< ciso
brief />
Tag Banner

All news with #malware tag

900 articles · page 20 of 45

Massiv Android banking malware disguises as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.
read more →

AI platforms can be abused for stealthy malware communication

🛡️ Researchers at Check Point demonstrated that AI assistants with web browsing and URL-fetching capabilities can be abused as intermediaries for stealthy command-and-control (C2) communication. In their proof-of-concept, malware used Windows WebView2 to load AI services such as Grok and Microsoft Copilot, fetching attacker-controlled URLs whose content the assistant returned and the malware parsed for instructions. Because the PoC required no account or API keys, this relay can blend into trusted traffic and complicate network-level blocking and attribution; platform safeguards exist but can be evaded through obfuscation.
read more →

Cryptojacking Campaign Uses Signed Driver to Boost Monero

🛡️ Trellix uncovered a multi-stage cryptojacking campaign that spreads via pirated software installers and deploys a customized XMRig miner alongside a stateful controller. The dropper installs a primary Explorer.exe controller and multiple watchdog processes for persistence, with a hardcoded expiry of December 23, 2025. Attackers load a signed vulnerable driver (WinRing0x64.sys/CVE-2020-14979) to gain kernel access and disable CPU prefetchers, boosting Monero RandomX performance by an estimated 15–50%. Researchers observed connections to the Kryptex pool and recommend enabling Microsoft's vulnerable driver blocklist, restricting USB access and blocking known mining pool traffic.
read more →

Keenadu Preinstalled Android Malware Compromises Firmware

⚠️ Kaspersky researchers have uncovered Keenadu, a multifaceted Android malware family that can be embedded in device firmware and run with system-level privileges from first boot. Detected on more than 13,000 devices across multiple countries, the backdoor impersonates legitimate system components (including face-unlock and home-screen apps) and can infect other apps, install APKs, and harvest sensitive data. It may remain dormant under certain locales and lacks easy removal through standard user tools. Kaspersky recommends checking firmware updates, running security scans, disabling suspect apps, and coordinating with vendors to address supply chain integrity.
read more →

Chinese APT Exploited Dell RecoverPoint Zero-Day Since 2024

🔒 Dell has released a patch for a critical zero-day, CVE-2026-22769, in RecoverPoint for Virtual Machines after Mandiant reported exploitation by a suspected Chinese APT cluster since mid-2024. The flaw is a hardcoded credential that enables unauthenticated access to the underlying OS and potential root-level persistence on versions prior to 6.0.3.1 HF1. Mandiant links the intrusions to UNC6201, which deployed malware such as Slaystyle, Brickstorm and a native AOT C# backdoor called Grimbolt, and observed novel TTPs including VM "ghost NICs" and iptables-based single-packet authorization.
read more →

Keenadu Firmware Backdoor Infects Android Tablets Worldwide

🔒 Kaspersky researchers have identified a firmware-embedded backdoor named Keenadu that can run in the context of every Android app and grant remote control over infected tablets. The implant was discovered in Alldocube iPlay 50 mini Pro firmware dating to August 18, 2023, and the compromised images carried valid digital signatures. Kaspersky observed delivery via signed OTA updates, preinstalled system apps, and trojanized apps distributed through third-party stores and official marketplaces.
read more →

Keenadu backdoor found in Android firmware and apps

🛡️ Keenadu is a sophisticated Android backdoor discovered embedded in device firmware and in apps distributed through Google Play and other channels. Kaspersky reports multiple distribution vectors — compromised OTA firmware, system apps, modified APKs and even Play Store apps — with the firmware-integrated variant being the most powerful. That variant can operate inside every installed app, silently install APKs with broad permissions, and exfiltrate media, messages, credentials and location data. Kaspersky has confirmed roughly 13,000 infected devices and warns that firmware-resident instances cannot be removed by standard Android tools; users should reflash clean firmware or replace affected devices.
read more →

SmartLoader Trojans Oura MCP Server to Deliver StealC

🛡️Researchers at Straiker's AI Research (STAR) Labs disclosed a SmartLoader campaign that distributes a trojanized Oura Model Context Protocol (MCP) server to deploy the StealC infostealer. Attackers built a deceptive network of fake GitHub accounts and forks, added sham contributors, and submitted the malicious server to the MCP Market to exploit developer trust. The delivered ZIP runs an obfuscated Lua script that drops SmartLoader, which then installs StealC to exfiltrate credentials, browser passwords, and cryptocurrency wallet data. Organizations should inventory MCP servers, verify provenance before installation, and monitor for suspicious egress and persistence.
read more →

ZeroDayRAT toolkit sells cross-platform mobile spyware

📱 ZeroDayRAT is a commercially marketed, cross-platform spyware toolkit distributed openly via Telegram that targets Android and iOS devices. iVerify traced initial activity to 2 February and found the offering includes an APK for Android, an iOS payload, a web-based management panel, documentation, and customer support channels. The malware harvests messages, call logs, contacts, location, photos, files, notifications, and enumerates accounts across popular services, enabling sustained surveillance and potential financial theft. Infection relies on social engineering—sideloading or iOS provisioning profiles—so iVerify recommends mobile EDR, stricter controls on unauthorized installs, and detection across BYOD and managed fleets.
read more →

