All news with #malware tag

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

False-Flag Teams Lure Delivers ValleyRAT via SEO Poisoning

🚨 ReliaQuest attributes a false-flag SEO poisoning campaign to the actor known as Silver Fox, which has been active since November 2025 and aims to masquerade as a Russian group to mislead investigators. The campaign pushes a malicious Teams installer packaged as "MSTчamsSetup.zip" from an Alibaba Cloud URL, drops a trojanized Setup.exe, establishes exclusions in Microsoft Defender, and writes a staged installer "Verifier.exe" to the AppData profile. The loader scans for security processes, injects a malicious DLL into rundll32.exe, and reaches out to a remote server to retrieve the final ValleyRAT payload.

ShadyPanda Converts Popular Browser Extensions into Spyware

🔒 A threat actor tracked as ShadyPanda operated a seven-year browser-extension campaign that amassed over 4.3 million installs by converting popular add-ons into data-stealing spyware. Koi Security reports that five extensions were modified in mid-2024 to run hourly remote code execution, download arbitrary JavaScript, and exfiltrate encrypted browsing histories and full browser fingerprints. Notable victims include Clean Master — once verified by Google — and WeTab, which still had millions of installs. Users should remove affected extensions and rotate credentials immediately while marketplaces review post-approval update controls.

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.

Matrix Push C2 Uses Browser Notifications for Phishing

🔔 Matrix Push C2 is a browser-native, fileless C2 platform that leverages web push notifications, fake alerts, and link redirects to distribute phishing links across operating systems. Attackers social-engineer users into allowing notifications on malicious or compromised sites, then send branded, OS-like alerts with action buttons that redirect victims to fraudulent landing pages. Sold as a MaaS kit via Telegram and cybercrime forums, it includes a web dashboard, analytics, URL shortening, configurable templates (e.g., MetaMask, Netflix, PayPal), and tiered crypto-paid subscriptions.

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.

Sturnus Android Banking Trojan Targets Southern Europe

🛡️ ThreatFabric has detailed a new Android banking trojan named Sturnus that combines screen-capture, accessibility abuse, and overlays to steal credentials and enable full device takeover. The malware captures decrypted messages from WhatsApp, Telegram, and Signal by recording the device screen, serves region-specific fake banking login screens, and contacts operator servers via WebSocket/HTTP to receive encrypted payloads and enable remote VNC-style control. It resists cleanup by blocking uninstallation and leveraging administrator privileges.

Smashing Security Ep 444: Honest Breach and Hotel Phish

📰 In episode 444 of the Smashing Security podcast Graham Cluley and guest Tricia Howard examine a refreshingly candid breach response where a company apologised and redirected a ransom payment to cybersecurity research, illustrating how legacy systems can still magnify risk. They unpack a sophisticated hotel-booking malware campaign that abuses trust in apps and CAPTCHAs to deliver PureRAT. The hosts also discuss the rise of autonomous pen testing, AI-turbocharged cybercrime, and practical questions CISOs should be asking on Monday morning, with a featured interview featuring Snehal Antani from Horizon3.ai.

Fake Chrome Extension 'Safery' Exfiltrates Ethereum Seeds

🔒 A malicious Chrome extension posing as Safery: Ethereum Wallet was found to exfiltrate Ethereum wallet seed phrases by encoding mnemonics into synthetic Sui addresses. Socket security researcher Kirill Boychenko and Koi Security report the extension broadcasts micro-transactions (0.000001 SUI) from an attacker-controlled wallet to smuggle seed phrases on-chain without a traditional C2 server. Uploaded on September 29, 2025 and updated November 12, it remained available at the time of reporting. Users should stick to trusted wallet extensions and defenders should flag unexpected RPC calls and on-chain writes during wallet import or creation.

