< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 18 of 19

ComicForm and SectorJ149 Deploy FormBook via Phishing

🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.
read more →

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.
read more →

Verified Steam Game Drains Streamer's Crypto Donations

🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.
read more →

DPRK Hackers Use ClickFix to Deliver BeaverTail Malware

🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.
read more →

LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.
read more →

Malware Distributed Through Trusted Gaming Resources

🎮 Several incidents show attackers distributing malware via trusted gaming channels, including a compromised Endgame Gear OP1w utility, infected early-access Steam titles, and malicious skins on the official Minecraft site. The Endgame Gear installer likely contained the XRed backdoor, while Steam cases involved infostealers such as Trojan.Win32.Lazzzy.gen that harvested cookies and credentials. Users suffered account takeovers and data loss; recommended defenses include up-to-date antivirus, cautious vetting of downloads, and using gaming security modes that minimize disruption.
read more →

FileFix Campaign Uses Steganography and Multistage Payloads

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into file upload address bars. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.
read more →

New FileFix Variant Delivers StealC via Multilingual Phish

🔍 Acronis researchers warn of a campaign using a FileFix variant to deliver the StealC information stealer via a multilingual, heavily obfuscated phishing site. The lure mimics a Facebook security notice and hijacks the clipboard to implant a multi-stage PowerShell command that victims are tricked into executing through File Explorer. Attackers store encoded payload components as images on Bitbucket, decode them locally with a Go-based loader, and ultimately unpack shellcode that launches StealC. The infrastructure uses junk code, fragmentation and other anti-analysis techniques to evade detection and complicate forensic analysis.
read more →

FileFix Steganography Attack Drops StealC Infostealer

🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.
read more →

SEO Poisoning Targets Chinese Windows Users at Scale

🔍 Security researchers at FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search results to steer Chinese-speaking Microsoft Windows users to spoofed download sites. Attackers registered lookalike domains and used subtle character substitutions to present compromised installers that bundled legitimate apps with hidden malware such as Hiddengh0st and Winos. The operation used a redirection script known as nice.js, anti-analysis checks in components like EnumW.dll, and persistence mechanisms including registry changes and TypeLib hijacking. FortiGuard warns the final payloads supported monitoring, keystroke and clipboard capture, Telegram interception, and cryptocurrency wallet theft.
read more →

WhiteCobra Floods VSCode Market with Malicious Extensions

⚠️ A threat actor known as WhiteCobra has been publishing malicious VSIX extensions across VS Code Marketplace and OpenVSX, targeting users of VSCode, Cursor, and Windsurf with professionally crafted listings. The campaign comprises at least 24 identified extensions and remains active as the actor quickly re-uploads packages after takedown. Installed extensions execute a small loader that fetches platform-specific payloads; on Windows this chain leads to deployment of LummaStealer, while macOS builds execute a malicious Mach-O. Researchers warn that polished icons, forged descriptions, and inflated download counts were used to lend credibility and trick developers into installing the packages.
read more →

SEO Poisoning Targets Chinese Users via Fake Software

🛡️ In August 2025, FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search rankings to lure Chinese-speaking users to lookalike download sites mimicking legitimate software, notably a DeepL spoof. Victims downloaded a bundled MSI installer that combined genuine application installers with malicious components (EnumW.dll, fragmented ZIPs and a packed vstdlib.dll) and used anti-analysis, timing checks and parent-process validation to evade sandboxes. The in-memory payload implements Heartbeat, Monitor and C2 modules, exfiltrates system and user data, and supports plugins for screen capture, keylogging, Telegram proxy removal and crypto wallet targeting. Fortinet detections and network protections are updated; organizations are advised to apply patches, scan affected systems, and contact incident response if compromise is suspected.
read more →

Largest npm Supply Chain Attack Injects Crypto Malware

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.
read more →

Massive NPM Supply-Chain Attack Yielded Little Profit

🚨 A phishing attack against maintainer Josh Junon (qix) led to a widespread compromise of highly popular npm packages, including chalk and debug-js, whose combined footprint exceeds billions of weekly downloads. The attacker pushed malicious updates that attempted to steal cryptocurrency by swapping wallet addresses, but the community discovered and removed the tainted releases within two hours. According to Wiz, the compromised modules reached roughly 10% of cloud environments in that short window, yet the actor ultimately profited only minimally as the injected payload targeted browser crypto-signing and yielded just a few hundred dollars at most.
read more →

AI-powered Nx malware exposes 2,180 GitHub accounts

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.
read more →

Malicious npm Packages Impersonate Flashbots, Steal Keys

🔑 Researchers found four malicious npm packages impersonating Flashbots and common cryptographic utilities to harvest Ethereum wallet credentials. Uploaded by user "flashbotts" between September 2023 and August 19, 2025, the libraries exfiltrate private keys and mnemonic seed phrases to a Telegram bot and transmit environment data via Mailtrap SMTP. One package also redirects unsigned transactions to an attacker-controlled wallet.
read more →

macOS AMOS Stealer Uses Cracked Apps to Bypass Gatekeeper

🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac, and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.
read more →

Malicious npm Package Mimics Nodemailer, Targets Wallets

🛡️ Researchers found a malicious npm package named nodejs-smtp that impersonated the nodemailer mailer to avoid detection and entice installs. On import the module uses Electron tooling to unpack an app.asar, replace a vendor bundle with a payload, repackage the application, and erase traces to inject a clipper into Windows desktop wallets. The backdoor redirects BTC, ETH, USDT, XRP and SOL transactions to attacker-controlled addresses while retaining legitimate mailer functionality as a cover.
read more →

Android droppers now pushing SMS stealers and spyware

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.
read more →

Brokewell Android Malware Spread via Fake TradingView Ads

⚠️Cybercriminals are abusing Meta advertising to distribute a malicious Android app impersonating TradingView Premium. Bitdefender says the campaign, active since at least July 22, redirects Android users to a counterfeit site that serves a trojanized tw-update.apk and requests accessibility rights while simulating an OS update to capture PINs. The installed Brokewell variant escalates privileges to exfiltrate credentials and 2FA codes, hijack SMS, record screens and audio, and accept remote commands for theft and device control.
read more →