< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 13 of 19

Phantom Stealer delivered via ISO-based phishing chain

📧 Seqrite Labs has uncovered a Russian-origin phishing campaign, tracked as Operation MoneyMount-ISO, that delivers the Phantom information stealer through a multi-stage attachment chain. Attackers distribute a ZIP containing an ISO that auto-mounts and displays a disguised executable; running it triggers a loader that decrypts a malicious DLL and injects the stealer into memory while performing extensive anti-analysis checks. The campaign targets Russian-speaking finance, procurement and HR roles, harvesting passwords, cookies, crypto wallets, keystrokes and Discord tokens, then exfiltrating data via Telegram bots, Discord webhooks and FTP.
read more →

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.
read more →

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.
read more →

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.
read more →

Malicious Blender 3D Model Files Spread Infostealer

⚠️ Researchers observed threat actors distributing the StealC V2 infostealer hidden inside free .blend files on marketplaces like CGTrader. When Blender’s Auto Run Python Scripts setting is enabled, opening these models executes embedded Python that fetches a loader via Cloudflare Workers and runs a PowerShell chain to deploy payloads. The campaign exfiltrated browser and wallet data and abused a UAC bypass. Disable autorun and restrict unvetted tools.
read more →

Malicious VS Code Extensions Steal Credentials via DLL

🛡️ Researchers from Koi Security have uncovered two malicious Visual Studio Code extensions, Bitcoin Black and Codo AI, that delivered a DLL-based infostealer via a disguised Lightshot executable. The campaign used social engineering and evolving technical methods—initially complex PowerShell and passworded ZIPs, later streamlined to hidden batch scripts—to harvest screenshots, clipboard data, Wi‑Fi credentials and browser sessions. One extension posed as a theme while the other offered legitimate AI coding features, helping both evade suspicion on the VS Code Marketplace.
read more →

AMOS infostealer uses ChatGPT share to spread macOS malware

🛡️Kaspersky researchers uncovered a macOS campaign in which attackers used paid search ads to point victims to a public shared chat on ChatGPT that contained a fake installation guide for an “Atlas” browser. The guide instructs users to paste a single Terminal command that downloads a script from atlas-extension.com and requests system credentials. Executing it deploys the AMOS infostealer and a persistent backdoor that exfiltrates browser data, crypto wallets and files. Users should not run unsolicited commands and must use updated anti‑malware and careful verification before following online guides.
read more →

Malicious VS Code Extensions and Supply‑Chain Packages

🔒 Security researchers uncovered malicious extensions on the Microsoft Visual Studio Code Marketplace that delivered stealer malware while posing as a dark theme and an AI assistant. Koi Security reported the extensions downloaded additional payloads, captured screenshots, and siphoned emails, Slack messages, Wi‑Fi passwords, clipboard contents and browser sessions to attacker servers. Microsoft removed the packages in early December 2025 after investigators linked them to a publisher using multiple similarly named packages.
read more →

Malicious VSCode Extensions on Marketplace Drop Infostealers

🛡️ Two malicious Visual Studio Code extensions on Microsoft's Marketplace, Bitcoin Black and Codo AI, were found delivering an information-stealing payload that can capture screenshots, harvest credentials and crypto wallets, and hijack browser sessions. Published under the developer name 'BigBlack', Codo AI remained live with under 30 downloads at the time of reporting while Bitcoin Black showed a single install. Researchers at Koi Security observed that Bitcoin Black uses a wildcard activation and executes PowerShell or a hidden batch script to download a DLL and executable that leverage DLL hijacking to run the infostealer as 'runtime.exe'.
read more →

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.
read more →

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.
read more →

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.
read more →

ShadyPanda Converts Popular Browser Extensions into Spyware

🔒 A threat actor tracked as ShadyPanda operated a seven-year browser-extension campaign that amassed over 4.3 million installs by converting popular add-ons into data-stealing spyware. Koi Security reports that five extensions were modified in mid-2024 to run hourly remote code execution, download arbitrary JavaScript, and exfiltrate encrypted browsing histories and full browser fingerprints. Notable victims include Clean Master — once verified by Google — and WeTab, which still had millions of installs. Users should remove affected extensions and rotate credentials immediately while marketplaces review post-approval update controls.
read more →

