< ciso
brief />
Tag Banner

All news with #malware tag

900 articles · page 21 of 45

Malicious Chrome Extensions Exfiltrate Business Data

🔒 Researchers uncovered multiple malicious Chrome extensions that exfiltrate sensitive data from business and social media accounts, including a Meta‑focused add‑on named CL Suite that steals TOTP seeds, one‑time codes and Business Manager exports. Other campaigns detailed include a large‑scale VK Styles hijack of VKontakte accounts and the AiFrame cluster of AI‑themed add‑ons that siphon emails and page content. A Q Continuum study also found hundreds of extensions leaking browsing history to data brokers. Experts recommend strict extension controls, frequent audits, and allowlisting to reduce risk.
read more →

Fake AI Chrome Extensions Steal Credentials and Spy

🛡️ Over 260,000 Google Chrome users downloaded fake AI assistant extensions that delivered malicious functionality capable of harvesting credentials, monitoring Gmail and granting remote access to attackers. Researchers at LayerX identified more than 30 malicious extensions—collectively labeled AiFrame—many of which mimicked ChatGPT, Claude, Grok and Gemini and were even featured in the Chrome Web Store, increasing exposure. The campaign used "extension spraying" and a full‑screen iframe that loads remote content to evade detection and exfiltrate data; although many extensions have been removed, affected users remain at risk.
read more →

Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.
read more →

Lazarus Group plants malicious packages in npm and PyPI

🔴 ReversingLabs attributes a coordinated supply-chain campaign, codenamed graphalgo, to the North Korea–linked Lazarus Group, active since May 2025. Attackers set up a fake recruiting front (Veltrix Capital), staged GitHub coding assessments in Python and JavaScript, and published dozens of malicious dependencies to npm and PyPI to infect candidates. One npm package, bigmathutils, accrued over 10,000 downloads before a malicious update; the payload delivers a token-based RAT that performs reconnaissance and file operations. Researchers also disclosed separate npm threats — duer-js (Bada Stealer) and the extortionist XPACK ATTACK — and urge auditing dependencies and verifying package provenance.
read more →

AMOS Infostealer Targets macOS via AI App Supply Chain

🔒 Flare and other researchers describe the AMOS macOS infostealer and its use of AI-focused distribution channels to harvest credentials and crypto data. Recent ClawHavoc activity shows attackers poisoning the popular OpenClaw skill marketplace to bundle AMOS into seemingly legitimate add-ons. Campaigns also abused search-engine SEO, fraudulent GitHub repositories, and one-line Terminal installers, enabling rapid credential and session theft at scale.
read more →

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.
read more →

World Leaks Adds Stealthy RustyRocket Malware to Arsenal

🔐 Accenture has uncovered a novel malware named RustyRocket deployed by the World Leaks extortion group to maintain stealthy persistence and proxy exfiltration across Windows and Linux environments. Written in Rust, the tool uses multi-layer encrypted tunnels, heavy obfuscation and a pre-encrypted runtime configuration guardrail that makes activity difficult to detect and monitor. Accenture advises monitoring anomalous outbound transfers and enforcing network segmentation to limit lateral movement.
read more →

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.
read more →

North Korean actors use ClickFix and macOS backdoors

🔐UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.
read more →

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.
read more →

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk on IPFS that mounts locally and contains a Windows Script File (WSF) masquerading as a PDF; opening it executes AsyncRAT and grants remote access. Organizations should configure Windows to show file extensions and treat gateway-hosted files with caution.
read more →

VoidLink: Modular Linux Implant Framework Rising Activity

🛡️ Cisco Talos describes VoidLink as a modular implant management framework focused on Linux, providing advanced persistence, evasion, and plugin-based extensibility. The framework implements RBAC, mesh P2P communications, compile-on-demand plugins, and kernel-level components to hide implants and C2 infrastructure. Talos attributes VoidLink use to an actor tracked as UAT-9921, notes rapid AI-assisted development, and highlights cloud-aware scanning and broad targeting.
read more →

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.
read more →

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.
read more →

Malicious 7-Zip Clone Distributes Installer with Proxyware

🔒 A fake 7-Zip website (7zip[.]com) distributes a trojanized installer that installs the legitimate archiver along with proxyware that enrolls infected hosts as residential proxy nodes. The installer drops Uphero.exe, hero.exe and hero.dll, creates a SYSTEM service and modifies firewall rules. Malwarebytes found C2 domains using Cloudflare, TLS and DoH, and recommends obtaining software from official sites instead of following links from videos or search ads.
read more →

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files exploit hidden extensions and copied Windows icons to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.
read more →

NCSC Warns CNI Operators of Severe Cyber-Attacks Now

⚠️ The NCSC has issued an urgent alert to critical national infrastructure (CNI) providers after December's coordinated malware attacks against Poland's energy sector, urging operators to act now to defend UK assets. Director Jonathan Ellison stressed the need to follow recent NCSC guidance on monitoring, situational awareness and hardening network defences. Recommended measures include patching, access controls and MFA, secure-by-design management and robust resilience and recovery plans.
read more →

VoidLink Linux Malware Targets Multi-Cloud Environments

🔍 New analysis by Ontinue details VoidLink, a Linux-based command-and-control framework that generates implant binaries for credential theft, data exfiltration and stealthy persistence across cloud and enterprise hosts. The agent fingerprints AWS, GCP, Azure, Alibaba and Tencent environments and adapts its behavior, loading modular plugins for container escape and kernel-level stealth. Researchers identified unusual development artefacts — structured "Phase X:" labels, duplicated numbering, verbose debug logs and embedded documentation — that suggest parts of the implant were written or assisted by a large language model coding agent with limited human review.
read more →

OpenClaw Adds VirusTotal Scanning to ClawHub Skills

🔒 OpenClaw has integrated VirusTotal malware scanning into its ClawHub skills marketplace to automatically vet published skills. Packages are hashed and analyzed with Code Insight (powered by Gemini); benign skills are auto-approved, suspicious ones receive warnings, and confirmed malicious skills are blocked and re-scanned daily. The move responds to documented malicious extensions and unauthorized enterprise deployments, though OpenClaw stresses scanning is not a complete defense against prompt injection or logic abuse.
read more →

DKnife AitM Framework Compromises Network Gateways

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.
read more →