< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 16 of 19

Google Ads Promote Fake Homebrew, LogMeIn, TradingView Sites

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites targeting macOS developers. The pages prompt victims to copy a curl command into Terminal, but the clipboard often contains a base64-encoded installer that decodes and runs an install.sh payload. That script removes quarantine flags, bypasses Gatekeeper, and delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browsers, wallets, and credentials; users are urged not to paste unknown commands into Terminal.
read more →

Security Teams Must Deploy Anti-Infostealer Defenses Now

🔒 Infostealers are fuelling today’s ransomware wave and the resulting stealer logs are widely available on the dark web, sometimes for as little as $10. At ISACA Europe 2025, Tony Gee of 3B Data Security urged security teams to adopt targeted technical controls in addition to baseline measures like zero trust and network segmentation. He recommended six practical defenses — including regular password rotation, FIDO2-enabled MFA, forced authentication, shorter session tokens, cookie replay detection and impossible-travel monitoring — to reduce the usefulness of stolen credentials and session data.
read more →

North Korean Group Adopts EtherHiding for Malware Campaign

🔐 Google Threat Intelligence has linked a campaign to UNC5342, a cluster tied to North Korea, that now uses EtherHiding to distribute malware via smart contracts on public blockchains such as BNB Smart Chain and Ethereum. The attackers lure developers through LinkedIn recruitment ruses, move conversations to Telegram or Discord, and deliver npm-package downloaders that chain into BeaverTail, JADESNOW, and the Python backdoor InvisibleFerret. By embedding payloads in on-chain contracts, the group turns blockchains into tamper-resistant dead-drops that are hard to takedown and easy to update, enabling sustained cryptocurrency theft and long-term espionage.
read more →

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.
read more →

DPRK Hackers Adopt EtherHiding to Conceal Malware Campaigns

🔒 Google Threat Intelligence Group (GTIG) reports that a DPRK-aligned threat actor tracked as UNC5342 has employed EtherHiding since February to host and deliver malware via smart contracts on Ethereum and the BNB Smart Chain. Campaigns begin with fake technical interviews that trick developers into running a JavaScript downloader named JADESNOW, which fetches a JavaScript build of InvisibleFerret for in-memory espionage and credential theft. The method offers anonymity, takedown resistance, and low-cost, stealthy payload updates.
read more →

DPRK Actor UNC5342 Employs EtherHiding for Crypto Theft

🧩 GTIG reports that DPRK-linked UNC5342 has adopted EtherHiding, using smart contracts on public blockchains to store and deliver malicious JavaScript payloads. The actor leverages social engineering—fake recruiter lures and technical interviews—to deploy the JADESNOW downloader, which fetches and decrypts on-chain payloads and stages the Python backdoor INVISIBLEFERRET. Google recommends enterprise controls and Chrome management policies to disrupt this resilient, decentralized C2 method.
read more →

UNC5142 EtherHiding: Smart-Contract Malware Distribution

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.
read more →

Merged BeaverTail and OtterCookie Tooling Observed in Attacks

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.
read more →

Minecraft mods — how malicious mods put players at risk

🛡️ Minecraft mods can enhance gameplay but also serve as vectors for malware. This article explains how threat actors disguise Trojans, infostealers, ransomware and cryptominers as mods or cheat tools and distribute them via GitHub, mod repositories and forums. It outlines practical precautions — sourcing mods from trusted repositories, checking developer reputation and file types, using non-admin accounts, backups and security software — and steps to take if a mod is suspected malicious.
read more →

PhantomVAI Loader Delivers Multiple Infostealers Worldwide

🛡️The Unit 42 report details a multi-stage phishing campaign that leverages heavily obfuscated JavaScript/VBS and PowerShell to load a C# .NET loader named PhantomVAI, which hides DLL payloads inside image files via steganography. The loader's VAI routine performs virtual-machine detection, establishes persistence (scheduled tasks, wscript, Run keys) and retrieves payloads by process hollowing into legitimate host processes. Observed final payloads include Katz Stealer, AsyncRAT and FormBook. Palo Alto Networks' Advanced WildFire, Cortex XDR and XSIAM have updated protections and indicators of compromise.
read more →

Keyloggers: Keyboard Monitoring Tools, Uses and Risks

🔑 Keyloggers are monitoring tools that record keyboard input and exfiltrate captured data to third parties. They appear as hardware devices between a keyboard and host or as software installed legitimately or via malware; advanced variants also capture screenshots, clipboard contents and mobile data such as GPS or audio. While criminals deploy keyloggers to steal credentials and financial information, enterprises and law enforcement sometimes use them for troubleshooting, compliance and surveillance. Mitigation requires layered defenses: updated AV/anti-rootkit tools, behavioral monitoring, restricted privileges, virtual keyboards where appropriate and strong authentication.
read more →