Infostealer Targets OpenClaw, Exfiltrating AI Agent Data

🔐 Security researchers have documented an infostealer attack that exposed sensitive files from local AI assistants, specifically OpenClaw. Hudson Rock reported the malware harvested configuration and key material—including openclaw.json, device.json, and agent memory files—allowing token theft, private key access, and capture of users' operational context. The incident underscores risks from plaintext secrets and permissive defaults in agentic tools.
read more →

OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.
read more →

Weekly Recap: Add-in Hijack, Zero-Days, and Cloud Abuse

🔒 This weekly recap shows how small, trusted gaps are becoming major entry points — from a hijacked Outlook add-in (AgreeTo) turned into a phishing kit that stole over 4,000 Microsoft credentials to multiple actively exploited zero-days in Chrome and Apple platforms. It also covers a critical BeyondTrust RCE under active exploitation, new Linux botnet activity abusing SSH, and cloud-focused campaigns targeting exposed Docker, Kubernetes, and Redis instances. Attackers are combining legacy techniques, cloud misconfigurations, and AI assistance to scale access and persistence.
read more →

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.
read more →

ZeroDayRAT: Commercial Mobile Spyware Targets Android, iOS

🕵️‍♂️ZeroDayRAT is a commercial mobile spyware platform advertised on Telegram that enables extensive data collection and real-time surveillance on Android and iOS devices. The developer offers a builder to generate malicious binaries and an online or self-hosted control panel that exposes device metadata, GPS location history, accounts and notification previews. Operators can capture keystrokes, SMS (including OTPs), live camera and microphone streams, and perform hands-on remote operations. Additional modules swap clipboard crypto addresses and target mobile payment apps to facilitate direct financial theft.
read more →

Google Groups Used to Deliver Lumma Stealer & Ninja Browser

🔒 CTM360 reports attackers are abusing Google Groups and Google-hosted redirectors to distribute credential-stealing malware, leveraging over 4,000 malicious groups and 3,500 hosted URLs to target organizations worldwide. The campaign uses industry-focused posts and shortened or Docs/Drive redirect links to lure victims and deliver OS-specific payloads. On Windows, victims receive a padded archive that reconstructs an AutoIt-based loader and a memory-resident Lumma infostealer; on Linux, users are served a trojanized Chromium-branded "Ninja Browser" with covert extensions and silent persistence. CTM360 advises inspecting redirect chains, blocking IoCs, auditing browser extensions, and monitoring scheduled tasks and endpoint activity.
read more →

QR Codes as an Attack Vector: Phishing, Deep Links

🔐 Unit 42 investigates the rising misuse of QR codes for phishing, in‑app deep‑link exploitation, and direct distribution of malicious Android APKs. Their telemetry shows an average of over 11,000 malicious QR-code detections per day, driven by tactics that mask destinations and exploit mobile app behavior. The report highlights QR shorteners, custom deep links, and APK hosting as key evasive techniques and recommends user education plus deployment of decoding and filtering controls such as Advanced URL Filtering and Prisma Browser to improve visibility and block threats.
read more →

Fake recruiter campaign hides RAT in dev coding tests

⚠️ A new variant of a fake recruiter campaign attributed to North Korean actors is targeting JavaScript and Python developers with cryptocurrency-themed coding tasks. Attackers publish seemingly legitimate job projects and embed malicious dependencies on npm and PyPI that install a remote access trojan reported as Graphalgo. The operation is modular and resilient, with 192 malicious packages identified and tactics such as delayed activation and token‑protected command channels. Affected developers are advised to rotate tokens and passwords and to reinstall compromised systems.
read more →

Claude LLM artifacts abused to deliver Mac infostealers

⚠️ Threat actors are abusing public Claude artifacts and manipulated Google Search results to trick macOS users into running malicious Terminal commands. These commands download and execute a loader that installs the MacSync infostealer, which harvests keychain data, browser credentials, and crypto wallets, then exfiltrates the data to a hardcoded command-and-control server. Researchers warn users not to run unverified shell commands and to verify safety before executing them.
read more →

UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit—built in Zig, C, and Go—supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement, and evidence suggests a Windows implant and role-based access controls are present.
read more →

Unzipping the Threat: Blocking Malware in ZIP Files

🔐 Cyber attackers are increasingly embedding malware inside password-protected ZIP archives and splitting the delivery chain by sending the archive via email while transmitting the password out-of-band (SMS or messaging apps). Traditional scanners struggle to inspect these encrypted attachments. New Threat Emulation capabilities can now inspect and block malicious ZIP files without requiring the password, closing the delivery gap. This reduces reliance on manual password sharing and strengthens perimeter defenses.
read more →