< ciso brief />

All news with #infostealer tag

337 articles · page 11 of 17

Malicious npm WhatsApp API 'lotusbail' Steals Accounts

🔒 Koi Security disclosed a malicious npm package, lotusbail, masquerading as a WhatsApp API and designed to intercept authentication tokens, messages, contacts and media. Uploaded in May 2025 by the account "seiren_primrose", it has been downloaded over 56,000 times and remained available at the time of reporting. The library wraps the WebSocket client and contains a hard-coded pairing code that links the attacker's device to a victim's WhatsApp account, creating a persistent backdoor even after uninstallation. It also implements anti-debugging traps to freeze execution and hinder analysis.

Malicious NPM Package Steals WhatsApp Accounts and Messages

🔒 A malicious NPM package published as lotusbail and masquerading as a WhatsApp Web API library was found to exfiltrate authentication tokens, session keys, messages, contacts and media. Researchers at Koi Security report the package wraps the legitimate WebSocket client from the Baileys project so all traffic is intercepted and recorded. The malware encrypts captured data with layered obfuscation (Unicode tricks, LZString, AES and custom RSA) and establishes persistent access by pairing the attacker’s device to victims' WhatsApp accounts. Developers should remove the package, inspect linked devices, and monitor runtime behavior for unexpected outbound connections.

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.

Obfuscated BeaverTail Variant Linked to Lazarus Operations

🛡️ Darktrace links a newly observed, heavily obfuscated BeaverTail JavaScript variant to DPRK-associated Lazarus clusters, targeting cryptocurrency traders, developers and retail staff. The cross-platform loader and stealer harvests host details and retrieves follow-on payloads, with recent samples using layered Base64 and XOR encoding. Delivery has expanded via trojanized npm packages, fake interview platforms and command-injection lures.

Typosquatted NuGet Package Steals Stratis Wallets Silently

🔒 A malicious NuGet package named "Tracer.Fody.NLog" was published on February 26, 2020 and impersonates the legitimate Tracer.Fody maintainer to deliver a cryptocurrency wallet stealer. The embedded Tracer.Fody.dll scans the default Stratis wallet directory (%APPDATA%\StratisNode\stratis\StratisMain), reads *.wallet.json files and in-memory passwords, and exfiltrates data to 176.113.82[.]163. Socket researcher Kirill Boychenko highlighted multiple evasion tactics — a typosquatted publisher name, Cyrillic lookalikes in code, and a hidden routine inside a helper method that runs during normal execution while suppressing exceptions.

Urban VPN Extension Steals AI Chats from Users' Browsers

⚠️ Security researchers found that Urban VPN Proxy, a free browser extension with millions of installs, injected hidden scripts to capture full AI chat conversations from users’ browsers. The extension targeted multiple platforms including ChatGPT, Claude, Gemini and Perplexity, overriding browser network APIs to intercept prompts and responses. Captured data was packaged and sent to the extension operator’s backend even when VPN features were disabled. The extension marketed an “AI protection” feature that did not prevent this collection.

SantaStealer info-stealer targets browsers and wallets

⚠️ Rapid7 researchers report a new malware-as-a-service called SantaStealer, advertised on Telegram and hacker forums as an in-memory info‑stealer designed to evade file-based detection. The operation appears to be a rebranding of BluelineStealer by a Russian-speaking developer and is being marketed with Basic ($175/month) and Premium ($300/month) tiers. Samples and an affiliate panel show 14 modular data-collection threads that harvest browser credentials, cookies, saved cards, messaging and gaming app data, crypto wallets and documents, bundle results into ZIPs in memory, and exfiltrate them in 10MB chunks to a hardcoded C2 on port 6767. Despite claims of stealth, leaked builds include symbol names and unencrypted strings that make analysis straightforward.

Phantom Stealer delivered via ISO-based phishing chain

📧 Seqrite Labs has uncovered a Russian-origin phishing campaign, tracked as Operation MoneyMount-ISO, that delivers the Phantom information stealer through a multi-stage attachment chain. Attackers distribute a ZIP containing an ISO that auto-mounts and displays a disguised executable; running it triggers a loader that decrypts a malicious DLL and injects the stealer into memory while performing extensive anti-analysis checks. The campaign targets Russian-speaking finance, procurement and HR roles, harvesting passwords, cookies, crypto wallets, keystrokes and Discord tokens, then exfiltrating data via Telegram bots, Discord webhooks and FTP.

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.

Malicious Blender 3D Model Files Spread Infostealer

⚠️ Researchers observed threat actors distributing the StealC V2 infostealer hidden inside free .blend files on marketplaces like CGTrader. When Blender’s Auto Run Python Scripts setting is enabled, opening these models executes embedded Python that fetches a loader via Cloudflare Workers and runs a PowerShell chain to deploy payloads. The campaign exfiltrated browser and wallet data and abused a UAC bypass. Disable autorun and restrict unvetted tools.

Malicious VS Code Extensions Steal Credentials via DLL

🛡️ Researchers from Koi Security have uncovered two malicious Visual Studio Code extensions, Bitcoin Black and Codo AI, that delivered a DLL-based infostealer via a disguised Lightshot executable. The campaign used social engineering and evolving technical methods—initially complex PowerShell and passworded ZIPs, later streamlined to hidden batch scripts—to harvest screenshots, clipboard data, Wi‑Fi credentials and browser sessions. One extension posed as a theme while the other offered legitimate AI coding features, helping both evade suspicion on the VS Code Marketplace.

AMOS infostealer uses ChatGPT share to spread macOS malware

🛡️ Kaspersky researchers uncovered a macOS campaign in which attackers used paid search ads to point victims to a public shared chat on ChatGPT that contained a fake installation guide for an “Atlas” browser. The guide instructs users to paste a single Terminal command that downloads a script from atlas-extension.com and requests system credentials. Executing it deploys the AMOS infostealer and a persistent backdoor that exfiltrates browser data, crypto wallets and files. Users should not run unsolicited commands and must use updated anti‑malware and careful verification before following online guides.

Malicious VS Code Extensions and Supply‑Chain Packages

🔒 Security researchers uncovered malicious extensions on the Microsoft Visual Studio Code Marketplace that delivered stealer malware while posing as a dark theme and an AI assistant. Koi Security reported the extensions downloaded additional payloads, captured screenshots, and siphoned emails, Slack messages, Wi‑Fi passwords, clipboard contents and browser sessions to attacker servers. Microsoft removed the packages in early December 2025 after investigators linked them to a publisher using multiple similarly named packages.

Malicious VSCode Extensions on Marketplace Drop Infostealers

🛡️ Two malicious Visual Studio Code extensions on Microsoft's Marketplace, Bitcoin Black and Codo AI, were found delivering an information-stealing payload that can capture screenshots, harvest credentials and crypto wallets, and hijack browser sessions. Published under the developer name 'BigBlack', Codo AI remained live with under 30 downloads at the time of reporting while Bitcoin Black showed a single install. Researchers at Koi Security observed that Bitcoin Black uses a wildcard activation and executes PowerShell or a hidden batch script to download a DLL and executable that leverage DLL hijacking to run the infostealer as 'runtime.exe'.

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️ Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.