< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 12 of 45

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that embeds a credit-card skimmer into Magento storefronts by hiding it inside a 1×1-pixel SVG element with an onload handler. The handler stores the entire payload as a base64 string decoded via atob() and executed inline to avoid external script detection. When shoppers click checkout a fake Secure Checkout overlay validates card and billing fields in real time and exfiltrates data in XOR-encrypted, base64-obfuscated JSON; Sansec identified six exfiltration domains and published actionable mitigations.
read more →

APT28 Deploys PRISMEX Malware Against Ukraine Allies

🔍 Trend Micro links a targeted spear-phishing campaign to APT28 that delivers a previously undocumented malware suite called PRISMEX, active since at least September 2025. The operation blends steganography, COM DLL hijacking, and abuse of legitimate cloud services to retrieve and execute in-memory payloads. Researchers observed rapid weaponization of CVE-2026-21509 and CVE-2026-21513, with overlapping infrastructure such as "wellnesscaremed[.]com". The toolkit includes PrismexSheet, PrismexDrop, PrismexLoader and a COVENANT-based stager that has been associated with both espionage and destructive wiper activity.
read more →

LucidRook: Lua-Based Stager Targeting Taiwanese NGOs

🛡️ Cisco Talos disclosed a targeted spear‑phishing campaign delivering LucidRook, a Lua‑based stager that embeds a Lua 5.4 interpreter and Rust‑compiled libraries inside a DLL to fetch and run staged Lua bytecode. The threat actor delivered payloads via password‑protected archives and used decoy documents to distract victims while the dropper executed. Two delivery chains were observed — an LNK dropper LucidPawn and a .NET EXE masquerading as antivirus — both abusing public FTP services and OAST domains. Execution is gated to Traditional Chinese locales linked to Taiwan.
read more →

N. Korea-linked Campaign Pushes 1,700 Malicious Packages

🔒 Socket Security researchers say the North Korea-linked campaign known as Contagious Interview has published more than 1,700 malicious packages across npm, PyPI, Go, Rust and Packagist. The packages impersonate legitimate developer tooling and act as loaders that fetch platform-specific malware with infostealer and RAT capabilities. A Windows variant delivered through license-utils-kit behaves as a full implant, enabling command execution, keystroke logging, browser and wallet theft, file exfiltration and remote access via AnyDesk.
read more →

36 Malicious npm Packages Exploited Redis and PostgreSQL

SafeDep researchers disclosed 36 malicious npm packages masquerading as Strapi v3 plugins that execute payloads via the postinstall hook. Uploaded by four sockpuppet accounts over 13 hours, the packages weaponized Redis and PostgreSQL to deploy reverse shells, harvest credentials, and install a persistent implant targeting a hostname named prod-strapi. The postinstall script runs with the installing user's privileges, creating acute risk for CI/CD pipelines and containers. Users who installed any listed package are advised to assume compromise and rotate all credentials.
read more →

China-linked TA416 Targets European Diplomatic Networks

🔍 A China-aligned threat cluster identified as TA416 has resumed focused operations against European government and diplomatic entities since mid-2025, according to Proofpoint. The campaign combined web bugs and malware delivery to deploy the PlugX backdoor via Azure Blob, Google Drive, compromised SharePoint, and attacker-controlled domains. Attackers repeatedly altered infection chains—abusing Cloudflare Turnstile pages, OAuth redirection through Microsoft Entra ID, and MSBuild-based C# project files with DLL side-loading—to enhance stealth and persistence. The group also expanded targeting to Middle Eastern governments following the February 2026 regional conflict.
read more →

Axios npm Supply Chain Compromise Deploys Malicious Builds

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, MacOS, and Windows.
read more →

Microsoft: Cookie-Controlled PHP Web Shells on Linux

🍪 Microsoft Defender Security Research Team warns that threat actors are increasingly using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Instead of passing commands via URL parameters or request bodies, attackers gate execution and convey instructions through values accessible in the PHP $_COOKIE superglobal. This technique keeps malicious code dormant during normal application activity and activates only when specific cookie values are present, reducing observable indicators. Microsoft observed multiple obfuscated loaders and a cron-driven 'self-healing' persistence model that recreates loaders and minimizes forensic visibility.
read more →

New SparkCat Malware Variant Targets iOS and Android

🛡️Security researchers have discovered an updated SparkCat trojan on both the Apple App Store and Google Play Store, hiding inside seemingly benign apps such as enterprise messengers and food delivery services. Kaspersky said it found two infected iOS apps and one Android app that primarily target cryptocurrency users in Asia. The iOS variant scans photo galleries for English wallet mnemonic phrases, while the Android version employs code virtualization, cross-platform languages and regional keyword scanning for Japanese, Korean and Chinese. Both samples use an OCR module to exfiltrate images containing recovery phrases to attacker-controlled servers, underscoring a rapidly evolving threat.
read more →

