< ciso brief />

All news with #malware tag


Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Researchers Find 175,000 Publicly Accessible Ollama Hosts

🔍 A joint investigation by SentinelOne SentinelLABS and Censys identified 175,000 publicly reachable Ollama hosts across 130 countries, spanning cloud and residential networks. Nearly half of observed instances advertise tool-calling capabilities that can execute code, access APIs, and interact with external systems, significantly raising the threat profile. Researchers warn these unmanaged LLM deployments lack standard authentication and monitoring, enabling active LLMjacking campaigns and resale of illicit access.

Google and Partners Disrupt Major Residential Proxy Network

🔍 Google and industry partners have disrupted IPIDEA, a large residential proxy network used to conceal malicious activity. The operation combined court action to seize domains with intelligence-sharing and platform enforcement, including expanded protections in Google Play Protect that remove apps embedding IPIDEA SDKs and block further installs. Google reports these steps have reduced the pool of proxy devices by millions and expects knock-on effects across reseller-linked services. The network’s SDKs were tied to multiple botnets and used by numerous threat actors to obscure follow-on attacks.

Roblox Mod Downloads Becoming Major Infostealer Risk

🛡️ Infostealer-laden Roblox “mods” and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise — not software exploits — is the primary enterprise threat.

Interlock Ransomware: New Techniques, Same Old Tricks

🔒 Fortinet's FortiGuard Incident Response describes a protracted Interlock intrusion that targeted education organizations, linking MintLoader initial access to NodeSnakeRAT and Interlock RAT implants. The report highlights a novel process-killer, Hotta Killer, that abuses a signed but vulnerable gaming anti-cheat driver (CVE-2025-61155) in a BYOVD technique to terminate security processes. Operators exfiltrated about 250 GB using AZCopy before deploying JavaScript and ELF ransomware across Windows and Nutanix hosts. FortiGuard recommends blocking unnecessary remote-access tools, restricting PowerShell egress, and monitoring anomalous driver installations.

Google Disrupts IPIDEA Residential Proxy Network Operations

🚨 Google said it disrupted IPIDEA, a large residential proxy service, seizing dozens of domains and rendering the IPIDEA site inaccessible after legal action. The company said the network advertised more than 6.1 million daily updated IPs and 69,000 daily new addresses and had been leveraged by over 550 distinct threat groups for cybercrime, espionage, and APT activity. Google reported about 7,400 Tier Two servers, flagged thousands of trojanized Windows binaries and roughly 600 Android apps tied to the service, and updated Google Play Protect to warn or remove apps containing IPIDEA code.

YouTuber wins landmark ruling after Pegasus phone hack

📱 In episode 452 Graham Cluley and guest Joe Tidy discuss a London-based YouTuber who has won a landmark UK ruling after his phone was compromised by Pegasus spyware, illustrating how a single malicious SMS can enable continuous, covert surveillance. They also investigate dark-web services, including a reported portal offering hitmen, and cover headlines such as Microsoft Patch Tuesday problems, alleged Russian wiper activity against Poland’s grid, and US charges tied to ATM malware.

eScan Confirms Update Server Breach That Pushed Malware

⚠️ MicroWorld Technologies, maker of eScan, confirmed a breach of a regional update server that delivered an unauthorized, later-analyzed malicious update to a subset of customers during a two-hour window on January 20, 2026. The company says it isolated and rebuilt the affected infrastructure, rotated credentials, and issued a remediation tool. Security firm Morphisec published a technical analysis linking a modified Reload.exe to multi-stage malware and a backdoor named CONSCTLX.exe, and the vendors dispute who reported the incident first.

Fake Moltbot VS Code Extension Deploys Remote Access

⚠️ A malicious Visual Studio Code extension impersonating Moltbot, published as 'ClawdBot Agent - AI Coding Assistant' (clawdbot.clawdbot-agent), was distributed on the official Marketplace and has since been removed by Microsoft. The add-on auto-executes on IDE launch, fetches a remote config.json and installs a binary that deploys a ConnectWise ScreenConnect client connecting to attacker infrastructure. It includes DLL sideload and batch-script fallbacks and hard-coded payload URLs. Researchers warn exposed Moltbot instances and insecure defaults increase the risk of credential theft and remote compromise.

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.

Disrupting IPIDEA: Takedown of Major Proxy Network

🏠 This week Google Threat Intelligence Group led coordinated legal, technical, and platform actions to disrupt the IPIDEA residential proxy network, a large global provider of exit-node infrastructure. Actions included domain takedowns, sharing SDK and infrastructure intelligence with platform providers and law enforcement, and enforcing Google Play Protect to remove and block offending apps. These steps materially degraded IPIDEA’s operations and reduced the pool of available exit-node devices by millions while enabling broader partner remediation.

AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.

Mustang Panda Deploys Updated COOLCLIENT for Data Theft

🚨 Kaspersky reports that China-linked Mustang Panda used an updated COOLCLIENT backdoor in 2025 to exfiltrate data from government targets across Myanmar, Mongolia, Malaysia, and Russia. The implant was deployed as a secondary backdoor alongside PlugX and LuminousMoth, delivered via encrypted loaders and abusing DLL side-loading of legitimately signed binaries. COOLCLIENT harvests keystrokes, clipboard data, files, and HTTP proxy credentials, can establish reverse tunnels, and loads in-memory plugins; recent waves also incorporated browser credential stealers and a previously unseen rootkit.

Sicarii Ransomware Discards Keys, Risks Permanent Data Loss

⚠️ Halcyon researchers report a Sicarii ransomware variant that generates a fresh RSA key pair on each execution and immediately discards the private key, leaving encrypted files unrecoverable even if victims pay or use a provided decryptor. Analysts attribute the defect to poor key management or immature development, possibly involving AI-assisted tooling. Affected organizations should prioritize containment, isolate systems, and restore only from known-good, offline, or immutable backups rather than relying on ransom-based recovery.

Surge in Malicious Open-Source Packages Raises Alarm

🔔 Sonatype's 2026 State of the Software Supply Chain report warns of a sharp rise in malicious open-source packages, finding 454,648 new malicious components in 2025 across Maven Central, PyPI, npm and NuGet. The vendor says developers downloaded components 9.8 trillion times last year and that threats have evolved from stunts into industrialized, multi-stage supply chain intrusions. The report highlights AI-related risks, typosquatting and namespace mimicry as primary enablers.

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.

US Charges 31 More Suspects in ATM Malware Jackpotting

🔐 A Nebraska federal grand jury indicted 31 additional defendants accused of participating in an ATM jackpotting operation that used Ploutus malware to steal millions from U.S. ATMs. Authorities say many suspects are Venezuelan or Colombian nationals tied to the gang Tren de Aragua, an organization recently designated by OFAC as a Foreign Terrorist Organization. Investigators allege attackers opened ATM housings, swapped or connected drives to load malware, deleted evidence, and forced machines to dispense cash; the stolen proceeds were split and laundered. The Justice Department has charged 87 TdA members in related cases over the past six months.

New MaaS 'Stanley' enables phishing Chrome extensions

⚠️ Researchers at Varonis warn of a new malware‑as‑a‑service named Stanley that sells malicious browser extensions engineered to pass review and appear on the Chrome Web Store. The extensions overlay a full‑screen iframe with attacker-controlled phishing content while leaving the address bar intact, and claim silent auto‑installation on Chromium browsers. Stanley offers subscription tiers, including a Luxe Plan that assists with publishing extensions, and provides operator controls for targeting, notifications, and session correlation.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.