CISO Brief

All news with #malware tag

810 articles · page 20 of 41

eScan update breach distributes multi-stage malware

🛡️ Morphisec Threat Labs has identified a critical supply-chain compromise of MicroWorld Technologies’ eScan antivirus discovered on 20 January 2026, in which malicious updates were delivered via the vendor's legitimate update infrastructure. The trojanized 32-bit executable, allegedly signed with a compromised certificate, deployed a downloader and a 64-bit backdoor, established persistence and implemented anti-remediation controls to block further updates. Morphisec reported blocking the activity on protected systems and urged immediate investigative and remediation actions for affected organizations.

Tax Phishing Targets Indian Users to Deliver Blackmoon

🧾 Cybersecurity researchers uncovered a phishing campaign impersonating India's Income Tax Department that delivers a multi-stage backdoor to targeted users. The attackers distribute a ZIP containing an executable that sideloads a malicious DLL, performs anti-analysis checks, and fetches further payloads, ultimately deploying a Blackmoon variant alongside a repurposed SyncFuture TSM RMM tool. The operation employs UAC bypass, process masquerading, antivirus exclusion manipulation, and numerous helper scripts to establish persistent, covert access for long-term monitoring and data exfiltration.

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.

Malicious VS Code AI Extensions Exfiltrate Developer Data

⚠️ Koi Security researchers uncovered two malicious Microsoft Visual Studio Code extensions marketed as AI coding assistants that also exfiltrate developer files to China-based servers. The extensions — ChatGPT - 中文版 (whensunset.chatgpt-china, 1,340,869 installs) and ChatGPT - ChatMoss(CodeMoss) (zhukunpeng.chat-moss, 151,751 installs) — function normally while Base64-encoding every opened file and edit and sending them to aihao123[.]cn. The campaign, dubbed MaliciousCorgi, includes remote-triggered bulk exfiltration and a hidden zero-pixel iframe that loads Chinese analytics SDKs to fingerprint users. Remove suspicious extensions, audit workspaces, and follow supply-chain hardening guidance.

Weekly Recap: Firewall Flaws, AI-Built Malware, CVEs

⚡ This weekly recap highlights shifting attack patterns and urgent fixes: an incomplete patch in Fortinet firewalls (CVE-2025-59718/59719) is being actively abused, while the VoidLink Linux malware appears largely produced with AI assistance. Researchers also disclosed a critical GNU InetUtils telnetd flaw (CVE-2026-24061) that can yield root shells. Other notable trends include vishing campaigns targeting major IdPs, malvertising that crashes browsers to deliver a Python RAT, and supply-chain/package compromises; administrators should prioritize exploitable, public-PoC, and KEV-class vulnerabilities.

Malicious AI VSCode Extensions Exfiltrate Developer Data

⚠️ Researchers from Koi found two malicious AI-style extensions on the VSCode Marketplace — ChatGPT – 中文版 and ChatMoss — that together have 1.5 million installs and silently transmit developer files to China-based servers. The extensions implement three distinct data-collection methods: real-time file reads and Base64 exfiltration via hidden webviews, a server-controlled file-harvest command that can steal up to 50 files, and a zero-pixel iframe that loads commercial analytics SDKs for fingerprinting and behavioral tracking. At publication both extensions were still available and Microsoft had not responded to inquiries.

US to deport Venezuelans who emptied bank ATMs using malware

🏧 South Carolina prosecutors said two Venezuelan nationals pleaded guilty to conspiracy and computer crimes after using malware to force ATMs to dispense cash across the southeastern United States. They targeted older ATM models, installing a Ploutus variant by connecting laptops, using external drives, or swapping hard drives to trigger unauthorized withdrawals. Both defendants were sentenced, ordered to pay restitution, and face deportation following their terms.

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.

