< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 13 of 45

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.
read more →

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.
read more →

Microsoft Warns: WhatsApp-Delivered VBS Campaign Surfaces

⚠ Microsoft has alerted to a late-February 2026 campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files which trigger a multi-stage infection chain. According to Microsoft Defender, the scripts create hidden folders under C:\ProgramData, drop renamed Windows utilities (for example, curl.exe as netapi.dll and bitsadmin.exe as sc.exe), and retrieve secondary payloads from trusted cloud providers. Attackers then attempt UAC tampering, modify registry entries, and install unsigned MSI packages to secure persistence and remote access, with some installers deploying legitimate remote‑access tools.
read more →

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.
read more →

STARDUST CHOLLIMA Likely Compromises Axios npm Package

🔒 On March 31, 2026, threat actors used stolen maintainer credentials to compromise the widely used Axios npm package and distribute platform-specific variants of the ZshBucket implant. Observed samples target Linux, macOS and Windows and retain prior profiling and exfiltration behavior while adding a common JSON messaging protocol. The updated implants support binary injection, arbitrary script execution, file system enumeration and remote termination. CrowdStrike attributes the activity to STARDUST CHOLLIMA with moderate confidence based on ZshBucket linkage and infrastructure overlaps.
read more →

Axios supply-chain compromise adds malicious dependency

⚠️ Google Threat Intelligence Group (GTIG) observed a supply-chain attack on 2026-03-31 where attackers introduced a malicious dependency, plain-crypto-js, into legitimate axios releases (1.14.1 and 0.30.4). The package contains an obfuscated Node.js dropper (SILKBELL) that installs the multi-platform WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. GTIG attributes the activity to UNC1069 and publishes IOCs and remediation steps for affected developers and organizations.
read more →

Axios npm Account Compromised to Deliver Cross-Platform RATs

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.
read more →

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.
read more →

TrueConf Update Zero-Day Used to Deliver Malware at Scale

🛠️ Check Point Research identified a zero-day (CVE-2026-3502, CVSS 7.8) in the TrueConf client update mechanism that was abused to deliver malware via legitimate software updates. Exploitation was observed in the wild targeting government entities in Southeast Asia and required no phishing or prior compromise. The attack chain culminated with deployment of Havoc, a powerful post-exploitation framework, and the vendor released a remediation after disclosure.
read more →

Axios Supply Chain Attack Pushes Cross-Platform RAT

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.
read more →

RoadK1ll WebSocket Implant Enables Network Pivoting

🛡️ Blackpoint discovered a lightweight Node.js implant named RoadK1ll that uses an outbound WebSocket reverse tunnel to convert compromised hosts into relay points. It forwards TCP traffic on demand, supports multiple concurrent connections, and implements a small set of commands (CONNECT, DATA, CONNECTED, CLOSE, ERROR) to manage proxied sessions. RoadK1ll lacks traditional registry or scheduled-task persistence and runs only while its process remains active. Its stealthy outbound-only design helps attackers pivot to internal systems and bypass perimeter controls.
read more →

DeepLoad Loader Uses ClickFix Lure and WMI Persistence

🔒 ReliaQuest researchers detail a new malware loader, DeepLoad, distributed via an ClickFix social-engineering lure that tricks users into pasting PowerShell commands into the Windows Run dialog. The chain leverages mshta.exe to execute an obfuscated PowerShell loader that likely uses AI-assisted obfuscation and conceals its payload in a LockAppHost.exe process while disabling PowerShell history to reduce traces. DeepLoad compiles transient C# DLLs in Temp, uses APC injection to run shellcode in suspended trusted processes without writing decoded payloads to disk, steals browser credentials and sessions, drops a persistent malicious browser extension, copies itself to USB devices via deceptive shortcuts, and employs WMI event subscriptions to reinfect cleaned systems.
read more →

DeepLoad Malware Uses ClickFix and AI to Evade Detection

⚠️ DeepLoad is a newly detailed malware campaign combining the ClickFix social-engineering trick with AI-assisted code padding to hide credential-stealing payloads and evade file-based scanners. ReliaQuest, on March 30, warned the campaign targets enterprise accounts, hides inside the Windows lock screen process, and can persist via a WMI-based reactivation three days after removal. Researchers also observed USB propagation and recommend enabling PowerShell Script Block Logging, auditing WMI subscriptions, and changing affected user passwords.
read more →

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.
read more →

Infinity Stealer targets macOS using ClickFix and Nuitka

⚠️Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which boots a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.
read more →

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.
read more →

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.
read more →

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.
read more →

Suspected RedLine Infostealer Administrator Extradited

🔒 Hambardzum Minasyan, an Armenian national, was extradited to the United States and charged with helping administer the RedLine infostealer operation. U.S. prosecutors allege he registered virtual private servers, domains, a cryptocurrency account used for affiliate payments, and file-sharing repositories that distributed the malware. He is accused of managing command-and-control infrastructure, assisting affiliates, and conspiring to launder proceeds, and faces multiple federal counts with a potential prison term if convicted.
read more →

GitHub Phishing Uses Fake OpenClaw Tokens to Drain Wallets

🔒 Threat actors are exploiting interest in OpenClaw with a GitHub phishing campaign that lures developers with fake 'CLAW' token airdrops promising thousands of dollars. Attackers open issues, tag developers, and redirect victims to cloned sites that prompt users to connect their crypto wallets. Researchers at OX Security found obfuscated wallet‑stealing code and a C2 server used to collect addresses and drain funds. Recommended actions include blocking the phishing domain and revoking suspicious wallet approvals.
read more →