Cybereason Security Services identified Tangerine Turkey, a cryptomining campaign first reported in late 2024, leveraging VBScript and batch files to deploy XMRig cryptocurrency mining payloads across victim environments. The campaign spreads globally, targeting organizations indiscriminately across multiple industries through infected USB drives containing malicious VBScript files. The attack begins when wscript.exe executes malicious VBScript x817994.vbs from a removable drive mounted on the victim system, which spawns cmd.exe to run secondary batch file x966060.bat. The campaign demonstrates defense evasion by creating a masqueraded directory C:\Windows \System32\ with a trailing space character, distinguishing it from the legitimate C:\Windows\System32 directory. The batch file abuses legitimate Windows binary printui.exe as a living-off-the-land binary to sideload malicious library svculdr64.dat alongside printui.dll, while simultaneously launching explorer.exe to open the USB Drive directory as user distraction. The malware uses xcopy.exe to copy printui.exe and payload components x209791.dat into the fake System32 directory. The attack chain continues with printui.exe spawning cmd.exe to execute obfuscated PowerShell commands that add Windows Defender exclusions for the System32 directory using Add-MpPreference -ExclusionPath “C:\Windows\System32”, blinding security controls from detecting further malicious activity. The malware attempts cleanup by deleting staging file svculdr64.dat and issuing rmdir /s /q “C:\Windows ” command, though the trailing space in the path prevents actual deletion of the operating system directory while highlighting destructive intent.

Impact: The VBScript worm spreads laterally across environments via removable USB drives, enabling rapid infection of multiple systems within organizations through physical device sharing. The abuse of living-off-the-land binaries including wscript.exe and printui.exe allows the malware to execute within trusted Windows processes, evading application whitelisting and behavioral detection mechanisms. Windows Defender exclusion additions prevent antivirus scanning of the System32 directory where malicious payloads reside, significantly reducing detection probability. The XMRig cryptocurrency miner consumes CPU and GPU resources for unauthorized Monero mining, degrading system performance, increasing electricity costs, and potentially causing hardware damage through sustained high utilization. The directory masquerading technique using trailing spaces complicates manual investigation and automated remediation efforts by creating visually identical paths that differ programmatically.

Recommendation: Block or strictly limit USB mass storage device usage through Group Policy configurations, disabling autorun features and restricting execution of .vbs and .bat files from removable media. Implement Device Control solutions to prevent unauthorized USB drive connections and enforce approval workflows for legitimate removable media requirements. Deploy application control using AppLocker or Windows Defender Application Control to restrict abnormal usage of wscript.exe and printui.exe, particularly when launching from removable drives or non-standard directories. Scan for file paths containing C:\Windows \System32\ with trailing spaces and investigate any scheduled tasks or services pointing to executables in non-standard System32 directories. Monitor for printui.exe process execution outside of legitimate printer configuration scenarios and investigate any DLL sideloading attempts. Block execution of files matching patterns x#####.vbs, x#####.bat, and x#####.dat from removable drives and temporary directories. Conduct user awareness training emphasizing USB hygiene and risks of connecting unknown removable media to corporate systems.

Palo Alto Networks’ Unit 42 has identified a new Windows-based malware family named Airstalk, available in PowerShell and .NET variants. The malware is assessed with medium confidence to be associated with a suspected nation-state actor and linked to a supply chain attack tracked as CL-STA-1009. Airstalk uses VMware’s AirWatch (Workspace ONE) MDM API to establish covert command-and-control (C2) channels. It is capable of exfiltrating browser data such as cookies, bookmarks, history, and screenshots. The malware communicates via the /api/mdm/devices/ endpoint using custom device attributes to exchange serialized JSON messages. The .NET variant includes multi-threaded C2 communication, versioning, and beaconing, and supports a broader set of tasks than the PowerShell variant. Both variants use signed binaries, including certificates that appear to be stolen and later revoked. The malware also manipulates timestamps and mimics legitimate applications to evade detection.

