< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 2 of 19

Rokarolla Android trojan isolates victims from banks

🔒 Researchers have detailed Rokarolla, an Android banking trojan that not only steals credentials but effectively seizes control of phones to isolate victims from banks. The malware spreads via fake sites posing as TikTok or Chrome and uses a dropper impersonating Google Play Protect to install a second-stage payload. Rokarolla abuses Android Accessibility Services, makes itself the default call and SMS handler, hides its icon, mutes alerts and captures screenshots and overlays fake login screens to harvest bank and crypto credentials.
read more →

Miasma worm source code briefly leaked on GitHub

🛡️ The Miasma credential-stealing worm, an evolution of the Shai-Hulud toolkit, was briefly published on GitHub after threat actors uploaded it to multiple compromised accounts. The framework steals developer build and cloud credentials, compromises package registries and repositories, and propagates autonomously without C2 by abusing GitHub. Researchers note destructive 'dead-man switch' behavior and a build pipeline that randomizes payloads to evade detection, increasing supply-chain risk.
read more →

Attackers Use Short-Form Videos to Spread Vidar Stealer

🎯 New research from ReversingLabs reveals threat actors are using TikTok and Instagram Reels to distribute the Vidar infostealer by posing as tutorials for unlocking premium software. Campaigns manipulate platform algorithms to boost saves and shares, driving viewers to lookalike domains that deliver Vidar via PowerShell or gateware-filled download sites. ReversingLabs recommends auditing install privileges and expanding phishing training to include social feeds.
read more →

NFCShare Android malware spreads via fake app updates

🛡️ New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub, targeting customers across Europe. The campaign tricks victims into performing an NFC ‘verification’ that captures card data and a 4-digit PIN via Android’s IsoDep interface, then exfiltrates it to a C2 server over WebSocket. D3Lab, which first documented NFCShare in January 2026, notes the malware uses malformed APK packaging to hinder automated analysis and that repositories have hosted dozens of spoofed banking APKs for Italian and Spanish banks.
read more →

Fake Sites Impersonate Open‑Source Tools to Deliver Malware

🛡️ Check Point researchers uncovered an operation that clones open-source and freeware project pages to funnel users through a Traffic Distribution System (TDS) that can deliver malware like Remus Stealer, AnimateClipper, and the SessionGate framework. The deceptive sites preserve real links and use CloudFront-hosted JavaScript to convert clicks into a gated redirection chain enforcing anti-bot and VPN checks. The campaign has been active since late 2025 and escalated to malware distribution in January 2026.
read more →

Chinese hackers deploy new Atlas RAT across Europe

🔍 Proofpoint attributes a surge of financially motivated campaigns to TA4922, a Chinese-speaking cybercrime group now targeting organizations in Germany, Italy, the UK, and South Africa. The actor uses localized phishing lures and messaging apps to deliver a growing arsenal that includes the newly observed Atlas RAT, multiple custom loaders such as RomulusLoader and SilentRunLoader, and the ValleyRAT family. Researchers warn the toolset supports reconnaissance, credential theft, keylogging, audio/video capture, and plugin payloads, and note operational expansion and possible use of LLMs in development.
read more →

Weedhack campaign targets Minecraft players via YouTube

🛡️ McAfee Labs reports a MaaS campaign called Weedhack that has been active since January 2026, using SEO poisoning and YouTube videos to trick Minecraft users into downloading malicious JAR files. The malware chain begins with a trojanized client and leverages the Ethereum blockchain for C2 resolution, ultimately delivering remote access and information-stealing payloads. The service is offered free and as a paid tier, enabling widespread abuse, account theft, and cyberbullying against younger victims.
read more →

WeedHack campaign infects over 116,000 Minecraft systems

🛡️ McAfee researchers report that a large-scale malware campaign named WeedHack has infected more than 116,000 systems by distributing malicious Minecraft mods, clients, cheats, and utilities via YouTube links and SEO poisoning. The operation provides a free, clear-net MaaS dashboard and a paid premium tier that adds remote control, keylogging, and webcam access, targeting session IDs, browsers, wallets, and gaming credentials. Victims are concentrated in the US, Germany, India, and the UK, and the campaign uses hundreds of distribution URLs and thousands of malicious JARs. Players are urged to only download from official sources and use the in-game Marketplace for safety.
read more →