Fantasy Hub: Android RAT sold on Telegram as MaaS service

🔒 Cybersecurity researchers disclosed a new Android remote access trojan, Fantasy Hub, marketed on Russian-speaking Telegram channels under a Malware-as-a-Service model. The MaaS offers turnkey builders, bot-driven subscriptions, custom trojanized APKs and a C2 panel to manage compromised devices and exfiltrate SMS, contacts, media and call logs. Sellers provide fake Google Play landing pages and instruction to abuse the default SMS handler and deploy overlays to intercept banking 2FA and harvest credentials.

GlassWorm Malware Found in Three VS Code Extensions

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.

BankBot-YNRK and DeliveryRAT: New Android Banking Threats

🔒 Cybersecurity researchers CYFIRMA and independent analyst F6 have disclosed two active Android trojans—BankBot‑YNRK and DeliveryRAT—that harvest financial and device data from compromised phones. BankBot‑YNRK impersonates an Indonesian government app, performs device fingerprinting and anti-emulation checks, abuses accessibility services to steal credentials and automate transactions, and communicates with a command server. DeliveryRAT, promoted via a Telegram bot, lures Russian users with fake delivery and marketplace apps and delivers malware-as-a-service variants that collect notifications, SMS and call logs and can hide their launchers. Users should avoid untrusted APKs, review permissions, and keep devices updated—Android 14 reduces some accessibility-based abuses.

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.

The AI Fix 74: AI Glasses, Deepfakes, and AGI Debate

🎧 In episode 74 of The AI Fix, hosts Graham Cluley and Mark Stockley survey recent AI developments including Amazon’s experimental delivery glasses, Channel 4’s AI presenter, and reports of LLM “brain rot.” They examine practical security risks — such as malicious browser extensions spoofing AI sidebars and AI browsers being tricked into purchases — alongside wider societal debates. The episode also highlights public calls to pause work on super-intelligence and explores what AGI really means.

Early Threat Detection: Protecting Growth and Revenue

🔎 Early detection turns cybersecurity from a reactive cost into a business enabler. Investing in continuous visibility, threat intelligence, and rapid detection reduces incident costs, preserves uptime, and protects revenue and reputation. Solutions such as ANY.RUN's Threat Intelligence Feeds and TI Lookup deliver real-time IOCs, context-enriched analyses, and STIX/TAXII-ready integrations so SOCs can prioritize and act faster, lowering MTTR and operational burden.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

Analyzing ClickFix: Why Browser Copy-Paste Attacks Rise

🔐 ClickFix attacks trick users into copying and executing malicious code from a webpage—often presented as a CAPTCHA or a prompt to 'fix' an error—so the payload runs locally without a download. Researchers link the technique to Interlock and multiple public breaches and note delivery has shifted from email to SEO poisoning and malvertising. The articles says clipboard copying via JavaScript and heavy obfuscation let these pages evade scanners, and that traditional EDR and DLP often miss the attack. Push Security recommends browser-based copy-and-paste detection to block attacks before the endpoint is reached.

New .NET CAPI Backdoor Targets Russian Auto and E-commerce

🔒 Seqrite Labs uncovered a new .NET implant named CAPI Backdoor linked to a phishing campaign targeting Russian automobile and e-commerce organizations. The attack leverages a ZIP archive containing a decoy Russian tax notice and a Windows LNK that loads a malicious adobe.dll via the legitimate rundll32.exe. The backdoor gathers system and browser data, takes screenshots, and communicates with a remote C2 for commands and exfiltration. Persistence is achieved through scheduled tasks and a Startup LNK.

Silver Fox Expands Winos 4.0 Attacks to Japan, Malaysia

🔎 Silver Fox operators have expanded the Winos 4.0 (ValleyRAT) campaign from China and Taiwan to target Japan and Malaysia, and are also deploying a secondary RAT tracked as HoldingHands. The actors use phishing emails with booby‑trapped PDFs, SEO‑poisoned pages and targeted .LNK résumé lures to deliver multiple payloads, including Winos modules and HoldingHands. Observed techniques include DLL sideloading, Task Scheduler recovery abuse, anti‑VM checks and AV termination to maintain persistence and evade detection.