CISO Brief

All news with #credential dumping tag

83 articles · page 3 of 5

Ukraine, Germany Seize Evidence in Black Basta Probe

🔎 Ukrainian and German law enforcement raided residences in Lviv and Ivano‑Frankivsk on 15 January, seizing digital storage devices and cryptocurrency assets linked to two suspected members of the Black Basta ransomware group. Investigators say the men acted as 'hash crackers,' extracting passwords to escalate access, steal data and deploy ransomware across corporate networks. The operation involved the Ukrainian National Police and Germany's BKA and formed part of a wider international probe coordinated by Europol. Authorities also identified alleged founder Oleg Evgenievich Nefedov, who has been placed on Europol’s EU Most Wanted and Interpol Red Notice lists.

Mandiant/GCP Release Net-NTLMv1 Rainbow Tables for Defenders

🔐 Mandiant and Google Cloud published a comprehensive dataset of Net-NTLMv1 rainbow tables to accelerate defender validation and mitigation of this long-deprecated protocol. The tables make known-plaintext attacks trivial, enabling recovery of authenticating password hashes in under 12 hours on consumer hardware costing less than $600. The release includes SHA512 checksums, usage guidance with tools like rainbowcrack and ntlmv1-multi, and prescriptive remediation steps to disable Net-NTLMv1 and monitor for coercion-based authentications.

Black Cat SEO Poisoning Campaign Distributes Backdoor

🚨 A cybercrime gang known as Black Cat has been linked to an SEO poisoning campaign that tricks users with fake download pages for popular programs such as Google Chrome and Notepad++. Visitors are redirected to a GitHub‑mimicking host where a ZIP delivers an installer that creates a desktop shortcut which side‑loads a malicious DLL and deploys a backdoor. The backdoor contacts a hard‑coded C2 and can steal browser data, log keystrokes and capture clipboard contents. Users should avoid clicking unknown search results and download software only from official sources.

Cryptocurrency Thefts Linked to 2022 LastPass Breach

🔒 Blockchain investigator TRM Labs says a series of cryptocurrency thefts were traced back to the 2022 LastPass breach, where encrypted vault backups containing private keys and seed phrases were stolen. Attackers appear to have slowly decrypted vaults for users with weak or reused master passwords, draining wallets in waves months or years later. TRM also reported that stolen funds were converted to Bitcoin and laundered through Wasabi Wallet CoinJoin mixes before cash‑out via Russian-linked exchanges.

GlassWorm Fourth Wave Targets macOS with Trojanized Wallets

🚨 The fourth wave of the GlassWorm campaign is targeting macOS developers by distributing malicious VS Code/OpenVSX extensions that deliver trojanized cryptocurrency wallet applications. The extensions embed an AES-256-CBC-encrypted payload in compiled JavaScript, execute after a 15-minute delay using AppleScript, and persist via LaunchAgents. The malware harvests developer credentials, browser and Keychain data, supports VNC and SOCKS proxying, and includes a mechanism to replace Ledger Live and Trezor Suite with trojanized versions. Users should remove the identified extensions, reset credentials, revoke tokens, and inspect or reinstall affected macOS systems.

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.

React2Shell Exploits Deliver Backdoors, Credential Theft

🔒 Researchers warn that the React2Shell flaw (CVE-2025-55182) is being actively exploited to deploy sophisticated Linux backdoors and harvest credentials. Palo Alto Networks Unit 42 and NTT Security report active use of KSwapDoor and ZnDoor, which provide interactive shells, file operations, lateral scanning, and stealthy mesh networking. Attackers are also abusing Cloudflare Tunnels and secret-scraping tools to extract cloud and AI tokens. Organizations should prioritize discovery, credential rotation, and removal of dropped backdoors and follow vendor mitigations immediately.

Askul Confirms Theft of 740,000 Customer Records after Oct.

🔒 Askul Corporation confirmed that the RansomHouse extortion group stole approximately 740,000 customer and partner records during an October ransomware incident. Compromised data types include business and individual customer service records, partner data, and employee information. Askul says attackers likely used compromised administrator credentials for an outsourced partner that lacked MFA, disabled EDR, moved laterally, deployed multiple ransomware variants, and wiped backups. The company has isolated affected networks, enforced MFA, reset admin passwords, begun individual notifications and established long-term monitoring.

Chinese Threat Actors Backdoor VMware vSphere Servers

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

Iran-linked MuddyWater Deploys MuddyViper Against Israel

🔒 ESET reports Iranian-aligned MuddyWater has deployed a previously undocumented backdoor named MuddyViper against Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and utilities, as well as one Egyptian technology company. The intrusions began with spear-phishing PDFs and exploitation of VPN and remote-access vulnerabilities to deliver loaders called Fooder, which decrypt and execute the C/C++ backdoor or drop tunneling proxies and browser-data collectors. MuddyViper implements about 20 commands for reconnaissance, file transfer, command execution, and exfiltration of Windows credentials and browser data; several Fooder variants masquerade as the Snake game and use delayed execution to evade detection.

