CISO Brief

All news with #infostealer tag

337 articles · page 8 of 17

Google Groups Used to Deliver Lumma Stealer & Ninja Browser

🔒 CTM360 reports attackers are abusing Google Groups and Google-hosted redirectors to distribute credential-stealing malware, leveraging over 4,000 malicious groups and 3,500 hosted URLs to target organizations worldwide. The campaign uses industry-focused posts and shortened or Docs/Drive redirect links to lure victims and deliver OS-specific payloads. On Windows, victims receive a padded archive that reconstructs an AutoIt-based loader and a memory-resident Lumma infostealer; on Linux, users are served a trojanized Chromium-branded "Ninja Browser" with covert extensions and silent persistence. CTM360 advises inspecting redirect chains, blocking IoCs, auditing browser extensions, and monitoring scheduled tasks and endpoint activity.

Claude LLM artifacts abused to deliver Mac infostealers

⚠️ Threat actors are abusing public Claude artifacts and manipulated Google Search results to trick macOS users into running malicious Terminal commands. These commands download and execute a loader that installs the MacSync infostealer, which harvests keychain data, browser credentials, and crypto wallets, then exfiltrates the data to a hardcoded command-and-control server. Researchers warn users not to run unverified shell commands and to verify safety before executing them.

Malicious Chrome Extensions Exfiltrate Business Data

🔒 Researchers uncovered multiple malicious Chrome extensions that exfiltrate sensitive data from business and social media accounts, including a Meta-focused add-on named CL Suite that steals TOTP seeds, one-time codes and Business Manager exports. Other campaigns detailed include a large-scale VK Styles hijack of VKontakte accounts and the AiFrame cluster of AI-themed add-ons that siphon emails and page content. A Q Continuum study also found hundreds of extensions leaking browsing history to data brokers. Experts recommend strict extension controls, frequent audits, and allowlisting to reduce risk.

AMOS Infostealer Targets macOS via AI App Supply Chain

🔒 Flare and other researchers describe the AMOS macOS infostealer and its use of AI-focused distribution channels to harvest credentials and crypto data. Recent ClawHavoc activity shows attackers poisoning the popular OpenClaw skill marketplace to bundle AMOS into seemingly legitimate add-ons. Campaigns also abused search-engine SEO, fraudulent GitHub repositories, and one-line Terminal installers, enabling rapid credential and session theft at scale.

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social-engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script-based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.

Malicious 7-Zip Clone Distributes Installer with Proxyware

🔒 A fake 7-Zip website (7zip[.]com) distributes a trojanized installer that installs the legitimate archiver along with proxyware that enrolls infected hosts as residential proxy nodes. The installer drops Uphero.exe, hero.exe and hero.dll, creates a SYSTEM service and modifies firewall rules. Malwarebytes found C2 domains using Cloudflare, TLS and DoH, and recommends obtaining software from official sites instead of following links from videos or search ads.

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.

Nearly 400 Malicious OpenClaw Crypto Trading Skills

⚠️ Security researcher Paul McCarty (aka 6mile) has identified 386 malicious OpenClaw "skills" on the ClawHub repository that impersonate crypto trading tools. The add-ons use social engineering to trick users into executing commands that deploy infostealers on macOS and Windows, harvesting exchange API keys, wallet private keys, SSH credentials and browser passwords. The discovered skills share a common C2 IP (91.92.242.30) and many remain available, with the most active uploader accounting for nearly 7,000 downloads.

GlassWorm campaign targets macOS via OpenVSX extensions

🐛 A new GlassWorm campaign distributed through compromised OpenVSX extensions is targeting macOS systems to steal passwords, crypto-wallet data, and developer credentials and configurations. Malicious updates pushed from the hijacked oorzc account on January 30 trojanized four packages with roughly 22,000 cumulative downloads and established persistence via a LaunchAgent while excluding Russian-locale systems. Socket's analysis shows broad data collection across browsers, wallets, macOS Keychain, Apple Notes, developer secrets, and exfiltration to 45.32.150[.]251; affected releases were removed and tokens revoked, but users are advised to perform full system clean-up and rotate secrets.

