All news with #malware tag

🛡️ IBM X-Force researchers have linked a PowerShell backdoor called Slopoly to financially motivated group Hive0163 and report indicators that portions of the script were likely produced with a large language model. The builder-delivered payload establishes persistence via a scheduled task named Runtime Broker and was used to maintain access for more than a week in a 2026 ransomware incident. Slopoly beacons system details every 30 seconds, polls for commands every 50 seconds, executes via cmd.exe and returns results to a C2 server. Although the script lacks true self-modifying polymorphism, its comments, logging and naming conventions demonstrate how AI can accelerate malware development.

🛡️ U.S. and European law enforcement, assisted by Lumen’s Black Lotus Labs and private partners, disrupted the SocksEscort proxy network that relied on Linux-targeting AVRecon malware to compromise edge devices. The takedown seized domains and servers, froze about $3.5 million in cryptocurrency, and disconnected listed infected routers from the service. Authorities say SocksEscort sold access to hundreds of thousands of IPs and was tied to multimillion-dollar frauds. Investigations and remediation efforts continue.

🔒 PixRevolution is an Android banking trojan uncovered by Zimperium that silently monitors devices and redirects funds during Brazil's PIX instant payments. It abuses Android accessibility permissions to stream screens to an attacker-controlled server, detects payment activity, and replaces recipient keys while displaying a fake loading overlay. The campaign relies on an agent-in-the-loop model with human operators intervening in near real time and spreads via fraudulent download pages impersonating legitimate Brazilian apps.

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.

🛡️ Endor Labs has identified 88 additional malicious npm packages tied to the PhantomRaven supply-chain campaign, published between November 2025 and February 2026, with 81 still live and two active C2 servers. The operation uses Remote Dynamic Dependencies (RDD) to fetch credential-stealing payloads from attacker-controlled URLs during npm install. The payload harvests developer and CI/CD credentials and exfiltrates data via HTTP and WebSocket channels, while attackers rotate accounts, domains, and package metadata to evade takedowns.

🔍 GitLab research outlines a North Korean campaign that impersonated recruiters in the 'Contagious Interview' scheme and resulted in the banning of 131 attributed accounts. Many GitLab projects served as obfuscated loaders for malware such as BeaverTail and Ottercookie, with payloads hosted outside repositories. Operators used consumer VPNs, VPSs and laptop farms and shifted to invite-only projects, NPM dependency abuse, sandbox detection and AI-generated personas to scale fake IT worker and freelance scams.

🛡️Researchers report six Android malware families targeting Pix payments, banking apps, and cryptocurrency wallets. The threats — including PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT — rely on fake Google Play Store pages, accessibility and MediaProjection abuse, screen overlays, and remote control to harvest credentials and hijack transfers. Campaigns use Firebase or custom TCP/9000 C2s, include miners or RAT payloads, and some samples experiment with large language model components to refine targeting.

🧟 Researchers disclosed a technique called 'Zombie ZIP' that manipulates ZIP headers to hide DEFLATE-compressed payloads so scanners treat them as uncompressed, producing widespread false negatives in antivirus and EDR tools. The author, Chris Aziz of Bombadil Systems, published proof-of-concept archives showing scanners trust the ZIP Method field and therefore scan raw bytes instead of compressed data. CERT/CC assigned CVE-2026-0866 and recommends stricter archive validation; end users should delete archives that raise 'unsupported method' or extraction errors.

🐛 A dormant self‑propagating JavaScript worm that hadn't been active since 2024 was accidentally reawakened by a Wikipedia security engineer, briefly vandalising pages with giant woodpecker images. In a separate case, a contractor entrusted with US Marshals' seized cryptocurrency is accused of stealing about $46 million and allegedly boasted on a recorded Telegram call. Host Graham Cluley and guest Tricia Howard discuss these incidents alongside wider cybercrime takedowns and industry security lessons.

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.

🔒 Endor Labs identified a new PhantomRaven npm campaign wave that published 88 malicious packages across 50 disposable accounts, many using slopsquatting to mimic popular projects and names suggested by LLMs. The packages use Remote Dynamic Dependencies in package.json so malware is fetched from attacker-hosted URLs at install time, exfiltrating .gitconfig, .npmrc, environment variables and CI/CD tokens to C2 servers. Researchers note consistent EC2-hosted 'artifact' domains without TLS, an almost unchanged payload across waves, and 81 packages still available; developers should verify publishers and avoid unvetted AI suggestions.

