All news with #information stealer tag

Tsundere Botnet Expands Using Game Lures and Node.js

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.

Operation Endgame Takedown Disrupts Major Malware Campaign

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.

Malicious npm Packages Steal Developer Credentials

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.

RedTiger Infostealer Used to Steal Discord Accounts

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

Researchers Expose SVG and PureRAT Phishing Threats

📧 Fortinet FortiGuard Labs and other researchers detailed phishing campaigns that weaponize malicious SVG attachments to initiate downloads of password-protected ZIP archives and Compiled HTML Help (CHM) files. Those CHM files activate loader chains that deliver CountLoader as a distribution stage for Amatera Stealer and the stealthy .NET miner PureMiner, both run filelessly via .NET AOT and memory-loading techniques. Separately, Huntress attributes a Vietnamese-speaking operator using copyright-themed lures that escalate from PXA Stealer to the modular backdoor PureRAT.

Noisy Bear Targets Kazakhstan Energy Firm with Phishing

🚨 Operation BarrelFire, attributed to a group Seqrite Labs calls Noisy Bear, targeted Kazakhstan's national oil company KazMunaiGas in May 2025 using tailored phishing. Attackers sent ZIP attachments containing an .LNK downloader, a decoy document, and a README in Russian and Kazakh instructing use of a fake KazMunayGaz_Viewer. The chain deployed a malicious batch, a PowerShell loader named DOWNSHELL, and a 64-bit DLL implant that executes shellcode to open a reverse shell. Infrastructure was linked to Russia-based bulletproof host Aeza Group, which has been sanctioned.

TAG-150 Develops CastleRAT: Python and C Variants Now

🛡️ Recorded Future links the activity of TAG-150 to a new remote access trojan, CastleRAT, available in both Python and C variants that collect system data, fetch additional payloads, and execute commands via CMD and PowerShell. The Python build is tracked as PyNightshade, while eSentire and others refer to related tooling as NightshadeC2. Researchers observed Steam-profile dead drops, a multi-tiered C2 layout, and distribution through CastleLoader-assisted phishing and fake GitHub repositories. Operators use Cloudflare-themed "ClickFix" lures and deceptive domains to deliver loaders and downstream stealers and RATs.