Cyware Daily Threat Intelligence, March 09, 2026

The classic "curl-to-bash" installation habit is being weaponized via InstallFix, a new social engineering tactic where attackers clone the documentation of popular developer tools to hijack the setup process. By using Google Ads to promote pixel-perfect replicas of the Claude Code CLI landing page, threat actors trick users into copying and pasting malicious one-liner commands into their terminals.
A new multi-stage malware operation, dubbed VOID#GEIST, is leveraging the legitimate TryCloudflare infrastructure to deliver a modular suite of RATs. The infection begins with an obfuscated batch script that displays a decoy PDF to distract the victim while hidden PowerShell commands establish a foothold within the current user's permissions.
Defensive security is finding a formidable ally in artificial intelligence, as evidenced by Anthropic’s Claude Opus 4.6 identifying 22 security vulnerabilities in the Firefox browser in just two weeks. This collaborative audit with Mozilla uncovered 14 high-severity flaws, including a critical use-after-free bug in the JavaScript engine that the AI detected within 20 minutes of scanning.
Top Malware Reported in the Last 24 Hours
Velvet Tempest exploits ClickFix for ransomware attacks
Ransomware group Velvet Tempest, also known as DEV-0504, has been observed using the ClickFix technique alongside legitimate Windows utilities to deploy DonutLoader malware and the CastleRAT backdoor. Velvet Tempest gained initial access through a malvertising campaign that combined a ClickFix lure with a CAPTCHA prompt, tricking victims into executing obfuscated commands. The attackers employed cmd.exe chains, PowerShell, .NET components, and Python-based tools for persistence, ultimately deploying DonutLoader and the CastleRAT backdoor.
Fake installation guides spread infostealers
Threat actors are employing a new social engineering technique called InstallFix to distribute infostealers by creating deceptive installation guides for popular command-line interface tools, such as Claude Code. These cloned pages closely resemble legitimate sites but contain altered instructions that lead users to execute malicious commands. The primary malware involved, Amatera Stealer, is designed to harvest sensitive data, including cryptocurrency wallets and credentials, from compromised systems. The malicious commands often use base64-encoded instructions to download and run the malware from attacker-controlled domains. Promoted through malvertising on platforms like Google Ads, these fake installation pages are difficult to detect because they often appear in sponsored search results.
Multi-stage VOID#GEIST malware drops more malware
Researchers have revealed a sophisticated multi-stage malware campaign, dubbed VOID#GEIST, which utilizes batch scripts to deliver various RATs, including XWorm, AsyncRAT, and Xeno RAT. The attack begins with a phishing email that distributes an obfuscated batch script from a TryCloudflare domain, which executes hidden PowerShell commands while displaying a decoy PDF to distract the user. This initial script establishes a foothold without escalating privileges, leveraging the current user's permissions. The malware then fetches additional payloads, including encrypted shellcode, using a Python-based loader that operates independently of the system’s Python installation. By employing Early Bird APC injection, the malware executes its payloads directly in memory, minimizing detection opportunities. This modular approach enhances flexibility and resilience, allowing for repeated injections into legitimate processes like "explorer.exe," while the ultimate targets of the campaign remain unidentified.
Top Vulnerabilities Reported in the Last 24 Hours
iOS flaws abused in crypto-theft attacks
CISA has alerted federal agencies to patch three critical iOS vulnerabilities that are being exploited by the Coruna exploit kit in cyberespionage and cryptocurrency theft attacks. The exploit kit targets 23 iOS flaws, allowing attackers to bypass security measures, execute remote code, and escalate privileges to kernel level. Coruna has been used by various threat actors, including state-sponsored groups and financially motivated criminals, to steal cryptocurrency through fake gambling and crypto websites.
Claude AI discovers 22 Firefox vulnerabilities
Anthropic discovered 22 security vulnerabilities in the Firefox web browser using its Claude Opus 4.6 AI model. Among these, 14 were classified as high severity, seven as moderate, and one as low. The vulnerabilities were identified over a two-week period in January 2026 and addressed in Firefox 148. Notably, the model detected a use-after-free bug in the JavaScript engine within just 20 minutes, which human researchers then validated. Over 6,000 C++ files were scanned, producing 112 unique reports. Claude successfully created exploits for only two of the vulnerabilities, which demonstrated that identifying flaws is more cost-effective than exploiting them. Mozilla confirmed that the AI-assisted approach also uncovered 90 additional bugs.