[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1VlEDmIAp81VT7dV_sH_pwBSyKTEPBJtAwYTft6eU2I":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"66a8e10e-0c31-44e8-bda7-12b8b6905f6b","ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories","threatsday-game-cheat-spyware-24-hour-ransomware-chrome-sync-stalking-12-more-st-3c8f9f","A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess.","This week's security digest covers multiple active threat campaigns including 11 malicious NuGet packages masquerading as game cheats that deploy pepesoft.exe spyware, UAT-11795 distributing Starland RAT and WLDR C2 implant via trojanized installers, and Spirals ransomware encrypting victim networks within 24 hours. The threats exploit common attack vectors—trusted-looking repos, familiar software installers, and sync settings—to deliver credential theft, cryptocurrency wallet theft, and lateral movement capabilities.","Weekly roundup: Game cheat spyware, 24-hour ransomware, Chrome sync stalking, and 12 additional threat campaigns.","ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories Ravie LakshmananJul 16, 2026Hacking News \u002F Cybersecurity News A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess. Game cheats drop spyware 11 Malicious NuGet Tools Masquerade as Game Cheats to Drop Windows Surveillance Payload Cybersecurity researchers 11 malicious NuGet packages published as .NET command-line tools that present themselves as game utilities, bots, and \"panels,\" each of which act as a first-stage downloader responsible for fetching and executing a second-stage Python payload named \"pepesoft.exe\" from GitHub Releases and Hugging Face paths under the username \"pepegit666,\" along with a dormant BitTorrent fallback mechanism built into it. \"The recovered payloads use downloader-supplied AWS-style key material to retrieve remote configuration, authenticate to Google Sheets, bind activations to hardware, and honor a remote HWID\u002FUUID ban-list,\" Socket said. \"In the three direct-bytecode payloads, the larger game-automation application also exposes Telegram bot commands that can send screenshots back to the configured chat.\" Fake installers deploy RATs UAT-11795 Deploys Starland RAT and Bespoke WLDR C2 Implant UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary, has been observed conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. The activity delivers a Python-based remote access tool (RAT) dubbed Starland RAT and a command-and-control (C2) memory implant known as WLDR agent using trojanized installer lures for software like developer tooling, IT administration utilities, enterprise collaboration platforms, and consumer gaming applications (e.g., MobaXterm, WebEx, Zoom, DBeaver, and FaceIT). \"The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads,\" Cisco Talos said. Alternatively, UAT-11795 has been linked to the deployment of CastleStealer and Remcos RAT. The malware is designed to target victims' credentials and cryptocurrency wallet assets, harvest Active Directory information, and establish a persistent connection to the victims' machines from the C2 server, likely with an aim to deliver and execute further payloads. The majority of the infections are in the U.S., with fewer potential impacts recorded in Germany, Romania, and Venezuela. The attack chain makes use of ClickFix lures to distribute HTA scripts, which then download and run trojanized installers to deliver Starland RAT, which then uses \"curl.exe\" to execute a PowerShell stager for decrypting and running WLDR agent. In recent weeks, ClickFix has also served as a conduit for TELEPUZ, a modular malware, and ClickLock Stealer, a macOS-focused information and cryptocurrency wallet stealer targeting users in Europe, North America, and MEA. \"ClickLock Stealer targets data from 8 browsers, 31 crypto wallet browser extensions, 7 password manager extensions, 8 desktop wallet applications, extracts blockchain addresses across 6 chains, macOS Keychain, shell history, and FTP credentials,\" Group-IB said. Network encrypted within hours New Spirals Ransomware Encrypts Victim Network Within 24 Hours An IT services company in South Asia was targeted by a previously undocumented ransomware family called Spirals in June 2026. \"The Rust-based payload is either a new ransomware threat or one purpose-built for this attack,\" Broadcom's Symantec and Carbon Black Threat Hunter Team said. \"Less than 24 hours after the initial breach, the ransomware payload was being pushed to machines on the network.