< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 14 of 45

WebRTC-based Payment Skimmer Bypasses CSP Protections

🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, effectively sidestepping Content Security Policy protections. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft.
read more →

Experts Warn of Browser Extensions Poaching AI Prompts

🛡️ Security researchers have warned of malicious Chrome extensions that silently monitor and exfiltrate users' AI chat content. According to Expel, extensions watch open tabs and capture prompts and responses via API interception or DOM scraping before sending the data to external servers. Attackers either impersonate popular tools or convert legitimate extensions into malicious ones after building a user base. Organisations are urged to block unvetted AI extensions and centrally manage and audit extension use.
read more →

Tax Search Ads Deliver ScreenConnect EDR Killer Campaign

⚠️ A large-scale malvertising campaign since January 2026 uses Google Ads to deliver rogue installers for ConnectWise ScreenConnect, ultimately installing a BYOVD EDR killer named HwAudKiller that disables security tools. The actor stacks commercial cloaking services (Adspect and JustCloakIt) and abuses a legitimately signed Huawei audio driver to terminate AV processes from kernel mode. Huntress observed over 60 malicious ScreenConnect sessions and multiple RMM backdoors, indicating pre-ransomware or initial access broker behavior.
read more →

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost campaign', that uses fabricated installation logs to conceal downloader behavior. Malicious packages impersonate legitimate installs—displaying fake dependency downloads, progress bars and random delays—and prompt users for their sudo password under false pretenses. That credential is then used to fetch and execute a final-stage remote access trojan capable of stealing crypto wallets and sensitive data; researchers advise verifying package authors, monitoring install scripts and avoiding sudo prompts during installs.
read more →

StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain called StoatWaffle that automatically executes when developers open and trust weaponized Visual Studio Code folders. The threat leverages a crafted .vscode/tasks.json with a runOn: folderOpen setting to trigger a Node.js-based loader, credential stealer and RAT without explicit user action. Operators attributed to WaterPlum are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.
read more →

FBI Links Handala Group to Targeted Spyware Campaign

🛡️ The FBI has attributed a sustained campaign of targeted malware and hack-and-leak operations to the Iranian-linked threat actor Handala, noting activity against dissidents, journalists and opposition groups dating to autumn 2023. The group claimed responsibility for a wiper attack on US medtech firm Stryker and used a multi-stage payload that disguises itself as legitimate Windows applications. Investigators observed social engineering lures, PowerShell-based evasion, and a Telegram-based command-and-control channel enabling remote access and data exfiltration, and urged standard hardening and reporting measures.
read more →

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.
read more →

CanisterWorm: npm Worm Spreads via Trivy Supply-Chain Attack

🛡️ The actors behind the Trivy supply-chain compromise are now suspected of seeding a self-propagating worm called CanisterWorm, which uses an ICP canister (Internet Computer blockchain smart contract) as a decentralized dead drop for command-and-control. The chain abuses an npm postinstall hook to drop a Python backdoor and establishes persistence via a masquerading systemd user service that restarts automatically. A new variant harvests local npm tokens during postinstall and launches an automated propagation routine, turning compromised developers and CI pipelines into unwitting distributors.
read more →

Apple Warns Older iPhones Vulnerable to Web Exploit Kits

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware via compromised sites. Apple says devices running the latest releases (iOS 15 through 26) are not affected, and has released targeted patches for legacy hardware. For devices that cannot be updated, Apple recommends specific interim updates and enabling Lockdown Mode to reduce exposure.
read more →

Speagle Malware Hijacks Cobra DocGuard in Targeted Campaign

🔒 Speagle is a newly identified malware that subverts the client and infrastructure of the legitimate document protection product Cobra DocGuard to harvest and exfiltrate sensitive information while masquerading as normal client-server traffic. Researchers at Symantec and Carbon Black (Broadcom) say the 32-bit .NET binary verifies the DocGuard installation, collects system and browser artefacts, and uses a compromised Cobra server for command-and-control and data theft. Tracked as Runningcrab, the activity appears narrowly targeted to environments running the security software and may stem from a supply-chain compromise; attribution remains unknown.
read more →

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.
read more →

Agentic Era: How AI Is Reshaping the Cyber Threat Landscape

🤖 Between January and February 2026, AI-assisted malware development matured from experimentation into operational capabilities that materially change attack economics. What once required coordinated teams can now be executed by a single experienced developer using an AI-powered IDE, accelerating weaponization, iteration, and delivery of attacks. Enterprise productivity and development tools have become enlarged attack surfaces, while automation and agentic workflows enable faster, more evasive intrusion chains. Defenders must shift toward behavior-based detection, robust telemetry, and secure development and supply chain controls.
read more →

