< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 19 of 45

Weekly Recap: Double-Tap Skimmers, AI Malware, 30Tbps DDoS

🛡️ This weekly recap highlights high‑impact incidents and emerging trends across devices, cloud services, and supply chains. Key items include a Dell RecoverPoint zero‑day (CVE‑2026‑22769) actively exploited to install web shells and backdoors and PromptSpy, an Android malware that leverages Google Gemini and accessibility services for persistence. The report also calls out a near‑30 Tbps DDoS surge, malicious Docker Hub images, and deceptive "double‑tap" skimmers targeting e‑commerce. Review the prioritized CVEs and advisories and map mitigations to your environment.
read more →

Arkanix stealer uses dual Python and C++ variants targeting

🔍 Kaspersky researchers uncovered a new infostealer named Arkanix that blends rapid, probable LLM-assisted development with a dual-language architecture. The malware is offered as a MaaS, giving customers a control panel to configure Python or C++ payloads and retrieve statistics. The Python variant prioritizes broad, fast data harvesting while the native C++ build focuses on stealth, performance, and persistence. Observed deployment mechanisms include configurable loaders, C2 domains and even Discord-based tests.
read more →

FBI: ATM Jackpotting Surge Costing Banks Over $20M

🛡️ The FBI reports over 700 ATM jackpotting incidents in 2025 that cost banks more than $20 million, and notes nearly 40% of US attacks since 2020 occurred last year. Attackers commonly deploy malware such as Ploutus to exploit the XFS API, allowing direct hardware commands to dispense cash and bypass bank authorization. The agency details physical intrusion techniques—generic keys, hard-drive removal or replacement with preloaded devices—and urges layered defenses including improved physical locks and sensors, hardware whitelisting, robust logging, IP whitelisting and endpoint detection to detect and prevent rapid cash-outs.
read more →

MuddyWater Targets MENA with New Rust Backdoor CHAR

🔒 Group-IB reports that Iranian APT MuddyWater launched Operation Olalampo, using new and updated implants to target organizations across the MENA region. Attacks beginning January 26, 2026 employed malicious Office macros to deliver downloaders like GhostFetch and HTTP_VIP, a Rust backdoor CHAR, and a second-stage implant GhostBackDoor. The campaign leverages C2 servers, a Telegram-controlled bot, and signs of AI-assisted development.
read more →

How Attackers Use Generative AI to Exploit Systems

🔐 Cybercriminals increasingly employ generative AI to automate and scale established attack techniques, from highly convincing phishing and deepfakes to AI-assisted malware creation and accelerated vulnerability exploitation. Adversaries are building custom LLMs, hijacking cloud LLM resources, and orchestrating multi-agent campaigns that speed reconnaissance and weaponization. Organizations should adopt layered defenses, monitor API and AI usage, tighten identity and access, and leverage AI-based detection to mitigate these evolving threats.
read more →

Arkanix Stealer: Short-Lived AI-Assisted Info Stealer

🔍 Kaspersky researchers analyzed a short-lived information stealer called Arkanix, promoted on dark web forums in late 2025 and likely developed with LLM assistance. The project included a control panel, a Discord community, and two tiers: a Python-based basic build and a VMProtect-wrapped C++ premium variant with enhanced AV evasion and wallet injection. Arkanix features modular data theft from browsers, wallets, Telegram and Discord, plus optional post-exploitation modules; the author removed infrastructure within two months, complicating detection and tracking.
read more →

Compromised npm Package Silently Installs OpenClaw Agent

⚠️ Researchers discovered that a compromised npm publish token allowed an attacker to push a modified release of the widely used Cline CLI that added a malicious postinstall script to fetch and run the AI agent OpenClaw. Aside from that new script, package contents and the CLI binary matched the legitimate prior release, making the change easy to miss. The malicious publish was live on the registry for about eight hours on February 17 before it was deprecated and corrected; developers who installed during that window are advised to update Cline and remove OpenClaw if it was not intentionally installed.
read more →

Cline CLI Supply-Chain Update Installed OpenClaw Unexpected

⚠️ On February 17, 2026, the npm package cline was maliciously published as cline@2.3.0 using a compromised publish token; the release added a postinstall hook that executed npm install -g openclaw@latest. Installations between 03:26–11:30 PT pulled OpenClaw onto developer machines. Cline has released 2.4.0, deprecated 2.3.0, revoked the token and updated publishing to support OIDC; users are advised to upgrade and remove any unexpected OpenClaw installs, though researchers say overall impact is low since OpenClaw is not inherently malicious and no Gateway daemon was started.
read more →

Android malware uses Gemini AI to persist on devices

🔐 ESET researchers have identified an Android implant, dubbed PromptSpy, that leverages generative AI to maintain persistence on victims' devices and represents an evolution of earlier VNCSpy samples. The implant sends serialized UI snapshots to Google's Gemini, receives step-by-step Accessibility Service actions to keep the malicious app pinned in Recent Apps, and executes those actions while a VNC module provides remote viewing and control. The initial dropper impersonated JPMorgan Argentina and distributed via mgardownload[.]com; communications use AES-encrypted VNC to a hardcoded C2 at 54.67.2[.]84. PromptSpy also overlays invisible UI elements to block uninstallation; the only reliable removal is rebooting into Safe Mode.
read more →

