PacketPursuit

> Analyses_

~/packetpursuit $ ls /intel/analyses/

  • unclassified-pe64-clipper: af6e1f46 — MinGW-w64 infostealer with wallet regex, Telegram user ID, and screenshot capture (2026-06-16)
  • hippamsascom: 341165a42115 (2026-06-16)
  • hippamsascom: c20bbb80 — Olson Group masquerade, 502 semantic export flood, self-loading dropper (2026-06-15)
  • hippamsascom: 8eddf076bf8b (2026-06-15)
  • connectwise: 7145e8 — Self-contained MSI-based ScreenConnect client installer, hardcoded C2 at 134.122.4.2:8041 (2026-06-15)
  • phorpiex: Phorpiex x64 CPlApplet PNG Payload Dropper (2026-06-15)
  • netsupport-inno-dropper: 177bfc846a77 (2026-06-15)
  • acrstealer: d5655568 — Fourth signed Go 1.26.2 sibling, module JPYhJIzovpOdAaG, custom PE parser + multi-pass decoder (2026-06-09)
  • phorpiex: bb77ef06 — $500 USD sextortion spam bot, earliest known May-22 campaign build (2026-06-07)
  • connectwise: 81adbf9a — Authenticode-backed ClickOnce runner for ScreenConnect remote-access deployment (2026-06-07)
  • quasar (2026-06-07)
  • phorpiex: 025f5798 — MSVC9 thin HTTP downloader, earlier build (13:06 UTC) missing 15.exe payload (2026-06-07)
  • unclassified-pe32-nfe-loader: ded59ec4 — MinGW AES-like dropper, Brazilian NFe lure (2026-06-06)
  • unclassified-pe32-nfe-loader: ac20be18 — 4 KB MinGW launcher stub for core.dll (2026-06-06)
  • xenorat: 6133cd0b — .NET Framework 4.8 RAT, LZNT1 compression, async C2 node architecture (2026-06-06)
  • coinminer: 359fcf01 — PyInstaller bootloader sibling, Sep 2018 MSVC build, AES-encrypted overlay with weak QWERTY key (2026-06-06)
  • hippamsascom: 1cf56da3 — Mayer-Ondricka CSS matrix self-loading dropper (2026-06-06)
  • quasar (2026-06-06)
  • remcos: c6193af6 — v1.7 Pro, enlarged 593-byte SETTINGS RCData (2026-06-05)
  • unclassified-dotnet-bitmap-stego-loader: 4bf14434ef61 (2026-06-05)
  • silverfox: e772de93 — C x64 stub with Sangfor EDR masquerade and dual-lang .rsrc icon set (2026-06-04)
  • remcos: 5a1e57f7b0 — v1.7 Pro sibling, 531-byte SETTINGS RCData (2026-06-04)
  • silverfox: 452e085f — MSVC C++ x64 process hollowing injector with LZSS decompressor and privilege escalation (2026-06-04)
  • unclassified-pe32: 027aeb2eb483 (2026-06-04)
  • unclassified-batch-powershell-dropper: cae0056acc2f (2026-06-03)
  • phorpiex: 6b8527a7 — MSVC9 thin HTTP downloader with mutex-gated payload branching (2026-06-03)
  • remcos: 0f723826 — v1.7 Pro, Jan 2017, no packer (2026-06-03)
  • nanocore: fe81691f — VB.NET ConfuserEx dropper, NanoCore v1.2.2.0 RAT (2026-06-02)
  • 54e64e: c8db13c1 — UPX-packed x64 sibling with modified packer, zero readable strings, Amadey-dropper pedigree (2026-06-02)
  • 9d2ca3: a7b9f3dd — Go 1.25.4 PE64 infostealer with randomized module path and fabricated Authenticode (2026-06-02)
  • coinminer: 640ed5b5 — PyInstaller bootloader sibling, 735 KB, September 2018 cluster (2026-06-02)
  • coinminer: 5047235c — PyInstaller bootloader sibling with appended sub-PE, 1.8 MB overlay (2026-06-02)
  • unclassified-js-dropper: 0e4141aa — WScript→PowerShell→.NET assembly loader with debugger/sandbox gate (2026-06-02)
  • maskgramstealer: abeaa63b — MinGW-w64 PE64 infostealer with runtime API resolution and wallet-seed regex (2026-06-01)
  • 54e64e: 3b13b28c — MSVC C++ certpert dropper with fake diagnostic masquerade, Defender exclusion, and HTTP payload fetch (2026-06-01)
  • 9d2ca3: 2d39ed5e — Amadey-dropper, MinGW-w64 x64 with 2.55 MB encrypted .data payload (2026-06-01)
  • lummastealer: e03dd36f — x64 sibling, fraudulent cert, runtime API decoding (2026-05-31)
  • ayrseushop: 5a5b3373 — MSVC x64 infostealer with runtime string-decryption, clipboard+screenshot harvesting (2026-05-31)
  • hippamsascom: 0c9e772d8730 (2026-05-31)
  • pyinstaller-pyarmor-dropper: d297973f — PyInstaller single-file bootloader with PyArmor-obfuscated Python 3.13 payload (2026-05-30)
