
All news with #credential dumping tag

70 articles

China-aligned ELF Backdoor Harvests Cloud Credentials

🔐 Breakglass Intelligence reports that China-aligned APT41 is deploying an obfuscated Linux ELF backdoor to harvest cloud credentials across AWS, GCP, Azure and Alibaba Cloud. The implant uses a selective SMTP-based C2 over port 25 and typosquatted Alibaba-themed domains hosted in Singapore to exfiltrate tokens and metadata while avoiding scanners. The malware queries instance metadata endpoints (169.254.169.254), sends stolen IAM, service account and managed identity credentials, and emits periodic UDP broadcasts to 255.255.255.255:6006 to coordinate lateral movement. Defenders should monitor SMTP egress, unusual metadata access, unknown ELF binaries, and connections to Alibaba-lookalike domains.

JanelaRAT Targets Latin American Banks, 14,739 Hits

🔒 Researchers report that the JanelaRAT malware, a modified BX RAT, extensively targeted banks and financial services across Latin America, with telemetry showing 14,739 attack attempts in Brazil and 11,695 in Mexico during 2025. The trojan steals banking and cryptocurrency credentials, captures keystrokes, screenshots and system metadata, and uses custom title-bar detection to trigger actions on matched sites. Attackers shifted delivery from VBScript ZIPs to rogue MSI installers and DLL side-loading, often installing a malicious Chromium extension for persistence and data exfiltration. Vendors including Kaspersky, KPMG, and Zscaler documented multi-stage chains and robust C2 capabilities.

LiteLLM Supply-Chain Turns Dev Machines into Vaults

🔒 TeamPCP's March 2026 compromise of LiteLLM packages on PyPI injected infostealer malware into versions 1.82.7 and 1.82.8 that ran during installs and updates. The malware harvested plaintext SSH keys, cloud credentials (AWS, Azure, GCP), Docker configs, IDE and agent memory files, and other local secrets, exploiting transitive dependencies. PyPI removed the packages within hours, but many downstream packages would have triggered execution. Use ggshield, pre-commit hooks, and filesystem scanning to detect and contain local secrets.

CrystalX RAT: Prankware MaaS with Full Spy Tools and Theft

🛡️ Kaspersky researchers discovered CrystalX, a subscription-based Remote Access Trojan promoted on Telegram and YouTube that mixes disruptive "prank" capabilities with robust theft and surveillance features. The Trojan can rotate screens, swap mouse buttons, block keyboard input, display arbitrary messages, and disable system utilities, while also stealing credentials, hijacking clipboards to redirect crypto, logging keystrokes, and accessing screen, camera and microphone. Builds are uniquely encrypted per customer and include anti-analysis checks, which complicates detection; Kaspersky products detect and neutralize the threat. Users should avoid pirated software, be cautious with messaging attachments, enable 2FA, keep systems updated, and run reputable security solutions.

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active, the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.

Cisco Source Code Stolen After Trivy Supply-Chain Breach

🔐 Cisco has confirmed a breach of its internal development environment after threat actors leveraged credentials stolen in the recent Trivy supply-chain compromise. Attackers used a malicious GitHub Action to harvest CI/CD credentials and clone more than 300 repositories, including source for AI-powered products and some customer code. Multiple AWS keys were also taken and used in limited unauthorized activity. Cisco has isolated affected systems, begun reimaging, and is rotating credentials while investigating ongoing fallout tied to related supply-chain attacks.

TeamPCP Targets Stolen Supply Chain Secrets, Monetizes Data

🔐 Researchers at Wiz report that TeamPCP has been harvesting, validating, encrypting and exfiltrating cloud credentials, SSH keys, Kubernetes configs and other development secrets from compromised supply chain components to attacker-controlled domains. The group used typosquatting on PyPI to push credential-stealing malware into packages affecting Trivy, KICS, LiteLLM and Telnyx. Wiz warns this activity appears linked to, or at least shared with, extortion-focused actors such as Lapsus$, and vendors report claims of partnerships with ransomware affiliates, raising the risk of follow-on ransomware campaigns.

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

Iran-linked Handala Hackers Leak FBI Director's Emails

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

Infinity Stealer targets macOS using ClickFix and Nuitka

⚠️ Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which runs a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.