🔍 Aryaka Threat Research Lab has identified a campaign that distributes resume-like attachments to target HR and recruiting staff, deploying a component named BlackSanta that attempts to disable endpoint detection and response. The multi-stage infection chain performs system reconnaissance, sandbox and VM checks, and geographic and language filtering before downloading further payloads. Attackers appear Russian-speaking and leverage routine hiring workflows to increase success, while encrypted communications and data exfiltration help maintain persistence.

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, injects encrypted modules into RAM after device and country checks, and avoids analysis by detecting emulators. It deploys a Monero miner that evades power optimizers by playing near‑inaudible audio and uses Accessibility abuse to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permissions, and run up‑to‑date anti‑malware.

🛡️ Researchers at Aryaka uncovered a Russian-speaking threat actor using targeted spear-phishing emails that delivered ISO attachments masquerading as resumes to deploy a new EDR-killing module named BlackSanta. The multi-stage infection leverages a malicious .LNK to launch a PowerShell script that extracts hidden code via steganography and runs payloads in memory. The chain also uses DLL sideloading with a legitimate SumatraPDF executable and a malicious DWrite.dll, and performs extensive fingerprinting and environment checks to evade sandboxes. BlackSanta disables and terminates security tooling, adjusts Microsoft Defender settings and suppresses notifications to minimize user alerts.

🛡️Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near‑inaudible MP3-based persistence mechanism to evade detection.

🧟 A new 'Zombie ZIP' technique hides malware by declaring compressed entries as uncompressed, causing many AV and EDR engines to misinterpret DEFLATE data as raw bytes and miss signatures. Researcher Chris Aziz reported it bypassed 50 of 51 VirusTotal engines and published a PoC with sample archives. CERT/CC assigned CVE-2026-0866 and advises vendors to validate compression method fields and implement integrity checks.

🛡️ Cybersecurity researchers at Black Lotus Labs have identified a novel malware family, KadNap, that has infected over 14,000 edge devices — primarily Asus routers — since first observed in August 2025. KadNap uses a custom Kademlia-based DHT to conceal its control infrastructure and build a resilient peer-to-peer botnet. Infected devices are being offered as resident proxies by a service named Doppelgänger, complicating attribution and abuse tracking.

🔒 KadNap is a newly observed botnet that compromises primarily ASUS routers and other edge devices to assemble a distributed proxy network. Since August 2025 it has grown to roughly 14,000 nodes and uses a modified Kademlia Distributed Hash Table (DHT) protocol to conceal command-and-control infrastructure and complicate takedowns. Infections begin when a malicious script (aic.sh) is fetched from 212.104.141.140, which installs an ELF binary named kad and establishes persistence via a cron job that runs every 55 minutes. Researchers at Black Lotus Labs link KadNap to the Doppelganger/Faceless proxy service that sells access to infected devices, and Lumen has blocked related traffic on its network while preparing indicators of compromise.

🛡️ Modern malware increasingly uses mathematical and timing checks to avoid analysis. The Picus Red Report™ 2026 found Virtualization/Sandbox Evasion (T1497) surged to the #4 technique in 2025, appearing in 20% of samples. Threats like Blitz and LummaC2 use system profiling, trigonometry-based mouse analysis, and CPU timing comparisons to detect sandboxes and abort execution. Organizations should shift from file analysis to continuous behavioral validation using AEV and BAS.

⚠️ JFrog researchers discovered a malicious npm package published as "@openclaw-ai/openclawai" that impersonates an OpenClaw installer and executes a multi-stage infection chain delivering a remote access trojan. During installation a postinstall script places a binary on the PATH, which runs an obfuscated setup that simulates a legitimate CLI installer and prompts for administrator credentials. The second-stage payload, internally named GhostLoader, installs persistently, harvests credentials, browser data, wallets, SSH keys and Apple Keychain entries, and exposes a SOCKS5 proxy for remote operators.