< ciso
brief />
Tag Banner

All news with #malware tag

900 articles · page 23 of 45

341 Malicious ClawHub Skills Target OpenClaw Users

⚠️ A security audit by Koi Security found 341 malicious skills among 2,857 listings on the ClawHub marketplace, many deploying a macOS stealer tracked as Atomic Stealer in a campaign dubbed ClawHavoc. Attackers used fake prerequisites and social engineering to trick users into running installers or terminal scripts that fetch next-stage payloads from attacker-controlled infrastructure. The malicious skills include typosquats, crypto tools, YouTube utilities and backdoors that exfiltrate bot credentials and keys, exposing OpenClaw users to significant supply-chain risks.
read more →

Stealthy Windows RAT Enables Live Operator Conversations

🔒 Security researchers at Point Wild’s Lat61 team disclosed a Windows campaign that uses a multi-stage chain to establish persistent, memory-resident access and steal sensitive data. The attack starts with a small batch script that creates a per-user Registry Run key and launches a PowerShell loader which decodes Donut-generated shellcode and injects a heavily obfuscated .NET payload into memory. The modular Pulsar RAT supports live, interactive operator control alongside a parallel stealer, with stolen data exfiltrated as ZIP archives via Discord webhooks and Telegram bots.
read more →

Android RAT Abuses Hugging Face to Host Malware Campaign

🔒 A new Android remote access trojan (RAT) leverages the AI hosting platform Hugging Face to store and deliver malicious APK payloads, researchers at Bitdefender report. The campaign distributes a dropper app called TrustBastion that uses fake update dialogs to trick users into downloading an updater which redirects to repositories hosting polymorphic RAT APKs. Operators made frequent commits and shifted repositories to avoid takedowns, while the malware requests Accessibility and screen-recording permissions to capture credentials and relay data to command-and-control servers.
read more →

eScan Antivirus Update Servers Compromised, Deliver Malware

⚠ MicroWorld Technologies confirmed unknown attackers compromised the update infrastructure for its eScan antivirus and pushed a malicious update that deployed a multi-stage downloader to enterprise and consumer endpoints. The rogue update replaced the legitimate reload.exe with a binary signed by a fake or invalid signature; it executes three Base64-encoded PowerShell stages, includes an AMSI bypass and prevents automatic remediation. Kaspersky and Morphisec report hundreds of attempted infections mainly in India and neighboring countries. MicroWorld isolated affected update servers for hours and released a remediation package; impacted customers should contact the vendor for the fix.
read more →

Open VSX Supply Chain Attack Leveraged Dev Account

🛡️ On January 30, 2026, threat actors used a compromised developer account to publish malicious updates to four Open VSX extensions, embedding the GlassWorm loader. The extensions — previously legitimate utilities with over 22,000 combined downloads — were removed after discovery. The loader decrypts and execute payloads at runtime, employing EtherHiding and Solana memos for C2 rotation. It targets macOS credentials and cryptocurrency wallets.
read more →

Chrome Extensions Inject Affiliate Tags, Steal Tokens

⚠️Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions requesting broad permissions or combining unrelated features.
read more →

Hugging Face Hosting Abused to Distribute Android RAT

🛡️ Bitdefender Labs reports a large-scale Android malware campaign that leveraged Hugging Face's public hosting to deliver a remote access trojan (RAT). The operation begins with a scareware dropper disguised as a security app, TrustBastion, which tricks users via fake infection alerts into downloading a second-stage APK from a Hugging Face dataset. Attackers automated payload generation with thousands of unique APKs and frequent commits to evade signature-based detection. The installed RAT requests high-risk permissions — Accessibility Services, screen recording, casting, and overlay rights — enabling credential harvesting, screen capture, persistent control, and exfiltration; Bitdefender notified Hugging Face and the malicious datasets were removed, though variants resurfaced elsewhere.
read more →

AI-assisted 'RedKitten' Malware Targets Iranian Protesters

🚨 French cybersecurity firm HarfangLab uncovered a January 2026 campaign dubbed RedKitten that leverages emotionally charged, forged forensic files to deliver a .NET implant called SloppyMIO. The attack begins with a password-protected 7z archive containing malicious Excel spreadsheets that prompt users to enable macros and drop a C# payload. SloppyMIO hijacks a legitimate Windows binary to run stealthily, establishes persistence via scheduled tasks, fetches modules from GitHub and Google Drive, and uses Telegram as its command-and-control channel. Researchers noted multiple traces of LLM-assisted development and assessed the campaign as aligned with Iranian government security interests.
read more →

Badges, Bytes and Blackmail: Law Enforcement Trends

🛡️ Orange Cyberdefense compiled a dataset of 418 publicly reported law enforcement actions from 2021 to mid-2025 to clarify how agencies address cybercrime. The study shows extortion (including ransomware), malware, and hacking are the most targeted offenses, while arrests (29%), takedowns (17%) and charges (14%) are the predominant responses. The U.S. DOJ and FBI are most visible, with extensive public–private collaboration supporting operations.
read more →

