https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 16:07:382026-04-01 16:07:38Toy Giant Hasbro Hit by Cyberattack
While this post comes out on April 1, the threat described has little to do with April Fools’ Day — except for the fact that the CrystalX malicious RAT, discovered by Kaspersky experts, can do more than just gain remote access to a victim’s device, steal cryptocurrency and credentials from browsers and apps, or conduct actual surveillance. It can also flip the victim’s screen, swap mouse buttons, write nonsense directly onto the screen, and even block keyboard input. Furthermore, it’s advertised as malware-as-a-service (MaaS) — meaning it’s subscription-based — on Telegram and through instructional videos on YouTube.
In this post, we explain some basics as to how this new malware was built, what makes it difficult to detect, and what to do so you don’t end up among its victims.
A Swiss army knife for attackers
In March 2026, our experts discovered previously unknown malware circulating on private Telegram channels. Borrowing from classic marketing tactics, the Trojan was offered for purchase via three different subscription tiers. Its capabilities cover a fairly broad spectrum: judge for yourself what it can do to a victim’s computer:
Change desktop wallpaper to an image from a specified link
Rotate the screen by 90, 180, or 270 degrees
Simply shut down the computer
Swap mouse button assignments
Chat with the victim
Block both keyboard input and monitor output
Display any notification text chosen by the attacker
Disable specific components, such as Task Manager, the command prompt, and the Windows taskbar
Yet that’s only the harmless side of the malware — the prank functionality that harks back to the joke viruses of past decades. The real damage from CrystalX comes from its stealing login credentials for Steam, Discord, Telegram, and all Chromium-based browsers. It can also monitor and change the contents of the clipboard; typically, attackers watch for a crypto wallet address to be copied, and then swap it with their own. This is a popular scheme for stealing crypto: while intending to make a legitimate transfer, the victim copies the recipient’s wallet address, but ends up pasting the scammers’ address instead.
But there’s more: a keylogger feature and full device control with remote access to the screen, camera, and microphone — including video and sound recording capabilities.
The malware was first mentioned in January 2026 in a private Telegram chat for RAT developers. At that time, this Windows Trojan was called WebCrystal RAT and, based on technical details, was revealed to be a clone of another RAT known as WebRat. A short time later, the author of WebCrystal rebranded it as CrystalX RAT, and began touting the Trojan on a newly created Telegram channel.
The initial infection vector for this stealer is currently unknown, but according to telemetry the victims at the time of writing are predominantly located in Russia. And since we’re continuing to find new versions of the malware, we deem it a rapidly growing and evolving threat.
Anyone can become a hacker
Developing any complex cyberattack used to come with a steep learning curve. You needed to understand cryptography and network protocols, and know how to write code that could fool antivirus solutions. It was a high bar to clear, but the malware-as-a-service model has been changing the game.
These days, an attacker only needs basic computer literacy to rent a ready-made platform with a user-friendly user interface. The threat is becoming widespread specifically because malware creators aren’t carrying out the attacks themselves anymore — they’re selling shovels during a gold rush. They focus on supporting their customers, improving the user interface, and pouring money into aggressive marketing.
CrystalX malware control panel
Hackers are even setting up YouTube channels where they use the pretext of “for educational and entertainment purposes” to explain how to manage the Trojan from the control panel. Instructional videos that were once buried in the dark web have gone mainstream, putting hacking techniques in front of a broad, general audience.
How CrystalX bypasses security
No matter how technically advanced a hacking app’s code is, it will die as a project without a constant stream of new clients. This makes marketing efforts vital to its survival — even if they significantly increase the risk of the developer ending up behind bars. However, the creators of CrystalX have figured out how to protect their creation.
The control panel allows clients to build their own unique versions of the Trojan with extensive configuration options. For example, they can enable location filtering to target users in specific countries, choose an icon for the executable file, and toggle anti-analysis features. The finished Trojan is compressed using zlib and then encrypted with a ChaCha20 stream cipher using a 256-bit key and a 96-bit nonce. This ensures that every customer receives a unique version of the malware.
