< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 12 of 19

Suspect Arrested in KMSAuto Clipper Campaign — 2.8M Infected

🚨 South Korean authorities arrested a 29-year-old Lithuanian accused of distributing a clipboard-stealing clipper embedded in a trojanized KMSAuto activation tool that was downloaded 2.8 million times worldwide. The suspect was extradited from Georgia after investigators traced about KRW 1.7 billion (~$1.2M) diverted in 8,400 transactions. Devices seized in a December 2024 raid yielded evidence leading to the April 2025 arrest. Officials warn against using unofficial activators and unsigned executables.
read more →

Trust Wallet: $7M Stolen from 2,596 Wallets via Extension

🔒 Trust Wallet says attackers who pushed a malicious Chrome extension release on Dec 24 exfiltrated sensitive data and drained roughly $7 million from 2,596 wallet addresses. The compromise involved a malicious JavaScript added to v2.68.0 that bypassed internal release controls; users were urged to update to v2.69. Trust Wallet has begun reimbursing verified victims and strongly warned users not to share seed phrases or private keys.
read more →

Hacker Claims WIRED Subscriber Database Leak, 2.3M

🔓 A threat actor using the handle 'Lovely' claims to have leaked an alleged WIRED subscriber database containing 2,366,576 records and offered access on hacking forums for roughly $2.30 in site credits. BleepingComputer validated multiple records and security researchers, including Alon Gal, corroborated the dataset via infostealer logs. The dataset includes email addresses, optional PII (names, addresses, birthdays, phone numbers), account timestamps spanning 1996–2025, and has been added to Have I Been Pwned for user checks.
read more →

Trust Wallet Chrome Extension Exploit Drains $7M Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.
read more →

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.
read more →

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.
read more →

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

🛡️ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run — a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.
read more →

Signed macOS Dropper: New MacSync Stealer Variant Emerges

🚨 Jamf Threat Labs uncovered a reworked macOS infostealer masquerading as a legitimate signed app. The Swift dropper is code‑signed and notarized, delivered in a 25.5MB disk image posing as a messaging installer, and silently fetches and executes an encoded script through a helper. It runs mainly in memory, removes quarantine attributes, enforces a ~3600s delay before execution, and cleans up traces; Jamf reported the developer certificate and Apple revoked it.
read more →

MacSync Stealer Bypasses Gatekeeper, Targets macOS Users

⚠️ Researchers at Jamf report that MacSync Stealer now arrives as a code-signed, notarized Swift utility that can execute with minimal user interaction. The dropper fetches a payload script from a command-and-control server after installation. Because the app appears signed and notarized, Gatekeeper does not display extra warnings, allowing attackers to exploit a window before certificate revocation. This behavior highlights limitations in Apple’s automated notarization checks.
read more →

Two Chrome Extensions Steal Credentials via Proxies

⚠️ Security researchers discovered two malicious Google Chrome extensions named Phantom Shuttle that intercept and exfiltrate credentials and session data from more than 170 targeted domains. After users pay for a subscription the add-ons enable a proxy 'smarty' mode, inject hard-coded proxy credentials, and route selected traffic through attacker-controlled proxies to establish a persistent Man‑in‑the‑Middle position. A recurring heartbeat to a command-and-control server forwards VIP emails, plaintext passwords and version details, enabling continuous monitoring and credential theft.
read more →

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.
read more →

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.
read more →

Malicious npm WhatsApp API 'lotusbail' Steals Accounts

🔒 Koi Security disclosed a malicious npm package, lotusbail, masquerading as a WhatsApp API and designed to intercept authentication tokens, messages, contacts and media. Uploaded in May 2025 by the account "seiren_primrose", it has been downloaded over 56,000 times and remained available at the time of reporting. The library wraps the WebSocket client and contains a hard-coded pairing code that links the attacker's device to a victim's WhatsApp account, creating a persistent backdoor even after uninstallation. It also implements anti-debugging traps to freeze execution and hinder analysis.
read more →

Malicious NPM Package Steals WhatsApp Accounts and Messages

🔒 A malicious NPM package published as lotusbail and masquerading as a WhatsApp Web API library was found to exfiltrate authentication tokens, session keys, messages, contacts and media. Researchers at Koi Security report the package wraps the legitimate WebSocket client from the Baileys project so all traffic is intercepted and recorded. The malware encrypts captured data with layered obfuscation (Unicode tricks, LZString, AES and custom RSA) and establishes persistent access by pairing the attacker’s device to victims' WhatsApp accounts. Developers should remove the package, inspect linked devices, and monitor runtime behavior for unexpected outbound connections.
read more →

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.
read more →

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.
read more →

Obfuscated BeaverTail Variant Linked to Lazarus Operations

🛡️ Darktrace links a newly observed, heavily obfuscated BeaverTail JavaScript variant to DPRK-associated Lazarus clusters, targeting cryptocurrency traders, developers and retail staff. The cross-platform loader and stealer harvests host details and retrieves follow-on payloads, with recent samples using layered Base64 and XOR encoding. Delivery has expanded via trojanized npm packages, fake interview platforms and command-injection lures.
read more →

Typosquatted NuGet Package Steals Stratis Wallets Silently

🔒 A malicious NuGet package named "Tracer.Fody.NLog" was published on February 26, 2020 and impersonates the legitimate Tracer.Fody maintainer to deliver a cryptocurrency wallet stealer. The embedded Tracer.Fody.dll scans the default Stratis wallet directory (%APPDATA%\StratisNode\stratis\StratisMain), reads *.wallet.json files and in-memory passwords, and exfiltrates data to 176.113.82[.]163. Socket researcher Kirill Boychenko highlighted multiple evasion tactics — a typosquatted publisher name, Cyrillic lookalikes in code, and a hidden routine inside a helper method that runs during normal execution while suppressing exceptions.
read more →

Urban VPN Extension Steals AI Chats from Users' Browsers

⚠️ Security researchers found that Urban VPN Proxy, a free browser extension with millions of installs, injected hidden scripts to capture full AI chat conversations from users’ browsers. The extension targeted multiple platforms including ChatGPT, Claude, Gemini and Perplexity, overriding browser network APIs to intercept prompts and responses. Captured data was packaged and sent to the extension operator’s backend even when VPN features were disabled. The extension marketed an “AI protection” feature that did not prevent this collection.
read more →

SantaStealer info-stealer targets browsers and wallets

⚠️Rapid7 researchers report a new malware-as-a-service called SantaStealer, advertised on Telegram and hacker forums as an in-memory info‑stealer designed to evade file-based detection. The operation appears to be a rebranding of BluelineStealer by a Russian-speaking developer and is being marketed with Basic ($175/month) and Premium ($300/month) tiers. Samples and an affiliate panel show 14 modular data-collection threads that harvest browser credentials, cookies, saved cards, messaging and gaming app data, crypto wallets and documents, bundle results into ZIPs in memory, and exfiltrate them in 10MB chunks to a hardcoded C2 on port 6767. Despite claims of stealth, leaked builds include symbol names and unencrypted strings that make analysis straightforward.
read more →