< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 15 of 45

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time‑zone checks to profile victims.
read more →

AppsFlyer Web SDK Temporarily Hijacked to Steal Crypto

🛡️ The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated JavaScript that intercepts cryptocurrency wallet inputs and replaces them with attacker-controlled addresses, diverting funds. Profero researchers identified the malicious payload being served from websdk.appsflyer.com between March 9 and March 11. AppsFlyer says the mobile SDK was not affected, the incident has been contained, and an investigation with external forensics is ongoing.
read more →

GlassWorm Escalates via 72 Malicious Open VSX Extensions

🔒 Cybersecurity researchers have identified a significant escalation in the GlassWorm campaign, which has abused at least 72 extensions in the Open VSX registry to target developers, Socket reports. The actor leverages extensionPack and extensionDependencies to turn benign-looking extensions into transitive delivery vehicles that install malicious packages after trust is established. The malicious listings impersonated common developer tools and used heavier obfuscation, invisible Unicode characters, Solana transactions as dead drops, and rotating wallets to evade detection. Open VSX has removed the flagged extensions while vendors and researchers continue their analysis.
read more →

FBI Seeks Victims After Malware-Embedded Games on Steam

🎮 The FBI's Seattle Division is seeking information from gamers who installed Steam titles later found to contain malware between May 2024 and January 2026. Identified titles include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The agency's questionnaire targets cryptocurrency theft and account hijacking and requests transaction details, compromised account information, and screenshots of communications to help trace stolen funds and those who distributed the malware.
read more →

FBI Warns on Residential Proxy Abuse Targeting Devices

🔒 The FBI has issued guidance warning organizations and consumers about the growing use of residential proxies by cybercriminals, which reroute traffic through compromised home devices to mask malicious activity. By taking over IoT devices, smartphones, and home routers, attackers can make illegal traffic appear to originate from legitimate residential connections. The FBI recommends timely patching, strict device policies, network segmentation, blocking IPs tied to residential proxy networks, and stronger firewall rules to mitigate risk.
read more →

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.
read more →

New ClickFix Variant Uses WebDAV and Trojanized Electron App

🔎 Atos researchers disclosed a ClickFix variation that leverages the Run dialog to execute a 'net use' command, map a remote WebDAV share, and run a hosted batch file. The chain downloads a ZIP that unpacks a trojanized WorkFlowy Electron app whose app.asar contains an obfuscated main.js acting as a persistent C2 beacon and dropper. The campaign evaded Microsoft Defender for Endpoint and was detected through targeted hunting of RunMRU registry activity.
read more →

AI-Generated Slopoly Backdoor Used in Interlock Attack

🔒 A PowerShell backdoor called Slopoly, likely generated with an LLM, was used in an Interlock ransomware intrusion that allowed attackers to persist on a compromised server for over a week and exfiltrate data. IBM X-Force observed developer-style comments, structured logging, clear variable names, and robust error handling that suggest AI-assisted creation. Deployed to C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly beacons to a C2 endpoint, polls for commands, executes them via cmd.exe, and establishes persistence as a scheduled task.
read more →

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.
read more →

Hive0163 Deploys AI-Assisted Slopoly in Ransomware Ops

🛡️ IBM X-Force researchers have linked a PowerShell backdoor called Slopoly to financially motivated group Hive0163 and report indicators that portions of the script were likely produced with a large language model. The builder-delivered payload establishes persistence via a scheduled task named Runtime Broker and was used to maintain access for more than a week in a 2026 ransomware incident. Slopoly beacons system details every 30 seconds, polls for commands every 50 seconds, executes via cmd.exe and returns results to a C2 server. Although the script lacks true self-modifying polymorphism, its comments, logging and naming conventions demonstrate how AI can accelerate malware development.
read more →

U.S., Europe Disrupt SocksEscort Linux Proxy Network

🛡️ U.S. and European law enforcement, assisted by Lumen’s Black Lotus Labs and private partners, disrupted the SocksEscort proxy network that relied on Linux-targeting AVRecon malware to compromise edge devices. The takedown seized domains and servers, froze about $3.5 million in cryptocurrency, and disconnected listed infected routers from the service. Authorities say SocksEscort sold access to hundreds of thousands of IPs and was tied to multimillion-dollar frauds. Investigations and remediation efforts continue.
read more →