  • dolphin: ca6be0bf — Rust x64 polymorphic RAT/stealer with 80+ task types, WebSocket C2, masquerading as NVIDIA Display Container LS (2026-05-30)
  • silverfox: 82d42551 — Lean C-based x64 stub (50K) sharing stream-cipher constants and thunk dispatch (2026-05-30)
  • menomoushop: 3aca18df — Go 1.25.4 PE64 infostealer, Authenticode signed CN=maybe.us, randomized function names (2026-05-30)
  • spamita: 129ef9250b91 (2026-05-30)
  • euone: 0c9236cf — Delphi VCL installer with embedded 202 KB RCData payload (2026-05-30)
  • acrstealer: f93d8d79 — Signed Go 1.26.2 sibling with stripped .rsrc, module gesiimdPYMojqEh (2026-05-29)
  • silverfox: ed1a0047 — Rust x64 dropper with LZSS payload extraction and ntdll unhooking (2026-05-29)
  • prometei: e6ce5dd2d422 — UPX-packed ELF64 systemd dropper, HTTP CGI C2 (2026-05-29)
  • lummastealer: d5647efd — Go 1.25.4 signed PE32, no .rsrc, certificate www.sjabr.org (2026-05-29)
  • neuralpulsecore5sbs: 47a2204d — First x64 sibling, Sectigo-signed, no hardcoded C2 (2026-05-29)
  • acrstealer: 1bfebf79c24d0813eb39fec74637d52b008188812631a4f666a59fae7c0cef2c — Deep Analysis (2026-05-29)
  • acrstealer: 16a4344d — Signed Go 1.26.2 PE32, module hlHtIOAoWQhvCrI, cert CN=me.muz.li (2026-05-29)
  • asgardprotector: d59dc2f2 — IExpress SFX dropper embedding AutoIt3 + compiled A3X script (2026-05-27)
  • asgardprotector: d364a2f6 — IExpress SFX dropper embedding AutoIt3 + Dayton.a3x script (2026-05-27)
  • acrstealer: c577c6c8 — Signed Go 1.26.2 PE32 sibling, randomized module PfeYrYvazVUGgZq (2026-05-27)
  • coinminer: c4ac7426 — Signed 7-Zip SFX dropper, VC++ redist masquerade, password-protected archive (2026-05-26)
  • coinminer: 801fbba1 — PyInstaller bootloader, Sep 2018 MSVC build, embedded Python payload (2026-05-26)
  • acrstealer: 6871848b — Signed Go 1.26.2 PE32, randomized module names, C2 5.252.155.72 (2026-05-26)
  • meterpreter: 5da21aa2 — x64 reverse_tcp stager with inline sockaddr, zero IAT (2026-05-26)
  • coinminer: 39b67a79 — PyInstaller bootloader sibling, 4.3 MB with 94% zlib overlay (2026-05-26)
  • chacha8: svchost.exe — ChaCha20 stream-cipher file encryptor with in-place overwrite, no C2 (2026-05-26)
  • nfedigitalcom: ffdd7105
  • sunwukong: fa16b64a — Semantic export obfuscation and PEB-walking API resolution
  • unclassified-batch-powershell-dropper: eda47a53 — pastefy/GitLab variant, Sostsenrer2 C2
  • mirai: ebceb9dbc06f
  • unclassified-pe32-dotnet: d5b11a1cb3ad
  • eu0file: d46e2b49 — False positive: legitimate Windows 8.1 mspaint.exe mis-tagged in gcleaner distribution context
  • asyncrat: d3bb6eb48a3f
  • 54e64e (misattributed): cc4aa789 — Go 1.25.4 x64 signed infostealer, randomized main functions, no hardcoded C2
  • silverfox: beb3a9d9 — Authenticode-signed C x64 sibling with LZSS .rdata payload and process enumeration
  • asyncrat: abf498a10e71
  • hippamsascom: 9a3c18be3957
  • phorpiex: Phorpiex spam dropper — screensaver-masqueraded MSVCR90 stub with .rsrc payload staging
  • remotepe: 710f15302859
  • orderreshop: 6f6f0525 — Go infostealer with custom PE parser and multi-pass string decoder
  • remotepe: 6b33d2019626
  • hippamsascom: 630202e68560
  • remotepe: 62e040a32aac
  • acrstealer: 624f52cc31cd
  • 59cbfe5c — Unclassified JS Dropper
  • unclassified-go-pe64: 589af0f8 — Signed Go GUI binary with MD5 hash function, DV cert on maybe.us
  • nfedigitalcom: 4eb1fbf2 — Delphi NFe certificate plugin DLL, May 2026
  • 4818d00fee9f
  • 9d2ca3: 29149758 — Go 1.25.4 x64 signed infostealer with randomized module path and fused-string API decoding
  • phorpiex: Phorpiex sextortion spam bot — MSVCR90 SMTP engine, ZIP constructor, HTTP downloader
  • phorpiex: Phorpiex sextortion spam bot — MSVCR90 stub with SMTP engine, ZIP constructor, and hardcoded BTC wallet
  • silverfox: SilverFox RC4 Loader
  • 0bc60a0e1158
  • unclassified-pe32plus: 0b6a849a68a4

© 2026 PacketPursuit | Jacob Wills | recon | exploit && defend | repeat >> theGrind.log | status