All news with #infostealer tag
Tue, November 18, 2025
Half a Million FTSE 100 Credentials Discovered Online
🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.
Wed, November 12, 2025
Rhadamanthys infostealer disrupted after server access loss
🔒 The Rhadamanthys infostealer operation has reportedly been disrupted, with multiple customers saying they no longer have SSH access to their web panels. Affected users report servers now require certificate-based logins instead of root passwords, prompting some to wipe and power down infrastructure. Researchers g0njxa and Gi7w0rm observed the outage and noted Tor onion sites for the operation are also offline. The developer and several customers suspect German law enforcement, and some analysts link the event to the broader Operation Endgame disruptions.
Thu, October 23, 2025
Vidar 2.0 Emerges as Lumma Stealer Declines, Upgraded
🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.
Wed, October 22, 2025
SnakeStealer Infostealer Surges to Top of Detections
🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.
Tue, October 21, 2025
Developers of Lumma Stealer Doxxed in Rival Campaign
🔍 Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.
Fri, October 17, 2025
Security Teams Must Deploy Anti-Infostealer Defenses Now
🔒 Infostealers are fuelling today’s ransomware wave and the resulting stealer logs are widely available on the dark web, sometimes for as little as $10. At ISACA Europe 2025, Tony Gee of 3B Data Security urged security teams to adopt targeted technical controls in addition to baseline measures like zero trust and network segmentation. He recommended six practical defenses — including regular password rotation, FIDO2-enabled MFA, forced authentication, shorter session tokens, cookie replay detection and impossible-travel monitoring — to reduce the usefulness of stolen credentials and session data.
Wed, October 15, 2025
PhantomVAI Loader Delivers Multiple Infostealers Worldwide
🛡️ The Unit 42 report details a multi-stage phishing campaign that leverages heavily obfuscated JavaScript/VBS and PowerShell to load a C# .NET loader named PhantomVAI, which hides DLL payloads inside image files via steganography. The loader's VAI routine performs virtual-machine detection, establishes persistence (scheduled tasks, wscript, Run keys) and retrieves payloads by process hollowing into legitimate host processes. Observed final payloads include Katz Stealer, AsyncRAT and FormBook. Palo Alto Networks' Advanced WildFire, Cortex XDR and XSIAM have updated protections and indicators of compromise.
Thu, September 25, 2025
Microsoft: New XCSSET macOS Variant Targets Xcode Developers
🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.
Fri, September 5, 2025
macOS AMOS Stealer Uses Cracked Apps to Bypass Gatekeeper
🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac, and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.
Fri, August 29, 2025
TamperedChef Malware Hidden in Fake PDF Editor Installers
🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.
Thu, August 7, 2025
New DarkCloud Stealer Infection Chain Uses ConfuserEx
🔒 Unit 42 observed a new DarkCloud Stealer infection chain in early April 2025 that employs ConfuserEx-based obfuscation and a final Visual Basic 6 payload. Phishing TAR/RAR/7Z archives deliver obfuscated JavaScript or WSF downloaders which retrieve a PowerShell stage from open directories and drop a ConfuserEx-protected executable. The loaders are heavily protected with javascript-obfuscator and the variant follows prior AutoIt-based deliveries. Palo Alto Networks notes that Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM can help detect and mitigate these stages and recommends contacting Unit 42 for incident response.
Tue, July 29, 2025
Hidden Risks of Browser Extensions and How to Stay Safe
🔒 Browser extensions can provide useful features but also expose users and organizations to significant risk. Malicious or compromised add-ons may steal credentials, session cookies, and browsing data, inject ads or malware, redirect users, or run background tasks like cryptomining. Scrutinize developer credentials and permissions, prefer official web stores, keep browsers updated, and enable security software and MFA.
Thu, July 24, 2025
Rogue CAPTCHAs: Phony Verification Pages Spread Malware
🔒 Phony CAPTCHA pages are being used to trick users into running commands that invoke legitimate Windows tools like PowerShell or mshta.exe, which then download and install malware. Threat actors—including those using the social engineering method ClickFix—deploy infostealers, remote access trojans, ransomware and cryptominers through deceptive verification prompts that appear legitimate. Users should avoid executing pasted commands, keep systems and security software updated, and consider ad blockers to reduce exposure.