\" The attacker is said to have obtained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Over the next three hours, they established persistent access, conducted reconnaissance, uninstalled endpoint security software, dumped the Security Account Manager (SAM) hive, and set up covert remote access prior to deploying the payload across the network using PsExec. The ransom note seeks to apply pressure by threatening to publish stolen data after six days if a ransom is not paid and directs victims to a Tor portal for negotiations. The actor behind the attack remains unknown. Actively exploited flaws CISA Adds Oracle and KNX Association KNX Protocol Flaws to KEV Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-46817, an improper privilege management vulnerability in Oracle E-Business Suite, and CVE-2023-4346, an overly restrictive account lockout mechanism vulnerability in KNX Association KNX Protocol Connection Authorization Option 1, to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by July 18 and 29, 2026, respectively. Reports about active exploitation of CVE-2026-46817 emerged late last month. It's currently not known how the KNX Protocol flaw is being abused and by whom. New rules for vulnerability reports CISA Publishes Guidance on Responding to Vulnerability Reports CISA, in partnership with the National Security Agency (NSA), Japan Computer Emergency Response Team Coordination Center (JPCERT\u002FCC), Netherlands' National Cyber Security Centre (NCSC-NL), and United Kingdom's National Cyber Security Centre (NCSC-UK), has published joint guidance to \"helps software manufacturers and online service providers collaborate effectively with security researchers who identify weaknesses in software, networks, and hardware in a structured, transparent framework.\" The agency said a \"well-defined coordinated vulnerability disclosure (CVD) program enables software manufacturers and online service providers to better assess potential risk, improve their vulnerability management processes, and make informed decisions that improve product security for their customers.\" 700-person scam network dismantled Dutch Authorities Dismantle Global Cryptocurrency Investment Scam Authorities from the Netherlands have arrested a 46-year-old man with Israeli and Polish citizenship, who is alleged to be behind an international criminal organization with more than 700 employees who were employed at about 20 fraudulent call centers. These individuals posed as financial advisors to conduct investment fraud. \"By maintaining regular contact, sometimes over a period of months, these scammers build a bond of trust with their victims,\" the Dutch police said. \"The initial deposit is always a relatively small amount that yields an immediate profit. The online platform where victims can view their investments is indistinguishable from the real thing, yet in reality, no actual investments are being made. Scammers use a friendly approach and cunning tactics to manipulate victims into depositing ever-larger sums. The money – often cryptocurrency – that victims believe they are investing ends up in the scammers' pockets.\" The operation has also led to the arrest of four \"financial advisors.\" €140M fraud network disrupted Spanish Police Take Down €140M Cybercrime Network Spanish National Police have disrupted a cybercrime network accused of stealing and laundering about €140 million through fake investment platforms, CEO fraud, invoice fraud, and adversary-in-the-middle attacks across Europe. Four people have been apprehended in connection with the operation: two in Portugal, one in Spain, and one in Panama. \"The suspects established and managed a network of over 800 bank accounts to receive substantial sums of illicit money swindled from numerous victims; these funds were immediately","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fthreatsday-game-cheat-spyware-24-hour.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEioBa_Q-TYfQvhOH0gqZxwAzgn_QnC9YSD6GYI3-z53LVjJSL1MDl4Af_DSeuIA33luHnEkGIGe9eXbCGvyWZ2zfOELZLhLAJtAcCTzIrpEPPU2f-7hvztkeHhA89Fb3aTq7b-0HHHVSPUsmUKXOPbX17rwMGjB75yG_r4-9vyarYK77pmdgzy3YeIn46M4\u002Fs1600\u002Fthreatsday-recap.jpg","2026-07-16T15:41:15+00:00","2026-07-16T16:00:13.362629+00:00",9,[18,21,23,26,28,30],{"name":19,"type":20},"UAT-11795","threat_actor",{"name":22,"type":20},"Group-IB",{"name":24,"type":25},"Socket","vendor",{"name":27,"type":25},"Cisco Talos",{"name":29,"type":25},"Broadcom",{"name":31,"type":32},"NuGet","product","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":33,"icon":35,"name":36,"slug":37},null,"Threat Intelligence","threat-intelligence",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[60,63,66,69,72,75,78,81,84],{"type":58,"value":61,"context":62},"pepesoft.exe","Python-based second-stage payload delivered by malicious NuGet packages",{"type":58,"value":64,"context":65},"Starland RAT","Python-based remote access tool deployed by UAT-11795 via trojanized installers",{"type":58,"value":67,"context":68},"WLDR agent","PowerShell-based C2 memory implant with encrypted beaconing and task queuing",{"type":58,"value":70,"context":71},"CastleStealer","Credential and crypto wallet stealer deployed by UAT-11795",{"type":58,"value":73,"context":74},"Remcos RAT","Remote access trojan deployed by UAT-11795",{"type":58,"value":76,"context":77},"TELEPUZ","Modular malware distributed via ClickFix lures",{"type":58,"value":79,"context":80},"ClickLock Stealer","macOS-focused information and cryptocurrency wallet stealer targeting browsers, wallets, and password managers",{"type":58,"value":82,"context":83},"Spirals","Rust-based ransomware family that encrypts victim networks within 24 hours",{"type":58,"value":85,"context":86},"ClickFix","Lure mechanism delivering HTA scripts and trojanized installers"]