< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 2 of 45

Weekly Cyber Recap: Kernel Flaws and AI Risks

🛡️ This week’s recap highlights how seemingly small mistakes — missed patches, old access paths, or unprivileged namespaces — can yield significant compromises. New findings include the DirtyClone Linux kernel flaw allowing local privilege escalation, active exploitation of a critical PTC Windchill vulnerability, and novel macOS malware designed to deceive AI analysis tools. The briefing also covers disruptive takedowns, trending CVEs, and emerging AI-model risks.
read more →

236,000 DCloud Uni‑App Sites Fuel Investment Scams

🛡️ Infoblox reports that over 236,000 domains use DCloud Uni‑App templates to power investment scams, including fake crypto exchanges, wallet drainers, gambling sites, and WhatsApp phishing pages. The malicious sites span continents, target multiple languages, and have been active since mid‑2022, with some operators stripping framework fingerprints to evade detection. While many domains use mainstream hosting providers, a subset relies on bulletproof hosting and centralized template sales may explain coordinated activity.
read more →

US seizes nearly 400 illegal FIFA World Cup domains

⚖️ The U.S. Justice Department has seized nearly 400 domains tied to illegal live streams of FIFA World Cup 2026 matches. The operation, coordinated via the ICHIP Network and partners, targeted servers and domains across multiple countries, including Peru and Bulgaria. Authorities acted with support from FIFA, broadcasters and industry groups to disrupt piracy and warn of malware and fraud risks to viewers.
read more →

Hijacked npm and Go packages deploy cross‑platform stealer

🛡️ Cybersecurity researchers discovered two malicious npm packages and a cluster of Go packages that deploy a Python-based information stealer targeting Windows, Linux, and macOS. The attack hides execution in a VS Code task that runs when a project folder is opened and retrieves encrypted JavaScript from blockchain transaction data to configure a socket.io backdoor. The campaign uses a disguised font file to deliver multi-stage payloads and ultimately installs a Python infostealer that exfiltrates credentials, wallets, and developer artifacts.
read more →

macOS 'Gaslight' malware targets AI analysis tools

🛡️ Researchers uncovered a macOS malware family named macOS.Gaslight that embeds fabricated error messages and debugging data inside a Rust binary to mislead AI-assisted analysis tools. The 3.5 KB payload contains 38 fake system messages — including memory dumps, token-expiration warnings, and build errors — designed to appear as legitimate developer logs. SentinelOne attributes the sample with high confidence to a North Korean-linked actor and notes the strings aim to prompt-inject LLM pipelines, causing them to abort or distrust their session. The malware retains standard backdoor and data-stealing capabilities alongside the deceptive messaging tactic.
read more →

Gaslight macOS implant uses AI prompt injection

🛡️ A new Rust-based macOS implant named Gaslight embeds a prompt-injection payload aimed at misleading AI-assisted analysis tools into aborting or refusing to analyze the sample. SentinelOne attributes the tool with high confidence to North Korea–aligned actors and notes its Telegram-based C2 implements an interactive shell with commands like shell, upload, and kill. The implant uses a LaunchAgent for persistence and includes a Base64-encoded Python stealer that harvests browser data, Terminal histories, Keychain contents, and system profiles before compressing and exfiltrating via Telegram.
read more →

Mistic backdoor tied to initial access broker activity

🔍 Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more →

Malicious Edge extension leverages native messaging

🛡️ A malicious Microsoft Edge extension named Edgecution was used to bypass the browser sandbox and deploy a Python-based backdoor by abusing the Chrome Native Messaging protocol. Attackers lured victims via fake Microsoft update pages and social engineering on Microsoft Teams, delivering a malformed ZIP with an embedded Python runtime and two components: a headless Edge extension and a native Python backdoor. Zscaler links the activity to an IAB associated with the Payouts Kings ransomware operation and provides IoCs and mitigation recommendations.
read more →

International takedown of Amadey and StealC networks

🛡️ A multinational law enforcement operation, coordinated with private-sector partners such as Bitdefender, ESET, and Microsoft, dismantled infrastructure powering the Amadey and StealC malware ecosystems. Authorities identified and restricted over $47 million in criminal cryptocurrency, recovered 27 million stolen credentials, and dismantled hundreds of servers and domains. The action disrupted loader-and-stealer chains used to fuel ransomware and fraud.
read more →

Operation Endgame disrupts Amadey and StealC malware

🔎 Microsoft, Europol, and international partners executed Operation Endgame to disrupt infrastructure used by the Amadey and StealC malware families. The coordinated takedown targeted servers, domains, and related resources, seizing cryptocurrency and recovering millions of stolen credentials. Private-sector partners including Microsoft, ESET, Proofpoint, and IBM X-Force supported law enforcement actions across several countries. The effort also targeted SocGholish loaders and follows prior phases that disrupted other malware families.
read more →

macOS Gaslight backdoor uses prompt injection tactics

🛡️ SentinelLabs uncovered a North Korea-linked macOS backdoor, tracked as macOS.Gaslight, that embeds 38 fabricated system messages to manipulate AI-assisted malware triage. The Rust implant carries an infostealer and interactive backdoor that exfiltrates browser data, terminal histories and the macOS login keychain, using Telegram Bot API with certificate pinning for command and control. Researchers noted novel tradecraft including runtime staging of a standalone Python interpreter and self-scrubbing of the Telegram bot token from logs. SentinelLabs warned analysts to treat sample contents as adversarial input and to isolate hostile content from LLM-based tools.
read more →

