CISO Brief

All news with #malware tag

810 articles · page 12 of 41

Sednit reemerges with BeardShell and Covenant toolkit

🔍 Since April 2024, ESET has documented the reactivation of Sednit’s advanced implant team, which now deploys the paired implants BeardShell and Covenant to maintain resilient command-and-control through distinct cloud providers. A SlimAgent keylogger found in Ukraine shows clear code lineage to the 2010-era Xagent backdoor, while BeardShell executes PowerShell in a .NET runtime and communicates via Icedrive using an obfuscation pattern previously seen in Xtunnel. Covenant is a heavily modified open-source framework adapted for long-term espionage with cloud-backed protocols, and ESET maps the observed behaviors to ATT&CK techniques and publishes IoCs.

Microsoft Teams Phishing Deploys A0Backdoor via Quick Assist

🔐 Researchers at BlueVoyant describe a Microsoft Teams phishing campaign that social-engineers employees into initiating Quick Assist remote sessions to install a newly observed backdoor, A0Backdoor. Attackers deliver digitally signed MSI installers and use DLL sideloading with legitimate Microsoft binaries to load a malicious hostfxr.dll that decrypts and runs shellcode. The backdoor fingerprints hosts, communicates with command-and-control over DNS MX queries with encoded subdomains, and has been observed targeting financial and healthcare organizations.

Malicious npm Package Deploys RAT, Steals macOS Credentials

🚨 JFrog researchers found a malicious npm package, @openclaw-ai/openclawai, uploaded on March 3, 2026 and downloaded 178 times, that masquerades as an OpenClaw installer to deploy a remote access trojan and harvest sensitive macOS data. It uses a postinstall hook and a global reinstallation to expose a CLI entry point, and the staged GhostLoader payload is delivered encrypted from a C2 server and run as a detached background process. The installer displays a polished fake CLI and an iCloud Keychain prompt to capture system passwords and prompts users for Full Disk Access to unlock Apple Notes, iMessage, Safari history and Mail. Collected files — Keychain databases, browser cookies, crypto wallets, SSH and cloud credentials — are archived and exfiltrated via direct upload, the Telegram Bot API and GoFile.io, while the RAT maintains persistence, clipboard monitoring and browser session cloning.

Chrome Extensions Turn Malicious After Ownership Transfer

🔒 Two Google Chrome extensions were modified following apparent ownership transfers, allowing attackers to remotely deliver JavaScript payloads, inject code, and harvest sensitive data from users. The affected extensions — QuickLens (~7,000 users) and ShotBird (~800 users) — changed owners in early 2026 and began polling C2 servers for runtime payloads. The update to QuickLens stripped security headers to bypass cross-origin protections, while ShotBird used a fake Chrome-update lure to pivot from browser compromise to host-level execution. Users should remove these extensions and audit their browsers, and enterprises should treat extensions as a supply-chain risk.

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed exercise.

Microsoft: Hackers Using AI at Every Stage of Attacks

🤖 Microsoft’s Threat Intelligence report warns that threat actors are increasingly using generative AI across all stages of cyberattacks to accelerate execution and lower technical barriers. Attackers employ models to draft phishing lures, generate realistic fake identities and resumes, produce or debug malware, and scaffold infrastructure. Groups like Jasper Sleet and Coral Sleet have used AI in remote IT worker schemes, while operators test jailbreaking and agentic techniques. Microsoft advises treating these campaigns as insider risks and strengthening identity controls, credential monitoring, and protections around AI systems.

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.

Transparent Tribe Mass-Produces AI-Assisted Malware

⚠️ Bitdefender reveals that the Pakistan-aligned actor Transparent Tribe (APT36) has adopted AI-assisted coding to mass-produce disposable malware implants using niche languages like Nim, Zig, Crystal and Rust. The campaign targets Indian government entities and embassies while abusing trusted platforms such as Slack, Discord, Supabase, Google Sheets and Firebase to hide C2. Phishing via ZIP/ISO attachments or PDF lures delivers LNK shortcuts that run PowerShell in memory and fetch backdoors, often followed by deployment of Cobalt Strike and Havoc for post-compromise activity.

Fake Claude Code install guides push InstallFix attacks

🛡️ Researchers at Push Security detail an InstallFix scheme that clones legitimate CLI install pages to trick users into running malicious 'curl-to-bash' and PowerShell commands. A mirrored Claude Code documentation page was found delivering encoded download commands that launch mshta.exe and related processes to retrieve a binary. The active payload is Amatera, an info-stealer sold as a MaaS, and the phony pages are being promoted through Google Ads and hosted on legitimate platforms, increasing their evasiveness.

