< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 8 of 19

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.
read more →

PixRevolution Trojan Hijacks Brazil's PIX Transfers

🔒 PixRevolution is an Android banking trojan uncovered by Zimperium that silently monitors devices and redirects funds during Brazil's PIX instant payments. It abuses Android accessibility permissions to stream screens to an attacker-controlled server, detects payment activity, and replaces recipient keys while displaying a fake loading overlay. The campaign relies on an agent-in-the-loop model with human operators intervening in near real time and spreads via fraudulent download pages impersonating legitimate Brazilian apps.
read more →

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.
read more →

Six Android Malware Families Target Pix, Banking, Crypto

🛡️Researchers report six Android malware families targeting Pix payments, banking apps, and cryptocurrency wallets. The threats — including PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT — rely on fake Google Play Store pages, accessibility and MediaProjection abuse, screen overlays, and remote control to harvest credentials and hijack transfers. Campaigns use Firebase or custom TCP/9000 C2s, include miners or RAT payloads, and some samples experiment with large language model components to refine targeting.
read more →

WordPress sites abused to deliver ClickFix infostealers

🔒 Rapid7 has identified a widespread campaign that compromises legitimate WordPress websites to infect visitors with infostealer malware. Attackers display a convincing fake Cloudflare CAPTCHA and use the ClickFix social‑engineering trick to prompt victims to paste commands into Windows Run, initiating staged downloads. Observed payloads include Vidar, Impure, Vodka and Double Donut. Site administrators are urged to update components, enable MFA, use strong passwords and avoid executing untrusted code on credential-bearing devices.
read more →

Malicious npm Package Deploys RAT, Steals macOS Credentials

🚨 JFrog researchers found a malicious npm package, @openclaw-ai/openclawai, uploaded on March 3, 2026 and downloaded 178 times, that masquerades as an OpenClaw installer to deploy a remote access trojan and harvest sensitive macOS data. It uses a postinstall hook and a global reinstallation to expose a CLI entry point, and the staged GhostLoader payload is delivered encrypted from a C2 server and run as a detached background process. The installer displays a polished fake CLI and an iCloud Keychain prompt to capture system passwords and prompts users for Full Disk Access to unlock Apple Notes, iMessage, Safari history and Mail. Collected files — Keychain databases, browser cookies, crypto wallets, SSH and cloud credentials — are archived and exfiltrated via direct upload, the Telegram Bot API and GoFile.io, while the RAT maintains persistence, clipboard monitoring and browser session cloning.
read more →

Fake Claude Code install guides push InstallFix attacks

🛡️ Researchers at Push Security detail an InstallFix scheme that clones legitimate CLI install pages to trick users into running malicious 'curl-to-bash' and PowerShell commands. A mirrored Claude Code documentation page was found delivering encoded download commands that launch mshta.exe and related processes to retrieve a binary. The active payload is Amatera, an info-stealer sold as a MaaS, and the phony pages are being promoted through Google Ads and hosted on legitimate platforms, increasing their evasiveness.
read more →

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex‑encoded, XOR‑compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run‑dialog detection. The decoded chain downloads a ZIP and a renamed 7‑Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.
read more →

Bing AI Promoted Fake OpenClaw GitHub Installers and Malware

⚠️ Researchers at Huntress found that Microsoft Bing’s AI-enhanced search suggested malicious GitHub repositories posing as installers for OpenClaw, instructing users to run commands that deployed information-stealing and proxy malware. The fake repos were tied to newly created GitHub accounts and mimicked legitimate projects to appear trustworthy. Windows and macOS installers delivered Rust-based loaders, the Atomic Stealer family, Vidar, and a GhostSocks backconnect proxy. Huntress reported the repositories to GitHub and recommends using official project portals and bookmarked download sources rather than search results.
read more →

Spyware-grade Coruna iOS exploit kit used in crypto theft

🔒 Google researchers disclosed a previously undocumented iOS exploit kit named Coruna, comprising 23 exploits and five full exploit chains that target iOS 13.0 through 17.2.1. Observed by the Google Threat Intelligence Group in 2025, the framework fingerprints devices, avoids targets in Lockdown Mode or private browsing, and delivers a stager loader called PlasmaLoader that injects into the iOS root daemon. Post-exploitation modules specifically target cryptocurrency wallets to extract BIP39 recovery phrases and other sensitive text, encrypting stolen data and using a DGA seeded with "lazarus" for resilience.
read more →