Perseus Android Malware Harvests Secrets from Notes

🔐 Researchers at ThreatFabric have discovered a new Android malware family called Perseus that scans user note-taking apps to steal passwords, recovery phrases, and financial data. Distributed via sideloaded IPTV-themed apps, Perseus abuses Accessibility Services to gain full remote control, capture screenshots, and deploy overlays and keyloggers. The threat uses a dropper capable of bypassing Android 13+ sideloading restrictions and performs extensive anti-analysis checks before exfiltration. Users are advised to avoid sideloading APKs, keep Play Protect enabled, and install apps only from the Google Play Store.
read more →

Analyzing Current Use of AI in Malware: Unit 42 Report

⚠️ Unit 42 examines real-world instances where malware calls external LLMs for decision making or cosmetic effect. The researchers present two representative cases: a trio of obfuscated .NET infostealers that call OpenAI GPT-3.5-Turbo but largely perform "AI theater" by logging model outputs without functional integration, and a Go dropper that queries GPT-4 to gate Sliver payload execution. The report highlights detection opportunities and recommends Advanced Threat Prevention, Advanced WildFire, and Cortex XDR/XSIAM to monitor telemetry and IOCs.
read more →

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers—separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blogpost covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that driver-based attribution is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.
read more →

Vidar Stealer 2.0 Delivered via Fake Game Cheats on GitHub

🎮 Acronis TRU found hundreds of GitHub repositories posing as "free" game cheats that deliver the Vidar 2.0 infostealer, warning the true number of malicious repos could be in the thousands. Campaigns begin in game-focused Discord and Reddit communities and use PS2EXE-compiled PowerShell loaders to evade basic detections. Loaders add Windows Defender exclusions, fetch secondary payload URLs from Pastebin linking to GitHub-hosted binaries, and deploy a Themida-packed Vidar executable that establishes persistence via scheduled tasks. The payload then harvests credentials, tokens and files and exfiltrates them through C2 infrastructure masked by Telegram bots and Steam dead-drop resolvers.
read more →

GlassWorm Compromise Hits 400+ Repos Across Platforms

🪲 The GlassWorm supply‑chain campaign has resurfaced, compromising 433 packages, repositories, and extensions across GitHub, npm, and VSCode/OpenVSX. Researchers from Aikido, Socket, Step Security and the OpenSourceMalware community link the activity to a single actor using the same Solana address, identical payloads, and shared infrastructure. Malicious commits employ invisible Unicode to hide obfuscated JavaScript that polls the Solana blockchain for memos and downloads a Node.js runtime to execute an information stealer; developers should search for the marker lzcdrtfxyqiplpd and inspect for persistence artefacts.
read more →

GlassWorm offshoot ForceMemo injects malware in Python repos

🧬 Security researchers say a GlassWorm offshoot, tracked as ForceMemo, uses stolen GitHub tokens to inject obfuscated malware into hundreds of Python repositories by appending code to entry files like setup.py, main.py, and app.py. Attackers steal tokens via malicious VS Code and Cursor extensions, then rebase and force-push rewritten commits to preserve author metadata and hide traces. The appended payload uses a Solana transaction memo to fetch additional payloads and includes locale checks that skip execution on Russian-language systems. Downstream users who pip install or run compromised projects risk executing encrypted JavaScript that can steal cryptocurrency and sensitive data.
read more →

GlassWorm Abuses Open VSX Extension Dependencies Campaign

🐛 Researchers at Socket say attackers are abusing dependency relationships in the Open VSX registry to deliver a loader linked to GlassWorm. Since Jan 31, 2026, Socket identified at least 72 malicious listings that pose as developer utilities and later add dependencies to fetch payload extensions. By using VS Code features like extensionPack and extensionDependencies, threat actors turn trusted-looking extensions into transitive delivery vehicles during updates. Mitigations include auditing extension dependencies, monitoring updates, and restricting installs to trusted publishers.
read more →

FBI Seeks Help from Gamers Over Steam Malware Campaign

🕵️ The FBI’s Seattle Division is asking gamers who unintentionally downloaded malware via the Steam platform to assist an ongoing investigation into a campaign active between May 2024 and January 2026. Investigators say several titles — including BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova — have been identified as distribution points and are requesting affected users complete a short questionnaire. The FBI is collecting information on pre- and post-download communications, financial losses, and crypto wallet or bank account details; responses are voluntary, may result in follow-up contact, and victims’ identities will be kept confidential.
read more →