< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 10 of 19

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.
read more →

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.
read more →

Nearly 400 Malicious OpenClaw Crypto Trading Skills

⚠️ Security researcher Paul McCarty (aka 6mile) has identified 386 malicious OpenClaw "skills" on the ClawHub repository that impersonate crypto trading tools. The add-ons use social engineering to trick users into executing commands that deploy infostealers on macOS and Windows, harvesting exchange API keys, wallet private keys, SSH credentials and browser passwords. The discovered skills share a common C2 IP (91.92.242.30) and many remain available, with the most active uploader accounting for nearly 7,000 downloads.
read more →

GlassWorm campaign targets macOS via OpenVSX extensions

🐛 A new GlassWorm campaign distributed through compromised OpenVSX extensions is targeting macOS systems to steal passwords, crypto-wallet data, and developer credentials and configurations. Malicious updates pushed from the hijacked oorzc account on January 30 trojanized four packages with roughly 22,000 cumulative downloads and established persistence via a LaunchAgent while excluding Russian-locale systems. Socket's analysis shows broad data collection across browsers, wallets, macOS Keychain, Apple Notes, developer secrets, and exfiltration to 45.32.150[.]251; affected releases were removed and tokens revoked, but users are advised to perform full system clean-up and rotate secrets.
read more →

Infostealers Expand to macOS, Python, and Platform Abuse

🛡️ Microsoft Defender Experts report a cross-platform surge in infostealers that now target macOS, leverage Python toolchains, and abuse trusted platforms and utilities to deliver credential-stealing malware at scale. Since late 2025, macOS campaigns such as DigitStealer, MacSync, and AMOS have used social engineering, malicious DMGs, AppleScript, and fileless execution to harvest browser credentials, keychain secrets, developer keys, and crypto wallets. Phishing campaigns have delivered Python-based stealers like PXA Stealer, while platform-abuse activity has weaponized WhatsApp and fake PDF installers to propagate Eternidade Stealer and malicious Crystal PDF installers. Microsoft outlines Defender XDR detections, hunting queries, and mitigations to help organizations detect, contain, and remediate these evolving threats.
read more →

Malicious OpenClaw skills used to deliver password stealers

🔒 OpenClaw (formerly Moltbot/ClawdBot) has had over 230 malicious skills published in less than a week, with many near-identical clones gaining thousands of downloads. The packages impersonate legitimate utilities but include a disguised AuthTool installer that delivers info-stealing malware, including a macOS variant of NovaStealer. Researchers found hundreds of exposed admin interfaces and numerous typosquat registries, and warn users to sandbox the assistant, restrict permissions, secure remote access, and thoroughly vet any third-party skills before installation.
read more →

341 Malicious ClawHub Skills Target OpenClaw Users

⚠️ A security audit by Koi Security found 341 malicious skills among 2,857 listings on the ClawHub marketplace, many deploying a macOS stealer tracked as Atomic Stealer in a campaign dubbed ClawHavoc. Attackers used fake prerequisites and social engineering to trick users into running installers or terminal scripts that fetch next-stage payloads from attacker-controlled infrastructure. The malicious skills include typosquats, crypto tools, YouTube utilities and backdoors that exfiltrate bot credentials and keys, exposing OpenClaw users to significant supply-chain risks.
read more →

AI Coding Assistants Secretly Exfiltrate Developers' Code

⚠️A new report alleges two popular AI coding assistants, together used by roughly 1.5 million developers, are quietly copying everything they ingest to servers in China. Security researchers say the extensions capture editor content, code snippets, and related telemetry without clear user disclosure. The behavior appears systematic and persistent rather than incidental. Until vendors provide transparent remediation, developers and organizations should avoid unvetted extensions and perform immediate audits and containment.
read more →

Roblox Mod Downloads Becoming Major Infostealer Risk

🛡️Infostealer-laden Roblox “mods” and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise — not software exploits — is the primary enterprise threat.
read more →

Massive Data Leak Exposes 149M Login Credentials Worldwide

🔒 Cybersecurity researcher Jeremiah Fowler uncovered a publicly accessible database containing 149 million login credentials, including usernames, plaintext passwords and direct login URLs. Affected accounts span major tech and streaming providers, with about 48 million Gmail entries, 17 million Facebook and 6.5 million Instagram records. Fowler attributes the collection to keyloggers and infostealer malware and warns the dataset enables automated credential-stuffing, targeted fraud and convincing phishing campaigns.
read more →

AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.
read more →

GhostChat romance-scam: targeted Android spyware in Pakistan

🔍 ESET researchers disclosed a targeted Android espionage campaign (published 28 Jan 2026) that used a fake dating app called GhostChat (detected as Android/Spy.GhostChat.A) to lure victims in Pakistan. The app, never on Google Play and requiring manual install from unknown sources, presents locked female profiles with hardcoded access codes and embedded WhatsApp numbers to drive victims into operator-controlled chats. Once executed it requests broad permissions, immediately exfiltrates device identifiers, contacts and a wide range of files, and continues to upload newly created images and documents on a scheduled basis. ESET linked related Windows activity using the same C2 infrastructure, published IoCs and sample hashes (for example SHA-1 B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A), and shared findings with Google; known variants are blocked by Play Protect on devices with Google Play Services.
read more →

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.
read more →

Mustang Panda Updates CoolClient Backdoor with Infostealers

🔐 Kaspersky researchers say Chinese espionage group Mustang Panda has updated its CoolClient backdoor to steal browser login data, monitor the clipboard, and sniff HTTP proxy credentials. The upgraded variant has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was distributed via legitimate Sangfor software. New plugins add a remote shell, enhanced file and service management, and in-memory plugin execution; researchers also noted a previously unseen rootkit used in some intrusions.
read more →

ClickFix Uses Signed App-V Scripts to Deploy Amatera

🔒 Blackpoint researchers describe a campaign that chains ClickFix-style fake CAPTCHA prompts with a signed Microsoft App-V script to proxy PowerShell and deliver the Amatera information stealer. Victims are tricked into pasting a command into the Windows Run dialog that abuses SyncAppvPublishingServer.vbs to load an in-memory loader, which pulls configuration from a public Google Calendar and retrieves a PNG containing an encrypted PowerShell payload. The attack targets systems with App-V enabled (Enterprise/Education), relies on manual user interaction, and uses living-off-the-land techniques and trusted services to frustrate detection and automated analysis.
read more →

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
read more →

Evelyn Stealer Targets VS Code Extensions, Harvests Data

⚠️ Trend Micro detailed a campaign using a new information stealer, Evelyn Stealer, that abuses the Visual Studio Code extension ecosystem to harvest developer secrets. Malicious extensions drop a downloader DLL (Lightshot.dll) which launches a staged executable (runtime.exe) and injects the stealer into a legitimate process (grpconv.exe) to run in memory. The malware collects credentials, cookies, crypto wallets, screenshots, Wi‑Fi data and system metadata, then exfiltrates compressed archives to an attacker-controlled FTP server.
read more →

Researchers Exploit XSS in StealC Panel to Gather Evidence

🔍 CyberArk researchers disclosed they exploited a cross-site scripting (XSS) vulnerability in the web panel of the StealC infostealer to retrieve active session cookies and operational metadata. Researcher Ari Novick used the weakness to link a StealC customer, dubbed YouTubeTA, to the theft of roughly 390,000 passwords and over 30 million cookies from victims seeking cracked Adobe software on YouTube. Analysis of hardware fingerprints, language settings, time zones and IP addresses indicated the operator used an Apple Pro with an M3 chip, supported English and Russian, operated in an Eastern European time zone and connected via Ukrainian ISP TRK Cable TV, underscoring how weaknesses in criminal tooling can expose both victims and customers to supply-chain risk.
read more →

XSS Flaw in StealC Panel Lets Researchers Monitor Operators

🔍 Cybersecurity researchers disclosed an XSS vulnerability in the web-based control panel used by operators of the StealC information stealer. By exploiting it they collected system fingerprints, monitored active sessions, and stole session cookies from the infrastructure itself, according to CyberArk researcher Ari Novick. The panel's leaked source code and the stealer's distribution through the YouTube Ghost Network and other lures amplified the operational insights researchers gained. Full technical details were withheld to avoid enabling copycats.
read more →

Researchers Hijack StealC Panels via XSS, Expose Operators

🔒 A cross-site scripting (XSS) flaw in the web control panel for the StealC info‑stealer allowed researchers to observe active operator sessions, capture session cookies and harvest browser and hardware fingerprints. CyberArk exploited the issue to identify an operator’s location and device details after a panel user failed to route traffic through a VPN. The company withheld technical disclosure to avoid a quick fix and said the finding may disrupt StealC’s MaaS ecosystem.
read more →