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.
read more →

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.
read more →

GitHub Used as Covert Channel in Multi-Stage Malware

🔒 A multi-stage malware campaign leveraging GitHub as a covert C2 channel has been observed targeting users in South Korea, according to an advisory from Fortinet. Attackers distribute malicious .LNK shortcut files that drop decoy PDFs while executing obfuscated PowerShell and VBScript payloads silently in the background. Recent variants embed decoding routines directly within LNK arguments, remove identifying metadata, and exfiltrate system information and logs to GitHub repositories using hardcoded tokens. The campaign exemplifies modern living-off-the-land tactics that abuse legitimate Windows utilities and developer infrastructure to evade detection.
read more →

REF1695: Fake Installers Deliver RATs and Miners Campaign

🔍Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023 that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.
read more →

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.
read more →

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.
read more →

CrystalRAT malware adds RAT, stealer, and prankware features

🔒 A new malware-as-a-service called CrystalRAT (also marketed as CrystalX) has been active since January and is being promoted on Telegram and a dedicated YouTube channel, offering remote access, data theft, keylogging, clipboard hijacking and an extensive set of prankware functions. Kaspersky researchers found strong similarities to WebRAT (Salat Stealer), noting a Go-based codebase, matching panel design and a bot-driven sales system; the kit includes a builder, geoblocking, executable customization and anti-analysis protections. Payloads are zlib-compressed and ChaCha20-encrypted, connect to C2 over WebSocket, and the RAT supports CMD execution, VNC-backed remote control, audio/video capture, streaming keylogging and a clipboard clipper; the infostealer component targeting Chromium-based browsers and desktop apps is currently being upgraded. Users should avoid untrusted downloads and apply standard endpoint protections to reduce infection risk.
read more →

Mitigating the Axios npm Supply Chain Compromise Guidance

⚠️ On March 31, 2026 Microsoft identified two malicious npm releases of Axios (1.14.1 and 0.30.4) that introduced a trojan via a fake dependency plain-crypto-js@4.2.1 executing in a post-install hook to fetch platform-specific RAT payloads. Microsoft attributes the infrastructure and compromise to Sapphire Sleet. Immediate controls include reverting to safe Axios versions, pinning dependencies, rotating secrets, and using Microsoft Defender protections.
read more →

Axios npm Supply Chain Attack Injects Cross-Platform RAT

⚠ A compromised npm maintainer account led to malicious Axios releases (v1.14.1 and v0.30.4) that introduced a hidden dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan (RAT). The postinstall lifecycle script executed a heavily obfuscated Node.js dropper that retrieved platform-specific payloads from a C2 at sfrclak[.]com:8000. Payloads for macOS, Windows and Linux implement a unified RAT protocol with 60-second beacons and capabilities to run commands, inject binaries and remove themselves. Unit 42 recommends immediate isolation, rebuilds from known-good images, credential rotation, dependency pinning and network egress blocking to the C2.
read more →

NoVoice Android Malware on Google Play Infects Millions

📱 Researchers at McAfee uncovered NoVoice, an Android rootkit hidden in more than 50 Google Play apps that were downloaded at least 2.3 million times. The apps requested no suspicious permissions and used steganography to hide an encrypted APK payload that exploits historically patched kernel and driver vulnerabilities to gain root. Once rooted, the implant replaces system libraries, disables SELinux, and installs persistent recovery scripts and a watchdog so the rootkit survives factory resets. McAfee reported the apps and Google removed them, but previously infected devices should be considered compromised.
read more →

CrystalX RAT: Prankware MaaS with Full Spy Tools and Theft

🛡️ Kaspersky researchers discovered CrystalX, a subscription-based Remote Access Trojan promoted on Telegram and YouTube that mixes disruptive "prank" capabilities with robust theft and surveillance features. The Trojan can rotate screens, swap mouse buttons, block keyboard input, display arbitrary messages, and disable system utilities, while also stealing credentials, hijacking clipboards to redirect crypto, logging keystrokes, and accessing screen, camera and microphone. Builds are uniquely encrypted per customer and include anti-analysis checks, complicating detection, and Kaspersky products detect and neutralize the threat. Users should avoid pirated software, be cautious with messaging attachments, enable 2FA, keep systems updated, and run reputable security solutions.
read more →