
All news with #malware tag

810 articles · page 17 of 41

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk on IPFS that mounts locally and contains a Windows Script File (WSF) masquerading as a PDF; opening it executes AsyncRAT and grants remote access. Organizations should configure Windows to show file extensions and treat gateway-hosted files with caution.

VoidLink: Modular Linux Implant Framework Rising Activity

🛡️ Cisco Talos describes VoidLink as a modular implant management framework focused on Linux, providing advanced persistence, evasion, and plugin-based extensibility. The framework implements RBAC, mesh P2P communications, compile-on-demand plugins, and kernel-level components to hide implants and C2 infrastructure. Talos attributes VoidLink use to an actor tracked as UAT-9921, notes rapid AI-assisted development, and highlights cloud-aware scanning and broad targeting.

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.

Malicious 7-Zip Clone Distributes Installer with Proxyware

🔒 A fake 7-Zip website (7zip[.]com) distributes a trojanized installer that installs the legitimate archiver along with proxyware that enrolls infected hosts as residential proxy nodes. The installer drops Uphero.exe, hero.exe and hero.dll, creates a SYSTEM service and modifies firewall rules. Malwarebytes found C2 domains using Cloudflare, TLS and DoH, and recommends obtaining software from official sites instead of following links from videos or search ads.

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files exploit hidden extensions and copied Windows icons to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.

NCSC Warns CNI Operators of Severe Cyber-Attacks Now

⚠️ The NCSC has issued an urgent alert to critical national infrastructure (CNI) providers after December's coordinated malware attacks against Poland's energy sector, urging operators to act now to defend UK assets. Director Jonathan Ellison stressed the need to follow recent NCSC guidance on monitoring, situational awareness and hardening network defences. Recommended measures include patching, access controls and MFA, secure-by-design management and robust resilience and recovery plans.

VoidLink Linux Malware Targets Multi-Cloud Environments

🔍 New analysis by Ontinue details VoidLink, a Linux-based command-and-control framework that generates implant binaries for credential theft, data exfiltration and stealthy persistence across cloud and enterprise hosts. The agent fingerprints AWS, GCP, Azure, Alibaba and Tencent environments and adapts its behavior, loading modular plugins for container escape and kernel-level stealth. Researchers identified unusual development artefacts — structured "Phase X:" labels, duplicated numbering, verbose debug logs and embedded documentation — that suggest parts of the implant were written or assisted by a large language model coding agent with limited human review.

OpenClaw Adds VirusTotal Scanning to ClawHub Skills

🔒 OpenClaw has integrated VirusTotal malware scanning into its ClawHub skills marketplace to automatically vet published skills. Packages are hashed and analyzed with Code Insight (powered by Gemini); benign skills are auto-approved, suspicious ones receive warnings, and confirmed malicious skills are blocked and re-scanned daily. The move responds to documented malicious extensions and unauthorized enterprise deployments, though OpenClaw stresses scanning is not a complete defense against prompt injection or logic abuse.

DKnife AitM Framework Compromises Network Gateways

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.

DKnife toolkit hijacks routers to spy and deliver malware

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which can bypass some built-in protections; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.

Compromised dYdX npm and PyPI packages deliver malware

⚠️ Cybersecurity researchers disclosed a supply chain attack that replaced legitimate dYdX packages on npm and PyPI with malicious releases designed to steal wallet credentials and enable remote code execution. Malicious code ran during normal use, exfiltrating seed phrases, device data and calling back to a command-and-control endpoint. dYdX and researchers advise isolating affected hosts, moving funds from clean systems and rotating credentials.

Ransomware Actors Abuse ISPsystem VMs for Payload Delivery

🛡️ Ransomware groups are abusing virtual machines provisioned by ISPsystem to host and deliver malware at scale. Sophos researchers found identical Windows VM hostnames and system identifiers reused from default VMmanager templates, enabling operators such as LockBit, Qilin, Conti, BlackCat/ALPHV and others to hide malicious infrastructure among legitimate hosts. The tactic complicates attribution and slows takedown efforts, and Sophos tied most malicious VMs to a small cluster of poorly reputed hosting providers.

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️ Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell, which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.

Notepad++ Update Infrastructure Compromised by Backdoor

🛡️ Hackers linked to the Chinese government trojanized the Notepad++ update supply chain to deliver a backdoor to selected users. The vendor reports the hosting provider's infrastructure remained compromised until September 2, and attackers retained credentials through December 2, enabling continued redirection of chosen update traffic to malicious servers. The threat actor explicitly targeted insufficient update verification controls in older releases and attempted to re-exploit a flaw after it was fixed. Users are advised to run at least version 8.9.1 and verify update integrity.

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.

Smashing Security #453: Epstein Files Expose Risks Now

📰 In episode 453 of Smashing Security, Graham Cluley and guest Tricia Howard examine how sloppy redaction and a mix of AI and open social profiles can deanonymise documents once thought obscured. They discuss real-world incidents including malware delivery via a compromised Notepad++ installer, a sex-addiction app leaking intimate user data, and a problematic AV update used to distribute malware. The episode also highlights insider-threat risks after a senior US cybersecurity official uploaded sensitive government material into a public ChatGPT instance, and explores how broken trust can have lasting reputational consequences for vendors and organisations.

Attackers Modify NGINX Configurations to Redirect Traffic

🔁 Researchers at Datadog Security Labs uncovered a campaign in which threat actors compromise NGINX servers and Baota-managed hosting panels to inject malicious 'location' blocks into configuration files, rerouting user requests through attacker-controlled backends. The attackers preserve headers like Host, X-Real-IP, User-Agent, and Referer to blend traffic with legitimate requests. The injection toolkit runs in five scripted stages and exfiltrates a map of hijacked domains to a C2 at 158.94.210[.]227.

Threat Actors Hijack Web Traffic via React2Shell Exploit

⚠️ Researchers at Datadog Security Labs report that threat actors are exploiting the React2Shell vulnerability to compromise servers running NGINX managed via Baota Panel and to hijack web traffic. Attackers deploy multi-stage scripts that discover targets, establish persistence, and generate malicious configuration files to redirect users or deliver malware. The campaign targets primarily Asian domains and Chinese hosting infrastructure, and unpatched React server components remain at high risk.