CrystalX is also capable of detecting virtual machines and checking if it’s running in a test or debugging environment, which complicates discovery. You can read more about the structure and functionality of this new Trojan in our Securelist story.
The good news for Kaspersky users is that our security solutions both detect and neutralize CrystalX.
How to avoid becoming a victim
Here are a few simple tips to help you avoid infection by CrystalX and other similar malware:
Pay attention if your computer starts acting up. Spontaneous screen rotation, the keyboard or mouse behaving erratically or locking up, and random notifications or chat windows can all be signs of a CrystalX infection. If anything like that happens, kill the internet connection immediately by physically unplugging the Ethernet cable or toggling off the Wi-Fi. Then, use a flash drive to install our security suite to root out the virus.
Make sure you download software only from official websites and trusted marketplaces. Avoid pirated software, license key generators, and free versions of paid applications: these builds are the most common hiding spots for Trojans.
Don’t fall for “tutorial” videos that push questionable tools for “administration”, “optimization”, or “security testing”. If the blogger says you should disable your antivirus to complete installation, that’s a major red flag and a reason to stop watching.
Be careful with files you receive through messaging apps. Password-protected archives containing “important documents” or “cool private builds” are typical containers for malicious software.
Regularly update your operating system and apps. Fresh patches plug security holes that let malware slip onto your system silently and without any interaction from your side.
Use a reliable security suite, such as Kaspersky Premium. It detects and blocks Trojan installation or download attempts.
Read more about remote access Trojans, miners, crypto-stealers, and other digital nasties:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 16:07:312026-04-01 16:07:31CrystalX RAT: a Trojan for pranks, remote access, and cryptocurrency theft | Kaspersky official blog
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 14:08:332026-04-01 14:08:33FBI Warns of Data Security Risks From China-Made Mobile Apps
March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. ANY.RUN analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient botnet infrastructure affecting organizations across industries.
From Microsoft 365 token abuse and registry-hidden RAT delivery to card theft, macOS backdoor activity, and multi-vector DDoS operations, the threat landscape in March showed how much harder early detection has become for security teams.
Key Business Risks That Stood Out in March Attacks
Trusted services and normal-looking workflows were repeatedly used to hide malicious activity, increasing the risk of delayed detection across enterprise email, cloud, payment, and endpoint environments.
Attacks observed in March affected industries including government, finance, healthcare, technology, education, manufacturing, and energy, with risks extending beyond initial access into token abuse, remote access, card theft, and broader malware deployment.
Stealthy, multi-stage delivery methods made early signals weaker and investigations slower, raising the likelihood of escalation before security teams could confirm malicious behavior.
For organizations, the business impact was not limited to infection alone, but included fraud, downtime, deeper compromise, and higher operational costs tied to delayed response.
Reduce the risk of delayed detection
Help your team investigate faster and respond earlier
ANY.RUN analysts observed a sharp rise in EvilTokens, a phishing campaign abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week. Instead of stealing credentials on a fake login page, attackers trick victims into entering a verification code on microsoft[.]com/devicelogin, which causes Microsoft to issue OAuth tokens directly to the attacker.
Execution chain of EvilTokens
This makes EvilTokens especially dangerous for organizations relying on traditional phishing detection. The user signs in through a legitimate Microsoft page, completes MFA, and never submits credentials to the phishing site. As a result, the compromise shifts from password theft to token abuse, giving attackers access to Microsoft 365 resources while blending into normal authentication activity.
Because the workflow runs over encrypted HTTPS and uses legitimate Microsoft infrastructure, key attack signals are often hidden from security teams. That delays validation, extends investigations, and increases the chance of escalation before analysts can confirm what happened.