Hugging Face abused to host thousands of Android malware

🚨Researchers at Bitdefender found an Android campaign using the Hugging Face platform to host and serve thousands of malicious APK variants. A scareware dropper called TrustBastion lures victims with fake Google Play update prompts, redirects to a Hugging Face dataset, and downloads the payload via the platform's CDN. The RAT aggressively abuses Android Accessibility Services to present overlays, capture screens, impersonate login UIs for services such as Alipay and WeChat, block uninstall, and exfiltrate credentials; Hugging Face removed the malicious datasets after notification.
read more →

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.
read more →

Researchers Find 175,000 Publicly Accessible Ollama Hosts

🔍 A joint investigation by SentinelOne SentinelLABS and Censys identified 175,000 publicly reachable Ollama hosts across 130 countries, spanning cloud and residential networks. Nearly half of observed instances advertise tool-calling capabilities that can execute code, access APIs, and interact with external systems, significantly raising the threat profile. Researchers warn these unmanaged LLM deployments lack standard authentication and monitoring, enabling active LLMjacking campaigns and resale of illicit access.
read more →

Google and Partners Disrupt Major Residential Proxy Network

🔍 Google and industry partners have disrupted IPIDEA, a large residential proxy network used to conceal malicious activity. The operation combined court action to seize domains with intelligence-sharing and platform enforcement, including expanded protections in Google Play Protect that remove apps embedding IPIDEA SDKs and block further installs. Google reports these steps have reduced the pool of proxy devices by millions and expect knock-on effects across reseller-linked services. The network’s SDKs were tied to multiple botnets and used by numerous threat actors to obscure follow-on attacks.
read more →

Roblox Mod Downloads Becoming Major Infostealer Risk

🛡️Infostealer-laden Roblox “mods” and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise — not software exploits — is the primary enterprise threat.
read more →

Interlock Ransomware: New Techniques, Same Old Tricks

🔒 Fortinet's FortiGuard Incident Response describes a protracted Interlock intrusion that targeted education organizations, linking MintLoader initial access to NodeSnakeRAT and Interlock RAT implants. The report highlights a novel process-killer, Hotta Killer, that abuses a signed but vulnerable gaming anti-cheat driver (CVE-2025-61155) in a BYOVD technique to terminate security processes. Operators exfiltrated about 250 GB using AZCopy before deploying JavaScript and ELF ransomware across Windows and Nutanix hosts. FortiGuard recommends blocking unnecessary remote-access tools, restricting PowerShell egress, and monitoring anomalous driver installations.
read more →

Google Disrupts IPIDEA Residential Proxy Network Operations

🚨 Google said it disrupted IPIDEA, a large residential proxy service, seizing dozens of domains and rendering the IPIDEA site inaccessible after legal action. The company said the network advertised more than 6.1 million daily updated IPs and 69,000 daily new addresses and had been leveraged by over 550 distinct threat groups for cybercrime, espionage, and APT activity. Google reported about 7,400 Tier Two servers, flagged thousands of trojanized Windows binaries and roughly 600 Android apps tied to the service, and updated Google Play Protect to warn or remove apps containing IPIDEA code.
read more →

YouTuber wins landmark ruling after Pegasus phone hack

📱 In episode 452 Graham Cluley and guest Joe Tidy discuss a London-based YouTuber who has won a landmark UK ruling after his phone was compromised by Pegasus spyware, illustrating how a single malicious SMS can enable continuous, covert surveillance. They also investigate dark-web services, including a reported portal offering hitmen, and cover headlines such as Microsoft Patch Tuesday problems, alleged Russian wiper activity against Poland’s grid, and US charges tied to ATM malware.
read more →

eScan Confirms Update Server Breach That Pushed Malware

⚠️ MicroWorld Technologies, maker of eScan, confirmed a breach of a regional update server that delivered an unauthorized, later-analyzed malicious update to a subset of customers during a two-hour window on January 20, 2026. The company says it isolated and rebuilt the affected infrastructure, rotated credentials, and issued a remediation tool. Security firm Morphisec published a technical analysis linking a modified Reload.exe to multi-stage malware and a backdoor named CONSCTLX.exe, and the vendors dispute who reported the incident first.
read more →

Fake Moltbot VS Code Extension Deploys Remote Access

⚠️ A malicious Visual Studio Code extension impersonating Moltbot, published as 'ClawdBot Agent - AI Coding Assistant' (clawdbot.clawdbot-agent), was distributed on the official Marketplace and has since been removed by Microsoft. The add-on auto-executes on IDE launch, fetches a remote config.json and installs a binary that deploys an ConnectWise ScreenConnect client connecting to attacker infrastructure. It includes DLL sideload and batch-script fallbacks and hard-coded payload URLs. Researchers warn exposed Moltbot instances and insecure defaults increase the risk of credential theft and remote compromise.
read more →

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.
read more →