All news with #malware tag

North Korean Hackers Merge BeaverTail and OtterCookie

🔐 Cisco Talos reports that a North Korean-linked threat cluster has blended features of its BeaverTail and OtterCookie JavaScript malware families, with recent OtterCookie variants adding keylogging, screenshot capture, and clipboard monitoring. The intrusion chain observed involved a trojanized Node.js application called Chessfi and a malicious npm dependency published on August 20, 2025 that executed postinstall hooks to launch multi-stage payloads. Talos tied the activity to the Contagious Interview recruitment scam and highlighted continued modularization and abuse of legitimate open-source packages and public Git hosting to distribute malicious code.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

Researchers Warn RondoDox Botnet Expands Exploitation

🔍 Trend Micro warns that RondoDox botnet campaigns have significantly expanded their targeting, exploiting more than 50 vulnerabilities across over 30 vendors to compromise routers, DVR/NVR systems, CCTV devices, web servers and other networked infrastructure. First observed by Trend Micro on June 15, 2025 via exploitation of CVE-2023-1389, and first documented by Fortinet FortiGuard Labs in July 2025, the threat now leverages a loader-as-a-service model that co-packages RondoDox with Mirai/Morte payloads, accelerating automated, multivector intrusions. The campaign includes 56 tracked flaws—18 without CVEs—spanning major vendors and underscores urgent detection and remediation needs.

ClayRat Android Spyware Uses Fake Apps to Spread in Russia

📱 A new Android spyware campaign known as ClayRat has been observed targeting users in Russia through fake app installers and Telegram channels. Operators impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into sideloading APKs or running lightweight droppers that reveal hidden encrypted payloads. Once active, the malware requests default SMS status and can exfiltrate SMS, call logs, notifications, device details, take photos, and even send messages or place calls while automatically propagating to contacts. Zimperium reports roughly 600 samples and 50 droppers detected in the last 90 days, with continuous obfuscation to evade defenses.

Hackers Inject Redirecting JavaScript via WordPress Themes

🔒 Security researchers warn of an active campaign that modifies WordPress theme files (notably functions.php) to inject malicious JavaScript that redirects visitors to fraudulent verification and malware distribution pages. The injected loader uses obfuscated references to advertising services but posts to a controller domain that serves a remote script from porsasystem[.]com and an iframe mimicking Cloudflare assets. The activity has ties to the Kongtuke traffic distribution system and highlights the need to patch themes, enforce strong credentials, and scan for persistent backdoors.

OpenAI Disrupts Malware Abuse by Russian, DPRK, China

🛡️ OpenAI said it disrupted three clusters that misused ChatGPT to assist malware development, including Russian-language actors refining a RAT and credential stealer, North Korean operators tied to Xeno RAT campaigns, and Chinese-linked accounts targeting semiconductor firms. The company also blocked accounts used for scams, influence operations, and surveillance assistance and said actors worked around direct refusals by composing building-block code. OpenAI emphasized that models often declined explicit malicious prompts and that many outputs were not inherently harmful on their own.

Beware of threats lurking in booby-trapped PDF files

📄 PDF files are a ubiquitous, convenient format that cybercriminals increasingly abuse as lures, with ESET telemetry placing PDFs among the top malicious attachment types. Attack techniques include embedded scripts, hidden links, malformed objects that exploit reader vulnerabilities, and files that merely masquerade as .pdf while actually being executables or archives. Verify sender context, enable Protected View or sandboxing, consider disabling JavaScript in your PDF reader, and scan or sandbox suspicious attachments before opening; when in doubt, confirm via a separate channel.

WhatsApp-Based Self-Spreading Malware Hits Brazil Nationwide

⚠️ Trend Micro has uncovered a self-propagating malware campaign named SORVEPOTEL that primarily targets Brazilian Windows users via WhatsApp. The attack is delivered through convincing phishing messages with malicious ZIP attachments that contain LNK shortcuts which trigger PowerShell to download a batch payload. The payload establishes persistence by copying itself to the Windows Startup folder and contacts a command-and-control server, and if WhatsApp Web is active the malware automatically forwards the infected ZIP to contacts and groups, causing rapid spread and frequent account bans. Researchers report no evidence of data exfiltration or file encryption so far.

Android Spyware Posing as Signal Plugin and ToTok Pro

⚠️ Researchers at ESET have uncovered two Android spyware campaigns, ProSpy and ToSpy, that masquerade as a Signal encryption plugin and a ToTok Pro upgrade to target users in the U.A.E. Distributed via fake websites and social engineering, these apps require manual installation and request extensive permissions to persist and exfiltrate contacts, messages, media and device data. Users are advised to avoid installing apps from unofficial sources and to disable installations from unknown origins.

