
All news with #malware tag

Weekly Recap: Automation, Exploits, and Rapid Escalation

🔐 This week's recap highlights how small oversights and automation conveniences have become widespread attack vectors, enabling rapid, large-scale compromise. Key incidents include a maximum-severity RCE in n8n (Ni8mare, CVE-2026-21858) affecting self-hosted instances, the 2M-device Kimwolf Android botnet, and malicious Chrome extensions that exfiltrated AI conversations. The report catalogs numerous trending CVEs and active campaigns, emphasizing that familiar tools and exposed services are the biggest risks today.

Who Benefited From the Aisuru and Kimwolf Botnets: Findings

🔍 This analysis traces how the Aisuru and Kimwolf botnets turned millions of unsecured Android TV streaming boxes into residential proxies and DDoS participants. Investigators linked proxy traffic and control infrastructure to a Utah hosting firm, Resi Rack, a Discord marketplace (resi.to), and vendors including Plainproxies/ByteConnect and Maskify. Operators hardened control with the Ethereum Name Service to evade takedowns. Owners of affected TV boxes are urged to disconnect and replace them.

GoBruteforcer Botnet Bruteforces Exposed Linux Services

🔒 Check Point Research (CPR) reports that the GoBruteforcer botnet is actively targeting internet‑facing Linux servers, using large‑scale brute‑force attacks against services such as FTP, MySQL, PostgreSQL and phpMyAdmin. The latest Go‑based variant, observed since mid‑2025, introduces heavier obfuscation, stronger persistence and techniques to hide malicious processes. Compromised hosts become scanning and attack nodes, enabling data theft, backdoors, resale of access and further propagation. Analysts also recovered tools used to sweep TRON and Binance Smart Chain assets, underscoring a financial motive behind some campaigns.

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱 Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials, and the malware logs propagation metrics.

ThreatsDay: Weekly roundup — hacks, vulnerabilities, trends

🛡️ This week's ThreatsDay highlights a critical RustFS gRPC authentication flaw with a hard-coded token (CVSS 9.8) that allowed network attackers to perform privileged operations and was patched in 1.0.0-alpha.78. Other notable stories include GeoServer-based XMRig miners, an evolution in Iran-linked MuddyWater custom backdoors, a surge in Taiwanese infrastructure attacks, and CISA's KEV catalog expansion. Organizations should apply patches, enable MFA, and monitor credentials and exposed services.

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes that UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators, and has released ClamAV and Snort signatures for detection.

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.

Black Cat SEO Poisoning Campaign Distributes Backdoor

🚨 A cybercrime gang known as Black Cat has been linked to an SEO poisoning campaign that tricks users with fake download pages for popular programs such as Google Chrome and Notepad++. Visitors are redirected to a GitHub‑mimicking host where a ZIP delivers an installer that creates a desktop shortcut which side‑loads a malicious DLL and deploys a backdoor. The backdoor contacts a hard‑coded C2 and can steal browser data, log keystrokes and capture clipboard contents. Users should avoid clicking unknown search results and download software only from official sources.

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Data

🔍 OX Security researchers uncovered two malicious Chrome extensions — Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude, and more — installed by over 900,000 users. The add-ons scrape ChatGPT and DeepSeek conversation content and all open tab URLs, then batch-upload harvested data to attacker-controlled servers. Operators used hosted privacy pages and impersonation to obscure activity; users should remove these extensions and audit exposed data immediately.

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.

VVS Stealer Employs Advanced Obfuscation Targeting Discord

🛡️ VVS Stealer is a Python-based credential-stealing malware distributed as a PyInstaller package and protected with Pyarmor obfuscation in BCC mode to hinder analysis. It targets Discord tokens and browser-stored credentials, injects malicious JavaScript into the Discord client, and exfiltrates data via Discord webhooks. The sample persists by copying itself to the Windows startup folder and displays fake error messages to evade detection.

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.

VVS Stealer: Python info-stealer targets Discord now

🐍 Researchers disclosed a new Python-based information stealer called VVS Stealer that harvests Discord tokens, account data and browser credentials. The malware, sold on Telegram with subscription and one-time tiers, is obfuscated with Pyarmor and packaged via PyInstaller to hinder analysis. It persists by adding itself to the Windows Startup folder and shows fake "Fatal Error" pop-ups. VVS injects into Discord and uses a downloaded obfuscated JavaScript payload to monitor traffic via the Chrome DevTools Protocol for session hijacking.

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.

Suspect Arrested in KMSAuto Clipper Campaign — 2.8M Infected

🚨 South Korean authorities arrested a 29-year-old Lithuanian accused of distributing a clipboard-stealing clipper embedded in a trojanized KMSAuto activation tool that was downloaded 2.8 million times worldwide. The suspect was extradited from Georgia after investigators traced about KRW 1.7 billion (~$1.2M) diverted in 8,400 transactions. Devices seized in a December 2024 raid yielded evidence leading to the April 2025 arrest. Officials warn against using unofficial activators and unsigned executables.