< ciso brief />

All news with #infostealer tag

337 articles · page 16 of 17

Malicious Rust crates on Crates.io exfiltrate crypto keys

🔒 Two malicious Rust crates published to Crates.io scanned developer systems at runtime to harvest cryptocurrency private keys and other secrets. The packages, faster_log and async_println, mimicked a legitimate logging crate to avoid detection and contained a hidden payload that searched files and environment variables for Ethereum-style hex keys, Solana-style Base58 strings, and bracketed byte arrays. Discovered by Socket, both crates were removed and the publisher accounts suspended; affected developers are advised to clean systems and move assets to new wallets.

Phishing-to-PureRAT: Vietnamese Actor Upgrades Stealer

🛡️ Huntress researchers uncovered a multi-stage phishing operation that began with a Python-based infostealer and culminated in the deployment of PureRAT. The campaign used a ZIP lure containing a signed PDF reader and a malicious version.dll to achieve DLL sideloading, then progressed through ten staged loaders that shifted from obfuscated Python to compiled .NET binaries. Attackers used process hollowing against RegAsm.exe, patched Windows defenses (AMSI and ETW), and ultimately unpacked PureRAT, which communicates over encrypted C2 channels and can load additional modules. Metadata linking the activity to the handle @LoneNone and to the PXA Stealer family, plus a C2 server traced to Vietnam, supports attribution to Vietnamese threat actors.

PXA Stealer Upgrades to Multi-Layer Chain Deploying PureRAT

🔒 A Vietnamese threat group has evolved its custom PXA Stealer campaign into a multi-layered delivery chain that ultimately deploys PureRAT, a feature-rich remote access trojan. Huntress analysts describe a ten-stage sequence beginning with a phishing copyright lure and proceeding through obfuscated Python loaders, layered encoding (Base84, AES, RC4, XOR), and .NET reflective loading. The chain includes AMSI and ETW patching, TLS certificate pinning, registry persistence, and process hollowing techniques to evade detection. Huntress linked the activity to the Telegram handle @LoneNone and Vietnamese C2 infrastructure and remediated an intrusion before full module deployment.

Malicious Rust crates stole Solana and Ethereum keys

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

GitHub Pages SEO Poisoning Delivers Atomic Stealer

🚨 Attackers are creating convincing GitHub Pages that impersonate well-known brands to trick macOS users into installing the Atomic infostealer. Using SEO poisoning, malicious repositories are promoted in search results and funnel victims through multiple redirects to pages that instruct users to paste a Terminal curl command. That command decodes a base64 URL and executes a script that fetches and runs the Atomic payload. LastPass published IoCs and requested takedowns, but warns the campaign remains active.

QR Codes Used to Hide JavaScript Backdoor in npm Package

🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. The package was disguised as a benign JavaScript/TypeScript utility; importing it triggered retrieval and execution of code hidden inside a remote QR image, and the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.

NPM package uses QR code to fetch cookie-stealing malware

🔒 A malicious npm package named fezbox was recently discovered using a QR code embedded in an image to retrieve a second-stage, cookie-stealing payload from the attacker's server. The package's minified code (notably in dist/fezbox.cjs) delays execution, avoids development environments, then decodes a reversed URL to fetch a dense JPG QR image containing obfuscated JavaScript. When the payload finds credentials in document.cookie it extracts username and password and exfiltrates them via an HTTPS POST; the package accrued at least 327 downloads before registry removal.

ComicForm and SectorJ149 Deploy FormBook via Phishing

🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RAR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) infostealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.

Verified Steam Game Drains Streamer's Crypto Donations

🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.

DPRK Hackers Use ClickFix to Deliver BeaverTail Malware

🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.

LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute the Atomic infostealer to macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.

Malware Distributed Through Trusted Gaming Resources

🎮 Several incidents show attackers distributing malware via trusted gaming channels, including a compromised Endgame Gear OP1w utility, infected early-access Steam titles, and malicious skins on the official Minecraft site. The Endgame Gear installer likely contained the XRed backdoor, while Steam cases involved infostealers such as Trojan.Win32.Lazzzy.gen that harvested cookies and credentials. Users suffered account takeovers and data loss; recommended defenses include up-to-date antivirus, cautious vetting of downloads, and using gaming security modes that minimize disruption.

FileFix Campaign Uses Steganography and Multistage Payloads

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into the address bar of a file-upload dialog. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

New FileFix Variant Delivers StealC via Multilingual Phish

🔍 Acronis researchers warn of a campaign using a FileFix variant to deliver the StealC information stealer via a multilingual, heavily obfuscated phishing site. The lure mimics a Facebook security notice and hijacks the clipboard to implant a multi-stage PowerShell command that victims are tricked into executing through File Explorer. Attackers store encoded payload components as images on Bitbucket, decode them locally with a Go-based loader, and ultimately unpack shellcode that launches StealC. The infrastructure uses junk code, fragmentation and other anti-analysis techniques to evade detection and complicate forensic analysis.

FileFix Steganography Attack Drops StealC Infostealer

🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.

SEO Poisoning Targets Chinese Windows Users at Scale

🔍 Security researchers at FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search results to steer Chinese-speaking Microsoft Windows users to spoofed download sites. Attackers registered lookalike domains and used subtle character substitutions to present compromised installers that bundled legitimate apps with hidden malware such as Hiddengh0st and Winos. The operation used a redirection script known as nice.js, anti-analysis checks in components like EnumW.dll, and persistence mechanisms including registry changes and TypeLib hijacking. FortiGuard warns the final payloads supported monitoring, keystroke and clipboard capture, Telegram interception, and cryptocurrency wallet theft.

WhiteCobra Floods VSCode Market with Malicious Extensions

⚠️ A threat actor known as WhiteCobra has been publishing malicious VSIX extensions across VS Code Marketplace and OpenVSX, targeting users of VSCode, Cursor, and Windsurf with professionally crafted listings. The campaign comprises at least 24 identified extensions and remains active as the actor quickly re-uploads packages after takedown. Installed extensions execute a small loader that fetches platform-specific payloads; on Windows this chain leads to deployment of LummaStealer, while macOS builds execute a malicious Mach-O. Researchers warn that polished icons, forged descriptions, and inflated download counts were used to lend credibility and trick developers into installing the packages.

SEO Poisoning Targets Chinese Users via Fake Software

🛡️ In August 2025, FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search rankings to lure Chinese-speaking users to lookalike download sites mimicking legitimate software, notably a DeepL spoof. Victims downloaded a bundled MSI installer that combined genuine application installers with malicious components (EnumW.dll, fragmented ZIPs and a packed vstdlib.dll) and used anti-analysis, timing checks and parent-process validation to evade sandboxes. The in-memory payload implements Heartbeat, Monitor and C2 modules, exfiltrates system and user data, and supports plugins for screen capture, keylogging, Telegram proxy removal and crypto wallet targeting. Fortinet detections and network protections are updated; organizations are advised to apply patches, scan affected systems, and contact incident response if compromise is suspected.