< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 18 of 45

APT37 Deploys Ruby Jumper to Bridge Air-Gapped Networks

🛡️ Zscaler researchers uncovered a toolkit named Ruby Jumper used by North Korea–linked APT37 to bridge internet-connected and air-gapped systems via removable drives. The campaign begins with a malicious LNK that launches a PowerShell script, a decoy document, and the RESTLEAF implant, which fetches encrypted shellcode via Zoho WorkDrive and loads the Ruby-based loader SNAKEDROPPER. The threat persists by installing a Ruby runtime masked as usbspeed.exe and weaponizes USB media to relay commands and exfiltrate data.
read more →

CISA: RESURGE Malware Can Remain Dormant on Ivanti Devices

🔒 CISA warns that the RESURGE implant can remain latent on Ivanti Connect Secure devices, evading detection by awaiting a specific inbound TLS connection rather than beaconing to a command-and-control server. The 32-bit Linux Shared Object libdsupgrade.so hooks the web process, inspects TLS packets using a CRC32 fingerprint, and authenticates attackers with a forged Ivanti certificate. The agency notes related tools like liblogblock.so for log tampering and a kernel extraction script, and it urges administrators to use updated IoCs and hashes to discover and remove dormant infections.
read more →

Malicious Go crypto module steals passwords, deploys Rekoobe

🔒 A malicious Go module, github.com/xinfeisoft/crypto, impersonating the legitimate golang.org/x/crypto mirror, was found to exfiltrate terminal-entered secrets and deliver a Linux backdoor. The injected backdoor hooks ssh/terminal/terminal.go so calls to ReadPassword() capture interactive passwords and send them to a remote endpoint, which responds with a shell script. That script appends an SSH key to /home/ubuntu/.ssh/authorized_keys, relaxes iptables defaults, and downloads two payloads—one that probes connectivity and contacts 154.84.63.184:443, and the other identified as the Rekoobe trojan. The Go security team has blocked the package, but researchers warn this low-effort impersonation pattern will likely be reused against other credential-edge libraries.
read more →

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, creating a direct avenue for compromise. Reversing Labs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and verify recruiter identities.
read more →

US Authorities Penalize Sellers of Malware and Spyware

🔒 US authorities have taken swift action against sellers of cyberweapons, sentencing Australian national Peter Williams to 87 months in prison after he sold sensitive exploit components for up to $4 million in cryptocurrency. The Treasury’s OFAC also sanctioned Sergey Sergeyevich Zelenyuk and Matrix LLC (trading as Operation Zero) for acquiring and distributing proprietary US cyber tools. Sanctions block US-held assets and may trigger criminal charges for prohibited transactions.
read more →

Trojanized Gaming Tools Spread Java RAT, Evade Detection

🎮 Microsoft Threat Intelligence warns that threat actors are distributing trojanized gaming utilities via browsers and chat platforms to deliver a Java-based remote access trojan (RAT). A malicious downloader stages a portable Java runtime and executes a jd-gui.jar, leveraging PowerShell and LOLBins like cmstp.exe for stealth and self-deletion while configuring Microsoft Defender exclusions. Persistence is achieved with a scheduled task and a startup script named world.vbs, and the final payload phones home to 79.110.49[.]15 for command-and-control.
read more →

Dohdoor DoH Backdoor Targeting Education and Healthcare

🚨 Cisco Talos reports an ongoing campaign by UAT-10027 using a new backdoor called Dohdoor since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control, downloads and executes payloads within legitimate Windows processes, and employs phishing, PowerShell abuse, and DLL sideloading. The campaign targets U.S. education and health care organizations with C2 infrastructure hidden behind reputable services.
read more →

Fake Next.js Repos Deliver In-Memory JS Backdoors Campaign

⚠️ A coordinated developer-targeting campaign uses fake Next.js repositories and job-assessment lures to trick engineers into executing attacker-controlled JavaScript at runtime. Microsoft and third-party researchers identified three execution paths — VS Code workspace tasks (runOn: "folderOpen"), dev-server builds, and backend startup — that all fetch loaders from staging services like Vercel. The in-memory payload profiles hosts, polls for an instanceId and executes server-supplied code to maintain persistent C2 while minimizing disk artifacts.
read more →

Steaelite RAT Unifies Data Theft and Ransomware Tools

⚠️ Steaelite is a browser-based remote access trojan marketed on underground forums that consolidates remote access, credential harvesting, data exfiltration, and a planned ransomware module into a single management pane. Researchers at BlackFog say the toolkit includes live screen streaming, webcam and microphone access, password recovery, Defender-disable capabilities, and persistence options, and it’s been available since last November. The seller offers access as malware-as-a-service (about $200/month), and defenders are urged to prioritize stopping data exfiltration over relying solely on perimeter defenses.
read more →

Fake Next.js Interview Repos Deliver JavaScript Backdoor

⚠️ A coordinated campaign impersonating Next.js job interview materials uses malicious repositories to achieve remote code execution on developers' machines. Repositories trigger payloads via VS Code workspace opening, npm dev server startup, or backend initialization, downloading and executing an in-memory JavaScript backdoor. The staged malware profiles hosts, registers with a C2 infrastructure, and supports file enumeration and staged exfiltration. Microsoft advises enforcing VS Code Workspace Trust, reducing secrets on endpoints, and using short-lived, least-privilege tokens.
read more →

