All news with #credential dumping tag

🔍 Group-IB researchers reveal a multi-year ATM fraud campaign by UNC2891 that targeted two Indonesian banks and extended well beyond a Raspberry Pi infiltration. The campaign combined sophisticated malware — including the CAKETAP rootkit — with an extensive money-mule operation that recruited via Google ads and Telegram. Cloned card equipment was shipped to mules, who withdrew cash with real-time TeamViewer support or phone coordination. Group-IB warns banks to reassess ATM security and monitoring.

🔒 This advisory describes a cryptographic weakness in Schneider Electric's EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio that could allow credential recovery from project files. An attacker with read access to Edge project or offline cache files can brute-force weak hashes to recover app-native or Active Directory passwords (CVE-2025-9317); the flaw requires local/file access and is not remotely exploitable. Apply 2023.1 Patch 1 immediately or implement recommended mitigations such as strict ACLs, strong project master passwords, removing embedded passwords, and following ICS cybersecurity best practices.

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

🚨 A multi-stage supply-chain campaign published ten typosquatted npm packages on July 4 that collectively reached nearly 10,000 downloads before removal, according to Socket. Each package abused npm’s postinstall lifecycle to open a new terminal, present a fake CAPTCHA prompt, and retrieve a PyInstaller-packed binary that harvests credentials from browsers, OS keyrings, SSH keys, tokens and cloud configuration files. The JavaScript installers combined four layers of obfuscation with social engineering to evade detection and delay scrutiny while exfiltrating collected secrets to the attacker’s host.

⚠️ Koi Security has identified a supply-chain campaign dubbed PhantomRaven that inserted malicious code into 126 npm packages, collectively installed more than 86,000 times, by pointing dependencies to an attacker-controlled host (packages.storeartifact[.]com). The packages include preinstall lifecycle hooks that fetch and execute remote dynamic dependencies, enabling immediate execution on developers' machines. The payloads are designed to harvest GitHub tokens, CI/CD secrets, developer emails and system fingerprints, and exfiltrate the results, while typical scanners and dependency analyzers miss the remote dependencies because npmjs.com does not follow those external URLs.

🐦 The PhantomRaven campaign distributes dozens of malicious npm packages that steal authentication tokens, CI/CD secrets, and GitHub credentials. Discovered by Koi Security, the activity began in August and involved 126 packages with over 86,000 downloads. The packages use a remote dynamic dependency mechanism to fetch and execute payloads during npm install, enabling stealthy credential exfiltration. Developers should verify package provenance and avoid unvetted LLM-generated package suggestions.

🕵️ Researchers at Koi Security uncovered an ongoing npm credential-harvesting campaign called PhantomRaven, active since August 2025, that steals npm tokens, GitHub credentials and CI/CD secrets. The attacker hides malicious payloads using Remote Dynamic Dependencies (RDD), fetching code from attacker-controlled servers at install time to bypass static scans. The campaign leveraged slopsquatting—typo variants that exploit AI hallucinations—to increase installs; Koi found 126 infected packages with about 20,000 downloads and at least 80 still live at publication.

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

🔒 LastPass warns customers of a sophisticated phishing campaign that uses fake inheritance emails claiming a family member uploaded a death certificate to request emergency access to a user's vault. The messages include an agent ID and a link that redirects victims to a fraudulent page on lastpassrecovery[.]com where the victim is prompted to enter their master password. In some incidents attackers also called victims while posing as LastPass staff. The campaign, active since mid‑October and attributed to financially motivated group CryptoChameleon (UNC5356), has expanded to target passkeys as well.

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

🔒 Resecurity warns that legacy Windows name-resolution protocols continue to expose organisations to credential theft when attackers share the same local network. By poisoning LLMNR and NBT-NS broadcasts using tools such as Responder, attackers can capture usernames, domain context and password hashes without exploiting a software vulnerability. Recommended mitigations include disabling these protocols via Group Policy, blocking UDP 5355, enforcing SMB signing, reducing NTLM, and monitoring for anomalous traffic.

🔒 ParkMobile has settled a class action tied to its 2021 data breach, offering affected users a $1 in-app credit as part of a $32.8 million resolution. Threat actors leaked a 4.5 GB CSV exposing nearly 22 million customers' names, contact details, bcrypt-hashed passwords, mailing addresses, license plates and vehicle information. Claimants must manually apply promo code P@rkMobile-$1 (most codes expire Oct 8, 2026; California codes do not), and the company warns of continuing SMS phishing campaigns targeting users.

🔒 Google researchers warn that the Go-based Brickstorm backdoor was used in prolonged espionage against U.S. technology, legal, SaaS, and BPO organizations, averaging a 393-day dwell time. Suspected activity from the UNC5221 cluster involved deploying the malware on appliances lacking EDR protection such as VMware vCenter/ESXi, where it acted as a web server, SOCKS proxy, file dropper, and remote shell. Operators used techniques like a malicious Java Servlet Filter (Bricksteal), VM cloning, and startup-script modifications to capture credentials and move laterally, then tunneled to exfiltrate emails via Microsoft Entra ID Enterprise Apps. Mandiant published a scanner and YARA rules to aid detection but cautions it may not catch all variants or persistence.

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

🔒 The Python Software Foundation warns of a phishing campaign using a convincing fake PyPI site at pypi-mirror[.]org that asks users to 'verify their email address' and threatens account suspension. If you clicked the link and submitted credentials, change your password immediately, inspect your account's Security History, and report suspicious activity to security@pypi.org. Maintainers should avoid clicking links in unsolicited emails, use password managers that auto-fill only on matching domains, and enable phishing-resistant 2FA such as hardware security keys.

🔍 Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that likely leveraged AI-generated code to obfuscate its payload inside an SVG attachment. The malicious SVG imitated a PDF and hid JavaScript within invisible, business-themed elements and a long sequence of business terms that the embedded script decoded into redirects, browser fingerprinting, and session tracking. Microsoft Defender for Office 365 blocked the activity by correlating infrastructure, behavioral, and message-context signals, while Security Copilot flagged the code as likely LLM-generated.

🔒 PRODAFT links a recruitment-themed espionage campaign to an Iran-affiliated cluster tracked as Subtle Snail and attributed to UNC1549 (aka TA455), reporting infiltration of 34 devices across 11 telecommunications organizations in Canada, France, the UAE, the UK and the US. Operators posed as HR recruiters on LinkedIn and delivered a ZIP-based dropper that uses DLL side-loading to install the modular backdoor MINIBIKE, which harvests credentials, browser data, screenshots, keystrokes and system details. MINIBIKE communicates with C2 infrastructure proxied through Azure services, employs anti-analysis measures and achieves persistence via registry modifications to enable long-term access and data exfiltration.

🔎Huntress analysts discovered a threat actor inadvertently exposing their workflows after installing the vendor's security agent on their own machine. The agent logged three months of activity, revealing heavy use of AI text and spreadsheet generators, automation platforms like Make.com, proxy services and Telegram Bot APIs to streamline operations. Investigators linked the infrastructure to thousands of compromised identities while many attempts were blocked by existing detections.

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.