All news with #infostealer tag

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.

🛡️ A coordinated law enforcement operation led by Europol and Eurojust between November 10–13, 2025 disrupted major malware infrastructures, including Rhadamanthys Stealer, Venom RAT, and an Elysium botnet. Authorities seized 20 domains, took down more than 1,025 servers and arrested a primary suspect in Greece on November 3. Europol said the dismantled networks encompassed hundreds of thousands of infected machines and several million stolen credentials, and that the infostealer operator had access to roughly 100,000 cryptocurrency wallets.

🔒 Law enforcement from nine countries disrupted infrastructure used by the Rhadamanthys infostealer, VenomRAT remote access trojan and the Elysium botnet during a phase of Operation Endgame. Coordinated by Europol and Eurojust with private partners, officers seized 20 domains, took down 1,025 servers and executed searches at 11 locations between 10 and 14 November 2025. A key suspect linked to VenomRAT was arrested in Greece, and authorities warn that the dismantled infrastructure contained hundreds of thousands of infected machines and several million stolen credentials, plus access to over 100,000 crypto wallets.

🔒 The Rhadamanthys infostealer operation has reportedly been disrupted, with multiple customers saying they no longer have SSH access to their web panels. Affected users report servers now require certificate-based logins instead of root passwords, prompting some to wipe and power down infrastructure. Researchers g0njxa and Gi7w0rm observed the outage and noted Tor onion sites for the operation are also offline. The developer and several customers suspect German law enforcement, and some analysts link the event to the broader Operation Endgame disruptions.

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

⚠ The GlassWorm malware campaign has resurfaced on OpenVSX, delivering malicious payloads via three new VSCode extensions that have been reported as downloaded over 10,000 times. The extensions use invisible Unicode obfuscation to execute JavaScript and harvest credentials and cryptocurrency wallet data through Solana transactions. Koi Security says the attacker reused infrastructure with updated C2 endpoints and that investigators accessed an attacker server, recovering victim data and identifying multiple global victims.

⚠️ Researchers flagged a malicious Visual Studio Code extension named susvsex that auto-zips, uploads and encrypts files on first launch and uses GitHub as a command-and-control channel. Uploaded on November 5, 2025 and removed from Microsoft's VS Code Marketplace the next day, the package embeds GitHub access tokens and writes execution results back to a repository. Separately, Datadog disclosed 17 trojanized npm packages that deploy the Vidar infostealer via postinstall scripts.

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.

🔒 Cybersecurity researchers CYFIRMA and independent analyst F6 have disclosed two active Android trojans—BankBot‑YNRK and DeliveryRAT—that harvest financial and device data from compromised phones. BankBot‑YNRK impersonates an Indonesian government app, performs device fingerprinting and anti-emulation checks, abuses accessibility services to steal credentials and automate transactions, and communicates with a command server. DeliveryRAT, promoted via a Telegram bot, lures Russian users with fake delivery and marketplace apps and delivers malware-as-a-service variants that collect notifications, SMS and call logs and can hide their launchers. Users should avoid untrusted APKs, review permissions, and keep devices updated—Android 14 reduces some accessibility-based abuses.

🔒 Russian authorities have arrested three individuals in Moscow accused of creating and operating the Meduza information‑stealing malware. Announced on Telegram by police general Irina Volk, investigators say the group developed and distributed Meduza via hacker forums around two years ago and offered it as a subscription-based service. The tool steals browser-stored credentials and cryptocurrency data and, since December 2023, can resurrect expired Chrome authentication cookies to facilitate account takeover. Authorities opened a criminal case after operators targeted an Astrakhan institution and seized confidential server data.

🚨 A multi-stage supply-chain campaign published ten typosquatted npm packages on July 4 that collectively reached nearly 10,000 downloads before removal, according to Socket. Each package abused npm’s postinstall lifecycle to open a new terminal, present a fake CAPTCHA prompt, and retrieve a PyInstaller-packed binary that harvests credentials from browsers, OS keyrings, SSH keys, tokens and cloud configuration files. The JavaScript installers combined four layers of obfuscation with social engineering to evade detection and delay scrutiny while exfiltrating collected secrets to the attacker’s host.

⚠️ Koi Security has identified a supply-chain campaign dubbed PhantomRaven that inserted malicious code into 126 npm packages, collectively installed more than 86,000 times, by pointing dependencies to an attacker-controlled host (packages.storeartifact[.]com). The packages include preinstall lifecycle hooks that fetch and execute remote dynamic dependencies, enabling immediate execution on developers' machines. The payloads are designed to harvest GitHub tokens, CI/CD secrets, developer emails and system fingerprints, and exfiltrate the results, while typical scanners and dependency analyzers miss the remote dependencies because npmjs.com does not follow those external URLs.

🚨 Ten typosquatted packages on npm were found delivering a 24 MB PyInstaller infostealer that targets Windows, Linux, and macOS. Uploaded on July 4 and downloaded nearly 10,000 times, the packages used heavy obfuscation and a fake CAPTCHA to evade detection. Researchers at Socket say the malware harvests keyrings, browser credentials, SSH keys and API tokens, then exfiltrates data to a remote server. Developers who installed these packages should remove them, perform remediation, and rotate all secrets.

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.

🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.