Spyware embeds forbidden text to disrupt AI analysis

🛡️ A malware developer has begun embedding provocative text about nuclear and biological weapons inside large JavaScript block comments in spyware payloads to confuse AI-based scanners. The commented header is ignored at runtime but aims to trigger refusals or misclassification in naive LLM-powered triage systems that ingest file starts without isolating untrusted content. Traditional detection methods—YARA, entropy checks, AST parsing, and behavioral analysis—remain effective, but the technique is a practical anti-analysis tactic against weak AI-first pipelines.
read more →

AI Enables Faster, Cheaper, Harder-to-Detect Attacks

🛡️ A ReliaQuest report finds AI is making cyber-attacks cheaper, faster to scale, easier to customize and harder to spot while not fundamentally altering attacker tradecraft. Initially used for polishing phishing and basic scripting in 2024, by mid-2025 AI had expanded into deepfakes, AI-assisted scripts and an underground market for tools. Today AI appears embedded in workflows—generating phishing pages, web shells, and obfuscating code—and as the lure itself, with attackers leveraging trusted AI brands to trick users.
read more →

PowerShell stealer targets Telegram sessions

🛡️ Researchers discovered a PowerShell script masquerading as a Windows telemetry update that steals Telegram for Windows session data. The script collects system info, closes Telegram to access the tdata folder, zips its contents, and sends the archive to an attacker-controlled bot before removing traces. The sample was found on Pastebin and appears to be a prototype, with no confirmed successful exfiltration yet. Users are advised to use robust endpoint security and enable Telegram Two‑Step Verification or passkeys.
read more →

JaredFromSubway MEV bot suffers $15M crypto theft

🔒 The JaredFromSubway Ethereum MEV bot lost $15 million after an attacker fed it fake pools and tokens to manipulate its opportunity detection and gain ERC-20 approvals. Blockaid detected the drain and JaredFromSubway confirmed the attacker deployed deceptive contracts that tricked the bot into issuing allowances to attacker-controlled helper contracts. The attacker used staged, benign-looking transactions to validate the bot’s routines, later exploiting open approvals via transferFrom to withdraw WETH, USDC, and USDT.
read more →

North Korean Supply Chain Attack Hits Mastra Packages

🔐 Microsoft attributed a large-scale npm supply chain attack on the open-source Mastra TypeScript project to North Korea’s Sapphire Sleet group. The threat actor abused a compromised npm maintainer account to publish poisoned packages that disabled TLS verification and contacted attacker C2 servers to deploy cross-platform malware. The payload sought cryptocurrency wallet extensions and performed system reconnaissance, posing a significant risk to developers and downstream users. Microsoft advised auditing dependencies, checking for the malicious easy-day-js package and pinning known-good package versions.
read more →

AryStinger malware converts legacy routers into relays

🔍 QiAnXin XLab has identified a new malware family named AryStinger that has infected at least 4,300 legacy home routers, turning them into a distributed reconnaissance and proxy network rather than a typical DDoS botnet. The campaign targets routers using Realtek RTL819X chips via old vulnerabilities (CVE-2013-3307, CVE-2016-5681) and favors D-Link DIR-850L units, with infections concentrated in South Korea and China. A second strain targeting QNAP NAS devices via CVE-2025-11837 was also observed; both builds support scanning, tunneling, and remote task execution. Defenders are advised to check for C2 connections, suspicious binaries and processes, retire unsupported devices, and disable remote administration.
read more →

Prinz Eugen ransomware targets recent files first

🛡️ Threatdown and Malwarebytes researchers detail a new hands-on-keyboard ransomware called Prinz Eugen that prioritizes recently modified files for encryption and leaves no ransom note on compromised systems. Initial access is likely via stolen RDP credentials, with attackers manually deploying a payload named servertool.exe and sometimes using legitimate RMM tools like RemotePC for persistence. The Go-based malware encrypts files recursively without exclusions, uses ChaCha20-Poly1305 and Argon2id-derived keys, and self-deletes while overwriting keys to hinder recovery and forensics.
read more →

Gentlemen RaaS standardizes EDR-killer suite

🛡️ ESET researchers say the Gentlemen ransomware-as-a-service (RaaS) operation supplies affiliates with a standardized suite of EDR killers, centered on a framework named GentleKiller, to disable security tooling prior to encryption. The tooling mimics legitimate security products and leverages abused vulnerable drivers through a BYOVD technique, incorporating third-party killers like HexKiller and ThrottleBlood. The group rapidly operationalizes public proof-of-concept exploits, and ESET also found a Rust-based credential stealer called OxideHarvest in use.
read more →

Gentlemen Ransomware Deploys Multiple EDR Killers

🛡️ ESET researchers report the Gentlemen RaaS actively develops and deploys multiple EDR-killing tools, led by a primary utility named GentleKiller with at least eight variants. These tools use BYOVD techniques and vulnerable drivers to obtain kernel privileges and disable security products from dozens of vendors. The framework permits easy driver swaps, is protected by commercial packers, and is supplemented by external tools like HexKiller, ThrottleBlood, and HavocKiller.
read more →