Malicious npm Package Targets OpenAI Codex Users

🛡️ Researchers discovered a malicious npm package named codexui-android that impersonated an OpenAI Codex UI and exfiltrated developer authentication tokens. The package was published to npm with malicious code absent from the project's public GitHub repository, highlighting risks in artifact distribution. Security experts warn this pattern exploits trust in legitimate-looking developer tooling and reveals blind spots in software supply chain controls.
read more →

Fake IPTV Android apps used to deliver malware

🛡️ Cybercriminals are exploiting demand for live sports streaming by distributing fake Android IPTV apps that hide malware. These malicious APKs often mimic legitimate services and load real sites in a built-in browser to avoid suspicion while performing background theft. Researchers observed strains like Massiv and the more advanced Perseus, which abuse Android Accessibility Services to steal banking and crypto credentials. Users in Portugal, Spain, France and Türkiye have been targeted; avoid third-party APKs and keep devices updated.
read more →

Phishing Delivers JavaScript-Driven PureLogs Variant

🛡️ FortiGuard Labs uncovered a phishing campaign using purchase-order-themed emails to deliver a RAR attachment containing an obfuscated JavaScript file that drops and executes a PowerShell script. The PowerShell payload employs fileless techniques and process hollowing to load .NET modules into a suspended MsBuild.exe process, which then extracts and runs a downloader module. The downloader retrieves a fileless PureLogs plugin from a C2 server to harvest credentials, browser data, Discord tokens, and cryptocurrency wallet information before encrypting and exfiltrating it.
read more →

Fraud Schemes Target Formula 1 Fans Worldwide

🚨 A Bitdefender report warns that cybercriminals have built extensive ecosystems to scam Formula 1 fans, exploiting the sport’s fast-moving digital culture. Scams include counterfeit merchandise, fake grand prix tickets, illegal streaming apps and boxes, social media fraud and distribution of infostealer malware. Fans may also be coerced into botnets for DDoS attacks. Bitdefender urges vigilance and recommends anti-phishing and antivirus tools to reduce risk.
read more →

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.
read more →

Ukrainian Police ID Infostealer Operator Behind Massive Theft

🔍 Ukrainian cyberpolice, working with U.S. law enforcement, say they identified an 18-year-old from Odesa suspected of running an infostealer operation that infected customers of a California online store between 2024 and 2025. The malware harvested browser sessions, credentials, and payment information, compromising 28,000 accounts. Attackers used 5,800 accounts to make unauthorized purchases totaling about $721,000, and authorities executed searches seizing phones, computers, storage media, bank cards, and cryptocurrency-related evidence while the investigation continues.
read more →

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.
read more →

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.
read more →

Why Security Fixes Often Miss Vulnerability Dashboards

🔍 On April 22 a trojanized Bitwarden CLI briefly appeared on npm, harvesting developer tokens via a compromised GitHub Action tied to the Checkmarx supply‑chain incident. Bitwarden later issued CVE‑2026‑42994, but the author notes the CVE was retroactive and did not imply a patchable defect. The piece argues CVE’s artifact‑centric model struggles with agentic and model‑mediated threats that mutate behaviorally and often evade dashboards.
read more →

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.
read more →

Compromised Nx Console Extension Delivers Credential Stealer

🛡️ A compromised version of the Nx Console extension (rwl.angular-console v18.95.0) published to the Microsoft VS Code Marketplace delivered a multi-stage credential stealer and supply-chain poisoning payload to developers' machines. The obfuscated 498 KB payload, pulled from an orphaned commit in the official nrwl/nx GitHub repo, installs the Bun runtime and a Python backdoor on macOS while exfiltrating secrets via HTTPS, GitHub API and DNS tunneling. The maintainers traced the incident to a developer whose GitHub credentials were exposed, revoked access, and advised users to update to v18.100.0 or later and rotate exposed tokens and keys.
read more →

Mini Shai-Hulud Infects @antv npm Ecosystem at Scale

🐛 Researchers have uncovered a software supply chain campaign—part of the Mini Shai-Hulud wave—that pushed trojanized updates across the @antv npm ecosystem. The compromise traces to the maintainer account "atool" and affected popular modules including echarts-for-react and many @antv packages. The stealer harvests a wide range of cloud, developer and payment credentials and abuses stolen tokens to republish malicious versions, creating broad downstream exposure for organizations that automatically update dependencies.
read more →