Fake verification granting access to external client
Inside ANY.RUN Sandbox, automatic SSL decryption revealed the hidden JavaScript and backend communication used to orchestrate the phishing flow. In this case, analysts uncovered high-confidence network indicators such as:
/api/device/start
/api/device/status/*
X-Antibot-Token
When seen in HTTP requests to non-legitimate hosts, these artifacts become strong hunting signals for identifying related phishing infrastructure and improving detection coverage.
To investigate similar activity and validate detection logic, use this TI Lookup query:
Targeted industries and countries displayed in TI Lookup
TI Lookup helps teams quickly assess the broader attack landscape around EvilTokens and related OAuth phishing activity. Recent submissions show notable targeting across Technology, Education, Manufacturing, and Government & Administration, especially in the United States and India, while other regions are also affected.
Get broader visibility into malware and phishing activity
Use TI Lookup to track related infrastructure and IOCs
This gives SOC teams access to related sandbox analyses, IOCs, and behavioral patterns they can use to strengthen detections and hunting. For CISOs, that means earlier visibility into relevant campaigns, better prioritization of response efforts, and a stronger ability to reduce the business impact of Microsoft 365 account takeover.
ANY.RUN analysts identified a macOS-specific ClickFix campaign targeting users of AI tools such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. In the observed case, attackers used a redirect from Google Ads to a fake Claude Code documentation page, where a ClickFix flow pushed the victim to run a terminal command that ultimately delivered AMOS Stealer.
Fake Claude Code documentation page used as a lure
Once executed, the infection chain moved beyond credential theft. The malware collected browser data, saved credentials, Keychain contents, and sensitive files, then deployed a backdoor that provided continued access to the infected Mac. This makes the attack more serious than a one-time stealer infection, especially in enterprise environments where macOS systems often hold developer access, internal documentation, and business-critical credentials.
How the attack unfolds:
Google Ads redirect sends the victim to a fake Claude Code documentation page
ClickFix lures the user into running a terminal command
The command downloads and executes an encoded script
The updated ~/.mainhelper module enables an interactive reverse shell over WebSocket with PTY support
AMOS Stealer detected by ANY.RUN
A key finding in this case was the evolution of the backdoor module ~/.mainhelper. Previously described as a more limited implant, the updated variant now supports a fully interactive reverse shell, giving attackers persistent, hands-on access to the infected system in real time.
For defenders, that changes the risk significantly. What starts as a phishing-style ClickFix infection can quickly turn into long-term remote access, data theft, and broader compromise. Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components also break visibility into weaker signals, which can slow validation and delay escalation.
macOS ClickFix campaign details discovered by ANY.RUN
ANY.RUN Sandbox helps teams investigate macOS, Windows, Linux, and Android threats with visibility into execution flow, attacker behavior, persistence mechanisms, and dropped artifacts. In cases like this, this cross-platform threat analysis helps analysts confirm malicious activity faster, attribute the intrusion with greater confidence, and strengthen detection logic before the compromise expands further.
Expand your SOC’s cross-platform threat visibility
Reduce breach risk with analysis across 4 major operating systems
ANY.RUN analysts detected RUTSSTAGER, a stealthy malware stager that hides a DLL inside the Windows registry in hexadecimal form, making the payload harder to spot during early triage. In the observed chain, the stager led to the deployment of OrcusRAT, followed by an additional binary that helped maintain persistence, ran PowerShell-based system checks, and relaunched the RAT when needed.
What makes this threat notable is the way it avoids a straightforward on-disk delivery path. By storing the DLL in the registry instead of dropping it as a conventional file, the malware reduces its visibility and gives defenders fewer obvious artifacts to catch at first glance. The follow-on activity then helps stabilize the infection and keep remote access available on the compromised system.
Inside ANY.RUN Sandbox, behavioral analysis exposed how the infection unfolded across stages, while file system and process monitoring helped reveal the relationship between the stager, the deployed RAT, and the persistence component. Process synchronization events were especially useful here, showing that the payload components were not acting independently but as part of a coordinated, multi-stage execution chain.
