< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 14 of 19

Shai-Hulud 2.0 Worm Spreads Through npm and GitHub

⚠️ Researchers at Wiz, JFrog and others are tracking a renewed campaign of the Shai‑Hulud credentials‑stealing worm spreading through the npm registry and GitHub. The new Shai‑Hulud 2.0 executes during the preinstall phase, exfiltrates developer and CI/CD secrets to randomized repositories, and injects malicious payloads into other packages. Widely used modules, including @asyncapi/specs, Zapier, Postman and others, have been compromised, prompting immediate remediation steps for affected developers and organizations.
read more →

Blender model files used to deliver StealC infostealer

⚠️ Researchers at Morphisec observed a Russian-linked campaign using malicious Blender .blend files uploaded to 3D model marketplaces to deliver the StealC V2 infostealer. The embedded Python in the .blend fetches a loader from a Cloudflare Workers domain, which runs a PowerShell script to download two ZIP archives, unpack them into %TEMP%, drop LNK shortcuts into the Startup folder for persistence, and deploy both the StealC payload and an auxiliary Python stealer. Users are advised to disable Blender's Auto Run for Python scripts and treat downloaded 3D assets like executables, testing unknown files in sandboxed environments.
read more →

ClickFix Uses Fake Windows Update to Deliver Malware

🔒 Researchers warn of ClickFix attack variants that display a realistic full‑screen fake Windows Update animation in the browser to trick users into pasting commands that execute malware. Operators use steganography to hide AES‑encrypted shellcode inside PNG pixel data and leverage mshta, PowerShell, and a .NET Stego Loader to reconstruct and run payloads. Huntress observed delivery of LummaC2 and Rhadamanthys info stealers and a dynamic evasion ctrampoline technique to hinder analysis. A law enforcement takedown in November disrupted payload delivery on some fake update domains.
read more →

Shai-Hulud Malware Hits Hundreds of npm Packages, Leaks Secrets

⚠️ Hundreds of trojanized versions of popular npm packages — including toolkits linked to Zapier, ENS Domains, PostHog and others — have been published in a renewed Shai‑Hulud supply‑chain campaign designed to steal developer and CI/CD secrets. The malware runs during pre‑install, collects credentials into files like cloud.json and environment.json, and posts encoded data to quickly created GitHub repositories. Researchers at Aikido Security, Wiz and Step Security identified obfuscated payloads in setup_bun.js and a large, heavily obfuscated bun_environment.js dropper.
read more →

StealC V2 Spread Through Malicious Blender .blend Files

🛠️ Morphisec researchers have uncovered a six-month campaign embedding StealC V2 inside weaponized Blender .blend files distributed via marketplaces such as CGTrader. When opened with Blender's Auto Run enabled, concealed Python scripts fetch loaders from workers.dev domains and initiate a multistage infection that deploys PowerShell components and Python-based stealers. The malware establishes persistence with LNK files and communicates with Pyramid-linked C2 servers to retrieve encrypted payloads. Morphisec says its deception-based protection thwarts credential theft by injecting decoy credentials and terminating processes before exfiltration.
read more →

Second Sha1-Hulud npm Wave Hits 25,000+ Repositories

⚠ Multiple security vendors report a second Sha1-Hulud campaign that has trojanized hundreds of npm packages and affected over 25,000 repositories. The attack leverages a preinstall script ("setup_bun.js") to install or locate the Bun runtime and execute a bundled payload ("bun_environment.js") that harvests credentials. The malware registers hosts as self-hosted GitHub runners named "SHA1HULUD", drops a vulnerable workflow (.github/workflows/discussion.yaml) to run arbitrary commands via repository discussions, exfiltrates secrets as artifacts, and then removes traces; when exfiltration fails it can attempt destructive wiping of the user home directory.
read more →

Operation Endgame 3.0 Disrupts Rhadamanthys Infostealer

🔒Operation Endgame 3.0, coordinated by Europol with over 30 national and private partners, dismantled more than 1,000 servers and seized 20 domains tied to the Rhadamanthys infostealer, VenomRAT and the Elysium botnet. Authorities say the disrupted infrastructure harboured hundreds of thousands of infected computers and millions of stolen credentials, with the Rhadamanthys operator allegedly accessing over 100,000 crypto wallets. The action included 11 searches and at least one arrest; users are advised to check accounts via national breach-check services or HaveIBeenPwned and to maintain strong defences as criminals can rebuild.
read more →

TamperedChef Malware Uses Fake Installers in Global Campaign

⚠️ Acronis Threat Research Unit (TRU) reports an ongoing global malvertising campaign, dubbed TamperedChef, that employs counterfeit installers masquerading as popular utilities and product manuals to deploy an information-stealer and obfuscated JavaScript backdoors. Operators use SEO poisoning, malicious ads, and abused code-signing certificates from shell companies in the U.S., Panama, and Malaysia to increase trust and evade detection. Installers drop an XML file to create a scheduled task that launches the JavaScript backdoor, which exfiltrates encrypted, Base64-encoded JSON over HTTPS. Infections concentrate in the U.S. and have also been observed in Israel, Spain, Germany, India, and Ireland, with healthcare, construction, and manufacturing among the most affected sectors.
read more →

