< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 11 of 45

EssentialPlugin WordPress Suite Compromised, Malware Push

🔐 More than 30 plugins in the EssentialPlugin package were found to contain a backdoor that grants unauthorized access to sites. The malicious code was introduced after the project's acquisition in August 2025 but remained dormant until recently, when updates delivered a downloader that injects malware into wp-config.php. The payload selectively displayed spam to Googlebot and used an Ethereum-based C2 for evasion. WordPress.org closed the affected plugins and issued a forced update, though configuration files may still be infected.
read more →

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.
read more →

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.
read more →

108 Malicious Chrome Extensions Target Google, Telegram

🔒 Researchers at Socket uncovered 108 malicious Google Chrome extensions that collectively amassed about 20,000 installs and reported to a single command-and-control server. Published under five publisher identities, the add-ons posed as games, Telegram sidebars, and enhancement tools while exfiltrating Google account data, hijacking Telegram Web sessions, opening arbitrary URLs, and injecting ads and scripts. Some source files contained Russian-language comments; attribution remains unconfirmed. Users should remove any identified extensions and log out of Telegram Web sessions immediately.
read more →

n8n Abuse: Threat Actors Weaponize AI Workflow Platforms

⚠️ Cisco Talos details how attackers are misusing the AI workflow automation platform n8n to run sophisticated phishing and malware campaigns. Between October 2025 and March 2026, researchers observed a sharp increase in emails containing n8n webhook URLs that serve dynamic HTML payloads and CAPTCHA-protected bait to initiate downloads. These flows mask malicious payloads behind trusted domains and have been used to deploy modified RMM tools and to fingerprint recipients. Talos urges behavioral detection, IOC sharing, and AI-enhanced email defenses to mitigate this abuse.
read more →

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.
read more →

Fake Ledger Live macOS App Stole $9.5M in Crypto from Users

🔒 A malicious macOS app impersonating Ledger Live on the Apple App Store drained approximately $9.5 million in cryptocurrency from 50 users after they were tricked into entering their seed/recovery phrases. Blockchain investigator ZachXBT traced funds moved across multiple chains (Bitcoin, Ethereum, Tron, Solana, Ripple) and funneled through more than 150 deposit addresses tied to a centralized mixer called "AudiA6" on KuCoin. Apple removed the fraudulent app after multiple reports, and KuCoin says it has frozen the implicated accounts pending further action. Ledger provides a Mac app on its website but not through the App Store; users are urged to download only from official vendor channels.
read more →

AI-Powered Pushpaganda Scam Hijacks Google Discover

🔔 Researchers uncovered 'Pushpaganda', an ad fraud campaign that uses search engine poisoning and AI-generated content to surface deceptive stories in Google Discover and trick Android and Chrome users into enabling persistent browser notifications. Once enabled, the alerts deliver scareware-style legal threats and redirect victims through actor-controlled domains that generate illicit ad revenue and funnel users to financial scams. HUMAN's findings link the operation to hundreds of domains and hundreds of millions of bid requests, and Google has deployed a fix.
read more →

Campaign of 108 Malicious Chrome Extensions Exposes Data

🚨Research by Socket uncovered a coordinated campaign of 108 malicious Chrome extensions that affected about 20,000 users. Distributed across gaming, social media and translation categories, these extensions appear legitimate while quietly harvesting sensitive data, including Google profiles and active web sessions. Operators used a single command-and-control infrastructure and shared code, complicating detection and enabling a Malware-as-a-Service model.
read more →

108 Malicious Chrome Extensions Linked to Single Backend

🔔 Cybersecurity researchers have uncovered a coordinated campaign of 108 malicious Google Chrome extensions that share a common command-and-control backend and have accumulated roughly 20,000 installs. The add-ons, published under five publisher identities, exfiltrate credentials and session data, inject ads and arbitrary JavaScript, and can force-load attacker-controlled sessions. Many abuse OAuth2, strip security headers, and periodically harvest Telegram Web sessions. Users should remove suspicious extensions and log out of Telegram Web sessions to invalidate any stolen tokens.
read more →

JanelaRAT Targets Latin American Banks, 14,739 Hits

🔒 Researchers report that the JanelaRAT malware, a modified BX RAT, extensively targeted banks and financial services across Latin America, with telemetry showing 14,739 attack attempts in Brazil and 11,695 in Mexico during 2025. The trojan steals banking and cryptocurrency credentials, captures keystrokes, screenshots and system metadata, and uses custom title-bar detection to trigger actions on matched sites. Attackers shifted delivery from VBScript ZIPs to rogue MSI installers and DLL side-loading, often installing a malicious Chromium extension for persistence and data exfiltration. Vendors including Kaspersky, KPMG, and Zscaler documented multi-stage chains and robust C2 capabilities.
read more →

