< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 22 of 46

DKnife AitM Framework Compromises Network Gateways

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.
read more →

DKnife toolkit hijacks routers to spy and deliver malware

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.
read more →

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which can bypass some built-in protections; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.
read more →

Compromised dYdX npm and PyPI packages deliver malware

⚠️ Cybersecurity researchers disclosed a supply chain attack that replaced legitimate dYdX packages on npm and PyPI with malicious releases designed to steal wallet credentials and enable remote code execution. Malicious code ran during normal use, exfiltrating seed phrases, device data and calling back to a command-and-control endpoint. dYdX and researchers advise isolating affected hosts, moving funds from clean systems and rotating credentials.
read more →

Ransomware Actors Abuse ISPsystem VMs for Payload Delivery

🛡️ Ransomware groups are abusing virtual machines provisioned by ISPsystem to host and deliver malware at scale. Sophos researchers found identical Windows VM hostnames and system identifiers reused from default VMmanager templates, enabling operators such as LockBit, Qilin, Conti, BlackCat/ALPHV and others to hide malicious infrastructure among legitimate hosts. The tactic complicates attribution and slows takedown efforts, and Sophos tied most malicious VMs to a small cluster of poorly reputed hosting providers.
read more →

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.
read more →

Notepad++ Update Infrastructure Compromised by Backdoor

🛡️ Hackers linked to the Chinese government trojanized the Notepad++ update supply chain to deliver a backdoor to selected users. The vendor reports the hosting provider's infrastructure remained compromised until September 2, and attackers retained credentials through December 2, enabling continued redirection of chosen update traffic to malicious servers. The threat actor explicitly targeted insufficient update verification controls in older releases and attempted to re-exploit a flaw after it was fixed. Users are advised to run at least version 8.9.1 and verify update integrity.
read more →

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.
read more →

Smashing Security #453: Epstein Files Expose Risks Now

📰 In episode 453 of Smashing Security, Graham Cluley and guest Tricia Howard examine how sloppy redaction and a mix of AI and open social profiles can deanonymise documents once thought obscured. They discuss real-world incidents including malware delivery via a compromised Notepad++ installer, a sex-addiction app leaking intimate user data, and a problematic AV update used to distribute malware. The episode also highlights insider-threat risks after a senior US cybersecurity official uploaded sensitive government material into a public ChatGPT instance, and explores how broken trust can have lasting reputational consequences for vendors and organisations.
read more →

Attackers Modify NGINX Configurations to Redirect Traffic

🔁 Researchers at DataDog Security Labs uncovered a campaign in which threat actors compromise NGINX servers and Baota-managed hosting panels to inject malicious 'location' blocks into configuration files, rerouting user requests through attacker-controlled backends. The attackers preserve headers like Host, X-Real-IP, User-Agent, and Referer to blend traffic with legitimate requests. The injection toolkit runs in five scripted stages and exfiltrates a map of hijacked domains to a C2 at 158.94.210[.]227.
read more →

Threat Actors Hijack Web Traffic via React2Shell Exploit

⚠️ Researchers at Datadog Security Labs report that threat actors are exploiting the React2Shell vulnerability to compromise servers running NGINX managed via Boato Panel and to hijack web traffic. Attackers deploy multi-stage scripts that discover targets, establish persistence, and generate malicious configuration files to redirect users or deliver malware. The campaign targets primarily Asian domains and Chinese hosting infrastructure, and unpatched React server components remain at high risk.
read more →

Global SystemBC Botnet Active on Over 10,000 Systems

🛡️ Silent Push links the long-running SystemBC malware to more than 10,000 infected IP addresses worldwide, including hosts tied to government sites. SystemBC acts as a multi-platform SOCKS5 proxy, turning compromised machines into relays that help attackers hide infrastructure and maintain persistence, often appearing before ransomware is deployed. Researchers found infections concentrated in data centres, uncovered a Perl-based Linux variant undetected by 62 antivirus engines, and observed reliance on abuse-tolerant hosting for C2 operations.
read more →

AI Drives Rapid Doubling of Phishing Attacks in 2025

📨 Cofense reports that security filters caught a phishing email every 19 seconds in 2025 — more than double the 2024 rate of one every 42 seconds — as AI enables faster, larger-scale campaigns. The vendor's report, The New Era of Phishing: Threats Built in the Age of AI, warns that actors now use AI to generate highly personalized, polymorphic and multi-channel phishing that adapts per victim. It also highlights a 105% rise in remote access tool detections, a 19-fold spike in abuse of .es domains, and a 204% increase in email-delivered malware, urging post-delivery behavioral analysis and human validation.
read more →