Glassworm Malware Surges in Third Wave of VS Code Extensions

🐛 The Glassworm campaign has resurfaced in a third wave, with 24 new malicious VS Code-compatible extensions appearing on both the Microsoft Visual Studio Marketplace and OpenVSX. Once installed, these extensions push updates that deploy Rust-based implants, use invisible Unicode to evade review, exfiltrate GitHub, npm, and OpenVSX credentials and cryptocurrency wallet data, and deploy a SOCKS proxy and an HVNC client for stealthy remote access. Researchers say attackers inflate download counts to blend with legitimate projects and manipulate search results; both vendors have been contacted about continued bypasses.

Albiriox Android MaaS Threat Expands in Dark Markets

🛡️ A new Android malware family, Albiriox, has emerged on Russian-speaking cybercrime forums as a Malware-as-a-Service offering full device takeover and real-time fraud capabilities. Cleafy says it already targets more than 400 banking and cryptocurrency applications and combines VNC-style remote control with accessibility-driven UI automation, overlays and black-screen fraud techniques. Initial subscriptions were advertised at $650–$720 per month and the developers promote crypting to evade detection.

Full-Stack NPM Supply-Chain Attack Targets Developers

🛡️ Socket researchers detail a sophisticated NPM supply-chain campaign that uses fake coding interviews to trick developers into installing trojanized packages. Attackers operate a

UNC2891 Money Mule Network Exposes ATM Fraud Scope

🔍 Group-IB researchers reveal a multi-year ATM fraud campaign by UNC2891 that targeted two Indonesian banks and extended well beyond a Raspberry Pi infiltration. The campaign combined sophisticated malware — including the CAKETAP rootkit — with an extensive money-mule operation that recruited via Google ads and Telegram. Cloned card equipment was shipped to mules, who withdrew cash with real-time TeamViewer support or phone coordination. Group-IB warns banks to reassess ATM security and monitoring.

Schneider Electric: Risky Cryptography in EcoStruxure

🔒 This advisory describes a cryptographic weakness in Schneider Electric's EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio that could allow credential recovery from project files. An attacker with read access to Edge project or offline cache files can brute-force weak hashes to recover app-native or Active Directory passwords (CVE-2025-9317); the flaw requires local/file access and is not remotely exploitable. Apply 2023.1 Patch 1 immediately or implement recommended mitigations such as strict ACLs, strong project master passwords, removing embedded passwords, and following ICS cybersecurity best practices.

GlassWorm Malware Found in Three VS Code Extensions

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

Typosquatted npm Packages Deliver Cross-Platform Stealer

🚨 A multi-stage supply-chain campaign published ten typosquatted npm packages on July 4 that collectively reached nearly 10,000 downloads before removal, according to Socket. Each package abused npm’s postinstall lifecycle to open a new terminal, present a fake CAPTCHA prompt, and retrieve a PyInstaller-packed binary that harvests credentials from browsers, OS keyrings, SSH keys, tokens and cloud configuration files. The JavaScript installers combined four layers of obfuscation with social engineering to evade detection and delay scrutiny while exfiltrating collected secrets to the attacker’s host.

PhantomRaven: Malware in 126 npm Packages Steals Tokens

⚠️ Koi Security has identified a supply-chain campaign dubbed PhantomRaven that inserted malicious code into 126 npm packages, collectively installed more than 86,000 times, by pointing dependencies to an attacker-controlled host (packages.storeartifact[.]com). The packages include preinstall lifecycle hooks that fetch and execute remote dynamic dependencies, enabling immediate execution on developers' machines. The payloads are designed to harvest GitHub tokens, CI/CD secrets, developer emails and system fingerprints, and exfiltrate the results, while typical scanners and dependency analyzers miss the remote dependencies because npmjs.com does not follow those external URLs.

PhantomRaven Campaign Floods npm with Credential Theft

🐦 The PhantomRaven campaign distributes dozens of malicious npm packages that steal authentication tokens, CI/CD secrets, and GitHub credentials. Discovered by Koi Security, the activity began in August and involved 126 packages with over 86,000 downloads. The packages use a remote dynamic dependency mechanism to fetch and execute payloads during npm install, enabling stealthy credential exfiltration. Developers should verify package provenance and avoid unvetted LLM-generated package suggestions.

PhantomRaven npm Campaign Uses Invisible Dependencies

🕵️ Researchers at Koi Security uncovered an ongoing npm credential-harvesting campaign called PhantomRaven, active since August 2025, that steals npm tokens, GitHub credentials and CI/CD secrets. The attacker hides malicious payloads using Remote Dynamic Dependencies (RDD), fetching code from attacker-controlled servers at install time to bypass static scans. The campaign leveraged slopsquatting—typo variants that exploit AI hallucinations—to increase installs; Koi found 126 infected packages with about 20,000 downloads and at least 80 still live at publication.