< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 11 of 19

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.
read more →

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.
read more →

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
read more →

c-ares DLL Side-Loading Enables Malware Deployment

🔒 Researchers detail an active campaign abusing a DLL side-loading flaw in the open-source c-ares runtime to evade defenses and deploy commodity trojans and stealers. Attackers pair a malicious libcares-2.dll with signed copies of ahost.exe (commonly from GitKraken) placed in the same folder to hijack load order and achieve code execution. The operation distributes families including Agent Tesla, CryptBot, Formbook, Vidar, Lumma, Remcos and others using invoice- and RFQ-themed lures in multiple languages targeting finance, procurement and admin roles.
read more →

Malicious Chrome Extension Steals MEXC API Keys in Web Store

⚠ A malicious Chrome extension named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) has been found on the Chrome Web Store and is designed to create and steal API keys for the MEXC exchange. Published Sept 1, 2025 by a developer using the handle "jorjortan142," the add-on programmatically generates API keys with withdrawal permissions and hides the enabled permission in the UI. The extension injects a content script on MEXC's API management page, captures the Access and Secret keys when created, and exfiltrates them via HTTPS to a hard-coded Telegram bot. Socket researcher Kirill Boychenko reported 29 downloads and warns the threat remains active as long as stolen keys are valid.
read more →

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" and "Дополнительные выплаты") which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.
read more →

Malicious npm Packages Target n8n in Supply-Chain Attack

🔐 Endor Labs discovered malicious npm packages this week that impersonated community nodes for the n8n workflow automation platform, harvesting OAuth tokens and API keys when installed. The deceptive packages presented legitimate-looking configuration screens while executing code to decrypt credentials from n8n’s credential store and exfiltrate them to attacker-controlled C2 servers. Because n8n treats installed nodes as trusted code with full access to the workflow environment, these packages bypass typical supply-chain monitoring and can perform arbitrary network requests and host interactions. Endor recommends preferring built-in integrations, auditing package source and metadata, monitoring outbound traffic from automation hosts, and using isolated, least-privilege service accounts.
read more →

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials and the malware logs propagation metrics.
read more →

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.
read more →

Ghost Tap Malware Drives Remote NFC Payment Fraud Surge

📱 Group-IB researchers have documented Android malware enabling unauthorized tap-to-pay transactions by remotely relaying NFC card data. Malicious APK samples—over 54 identified—are distributed in Chinese-language Telegram cybercrime communities and often disguise themselves as legitimate financial apps. Attackers use smishing and vishing to get victims to install a 'reader' app and tap their card; a criminal 'tapper' app and illicit POS terminals then complete the payment. Prominent vendors, including TX-NFC, X-NFC and NFU Pay, sell access via subscriptions and support.
read more →

ownCloud Urges MFA after Credential Theft Reports Globally

🔒 ownCloud has urged users to enable multi-factor authentication (MFA) after reports that threat actors used credentials stolen via infostealer malware to access self-hosted file-sharing instances. The company said the platform was not breached via a zero-day or vulnerability; attackers reused credentials harvested by malware such as RedLine, Lumma, and Vidar. ownCloud recommends enabling MFA, resetting passwords, invalidating sessions, and reviewing access logs to protect data.
read more →

Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and OwnCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, long-lived stolen credentials and the necessity of MFA and session invalidation.
read more →

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and OwnCloud instances. Hudson Rock links initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.
read more →

VVS Stealer Employs Advanced Obfuscation Targeting Discord

🛡️ VVS Stealer is a Python-based credential-stealing malware distributed as a PyInstaller package and protected with Pyarmor obfuscation in BCC mode to hinder analysis. It targets Discord tokens and browser-stored credentials, injects malicious JavaScript into the Discord client, and exfiltrates data via Discord webhooks. The sample persists by copying itself to the Windows startup folder and displays fake error messages to evade detection.
read more →

VVS Stealer: Python info-stealer targets Discord now

🐍 Researchers disclosed a new Python-based information stealer called VVS Stealer that harvests Discord tokens, account data and browser credentials. The malware, sold on Telegram with subscription and one-time tiers, is obfuscated with Pyarmor and packaged via PyInstaller to hinder analysis. It persists by adding itself to the Windows Startup folder and shows fake "Fatal Error" pop-ups. VVS injects into Discord and uses a downloaded obfuscated JavaScript payload to monitor traffic via the Chrome DevTools Protocol for session hijacking.
read more →

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.
read more →

Technical Analysis of VVS Stealer Targeting Discord

🔍 Unit 42 provides a detailed technical analysis of VVS stealer, a Python-based malware family that targets Discord users and Chromium/Firefox browsers to exfiltrate tokens, credentials, and browser data. The report explains distribution as PyInstaller packages protected with Pyarmor (observed v9.1.4) and documents the deobfuscation steps used to recover bytecode, AES keys, and encrypted strings. It summarizes runtime behaviors including Discord client injection via modified Electron files, webhook-based exfiltration, persistence in %APPDATA%, and sample indicators defenders can monitor.
read more →

DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.
read more →

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.
read more →

Zoom Stealer Extensions Harvest Corporate Meeting Data

🔍 Koi Security researchers uncovered a campaign named Zoom Stealer that abused 18 Chrome, Firefox, and Edge extensions installed by about 2.2 million users to harvest meeting-related data. The extensions — often offering legitimate features like audio capture or video download — collected meeting URLs, IDs, topics, participant details, and embedded passwords. Collected data was streamed via WebSockets in real time and could enable corporate espionage or sales intelligence.
read more →