
All news with #malware tag

810 articles · page 10 of 41

Speagle Malware Hijacks Cobra DocGuard in Targeted Campaign

🔒 Speagle is a newly identified malware that subverts the client and infrastructure of the legitimate document protection product Cobra DocGuard to harvest and exfiltrate sensitive information while masquerading as normal client-server traffic. Researchers at Symantec and Carbon Black (Broadcom) say the 32-bit .NET binary verifies the DocGuard installation, collects system and browser artefacts, and uses a compromised Cobra server for command-and-control and data theft. Tracked as Runningcrab, the activity appears narrowly targeted to environments running the security software and may stem from a supply-chain compromise; attribution remains unknown.

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.

Agentic Era: How AI Is Reshaping the Cyber Threat Landscape

🤖 Between January and February 2026, AI-assisted malware development matured from experimentation into operational capabilities that materially change attack economics. What once required coordinated teams can now be executed by a single experienced developer using an AI-powered IDE, accelerating weaponization, iteration, and delivery of attacks. Enterprise productivity and development tools have become enlarged attack surfaces, while automation and agentic workflows enable faster, more evasive intrusion chains. Defenders must shift toward behavior-based detection, robust telemetry, and secure development and supply chain controls.

Perseus Android Malware Harvests Secrets from Notes

🔐 Researchers at ThreatFabric have discovered a new Android malware family called Perseus that scans user note-taking apps to steal passwords, recovery phrases, and financial data. Distributed via sideloaded IPTV-themed apps, Perseus abuses Accessibility Services to gain full remote control, capture screenshots, and deploy overlays and keyloggers. The threat uses a dropper capable of bypassing Android 13+ sideloading restrictions and performs extensive anti-analysis checks before exfiltration. Users are advised to avoid sideloading APKs, keep Play Protect enabled, and install apps only from the Google Play Store.

Analyzing Current Use of AI in Malware: Unit 42 Report

⚠️ Unit 42 examines real-world instances where malware calls external LLMs for decision making or cosmetic effect. The researchers present two representative cases: a trio of obfuscated .NET infostealers that call OpenAI GPT-3.5-Turbo but largely perform "AI theater" by logging model outputs without functional integration, and a Go dropper that queries GPT-4 to gate Sliver payload execution. The report highlights detection opportunities and recommends Advanced Threat Prevention, Advanced WildFire, and Cortex XDR/XSIAM to monitor telemetry and IOCs.

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers—separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blog post covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that driver-based attribution is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.

Vidar Stealer 2.0 Delivered via Fake Game Cheats on GitHub

🎮 Acronis TRU found hundreds of GitHub repositories posing as "free" game cheats that deliver the Vidar 2.0 infostealer, warning the true number of malicious repos could be in the thousands. Campaigns begin in game-focused Discord and Reddit communities and use PS2EXE-compiled PowerShell loaders to evade basic detections. Loaders add Windows Defender exclusions, fetch secondary payload URLs from Pastebin linking to GitHub-hosted binaries, and deploy a Themida-packed Vidar executable that establishes persistence via scheduled tasks. The payload then harvests credentials, tokens and files and exfiltrates them through C2 infrastructure masked by Telegram bots and Steam dead-drop resolvers.

GlassWorm Compromise Hits 400+ Repos Across Platforms

🪲 The GlassWorm supply-chain campaign has resurfaced, compromising 433 packages, repositories, and extensions across GitHub, npm, and VSCode/OpenVSX. Researchers from Aikido, Socket, Step Security and the OpenSourceMalware community link the activity to a single actor using the same Solana address, identical payloads, and shared infrastructure. Malicious commits employ invisible Unicode to hide obfuscated JavaScript that polls the Solana blockchain for memos and downloads a Node.js runtime to execute an information stealer; developers should search for the marker lzcdrtfxyqiplpd and inspect for persistence artefacts.

GlassWorm offshoot ForceMemo injects malware in Python repos

🧬 Security researchers say a GlassWorm offshoot, tracked as ForceMemo, uses stolen GitHub tokens to inject obfuscated malware into hundreds of Python repositories by appending code to entry files like setup.py, main.py, and app.py. Attackers steal tokens via malicious VS Code and Cursor extensions, then rebase and force-push rewritten commits to preserve author metadata and hide traces. The appended payload uses a Solana transaction memo to fetch additional payloads and includes locale checks that skip execution on Russian-language systems. Downstream users who pip install or run compromised projects risk executing encrypted JavaScript that can steal cryptocurrency and sensitive data.

