< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 17 of 19

BatShadow Deploys Go-Based Vampire Bot Against Job Seekers

🔎 A Vietnam-linked group tracked as BatShadow is running a social-engineering campaign that lures job seekers and digital marketing professionals with faux job descriptions to deliver a previously undocumented Go-based malware, Vampire Bot. Attackers distribute ZIP archives containing decoy PDFs alongside malicious LNK or executable files that launch an embedded PowerShell script to fetch lure documents and remote-access tooling such as XtraViewer. The lure coerces victims into opening links in Microsoft Edge, triggering an automatic ZIP download that contains a deceptive executable padded to appear as a PDF; once executed, the Go binary profiles the host, exfiltrates data, captures screenshots, and maintains contact with a command-and-control server.
read more →

Detour Dog Using DNS to Distribute Strela Stealer Campaigns

🛡️ Infoblox links a threat actor dubbed Detour Dog to campaigns distributing the Strela Stealer, using compromised WordPress sites to host first-stage backdoors such as StarFish. The actor leverages DNS TXT records and modified name servers to deliver Base64-encoded commands and delivery URLs, selectively triggering redirects or remote execution to minimize detection. Infoblox and Shadowserver sinkholed multiple C2 domains in July–August 2025.
read more →

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.
read more →

Rhadamanthys 0.9.2 Stealer Introduces New Evasion Techniques

🔒 Check Point Research details the release of Rhadamanthys 0.9.2, a new build of a widely used information stealer that introduces multiple evasion and delivery changes. The update replaces previous loaders with a PNG-based payload delivery, updates encryption, refines sandbox checks, adds configurable process injection, and expands targeting to include Ledger Live crypto wallets. Operators have rebranded as RHAD Security / Mythical Origin Labs and launched a professional site, while CPR supplies updated signatures and tools to help defenders adapt.
read more →

Confucius Targets Pakistan with WooperStealer and Anondoor

🔒 Fortinet researchers attribute a renewed phishing campaign to Confucius, which has repeatedly targeted Pakistani government, military, and defense industry recipients using spear‑phishing and malicious documents. Attack chains observed from December 2024 through August 2025 delivered WooperStealer via DLL side‑loading using .PPSX and .LNK lures, and later introduced a Python implant, Anondoor. The group layered obfuscation and swapped tools and infrastructure to sustain credential theft, screenshot capture, file enumeration, and persistent exfiltration while evading detection.
read more →

Klopatra Android Banking Trojan Hits 3,000+ Devices

🔒 Cleafy has uncovered Klopatra, a previously undocumented Android banking trojan that has infected over 3,000 devices—predominantly in Spain and Italy. The malware leverages Hidden VNC for remote device control and dynamic overlays to harvest credentials, while integrating the commercial Virbox protection suite and native libraries to evade detection and analysis. Operators distribute Klopatra via social-engineered IPTV droppers, abuse Android accessibility permissions to persist and perform actions, and use a black-screen VNC mode and stolen PINs or patterns to unlock devices and execute rapid fraudulent transfers.
read more →

Datzbro Android Trojan Targets Seniors for DTO Fraud

🛡️ThreatFabric disclosed a newly observed Android banking trojan named Datzbro that targets elderly users via Facebook groups promoting senior activities. Attackers lure victims to install purported community apps (Android APKs and placeholder iOS TestFlight links) via Messenger or WhatsApp; payloads either install Datzbro directly or use a Zombinder dropper to bypass Android 13+ protections. Datzbro abuses Android Accessibility services to perform device takeover, overlay attacks, keylogging and remote control, enabling credential theft and fraudulent transactions. The malware is tied to a Chinese-language desktop C2 and contains Chinese debug strings, suggesting origin and potential wider distribution.
read more →

Fake Microsoft Teams Installer Delivers Oyster Backdoor

⚠️ Blackpoint SOC observed a malvertising and SEO-poisoning campaign that directs searches for Teams downloads to a fake site at teams-install[.]top offering a malicious MSTeamsSetup.exe. The signed installer uses certificates from "4th State Oy" and "NRM NETWORK RISK MANAGEMENT INC" to appear legitimate, then drops CaptureService.dll into %APPDATA%\Roaming and creates a scheduled task CaptureService to run every 11 minutes. The payload installs the Oyster backdoor. Administrators should download software only from verified vendor domains and avoid clicking search ads.
read more →

Researchers Expose SVG and PureRAT Phishing Threats

📧 Fortinet FortiGuard Labs and other researchers detailed phishing campaigns that weaponize malicious SVG attachments to initiate downloads of password-protected ZIP archives and Compiled HTML Help (CHM) files. Those CHM files activate loader chains that deliver CountLoader as a distribution stage for Amatera Stealer and the stealthy .NET miner PureMiner, both run filelessly via .NET AOT and memory-loading techniques. Separately, Huntress attributes a Vietnamese-speaking operator using copyright-themed lures that escalate from PXA Stealer to the modular backdoor PureRAT.
read more →

