< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 15 of 19

Vidar Infostealer Delivered Through Malicious npm Packages

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.
read more →

BankBot-YNRK and DeliveryRAT: New Android Banking Threats

🔒 Cybersecurity researchers CYFIRMA and independent analyst F6 have disclosed two active Android trojans—BankBot‑YNRK and DeliveryRAT—that harvest financial and device data from compromised phones. BankBot‑YNRK impersonates an Indonesian government app, performs device fingerprinting and anti-emulation checks, abuses accessibility services to steal credentials and automate transactions, and communicates with a command server. DeliveryRAT, promoted via a Telegram bot, lures Russian users with fake delivery and marketplace apps and delivers malware-as-a-service variants that collect notifications, SMS and call logs and can hide their launchers. Users should avoid untrusted APKs, review permissions, and keep devices updated—Android 14 reduces some accessibility-based abuses.
read more →

Russian Police Arrest Suspected Meduza Stealer Operators

🔒 Russian authorities have arrested three individuals in Moscow accused of creating and operating the Meduza information‑stealing malware. Announced on Telegram by police general Irina Volk, investigators say the group developed and distributed Meduza via hacker forums around two years ago and offered it as a subscription-based service. The tool steals browser-stored credentials and cryptocurrency data and, since December 2023, can resurrect expired Chrome authentication cookies to facilitate account takeover. Authorities opened a criminal case after operators targeted an Astrakhan institution and seized confidential server data.
read more →

Typosquatted npm Packages Deliver Cross-Platform Stealer

🚨 A multi-stage supply-chain campaign published ten typosquatted npm packages on July 4 that collectively reached nearly 10,000 downloads before removal, according to Socket. Each package abused npm’s postinstall lifecycle to open a new terminal, present a fake CAPTCHA prompt, and retrieve a PyInstaller-packed binary that harvests credentials from browsers, OS keyrings, SSH keys, tokens and cloud configuration files. The JavaScript installers combined four layers of obfuscation with social engineering to evade detection and delay scrutiny while exfiltrating collected secrets to the attacker’s host.
read more →

PhantomRaven: Malware in 126 npm Packages Steals Tokens

⚠️ Koi Security has identified a supply-chain campaign dubbed PhantomRaven that inserted malicious code into 126 npm packages, collectively installed more than 86,000 times, by pointing dependencies to an attacker-controlled host (packages.storeartifact[.]com). The packages include preinstall lifecycle hooks that fetch and execute remote dynamic dependencies, enabling immediate execution on developers' machines. The payloads are designed to harvest GitHub tokens, CI/CD secrets, developer emails and system fingerprints, and exfiltrate the results, while typical scanners and dependency analyzers miss the remote dependencies because npmjs.com does not follow those external URLs.
read more →

Typosquatted npm Packages Deploy Cross-Platform Infostealer

🚨 Ten typosquatted packages on npm were found delivering a 24 MB PyInstaller infostealer that targets Windows, Linux, and macOS. Uploaded on July 4 and downloaded nearly 10,000 times, the packages used heavy obfuscation and a fake CAPTCHA to evade detection. Researchers at Socket say the malware harvests keyrings, browser credentials, SSH keys and API tokens, then exfiltrates data to a remote server. Developers who installed these packages should remove them, perform remediation, and rotate all secrets.
read more →

Malicious npm Packages Steal Developer Credentials

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.
read more →

Herodotus Android Trojan Mimics Humans to Evade Fraud

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.
read more →

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.
read more →

Google Refutes False Claims of Massive Gmail Breach

🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.
read more →

RedTiger Infostealer Used to Steal Discord Accounts

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.
read more →

GlassWorm self-spreading worm targets VS Code extensions

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.
read more →

YouTube Ghost Network: Disrupting a Massive Malware Campaign

🛡️ Check Point Research uncovered the YouTube Ghost Network, a large-scale operation that used fake and compromised accounts to distribute infostealers like Rhadamanthys and Lumma. More than 3,000 malicious videos — often disguised as cracked software or game hacks — were reported and removed after being linked to password-protected archives that carried the malware. Compromised accounts, coordinated comment manipulation, and false endorsements were used to build trust and drive downloads.
read more →

Vidar 2.0 Emerges as Lumma Stealer Declines, Upgraded

🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.
read more →

Typosquatted Nethereum NuGet Package Steals Wallet Keys

🔒Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.
read more →

SnakeStealer Infostealer Surges to Top of Detections

🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.
read more →

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.
read more →

Vidar Stealer 2.0 Rewritten in C with Multi-Threading

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.
read more →

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.
read more →

TikTok Videos Push Infostealers via ClickFix Activation Scams

🔒 Cybercriminals are using TikTok videos disguised as free activation guides for software such as Windows, Adobe, Spotify, and Discord to distribute info‑stealing malware via a ClickFix technique. The videos instruct users to run a short PowerShell command that fetches a script from slmgr.win, which then downloads a variant of Aura Stealer and an additional payload from Cloudflare Pages. Victims should assume credentials are compromised, reset passwords, and avoid running copied commands in shells or terminal windows.
read more →