Python WhatsApp Worm Spreads Eternidade Stealer Across Brazil

📲 Trustwave SpiderLabs describes a Python-based WhatsApp worm that propagates a Delphi credential stealer named Eternidade Stealer across Brazilian devices. The campaign begins with an obfuscated Visual Basic Script dropper that installs both a Python WPPConnect-based propagator and an MSI/AutoIt installer which injects the stealer into svchost.exe. Operators use IMAP to fetch dynamic C2 addresses and apply Brazilian Portuguese geofencing to limit infections to the target region.
read more →

Eternidade Stealer: WhatsApp Worm Targets Brazil's Ecosystem

🔒 Trustwave SpiderLabs has identified Eternidade Stealer, a multi-component banking Trojan that combines a Python-based WhatsApp-propagating worm, a Delphi stealer and an MSI dropper to harvest financial credentials and spread laterally. The campaign uses an obfuscated VBScript to deliver two payloads, dynamically retrieves command-and-control via IMAP and activates only on systems using Brazilian Portuguese. Defenders should watch for unexpected MSI or script executions, suspicious WhatsApp messages and indicators linked to the campaign.
read more →

Job-test malware campaign shifts to public JSON dropboxes

🔎 The Contagious Interview campaign is delivering trojanized coding tests that fetch heavily obfuscated JavaScript from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io. When executed in a Node.js test run the payloads decode and install the BeaverTail infostealer and then stage the InvisibleFerret RAT. NVISO Labs warns attackers are abusing developer trust and legitimate platforms and recommends sandboxing, auditing config files, and blocking suspicious outbound requests.
read more →

Fake Chrome Extension 'Safery' Exfiltrates Ethereum Seeds

🔒 A malicious Chrome extension posing as Safery: Ethereum Wallet was found to exfiltrate Ethereum wallet seed phrases by encoding mnemonics into synthetic Sui addresses. Socket security researcher Kirill Boychenko and Koi Security report the extension broadcasts micro-transactions (0.000001 SUI) from an attacker-controlled wallet to smuggle seed phrases on-chain without a traditional C2 server. Uploaded on September 29, 2025 and updated November 12, it remained available at the time of reporting. Users should stick to trusted wallet extensions and defenders should flag unexpected RPC calls and on-chain writes during wallet import or creation.
read more →

Operation Endgame Takedown Disrupts Major Malware Campaign

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.
read more →

Operation Endgame Disrupts Multiple Malware Networks

🛡️ A coordinated law enforcement operation led by Europol and Eurojust between November 10–13, 2025 disrupted major malware infrastructures, including Rhadamanthys Stealer, Venom RAT, and an Elysium botnet. Authorities seized 20 domains, took down more than 1,025 servers and arrested a primary suspect in Greece on November 3. Europol said the dismantled networks encompassed hundreds of thousands of infected machines and several million stolen credentials, and that the infostealer operator had access to roughly 100,000 cryptocurrency wallets.
read more →

Police Disrupt Rhadamanthys, VenomRAT and Elysium Botnets

🔒 Law enforcement from nine countries disrupted infrastructure used by the Rhadamanthys infostealer, VenomRAT remote access trojan and the Elysium botnet during a phase of Operation Endgame. Coordinated by Europol and Eurojust with private partners, officers seized 20 domains, took down 1,025 servers and executed searches at 11 locations between 10 and 14 November 2025. A key suspect linked to VenomRAT was arrested in Greece, and authorities warn that the dismantled infrastructure contained hundreds of thousands of infected machines and several million stolen credentials, plus access to over 100,000 crypto wallets.
read more →

Rhadamanthys infostealer disrupted after server access loss

🔒 The Rhadamanthys infostealer operation has reportedly been disrupted, with multiple customers saying they no longer have SSH access to their web panels. Affected users report servers now require certificate-based logins instead of root passwords, prompting some to wipe and power down infrastructure. Researchers g0njxa and Gi7w0rm observed the outage and noted Tor onion sites for the operation are also offline. The developer and several customers suspect German law enforcement, and some analysts link the event to the broader Operation Endgame disruptions.
read more →

Maverick Banking Malware Spreads via WhatsApp Web in Brazil

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.
read more →

GlassWorm Malware Found in Three VS Code Extensions

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.
read more →

GlassWorm Returns to OpenVSX with Three VSCode Extensions

⚠ The GlassWorm malware campaign has resurfaced on OpenVSX, delivering malicious payloads via three new VSCode extensions that have been reported as downloaded over 10,000 times. The extensions use invisible Unicode obfuscation to execute JavaScript and harvest credentials and cryptocurrency wallet data through Solana transactions. Koi Security says the attacker reused infrastructure with updated C2 endpoints and that investigators accessed an attacker server, recovering victim data and identifying multiple global victims.
read more →

Malicious VS Code Extension and Trojanized npm Packages

⚠️ Researchers flagged a malicious Visual Studio Code extension named susvsex that auto-zips, uploads and encrypts files on first launch and uses GitHub as a command-and-control channel. Uploaded on November 5, 2025 and removed from Microsoft's VS Code Marketplace the next day, the package embeds GitHub access tokens and writes execution results back to a repository. Separately, Datadog disclosed 17 trojanized npm packages that deploy the Vidar infostealer via postinstall scripts.
read more →