Backdoored Telnyx PyPI Package Drops WAV-Stego Malware

⚠️ A backdoored release of the Telnyx Python SDK on PyPI was used to deploy credential-stealing malware hidden inside WAV audio files. Security firms Aikido, Socket, and Endor Labs attribute the tampering to TeamPCP, which published versions 4.87.1 and 4.87.2; the latter contained a functioning payload. The malicious code executes on import from telnyx/_client.py and uses steganography to XOR-decode a WAV-hosted second stage that harvests SSH keys, cloud tokens, wallets, environment variables, and Kubernetes secrets. Developers are advised to revert to Telnyx 4.87.0 and treat any systems importing the affected releases as compromised.

TeamPCP Compromises Telnyx PyPI Package in Supply Chain

⚠️ Researchers report that the threat actor TeamPCP compromised the official telnyx Python SDK on PyPI by publishing trojanized releases (4.87.1 and 4.87.2) that exfiltrate sensitive files. The payload executed at install time, stealing SSH private keys and bash history and sending them to an attacker-controlled HTTP endpoint. Socket, Endor Labs, Aikido Security and Wiz confirmed the findings and advise removing the malicious versions and rotating any exposed credentials.

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒 eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

VoidStealer uses debugger trick to steal Chrome master key

🔓 VoidStealer, an information stealer offered as MaaS since mid‑December 2025, uses a debugger-based technique to extract Chrome's v20_master_key directly from memory. The malware starts a suspended, hidden browser process, attaches as a debugger, and waits for the target chrome.dll to load before setting hardware breakpoints on an instruction that references the key. When the breakpoint triggers during startup decryption, VoidStealer reads the register pointer and uses ReadProcessMemory to capture the plaintext key without privilege escalation. Gen Digital reports this is the first infostealer observed in the wild using this approach.

Trivy scanner backdoored in supply-chain compromise

⚠ The widely used Trivy vulnerability scanner and its official GitHub Actions were backdoored after attackers injected a credential‑stealing payload into official releases, the trivy-action and setup-trivy components, and published binaries. The malware harvests pipeline secrets by reading process memory and searching filesystems for SSH keys, cloud credentials, Kubernetes tokens, Docker configs, and wallets, exfiltrating encrypted data to a typosquatted domain or, failing that, by creating a public repository named tpcp-docs. Researchers say the intrusion followed an earlier compromise and incomplete credential rotation that let attackers regain access via insecure GitHub Actions; victims should rotate secrets immediately and pin Actions to full commit SHAs. Known safe versions include Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6.

Trivy GitHub Actions Breach: 75 Tags Hijacked Revealed

🔒 The Trivy open-source scanner and its GitHub Actions integrations (aquasecurity/trivy-action and aquasecurity/setup-trivy) were compromised in March 2026 when an attacker force-pushed 75 version tags to point to malicious commits. The injected Python infostealer harvests CI/CD secrets from runners, attempts exfiltration to an attacker-controlled domain, and can stage stolen data using captured PATs if network exfiltration fails. Vendors advise immediate secret rotation, blocking the malicious domain/IP, and pinning Actions to full commit SHAs.

LeakNet Uses Deno Runtime and ClickFix for Stealthy Attacks

🔒 LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.

Extortion Emails Sent to HungerRush Restaurant Customers

🔔 Customers of restaurants using HungerRush, a provider of POS, online ordering, delivery, and payment services, reported receiving mass extortion emails claiming millions of customer records would be exposed if the company did not respond. The messages were delivered via Twilio SendGrid infrastructure and, according to headers, passed SPF, DKIM, and DMARC checks for the hungerrush.com domain. Security researchers also reported an earlier infostealer infection on an employee device that allegedly harvested corporate credentials, though a direct link to a confirmed breach has not been established. Customers should be vigilant for targeted phishing and SMS scams that may leverage any exposed data.

Fraud Investigation Reveals Sophisticated Python Malware

🔍 A fraud investigation by the Secuinfra Falcon Team uncovered a layered, Python-based malware deployment that led to unauthorised PayPal transfers and visible command output on the victim's desktop. Investigators found hidden PowerShell activity retrieving a PyInstaller-packed executable named svchoss.exe from an IP hosted in Tencent-associated networks, alongside startup scripts and a concealed Python runtime. Memory forensics with Volatility 3 and string extraction exposed heavy obfuscation, references to Cobalt Strike, XWorm RAT, HTran and attempts to harvest browser autofill and wallet data. Although the system was judged fully compromised, the initial infection vector remains unconfirmed, with social engineering and malicious downloads considered likely.

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.