Infostealers Expand to macOS, Python, and Platform Abuse

🛡️ Microsoft Defender Experts report a cross-platform surge in infostealers that now target macOS, leverage Python toolchains, and abuse trusted platforms and utilities to deliver credential-stealing malware at scale. Since late 2025, macOS campaigns such as DigitStealer, MacSync, and AMOS have used social engineering, malicious DMGs, AppleScript, and fileless execution to harvest browser credentials, keychain secrets, developer keys, and crypto wallets. Phishing campaigns have delivered Python-based stealers like PXA Stealer, while platform-abuse activity has weaponized WhatsApp and fake PDF installers to propagate Eternidade Stealer and malicious Crystal PDF installers. Microsoft outlines Defender XDR detections, hunting queries, and mitigations to help organizations detect, contain, and remediate these evolving threats.

Malicious OpenClaw skills used to deliver password stealers

🔒 OpenClaw (formerly Moltbot/ClawdBot) has had over 230 malicious skills published in less than a week, with many near-identical clones gaining thousands of downloads. The packages impersonate legitimate utilities but include a disguised AuthTool installer that delivers info-stealing malware, including a macOS variant of NovaStealer. Researchers found hundreds of exposed admin interfaces and numerous typosquat registries, and warn users to sandbox the assistant, restrict permissions, secure remote access, and thoroughly vet any third-party skills before installation.

341 Malicious ClawHub Skills Target OpenClaw Users

⚠️ A security audit by Koi Security found 341 malicious skills among 2,857 listings on the ClawHub marketplace, many deploying a macOS stealer tracked as Atomic Stealer in a campaign dubbed ClawHavoc. Attackers used fake prerequisites and social engineering to trick users into running installers or terminal scripts that fetch next-stage payloads from attacker-controlled infrastructure. The malicious skills include typosquats, crypto tools, YouTube utilities and backdoors that exfiltrate bot credentials and keys, exposing OpenClaw users to significant supply-chain risks.

AI Coding Assistants Secretly Exfiltrate Developers' Code

⚠️ A new report alleges two popular AI coding assistants, together used by roughly 1.5 million developers, are quietly copying everything they ingest to servers in China. Security researchers say the extensions capture editor content, code snippets, and related telemetry without clear user disclosure. The behavior appears systematic and persistent rather than incidental. Until vendors provide transparent remediation, developers and organizations should avoid unvetted extensions and perform immediate audits and containment.

Roblox Mod Downloads Becoming Major Infostealer Risk

🛡️ Infostealer-laden Roblox "mods" and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise, not software exploits, is the primary enterprise threat.

Massive Data Leak Exposes 149M Login Credentials Worldwide

🔒 Cybersecurity researcher Jeremiah Fowler uncovered a publicly accessible database containing 149 million login credentials, including usernames, plaintext passwords and direct login URLs. Affected accounts span major tech and streaming providers, with about 48 million Gmail entries, 17 million Facebook and 6.5 million Instagram records. Fowler attributes the collection to keyloggers and infostealer malware and warns the dataset enables automated credential-stuffing, targeted fraud and convincing phishing campaigns.

AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.

GhostChat romance-scam: targeted Android spyware in Pakistan

🔍 ESET researchers disclosed a targeted Android espionage campaign (published 28 Jan 2026) that used a fake dating app called GhostChat (detected as Android/Spy.GhostChat.A) to lure victims in Pakistan. The app, never on Google Play and requiring manual install from unknown sources, presents locked female profiles with hardcoded access codes and embedded WhatsApp numbers to drive victims into operator-controlled chats. Once executed it requests broad permissions, immediately exfiltrates device identifiers, contacts and a wide range of files, and continues to upload newly created images and documents on a scheduled basis. ESET linked related Windows activity using the same C2 infrastructure, published IoCs and sample hashes (for example SHA-1 B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A), and shared findings with Google; known variants are blocked by Play Protect on devices with Google Play Services.