Google Disrupts UNC2814 GRIDTIDE Campaign Targeting Telcos

🔒 Google and industry partners disrupted infrastructure used by suspected China-linked espionage group UNC2814, which deployed a C-based backdoor named GRIDTIDE that abuses the Google Sheets API to conceal command-and-control traffic. GRIDTIDE supports file upload/download and arbitrary shell execution and was observed on endpoints containing PII. Google terminated attacker-controlled Cloud projects, disabled abused accounts, and is notifying impacted organizations while offering support.
read more →

Chinese Cyberspies Used Google Sheets to Target Telecoms

🔐 Google’s Threat Intelligence Group, Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese actor tracked as UNC2814 that infiltrated telecom firms and government agencies across dozens of countries. The actor deployed a new C-based backdoor named GRIDTIDE that abused the Google Sheets API for covert command-and-control, authenticating with a hardcoded service account key and polling spreadsheet cells for instructions. GRIDTIDE supports execution, upload and download commands via URL-safe Base64 exchanges and hides output in sheet cells; Google and partners disabled cloud projects, revoked API access, sinkholed domains, and offered victim support.
read more →

Malicious NuGet Packages Exfiltrate ASP.NET Identity

🔒 Security researchers at Socket uncovered four malicious NuGet packages — NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ — that target ASP.NET developers to steal Identity data and manipulate authorization rules. The packages, published in August 2024 by user hamzazaheer and downloaded over 4,500 times before removal, deploy a localhost proxy and stage payloads to relay stolen data to an external C2. Separately, Tenable disclosed a malicious npm package ambar-src that used a preinstall hook to drop cross-platform malware (Windows, Linux, macOS), enabling full-system compromise and data exfiltration.
read more →

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.
read more →

Fake Zoom Meeting Installs Covert Employee Surveillance

🔒 Malwarebytes researchers warn of a convincing fake Zoom meeting page that silently downloads and installs a covert build of Teramind on Windows endpoints. Victims see scripted participants and an “Update Available” countdown that triggers a silent download while a fake Microsoft Store screen displays a staged installation. Because the payload is a repackaged commercial monitoring tool, many defenses may not flag it, so prompt verification and training are essential.
read more →

Types of Ransomware Attacks and Detection Methods Overview

🔒 This article profiles major ransomware varieties — including crypto, double extortion, encryptionless, locker, scareware and Ransomware-as-a-Service — and explains how they operate. It outlines common detection approaches such as behavioral, signature, heuristic, and deception techniques. The piece also situates ransomware within the broader malware landscape and describes how Huntress’ 24/7 human-led monitoring and containment reduce risk.
read more →

Developer-Targeting Campaign via Malicious Next.js Repos

⚠️ Microsoft Defender researchers discovered a coordinated developer-targeting campaign that used malicious repositories disguised as legitimate Next.js projects and recruiting assessments to achieve remote code execution. The malicious repositories employed multiple execution paths — editor automation, dev-server assets, and backend startup loaders — that all retrieved attacker-controlled JavaScript at runtime. The activity staged a lightweight registration bootstrap (Stage 1) before escalating to a persistent operator-controlled controller (Stage 2), enabling in-memory tasking, discovery, and staged exfiltration.
read more →

AI-enabled Cyber Attacks Nearly Double in 2025 - CrowdStrike

⚠️ CrowdStrike's Global Threat Report 2026 warns that AI-enabled cyber-attacks rose 89% in 2025 as adversaries used machine learning and LLMs to scale and refine phishing, disinformation and malware operations. Researchers observed LLMs producing multilingual, convincing phishing lures and automating campaign creation, while some actors embedded prompting into malware (eg, LameHug) for reconnaissance. CrowdStrike recommends strong identity controls, AI-focused awareness training and threat-intel monitoring to mitigate the accelerating threat.
read more →

The Evasive Adversary: Faster, Quieter, Cloud-Focused

🛡️ CrowdStrike reports that adversaries shifted in 2025 from expanding toolsets to prioritizing evasion, using AI to refine phishing, malware scripts, and reconnaissance while favoring malware-free techniques that blend with legitimate user activity. AI-enabled attacks rose 89% year over year and malware-free methods accounted for 82% of detections. Supply chain compromises, rapid zero-day weaponization, and cloud-focused intrusions amplified stealth, with big-game ransomware groups moving to remote encryption and credential abuse to minimize detection.
read more →

Fraud Investigation Reveals Sophisticated Python Malware

🔍 A fraud investigation by the Secuinfra Falcon Team uncovered a layered, Python-based malware deployment that led to unauthorised PayPal transfers and visible command output on the victim's desktop. Investigators found hidden PowerShell activity retrieving a PyInstaller-packed executable named svchoss.exe from an IP hosted in Tencent-associated networks, alongside startup scripts and a concealed Python runtime. Memory forensics with Volatility 3 and string extraction exposed heavy obfuscation, references to Cobalt Strike, XWorm RAT, HTran and attempts to harvest browser autofill and wallet data. Although the system was judged fully compromised, the initial infection vector remains unconfirmed, with social engineering and malicious downloads considered likely.
read more →