FBI: $20M+ Stolen in Surge of ATM Malware Attacks in 2025

🔔 The FBI says Americans lost more than $20 million last year amid a sharp increase in ATM 'jackpotting' attacks that use malware to force cash machines to dispense money. These attacks—often leveraging Ploutus—target the ATM's software layer (the XFS interface) to bypass bank authorization and trigger withdrawals without cards. The agency urged institutions to audit ATMs for unauthorized removable storage and validate system images to detect physical intrusion and malware staging.
read more →

FBI: 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost

💰 The FBI warned that 1,900 ATM jackpotting incidents have been reported since 2020, with 700 occurring in 2025 and losses exceeding $20 million last year. Threat actors deploy specialized malware such as Ploutus, often gaining physical access using generic keys to open ATM faces and then replacing or modifying hard drives to install code. The malware exploits the Windows OS and the ATM's XFS layer to issue dispenser commands directly, bypassing bank authorization and enabling rapid cash-outs across multiple ATM models. The FBI advised operators to strengthen physical protections, change default credentials, enforce device allowlisting, maintain logs, and configure automatic shutdowns when compromise indicators are detected.
read more →

PromptSpy: First Android Malware Using Generative AI

🛡️ ESET researcher Lukas Stefanko has identified PromptSpy, the first known Android malware to call a generative AI model at runtime, leveraging Google's Gemini to adapt persistence on different devices. The malware submits an XML dump of the current UI plus a chat prompt to Gemini, receives JSON-formatted instructions, and uses the Accessibility Service to pin the app in Recent Apps in a loop until confirmed. Its primary payload is a VNC-based spyware module that can capture PINs, record unlock patterns and screen activity, take screenshots, and report foreground apps. To block removal it overlays invisible UI elements over uninstall or permission controls; victims must reboot into Safe Mode to remove it.
read more →

PromptSpy Android Malware Leverages Gemini to Persist

🛡️ ESET researchers disclosed PromptSpy, the first Android malware observed to integrate Google's Gemini generative AI into its execution flow and achieve persistence. The malware assigns Gemini the persona of an 'Android automation assistant,' sends an XML dump of the current screen, and receives JSON step-by-step instructions that are executed via accessibility services. PromptSpy captures lockscreen data, records screens and video, deploys a VNC module for remote access, and blocks uninstallation using invisible overlays while communicating with a hard-coded C2.
read more →

Google Blocks Over 1.75 Million Play Store App Submissions

🛡️ Google says it blocked more than 1.75 million apps from being published on Google Play in 2025 and denied over 255,000 apps access to sensitive user data. The company also banned over 80,000 developer accounts and strengthened detection by integrating generative AI into its review process to identify evolving malicious patterns. Play Protect scanned an estimated 350 billion app instances daily and flagged over 27 million malicious sideloaded apps, while the Play Integrity API processed more than 20 billion checks per day.
read more →

Google Play 2025: Strengthening App Ecosystem Security

🔒 In 2025 Google deployed advanced AI-powered defenses across Google Play to stop apps that cause real-world harm, preventing over 1.75 million policy-violating apps from being published and banning more than 80,000 malicious developer accounts. We expanded Google Play Protect to scan over 350 billion Android apps daily and rolled out real-time protections including in-call scam defenses. Together these measures strengthened the Play store and the broader Android ecosystem by prioritizing automated detection, rapid enforcement, and on-device user safety.
read more →

Remcos RAT gains real-time surveillance and evasion

🔍 Researchers at Point Wild have identified a Remcos RAT variant that shifts toward real-time espionage and enhanced evasion. The strain streams webcam footage and sends captured keystrokes directly to attacker-controlled servers while delivering modular DLL plugins on demand. It decrypts its C2 configuration only in memory, resolves Windows APIs dynamically to hinder static analysis and performs cleanup routines to remove logs, cookies and persistence artifacts. Defenders should watch for suspicious outbound connections and unauthorized registry changes.
read more →

Industrial-Scale Fake Coretax Apps Drive $2M Fraud

🔍 Group-IB uncovered a sophisticated campaign that impersonated Indonesia’s official Coretax service to distribute malicious Android APKs, causing an estimated $1.5m–$2m in losses nationwide. Attackers combined phishing sites, WhatsApp impersonation and vishing to coerce victims into installing RATs such as Gigabud.RAT and MMRat, enabling remote access and unauthorized banking transfers. The operation produced 996 phishing URLs, 228 new malware samples and used infrastructure that impersonated over 16 trusted brands, suggesting a scalable MaaS model.
read more →

PromptSpy: GenAI-driven Android malware abuses Gemini

🧠 ESET researchers have identified PromptSpy, the first known Android malware to integrate generative AI (Google's Gemini) into its execution flow. The malware sends serialized UI XML to Gemini and receives JSON-formatted tap, swipe, and long-press instructions to navigate device-specific interfaces. This enables robust persistence by programmatically locking the app in Recent Apps and deploying a VNC module for remote control and data exfiltration. Distribution appears limited and regionally focused, but the technique raises broader concerns about AI misuse.
read more →

Massiv Android Trojan Targets IPTV Users for DTO Attacks

🛡️ ThreatFabric has disclosed Massiv, a new Android trojan that impersonates IPTV apps to deliver device takeover (DTO) attacks aimed at financial theft. Distributed via SMS phishing droppers, Massiv abuses Android accessibility and MediaProjection APIs to stream screens, capture keystrokes and SMS, and deploy fake overlays that harvest banking credentials and KYC data. Operators have used stolen information to open accounts, launder money and remotely control infected devices while concealing malicious activity behind black-screen overlays.
read more →

Massiv Android banking malware disguises as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.
read more →