays hidden):
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;   npm list sandboxjs &lt;span class="nt"&gt;--depth&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If the version shows anything below 0.8.36, you're vulnerable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For applications using SandboxJS indirectly:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Run a dependency audit to see if any of your packages depend on vulnerable SandboxJS versions. Keep in mind that &lt;code&gt;npm audit&lt;/code&gt; only reports packages that already have an advisory in the npm registry's database, so a clean audit is not proof; the &lt;code&gt;npm list&lt;/code&gt; check above reads what is actually installed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm audit
&lt;span class="c"&gt;# Look for SandboxJS in the output&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  How to Fix This
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Primary Solution: Update Immediately&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Update SandboxJS to version 0.8.36 or later. Note that &lt;code&gt;npm update&lt;/code&gt; stays inside the version range declared in your &lt;code&gt;package.json&lt;/code&gt;, so if that range excludes 0.8.36 (a pinned or tilde range), install the fixed version explicitly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm update sandboxjs
&lt;span class="c"&gt;# or&lt;/span&gt;
yarn upgrade sandboxjs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then verify the update worked:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm list sandboxjs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;If You Can't Update Right Now:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Disable user script execution&lt;/strong&gt; temporarily if possible&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Add input validation&lt;/strong&gt; to reject scripts containing &lt;code&gt;constructor.call&lt;/code&gt; patterns (though this is easily bypassed)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run SandboxJS in isolated processes&lt;/strong&gt; rather than threads, so escapes can't affect other parts of your application&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitor for unusual JavaScript execution&lt;/strong&gt; or unexpected global object modifications&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Important:&lt;/strong&gt; There are no reliable workarounds for this vulnerability. The sandbox escape is fundamental to how the library handles constructor references. You must update to 0.8.36 or later.&lt;/p&gt;
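&lt;p&gt;The "monitor for unexpected global object modifications" item above, as an added example (host-side code written for this page, not SandboxJS's own): snapshot the intrinsics untrusted code is most likely to hijack, run the sandboxed work, then diff and undo. The callback passed to &lt;code&gt;runGuarded&lt;/code&gt; stands in for a sandbox run, and the watch lists are assumptions to extend with your own host globals. The check itself relies on &lt;code&gt;Array.prototype&lt;/code&gt; methods and &lt;code&gt;Map&lt;/code&gt;, so it has to load before any untrusted code does; a hardened deployment would also freeze intrinsics up front (for example with the &lt;code&gt;ses&lt;/code&gt; package's &lt;code&gt;lockdown()&lt;/code&gt;) rather than only detecting changes afterwards.&lt;/p&gt;

```javascript
// Added example, not SandboxJS's code: a host-side integrity check for the
// failure mode above, where escaped code rewrites host intrinsics such as
// Math.random and the change persists for every later sandbox run in the
// same process. Snapshot first, run the untrusted work, then diff and undo.
// The watch lists are assumptions: extend them with your own host globals.

const WATCHED = [
  'Math.random', 'Math.floor',
  'JSON.parse', 'JSON.stringify',
  'Object.prototype.toString', 'Object.prototype.hasOwnProperty',
  'Array.prototype.map', 'Array.prototype.push', 'Array.prototype.join',
  'Function.prototype.call', 'Function.prototype.apply',
  'Promise.prototype.then', 'String.prototype.replace',
];
// Objects whose own-property set must not grow while untrusted code runs
// (prototype pollution shows up here as a new name).
const SEALED_SHAPES = ['Object.prototype', 'Array.prototype', 'Function.prototype', 'Math', 'JSON'];

// Walk a dotted path from globalThis; returns the owner object and last key.
function resolve(path) {
  const parts = path.split('.');
  const prop = parts.pop();
  const owner = parts.reduce(function (obj, key) { return obj[key]; }, globalThis);
  return { owner: owner, prop: prop };
}

function lookup(path) {
  return path.split('.').reduce(function (obj, key) { return obj[key]; }, globalThis);
}

// Record property descriptors (value/getter identity) and own-name sets.
function snapshotIntrinsics() {
  const values = new Map();
  WATCHED.forEach(function (path) {
    const r = resolve(path);
    values.set(path, Object.getOwnPropertyDescriptor(r.owner, r.prop));
  });
  const shapes = new Map();
  SEALED_SHAPES.forEach(function (path) {
    shapes.set(path, new Set(Object.getOwnPropertyNames(lookup(path))));
  });
  return { values: values, shapes: shapes };
}

// Compare the live host against the snapshot: replaced intrinsics and
// properties added to sealed shapes.
function diffIntrinsics(snap) {
  const findings = [];
  snap.values.forEach(function (orig, path) {
    const r = resolve(path);
    const now = Object.getOwnPropertyDescriptor(r.owner, r.prop);
    const intact = [
      now !== undefined,
      now ? now.value === orig.value : false,
      now ? now.get === orig.get : false,
    ].every(Boolean);
    if (!intact) findings.push({ kind: 'replaced', path: path });
  });
  snap.shapes.forEach(function (names, path) {
    Object.getOwnPropertyNames(lookup(path)).forEach(function (name) {
      if (!names.has(name)) findings.push({ kind: 'added', path: path + '.' + name });
    });
  });
  return findings;
}

// Put the host back and verify it. A property the attacker made
// non-configurable cannot be repaired; that process should be recycled.
function restoreIntrinsics(snap, findings) {
  const stuck = [];
  findings.forEach(function (f) {
    const r = resolve(f.path);
    try {
      if (f.kind === 'replaced') Object.defineProperty(r.owner, r.prop, snap.values.get(f.path));
      else delete r.owner[r.prop];
    } catch (err) { /* verified below */ }
    const now = Object.getOwnPropertyDescriptor(r.owner, r.prop);
    const ok = f.kind === 'replaced'
      ? (now ? now.value === snap.values.get(f.path).value : false)
      : now === undefined;
    if (!ok) stuck.push(f.path);
  });
  return stuck;
}

// Run one unit of untrusted work (a callback standing in for a sandbox run)
// and report what it changed on the host.
function runGuarded(work) {
  const snap = snapshotIntrinsics();
  let error = null;
  try { work(); } catch (err) { error = err; }
  const findings = diffIntrinsics(snap);
  return { tampered: findings, unrestorable: restoreIntrinsics(snap, findings), error: error };
}

// Constructed demonstration of the effect, not an exploit of SandboxJS:
// the "untrusted" callback assigns to host intrinsics directly.
function demo() {
  return runGuarded(function () {
    Math.random = function () { return 4; };
    Object.prototype.polluted = true;
  });
}

if (typeof require !== 'undefined') {
  if (require.main === module) console.log(JSON.stringify(demo().tampered));
}
```

&lt;p&gt;Running &lt;code&gt;demo()&lt;/code&gt; reports &lt;code&gt;Math.random&lt;/code&gt; as replaced and &lt;code&gt;Object.prototype.polluted&lt;/code&gt; as added, then restores both. Anything that lands in &lt;code&gt;unrestorable&lt;/code&gt; means the process is poisoned for every later caller and should be terminated, which is the same reason the mitigation list above prefers separate processes to threads.&lt;/p&gt;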

&lt;h2&gt;
  
  
  ThreatChain Coverage
&lt;/h2&gt;

&lt;p&gt;CVE-2026-34208 is already indexed in ThreatChain's CVE database at threatchain.io, where you can search for additional indicators of compromise and related threat intelligence as the security community discovers more details about potential exploits.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bottom Line
&lt;/h2&gt;

&lt;p&gt;This is a drop-everything-and-patch situation. SandboxJS exists specifically to provide security isolation, and this vulnerability completely defeats that purpose with a perfect CVSS score of 10.0. Any application that processes untrusted JavaScript through vulnerable SandboxJS versions is essentially running that code directly on the host system. Update to version 0.8.36 immediately, and if you can't update right now, consider temporarily disabling any features that execute user-provided JavaScript until you can patch.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Action Items:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Search your codebase&lt;/strong&gt; for SandboxJS usage (direct and indirect dependencies)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Update to SandboxJS 0.8.36&lt;/strong&gt; or later immediately
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test your application&lt;/strong&gt; after updating to ensure functionality works correctly&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Review logs&lt;/strong&gt; for any suspicious JavaScript execution from the past few weeks&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consider adding monitoring&lt;/strong&gt; for unexpected global object modifications in production&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>cve202634208</category>
    </item>
    <item>
      <title>That Fake Purchase Order in Your Inbox? It Might Be Formbook Stealing Every Keystroke You Type</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Tue, 07 Apr 2026 11:16:34 +0000</pubDate>
      <link>https://forem.com/threatchain/that-fake-purchase-order-in-your-inbox-it-might-be-formbook-stealing-every-keystroke-you-type-4md1</link>
      <guid>https://forem.com/threatchain/that-fake-purchase-order-in-your-inbox-it-might-be-formbook-stealing-every-keystroke-you-type-4md1</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/that-fake-purchase-order-in-your-inbox-it-might-be-formbook-stealing-every-keyst-af3f5610" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;A commodity stealer hiding in phishing attachments. Here's the full picture.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine you work at a mid-sized company. It's a Tuesday morning. You open your email and see a message with the subject line "PO-000806758" — a purchase order. Maybe it's from a supplier you've been waiting on. The attachment is an &lt;code&gt;.exe&lt;/code&gt; file, but it looks like a standard document. You double-click.&lt;/p&gt;

&lt;p&gt;Nothing dramatic happens. No skull-and-crossbones, no ransom note. Your screen doesn't even flicker. But from that moment on, every password you type, every form you fill out, every credit card number you enter into a browser — all of it is being silently copied and sent to someone you've never met.&lt;/p&gt;

&lt;p&gt;That's Formbook. And this is a real sample spotted in the wild this April.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is Formbook, Exactly?
&lt;/h2&gt;

&lt;p&gt;Formbook is one of the most popular and long-running information stealers in the world. Think of it as a silent spy that moves into your computer and watches everything you do — especially in your web browser.&lt;/p&gt;

&lt;p&gt;Its specialty is &lt;strong&gt;form grabbing&lt;/strong&gt;: intercepting data you type into web forms &lt;em&gt;before&lt;/em&gt; it gets encrypted and sent to a website. That means even if you're on an HTTPS site (the kind with the little padlock icon), Formbook can still see your login credentials, payment details, and personal information. It captures the data at the source — your keyboard and your browser — not in transit.&lt;/p&gt;

&lt;p&gt;It can also:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Log keystrokes&lt;/strong&gt; (record every key you press)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Take screenshots&lt;/strong&gt; of your desktop&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Steal saved passwords&lt;/strong&gt; from browsers and email clients&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Download and run additional malware&lt;/strong&gt; — opening the door for even worse attacks&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Send everything back&lt;/strong&gt; to the attacker's remote server (security folks call this a "command-and-control" or C2 server — think of it as the attacker's remote control for your compromised machine)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Formbook has been around since at least 2016, and for a while it was literally sold as a service on underground forums for as little as $30 a week. That low barrier to entry means it's not just used by sophisticated criminal gangs — anyone with a little money and bad intentions can deploy it.&lt;/p&gt;

&lt;h2&gt;
  
  
  This Specific Sample: What We Know
&lt;/h2&gt;

&lt;p&gt;Our platform flagged this file on &lt;strong&gt;April 7, 2026&lt;/strong&gt;. Here's a snapshot:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;PO-000806758.exe&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Windows executable (.exe), built with .NET&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~1.2 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Origin&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Germany (DE)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Family&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Formbook&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;27 out of 76 antivirus engines flagged it on VirusTotal&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That detection rate is worth pausing on. &lt;strong&gt;27 out of 76&lt;/strong&gt; means roughly a third of antivirus products caught it — which also means about two-thirds &lt;em&gt;didn't&lt;/em&gt;. If your antivirus wasn't one of the 27, this file would have sailed right past your defenses.&lt;/p&gt;

&lt;p&gt;Multiple respected analysis platforms — CAPE, VMRay, Kaspersky, and vxCube — independently confirmed it as Formbook or flagged it as malware. Interestingly, one sandbox (ANY.RUN) initially reported "No threats detected," which tells you something important: &lt;strong&gt;Formbook is good at hiding&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The file also has some known aliases: &lt;code&gt;Bfdf.exe&lt;/code&gt;, &lt;code&gt;aqoni.exe&lt;/code&gt;, and some scanners associated it with AgentTesla, a related info-stealer family. This kind of overlap is common: Formbook and AgentTesla are sold to the same customers and routinely arrive inside the same commodity .NET loaders and crypters, so a signature written for the wrapper fires regardless of which payload is inside.&lt;/p&gt;

&lt;h2&gt;
  
  
  How the Attack Works (Without the Jargon)
&lt;/h2&gt;

&lt;p&gt;Here's the chain of events, step by step:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: The bait.&lt;/strong&gt; The attacker sends a convincing email — often disguised as a purchase order, invoice, or shipping notification. The file name &lt;code&gt;PO-000806758.exe&lt;/code&gt; is textbook. It looks like a routine business document. In some cases, the &lt;code&gt;.exe&lt;/code&gt; extension is hidden by Windows, or the file is wrapped inside a &lt;code&gt;.zip&lt;/code&gt; or &lt;code&gt;.rar&lt;/code&gt; archive to seem less suspicious.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2: The Trojan horse.&lt;/strong&gt; When you run the file, it doesn't immediately do anything obviously malicious. This sample is built using .NET (Microsoft's programming framework) and has &lt;strong&gt;no standard import table&lt;/strong&gt;. A native Windows program openly declares up front which system functions it plans to call; a .NET program resolves them at run time through the .NET runtime instead, so almost nothing is declared in the file. That is normal for .NET, and it is exactly why malware authors like the framework: like a burglar who brings their own tools instead of borrowing the homeowner's, the file gives security tools little to go on when they try to predict, from a static look alone, what it is about to do.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3: The shell game.&lt;/strong&gt; Formbook is famous for a technique called &lt;strong&gt;process injection&lt;/strong&gt; — it essentially disguises itself inside a legitimate Windows program that's already running. Imagine a criminal putting on a police uniform. The operating system sees a trusted process and doesn't intervene. This is how it evades antivirus software that only checks files on disk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4: Silent surveillance.&lt;/strong&gt; Once embedded, Formbook hooks into your browsers and starts capturing form data, keystrokes, and screenshots. It phones home to its C2 server with everything it collects. It also installs &lt;strong&gt;persistence mechanisms&lt;/strong&gt; — ways to survive a reboot, like adding itself to your startup programs. Think of it as the malware hiding a spare key under your doormat so it can always get back in.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who Should Care?
&lt;/h2&gt;

&lt;p&gt;If you're thinking "I'm not a target," think again. Formbook isn't a precision weapon aimed at governments or giant corporations. It's a &lt;strong&gt;dragnet&lt;/strong&gt;. Attackers spray it out to thousands of email addresses and see what sticks. That means:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small business owners&lt;/strong&gt; who handle invoices and purchase orders daily — you're the primary target for these social engineering lures&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Remote workers&lt;/strong&gt; who may not have corporate-grade security on their home machines&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Developers&lt;/strong&gt; who download tools and libraries from the internet and may encounter repackaged malicious executables&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Anyone who uses a web browser&lt;/strong&gt; to log into banking, email, or shopping sites&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The real-world damage looks like this: stolen banking credentials drained overnight. Client databases exfiltrated and sold on dark web forums. Email accounts hijacked to send more phishing emails to your contacts. Company credentials used to breach your employer's network. And because Formbook can download &lt;em&gt;additional&lt;/em&gt; malware, a single infection can be the first domino in a much larger attack — including ransomware (digital kidnapping of your files for payment).&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Protect Yourself
&lt;/h2&gt;

&lt;p&gt;You don't need a six-figure security budget. Here are concrete things you can do right now:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Never open &lt;code&gt;.exe&lt;/code&gt; attachments from email.&lt;/strong&gt; Period. Legitimate purchase orders come as PDFs. If someone sends you an executable — or a compressed archive containing one — treat it as suspicious, even if you recognize the sender's name. (Attackers routinely spoof email addresses.)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Turn on "Show file extensions" in Windows.&lt;/strong&gt; By default, Windows hides file extensions, so &lt;code&gt;PO-000806758.exe&lt;/code&gt; might just look like &lt;code&gt;PO-000806758&lt;/code&gt;. In File Explorer go to View → check "File name extensions" (on Windows 11: View → Show → File name extensions). This one setting removes a huge category of deception.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your antivirus updated.&lt;/strong&gt; Yes, only 27/76 engines caught this sample &lt;em&gt;at the time of analysis&lt;/em&gt;. But detection improves quickly once a sample is flagged. Keeping definitions current means you benefit from the community's collective response.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Use a password manager instead of letting your browser save passwords.&lt;/strong&gt; Formbook specifically targets browser-stored credentials. A dedicated password manager stores credentials in an encrypted vault that's much harder for malware to raid.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enable multi-factor authentication (MFA) everywhere you can.&lt;/strong&gt; Even if Formbook steals your password, a second factor — like a code from your phone — means the attacker still can't get in with the password alone. This single step neutralizes a huge portion of stolen-credential attacks. One caveat: stealers also lift browser session cookies, which let an attacker resume a session you already logged into without any second factor, so after a suspected infection sign out of sensitive sites (which invalidates those sessions) as well as changing passwords.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The Bottom Line
&lt;/h2&gt;

&lt;p&gt;Formbook isn't flashy. It doesn't lock your screen or make demands. It just quietly watches and copies, like someone reading over your shoulder — except they're reading &lt;em&gt;everything&lt;/em&gt;, and they never leave.&lt;/p&gt;

&lt;p&gt;This sample, &lt;code&gt;PO-000806758.exe&lt;/code&gt; (SHA-256: &lt;code&gt;af3f5610187dd9fadeffd7148fce068c920c10a824bc7e139550e06dd4cca882&lt;/code&gt;), is one of thousands of Formbook variants circulating right now. The social engineering is simple. The malware is well-engineered. And the consequences — stolen credentials, financial loss, deeper network compromise — are very real.&lt;/p&gt;

&lt;p&gt;The best defense isn't expensive software. It's a moment of pause before you click.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This analysis is based on data collected by ThreatChain and corroborated by multiple public malware analysis services including CAPE, VMRay, Kaspersky, and VirusTotal. Sample first observed April 7, 2026.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>formbook</category>
    </item>
    <item>
      <title>Claude Code Source Leak: How One Packaging Mistake Created a Hacker Feeding Frenzy</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 19:31:30 +0000</pubDate>
      <link>https://forem.com/threatchain/claude-code-source-leak-how-one-packaging-mistake-created-a-hacker-feeding-frenzy-4g40</link>
      <guid>https://forem.com/threatchain/claude-code-source-leak-how-one-packaging-mistake-created-a-hacker-feeding-frenzy-4g40</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/claude-code-source-leak-how-one-packaging-mistake-created-a-hacker-feeding-frenz-claude-c" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;What a supply chain attack is, how it works, and how to defend against it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine accidentally dropping your house keys in a crowded mall – and within hours, those keys have been duplicated and distributed to every pickpocket in the city. That's essentially what happened on March 31st when Anthropic accidentally exposed the complete source code for Claude Code, their enterprise AI agent platform, in what security researchers are calling one of the most consequential accidental leaks in AI history.&lt;/p&gt;

&lt;p&gt;Here's the kicker: hackers didn't just study the leaked code – they weaponized it within 48 hours, creating a sophisticated malware campaign that's already tricking thousands of developers and organizations worldwide.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Accident That Shook the AI World
&lt;/h2&gt;

&lt;p&gt;It started with something embarrassingly mundane: a packaging error. On March 31st, 2026, Anthropic's development team was pushing routine updates to Claude Code via npm (the JavaScript package manager that millions of developers use daily). Version 2.1.88 was supposed to be a standard release.&lt;/p&gt;

&lt;p&gt;Instead, it became a cybersecurity nightmare.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What went wrong?&lt;/strong&gt; A single developer forgot to exclude the source map files during the build process. Think of source maps as the "director's commentary" for code – they contain the original, human-readable version of software that's normally compressed and obscured for public release.&lt;/p&gt;

&lt;p&gt;The result: a 59.8 MB JavaScript source map containing &lt;strong&gt;513,000 lines of unobfuscated TypeScript code across 1,906 files&lt;/strong&gt; was accidentally bundled with the public npm package. For context, that's like Netflix accidentally including the raw footage, deleted scenes, and production notes with every movie they stream.&lt;/p&gt;

&lt;p&gt;Security researcher Chaofan Shou was first to spot the leak, posting on X: &lt;em&gt;"Holy shit, Anthropic just leaked their entire Claude Code architecture in an npm package."&lt;/em&gt; By then, it was too late – the package had already been downloaded thousands of times.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the Hackers Found: A Treasure Trove of AI Secrets
&lt;/h2&gt;

&lt;p&gt;The leaked code revealed far more than just how Claude Code works – it exposed Anthropic's most advanced AI capabilities, many of which were previously unknown to the public:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🤖 Agent Orchestration Logic&lt;/strong&gt;: The complete system for how Claude spawns and manages multiple AI agents simultaneously, including the permission structures that keep them contained.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🧠 Self-Healing Memory Architecture&lt;/strong&gt;: Code showing how Claude maintains persistent memory across conversations and automatically fixes its own errors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;👻 KAIROS Feature&lt;/strong&gt;: A background agent that continuously monitors and repairs system issues – essentially giving Claude a form of "digital immune system."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;💭 Dream Mode&lt;/strong&gt;: Perhaps most fascinating, this allows Claude to think continuously in the background, processing and refining responses even when not actively engaged with users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🥷 Undercover Mode&lt;/strong&gt;: A stealth system enabling Claude to make anonymous contributions to open-source projects – raising significant questions about AI transparency in software development.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🛡️ Anti-Distillation Controls&lt;/strong&gt;: Clever defensive mechanisms that inject fake tool definitions to poison competitors' attempts to reverse-engineer Claude's capabilities.&lt;/p&gt;

&lt;p&gt;Think of it this way: if AI capabilities were a restaurant's secret recipes, hackers didn't just get the ingredient list – they got the cookbook, cooking techniques, and the chef's personal notes.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 48-Hour Weaponization: How Hackers Struck Back
&lt;/h2&gt;

&lt;p&gt;What happened next demonstrates the lightning speed of modern cybercrime. Within 48 hours, multiple hacker groups had analyzed the leaked code and launched coordinated attacks.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Fake Repository Trap
&lt;/h3&gt;

&lt;p&gt;User "idbzoomh" quickly created a GitHub repository with an enticing promise: access to "unlocked enterprise features with no usage restrictions." The repo was SEO-optimized to appear at the top of Google searches for "Claude Code leak" and "free Claude enterprise."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The bait&lt;/strong&gt;: A professional-looking repository offering a 7-Zip archive containing "ClaudeCode_x64.exe"&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The hook&lt;/strong&gt;: What users actually downloaded was a Rust-based dropper that deployed two pieces of malware:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Vidar Infostealer&lt;/strong&gt;: Harvests login credentials, credit card information, and browser history&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;GhostSocks Proxy Malware&lt;/strong&gt;: Turns infected machines into proxy nodes for masking criminal activity&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The Supply Chain Poisoning
&lt;/h3&gt;

&lt;p&gt;Simultaneously, hackers published five malicious npm packages with names designed to appear legitimate:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;audio-capture-napi&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;color-diff-napi&lt;/code&gt; &lt;/li&gt;
&lt;li&gt;&lt;code&gt;image-processor-napi&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;modifiers-napi&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;url-handler-napi&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These packages contained cross-platform remote access trojans (RATs) that give hackers complete control over infected systems. The "-napi" suffix is particularly clever – it mimics legitimate Node.js addon packages that developers commonly install.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Critical Window
&lt;/h3&gt;

&lt;p&gt;Perhaps most concerning: anyone who installed or updated Claude Code via npm on March 31st between 00:21 and 03:29 UTC pulled the 2.1.88 build that shipped the source map, before it was removed. Nothing in the account above suggests that build itself carried malware; the malicious code came from the separate GitHub repository and the five npm packages described earlier. But an install in that 3-hour window does mean a copy of the leaked source is sitting in that machine's &lt;code&gt;node_modules&lt;/code&gt; and npm cache, and it should be replaced rather than left in place.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why This Matters to YOU (Even If You Don't Use AI)
&lt;/h2&gt;

&lt;p&gt;"But I don't use Claude Code," you might be thinking. "How does this affect me?"&lt;/p&gt;

&lt;p&gt;This incident matters for three critical reasons:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. The Ripple Effect&lt;/strong&gt;: Claude Code is integrated into thousands of enterprise applications. If your workplace, bank, healthcare provider, or any service you use employs Claude Code, your data could be at risk from secondary attacks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. The Precedent&lt;/strong&gt;: This leak demonstrates how quickly advanced AI capabilities can be weaponized. The techniques exposed in Claude's code could be adapted to enhance other malware campaigns, making them more sophisticated and harder to detect.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. The Trust Factor&lt;/strong&gt;: If Anthropic – one of the most security-conscious AI companies – can accidentally leak their entire codebase, what does that say about the security practices across the broader tech industry?&lt;/p&gt;

&lt;h2&gt;
  
  
  Anthropic's Response: Damage Control in Motion
&lt;/h2&gt;

&lt;p&gt;To their credit, Anthropic acted swiftly once the leak was discovered. The company immediately removed version 2.1.88 from npm and issued a public statement:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;"This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved or exposed."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;While technically accurate, this response understates the severity. The leaked code itself has become the weapon – customer data wasn't exposed, but the tools to potentially access it were gift-wrapped for cybercriminals.&lt;/p&gt;

&lt;h2&gt;
  
  
  Your Action Plan: 7 Steps to Stay Protected
&lt;/h2&gt;

&lt;p&gt;Don't panic, but do act quickly. Here's your immediate action checklist:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. &lt;strong&gt;Audit Your npm Packages NOW&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Run &lt;code&gt;npm audit&lt;/code&gt; in all your projects and specifically check for these malicious packages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;audio-capture-napi&lt;/li&gt;
&lt;li&gt;color-diff-napi&lt;/li&gt;
&lt;li&gt;image-processor-napi&lt;/li&gt;
&lt;li&gt;modifiers-napi&lt;/li&gt;
&lt;li&gt;url-handler-napi&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. &lt;strong&gt;Downgrade Claude Code Immediately&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;If you're using Claude Code version 2.1.88, downgrade to version 2.1.87 or earlier immediately. Do not pass go, do not collect $200.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. &lt;strong&gt;Rotate ALL Credentials&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Change passwords, API keys, and access tokens for any systems that interact with Claude Code. Yes, this is painful. Yes, it's necessary.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. &lt;strong&gt;Verify Package Authenticity&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Before installing any AI-related packages, verify they come from official sources. When in doubt, wait and verify through official channels.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. &lt;strong&gt;Monitor Your Systems&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Watch for unusual network activity, unexpected CPU usage, or unknown processes. The malware from this campaign is designed to be stealthy, but it's not invisible.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. &lt;strong&gt;Update Your Security Tools&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Ensure your antivirus, endpoint detection, and network monitoring tools have the latest signatures. Major security vendors are rapidly updating their systems to detect the malware from this campaign.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. &lt;strong&gt;Educate Your Team&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Share this information with colleagues, especially developers and IT staff. The fake GitHub repositories are professionally crafted and could fool even experienced developers.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Bigger Picture: A Wake-Up Call for AI Security
&lt;/h2&gt;

&lt;p&gt;This incident isn't just about one company's mistake – it's a preview of the cybersecurity challenges we'll face as AI becomes more sophisticated and ubiquitous. The speed with which hackers weaponized the leaked code should serve as a wake-up call for the entire tech industry.&lt;/p&gt;

&lt;p&gt;As AI capabilities advance, the potential damage from such leaks grows exponentially. Today it's source code and malware. Tomorrow, it could be training data, model architectures, or worse – techniques that could be used to create deepfakes, manipulate elections, or launch AI-powered social engineering attacks at unprecedented scale.&lt;/p&gt;

&lt;p&gt;The Claude Code leak reminds us that in cybersecurity, there are no small mistakes – only small windows of opportunity that hackers are remarkably efficient at exploiting.&lt;/p&gt;

&lt;p&gt;Stay vigilant, stay updated, and remember: in the age of AI-powered cybercrime, paranoia isn't a bug – it's a feature.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>supplychainattack</category>
    </item>
    <item>
      <title>Vidar: The Silent Thief Hiding Inside That Free Software Download</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 19:16:24 +0000</pubDate>
      <link>https://forem.com/threatchain/vidar-the-silent-thief-hiding-inside-that-free-software-download-p9f</link>
      <guid>https://forem.com/threatchain/vidar-the-silent-thief-hiding-inside-that-free-software-download-p9f</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/vidar-the-silent-thief-hiding-inside-that-free-software-download-6d557467" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;An info-stealer that doubles as a loader. Full breakdown inside.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Last Tuesday, a freelance graphic designer in Ohio downloaded what she thought was a cracked version of a popular video editing tool. Within 90 seconds — before she even noticed the installer hadn't actually opened anything — her saved browser passwords, her crypto wallet seed phrase, her autofill credit card numbers, and a folder of client contracts had been quietly zipped up and sent to a server halfway around the world. She didn't get a ransom note. She didn't see a scary skull on her screen. She had no idea anything happened until her bank called three days later.&lt;/p&gt;

&lt;p&gt;This is what Vidar does. And a fresh sample just surfaced that shows the malware is evolving in ways that make it harder to catch.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is Vidar, Exactly?
&lt;/h2&gt;

&lt;p&gt;Vidar is an &lt;strong&gt;information stealer&lt;/strong&gt; — a type of malware whose entire job is to grab your personal data and send it to an attacker as fast as possible, then disappear. Think of it less like a burglar who moves into your house, and more like a pickpocket on a crowded subway. Quick hands, gone before you notice, and by the time you check your pockets it's too late.&lt;/p&gt;

&lt;p&gt;Specifically, Vidar hunts for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Passwords saved in your browser&lt;/strong&gt; (Chrome, Firefox, Edge — all of them)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credit card numbers&lt;/strong&gt; stored in autofill&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cryptocurrency wallets&lt;/strong&gt; (Bitcoin, Ethereum, and dozens of others)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Two-factor authentication data&lt;/strong&gt; — those backup codes and authenticator app databases&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Files on your desktop&lt;/strong&gt; that match certain patterns (documents, text files, key files)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Screenshots&lt;/strong&gt; of what's on your screen at the moment of infection&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It collects everything into a neat package, uploads it to the attacker's server, and then often deletes itself. The whole operation can take under a minute.&lt;/p&gt;

&lt;h2&gt;
  
  
  This Specific Sample: What We Know
&lt;/h2&gt;

&lt;p&gt;ThreatChain flagged a new Vidar sample on &lt;strong&gt;April 6, 2026&lt;/strong&gt;. Here's what makes it interesting:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The file itself&lt;/strong&gt; is a Windows executable (an &lt;code&gt;.exe&lt;/code&gt; file), about 1.9 megabytes — small enough to download in a blink. It arrived with a generic filename simply called "file," which is common when malware is delivered as a secondary payload — something that another piece of malicious software drops onto your machine after you're already compromised.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It was delivered by GCleaner&lt;/strong&gt;, a known malware dropper that pretends to be a system optimization or "PC cleaner" tool. You know those ads that say "Your PC is slow! Download this free tool to speed it up!"? That's GCleaner's hunting ground. Once you install GCleaner thinking it'll help your computer, it quietly downloads Vidar (and potentially other malware) in the background.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's digitally signed.&lt;/strong&gt; This is the worrying part. Digital signatures are supposed to be a trust signal — like a seal on a letter saying "this really came from who it says it came from." Attackers increasingly steal or buy code-signing certificates to make their malware look legitimate. When software is signed, Windows is less likely to flag it, and so are some security tools.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Detection is still low.&lt;/strong&gt; When this sample was scanned against 76 different antivirus engines, only &lt;strong&gt;14 flagged it as malicious&lt;/strong&gt; — that's less than 19%. Meaning the majority of security tools would have let it through without a peep. Kaspersky, ANY.RUN, and FileScan.IO caught it. Many others didn't.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It uses Telegram for command-and-control.&lt;/strong&gt; Instead of communicating with a suspicious-looking server (which security tools might block), this variant uses Telegram — the popular messaging app — as its remote control channel. The attacker posts instructions to a Telegram channel, and the malware reads them. Since Telegram traffic looks normal and is encrypted, this is fiendishly clever. It's like a spy receiving orders through a public bulletin board that everyone uses — nobody thinks twice about the traffic.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It actively fights analysis.&lt;/strong&gt; The sample includes multiple anti-debugging techniques — essentially, it checks whether it's being watched. If the malware detects it's running inside a security researcher's sandbox or virtual machine, it changes behavior or shuts down entirely. It's the digital equivalent of a shoplifter who cases a store for cameras before pocketing anything.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who Should Care?
&lt;/h2&gt;

&lt;p&gt;If you use a Windows computer and have ever:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Downloaded free or cracked software&lt;/li&gt;
&lt;li&gt;Used a "PC optimization" tool you found through an ad&lt;/li&gt;
&lt;li&gt;Saved passwords in your browser (be honest — most of us have)&lt;/li&gt;
&lt;li&gt;Stored cryptocurrency wallet files on your computer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...then you're squarely in Vidar's crosshairs.&lt;/p&gt;

&lt;p&gt;Small businesses are especially vulnerable. A single employee downloading a "free PDF converter" on a work machine can expose the company's saved credentials, client data, and financial information. Vidar doesn't discriminate between personal and business data — it takes everything it can find.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Happens After Your Data Is Stolen?
&lt;/h2&gt;

&lt;p&gt;Vidar operators don't usually use your data themselves. They sell it in bulk on dark web marketplaces. Your stolen credentials become part of a massive bundle sold for a few dollars. Buyers then use those credentials to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Drain bank accounts and crypto wallets&lt;/li&gt;
&lt;li&gt;Take over email and social media accounts&lt;/li&gt;
&lt;li&gt;Commit identity fraud&lt;/li&gt;
&lt;li&gt;Launch further attacks against your employer or clients&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The designer in Ohio? Her stolen browser passwords included her login to a client's WordPress site. Within a week, that site was defaced and injecting malware onto &lt;em&gt;its&lt;/em&gt; visitors. One infection cascaded outward.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Protect Yourself
&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise security team to defend against Vidar. Here are five concrete things you can do this week:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Stop saving passwords in your browser.&lt;/strong&gt; Use a dedicated password manager like Bitwarden or 1Password instead. Browsers store passwords in ways that Vidar (and many other stealers) can extract trivially. A password manager encrypts them separately.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Never download "cracked" or "free" versions of paid software.&lt;/strong&gt; This is the number-one delivery method for stealers like Vidar. If you need a tool and can't afford it, look for a legitimate open-source alternative. The "free" cracked copy will cost you far more.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Be deeply skeptical of PC cleaner and optimizer tools&lt;/strong&gt;, especially ones promoted through web ads. Legitimate tools exist, but they don't need pop-up ads to find you.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your antivirus updated.&lt;/strong&gt; Yes, this sample evades many antivirus tools &lt;em&gt;today&lt;/em&gt;. But detection rates improve quickly once samples are flagged. Running outdated definitions means you're missing even the threats that &lt;em&gt;have&lt;/em&gt; been caught.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Move cryptocurrency wallets to hardware wallets or at minimum move seed phrases offline.&lt;/strong&gt; A piece of paper in a safe is unhackable. A text file on your desktop is the first thing Vidar grabs.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The Technical Details (For Those Who Want Them)
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;6d557467cdb0b20561acab3c95707230dded7798732430d9aff2b9c7f885ae0c&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File Type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Win32 PE32+ executable (64-bit, GUI)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File Size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~1.9 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Family&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Vidar (information stealer)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Delivery&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Dropped by GCleaner&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Signing&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Digitally signed (likely stolen/purchased certificate)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;C2 Channel&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Telegram-based communication&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection Rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;14 out of 76 engines (as of first scan)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;First Seen&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;April 6, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If you're an IT admin or security professional, this sample's YARA detections include command-and-control signatures, multiple debugger evasion checks, and encrypted variant detection patterns. The Golang-related tags and method signatures suggest parts of the payload or its dropper are written in Go — a language attackers increasingly favor because it compiles into large, noisy binaries that can overwhelm some analysis tools.&lt;/p&gt;

&lt;p&gt;Vidar isn't flashy. It doesn't lock your screen. It doesn't make demands. It just takes what it wants and leaves. That's what makes it so effective — and why it keeps showing up, year after year, in new disguises.&lt;/p&gt;

&lt;p&gt;The best defense isn't expensive software. It's skepticism. That free download, that PC optimizer ad, that email attachment you weren't expecting — pause before you click. Your future self will thank you.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>vidar</category>
    </item>
    <item>
      <title>That "Payment Wire" Email Attachment? It's a Trojan Wearing Trusted Software as a Disguise</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 17:35:09 +0000</pubDate>
      <link>https://forem.com/threatchain/that-payment-wire-email-attachment-its-a-trojan-wearing-trusted-software-as-a-disguise-17k6</link>
      <guid>https://forem.com/threatchain/that-payment-wire-email-attachment-its-a-trojan-wearing-trusted-software-as-a-disguise-17k6</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/that-payment-wire-email-attachment-it-s-a-trojan-wearing-trusted-software-as-a-d-5bbb1e4d" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;What ConnectWise is, how it works, and how to defend against it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Picture this: It's a Monday morning. You're the office manager at a mid-size company in Stockholm, plowing through emails. One catches your eye — the subject line says something about a wire payment and a copier invoice. There's an attachment: &lt;code&gt;Payment-WIRE_COPIER.PDF.js&lt;/code&gt;. Looks like a PDF. You double-click.&lt;/p&gt;

&lt;p&gt;Nothing visible happens. No document opens. You shrug, maybe try again, then move on with your day.&lt;/p&gt;

&lt;p&gt;But something &lt;em&gt;did&lt;/em&gt; happen. In those few quiet seconds, a script ran in the background and started installing remote access software on your machine — the kind IT departments use every day to manage computers. Except in this case, &lt;em&gt;your&lt;/em&gt; IT team didn't install it. Someone else now has a remote control to your computer, and they can see your screen, move your mouse, browse your files, and come back any time they want.&lt;/p&gt;

&lt;p&gt;This is the story of a real malware sample spotted in early April 2026, and it's a clever one. Let's break down what it does, why it's hard to catch, and what you can do about it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is This Thing, Exactly?
&lt;/h2&gt;

&lt;p&gt;The file — &lt;code&gt;Payment-WIRE_COPIER.PDF.js&lt;/code&gt; — is a JavaScript file pretending to be a PDF. That &lt;code&gt;.PDF.js&lt;/code&gt; double extension is a classic trick. On many Windows machines, the system hides the last extension, so all you see is &lt;code&gt;Payment-WIRE_COPIER.PDF&lt;/code&gt;. It looks completely normal.&lt;/p&gt;

&lt;p&gt;But it's not a document. It's a script — a small program your computer will run if you open it.&lt;/p&gt;

&lt;p&gt;Here's where it gets interesting. The script's goal isn't to install some exotic, never-before-seen virus. Instead, it installs &lt;strong&gt;ConnectWise ScreenConnect&lt;/strong&gt; — a completely legitimate remote management tool that thousands of IT professionals use every day to help employees, fix computers, and manage networks.&lt;/p&gt;

&lt;p&gt;Think of ScreenConnect like a spare key to your house. When your landlord has one, it's fine — you trust them. But if a stranger makes a copy and lets themselves in while you're at work? Same key, very different situation.&lt;/p&gt;

&lt;p&gt;Security researchers call this category of software &lt;strong&gt;RMM tools&lt;/strong&gt; — Remote Monitoring and Management. They're built to let someone control a computer from far away. When a criminal installs one without your knowledge, it becomes one of the most effective backdoors imaginable, because your antivirus software often &lt;em&gt;trusts&lt;/em&gt; it. After all, it's a real, signed, legitimate application.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why This Attack Is Sneaky (Even by Malware Standards)
&lt;/h2&gt;

&lt;p&gt;A few things make this sample particularly tricky:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. The code is scrambled on purpose.&lt;/strong&gt;&lt;br&gt;
The JavaScript inside the file has been run through an obfuscation tool — think of it like writing a letter in a code language so only the intended recipient can read it. Security tools that scan files looking for known bad patterns have a harder time recognizing what the script actually does. Two detection rules (called YARA rules) flagged this sample specifically for suspicious obfuscation and for using PowerShell — a powerful built-in Windows tool that the script likely calls to download and install ScreenConnect silently.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. It abuses trust.&lt;/strong&gt;&lt;br&gt;
Once ScreenConnect is installed, the attacker has a tool that looks identical to what a legitimate IT admin would use. Many security products won't flag it. It's like a burglar wearing a uniform from your building's maintenance company — the security guard waves them right through.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Detection rates are low.&lt;/strong&gt;&lt;br&gt;
When this file was first scanned across 76 different antivirus engines, only &lt;strong&gt;14 out of 76&lt;/strong&gt; flagged it as malicious. That means over 80% of security tools let it through. Kaspersky and Spamhaus flagged it. FileScan rated it "likely malicious." But the majority? Silence.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who's at Risk, and What's the Real Damage?
&lt;/h2&gt;

&lt;p&gt;This sample was first seen originating from Sweden, but the technique is used globally. The targets tend to be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small and mid-size businesses&lt;/strong&gt; that don't have dedicated security teams&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Finance and accounting departments&lt;/strong&gt; (the "payment wire" lure is aimed squarely at them)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Anyone who handles invoices, payments, or vendor communications by email&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once an attacker has ScreenConnect running on your machine, they can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Watch your screen in real time&lt;/strong&gt; — see passwords you type, emails you read, banking sessions you open&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Browse and steal files&lt;/strong&gt; — client lists, contracts, financial records, anything on your hard drive or network shares&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Install additional malware&lt;/strong&gt; — ransomware (digital kidnapping of your files), keyloggers, or tools to move deeper into your company's network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Come back whenever they want&lt;/strong&gt; — ScreenConnect is designed to survive reboots and persist quietly. It's the malware's way of hiding a spare key under your doormat so it can return after you think you've cleaned up.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For a small business, this could mean a drained bank account, a data breach you're legally required to report, or a ransomware attack that shuts down operations for days.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Technical Fingerprint
&lt;/h2&gt;

&lt;p&gt;For anyone who wants to check their systems or share this with their IT provider, here are the specifics:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Payment-WIRE_COPIER.PDF.js&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;JavaScript (.js)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~16 KB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256 hash&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;5bbb1e4d714fac5f326d55fff88e1267f537121d64cb4ba488bb3f7a7215021a&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;First seen&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;April 6, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;14 out of 76 antivirus engines&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Flagged by&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Kaspersky (Malware), Spamhaus (Malicious), FileScan (Likely Malicious)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Malware family&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;ConnectWise / ScreenConnect (abused legitimate RMM tool)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;A SHA-256 hash is like a fingerprint for a file — if you have this exact file on your system, it will produce this exact hash. Your IT team can search for it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Can Do Right Now
&lt;/h2&gt;

&lt;p&gt;You don't need a million-dollar security budget to protect yourself from this. Here are five concrete steps:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Never open &lt;code&gt;.js&lt;/code&gt; files from email.&lt;/strong&gt; There is almost no legitimate reason for someone to send you a JavaScript file as an attachment. If you see &lt;code&gt;.js&lt;/code&gt; at the end of a file name — or a suspicious double extension like &lt;code&gt;.PDF.js&lt;/code&gt; — delete the email. If you think it might be real, call the sender directly to confirm.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Make Windows show file extensions.&lt;/strong&gt; By default, Windows hides file extensions, which is exactly what makes the &lt;code&gt;.PDF.js&lt;/code&gt; trick work. Go to File Explorer → View → check "File name extensions." Now you'll always see the real file type.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Check for unauthorized ScreenConnect installations.&lt;/strong&gt; Ask your IT team (or check yourself): is ConnectWise ScreenConnect installed on any machines where it shouldn't be? Look for services or programs called "ScreenConnect" or "ConnectWise Control" that nobody in your organization set up. If you find one and your IT team didn't install it, treat it as a breach.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Keep your antivirus updated and use email filtering.&lt;/strong&gt; This sample slipped past most antivirus engines at first, but detection improves rapidly once a sample is identified. Keeping your security tools current means you benefit from those updates. If your email provider offers attachment scanning or filtering, make sure it's turned on and configured to block or quarantine script files.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Talk to your team.&lt;/strong&gt; The most effective defense against this kind of attack is a 10-minute conversation. Tell your colleagues: "If you get an unexpected email about a payment or invoice with an attachment, don't open the attachment. Forward it to me (or IT) first." That one habit stops this entire attack chain cold.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Bigger Picture
&lt;/h2&gt;

&lt;p&gt;This sample is part of a growing trend where attackers don't bother building custom spy tools from scratch. Why would they, when perfectly good remote access software already exists and is trusted by security products? By wrapping the installation in an obfuscated script and disguising it as a financial document, they've built an attack that's cheap, effective, and hard to detect.&lt;/p&gt;

&lt;p&gt;The good news? The attack requires &lt;em&gt;you&lt;/em&gt; to open that file. That moment of hesitation — "Wait, why is a PDF actually a &lt;code&gt;.js&lt;/code&gt; file?" — is your best firewall.&lt;/p&gt;

&lt;p&gt;Stay curious. Stay skeptical. And when in doubt, don't double-click.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>connectwise</category>
    </item>
    <item>
      <title>DCRat: The Cheap, Dangerous Malware That Lets Anyone Spy on Your Computer for $5</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 17:24:21 +0000</pubDate>
      <link>https://forem.com/threatchain/dcrat-the-cheap-dangerous-malware-that-lets-anyone-spy-on-your-computer-for-5-51b4</link>
      <guid>https://forem.com/threatchain/dcrat-the-cheap-dangerous-malware-that-lets-anyone-spy-on-your-computer-for-5-51b4</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/dcrat-the-cheap-dangerous-malware-that-lets-anyone-spy-on-your-computer-for-5-ecbbd254" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;A modular RAT that's been around for years and keeps evolving. Latest tricks inside.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Picture this: you download what looks like a normal program — maybe a game crack, a free tool, or a file that came attached to a convincing email. Nothing seems wrong. Your computer doesn't slow down. No scary pop-ups. But from that moment on, someone on the other side of the world can see everything on your screen, read every password you type, and quietly rummage through your files like a burglar who moved into your attic.&lt;/p&gt;

&lt;p&gt;That's what DCRat does. And a fresh sample just showed up on threat tracking platforms, flagged by 58 out of 76 antivirus engines — meaning even with that level of detection, it's still actively being distributed and it's still catching people off guard.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is DCRat, Exactly?
&lt;/h2&gt;

&lt;p&gt;DCRat (short for "Dark Crystal RAT") is a &lt;strong&gt;remote access trojan&lt;/strong&gt; — a type of malware that gives an attacker full remote control of your computer. Think of it like someone installing a hidden TeamViewer on your machine without your knowledge or permission.&lt;/p&gt;

&lt;p&gt;What makes DCRat especially alarming isn't its sophistication. It's its &lt;em&gt;accessibility&lt;/em&gt;. DCRat has been sold on underground forums for as little as $5. That means the person targeting you doesn't need to be a skilled hacker. They could be a teenager, a low-level scammer, or anyone with a few dollars and a YouTube tutorial. The malware comes with a slick control panel — point and click — and a plugin system that lets buyers add features like a menu at a fast-food restaurant. Want to steal browser passwords? There's a plugin. Want to record keystrokes? Plugin. Want to deploy ransomware? Plugin for that too.&lt;/p&gt;

&lt;p&gt;This isn't theoretical. DCRat has been linked to thousands of infections worldwide, and it keeps evolving.&lt;/p&gt;

&lt;h2&gt;
  
  
  This Specific Sample: What We Know
&lt;/h2&gt;

&lt;p&gt;ThreatChain flagged a new DCRat sample on &lt;strong&gt;April 6, 2026&lt;/strong&gt;, originating from infrastructure in the &lt;strong&gt;Netherlands&lt;/strong&gt;. Here's a quick snapshot:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Windows .exe (32-bit, built with .NET)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~848 KB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;58 out of 76 antivirus engines flagged it&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Threat label&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;trojan.dcrat/msil&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ecbbd25448979c877212160fc82b92a1aa2c5cf1f0f525632100a5435138b48e&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The file has appeared under multiple names — &lt;code&gt;mswinruntime.exe&lt;/code&gt;, &lt;code&gt;RamDyn.exe&lt;/code&gt;, &lt;code&gt;libGLESv2.dll&lt;/code&gt;, among others — which tells us the people distributing it are disguising it as different things to trick different victims. One name mimics a Microsoft Windows component. Another mimics a graphics library used by Chrome and other browsers. The idea is simple: if the file name looks familiar and legitimate, you're less likely to question it.&lt;/p&gt;

&lt;h2&gt;
  
  
  How It Gets Past Your Defenses
&lt;/h2&gt;

&lt;p&gt;This sample uses a couple of clever tricks worth understanding.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First: obfuscation with .NET Reactor.&lt;/strong&gt; The malware is written in C# (a common programming language), and its code has been scrambled using a tool called .NET Reactor. Imagine someone wrote a letter in English, then ran it through a cipher so it looks like gibberish — but your computer can still "read" it just fine. This makes it harder for security researchers and antivirus programs to quickly understand what the code actually does.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Second: PowerShell and command-line abuse.&lt;/strong&gt; Once running, the malware uses PowerShell — a powerful built-in Windows tool that IT admins use every day — to execute hidden commands. It's like a burglar using your own tools from the garage to break into your safe. Because PowerShell is a legitimate Windows feature, many security tools don't automatically block it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Third: persistence.&lt;/strong&gt; One of the detection tags on this sample is &lt;code&gt;auto-sch&lt;/code&gt;, which points to the malware creating &lt;strong&gt;scheduled tasks&lt;/strong&gt; — basically telling Windows, "Hey, run this program again every time the computer starts up, or every few minutes." It's the digital equivalent of the burglar making a copy of your house key. You can close the front door, but they're coming back in.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Can DCRat Actually Do to You?
&lt;/h2&gt;

&lt;p&gt;Once installed, DCRat can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Log every keystroke&lt;/strong&gt; — capturing passwords, credit card numbers, private messages, everything you type&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Take screenshots&lt;/strong&gt; of your desktop at regular intervals&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Steal saved passwords and cookies&lt;/strong&gt; from your browsers — potentially giving attackers access to your email, bank accounts, and social media&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Access your files&lt;/strong&gt; — downloading documents, photos, or anything else on your hard drive&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Install additional malware&lt;/strong&gt; — including ransomware (digital kidnapping of your files for money)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use your webcam and microphone&lt;/strong&gt; — yes, they can watch and listen&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For a small business, this could mean stolen client data, compromised financial accounts, or a ransomware attack that halts operations for days. For an individual, it could mean drained bank accounts, identity theft, or deeply invasive surveillance.&lt;/p&gt;

&lt;p&gt;The detection tag &lt;code&gt;VECT_Ransomware&lt;/code&gt; on this sample is a red flag that this particular build may include ransomware capabilities or be used as a first stage — the attacker gets in with DCRat, looks around, and then deploys ransomware when they're ready.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who's at Risk?
&lt;/h2&gt;

&lt;p&gt;Honestly? Almost anyone running Windows. But DCRat tends to spread through:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Pirated software and game cracks&lt;/strong&gt; — far and away the most common delivery method&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Phishing emails&lt;/strong&gt; with attachments or links disguised as invoices, shipping notices, or job offers&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Fake downloads&lt;/strong&gt; on sketchy websites promising free versions of paid tools&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Discord and Telegram&lt;/strong&gt; — the malware has been distributed through links in group chats and direct messages&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're a small business without a dedicated IT security team, you're in the sweet spot of DCRat's target audience. You have valuable data, and you may not have the monitoring in place to catch a quiet infection.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Can Do Right Now
&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise security budget to protect yourself from DCRat. Here are five concrete steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Don't download pirated software. Period.&lt;/strong&gt; This is the number-one way DCRat spreads. That "free" Photoshop crack could cost you everything on your hard drive. If a deal looks too good to be true, it's probably malware in a trench coat.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your antivirus updated.&lt;/strong&gt; This sample is detected by 58 out of 76 engines — that's most major antivirus programs. But only if they're up to date. Turn on automatic updates for both Windows and your security software.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Be skeptical of email attachments and unexpected files.&lt;/strong&gt; Even if an email looks like it's from someone you know, if you weren't expecting an attachment, verify before opening. A quick phone call or text could save you weeks of cleanup.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Back up your files regularly — and keep backups disconnected.&lt;/strong&gt; If DCRat drops ransomware, your backup is your lifeline. Use an external drive or a cloud backup service, and make sure at least one copy isn't permanently connected to your computer (so the malware can't encrypt it too).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Check your scheduled tasks occasionally.&lt;/strong&gt; On Windows, you can open Task Scheduler (just search for it in the Start menu) and look for anything unfamiliar that's set to run automatically. If you see entries you don't recognize — especially ones running &lt;code&gt;.exe&lt;/code&gt; files from unusual locations like &lt;code&gt;AppData&lt;/code&gt; or &lt;code&gt;Temp&lt;/code&gt; folders — investigate or ask someone who can help.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The Bottom Line
&lt;/h2&gt;

&lt;p&gt;DCRat isn't the most advanced malware out there. It doesn't need to be. Its power comes from being cheap, easy to use, and endlessly customizable — a toolkit that puts serious hacking capabilities in the hands of anyone willing to spend a few dollars. This specific sample, wrapped in layers of obfuscation and disguised under trusted-sounding file names, is a reminder that the most dangerous threats are often the ones designed to look completely ordinary.&lt;/p&gt;

&lt;p&gt;Stay curious, stay cautious, and when in doubt — don't click.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Have questions about this sample or want to look it up yourself? Search for SHA-256 &lt;code&gt;ecbbd25448979c877212160fc82b92a1aa2c5cf1f0f525632100a5435138b48e&lt;/code&gt; on &lt;a href="https://www.virustotal.com" rel="noopener noreferrer"&gt;VirusTotal&lt;/a&gt; or check the &lt;a href="https://app.any.run/tasks/62e80f7f-791a-45a2-a55e-a1ab8aada6a1" rel="noopener noreferrer"&gt;ANY.RUN analysis&lt;/a&gt; for a detailed behavioral breakdown.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>dcrat</category>
    </item>
    <item>
      <title>CountLoader: The Silent Passenger Hiding Inside Software You Thought Was Safe</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 17:18:00 +0000</pubDate>
      <link>https://forem.com/threatchain/countloader-the-silent-passenger-hiding-inside-software-you-thought-was-safe-410j</link>
      <guid>https://forem.com/threatchain/countloader-the-silent-passenger-hiding-inside-software-you-thought-was-safe-410j</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/countloader-the-silent-passenger-hiding-inside-software-you-thought-was-safe-6b2e9e45" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;What CountLoader is, how it works, and how to defend against it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Last month, a freelance graphic designer in Austin downloaded what looked like a free system utility — something called "coreosdatatool." It seemed harmless. Her antivirus didn't flag it. The file opened, appeared to do nothing interesting, and she moved on with her day.&lt;/p&gt;

&lt;p&gt;What she didn't know: that file had just quietly opened a door into her computer. Within hours, a second piece of malware arrived through that door, then a third. Her saved browser passwords, client login credentials, and crypto wallet were all scooped up and sent to a server she'd never heard of. She didn't notice anything was wrong until a client called asking why their shared Dropbox had been accessed from Eastern Europe.&lt;/p&gt;

&lt;p&gt;This is what CountLoader does. Not with a bang — with a whisper.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is CountLoader, Exactly?
&lt;/h2&gt;

&lt;p&gt;CountLoader is what security researchers call a &lt;strong&gt;loader&lt;/strong&gt; — think of it as a delivery truck for other malware. Its entire job is to sneak onto your computer, avoid detection, and then download and install &lt;em&gt;other&lt;/em&gt; malicious software. It doesn't steal your files itself. It opens the gate so that more dangerous programs can walk right in.&lt;/p&gt;

&lt;p&gt;The specific sample we're looking at today (first spotted on April 6, 2025) is a Windows executable — a 64-bit &lt;code&gt;.exe&lt;/code&gt; file, about 600KB. It's been seen with file names like &lt;code&gt;coreosdatatool.exe&lt;/code&gt;, &lt;code&gt;coreosdatatool.scr&lt;/code&gt;, and &lt;code&gt;hgehlomq.exe&lt;/code&gt;. Not exactly names that scream "danger," which is part of the point.&lt;/p&gt;

&lt;p&gt;Here's the scary part: when this file was first submitted to VirusTotal (a service that scans files against dozens of antivirus engines), &lt;strong&gt;only 13 out of 76 antivirus products flagged it as malicious.&lt;/strong&gt; That means the majority of security tools gave it a pass. Some sandboxes — automated environments designed to watch software behave — even called it "clean."&lt;/p&gt;

&lt;p&gt;CountLoader is good at hiding.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Does It Get On Your Machine?
&lt;/h2&gt;

&lt;p&gt;This particular sample was tagged as "dropped by Amadey." Amadey is another well-known piece of malware — a botnet loader that's been around for years. Think of it like a chain: you might first get infected with Amadey (often through a phishing email, a cracked software download, or a malicious ad), and then Amadey installs CountLoader, and then CountLoader installs &lt;em&gt;even more&lt;/em&gt; malware.&lt;/p&gt;

&lt;p&gt;It's infection by assembly line.&lt;/p&gt;

&lt;p&gt;The file names give us clues about how it might also spread on its own. The name &lt;code&gt;coreosdatatool&lt;/code&gt; sounds like a legitimate system utility. The &lt;code&gt;.scr&lt;/code&gt; extension (normally used for screensavers) is a classic trick — Windows treats &lt;code&gt;.scr&lt;/code&gt; files the same as &lt;code&gt;.exe&lt;/code&gt; files, but people are less suspicious of them. You might see this distributed on sketchy download sites disguised as a free tool or bundled with pirated software.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Happens After Infection?
&lt;/h2&gt;

&lt;p&gt;This is where things get layered. Based on what researchers have found in this sample, CountLoader comes packed with capabilities — or at least connections to capabilities — that go well beyond "just" being a delivery truck.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It checks if anyone is watching.&lt;/strong&gt; The sample triggers a YARA rule (a pattern-matching tool researchers use) called &lt;code&gt;DebuggerCheck__API&lt;/code&gt;. In plain English: the malware looks around to see if it's being analyzed in a security lab. If it detects a debugger — a tool researchers use to study software line by line — it can change its behavior or shut down entirely. It's like a burglar who cases a house and leaves if they spot security cameras.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It may carry Cobalt Strike components.&lt;/strong&gt; Cobalt Strike is a legitimate tool that security professionals use to test networks — but it's been widely pirated by actual criminals. When attackers deploy Cobalt Strike on your machine, they get a powerful remote control. They can browse your files, capture your keystrokes, move to other computers on your network, and maintain access for weeks or months. The sample matched a Cobalt Strike signature, which suggests CountLoader either carries Cobalt Strike components or is designed to fetch them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's written in Go.&lt;/strong&gt; The malware is built using Go (Golang), a programming language developed by Google. Attackers increasingly love Go because it compiles into large, complex binaries that are harder for antivirus tools to analyze — which partly explains the low detection rate. It's like writing a ransom note in a language most translators don't speak.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;There are ransomware connections.&lt;/strong&gt; The sample also matched a signature called &lt;code&gt;VECT_Ransomware&lt;/code&gt;. While CountLoader itself isn't ransomware (software that encrypts your files and demands payment), it appears designed to deliver ransomware as one of its payloads. Today it's stealing passwords; tomorrow it could be locking your files.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who Should Care?
&lt;/h2&gt;

&lt;p&gt;Honestly? Anyone running Windows. But CountLoader's delivery chain — pirated software, fake utilities, phishing emails — means certain groups are especially at risk:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small businesses&lt;/strong&gt; without dedicated IT security teams&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Freelancers and remote workers&lt;/strong&gt; who install their own software&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Anyone who downloads free tools&lt;/strong&gt; from unofficial sources&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Organizations using older or unpatched Windows systems&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The real-world impact isn't theoretical. CountLoader is part of an ecosystem. Once it's on your machine, the attackers can deploy credential stealers (grabbing your saved passwords), ransomware (locking your files for payment), or cryptominers (using your computer's processing power to mine cryptocurrency, slowing everything to a crawl). For a small business, a single CountLoader infection could lead to a data breach, client exposure, and days of downtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Details (For Those Who Want Them)
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File hash (SHA-256)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;6b2e9e457b8468a60b8f84952da717ce9ec7776e20be2b3d4f2b5c4c815c749f&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MD5&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;31793e4770d696f1eb0e2de62c7f4135&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Win32 PE32+ executable (64-bit, GUI)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~606 KB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Known file names&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;coreosdatatool.exe&lt;/code&gt;, &lt;code&gt;coreosdatatool.scr&lt;/code&gt;, &lt;code&gt;hgehlomq.exe&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Family&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;CountLoader (also associated with MintsLoader)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Delivery method&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Dropped by Amadey botnet&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;13/76 on VirusTotal&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Vendor verdicts&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Kaspersky: Malware · FileScan-IO: Malicious · Intezer: Suspicious · Spamhaus: Suspicious&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  What You Can Do Right Now
&lt;/h2&gt;

&lt;p&gt;You don't need a six-figure security budget to protect yourself from CountLoader. Here are five concrete things you can do today:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Don't download software from unofficial sources.&lt;/strong&gt; That free "system tool" on a random forum? That cracked version of Photoshop? These are exactly the kind of things that carry loaders like this. Stick to official websites, app stores, and verified publishers.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows Update turned on.&lt;/strong&gt; Seriously. Many of the secondary payloads CountLoader delivers rely on known vulnerabilities that Microsoft has already patched. Automatic updates are your friend.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Use a reputable antivirus — but don't trust it blindly.&lt;/strong&gt; Only 13 out of 76 engines caught this one initially. Antivirus is one layer of protection, not a guarantee. Pair it with common-sense habits.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Back up your files regularly.&lt;/strong&gt; If CountLoader delivers ransomware, your backup is your lifeline. Use an external drive or a cloud backup service, and make sure at least one copy isn't permanently connected to your computer (so ransomware can't encrypt the backup too).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Be suspicious of &lt;code&gt;.scr&lt;/code&gt; files.&lt;/strong&gt; If you download something and it's a screensaver file you didn't ask for, delete it. Legitimate software almost never comes as &lt;code&gt;.scr&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;CountLoader isn't flashy. It doesn't announce itself with a ransom screen or a dramatic pop-up. It sits quietly, opens doors, and lets worse things in. That patience is exactly what makes it dangerous — and exactly why it's worth knowing about before it shows up on your machine.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>countloader</category>
    </item>
    <item>
      <title>RedLine Stealer: The Password Thief Hiding in a 98-Kilobyte File</title>
      <dc:creator>THREAT CHAIN</dc:creator>
      <pubDate>Mon, 06 Apr 2026 16:45:59 +0000</pubDate>
      <link>https://forem.com/threatchain/redline-stealer-the-password-thief-hiding-in-a-98-kilobyte-file-3dbb</link>
      <guid>https://forem.com/threatchain/redline-stealer-the-password-thief-hiding-in-a-98-kilobyte-file-3dbb</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;This article was originally published on &lt;a href="https://threatchain.io/redline-stealer-the-password-thief-hiding-in-a-98-kilobyte-file-31c17f9d" rel="noopener noreferrer"&gt;ThreatChain&lt;/a&gt; — decentralized threat intelligence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;The most prolific credential stealer of the year. Here's how to catch it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Picture this: you're searching for a free version of a popular tool — maybe a PDF editor, a game crack, or a software activation key. You download a small file, run it, and nothing seems to happen. No window opens. No installer appears. You shrug and move on with your day.&lt;/p&gt;

&lt;p&gt;But in those few silent seconds, a program just read every saved password from your browser, copied the login cookies for your bank and email, scanned your computer for cryptocurrency wallets, and sent it all to a stranger in another country.&lt;/p&gt;

&lt;p&gt;That's RedLine Stealer. And we just caught a fresh sample doing exactly this.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is RedLine, in Plain English?
&lt;/h2&gt;

&lt;p&gt;RedLine is an &lt;strong&gt;information-stealing malware&lt;/strong&gt; — think of it as a digital pickpocket. It doesn't lock your files for ransom or blow up your computer. It quietly rifles through your pockets, takes what's valuable, and leaves before you notice.&lt;/p&gt;

&lt;p&gt;Specifically, it hunts for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Saved passwords&lt;/strong&gt; in Chrome, Firefox, Edge, and other browsers&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Browser cookies&lt;/strong&gt; — the small tokens that keep you logged in to sites (if someone steals your cookie, they can become "you" on that site without needing your password)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cryptocurrency wallet data&lt;/strong&gt;, including browser extensions for wallets like MetaMask and Phantom&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credit card numbers&lt;/strong&gt; stored in your browser's autofill&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;System info&lt;/strong&gt; — your Windows version, hardware details, installed software, and IP address&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;RedLine doesn't keep any of this for itself. It packages everything up and ships it to a command-and-control server — basically the attacker's remote inbox — where someone either uses it directly or sells it in bulk on underground forums. Your Netflix login, your company VPN credentials, and your crypto wallet seed phrase could all be sold to different buyers within hours.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who's at Risk and Why This Matters
&lt;/h2&gt;

&lt;p&gt;If you use a Windows computer and have passwords saved in your browser, you're a potential target. Full stop.&lt;/p&gt;

&lt;p&gt;But some people should pay extra attention:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Small business owners and their teams&lt;/strong&gt;: RedLine doesn't discriminate between your personal Gmail and your QuickBooks login. One infected employee laptop can expose customer databases, financial accounts, and internal tools.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Developers&lt;/strong&gt;: Your GitHub tokens, cloud provider keys, and SSH credentials are gold to attackers.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Crypto holders&lt;/strong&gt;: This sample specifically contains code to find and extract browser-based crypto wallet extensions. The YARA detection rules (pattern-matching signatures researchers use to identify malware) flag it for embedded cryptocurrency wallet and browser extension IDs — meaning it comes pre-loaded with a shopping list of wallets to rob.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Remote workers&lt;/strong&gt;: Your VPN and single sign-on cookies could give an attacker a door straight into your company's internal network.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  This Specific Sample: Small, Deadly, and Well-Known
&lt;/h2&gt;

&lt;p&gt;The file we're looking at landed on threat intelligence platforms on &lt;strong&gt;April 6, 2026&lt;/strong&gt;, traced to infrastructure in the &lt;strong&gt;Netherlands&lt;/strong&gt;. Here's what makes it notable:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;494753620A36FC7694ABD06EAD8DDDD8.exe&lt;/code&gt; (also seen as &lt;code&gt;Implosions.exe&lt;/code&gt;, &lt;code&gt;gx4vktc.exe&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File size&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;~98 KB — tiny. Smaller than most photos on your phone.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;File type&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Windows .exe, built with .NET (Microsoft's software framework)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SHA-256 hash&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;31c17f9d3909a74cd700db4869526ebabe64dbbcb0d85574324a04d333ae7928&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection rate&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;65 out of 76&lt;/strong&gt; antivirus engines flagged it as malicious&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That detection rate is &lt;em&gt;astronomically high&lt;/em&gt;, which means most up-to-date antivirus software will catch this exact file today. But here's the uncomfortable truth: RedLine operators constantly generate new variants. This sample was detected by multiple analysis platforms — ANY.RUN, VMRay, CAPE, Kaspersky, Intezer, Spamhaus, and others — all independently confirming it as RedLine (some also label it &lt;strong&gt;SectopRAT&lt;/strong&gt; or &lt;strong&gt;ArechClient2&lt;/strong&gt;, which are closely related variants from the same family).&lt;/p&gt;

&lt;h2&gt;
  
  
  How the Attack Actually Works
&lt;/h2&gt;

&lt;p&gt;Let's walk through it like a story:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: The Bait.&lt;/strong&gt; The victim downloads what they think is legitimate software. RedLine often hides in fake software cracks, pirated programs, phishing email attachments, or even YouTube video descriptions promising "free" tools. The file names in this sample — &lt;code&gt;Implosions.exe&lt;/code&gt;, &lt;code&gt;gx4vktc.exe&lt;/code&gt; — suggest it might be disguised as a game mod or utility.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2: The Silent Launch.&lt;/strong&gt; When run, the .NET executable springs to life. The YARA rules that flagged this sample tell us two important things about how it operates:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;It uses encrypted or obfuscated code&lt;/strong&gt; — imagine the malware's instructions are written in a coded language that only it can read. This is designed to slip past security tools that scan files for known malicious patterns. Once it's running, it decodes itself in real time.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;It uses PowerShell obfuscation&lt;/strong&gt; — PowerShell is a built-in Windows tool that system administrators use legitimately every day. RedLine abuses it by running scrambled commands through PowerShell, essentially making Windows do its dirty work using the system's own tools. It's like a burglar using your own ladder to climb through your window.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Step 3: The Heist.&lt;/strong&gt; Within seconds, RedLine reads your browser's password database, copies saved cookies, checks for crypto wallets, and grabs system details. All of this data exists in specific files and folders on your computer — RedLine knows exactly where to look for each browser and each wallet.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4: The Getaway.&lt;/strong&gt; Everything gets bundled and sent to the attacker's server over an encrypted connection. Then, typically, the malware quietly exits. Some variants delete themselves afterward to cover their tracks.&lt;/p&gt;

&lt;p&gt;The whole process can take under a minute.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Real-World Damage
&lt;/h2&gt;

&lt;p&gt;Here's what happens &lt;em&gt;after&lt;/em&gt; the theft:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Account takeovers&lt;/strong&gt;: Attackers log in to your email, change your passwords, and lock you out. From there, they reset passwords on every service connected to that email.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Financial theft&lt;/strong&gt;: Saved credit cards get used for fraudulent purchases. Crypto wallets get drained — and those transactions are irreversible.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Business breaches&lt;/strong&gt;: Your stolen company credentials appear in an underground marketplace. Another attacker buys them and uses them to infiltrate your employer's network weeks later. This is how many major data breaches actually start — not with a sophisticated hack, but with one person's stolen browser password.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Identity fraud&lt;/strong&gt;: Your name, address, system details, and login credentials give criminals enough to open accounts in your name.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;RedLine-stolen credentials are one of the single biggest sources of data sold on dark web marketplaces. Security researchers have found &lt;em&gt;billions&lt;/em&gt; of credentials in underground databases traced back to info-stealer malware like RedLine.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Can Do Right Now
&lt;/h2&gt;

&lt;p&gt;You don't need an enterprise security team to protect yourself. Here are five concrete steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Stop saving passwords in your browser.&lt;/strong&gt; Use a dedicated password manager like Bitwarden (free) or 1Password instead. Browser-stored passwords are the first thing RedLine grabs, and they're stored in ways that are embarrassingly easy for malware to read.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Turn on two-factor authentication everywhere that offers it&lt;/strong&gt; — especially email, banking, and cloud services. Even if RedLine steals your password, a second factor (like a code from an authenticator app) blocks the attacker from getting in. Prefer an authenticator app over SMS when possible.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Don't download cracked or pirated software.&lt;/strong&gt; This is RedLine's number-one delivery method. If something is free and seems too good to be true, it probably comes with a pickpocket riding shotgun.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Keep Windows and your antivirus updated.&lt;/strong&gt; This specific sample is caught by 65 out of 76 antivirus engines — but only if your signatures are current. Turn on automatic updates and don't dismiss those restart notifications.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;If you think you've been infected&lt;/strong&gt;: change your passwords &lt;em&gt;from a different, clean device&lt;/em&gt; immediately. Start with your email, then banking, then anything financial. Check your crypto wallets. Enable login alerts on important accounts so you'll know if someone else gets in.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;RedLine isn't flashy. It doesn't show you a scary ransom note or make your screen go black. It's quiet, quick, and devastatingly effective — which is exactly what makes it one of the most successful malware families operating today. The good news? A little awareness and a few smart habits make you a much harder target.&lt;/p&gt;

&lt;p&gt;Stay curious. Stay careful.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>cybersecurity</category>
      <category>redlinestealer</category>
    </item>
  </channel>
</rss>