MatrixPDF toolkit converts PDFs into phishing lures

📄 MatrixPDF is a newly observed toolkit that converts ordinary PDFs into interactive phishing and malware lures, researchers report. First seen advertised on cybercrime forums and promoted via Telegram, it embeds blurred content, fake "Secure Document" prompts, clickable overlays and JavaScript actions that redirect users to external payloads. Varonis testing showed these PDFs can bypass Gmail filters because they contain no embedded binaries and rely on user clicks to fetch malicious content. Sellers offer subscriptions from $400/month to $1,500/year.

Vane Viper Exposed as Major Malvertising Adtech Actor

🛡️ Infoblox, together with Guardio and Confiant, has identified Vane Viper (also known as Omnatuor) as an adtech platform that has enabled malvertising, ad fraud, and malware distribution for more than a decade. The operator used a web of shell companies and subsidiaries reportedly linked to PropellerAds and AdTech Holding to broker malicious traffic and to run its own campaigns. Researchers describe persistence tactics such as abusing browser push-notification permissions and service workers to spawn headless browser processes that continue to redirect users. Infoblox estimates Vane Viper generated roughly 1 trillion DNS queries across about half of its customer networks over the past year.

Lighthouse and Lucid PhaaS Linked to 17,500 Phishing Domains

🔍 Netcraft reports that the PhaaS platforms Lucid and Lighthouse are linked to more than 17,500 phishing domains impersonating 316 brands across 74 countries. Lucid, first documented by PRODAFT in April, supports smishing via Apple iMessage and RCS and is tied to the Chinese-speaking XinXin group. Both services offer customizable templates, real-time victim monitoring, and granular targeting controls (User-Agent, proxy country, configured paths) that restrict access to intended victims. Lighthouse subscriptions run from $88 per week to $1,588 per year, underscoring the commercial scale of these offerings.

Microsoft Takedown Disrupts RaccoonO365 Phishing Service

🛡️ Microsoft's Digital Crimes Unit has seized 338 domains to dismantle the Phishing‑as‑a‑Service platform RaccoonO365, which enabled low‑skilled actors to deploy convincing Microsoft login pages. The DCU reports the service compromised more than 5,000 accounts across 94 countries since July 2024 and could bypass MFA to maintain persistent access. Operators marketed AI enhancements to scale attacks and collected at least $100,000 in cryptocurrency, prompting legal action to disrupt the infrastructure and seize control of the platform.

China-linked APT41 Targets U.S. Trade Policy Networks

🔒 The House Select Committee on China warned of an ongoing series of targeted cyber-espionage campaigns tied to the PRC that aim at organizations involved in U.S.–China trade talks. Attackers impersonated Rep. John Robert Moolenaar in phishing emails that delivered malware via attachments and links, abusing cloud services and software to conceal activity. The campaign, attributed to APT41, affected trade groups, law firms, think tanks, U.S. government agencies and at least one foreign government.

Actors Hide Behind Tor in Exposed Docker API Campaign

🛡️ Attackers are exploiting exposed Docker APIs (port 2375) by launching containers that install Tor and retrieve secondary payloads from hidden services. Researchers at Trend Micro and Akamai observed the activity evolve from opportunistic cryptomining into a more capable dropper that establishes persistent SSH access, creates cron jobs to block API access, and executes a Go-based agent that scans and propagates to additional hosts. The agent also removes competitor containers and contains dormant logic for Telnet and Chrome remote debugging exploitation.

VirusTotal Uncovers SVG-based Judicial Portal Phishing

🔍 VirusTotal's AI Code Insight detected a sophisticated phishing campaign that hid malicious JavaScript inside SVG images to impersonate Colombia's judicial system. The SVGs rendered fake portal pages with a bogus download progress bar and displayed a password for a protected ZIP archive that contained malware artifacts. The archive included a renamed Comodo Dragon executable, a malicious DLL, and two encrypted files; when the executable runs the DLL is sideloaded to install further malware. After adding SVG support, VirusTotal found 523 related SVGs that had evaded traditional antivirus detection.

Cybercriminals Exploit X's Grok to Amplify Malvertising

🔍 Cybersecurity researchers have flagged a technique dubbed Grokking that attackers use to bypass X's promoted-ads restrictions by abusing the platform AI assistant Grok. Malvertisers embed a hidden link in a video's "From:" metadata on promoted video-card posts and then tag Grok in replies asking for the video's source, prompting the assistant to display the link publicly. The revealed URLs route through a Traffic Distribution System to drive users to fake CAPTCHA scams, malware, and deceptive monetization networks. Guardio Labs observed hundreds of accounts posting at scale before suspension.

Android droppers now pushing SMS stealers and spyware

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.

Malicious Go Module Poses as SSH Brute-Force Tool, Steals

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.