All news with #credential dumping tag

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

⚠️Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which boots a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.

⚠️A backdoored release of the Telnyx Python SDK on PyPI was used to deploy credential-stealing malware hidden inside WAV audio files. Security firms Aikido, Socket, and Endor Labs attribute the tampering to TeamPCP, which published versions 4.87.1 and 4.87.2; the latter contained a functioning payload. The malicious code executes on import from telnyx/_client.py and uses steganography to XOR-decode a WAV-hosted second stage that harvests SSH keys, cloud tokens, wallets, environment variables, and Kubernetes secrets. Developers are advised to revert to Telnyx 4.87.0 and treat any systems importing the affected releases as compromised.

⚠️ Researchers report that the threat actor TeamPCP compromised the official telnyx Python SDK on PyPI by publishing trojanized releases (4.87.1 and 4.87.2) that exfiltrate sensitive files. The payload executed at install time, stealing SSH private keys and bash history and sending them to an attacker-controlled HTTP endpoint. Socket, Endor Labs, Aikido Security and Wiz confirmed the findings and advise removing the malicious versions and rotating any exposed credentials.

🔒eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

🔓 VoidStealer, an information stealer offered as MaaS since mid‑December 2025, uses a debugger-based technique to extract Chrome's v20_master_key directly from memory. The malware starts a suspended, hidden browser process, attaches as a debugger, and waits for the target chrome.dll to load before setting hardware breakpoints on an instruction that references the key. When the breakpoint triggers during startup decryption, VoidStealer reads the register pointer and uses ReadProcessMemory to capture the plaintext key without privilege escalation. Gen Digital reports this is the first infostealer observed in the wild using this approach.

⚠ The widely used Trivy vulnerability scanner and its official GitHub Actions were backdoored after attackers injected a credential‑stealing payload into official releases, the trivy-action and setup-trivy components, and published binaries. The malware harvests pipeline secrets by reading process memory and searching filesystems for SSH keys, cloud credentials, Kubernetes tokens, Docker configs, and wallets, exfiltrating encrypted data to a typosquatted domain or, failing that, by creating a public repository named tpcp-docs. Researchers say the intrusion followed an earlier compromise and incomplete credential rotation that let attackers regain access via insecure GitHub Actions; victims should rotate secrets immediately and pin Actions to full commit SHAs. Known safe versions include Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6.

🔒 The Trivy open-source scanner and its GitHub Actions integrations (aquasecurity/trivy-action and aquasecurity/setup-trivy) were compromised in March 2026 when an attacker force-pushed 75 version tags to point to malicious commits. The injected Python infostealer harvests CI/CD secrets from runners, attempts exfiltration to an attacker-controlled domain, and can stage stolen data using captured PATs if network exfiltration fails. Vendors advise immediate secret rotation, blocking the malicious domain/IP, and pinning Actions to full commit SHAs.

🔒LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.

🔔 Customers of restaurants using HungerRush, a provider of POS, online ordering, delivery, and payment services, reported receiving mass extortion emails claiming millions of customer records would be exposed if the company did not respond. The messages were delivered via Twilio SendGrid infrastructure and, according to headers, passed SPF, DKIM, and DMARC checks for the hungerrush.com domain. Security researchers also reported an earlier infostealer infection on an employee device that allegedly harvested corporate credentials, though a direct link to a confirmed breach has not been established. Customers should be vigilant for targeted phishing and SMS scams that may leverage any exposed data.

🔍 A fraud investigation by the Secuinfra Falcon Team uncovered a layered, Python-based malware deployment that led to unauthorised PayPal transfers and visible command output on the victim's desktop. Investigators found hidden PowerShell activity retrieving a PyInstaller-packed executable named svchoss.exe from an IP hosted in Tencent-associated networks, alongside startup scripts and a concealed Python runtime. Memory forensics with Volatility 3 and string extraction exposed heavy obfuscation, references to Cobalt Strike, XWorm RAT, HTran and attempts to harvest browser autofill and wallet data. Although the system was judged fully compromised, the initial infection vector remains unconfirmed, with social engineering and malicious downloads considered likely.

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.

🔐 Researchers at Flare Systems uncovered a botnet, dubbed SSHStalker, that brute-forces weak SSH passwords and had compromised an estimated 7,000 Linux servers by the end of January, with roughly half located in the United States. The toolkit combines fileless malware, rootkits, log cleaners and a library of kernel exploits — some dating to 2009 — and can harvest AWS credentials. Flare characterizes it as a "scale-first" operation focused on persistence; observed capabilities include DDoS and cryptomining, though monetization has not yet been seen. Immediate mitigations include disabling SSH password authentication, switching to key-based or short-lived credentials, and restricting and rate-limiting SSH access.

🛡️ UNC1069, a North Korea-linked threat actor, has used AI-generated video lures and compromised Telegram accounts to target cryptocurrency firms and personnel. According to Google Mandiant, attackers staged fake Zoom meetings via Calendly invites and delivered a ClickFix-style troubleshooting vector that dropped multiple payloads on Windows and macOS. The intrusion employed at least seven malware families — including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH and SILENCELIFT — to harvest credentials, browser data and session tokens to facilitate financial theft.

🔒 Security researchers at Point Wild’s Lat61 team disclosed a Windows campaign that uses a multi-stage chain to establish persistent, memory-resident access and steal sensitive data. The attack starts with a small batch script that creates a per-user Registry Run key and launches a PowerShell loader which decodes Donut-generated shellcode and injects a heavily obfuscated .NET payload into memory. The modular Pulsar RAT supports live, interactive operator control alongside a parallel stealer, with stolen data exfiltrated as ZIP archives via Discord webhooks and Telegram bots.

🛡️ On January 30, 2026, threat actors used a compromised developer account to publish malicious updates to four Open VSX extensions, embedding the GlassWorm loader. The extensions — previously legitimate utilities with over 22,000 combined downloads — were removed after discovery. The loader decrypts and execute payloads at runtime, employing EtherHiding and Solana memos for C2 rotation. It targets macOS credentials and cryptocurrency wallets.

🛡️Infostealer-laden Roblox “mods” and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise — not software exploits — is the primary enterprise threat.

⚠️ Trend Micro detailed a campaign using a new information stealer, Evelyn Stealer, that abuses the Visual Studio Code extension ecosystem to harvest developer secrets. Malicious extensions drop a downloader DLL (Lightshot.dll) which launches a staged executable (runtime.exe) and injects the stealer into a legitimate process (grpconv.exe) to run in memory. The malware collects credentials, cookies, crypto wallets, screenshots, Wi‑Fi data and system metadata, then exfiltrates compressed archives to an attacker-controlled FTP server.

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.