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.
read more →

GlassWorm Uses Zig Dropper to Infect Multiple IDEs

🐛 A new phase of the GlassWorm campaign uses a Zig-compiled native Node addon embedded in a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker, impersonating WakaTime, to gain OS-level access and stealthily install additional payloads. The addon (installed as win.node on Windows and mac.node on macOS) runs outside the JavaScript sandbox, locates IDEs that support VS Code extensions, downloads a malicious VSIX from an attacker-controlled GitHub account, and silently installs it across detected editors. The second-stage extension then reads commands from the Solana blockchain to obtain its C2, exfiltrates sensitive data, and deploys a RAT that ultimately installs an information-stealing Chrome extension; affected users should assume compromise and rotate secrets.
read more →

CPUID Supply-Chain Attack Distributes Malware to Users

⚠️ Hackers altered an API on the CPUID website and replaced official download links to serve trojanized installers for CPU-Z and HWMonitor, distributing a malicious file labeled HWiNFO_Monitor_Setup. The package launches a Russian installer wrapped with Inno Setup and was delivered via Cloudflare R2, while original signed binaries appear intact. Security researchers report a multi-stage, mostly in-memory loader that uses proxying of NTDLL calls from a .NET assembly to evade EDR/AV detection. CPUID says the secondary API was compromised for roughly six hours (April 9–10) and that the breach has been fixed.
read more →

Unpatched Adobe Reader Bug Exploited in Recon Campaign

⚠️ A vulnerability in Adobe Reader has been quietly exploited for months, using malicious PDFs with embedded JavaScript that executes when opened to fingerprint hosts and exfiltrate system details. Researcher Haifei Li traced samples back to at least November and confirmed recent variants still run on current Reader builds. The campaign appears focused on reconnaissance and data theft but could enable remote code execution. Mitigations include disabling Acrobat/Reader JavaScript, filtering non‑standard PDFs, marking external attachments, and reinforcing user training.
read more →

LucidRook Lua Malware Targets NGOs and Universities

🛡️ Cisco Talos has identified a new Lua-based backdoor called LucidRook used in October 2025 spear-phishing operations targeting NGOs and universities in Taiwan. Attackers delivered payloads via password-protected archives and deployed either an LNK shortcut chain that dropped a loader named LucidPawn or a fake antivirus EXE. LucidPawn sideloads a malicious DLL (DismCore.dll) and embeds a Lua interpreter to fetch obfuscated bytecode, enabling modular updates while reducing forensic visibility. Collected reconnaissance is RSA-encrypted and exfiltrated via FTP; a related tool, LucidKnight, was observed abusing Gmail GMTP for data exfiltration.
read more →

Smart Slider update system hijacked to push malware

🔒 Smart Slider 3 Pro update infrastructure was hijacked to push a malicious 3.5.1.35 release to WordPress and Joomla sites. The tampered update preserved normal slider functionality while installing multiple backdoors, creating a hidden administrator account, and exfiltrating credentials. The vendor urges immediate upgrade to 3.5.1.36 (or restoring to 3.5.1.34 or earlier) and advises treating affected sites as fully compromised.
read more →

ThreatsDay: Hybrid P2P Botnet and Old Flaws Resurface

🛡️ A concise roundup of the week's notable incidents: a resilient hybrid variant of Phorpiex combines HTTP C2 polling with a P2P protocol to survive takedowns, while a 13‑year‑old chainable flaw in Apache ActiveMQ (CVE-2026-34197) can yield stealthy RCE if left unpatched. Industry data show record cyber‑fraud losses and a spike in AI‑assisted DDoS tactics. Multiple supply‑chain and platform abuses—from trojanized developer tools to malicious PyPI packages and SaaS notification phishing—underscore the need to patch, audit, and harden AI integrations.
read more →

ClickFix variant uses one-click Script Editor exploit

🛡️ Researchers at Jamf Threat Labs report a ClickFix campaign that opens Script Editor via the applescript:// URL scheme, preloading a malicious script with a single browser click. This bypasses Terminal paste protections introduced in macOS Tahoe 26.4 and removes a major user decision point. The lightweight script decodes a hidden URL, uses curl to retrieve a payload, and launches a new Atomic Stealer variant. Script Editor behavior can vary by macOS version; recent builds may prompt to save before execution.
read more →

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.
read more →