SVG Phishing Targets Ukraine with Amatera Stealer, PureMiner

⚠️ FortiGuard Labs observed a targeted phishing campaign impersonating Ukrainian authorities that used malicious SVG attachments to initiate a fileless infection chain. The SVG redirected victims to a password-protected archive containing a CHM that executed a hidden HTA loader (CountLoader). The loader retrieved and ran in-memory payloads, deploying Amatera Stealer for data theft and PureMiner for cryptomining.
read more →

New macOS XCSSET Variant Targets Browsers and Clipboard

🛡️ Microsoft Threat Intelligence reported a new macOS malware variant of XCSSET that introduces browser-targeting changes, clipboard hijacking, and additional persistence mechanisms. The update uses run-only compiled AppleScripts, enhanced obfuscation and encryption, and expands data theft to include Firefox. New modules implement clipper behavior and LaunchDaemon- and Git-based persistence. Users should inspect Xcode projects and avoid pasting sensitive clipboard content.
read more →

Microsoft: New XCSSET macOS Variant Targets Xcode Developers

🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.
read more →

Malicious Rust crates on Crates.io exfiltrate crypto keys

🔒Two malicious Rust crates published to Crates.io scanned developer systems at runtime to harvest cryptocurrency private keys and other secrets. The packages, faster_log and async_println, mimicked a legitimate logging crate to avoid detection and contained a hidden payload that searched files and environment variables for Ethereum-style hex keys, Solana-style Base58 strings, and bracketed byte arrays. Discovered by Socket, both crates were removed and the publisher accounts suspended; affected developers are advised to clean systems and move assets to new wallets.
read more →

Phishing-to-PureRAT: Vietnamese Actor Upgrades Stealer

🛡️ Huntress researchers uncovered a multi-stage phishing operation that began with a Python-based infostealer and culminated in the deployment of PureRAT. The campaign used a ZIP lure containing a signed PDF reader and a malicious version.dll to achieve DLL sideloading, then progressed through ten staged loaders that shifted from obfuscated Python to compiled .NET binaries. Attackers used process hollowing against RegAsm.exe, patched Windows defenses (AMSI and ETW), and ultimately unpacked PureRAT, which communicates over encrypted C2 channels and can load additional modules. Metadata linking the activity to the handle @LoneNone and to the PXA Stealer family, plus a C2 server traced to Vietnam, supports attribution to Vietnamese threat actors.
read more →

PXA Stealer Upgrades to Multi-Layer Chain Deploying PureRAT

🔒 A Vietnamese threat group has evolved its custom PXA Stealer campaign into a multi-layered delivery chain that ultimately deploys PureRAT, a feature-rich remote access trojan. Huntress analysts describe a ten-stage sequence beginning with a phishing copyright lure and proceeding through obfuscated Python loaders, layered encoding (Base84, AES, RC4, XOR), and .NET reflective loading. The chain includes AMSI and ETW patching, TLS certificate pinning, registry persistence, and hallowing techniques to evade detection. Huntress linked the activity to the Telegram handle @LoneNone and Vietnamese C2 infrastructure and remediated an intrusion before full module deployment.
read more →

Malicious Rust crates stole Solana and Ethereum keys

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.
read more →

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.
read more →

GitHub Pages SEO Poisoning Delivers Atomic Stealer

🚨 Attackers are creating convincing GitHub Pages that impersonate well-known brands to trick macOS users into installing the Atomic infostealer. Using SEO poisoning, malicious repositories are promoted in search results and funnel victims through multiple redirects to pages that instruct users to paste a Terminal curl command. That command decodes a base64 URL and executes a script that fetches and runs the Atomic payload. LastPass published IoCs and requested takedowns, but warns the campaign remains active.
read more →

QR Codes Used to Hide JavaScript Backdoor in npm Package

🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. Disguised as a benign JavaScript/TypeScript utility, importing the library triggered retrieval and execution of code hidden inside a remote QR image; the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.
read more →

NPM package uses QR code to fetch cookie-stealing malware

🔒 A malicious npm package named fezbox was recently discovered using a QR code embedded in an image to retrieve a second-stage, cookie-stealing payload from the attacker's server. The package's minified code (notably in dist/fezbox.cjs) delays execution, avoids development environments, then decodes a reversed URL to fetch a dense JPG QR image containing obfuscated JavaScript. When the payload finds credentials in document.cookie it extracts username and password and exfiltrates them via an HTTPS POST; the package accrued at least 327 downloads before registry removal.
read more →