< ciso brief />

All news with #infostealer tag

337 articles · page 10 of 17

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and OwnCloud instances. Hudson Rock links initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.

VVS Stealer Employs Advanced Obfuscation Targeting Discord

🛡️ VVS Stealer is a Python-based credential-stealing malware distributed as a PyInstaller package and protected with Pyarmor obfuscation in BCC mode to hinder analysis. It targets Discord tokens and browser-stored credentials, injects malicious JavaScript into the Discord client, and exfiltrates data via Discord webhooks. The sample persists by copying itself to the Windows startup folder and displays fake error messages to evade detection.

VVS Stealer: Python info-stealer targets Discord now

🐍 Researchers disclosed a new Python-based information stealer called VVS Stealer that harvests Discord tokens, account data and browser credentials. The malware, sold on Telegram with subscription and one-time tiers, is obfuscated with Pyarmor and packaged via PyInstaller to hinder analysis. It persists by adding itself to the Windows Startup folder and shows fake "Fatal Error" pop-ups. VVS injects into Discord and uses a downloaded obfuscated JavaScript payload to monitor traffic via the Chrome DevTools Protocol for session hijacking.

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐 Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1-Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.

Technical Analysis of VVS Stealer Targeting Discord

🔍 Unit 42 provides a detailed technical analysis of VVS stealer, a Python-based malware family that targets Discord users and Chromium/Firefox browsers to exfiltrate tokens, credentials, and browser data. The report explains distribution as PyInstaller packages protected with Pyarmor (observed v9.1.4) and documents the deobfuscation steps used to recover bytecode, AES keys, and encrypted strings. It summarizes runtime behaviors including Discord client injection via modified Electron files, webhook-based exfiltration, persistence in %APPDATA%, and sample indicators defenders can monitor.

DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.

Zoom Stealer Extensions Harvest Corporate Meeting Data

🔍 Koi Security researchers uncovered a campaign named Zoom Stealer that abused 18 Chrome, Firefox, and Edge extensions installed by about 2.2 million users to harvest meeting-related data. The extensions — often offering legitimate features like audio capture or video download — collected meeting URLs, IDs, topics, participant details, and embedded passwords. Collected data was streamed via WebSockets in real time and could enable corporate espionage or sales intelligence.

Suspect Arrested in KMSAuto Clipper Campaign — 2.8M Infected

🚨 South Korean authorities arrested a 29-year-old Lithuanian accused of distributing a clipboard-stealing clipper embedded in a trojanized KMSAuto activation tool that was downloaded 2.8 million times worldwide. The suspect was extradited from Georgia after investigators traced about KRW 1.7 billion (~$1.2M) diverted in 8,400 transactions. Devices seized in a December 2024 raid yielded evidence leading to the April 2025 arrest. Officials warn against using unofficial activators and unsigned executables.

Trust Wallet: $7M Stolen from 2,596 Wallets via Extension

🔒 Trust Wallet says attackers who pushed a malicious Chrome extension release on Dec 24 exfiltrated sensitive data and drained roughly $7 million from 2,596 wallet addresses. The compromise involved malicious JavaScript added to v2.68.0 that bypassed internal release controls; users were urged to update to v2.69. Trust Wallet has begun reimbursing verified victims and strongly warned users not to share seed phrases or private keys.

Hacker Claims WIRED Subscriber Database Leak, 2.3M

🔓 A threat actor using the handle 'Lovely' claims to have leaked an alleged WIRED subscriber database containing 2,366,576 records and offered access on hacking forums for roughly $2.30 in site credits. BleepingComputer validated multiple records, and security researchers, including Alon Gal, corroborated the dataset via infostealer logs. The dataset includes email addresses, optional PII (names, addresses, birthdays, phone numbers), and account timestamps spanning 1996–2025, and has been added to Have I Been Pwned for user checks.

Trust Wallet Chrome Extension Exploit Drains $7M Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) was released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

🛡️ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run — a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.

Signed macOS Dropper: New MacSync Stealer Variant Emerges

🚨 Jamf Threat Labs uncovered a reworked macOS infostealer masquerading as a legitimate signed app. The Swift dropper is code-signed and notarized, delivered in a 25.5MB disk image posing as a messaging installer, and silently fetches and executes an encoded script through a helper. It runs mainly in memory, removes quarantine attributes, enforces a ~3600s delay before execution, and cleans up traces; Jamf reported the developer certificate and Apple revoked it.

MacSync Stealer Bypasses Gatekeeper, Targets macOS Users

⚠️ Researchers at Jamf report that MacSync Stealer now arrives as a code-signed, notarized Swift utility that can execute with minimal user interaction. The dropper fetches a payload script from a command-and-control server after installation. Because the app appears signed and notarized, Gatekeeper does not display extra warnings, allowing attackers to exploit a window before certificate revocation. This behavior highlights limitations in Apple’s automated notarization checks.

Two Chrome Extensions Steal Credentials via Proxies

⚠️ Security researchers discovered two malicious Google Chrome extensions named Phantom Shuttle that intercept and exfiltrate credentials and session data from more than 170 targeted domains. After users pay for a subscription, the add-ons enable a proxy 'smarty' mode, inject hard-coded proxy credentials, and route selected traffic through attacker-controlled proxies to establish a persistent Man-in-the-Middle position. A recurring heartbeat to a command-and-control server forwards VIP emails, plaintext passwords and version details, enabling continuous monitoring and credential theft.

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.