CISO Brief

All news with #malware tag

810 articles · page 16 of 41

OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.
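A worked decoder for the kind of C2 encoding described above, added here as an example rather than code from the OysterLoader analysis. It remaps a non-standard Base64 table back to the standard one and brute-forces a per-message shift until the result parses as a JSON object. The custom table (`CUSTOM`), the assumption that the shift is a rotation of that table, and the beacon contents are all constructed for the example; the real OysterLoader alphabet and shift mechanism are not reproduced.

```python
import base64
import json
import string

# Standard Base64 table. CUSTOM is a stand-in permutation (even positions, then
# odd positions), NOT the real OysterLoader table.
STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM = STD[0::2] + STD[1::2]


def rotate(alphabet: str, shift: int) -> str:
    """Rotate a 64-symbol table by `shift` positions. The per-message shift is
    assumed (for this example) to be applied as a rotation of the table."""
    shift %= 64
    return alphabet[shift:] + alphabet[:shift]


def encode(payload: bytes, alphabet: str, shift: int) -> str:
    """Standard Base64, then each symbol remapped into the rotated custom table.
    Padding '=' is not in either table and passes through unchanged."""
    table = str.maketrans(STD, rotate(alphabet, shift))
    return base64.b64encode(payload).decode("ascii").translate(table)


def decode(msg: str, alphabet: str, shift: int) -> bytes:
    """Inverse of encode(): map symbols back to the standard table, then decode."""
    table = str.maketrans(rotate(alphabet, shift), STD)
    return base64.b64decode(msg.translate(table), validate=True)


def recover_json(msg: str, alphabet: str):
    """Try all 64 rotations; only the right one yields UTF-8 that parses as a JSON
    object. Returns (shift, obj) or None if the alphabet hypothesis is wrong."""
    for shift in range(64):
        try:
            obj = json.loads(decode(msg, alphabet, shift).decode("utf-8"))
        except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
            continue
        if isinstance(obj, dict):
            return shift, obj
    return None


# Constructed beacon, not captured OysterLoader traffic.
BEACON = {"id": "A1B2C3", "cmd": "ping", "ver": 3}
SAMPLE_SHIFT = 17
SAMPLE_MSG = encode(json.dumps(BEACON, separators=(",", ":")).encode(), CUSTOM, SAMPLE_SHIFT)

if __name__ == "__main__":
    print(SAMPLE_MSG)
    print(recover_json(SAMPLE_MSG, CUSTOM))
```

With a message pulled from a capture and a table recovered from the loader's decompressed stage, `recover_json()` tries every rotation; if nothing parses, the shift is applied some other way (for instance to the bytes before encoding) and the loop needs a different hypothesis rather than more iterations.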

Weekly Recap: Add-in Hijack, Zero-Days, and Cloud Abuse

🔒 This weekly recap shows how small, trusted gaps are becoming major entry points — from a hijacked Outlook add-in (AgreeTo) turned into a phishing kit that stole over 4,000 Microsoft credentials to multiple actively exploited zero-days in Chrome and Apple platforms. It also covers a critical BeyondTrust RCE under active exploitation, new Linux botnet activity abusing SSH, and cloud-focused campaigns targeting exposed Docker, Kubernetes, and Redis instances. Attackers are combining legacy techniques, cloud misconfigurations, and AI assistance to scale access and persistence.

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.
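The matching step behind the method described above, as an added example that is not the researcher's tooling: given the URLs visited during a simulated browsing session and the bodies of the extensions' outbound requests, peel the obfuscation layers named in the report (ROT47, Base64, zlib, Base64-then-zlib) and report any body in which a visited URL reappears. The visited URLs and the three request bodies are constructed inline; strong encryption, also mentioned in the report, cannot be undone this way and is out of scope here.

```python
import base64
import binascii
import json
import zlib


def rot47(text: str) -> str:
    """ROT47 rotates printable ASCII 33..126 by 47 positions; it is its own inverse."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)


def candidate_plaintexts(body: bytes):
    """Yield (layer, bytes) for the raw body and each de-obfuscation attempt.
    Layers that do not apply to this body are skipped silently."""
    yield "raw", body
    yield "rot47", rot47(body.decode("latin-1")).encode("latin-1")
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if decoded:
        yield "base64", decoded
        try:
            yield "base64+zlib", zlib.decompress(decoded)
        except zlib.error:
            pass
    try:
        yield "zlib", zlib.decompress(body)
    except zlib.error:
        pass


def find_leaked_urls(visited, bodies):
    """Map body index -> {'layer', 'urls'} for each outbound body that contains a
    visited URL under some layer. The first layer that matches is reported."""
    hits = {}
    for i, body in enumerate(bodies):
        for layer, plain in candidate_plaintexts(body):
            found = [u for u in visited if u.encode() in plain]
            if found:
                hits[i] = {"layer": layer, "urls": found}
                break
    return hits


# Constructed simulated-browsing session and captured request bodies.
VISITED = ["https://intranet.corp.example/hr/payroll?emp=1042", "https://www.example.org/"]
BODIES = [
    rot47(json.dumps({"u": VISITED[0], "t": 1700000000})).encode("latin-1"),  # ROT47 JSON
    base64.b64encode(zlib.compress(("url=" + VISITED[0]).encode())),         # base64(zlib)
    b'{"event":"heartbeat","ver":"2.1"}',                                     # benign
]

if __name__ == "__main__":
    print(find_leaked_urls(VISITED, BODIES))
```

Internal hostnames work as matches as well as full URLs; in a corporate test, seed the visited list with a few unique intranet paths so that a hit cannot be explained by a public page the extension might legitimately fetch.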

ZeroDayRAT: Commercial Mobile Spyware Targets Android, iOS

🕵️‍♂️ ZeroDayRAT is a commercial mobile spyware platform advertised on Telegram that enables extensive data collection and real-time surveillance on Android and iOS devices. The developer offers a builder to generate malicious binaries and an online or self-hosted control panel that exposes device metadata, GPS location history, accounts and notification previews. Operators can capture keystrokes, SMS (including OTPs), live camera and microphone streams, and perform hands-on remote operations. Additional modules swap clipboard crypto addresses and target mobile payment apps to facilitate direct financial theft.

Google Groups Used to Deliver Lumma Stealer & Ninja Browser

🔒 CTM360 reports attackers are abusing Google Groups and Google-hosted redirectors to distribute credential-stealing malware, leveraging over 4,000 malicious groups and 3,500 hosted URLs to target organizations worldwide. The campaign uses industry-focused posts and shortened or Docs/Drive redirect links to lure victims and deliver OS-specific payloads. On Windows, victims receive a padded archive that reconstructs an AutoIt-based loader and a memory-resident Lumma infostealer; on Linux, users are served a trojanized Chromium-branded "Ninja Browser" with covert extensions and silent persistence. CTM360 advises inspecting redirect chains, blocking IoCs, auditing browser extensions, and monitoring scheduled tasks and endpoint activity.

QR Codes as an Attack Vector: Phishing, Deep Links

🔐 Unit 42 investigates the rising misuse of QR codes for phishing, in‑app deep‑link exploitation, and direct distribution of malicious Android APKs. Their telemetry shows an average of over 11,000 malicious QR-code detections per day, driven by tactics that mask destinations and exploit mobile app behavior. The report highlights QR shorteners, custom deep links, and APK hosting as key evasive techniques and recommends user education plus deployment of decoding and filtering controls such as Advanced URL Filtering and Prisma Browser to improve visibility and block threats.

Fake recruiter campaign hides RAT in dev coding tests

⚠️ A new variant of a fake recruiter campaign attributed to North Korean actors is targeting JavaScript and Python developers with cryptocurrency-themed coding tasks. Attackers publish seemingly legitimate job projects and embed malicious dependencies on npm and PyPI that install a remote access trojan reported as Graphalgo. The operation is modular and resilient, with 192 malicious packages identified and tactics such as delayed activation and token‑protected command channels. Affected developers are advised to rotate tokens and passwords and to reinstall compromised systems.

Claude LLM artifacts abused to deliver Mac infostealers

⚠️ Threat actors are abusing public Claude artifacts and manipulated Google Search results to trick macOS users into running malicious Terminal commands. These commands download and execute a loader that installs the MacSync infostealer, which harvests keychain data, browser credentials, and crypto wallets, then exfiltrates the data to a hardcoded command-and-control server. Researchers warn users not to run unverified shell commands and to verify safety before executing them.

UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit—built in Zig, C, and Go—supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement, and evidence suggests a Windows implant and role-based access controls are present.

Unzipping the Threat: Blocking Malware in ZIP Files

🔐 Attackers are increasingly embedding malware inside password-protected ZIP archives and splitting the delivery chain: the archive arrives by email while the password is sent out-of-band (SMS or messaging apps). Traditional scanners cannot open these encrypted attachments. Threat Emulation capabilities can now inspect and block malicious ZIP files without requiring the password, closing the delivery gap and removing the need for an analyst to obtain the password manually before the attachment can be judged.
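What a gateway can learn from an encrypted ZIP without its password, as an added example that is not the vendor's Threat Emulation code: both ZipCrypto and WinZip AES leave the central directory in clear, so entry names, uncompressed sizes and (for ZipCrypto) the CRC-32 of the plaintext are readable before any password is known. The Python below builds an encrypted-flag archive in memory (a minimal STORED ZIP with dummy ciphertext, because the standard library can read but not write encrypted archives) and triages it on metadata alone. The risky-extension list and the "known sample" CRC/size set are constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions that should not arrive from outside inside an archive we cannot open.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".ps1", ".hta", ".iso", ".img", ".zip"}
DOS_DATE = ((2026 - 1980) << 9) | (1 << 5) | 1   # 2026-01-01 in MS-DOS date format


def build_zip(entries, encrypted: bool) -> bytes:
    """Write a minimal STORED (method 0) ZIP. With encrypted=True, general-purpose
    bit 0 is set and the entry data is replaced by dummy bytes of the length ZipCrypto
    would produce (plaintext + 12-byte header). The CRC-32 of the *plaintext* is still
    written in clear in both headers, as the format requires."""
    local_parts, central_parts, offset = [], [], 0
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags = 0x0001 if encrypted else 0
        body = b"\xAA" * (len(data) + 12) if encrypted else data
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                            crc, len(body), len(data), len(name_b), 0) + name_b + body
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, DOS_DATE,
                              crc, len(body), len(data), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


# Constructed "previously seen sample": its (CRC-32, size) pair can be matched against
# the clear-text headers of an encrypted archive.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed stand-in for a previously seen dropper"
KNOWN_BAD = {(zlib.crc32(KNOWN_SAMPLE) & 0xFFFFFFFF, len(KNOWN_SAMPLE))}


def triage(zip_bytes: bytes):
    """Read only the central directory (no password needed) and describe each entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),
                "size": info.file_size,
                "crc32": info.CRC,
                "risky_ext": ext in RISKY_EXT,
                "known_sample": (info.CRC, info.file_size) in KNOWN_BAD,
            })
    return findings


def verdict(findings) -> str:
    """block: an encrypted entry has a risky extension or a known CRC/size;
    review: encrypted entries with no other signal; allow: nothing encrypted."""
    enc = [f for f in findings if f["encrypted"]]
    if any(f["risky_ext"] or f["known_sample"] for f in enc):
        return "block"
    return "review" if enc else "allow"


SAMPLE_ZIP = build_zip([("Invoice_2026.pdf.exe", KNOWN_SAMPLE), ("readme.txt", b"open the invoice")],
                       encrypted=True)

if __name__ == "__main__":
    for f in triage(SAMPLE_ZIP):
        print(f)
    print(verdict(triage(SAMPLE_ZIP)))
```

Two caveats a practitioner should keep in mind: WinZip AES entries (compression method 99) in the AE-2 variant store a zero CRC, so the CRC match applies only to ZipCrypto and AE-1, while names and sizes stay readable in all three; and anything nested inside an encrypted entry is invisible, which is why a nested `.zip` is itself treated as a signal rather than something to look through.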

Malicious Chrome Extensions Exfiltrate Business Data

🔒 Researchers uncovered multiple malicious Chrome extensions that exfiltrate sensitive data from business and social media accounts, including a Meta‑focused add‑on named CL Suite that steals TOTP seeds, one‑time codes and Business Manager exports. Other campaigns detailed include a large‑scale VK Styles hijack of VKontakte accounts and the AiFrame cluster of AI‑themed add‑ons that siphon emails and page content. A Q Continuum study also found hundreds of extensions leaking browsing history to data brokers. Experts recommend strict extension controls, frequent audits, and allowlisting to reduce risk.

Fake AI Chrome Extensions Steal Credentials and Spy

🛡️ Over 260,000 Google Chrome users downloaded fake AI assistant extensions that delivered malicious functionality capable of harvesting credentials, monitoring Gmail and granting remote access to attackers. Researchers at LayerX identified more than 30 malicious extensions—collectively labeled AiFrame—many of which mimicked ChatGPT, Claude, Grok and Gemini and were even featured in the Chrome Web Store, increasing exposure. The campaign used "extension spraying" and a full‑screen iframe that loads remote content to evade detection and exfiltrate data; although many extensions have been removed, affected users remain at risk.

Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.
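A minimal parser for the fields the research above manipulates, as an added example that is neither lnk-it-up nor Microsoft code: it walks the ShellLinkHeader, LinkTargetIDList, StringData and ExtraData per MS-SHLLINK, extracts the EnvironmentVariableDataBlock target, and flags a shortcut whose launched program disagrees with the Explorer-visible target, an interpreter target carrying arguments, or forbidden path characters in any target string. The sample shortcuts are constructed in memory with synthetic IDList items (bare UTF-16 strings, not real shell items), so the "strings pass" over the IDList is a stand-in for full shell-item parsing, and the interpreter list is the example's own.

```python
import ntpath
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, HAS_EXPSTRING = 0x1, 0x2, 0x80, 0x200  # LinkFlags (2.1.1)
STRING_FIELDS = ((0x4, "NAME"), (0x8, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                 (0x20, "ARGUMENTS"), (0x40, "ICON_LOCATION"))                 # StringData order (2.3)
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314                   # EnvironmentVariableDataBlock (2.5.4)
FORBIDDEN = set('<>"|?*')                                           # never valid in a Windows file name
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def build_lnk(idlist_strings, relative_path, arguments, env_target) -> bytes:
    """Construct a minimal Unicode .lnk for testing. IDList items are synthetic
    (UTF-16 strings, not real shell items); the rest follows the spec layout."""
    flags, body = IS_UNICODE, b""
    if idlist_strings:
        flags |= HAS_IDLIST
        items = b"".join(struct.pack("<H", 4 + 2 * len(s)) + s.encode("utf-16-le") + b"\0\0"
                         for s in idlist_strings) + b"\0\0"           # ItemIDs + TerminalID
        body += struct.pack("<H", len(items)) + items                  # IDListSize + IDList
    for bit, value in ((0x8, relative_path), (0x20, arguments)):
        if value:                                                       # CountCharacters + chars
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    if env_target:
        flags |= HAS_EXPSTRING
        body += (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
                 + env_target.encode("cp1252").ljust(260, b"\0")        # TargetAnsi
                 + env_target.encode("utf-16-le").ljust(520, b"\0"))    # TargetUnicode
    body += b"\0\0\0\0"                                                 # TerminalBlock
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)                  # times, size, icon, SW_SHOWNORMAL
    return header + body


def parse_lnk(blob: bytes) -> dict:
    """Header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData; collect
    every field that names a target."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    pos, out = 0x4C, {"idlist_strings": [], "strings": {}, "env_target": None}
    if flags & HAS_IDLIST:
        (n,) = struct.unpack_from("<H", blob, pos)
        idlist, pos, p = blob[pos + 2:pos + 2 + n], pos + 2 + n, 0
        while p + 2 <= len(idlist):                     # crude strings pass over ItemIDs
            (sz,) = struct.unpack_from("<H", idlist, p)
            if sz < 2:
                break
            s = idlist[p + 2:p + sz].decode("utf-16-le", "replace").rstrip("\0")
            if s and s.isprintable():
                out["idlist_strings"].append(s)
            p += sz
    if flags & HAS_LINKINFO:                             # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (n,) = struct.unpack_from("<H", blob, pos)
            raw = blob[pos + 2:pos + 2 + n * width]
            out["strings"][name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while pos + 8 <= len(blob):                          # ExtraData, terminated by BlockSize < 4
        size, sig = struct.unpack_from("<II", blob, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG and size == ENV_BLOCK_SIZE:
            uni = blob[pos + 8 + 260:pos + 8 + 260 + 520]
            out["env_target"] = uni.decode("utf-16-le").split("\0", 1)[0]
        pos += size
    return out


def assess(report: dict) -> list:
    """Heuristics: env-block target vs. Explorer-visible target, interpreter with
    arguments, forbidden path characters in any target string."""
    findings = []
    displayed = [s for s in report["idlist_strings"] + [report["strings"].get("RELATIVE_PATH", "")] if s]
    bases = {ntpath.basename(d).lower() for d in displayed}
    env = report["env_target"]
    if env:
        env_base = ntpath.basename(env).lower()
        if bases and env_base not in bases:
            findings.append(f"env block launches {env!r} but visible target(s) are {sorted(bases)}")
        if env_base in INTERPRETERS and report["strings"].get("ARGUMENTS"):
            findings.append(f"interpreter {env_base} with arguments {report['strings']['ARGUMENTS']!r}")
    for s in displayed + ([env] if env else []):
        if set(s) & FORBIDDEN:
            findings.append(f"forbidden path characters in {s!r}")
    return findings


# Constructed samples: a spoofed shortcut and a benign one (not lnk-it-up output).
SPOOFED = build_lnk(["C:\\Users\\Public\\invoice.pdf"], ".\\invoice.pdf", '-w hidden -c "echo demo"',
                    "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
BENIGN = build_lnk(["C:\\Users\\Public\\invoice.pdf"], ".\\invoice.pdf", "", "C:\\Users\\Public\\invoice.pdf")
```

Run `assess(parse_lnk(open(path, "rb").read()))` over a downloaded `.lnk` to get the findings list; an empty list means the three fields agree, not that the shortcut is safe, since a real IDList needs proper shell-item parsing to recover the path Explorer shows.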

Lazarus Group plants malicious packages in npm and PyPI

🔴 ReversingLabs attributes a coordinated supply-chain campaign, codenamed graphalgo, to the North Korea–linked Lazarus Group, active since May 2025. Attackers set up a fake recruiting front (Veltrix Capital), staged GitHub coding assessments in Python and JavaScript, and published dozens of malicious dependencies to npm and PyPI to infect candidates. One npm package, bigmathutils, accrued over 10,000 downloads before a malicious update; the payload delivers a token-based RAT that performs reconnaissance and file operations. Researchers also disclosed separate npm threats — duer-js (Bada Stealer) and the extortionist XPACK ATTACK — and urge auditing dependencies and verifying package provenance.

AMOS Infostealer Targets macOS via AI App Supply Chain

🔒 Flare and other researchers describe the AMOS macOS infostealer and its use of AI-focused distribution channels to harvest credentials and crypto data. Recent ClawHavoc activity shows attackers poisoning the popular OpenClaw skill marketplace to bundle AMOS into seemingly legitimate add-ons. Campaigns also abused search-engine SEO, fraudulent GitHub repositories, and one-line Terminal installers, enabling rapid credential and session theft at scale.

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.

World Leaks Adds Stealthy RustyRocket Malware to Arsenal

🔐 Accenture has uncovered a novel malware named RustyRocket deployed by the World Leaks extortion group to maintain stealthy persistence and proxy exfiltration across Windows and Linux environments. Written in Rust, the tool uses multi-layer encrypted tunnels, heavy obfuscation and a pre-encrypted runtime configuration guardrail that makes activity difficult to detect and monitor. Accenture advises monitoring anomalous outbound transfers and enforcing network segmentation to limit lateral movement.

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.

North Korean actors use ClickFix and macOS backdoors

🔐 UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.