< ciso
brief />
Tag Banner

All news with #malware tag

899 articles

Injective SDK npm package used to steal wallet keys

🔒 Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
read more →

GodDamn ransomware uses signed PoisonX kernel driver

🛡️ GodDamn is a newly observed ransomware family that employs a signed PoisonX kernel driver and a Symantec‑masquerading user‑mode tool to disable endpoint protections. First spotted on May 21, 2026, Broadcom's Threat Hunter Team attributes the lineage to the Hyadina developer and links it to earlier Beast and Monster variants. Attacks used AnyDesk, PsExec, credential harvesters and lateral movement to compromise multiple hosts before deploying the encryptor.
read more →

Rise of Malicious AI Agents Threatens Organizations

🤖 ESET analysis shows cybercriminals increasingly use AI agents and chatbots to autonomously plan and execute attacks. Researchers reviewed 900,000 AI skills in public repositories and found tens of thousands of suspicious and thousands of malicious toolsets, expanding the attack surface. These agentic tools can exfiltrate data, execute malware, override instructions, and be repurposed from legitimate utilities into harmful capabilities. ESET urges organizations to enforce policies and caution users about downloading free tools from untrusted sources.
read more →

China-linked APT expands relay network and malware

🔍 Cisco Talos reports a China-nexus APT tracked as UAT-7810 has expanded a network of hijacked routers and devices called Operational Relay Boxes (ORBs) to hide other attackers' traffic. The group maintained a long-running LapDogs relay infrastructure and exploited unpatched Ruckus and ASUS router vulnerabilities to recruit devices. Researchers uncovered an upgraded backdoor, LONGLEASH, plus two new tools, DOGLEASH and JARLEASH, with evidence suggesting Chinese-speaking operators. Talos says the group's servers and malware remain active.
read more →

RedWing malware: Android bank-fraud service rental

🛡️ RedWing is a commercially rented Android malware operation sold via Telegram that enables low-skill criminals to take over victims' phones and harvest banking credentials and one-time codes. Zimperium's zLabs links it to an earlier rent-a-malware family and says a Telegram bot builds custom malicious apps on demand. Infection begins with phishing to a fake app-store page that persuades users to sideload and authorize intrusive permissions like Accessibility and default SMS handling. Once installed, RedWing can present overlays, read SMS OTPs, forward calls, stream the screen, record input, and exfiltrate files and location.
read more →

Gentlemen ransomware tests identity and recovery controls

🔍 The Gentlemen ransomware highlights challenges for CISOs in stopping attackers after an initial foothold. Researchers report the malware self-propagates using legitimate Windows management tools while attempting to disable security and recovery systems. Picus Security notes the encryptor, written in Go and obfuscated with Garble, leverages multiple lateral-movement methods and targets backups, EDR, and virtualization services to hinder recovery.
read more →

Monday Recap: Proxy Botnets, Browser Ransomware

⚡ Google and partners disrupted the NetNut residential proxy network (aka Popa), which abused smart home devices and preinstalled SDKs to route malicious traffic through an estimated 2 million devices. Other incidents this week include fake PoC repos delivering the ChocoPoC RAT via a dependency, a 19-year-old alleged Scattered Spider suspect extradited to the U.S., and a Brazilian Ousaban banking trojan targeting Spain and Portugal. Check Point flagged AI-generated browser ransomware leveraging the File System Access API, illustrating AI can autonomously devise working attack techniques.
read more →

New Java-based QuimaRAT MaaS Targets All Platforms

🛡️ Cybersecurity researchers have identified QuimaRAT, a modular Java-based remote access trojan offered as malware-as-a-service that targets Windows, Linux, and macOS. The kit includes a builder, loader, dropper, and the RAT itself, with subscription tiers from $150 to $1,200. QuimaRAT uses encrypted plugins, native libraries via JNA, and multiple persistence and delivery techniques to evade protections and maintain robust C2 connectivity.
read more →

