All news with #infostealer tag

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.
Mustang Panda Updates CoolClient Backdoor with Infostealers

🔐 Kaspersky researchers say Chinese espionage group Mustang Panda has updated its CoolClient backdoor to steal browser login data, monitor the clipboard, and sniff HTTP proxy credentials. The upgraded variant has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was distributed via legitimate Sangfor software. New plugins add a remote shell, enhanced file and service management, and in-memory plugin execution; researchers also noted a previously unseen rootkit used in some intrusions.
ClickFix Uses Signed App-V Scripts to Deploy Amatera

🔒 Blackpoint researchers describe a campaign that chains ClickFix-style fake CAPTCHA prompts with a signed Microsoft App-V script to proxy PowerShell and deliver the Amatera information stealer. Victims are tricked into pasting a command into the Windows Run dialog that abuses SyncAppvPublishingServer.vbs to load an in-memory loader, which pulls configuration from a public Google Calendar and retrieves a PNG containing an encrypted PowerShell payload. The attack targets systems with App-V enabled (Enterprise/Education), relies on manual user interaction, and uses living-off-the-land techniques and trusted services to frustrate detection and automated analysis.
ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
Evelyn Stealer Targets VS Code Extensions, Harvests Data

⚠️ Trend Micro detailed a campaign using a new information stealer, Evelyn Stealer, that abuses the Visual Studio Code extension ecosystem to harvest developer secrets. Malicious extensions drop a downloader DLL (Lightshot.dll) which launches a staged executable (runtime.exe) and injects the stealer into a legitimate process (grpconv.exe) to run in memory. The malware collects credentials, cookies, crypto wallets, screenshots, Wi‑Fi data and system metadata, then exfiltrates compressed archives to an attacker-controlled FTP server.
Researchers Exploit XSS in StealC Panel to Gather Evidence

🔍 CyberArk researchers disclosed they exploited a cross-site scripting (XSS) vulnerability in the web panel of the StealC infostealer to retrieve active session cookies and operational metadata. Researcher Ari Novick used the weakness to link a StealC customer, dubbed YouTubeTA, to the theft of roughly 390,000 passwords and over 30 million cookies from victims seeking cracked Adobe software on YouTube. Analysis of hardware fingerprints, language settings, time zones and IP addresses indicated the operator used an Apple Pro with an M3 chip, supported English and Russian, operated in an Eastern European time zone and connected via Ukrainian ISP TRK Cable TV, underscoring how weaknesses in criminal tooling can expose both victims and customers to supply-chain risk.
XSS Flaw in StealC Panel Lets Researchers Monitor Operators

🔍 Cybersecurity researchers disclosed an XSS vulnerability in the web-based control panel used by operators of the StealC information stealer. By exploiting it they collected system fingerprints, monitored active sessions, and stole session cookies from the infrastructure itself, according to CyberArk researcher Ari Novick. The panel's leaked source code and the stealer's distribution through the YouTube Ghost Network and other lures amplified the operational insights researchers gained. Full technical details were withheld to avoid enabling copycats.
Researchers Hijack StealC Panels via XSS, Expose Operators

🔒 A cross-site scripting (XSS) flaw in the web control panel for the StealC info‑stealer allowed researchers to observe active operator sessions, capture session cookies and harvest browser and hardware fingerprints. CyberArk exploited the issue to identify an operator’s location and device details after a panel user failed to route traffic through a VPN. The company withheld technical disclosure to avoid a quick fix and said the finding may disrupt StealC’s MaaS ecosystem.
GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.
TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.
Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
c-ares DLL Side-Loading Enables Malware Deployment

🔒 Researchers detail an active campaign abusing a DLL side-loading flaw in the open-source c-ares runtime to evade defenses and deploy commodity trojans and stealers. Attackers pair a malicious libcares-2.dll with signed copies of ahost.exe (commonly from GitKraken) placed in the same folder to hijack load order and achieve code execution. The operation distributes families including Agent Tesla, CryptBot, Formbook, Vidar, Lumma, Remcos and others using invoice- and RFQ-themed lures in multiple languages targeting finance, procurement and admin roles.
Malicious Chrome Extension Steals MEXC API Keys in Web Store

⚠ A malicious Chrome extension named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) has been found on the Chrome Web Store and is designed to create and steal API keys for the MEXC exchange. Published Sept 1, 2025 by a developer using the handle "jorjortan142," the add-on programmatically generates API keys with withdrawal permissions and hides the enabled permission in the UI. The extension injects a content script on MEXC's API management page, captures the Access and Secret keys when created, and exfiltrates them via HTTPS to a hard-coded Telegram bot. Socket researcher Kirill Boychenko reported 29 downloads and warns the threat remains active as long as stolen keys are valid.
Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" and "Дополнительные выплаты") which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.
Malicious npm Packages Target n8n in Supply-Chain Attack

🔐 Endor Labs discovered malicious npm packages this week that impersonated community nodes for the n8n workflow automation platform, harvesting OAuth tokens and API keys when installed. The deceptive packages presented legitimate-looking configuration screens while executing code to decrypt credentials from n8n’s credential store and exfiltrate them to attacker-controlled C2 servers. Because n8n treats installed nodes as trusted code with full access to the workflow environment, these packages bypass typical supply-chain monitoring and can perform arbitrary network requests and host interactions. Endor recommends preferring built-in integrations, auditing package source and metadata, monitoring outbound traffic from automation hosts, and using isolated, least-privilege service accounts.
WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱 Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials, and the malware logs propagation metrics.
NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.
Ghost Tap Malware Drives Remote NFC Payment Fraud Surge

📱 Group-IB researchers have documented Android malware enabling unauthorized tap-to-pay transactions by remotely relaying NFC card data. Malicious APK samples—over 54 identified—are distributed in Chinese-language Telegram cybercrime communities and often disguise themselves as legitimate financial apps. Attackers use smishing and vishing to get victims to install a 'reader' app and tap their card; a criminal 'tapper' app and illicit POS terminals then complete the payment. Prominent vendors, including TX-NFC, X-NFC and NFU Pay, sell access via subscriptions and support.
ownCloud Urges MFA after Credential Theft Reports Globally

🔒 ownCloud has urged users to enable multi-factor authentication (MFA) after reports that threat actors used credentials stolen via infostealer malware to access self-hosted file-sharing instances. The company said the platform was not breached via a zero-day or vulnerability; attackers reused credentials harvested by malware such as RedLine, Lumma, and Vidar. ownCloud recommends enabling MFA, resetting passwords, invalidating sessions, and reviewing access logs to protect data.
Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and OwnCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, long-lived stolen credentials and the necessity of MFA and session invalidation.