ShadyPanda Extensions Reach 4.3M Installs, Spyware

⚠️ Koi Security uncovered the long-running "ShadyPanda" operation that amassed over 4.3 million installs of Chrome and Edge browser extensions, many of which transitioned from legitimate tools to spyware. The campaign, active since 2018, progressed through phases—starting with affiliate-fraud injections, moving to search hijacking, and culminating in a remote backdoor capable of executing arbitrary JavaScript. Google has removed numerous extensions from the Chrome Web Store, but several high-install Edge add-ons remain available and continue to collect browsing data, keystrokes, cookies, and device fingerprints. Users are advised to remove suspect extensions immediately and reset account passwords.
read more →

Albiriox Android MaaS Targets 400+ Banking and Wallet Apps

📱 Cleafy researchers disclosed Albiriox, a new Android malware offered as a malware‑as‑a‑service that facilitates on‑device fraud, screen manipulation, and real‑time remote control. The family includes a hard‑coded list of over 400 banking, fintech, payment processor, exchange and wallet apps and is distributed via packed droppers and lookalike Google Play pages using social‑engineering lures. Infections often begin with German‑language SMS or fake PENNY app listings that deliver a dropper APK which requests installation permissions and then deploys the main payload. Albiriox uses an unencrypted TCP C2 and a VNC‑based remote module that abuses Android accessibility services to stream UI elements and bypass FLAG_SECURE, enabling overlays, credential harvesting, and hidden background fraud.
read more →

North Korean Actors Push 197 Malicious npm Packages in Campaign

🛡️ North Korean threat actors tied to the Contagious Interview campaign have uploaded 197 malicious npm packages designed to deliver a variant of OtterCookie that incorporates features of BeaverTail. Socket reports the packages have been downloaded over 31,000 times and include loader names such as bcryptjs-node, cross-sessions, json-oauth and tailwind-magic. The payload evades sandboxes and virtual machines, profiles hosts, fetches a cross-platform binary via a hard-coded Vercel URL, opens a C2 remote shell, and can steal clipboard contents, keystrokes, screenshots, browser credentials, documents and cryptocurrency seed phrases.
read more →

New ClickFix Attacks Use Fake Windows Update Lures

🛡️Huntress warns of an evolved ClickFix campaign that uses a convincing full‑screen Windows Update splash and steganographic PNGs to trick employees into pasting and running commands. Those commands deliver loaders that in turn deploy LummaC2 and Rhadamanthys infostealers. The firm reports a 313% increase in ClickFix incidents over six months and noted multiple active lure domains even after the Nov 13 Operation Endgame takedown. Primary mitigation advice is to disable the Windows Run dialog via Registry or GPO and pair user awareness with endpoint monitoring and EDR.
read more →

JackFix uses fake Windows update pop-ups to deliver stealers

⚠️ Cybersecurity researchers report a JackFix campaign that uses fake Windows Update pop-ups on cloned adult sites to trick users into running mshta.exe and PowerShell commands. According to Acronis and Huntress, the attack chain leverages obfuscation, privilege escalation and can deploy multiple stealers including Rhadamanthys, RedLine and Vidar. Organizations are advised to train users and consider disabling the Windows Run box via Group Policy or Registry changes to reduce risk.
read more →

Blender .blend Files Weaponized to Deliver StealC V2

🛡️ Cybersecurity researchers disclosed a campaign that leverages Blender .blend files hosted on public asset sites to deliver the information stealer StealC V2. Malicious .blend assets contain embedded Python scripts that execute when Blender's Auto Run is enabled, fetching PowerShell code and two ZIP archives — one deploying StealC V2 and the other a secondary Python stealer. Vendors advise keeping Auto Run disabled and verifying asset sources.
read more →

Shai-Hulud Worm Resurfaces, Infects Hundreds of npm Packages

🐛 Security teams have warned of a rapidly spreading secret-stealing worm, Shai-Hulud, that has resurfaced in the npm ecosystem and already infected hundreds of packages with tens of millions of downloads. First seen in September, attackers hijack developer accounts to publish trojanized packages that exfiltrate AWS keys and GitHub tokens to attacker-controlled repositories. Vendors including Wiz Security and Mondoo report explosive scaling—hundreds of new repos discovered every 30 minutes—and urge urgent dependency audits. Recommended mitigations include rotating credentials, disabling npm postinstall scripts in CI, enforcing MFA, pinning versions, and using tools like Safe-Chain to block malicious packages.
read more →