Impact: Airstalk enables unauthorized access to sensitive browser session data and system information, particularly in environments managed by third-party vendors such as BPOs. Its use of trusted APIs and signed binaries complicates detection and response efforts. If deployed successfully, it may allow attackers to impersonate users, access internal systems, and maintain long-term persistence across multiple organizations.

Recommendation: Monitor AirWatch/Workspace ONE API usage for unusual file upload and custom attribute activity. Track known IOCs and binaries with revoked or suspicious certificates, including those issued by Aoteng Industrial Automation. Enforce script execution restrictions for PowerShell and .NET scripts.

Socket Threat Research Team discovered malicious NuGet packages typosquatting Nethereum, the standard .NET library for Ethereum with tens of millions of downloads, to exfiltrate cryptocurrency wallet keys and transaction data. The primary package Netherеum.All, published October 16, 2025, employed a Cyrillic “e” character (U+0435) instead of Latin “e” in its name, appearing identical during casual inspection and in copyable install commands. Socket reported the package on October 18, 2025, and NuGet removed Netherеum.All and suspended publisher account nethereumgroup on October 20, 2025, resulting in a four-day exposure window. Investigators linked this sample to an earlier typosquat NethereumNet using identical exfiltration code, published by the same threat actor under NuGet aliases nethereumgroup and NethereumCsharp. The malicious code resides in EIP70221TransactionService.Shuffle method, which stores a 43-character seed string “jwwrs:./ronaoanettorkinstance[.]info/api/gads” and applies a 44-byte position-based XOR mask to decode the command-and-control endpoint hxxps://solananetworkinstance[.]info/api/gads at runtime. The method accepts caller-supplied data and transmits it via HTTPS POST with a single form field named “message” containing mnemonics, private keys, keystore JSON, or signed transaction data. The package references legitimate Nethereum libraries including Nethereum.Hex, Nethereum.Signer, Nethereum.RPC, and Nethereum.Util, ensuring normal NuGet restore operations and successful compilation while providing expected Ethereum functionality. The malware remains dormant during installation and activates only when wallet helpers invoke the Shuffle method directly or indirectly through transaction preparation, mnemonic import, keystore decryption, or transaction signing workflows. Both malicious packages displayed artificially inflated download counts reaching 11.6 million within days of publication through scripted download automation targeting v3 flat-container endpoints and rotating IP addresses, creating false legitimacy signals in NuGet search results sorted by relevance.

Impact: The homoglyph typosquat bypasses visual inspection and copy-paste verification, enabling developers to unknowingly install malicious packages believing they are adding legitimate Nethereum dependencies. The four-day dwell time between publication and takedown provided sufficient exposure for victims passing sensitive cryptographic material through compromised transaction workflows. Exfiltrated data includes mnemonics enabling complete wallet recovery, private keys granting direct asset access, keystore passwords unlocking encrypted wallet files, and signed transaction data revealing transaction details and potentially enabling transaction replay attacks. The XOR obfuscation conceals the command-and-control endpoint from static analysis and casual code review, while the integration with legitimate Nethereum libraries ensures applications compile and function normally, delaying detection. Download inflation artificially elevates package placement in search results and creates false social proof, increasing installation likelihood among developers evaluating packages by popularity metrics.

Recommendation: Scan NuGet package references for Netherеum.All and NethereumNet, removing any installations and treating exposed wallet keys, mnemonics, and transaction data as compromised. Rotate all cryptocurrency private keys and mnemonics that may have passed through systems running these malicious packages and transfer assets to newly generated wallets. Implement network monitoring for outbound connections to solananetworkinstance[.]info and alert on HTTPS POST requests containing form field “message” to unfamiliar domains. Monitor for methods containing position-based XOR operations applied to character arrays that decode URLs at runtime. Block NuGet publisher accounts nethereumgroup and NethereumCsharp and investigate any packages from these sources.