Catch multi-stage malware before it goes further
Expose hidden execution chains and speed up validation
To explore related activity, review relevant sandbox analyses and assess the broader threat landscape, use the following TI Lookup query: registryName:”^rutsdll32$”
ANY.RUN analysts identified phishing emails carrying HTM/HTML attachments disguised as PDF files. In the observed case, a file named pdf.htm opened a fake login page and sent submitted credentials in JSON format through an HTTP POST request to the Telegram Bot API.
Attack details discovered by ANY.RUN
The attack relies on a simple but effective disguise: the attachment looks like a document but actually launches a phishing page designed to collect login data. Some samples also include obfuscated scripts, which makes the credential theft logic less obvious during manual inspection and slows down triage.
Once a victim enters their credentials, attackers can use them to access business email, internal services, and other corporate systems tied to the compromised account. For security teams, this turns what may look like a routine attachment into a fast-moving account takeover risk.
Less than 1 minute required to reveal the phishing behavior inside ANY.RUN sandbox
Inside ANY.RUN Sandbox, the phishing behavior became visible in under 60 seconds, exposing the outbound communication, loaded scripts, and file contents involved in the theft flow. This helps teams quickly confirm whether an attachment is just suspicious or part of an active credential-harvesting attack, reducing review time and helping analysts act before the stolen access is used.
ANY.RUN analysts observed a phishing campaign targeting organizations in Colombia, particularly in government, finance, oil and gas, and healthcare. The attackers use Spanish-language phishing emails with an attached SVG file that acts as more than an image: it contains embedded JavaScript that rebuilds the next attack stage locally through SVG smuggling.
SVG smuggling campaign details revealed by ANY.RUN
Instead of downloading a payload from an external source right away, the SVG uses a blob URL to generate an intermediate HTML lure inside the browser. That lure imitates a document-related workflow and creates a password-protected ZIP archive for the victim to open, pushing the attack forward while reducing obvious early network signals.
This staged delivery makes the campaign harder to catch during initial triage. SVG smuggling, blob-generated content, and the later use of legitimate Windows components break the compromise into smaller artifacts that may look weak or unrelated on their own, slowing detection and investigation.
Inside ANY.RUN Sandbox, analysts were able to reconstruct the full flow:
SVG smuggling → Blob-based HTML lure → Password-protected ZIP → Notificacion Fiscal.js → radicado.hta → J0Ogv7Hf.ps1 → C2 communication
That visibility helps security teams connect scattered artifacts faster, uncover hidden delivery stages, and confirm malicious activity before the intrusion progresses further.
Catch hidden delivery chains before they lead to compromise
Give your team earlier visibility into multi-stage attacks
ANY.RUN analysts uncovered an active Magecart campaign targeting e-commerce websites, with a notable concentration in Spain. In the observed cases, attackers hijacked checkout flows, replaced legitimate payment steps with fake interfaces, and stole card data through WebSocket-based exfiltration.
WebSocket exfiltration code
What makes this campaign especially dangerous is its durability. The operation remained active for more than 24 months and relied on a large infrastructure of 100+ domains, using staged payload delivery, fallback domains, and payment-page mimicry to stay operational and avoid disruption. In Spain-focused cases, the attackers notably abused Redsys-themed payment context to make the fraudulent flow appear legitimate.
The campaign also stood out for how it blended card theft into trusted payment experiences. Instead of relying on a simple fake form, the malware dynamically adapted the checkout page, injected malicious elements, and transmitted stolen payment data outside normal HTTP flows, making detection harder for defenders and increasing fraud risk for banks and payment ecosystems.
PayPlug SAS payment window imitation displayed inside ANY.RUN sandbox
Inside ANY.RUN Sandbox, analysts exposed the multi-stage delivery logic, malicious script injection, fake payment overlays, and WebSocket-based card data exfiltration. This helps security teams understand how the skimmer operates, identify related infrastructure faster, and strengthen detections against long-running payment theft campaigns.