Multi-stage VOID#GEIST malware delivers multiple RATs

🔍 Securonix Threat Research has disclosed a multi-stage campaign named VOID#GEIST that leverages obfuscated batch scripts to stage a portable Python runtime and deploy encrypted RAT payloads including XWorm, AsyncRAT, and Xeno RAT. The chain retrieves ZIP archives from a TryCloudflare domain, extracts a Python loader (runn.py) and encrypted shellcode blobs, then decrypts and injects them directly into separate explorer.exe processes using Early Bird APC injection. The initial stage displays a decoy PDF while a hidden PowerShell relaunches the batch, and persistence is established at the user level via an auxiliary script placed in the Startup folder to minimize forensic artifacts.

Targeted Online Ads Emerging as Primary Malware Vector

🛡️ The Media Trust reports that online advertisements are increasingly exploited to deliver malware, and malvertising now surpasses email and direct hacks as the leading global delivery vector. Millions of infected creatives or scripts can propagate across publishers in seconds, and attackers are leveraging AI to produce adaptive malware that changes by location, browser, or device. Notable examples include Ghost Cat, Click Fix and SocGholish, while the company warns of emerging AI-assisted evasion and the abuse of adtech infrastructure.

China-linked APT Targets South American Telecoms Networks

🛰️ Cisco Talos says a China-linked APT tracked as UAT-9244 has been targeting critical South American telecommunications since 2024, deploying three undocumented implants: TernDoor for Windows, PeerTime for Linux, and BruteEntry on edge devices. TernDoor uses DLL side-loading via wsprint.exe and a rogue BugSplatRc64.dll to execute payloads in memory and embed a driver to control processes. PeerTime is a multi-architecture P2P backdoor (ARM, AARCH64, PPC, MIPS) that uses BitTorrent for C2 and comes in C/C++ and Rust builds, while BruteEntry turns compromised edge hardware into brute-force proxy nodes targeting Postgres, SSH and Tomcat.

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex‑encoded, XOR‑compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run‑dialog detection. The decoded chain downloads a ZIP and a renamed 7‑Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.

Chinese State Hackers Target Telcos with New Malware Toolkit

🛡️ Cisco Talos researchers report that a China-linked APT cluster tracked as UAT-9244 has been targeting telecommunication providers in South America since 2024, compromising Windows, Linux, and network-edge devices. The campaign uses three previously undocumented malware families: TernDoor (Windows backdoor), PeerTime (ELF BitTorrent-based Linux backdoor), and BruteEntry (brute-force scanner and proxy builder). Talos published a technical report with capabilities, deployment methods, persistence techniques, and IoCs for detection and mitigation.

Bing AI Promoted Fake OpenClaw GitHub Installers and Malware

⚠️ Researchers at Huntress found that Microsoft Bing’s AI-enhanced search suggested malicious GitHub repositories posing as installers for OpenClaw, instructing users to run commands that deployed information-stealing and proxy malware. The fake repos were tied to newly created GitHub accounts and mimicked legitimate projects to appear trustworthy. Windows and macOS installers delivered Rust-based loaders, the Atomic Stealer family, Vidar, and a GhostSocks backconnect proxy. Huntress reported the repositories to GitHub and recommends using official project portals and bookmarked download sources rather than search results.

Wikipedia hit by self-propagating JavaScript worm

🛡️ The Wikimedia Foundation experienced a security incident after a self‑propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. The malicious code, traced to a user script User:Ololoshka562/test.js uploaded in March 2024, injected loaders into both user-level and global MediaWiki:Common.js. Engineers temporarily restricted editing, reverted malicious edits, rolled back affected user scripts, and removed the injected code, but a full post‑incident report has not yet been published.

ThreatsDay Bulletin: Emerging Campaigns and Policy Shifts

📰 This ThreatsDay bulletin summarizes a fast-moving week of cyber activity, covering phishing, malware, large-scale scraping, privacy actions, and research that changes operational risk. Notable items include a CERT-UA–reported phishing campaign delivering SHADOWSNIFF, SALATSTEALER, and a Go backdoor; a DDR5 scraping operation used for scalping RAM inventory; and a new Chrome two‑week release cadence. The update also highlights regulatory action against Reddit and privacy steps by Samsung.

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.

Multi-Stage BadPaw Malware Campaign Targets Ukraine

🐾 ClearSky researchers uncovered a multi-stage malware campaign named BadPaw that leverages emails from the Ukrainian provider ukr.net to lure recipients to a ZIP download. The archive contains an HTA disguised as HTML that displays a decoy document while launching hidden components. BadPaw checks system age to evade sandboxes, extracts payloads, and uses a scheduled task plus steganography to persist. A staged C2 flow ultimately deploys a multi-layered backdoor, MeowMeowProgram.exe, with low AV detection.