Nearly 400 Malicious OpenClaw Crypto Trading Skills

⚠️ Security researcher Paul McCarty (aka 6mile) has identified 386 malicious OpenClaw "skills" on the ClawHub repository that impersonate crypto trading tools. The add-ons use social engineering to trick users into executing commands that deploy infostealers on macOS and Windows, harvesting exchange API keys, wallet private keys, SSH credentials and browser passwords. The discovered skills share a common C2 IP (91.92.242.30) and many remain available, with the most active uploader accounting for nearly 7,000 downloads.
read more →

Hackers Exploit Metro4Shell RCE in React Native CLI

🔒 VulnCheck observed active exploitation of CVE-2025-11953 (Metro4Shell), a critical RCE in the @react-native-community/cli Metro Development Server first seen on December 21, 2025. With a CVSS score of 9.8, the flaw enables unauthenticated remote command execution and was weaponized to deliver a Base64-encoded PowerShell loader that adds Microsoft Defender exclusions. The loader opens a raw TCP channel to 8.218.43.248:60124 to fetch and execute a Rust-based binary with anti-analysis checks; VulnCheck links the activity to multiple attacker IPs and describes it as operational exploitation.
read more →

Hackers Exploit React Native Metro Bug to Breach Systems

🔓 Security researchers warn that attackers are exploiting the critical CVE-2025-11953 flaw in the React Native Metro server to drop malicious Windows and Linux payloads. The issue abuses the development-only /open-url HTTP endpoint, which accepts POST requests and can pass a user-supplied URL unsanitized to the system open() call. JFrog disclosed the bug and it was fixed in @react-native-community/cli-server-api v20.0.0+, but active exploitation (Metro4Shell) has been observed delivering base64 PowerShell stagers and UPX-packed binaries.
read more →

Notepad++ Updates Hijacked in Chinese APT Supply-Chain

🔒 The open-source editor Notepad++ was the target of a sophisticated supply‑chain attack after threat actors compromised its shared hosting provider and redirected selective update traffic to malicious servers between June and December 2025. Researchers say the campaign is likely Chinese state‑sponsored; Rapid7 identified a custom backdoor called Chrysalis and observed Cobalt Strike and Metasploit activity. Notepad++ has migrated hosting and improved its WinGup updater to verify certificates and signatures, with enforcement planned in forthcoming releases.
read more →

GlassWorm campaign targets macOS via OpenVSX extensions

🐛 A new GlassWorm campaign distributed through compromised OpenVSX extensions is targeting macOS systems to steal passwords, crypto-wallet data, and developer credentials and configurations. Malicious updates pushed from the hijacked oorzc account on January 30 trojanized four packages with roughly 22,000 cumulative downloads and established persistence via a LaunchAgent while excluding Russian-locale systems. Socket's analysis shows broad data collection across browsers, wallets, macOS Keychain, Apple Notes, developer secrets, and exfiltration to 45.32.150[.]251; affected releases were removed and tokens revoked, but users are advised to perform full system clean-up and rotate secrets.
read more →

Infostealers Expand to macOS, Python, and Platform Abuse

🛡️ Microsoft Defender Experts report a cross-platform surge in infostealers that now target macOS, leverage Python toolchains, and abuse trusted platforms and utilities to deliver credential-stealing malware at scale. Since late 2025, macOS campaigns such as DigitStealer, MacSync, and AMOS have used social engineering, malicious DMGs, AppleScript, and fileless execution to harvest browser credentials, keychain secrets, developer keys, and crypto wallets. Phishing campaigns have delivered Python-based stealers like PXA Stealer, while platform-abuse activity has weaponized WhatsApp and fake PDF installers to propagate Eternidade Stealer and malicious Crystal PDF installers. Microsoft outlines Defender XDR detections, hunting queries, and mitigations to help organizations detect, contain, and remediate these evolving threats.
read more →

OpenClaw skills become a new malware delivery channel

🔍 VirusTotal has identified a surge of malicious OpenClaw skills being used as a delivery channel for droppers, backdoors, infostealers and remote access tools, turning automation workflows into a supply‑chain risk. VT added native support in Code Insight to analyze OpenClaw skill packages (including ZIPs) using Gemini 3 Flash, flagging behaviors like downloading and executing external code, network operations, and sensitive data access. The report highlights prolific abuse by a single publisher and provides concrete recommendations for users and marketplaces to reduce exposure.
read more →