< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 17 of 45

China-linked APT Targets South American Telecoms Networks

🛰️ Cisco Talos says a China-linked APT tracked as UAT-9244 has been targeting critical South American telecommunications since 2024, deploying three undocumented implants: TernDoor for Windows, PeerTime for Linux, and BruteEntry on edge devices. TernDoor uses DLL side-loading via wsprint.exe and a rogue BugSplatRc64.dll to execute payloads in memory and embed a driver to control processes. PeerTime is a multi-architecture P2P backdoor (ARM, AARCH64, PPC, MIPS) that uses BitTorrent for C2 and comes in C/C++ and Rust builds, while BruteEntry turns compromised edge hardware into brute-force proxy nodes targeting Postgres, SSH and Tomcat.
read more →

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex‑encoded, XOR‑compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run‑dialog detection. The decoded chain downloads a ZIP and a renamed 7‑Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.
read more →

Chinese State Hackers Target Telcos with New Malware Toolkit

🛡️ Cisco Talos researchers report that a China-linked APT cluster tracked as UAT-9244 has been targeting telecommunication providers in South America since 2024, compromising Windows, Linux, and network-edge devices. The campaign uses three previously undocumented malware families: TernDoor (Windows backdoor), PeerTime (ELF BitTorrent-based Linux backdoor), and BruteEntry (brute-force scanner and proxy builder). Talos published a technical report with capabilities, deployment methods, persistence techniques, and IoCs for detection and mitigation.
read more →

Bing AI Promoted Fake OpenClaw GitHub Installers and Malware

⚠️ Researchers at Huntress found that Microsoft Bing’s AI-enhanced search suggested malicious GitHub repositories posing as installers for OpenClaw, instructing users to run commands that deployed information-stealing and proxy malware. The fake repos were tied to newly created GitHub accounts and mimicked legitimate projects to appear trustworthy. Windows and macOS installers delivered Rust-based loaders, the Atomic Stealer family, Vidar, and a GhostSocks backconnect proxy. Huntress reported the repositories to GitHub and recommends using official project portals and bookmarked download sources rather than search results.
read more →

Wikipedia hit by self-propagating JavaScript worm

🛡️ The Wikimedia Foundation experienced a security incident after a self‑propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. The malicious code, traced to a user script User:Ololoshka562/test.js uploaded in March 2024, injected loaders into both user-level and global MediaWiki:Common.js. Engineers temporarily restricted editing, reverted malicious edits, rolled back affected user scripts, and removed the injected code, but a full post‑incident report has not yet been published.
read more →

ThreatsDay Bulletin: Emerging Campaigns and Policy Shifts

📰 This ThreatsDay bulletin summarizes a fast-moving week of cyber activity, covering phishing, malware, large-scale scraping, privacy actions, and research that changes operational risk. Notable items include a CERT-UA–reported phishing campaign delivering SHADOWSNIFF, SALATSTEALER, and a Go backdoor; a DDR5 scraping operation used for scalping RAM inventory; and a new Chrome two‑week release cadence. The update also highlights regulatory action against Reddit and privacy steps by Samsung.
read more →

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.
read more →

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.
read more →

Multi-Stage BadPaw Malware Campaign Targets Ukraine

🐾 ClearSky researchers uncovered a multi-stage malware campaign named BadPaw that leverages emails from the Ukrainian provider ukr.net to lure recipients to a ZIP download. The archive contains an HTA disguised as HTML that displays a decoy document while launching hidden components. BadPaw checks system age to evade sandboxes, extracts payloads, and uses a scheduled task plus steganography to persist. A staged C2 flow ultimately deploys a multi-layered backdoor, MeowMeowProgram.exe, with low AV detection.
read more →

Fake Laravel Packages on Packagist Deploy Cross-Platform RAT

🔴 Security researchers identified malicious Packagist PHP packages posing as Laravel utilities that install a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux. The actor published nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger, with lara-swagger pulling the helper as a Composer dependency to trigger installation. The embedded payload phones home to a reported C2 at helper.leuleu[.]net:2096, supports extensive remote commands, and activates at application boot or via autoloading, exposing application credentials and environment secrets.
read more →

