< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 5 of 19

Formbook Campaigns Use DLL Sideloading and JS Obfuscation

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.
read more →

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.
read more →

108 Malicious Chrome Extensions Target Google, Telegram

🔒 Researchers at Socket uncovered 108 malicious Google Chrome extensions that collectively amassed about 20,000 installs and reported to a single command-and-control server. Published under five publisher identities, the add-ons posed as games, Telegram sidebars, and enhancement tools while exfiltrating Google account data, hijacking Telegram Web sessions, opening arbitrary URLs, and injecting ads and scripts. Some source files contained Russian-language comments; attribution remains unconfirmed. Users should remove any identified extensions and log out of Telegram Web sessions immediately.
read more →

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.
read more →

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.
read more →

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.
read more →

CPUID Site Briefly Served STX RAT via Trojanized Tools

🛡️Kaspersky and analysts observed unknown actors briefly compromise CPUID, swapping legitimate download links for trojanized installers of CPU‑Z and HWMonitor for under 24 hours. The malicious packages contained a signed executable alongside a malicious CRYPTBASE.dll that leveraged DLL side‑loading, performed anti‑sandbox checks and fetched additional payloads. The campaign deployed STX RAT, a feature‑rich RAT with HVNC and extensive infostealer and remote‑control capabilities, impacting individuals and organizations in multiple sectors.
read more →

GlassWorm Uses Zig Dropper to Infect Multiple IDEs

🐛 A new phase of the GlassWorm campaign uses a Zig-compiled native Node addon embedded in a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker, impersonating WakaTime, to gain OS-level access and stealthily install additional payloads. The addon (installed as win.node on Windows and mac.node on macOS) runs outside the JavaScript sandbox, locates IDEs that support VS Code extensions, downloads a malicious VSIX from an attacker-controlled GitHub account, and silently installs it across detected editors. The second-stage extension then reads commands from the Solana blockchain to obtain its C2, exfiltrates sensitive data, and deploys a RAT that ultimately installs an information-stealing Chrome extension; affected users should assume compromise and rotate secrets.
read more →

Chrome 146 Adds Hardware-Bound Protection for Cookies

🔐 Google has introduced Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows to block infostealer malware from harvesting session cookies. The feature cryptographically ties session cookies to hardware-backed keys stored in the Trusted Platform Module (TPM) on Windows, with macOS support planned for a future release. Because the per-session private keys are generated by a security chip and cannot be exported, exfiltrated cookies become useless without proof of key possession. The protocol is privacy-conscious, uses distinct keys per session to avoid cross-site correlation, and was developed with industry input including Microsoft.
read more →

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.
read more →

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.
read more →

Why Simple Breach Monitoring Is No Longer Enough in 2026

🔒 Organizations must move beyond checkbox breach monitoring to defend against fast-moving infostealers. Ran Geva (CEO, Webz.io & Lunar) warns that monthly scans and reliance on MFA, EDR, or zero-trust alone often miss stolen credentials, session cookies, and stealer logs. With 4.17 billion compromised credentials observed in 2025 and high breach costs, enterprises need continuous, forensic-grade monitoring, automated triage, and integrations that can reset credentials and invalidate sessions quickly.
read more →

LiteLLM Supply-Chain Turns Dev Machines into Vaults

🔒 TeamPCP's March 2026 compromise of LiteLLM packages on PyPI injected infostealer malware into versions 1.82.7 and 1.82.8 that ran during installs and updates. The malware harvested plaintext SSH keys, cloud credentials (AWS, Azure, GCP), Docker configs, IDE and agent memory files, and other local secrets, exploiting transitive dependencies. PyPI removed the packages within hours, but many downstream packages would have triggered execution. Use ggshield, pre-commit hooks, and filesystem scanning to detect and contain local secrets.
read more →

New SparkCat Malware Variant Targets iOS and Android

🛡️Security researchers have discovered an updated SparkCat trojan on both the Apple App Store and Google Play Store, hiding inside seemingly benign apps such as enterprise messengers and food delivery services. Kaspersky said it found two infected iOS apps and one Android app that primarily target cryptocurrency users in Asia. The iOS variant scans photo galleries for English wallet mnemonic phrases, while the Android version employs code virtualization, cross-platform languages and regional keyword scanning for Japanese, Korean and Chinese. Both samples use an OCR module to exfiltrate images containing recovery phrases to attacker-controlled servers, underscoring a rapidly evolving threat.
read more →

Claude Code leak used to push infostealer malware on GitHub

⚠️ Threat actors are exploiting the recent Claude Code source-code leak to distribute the Vidar infostealer via fake GitHub repositories. Anthropic accidentally exposed a 59.8 MB JavaScript source map on March 31 that revealed 513,000 lines of TypeScript across 1,906 files, and copies rapidly proliferated on GitHub. Zscaler found a malicious repo optimized for search that lures users to download a 7‑Zip archive containing a Rust dropper, ClaudeCode_x64.exe, which deploys Vidar and the GhostSocks proxy. The archive is updated frequently and may carry additional payloads.
read more →

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.
read more →

CrystalRAT malware adds RAT, stealer, and prankware features

🔒 A new malware-as-a-service called CrystalRAT (also marketed as CrystalX) has been active since January and is being promoted on Telegram and a dedicated YouTube channel, offering remote access, data theft, keylogging, clipboard hijacking and an extensive set of prankware functions. Kaspersky researchers found strong similarities to WebRAT (Salat Stealer), noting a Go-based codebase, matching panel design and a bot-driven sales system; the kit includes a builder, geoblocking, executable customization and anti-analysis protections. Payloads are zlib-compressed and ChaCha20-encrypted, connect to C2 over WebSocket, and the RAT supports CMD execution, VNC-backed remote control, audio/video capture, streaming keylogging and a clipboard clipper; the infostealer component targeting Chromium-based browsers and desktop apps is currently being upgraded. Users should avoid untrusted downloads and apply standard endpoint protections to reduce infection risk.
read more →

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.
read more →

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.
read more →

Alleged RedLine Malware Developer Extradited to U.S.

🚨 Hambardzum Minasyan has been extradited to the United States and charged over his alleged role as a principal developer of RedLine, a prolific infostealing malware. Prosecutors say he set up virtual servers, domains and a cryptocurrency account to distribute and monetize the malware and provided customer support to affiliates. The arrest follows the international Operation Magnus seizure of RedLine infrastructure, which yielded a database that aided investigators. Authorities urge organizations and individuals to strengthen cybersecurity and review the Operation Magnus resources to check for exposed credentials.
read more →