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →

Avalon modular malware framework and CrownX ransomware

🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
read more →

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more →

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.
read more →

Google Disrupts NetNut Residential Proxy Network

🛡️ Google says its Threat Intelligence Group, working with FBI and industry partners, has degraded NetNut (aka Popa), a large residential proxy network that turns home devices into rented relays. GTIG estimates NetNut controlled at least 2 million devices, including smart TVs and streaming boxes, which can be used to route criminals' traffic through private home connections. NetNut is linked to publicly traded Alarum Technologies, which denies wrongdoing and says its software provides consented bandwidth sharing. Researchers found many apps did not show consent prompts, and Google warns the network is resilient through reseller arrangements and may reappear under different brands.
read more →

Google Disrupts Major Residential Proxy Network

🛡️ Today Google, working with the FBI, Lumen, and other partners, disrupted the NetNut (Popa) residential proxy network, building on earlier action against IPIDEA. Google disabled accounts used for NetNut C2, shared technical intelligence on SDKs and backend infrastructure, and ensured Play Protect warned users and disabled apps with NetNut SDKs. The disruption reduced NetNut’s available device pool by millions, though Google expects proxy operators to adapt and resell capacity.
read more →

Ousaban banking trojan targets Spain and Portugal

🛡️ Fortinet's FortiGuard Labs uncovered a May 2026 campaign deploying the Brazilian banking trojan Ousaban against Windows users who bank in Spain and Portugal. The attack begins with a deceptive PDF that either prompts victims to click an "Atualizar" button or auto-opens a malicious page; successful targets download a steganographic image that conceals a ZIP containing the malware. Ousaban monitors browser activity for over two dozen Iberian banks and can capture keystrokes, screenshots, tamper with the clipboard, display fake messages, and grant remote control to attackers.
read more →

Phantom squatting: AI-hallucinated domains abused

🛡️ Palo Alto Networks' Unit 42 warns attackers are registering AI-hallucinated domains and using them for phishing and malware distribution. The report shows models invent millions of links, many unregistered, and attackers are preemptively purchasing and cloning brand sites. Because new domains lack reputation data, they evade blocklists until damage is done. Unit 42 documents several real-world cases and offers mitigation steps for defenders and users.
read more →

Silent Swap clipper exploits browser extensions

🛡️ McAfee Labs uncovered an active campaign, dubbed Silent Swap, that deploys malicious Chromium extensions masquerading as a 'Google Notes' utility to intercept and replace cryptocurrency wallet addresses copied to the clipboard. The installers, observed in .NET and Golang variants, inject the extension into Chromium-based browsers by modifying protected preferences and recalculating security hashes to bypass store installation. The threat uses an EtherHiding technique to resolve C2 domains via the blockchain and performs dynamic, server-side wallet mappings to redirect funds to attacker-controlled addresses. Telemetry shows global infections, with higher concentration in India.
read more →

Counterfeit USBs Infected JGSDF Networks Nearly Year

🔍 Leaked documents reveal that counterfeit USB flash drives carrying malware entered Japan's Ground Self-Defense Force (JGSDF) networks after being distributed during 2024 earthquake relief operations. The malicious drives, traced to sellers in China and priced below market rates, were discovered in February 2025 and found on over 50 computers, nearly half handling classified data. Investigators linked the malware to a strain previously associated with a China-linked hacking group, while authorities maintain the infection showed only self-replication behavior.
read more →

Malicious Perplexity-themed Chrome Extension Captured Searches

🔍 Microsoft discovered a malicious Chrome extension posing as Perplexity that logged every search query and each character typed in the address bar by routing input through an attacker-controlled server before redirecting to legitimate results. The extension, named "Search for perplexity ai" and using a look-alike domain, set itself as the default search engine and redirected queries and live suggestion traffic to the attacker domain, collecting headers, IPs, and user agent data. Microsoft reported the extension to Google, which removed it from the Chrome Web Store; defenders are urged to remove the extension and verify search settings immediately.
read more →

Chromium extension spoofs AI brand to hijack searches

🔍 Microsoft Threat Intelligence discovered a malicious Chromium extension impersonating Perplexity AI to intercept Omnibox queries and real-time search suggestions. The extension used MV3, declarativeNetRequest rules, and a typosquatted domain (perplexity-ai[.]online) to route searches through attacker infrastructure before redirecting to expected providers. Google removed the extension after responsible disclosure. Microsoft provides indicators, dynamic analysis findings, and mitigation guidance.
read more →