VoidLink: Malware Largely Created by AI in Record Time

⚠️ Check Point Research says VoidLink, a modular Linux malware framework, appears to have been planned, structured, and largely written by AI rather than solely by human developers. Analysts found programmatically generated sprint-style plans, detailed technical specifications, and repetitive code patterns consistent with automated generation. The project reportedly grew to tens of thousands of lines of code in under a week, compressing months of work into days. That speed and planning raise concerns that AI can significantly lower the barrier to producing sophisticated, cloud- and container-focused threats.

Malicious PyPI Package Impersonates SymPy, Deploys Miner

🔍 A malicious PyPI package named sympy-dev was found impersonating SymPy, copying the legitimate project's description to trick users; it has been downloaded over 1,100 times since its January 17, 2026 publication. Socket's analysis shows select symbolic-math routines were modified to retrieve a remote JSON configuration and download an ELF payload that launches an XMRig miner. The backdoor executes the ELF binary directly in memory via memfd_create and /proc/self/fd to reduce on-disk artifacts and only triggers when specific polynomial functions are invoked to remain stealthy.

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.

VoidLink: AI-Generated Linux Malware Targets Cloud Servers

🧠 Check Point researchers say VoidLink, a modular Linux malware family targeting cloud servers, appears to have been largely generated and orchestrated by AI. The toolkit contains over 30 plugins for persistence, stealth and remote control. An exposed development plan and timestamps suggest a single operator used AI agents to plan sprints, generate design documents, probe guardrails and iteratively produce working code within weeks.

VoidLink: AI-Assisted Linux Malware Framework Revealed

🛡️ Check Point Research and Sysdig examined a sophisticated Linux malware framework called VoidLink and concluded a single developer used an AI coding agent to accelerate development. The Zig-based project grew to over 88,000 lines by December 2025 and exhibits systematic artifacts — consistent debug formatting, placeholder data like "John Doe", uniform _v3 API patterns, and exhaustive JSON templates — that suggest heavy LLM involvement. No real-world infections have been observed, but researchers warn this case demonstrates how AI can rapidly lower the barrier to creating advanced offensive tooling.

VoidLink cloud malware shows clear signs of AI generation

🧠 Check Point Research reports that the VoidLink Linux cloud malware framework displays clear evidence of being developed predominantly with AI assistance. The actor used an AI-centric IDE, TRAE, and its assistant TRAE SOLO to produce specification documents, sprint plans, and large portions of source code, which reached a working state within days. Exposed development artifacts — including TRAE helper files and an open directory of source and docs — allowed researchers to match generated specs to the recovered code and reproduce the development workflow, leading Check Point to conclude this is a notable example of AI-driven malware development.

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

VoidLink Signals a New Era in AI-Generated Malware

🤖 Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.

PDFSIDER: Encrypted Backdoor Uses DLL Side-Loading Toolkit

🔒 Resecurity researchers have identified a sophisticated backdoor called PDFSIDER, delivered via DLL side-loading from a trojanized, digitally signed PDF utility. The malware embeds the Botan crypto library and uses AES-256-GCM for an encrypted C2 channel, executing commands via cmd.exe entirely in memory and returning output over anonymous pipes. It performs anti-VM and debugger checks, exfiltrates data (including over DNS/53), and is assessed as targeted tradecraft that evades many AV and EDR products.

Weekly Recap: Fortinet Exploits, RedLine & Emerging Threats

⚡ This week’s roundup highlights active exploitation of a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) that can lead to full appliance compromise, alongside new malware and supply-chain concerns. Researchers also disclosed a clipboard‑hijacking campaign distributed by RedLineCyber and a Reprompt attack that targeted Microsoft Copilot via P2P prompt injection. Other notable items include a cloud-native Linux framework called VoidLink, disruption of the RedVDS criminal service, and an AWS CodeBuild misconfiguration that raised supply‑chain risks. Defenders should prioritize patching high-severity CVEs, harden CI/CD configurations, and treat AI/chatbot integrations and exposed devices as part of the attack surface.

Malicious Google Chrome Extensions Hijack Workday and Netsuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.