Discover and explore attack flows created by the cybersecurity community
eSentire’s TRU found attackers using ClickFix in late 2025 to deliver Amatera Stealer and NetSupport RAT. Amatera is essentially a rebranded ACR (AcridRain) Stealer, whose source code was sold in 2024. It steals data from browsers, crypto wallets, messaging clients and email apps, and uses evasion techniques such as WoW64 syscalls to bypass common security defenses. Research by @YungBinary: https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
A large-scale cyberattack executed with minimal human intervention: the Chinese state-sponsored group GTG-1002 used Claude Code to autonomously conduct reconnaissance, vulnerability discovery, exploitation, and data exfiltration against roughly 30 entities, including technology companies and government agencies. The AI performed 80-90% of tactical operations independently, marking a fundamental shift in threat actor capabilities.
https://www.huntress.com/blog/obscura-ransomware-variant
The Qilin ransomware group, also known as Agenda, Gold Feather, and Water Galura, has been actively targeting organizations since July 2022, with over 84 victims per month in August and September 2025.
This flow maps a prompt injection vulnerability in the newly released OpenAI ChatGPT Atlas web browser: malicious instructions disguised as seemingly harmless URLs are interpreted by the browser's AI agent as commands, leading it to perform unintended actions such as redirecting users to phishing sites or executing harmful commands.
This attack flow maps a sophisticated social engineering campaign by ShinyHunters and Scattered Spider targeting major corporations including Google, Adidas, and Louis Vuitton. The threat actors combine voice phishing (vishing) with domain impersonation to trick employees into granting OAuth authorization to an attacker-controlled Salesforce connected app, establishing persistent access to CRM platforms for large-scale data exfiltration. The campaign concludes with delayed extortion demands ranging from 4 to 20 Bitcoin.
This flow details the Blue Locker ransomware campaign targeting Pakistan's oil and gas sector through phishing emails with malicious attachments. The attack uses a PowerShell-based loader to establish persistence via registry modification, escalate privileges by bypassing UAC, and evade detection through obfuscation and timestomping. The ransomware ultimately deletes system backups with WMIC commands and encrypts victim files with a '.Blue' extension.
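As an added illustration (not part of this flow or of the Blue Locker analysis it summarizes), the following Python sketch runs detection logic over constructed Sysmon-style process-creation and file-creation events for three observables named in the summary: backup deletion via WMIC (generalized here to also cover vssadmin and the Win32_ShadowCopy WMI class), Run-key persistence written by PowerShell or reg.exe, and mass creation of '.Blue' files by a single process. The event field names, sample command lines, process IDs and the file-count threshold are all assumptions made for the example.

```python
"""
Detection sketch for the Blue Locker chain summarized above. Added example;
not code from the attack flow. Field names follow Sysmon conventions
(Image, CommandLine, ProcessId, TargetFilename) but the events are constructed.
"""
import re
from collections import Counter

# Case-insensitive patterns for two of the summarized behaviours.
# The shadow-copy rule is widened beyond WMIC to vssadmin and the WMI class
# method, since ransomware families switch between them freely.
RULES = {
    "backup_deletion": re.compile(
        r"(wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|vssadmin(\.exe)?\s+delete\s+shadows"
        r"|Win32_ShadowCopy.*\.Delete\(\))", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run(Once)?", re.I),
}
# A Run-key path alone is noisy (reads, GPO tooling); require a writer too.
PERSISTENCE_WRITERS = re.compile(
    r"(reg(\.exe)?\s+add|set-itemproperty|new-itemproperty)", re.I)

ENCRYPTED_EXT = ".blue"   # extension the summary attributes to Blue Locker
ENCRYPT_THRESHOLD = 5     # assumed: distinct .Blue files from one process


def check_process(ev: dict) -> list[str]:
    """Return the rule names a single process-creation event trips."""
    cmd = ev.get("CommandLine", "")
    hits = []
    if RULES["backup_deletion"].search(cmd):
        hits.append("backup_deletion")
    if RULES["run_key_persistence"].search(cmd) and PERSISTENCE_WRITERS.search(cmd):
        hits.append("run_key_persistence")
    return hits


def check_file_events(events: list[dict]) -> dict[int, int]:
    """Count .Blue file creations per ProcessId; return those at or over threshold."""
    counts = Counter(
        ev["ProcessId"] for ev in events
        if ev.get("EventType") == "FileCreate"
        and ev.get("TargetFilename", "").lower().endswith(ENCRYPTED_EXT))
    return {pid: n for pid, n in counts.items() if n >= ENCRYPT_THRESHOLD}


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Return {ProcessId: [findings]} for a batch of mixed events."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            for hit in check_process(ev):
                findings.setdefault(ev["ProcessId"], []).append(hit)
    for pid, n in check_file_events(events).items():
        findings.setdefault(pid, []).append(f"mass_rename_{ENCRYPTED_EXT}:{n}")
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "Set-ItemProperty -Path '
                    r'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'-Name upd -Value C:\Users\Public\upd.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventType": "ProcessCreate", "ProcessId": 4200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
] + [
    {"EventType": "FileCreate", "ProcessId": 4300,
     "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.Blue"}
    for i in range(6)
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The registry rule deliberately pairs the Run-key path with a writing verb so that benign reads and inventory scripts do not fire; the file-count rule is a coarse proxy for the encryption phase and would normally be scoped to a short time window rather than a whole batch.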