Stealit Infostealer Campaign Deploys via Fake VPN Apps

🛡️ FortiGuard Labs has identified a campaign distributing the Stealit infostealer via disguised game and VPN installers shared on file‑hosting sites and platforms like Discord. Attackers use Node.js Single Executable Apps (SEA) and PyInstaller bundles, heavy obfuscation and multiple anti‑analysis techniques to avoid detection. Once executed, Stealit harvests data from browsers, game clients, messaging apps and cryptocurrency wallets, and its operators rotate C2 domains while marketing the toolkit commercially.
read more →

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.
read more →

Stealit Malware Uses Node.js SEA, Electron for Delivery

⚠️ Fortinet FortiGuard Labs has detailed an active campaign dubbed Stealit that uses Node.js Single Executable Application (SEA) packaging—and in some builds, the Electron framework—to deliver credential-stealing and remote-access payloads. Operators distribute counterfeit game and VPN installers via file-hosting sites and messaging platforms, which drop three primary executables that perform browser and messenger data theft, wallet extraction, and persistence with live screen streaming. Installers run anti-analysis checks, write a Base64 authentication key to %temp%\cache.json for C2 authentication, and configure Microsoft Defender exclusions to conceal downloaded components.
read more →

ClayRat Android spyware mimics popular apps to spread

📱 A new Android spyware campaign called ClayRat is tricking users by posing as well-known apps and services such as WhatsApp, Google Photos, TikTok, and YouTube and distributing APKs via Telegram channels and fraudulent websites. Researchers at Zimperium say they documented over 600 samples and 50 distinct droppers in three months, noting that some use a session-based installation and encrypted payloads to bypass Android defenses. Once installed, ClayRat can assume the default SMS handler, exfiltrate SMS and call logs, capture notifications and front-camera photos, make calls, send mass SMS for propagation, and communicate with C2 servers (recent versions use AES-GCM); Play Protect now blocks known variants.
read more →

ClayRat Android Spyware Uses Fake Apps to Spread in Russia

📱 A new Android spyware campaign known as ClayRat has been observed targeting users in Russia through fake app installers and Telegram channels. Operators impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into sideloading APKs or running lightweight droppers that reveal hidden encrypted payloads. Once active, the malware requests default SMS status and can exfiltrate SMS, call logs, notifications, device details, take photos, and even send messages or place calls while automatically propagating to contacts. Zimperium reports roughly 600 samples and 50 droppers detected in the last 90 days, with continuous obfuscation to evade defenses.
read more →

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.
read more →

ClayRat Android Spyware Turns Phones Into SMS Hubs

🔔 A fast-evolving Android spyware campaign dubbed ClayRat has produced over 600 samples and 50 droppers in three months, researchers say. The malware is distributed via phishing sites and Telegram channels that impersonate popular apps like TikTok, YouTube and Google Photos to trick users into sideloading infected APKs. Once granted SMS privileges, ClayRat can read and send messages, harvest contacts and call logs, take front-camera photos, exfiltrate data to C2 servers, and automatically text malicious links to all contacts, turning each compromised device into a propagation hub.
read more →

ClayRat Android Spyware Campaign Targets Russian Users

🛡️Researchers at Zimperium zLabs have identified a rapidly evolving Android spyware campaign, dubbed ClayRat, targeting users in Russia via Telegram channels and phishing sites. The malware is distributed inside fake apps impersonating services such as WhatsApp, TikTok, Google Photos and YouTube, and operators are using fake reviews, download counts and step-by-step guides to trick victims. Once granted privileges, ClayRat can exfiltrate SMS, call logs and notifications, take front-camera photos, and even send messages or place calls while abusing Android's SMS handler role. Security firms report over 600 samples and coordinated disclosure to Google resulted in Play Protect protections.
read more →

IUAM ClickFix Generator: Commoditizing Click-to-Run Phishing

🛡️ Unit 42 describes the IUAM ClickFix Generator, a phishing kit that automates creation of ClickFix-style pages which coerce victims into pasting and executing attacker-supplied commands. The kit creates OS-aware, highly customizable pages with clipboard injection, obfuscation, and mobile blocking to deliver infostealers and RATs such as DeerStealer and Odyssey. Unit 42 observed real campaigns, shared developer artifacts, and recommends user education and technical controls to block domains, IPs, and malware indicators.
read more →