All news with #data theft tag

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.

FBI FLASH: UNC6040 and UNC6395 Target Salesforce

🔔 The FBI issued a FLASH advisory linking two threat clusters, UNC6040 and UNC6395, to intrusions of corporate Salesforce environments that resulted in data theft and extortion. Early campaigns relied on social engineering and malicious Data Loader OAuth apps to mass-exfiltrate Accounts and Contacts, while later activity used stolen Salesloft/Drift OAuth and refresh tokens to access support cases and harvest secrets. Multiple large enterprises were impacted and the FBI released IOCs to help organizations detect and mitigate compromise.