PixRevolution Trojan Hijacks Brazil's PIX Transfers

🔒 PixRevolution is an Android banking trojan uncovered by Zimperium that silently monitors devices and redirects funds during Brazil's PIX instant payments. It abuses Android accessibility permissions to stream screens to an attacker-controlled server, detects payment activity, and replaces recipient keys while displaying a fake loading overlay. The campaign relies on an agent-in-the-loop model with human operators intervening in near real time and spreads via fraudulent download pages impersonating legitimate Brazilian apps.
read more →

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.
read more →

PhantomRaven resurfaces on npm with 88 malicious packages

🛡️ Endor Labs has identified 88 additional malicious npm packages tied to the PhantomRaven supply-chain campaign, published between November 2025 and February 2026, with 81 still live and two active C2 servers. The operation uses Remote Dynamic Dependencies (RDD) to fetch credential-stealing payloads from attacker-controlled URLs during npm install. The payload harvests developer and CI/CD credentials and exfiltrates data via HTTP and WebSocket channels, while attackers rotate accounts, domains, and package metadata to evade takedowns.
read more →

North Korean Fake IT Worker Tradecraft Revealed 2026

🔍 GitLab research outlines a North Korean campaign that impersonated recruiters in the 'Contagious Interview' scheme and resulted in the banning of 131 attributed accounts. Many GitLab projects served as obfuscated loaders for malware such as BeaverTail and Ottercookie, with payloads hosted outside repositories. Operators used consumer VPNs, VPSs and laptop farms and shifted to invite-only projects, NPM dependency abuse, sandbox detection and AI-generated personas to scale fake IT worker and freelance scams.
read more →

Six Android Malware Families Target Pix, Banking, Crypto

🛡️Researchers report six Android malware families targeting Pix payments, banking apps, and cryptocurrency wallets. The threats — including PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT — rely on fake Google Play Store pages, accessibility and MediaProjection abuse, screen overlays, and remote control to harvest credentials and hijack transfers. Campaigns use Firebase or custom TCP/9000 C2s, include miners or RAT payloads, and some samples experiment with large language model components to refine targeting.
read more →

Zombie ZIP attack evades AV and EDR by header abuse

🧟 Researchers disclosed a technique called 'Zombie ZIP' that manipulates ZIP headers to hide DEFLATE-compressed payloads so scanners treat them as uncompressed, producing widespread false negatives in antivirus and EDR tools. The author, Chris Aziz of Bombadil Systems, published proof-of-concept archives showing scanners trust the ZIP Method field and therefore scan raw bytes instead of compressed data. CERT/CC assigned CVE-2026-0866 and recommends stricter archive validation; end users should delete archives that raise 'unsupported method' or extraction errors.
read more →

Podcast: JavaScript Worm Wakes and $46M Crypto Theft

🐛 A dormant self‑propagating JavaScript worm that hadn't been active since 2024 was accidentally reawakened by a Wikipedia security engineer, briefly vandalising pages with giant woodpecker images. In a separate case, a contractor entrusted with US Marshals' seized cryptocurrency is accused of stealing about $46 million and allegedly boasted on a recorded Telegram call. Host Graham Cluley and guest Tricia Howard discuss these incidents alongside wider cybercrime takedowns and industry security lessons.
read more →

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.
read more →

PhantomRaven npm Campaign Steals Developer Data via 88 pkgs

🔒 Endor Labs identified a new PhantomRaven npm campaign wave that published 88 malicious packages across 50 disposable accounts, many using slopsquatting to mimic popular projects and names suggested by LLMs. The packages use Remote Dynamic Dependencies in package.json so malware is fetched from attacker-hosted URLs at install time, exfiltrating .gitconfig, .npmrc, environment variables and CI/CD tokens to C2 servers. Researchers note consistent EC2-hosted 'artifact' domains without TLS, an almost unchanged payload across waves, and 81 packages still available; developers should verify publishers and avoid unvetted AI suggestions.
read more →