Full Report
A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess.
Analysis Summary
# Morning News Roll-up July 16, 2026
## Overview
This week’s threat landscape is defined by deceptive "close-enough" lures, including malicious NuGet packages, trojanized software installers, and rapid-deployment ransomware. Attackers are increasingly leveraging trusted ecosystems like GitHub and Hugging Face to distribute surveillance tools and RATs, with some campaigns moving from initial access to full network encryption in under 24 hours.
## Top Stories
### Malicious NuGet Packages Drop "Pepesoft" Spyware
- **Summary:** Researchers identified 11 malicious NuGet packages masquerading as .NET command-line game cheats and bots. These packages act as first-stage downloaders for a second-stage Python payload titled "pepesoft.exe." The malware supports surveillance features including screenshot capture via Telegram bot commands and uses BitTorrent as a dormant fallback communication mechanism.
- **Source:** hxxps://socket[.]dev/blog/11-malicious-nuget-tools-pose-as-game-cheats
### UAT-11795 Deploys Starland RAT and WLDR Agent
- **Summary:** A Russian-speaking financially motivated adversary, UAT-11795, is using "ClickFix" lures and trojanized installers for popular tools (Zoom, MobaXterm) to deploy the Starland RAT. The campaign targets credentials and crypto wallets, utilizing a sophisticated PowerShell-based memory implant called "WLDR agent" for encrypted C2 communication.
- **Source:** hxxps://blog[.]talosintelligence[.]com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/
### Spirals Ransomware Encrypts Networks Within 24 Hours
- **Summary:** A new ransomware strain dubbed "Spirals" has been observed targeting IT services in South Asia. The threat is notable for its speed, achieving full network encryption within 24 hours of initial compromise, highlighting a trend toward accelerated "speed-to-damage" attack timelines.
- **Source:** hxxps://www[.]security[.]com/threat-intelligence/ransomware-spirals-extortion
---
# Multi-Vector Campaign Lures (NuGet, ClickFix, and RATs)
A collection of high-velocity campaigns leveraging developer ecosystems and trojanized installers to deploy surveillance tools and financially motivated malware.
## Key Points
- **Ecosystem Abuse:** Attackers are using NuGet (the .NET package manager) and Hugging Face to host malicious payloads, bypassing traditional perimeter defenses.
- **ClickFix Evolution:** The "ClickFix" social engineering tactic is being used to distribute HTA scripts that lead to the installation of trojanized versions of legitimate enterprise software (Zoom, WebEx).
- **Advanced Stealth:** The use of memory-only implants (WLDR agent) and PowerShell stagers minimizes the on-disk footprint of the attack.
- **Rapid Escalation:** Ransomware variants like "Spirals" are compressing the time between entry and impact to less than a single day.
## Threat Actors
- **UAT-11795:** A sophisticated, Russian-speaking, financially motivated actor active since at least June 2025.
- **"pepegit666":** GitHub/Hugging Face persona associated with the distribution of the Pepesoft spyware.
## TTPs
- **Social Engineering:** ClickFix lures and trojanized installers for IT/Admin tools.
- **Living-off-the-Land (LotL):** Use of `curl.exe` to fetch payloads and PowerShell for memory injection.
- **C2 Mechanisms:** Telegram bot commands for data exfiltration; encrypted beaconing via WLDR agent; BitTorrent fallback.
- **Execution:** HTA scripts used as initial vectors to trigger downloader chains.
## Affected Systems
- **Windows OS:** Primary target for Starland RAT, Pepesoft, and NuGet-based malware.
- **macOS:** Targeted by ClickLock Stealer via browser extensions.
- **Platforms:** Users of MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.
- **Sectors:** US and European critical users, South Asian IT services.
## Mitigations
- **Package Integrity:** Implement software composition analysis (SCA) to vet NuGet and other third-party dependencies.
- **Application Whitelisting:** Restrict the execution of HTA scripts and unverified PowerShell stagers.
- **Credential Protection:** Use hardware-based MFA to prevent credential harvesting from info-stealers.
- **Network Monitoring:** Monitor for unusual outbound traffic to Telegram API endpoints and known Hugging Face/GitHub download paths used for staging.
## Conclusion
The current threat environment shows a shift toward high-speed exploitation and the weaponization of developer tools. Organizations must move beyond basic perimeter defense to focus on supply chain integrity and rapid response capabilities, as the window between initial infection and total network encryption has narrowed to a matter of hours.