GlassWorm Abuses Open VSX Extension Dependencies Campaign

🐛 Researchers at Socket say attackers are abusing dependency relationships in the Open VSX registry to deliver a loader linked to GlassWorm. Since Jan 31, 2026, Socket has identified at least 72 malicious listings that pose as developer utilities and later add dependencies to fetch payload extensions. By using VS Code features like extensionPack and extensionDependencies, threat actors turn trusted-looking extensions into transitive delivery vehicles during updates. Mitigations include auditing extension dependencies, monitoring updates, and restricting installs to trusted publishers.

FBI Seeks Help from Gamers Over Steam Malware Campaign

🕵️ The FBI’s Seattle Division is asking gamers who unintentionally downloaded malware via the Steam platform to assist an ongoing investigation into a campaign active between May 2024 and January 2026. Investigators say several titles — including BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova — have been identified as distribution points, and they are asking affected users to complete a short questionnaire. The FBI is collecting information on pre- and post-download communications, financial losses, and crypto wallet or bank account details; responses are voluntary, may result in follow-up contact, and victims’ identities will be kept confidential.

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time-zone checks to profile victims.

AppsFlyer Web SDK Temporarily Hijacked to Steal Crypto

🛡️ The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated JavaScript that intercepts cryptocurrency wallet inputs and replaces them with attacker-controlled addresses, diverting funds. Profero researchers identified the malicious payload being served from websdk.appsflyer.com between March 9 and March 11. AppsFlyer says the mobile SDK was not affected, the incident has been contained, and an investigation with external forensics is ongoing.

GlassWorm Escalates via 72 Malicious Open VSX Extensions

🔒 Cybersecurity researchers have identified a significant escalation in the GlassWorm campaign, which has abused at least 72 extensions in the Open VSX registry to target developers, Socket reports. The actor leverages extensionPack and extensionDependencies to turn benign-looking extensions into transitive delivery vehicles that install malicious packages after trust is established. The malicious listings impersonated common developer tools and used heavier obfuscation, invisible Unicode characters, Solana transactions as dead drops, and rotating wallets to evade detection. Open VSX has removed the flagged extensions while vendors and researchers continue their analysis.

FBI Seeks Victims After Malware-Embedded Games on Steam

🎮 The FBI's Seattle Division is seeking information from gamers who installed Steam titles later found to contain malware between May 2024 and January 2026. Identified titles include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The agency's questionnaire targets cryptocurrency theft and account hijacking and requests transaction details, compromised account information, and screenshots of communications to help trace stolen funds and those who distributed the malware.

FBI Warns on Residential Proxy Abuse Targeting Devices

🔒 The FBI has issued guidance warning organizations and consumers about the growing use of residential proxies by cybercriminals, which reroute traffic through compromised home devices to mask malicious activity. By taking over IoT devices, smartphones, and home routers, attackers can make illegal traffic appear to originate from legitimate residential connections. The FBI recommends timely patching, strict device policies, network segmentation, blocking IPs tied to residential proxy networks, and stronger firewall rules to mitigate risk.

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.

New ClickFix Variant Uses WebDAV and Trojanized Electron App

🔎 Atos researchers disclosed a ClickFix variation that leverages the Run dialog to execute a 'net use' command, map a remote WebDAV share, and run a hosted batch file. The chain downloads a ZIP that unpacks a trojanized WorkFlowy Electron app whose app.asar contains an obfuscated main.js acting as a persistent C2 beacon and dropper. The campaign evaded Microsoft Defender for Endpoint and was detected through targeted hunting of RunMRU registry activity.

AI-Generated Slopoly Backdoor Used in Interlock Attack

🔒 A PowerShell backdoor called Slopoly, likely generated with an LLM, was used in an Interlock ransomware intrusion that allowed attackers to persist on a compromised server for over a week and exfiltrate data. IBM X-Force observed developer-style comments, structured logging, clear variable names, and robust error handling that suggest AI-assisted creation. Deployed to C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly beacons to a C2 endpoint, polls for commands, executes them via cmd.exe, and establishes persistence as a scheduled task.

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.