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.
read more →

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info‑stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command‑and‑control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.
read more →

Malicious Go crypto module steals passwords, deploys Rekoobe

🔒 A malicious Go module, github.com/xinfeisoft/crypto, impersonating the legitimate golang.org/x/crypto mirror, was found to exfiltrate terminal-entered secrets and deliver a Linux backdoor. The injected backdoor hooks ssh/terminal/terminal.go so calls to ReadPassword() capture interactive passwords and send them to a remote endpoint, which responds with a shell script. That script appends an SSH key to /home/ubuntu/.ssh/authorized_keys, relaxes iptables defaults, and downloads two payloads—one that probes connectivity and contacts 154.84.63.184:443, and the other identified as the Rekoobe trojan. The Go security team has blocked the package, but researchers warn this low-effort impersonation pattern will likely be reused against other credential-edge libraries.
read more →

APT37 Ruby Jumper Campaign Expands Toolkit and USB Methods

🔎 APT37 has launched the 'Ruby Jumper' campaign using removable-media infection tools to compromise air‑gapped systems, researchers at Zscaler ThreatLabz found. The actor abused malicious .LNK shortcuts to run a PowerShell stager that extracts multiple embedded payloads and deploys a new implant, Restleaf, which uses Zoho WorkDrive for C2. Additional undocumented tools—SnakeDropper, ThumbSBD, VirusTask and FootWine—enable in‑memory execution, USB propagation and staged exfiltration.
read more →

Typosquatted NuGet Package Impersonates Stripe Library

⚠ A malicious NuGet package, StripeApi.Net, was uploaded on February 16, 2026 and impersonated Stripe.net by reusing the official icon, a near-identical README and inflated download counts across hundreds of versions. The package implemented legitimate payment functions but altered key methods to capture and exfiltrate Stripe API tokens while leaving payment processing appearing to work normally. ReversingLabs discovered and reported the package and it was removed from NuGet before wide impact.
read more →

Steaelite RAT Unifies Data Theft and Ransomware Tools

⚠️ Steaelite is a browser-based remote access trojan marketed on underground forums that consolidates remote access, credential harvesting, data exfiltration, and a planned ransomware module into a single management pane. Researchers at BlackFog say the toolkit includes live screen streaming, webcam and microphone access, password recovery, Defender-disable capabilities, and persistence options, and it’s been available since last November. The seller offers access as malware-as-a-service (about $200/month), and defenders are urged to prioritize stopping data exfiltration over relying solely on perimeter defenses.
read more →

Unmasking Agent Tesla: Multi-Stage Campaign Analysis

🔍 This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spearphishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.
read more →

Shai-Hulud–Style Worm Hits npm Packages and AI Tools

🔒 Socket's Threat Research Team discovered a supply chain worm, tracked as SANDWORM_MODE, spreading via typosquatted npm packages and compromised GitHub accounts while also manipulating local AI coding assistants. The malware harvested developer and CI credentials, injected rogue MCP servers into tools like Claude Desktop and VS Code Continue, and exfiltrated API keys for multiple large language model providers. Affected packages were removed and infrastructure disabled; developers should rotate credentials and audit CI workflows and local AI configurations.
read more →

Arkanix stealer uses dual Python and C++ variants targeting

🔍 Kaspersky researchers uncovered a new infostealer named Arkanix that blends rapid, probable LLM-assisted development with a dual-language architecture. The malware is offered as a MaaS, giving customers a control panel to configure Python or C++ payloads and retrieve statistics. The Python variant prioritizes broad, fast data harvesting while the native C++ build focuses on stealth, performance, and persistence. Observed deployment mechanisms include configurable loaders, C2 domains and even Discord-based tests.
read more →

Supply Chain Worm Uses Malicious npm Packages to Steal Keys

🔐 Socket warns of an active supply-chain worm, codenamed SANDWORM_MODE, that abused at least 19 malicious npm packages to harvest developer credentials and cryptocurrency keys. The packages — many typosquatting legitimate modules and published by aliases official334 and javaorg — contain code to steal tokens, environment secrets and LLM API keys. The campaign also includes a weaponized GitHub Action, an optional home-directory wiper, and an McpInject component that targets AI coding assistants. Users should remove affected packages, rotate tokens, and audit repositories and CI workflows.
read more →