Signed Malware Mimics Workplace Apps to Deploy RMM Backdoors

🔒 In February 2026 Microsoft Defender Experts uncovered phishing campaigns that delivered digitally signed malware impersonating common workplace applications. The threat actor used an EV certificate issued to TrustConnect Software PTY LTD to sign trojanized installers (examples include msteams.exe, adobereader.exe, and invite.exe) that deployed RMM tools such as ScreenConnect, Tactical RMM, and MeshAgent. Executables reinforced legitimacy by copying to Program Files, registering services, creating Run keys, and executing encoded PowerShell to stage additional payloads and connect to attacker-controlled domains, enabling persistent remote access and lateral movement.
read more →

Fake IT Support Spam Delivers Havoc C2 via DLL Sideloader

🔒 Huntress researchers uncovered a campaign where attackers posed as IT support, using email spam and follow-up phone calls to coerce victims into granting remote access and visiting a counterfeit Microsoft page hosted on AWS. The fake site harvested credentials and prompted a download that executed a legitimate binary which sideloaded a malicious DLL to launch the Havoc Demon. The intrusions showed rapid lateral movement, scheduled-task persistence, and use of legitimate RMM tools as backup persistence.
read more →

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.
read more →

AI and Deepfakes Accelerate Cybercriminal Capabilities

⚠️ A new Cloudflare Threat Report warns that widespread access to large language models and AI tools has lowered the barrier to entry for cybercriminals, enabling rapid, scalable attacks. Attackers are using LLMs to craft convincing phishing, generate malware, and map networks in real time, increasing impact and reach. The report highlights AI-generated deepfakes and fraudulent IDs used to bypass hiring filters and embed malicious insiders, with state actors like North Korea exploiting this vector. Cloudflare urges organisations to adopt real-time intelligence and proactive defenses to counter the industrialisation of cyber threats.
read more →

Microsoft Warns OAuth Redirect Abuse Targets Government Orgs

🔒 Microsoft warned on Mar 3, 2026 of phishing campaigns that leverage OAuth redirect URLs to bypass email and browser defenses and deliver malware to government and public-sector targets without directly stealing tokens. Attackers register malicious applications and manipulate identity providers like Entra ID and Google Workspace to craft redirect links sent in emails or embedded in PDFs. The delivery chain uses ZIP -> LNK-triggered PowerShell -> MSI -> DLL sideloading to execute in-memory payloads and contact external C2; some campaigns also used AitM kits such as EvilProxy. Microsoft removed identified malicious apps and recommends limiting consent, auditing app permissions, and removing unused or overprivileged applications.
read more →

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear‑phishing PDFs and macro‑enabled Excel files to deliver two distinct toolchains: a DLL side‑loading path that deploys an in‑memory backdoor and a Rust‑based keylogger. The side‑loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.
read more →

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.
read more →

North Korean StegaBin: 26 Malicious npm Packages Exposed

🔍 Researchers disclosed a new StegaBin iteration of the Contagious Interview campaign in which North Korean actors uploaded 26 malicious packages to the npm registry. The packages masqueraded as developer tools and used text steganography in Pastebin essays to encode Vercel-based C2 addresses, ultimately delivering a credential stealer and a cross-platform RAT. Install-time scripts fetch multi-stage components that enable persistence, credential harvesting, and exfiltration.
read more →

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info‑stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command‑and‑control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.
read more →

Monthly Security Roundup — February 2026 Highlights

🔒 In February 2026 ESET Chief Security Evangelist Tony Anscombe highlights a series of notable incidents: widespread misuse of commercial generative AI, a novel Android malware campaign, increased ATM jackpotting, and destructive attacks against critical infrastructure. Researchers tied more than 600 compromised FortiGate devices in 55 countries to exposed management ports and weak credentials, while ESET documented PromptSpy, the first known Android malware abusing generative AI for context-aware UI manipulation. The FBI warned US ATM operators about a rise in jackpotting, and ESET analyzed a DynoWiper case targeting an energy company. Businesses are urged to strengthen access controls, enforce MFA, close exposed management ports, and improve monitoring for GenAI-related abuse.
read more →