May 28, 2026
Canndelta ClickFix Campaign Abusing Donut Shellcode to Deploy PureLogs Stealer
Threat Research
Executive Summary: This research analyzes a ClickFix-based malware campaign distributing the .NET-based PureLogs stealer through the spoofed licensing-themed website canndelta[.]com. Victims are socially engineered into executing malicious PowerShell commands, initiating a multi-stage infection chain involving staged PowerShell loaders, Donut shellcode,…
May 20, 2026
Malicious Payload Delivery Discovered in Guardrails-AI PyPI Package
Threat Research
Executive Summary: During an investigation into recent AI-related software supply chain threats targeting the Python ecosystem, suspicious activity was identified involving the guardrails-ai PyPI package, specifically version 0.10.1. The package is a widely used AI validation framework designed to enforce…
May 20, 2026
ClickFix Abuse: Fake Google Meet Delivers SalatStealer
Threat Research
Introduction: ClickFix-style social engineering campaigns continue to evolve as threat actors increasingly rely on legitimate Windows utilities and user-assisted execution to evade traditional security controls. In this campaign, attackers impersonate Google Meet through a fraudulent verification portal that tricks…
May 12, 2026
HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading
Threat Research
Introduction: HWMonitor, a legitimate hardware monitoring utility developed by CPUID, was observed distributing a trojanized archive through a compromised download workflow. Analysis of a Reddit post led to the discovery of a malicious ZIP archive hosted on a Cloudflare…
May 7, 2026
ClickFix to PureHVNC: Multi-Stage Malware Delivery via Fake Booking Portal
Threat Research
Introduction: This campaign leverages the ClickFix social-engineering technique through a fake Booking-themed verification portal hosted at hxxps://bkngpanelcntlrguest[.]com to trick users into manually executing malicious PowerShell commands. By abusing legitimate Windows utilities such as PowerShell, the attackers achieve user-assisted code execution and…
April 24, 2026
Xinference PyPI Supply Chain Attack: Credential Theft, Cloud Abuse, and Crypto Wallet Targeting
Threat Research
Executive Summary: This report analyzes a supply chain compromise involving malicious Xinference packages on PyPI, which were used to exfiltrate sensitive data, harvest cloud credentials, and target cryptocurrency wallets. On April 22, 2026, a user reported that Xinference version…
April 17, 2026
CrySome RAT: Multi-Layered Userland Evasion and Post-Exploitation Framework
Threat Research
Overview: CrySome RAT is a .NET-based remote access trojan designed for post-compromise control, credential harvesting, and covert system interaction. The malware prioritizes persistence, defense evasion, and operator control over initial access techniques.
April 13, 2026
LiteLLM Supply Chain Compromise: Downstream Impact Analysis with Mercor Breach Case Study
Threat Research
Executive Summary: A supply chain compromise affecting the LiteLLM library (versions v1.82.7 and v1.82.8) resulted in the distribution of malicious packages via PyPI. These packages contained embedded data exfiltration capabilities, enabling unauthorized data collection from downstream environments. Multiple organizations were…
April 8, 2026
Fake OpenClaw AI Tool Used to Deliver Infostealer via ClickFix Attack Chain
Threat Research
Overview: This report analyzes a malware distribution campaign leveraging a spoofed OpenClaw platform to deliver an infostealer payload. The campaign relies on ClickFix-style social engineering to trick users into executing malicious commands manually, bypassing browser-based security controls. Once executed,…
April 1, 2026
Crypto Drainers: From Wallet Approval Abuse to Malware-Assisted Web3 Attacks
Threat Research
Introduction: Crypto drainers represent a class of financially motivated threats targeting Web3 users by abusing blockchain transaction authorization mechanisms rather than exploiting software vulnerabilities. Instead of stealing credentials or deploying traditional malware, these attacks manipulate…
March 26, 2026
SURXRAT: MaaS Android RAT Leveraging Telegram and Firebase Infrastructure
Threat Research
Executive Summary: SURXRAT is an Android-based Remote Access Trojan (RAT) operating under a Malware-as-a-Service (MaaS) model and distributed primarily through Telegram channels. The malware provides operators with full remote control over infected devices, enabling surveillance, data exfiltration, and device…
March 17, 2026
Detecting Oblivion Android RAT: Accessibility Abuse, OTP Interception, and Mobile Threat Behavior
Threat Research
Overview: Oblivion is an Android Remote Access Trojan (RAT) advertised on underground forums as a comprehensive mobile surveillance and fraud toolkit. The malware is promoted with capabilities ranging from remote device interaction to credential theft and persistent access.