7. Kamasers: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide
ANY.RUN published a detailed technical analysis of Kamasers, a multi-vector DDoS botnet designed to carry out both application-layer and transport-layer attacks while also supporting follow-on payload delivery. The research shows how the malware operates, how it receives commands, and why it creates risk beyond disruption alone.
Communication between the infected host and the C2 server observed inside ANY.RUN
Inside the sandbox, analysts observed the botnet retrieving command-and-control data, communicating with active infrastructure, executing DDoS-related commands, and in some cases downloading additional files for execution. This helps security teams confirm malicious behavior faster and understand whether an infected host is being used only for flooding activity or as part of a broader compromise.
Kamasers supports multiple attack methods, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. In addition, it can act as a loader, which increases the risk of further malware delivery, data theft, or ransomware.
Reduce the chance of data theft and financial loss
Help your team contain threats before the damage grows
Another notable finding was the botnet’s resilient Dead Drop Resolver design. Instead of depending on a single static C2 location, Kamasers uses legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and Etherscan to retrieve active command-and-control addresses, making disruption and early detection more difficult.
DDR links in the Kamasers codebase
For organizations, that means a single infected system can become both a source of external attacks and a foothold for deeper intrusion, increasing operational, financial, and reputational risk.
To review related sandbox analyses and broader activity, use the following TI Lookup query:
ANY.RUN analysts found MicroStealer, a fast-spreading infostealer that gained traction despite limited public detection. In observed activity, the malware appeared in 40+ sandbox sessions in less than a month, using a multi-stage chain to steal credentials, session data, screenshots, and wallet files.
Inside the sandbox, analysts were able to quickly confirm how the threat unfolds and what data it targets. This kind of visibility helps security teams move from an unclear file to a confident verdict faster, reducing review time and lowering the chance of missed credential theft.
How the attack unfolds:
NSIS installer delivers the initial payload
Electron loader requests elevated privileges and launches the next stage
Java module executes the main stealer logic
Browser credentials, session data, screenshots, and wallet files are collected
Stolen data is sent to attacker-controlled infrastructure
What makes MicroStealer notable is not only what it steals, but how it delays confident detection. The layered NSIS → Electron → Java execution chain, combined with obfuscation and anti-analysis checks, makes the malware harder to understand during early triage.
To review related sandbox analyses and broader activity, use the following; TI Lookup query:
ANY.RUN TI Lookup demonstrates relevant sandbox sessions with MicroStealer
For organizations, this risk goes beyond a single infected endpoint. Stolen browser credentials and active sessions can give attackers access to SaaS apps, internal systems, and cloud services, increasing the chance of account compromise and broader intrusion.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect threats earlier, investigate incidents faster, and build stronger response workflows. With Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, the company gives SOC and MSSP teams the visibility and context they need to move from alert to confident decision more quickly.
Today, more than 15,000 organizations and 600,000 security professionals worldwide rely on ANY.RUN. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 14:08:282026-04-01 14:08:28Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 13:06:582026-04-01 13:06:58I tested ChatGPT vs. Claude to see which is better – and if it’s worth switching
For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next.
Threat actors now use malware less frequently in favor of what’s already inside your environment, including abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 12:06:492026-04-01 12:06:493 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
New York, New York, April 1st, 2026, CyberNewswire
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 11:06:282026-04-01 11:06:28Cybersecurity Firm TAC Security Hits 10,000 Clients, Enters Top 5 in Global VM & AppSec
New research from Octagon Networks reveals a critical zero-day ImageMagick vulnerability that allows Remote Code Execution (RCE) via simple image uploads affecting Ubuntu, Amazon Linux, and WordPress. This magic byte shift bypasses even the most secure policies.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-01 11:06:272026-04-01 11:06:27ImageMagick Zero-Day Enables RCE on Linux and WordPress Servers
Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.
“No sensitive customer data or credentials were involved or exposed,” an Anthropic spokesperson said in a statement shared with CNBC News. “This was a release packaging issue caused by human error, not a security