< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 19 of 19

TamperedChef infostealer spread via fake PDF Editor ads

🔍 Threat actors used Google ads to promote a fraudulent AppSuite PDF Editor that silently delivered the TamperedChef infostealer. Multiple domains hosted signed installers with revoked certificates; the malicious payload was activated after a delay and is launched with the "-fullupdate" argument, checking for security agents and extracting browser secrets via DPAPI. Operators also pushed related apps such as OneStart, ManualFinder and Epibrowser, and in some cases converted hosts into residential proxies; Truesec and Expel published IoCs for detection.
read more →

TamperedChef Malware Hidden in Fake PDF Editor Installers

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.
read more →

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.
read more →

ShadowCaptcha Exploits WordPress Sites to Spread Malware

🔒 ShadowCaptcha is a large-scale campaign abusing over 100 compromised WordPress sites to push visitors to fake Cloudflare or Google CAPTCHA pages using the ClickFix social‑engineering lure. Injected JavaScript initiates redirection chains, employs anti‑debug techniques, and silently copies commands to the clipboard to coerce users into running built‑in Windows tools or saving and executing HTA files. Attackers weaponize LOLBins and DLL side‑loading to deliver installers and payloads — observed outcomes include credential stealers (Lumma, Rhadamanthys), Epsilon Red ransomware, and XMRig cryptocurrency miners — with some miner variants fetching configs from Pastebin and dropping a vulnerable driver (WinRing0x64.sys) to seek kernel access. Affected sites span multiple countries and sectors, underscoring the importance of timely WordPress hardening, network segmentation, user training, and MFA.
read more →

Fake macOS Help Sites Spread SHAMOS Infostealer via Ads

🔒 CrowdStrike disrupted a malvertising campaign that redirected users to counterfeit macOS help pages and urged them to run a malicious one-line installation command. Observed between June and August 2025, the operation sought to deliver the SHAMOS variant of the Atomic macOS Stealer (AMOS), a Mach-O binary distributed by MaaS operator Cookie Spider. The installer decoded a Base64 string, executed a Bash script that captured credentials and fetched the payload from icloudservers[.]com.
read more →

Malicious Go Module Poses as SSH Brute-Force Tool, Steals

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.
read more →

QuirkyLoader Deploys Agent Tesla, AsyncRAT and Keyloggers

🛡️ Researchers disclosed a new .NET-based DLL loader named QuirkyLoader that's been used since November 2024 to deliver information stealers, keyloggers and RATs via email spam. IBM X-Force says attackers send malicious archives from both legitimate providers and self-hosted servers; each archive contains a DLL, an encrypted payload and a real executable used for DLL side-loading. The loader uses process hollowing to inject decrypted payloads into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. Operators compile the .NET DLL with ahead-of-time (AOT) compilation so the resulting binary resembles native C/C++ code and is harder to attribute.
read more →

Malvertising Campaign Delivers PS1Bot Multi-Stage Malware

🔍 Cisco Talos reports an active malvertising campaign delivering a multi-stage PowerShell/C# malware framework dubbed PS1Bot. The modular framework executes modules in-memory to minimize artifacts and supports information theft, keylogging, screenshot capture and cryptocurrency wallet exfiltration. Delivery begins with SEO-poisoning archives containing a downloader that writes a polling PowerShell script to C:\ProgramData and executes received code with Invoke-Expression.
read more →

Is Your Phone Spying on You? Inside Modern Spyware

🔍 In this Unlocked 403 episode host Becks speaks with ESET malware researcher Lukas Stefanko to explain how modern spyware operates and why commonplace apps can become surveillance tools. They examine ESET’s discovery of BadBazaar, describe common infection vectors, persistence techniques and permissions abuse, and note that some tools can compromise devices without any user interaction. Lukas outlines practical detection signals and step‑by‑step removal advice. The conversation also points listeners to a prior episode for deeper Android threat analysis.
read more →