< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 24 of 46

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.
read more →

Disrupting IPIDEA: Takedown of Major Proxy Network

🏠 This week Google Threat Intelligence Group led coordinated legal, technical, and platform actions to disrupt the IPIDEA residential proxy network, a large global provider of exit-node infrastructure. Actions included domain takedowns, sharing SDK and infrastructure intelligence with platform providers and law enforcement, and enforcing Google Play Protect to remove and block offending apps. These steps materially degraded IPIDEA’s operations and reduced the pool of available exit-node devices by millions while enabling broader partner remediation.
read more →

AI-Generated Code and Emojis Found in PureRAT Malware

🤖 Researchers report that the PureRAT remote access trojan is being produced with the assistance of AI, with leftover AI-authored comments and even emojis appearing in the malware’s code. Analysis by Symantec and the Carbon Black Threat Hunter Team ties these artifacts to scripts distributed via phishing emails posing as job opportunities. The presence of explicit AI instructions, debug messages and Vietnamese-language strings — including references to Hanoi — suggests a likely Vietnam-based operator. Despite the sloppy leftovers, PureRAT remains a capable infostealer enabling persistent remote access and data exfiltration.
read more →

Mustang Panda Deploys Updated COOLCLIENT for Data Theft

🚨 Kaspersky reports that China-linked Mustang Panda used an updated COOLCLIENT backdoor in 2025 to exfiltrate data from government targets across Myanmar, Mongolia, Malaysia, and Russia. The implant was deployed as a secondary backdoor alongside PlugX and LuminousMoth, delivered via encrypted loaders and abusing DLL side-loading of legitimately signed binaries. COOLCLIENT harvests keystrokes, clipboard data, files, and HTTP proxy credentials, can establish reverse tunnels, and loads in-memory plugins; recent waves also incorporated browser credential stealers and a previously unseen rootkit.
read more →

Sicarii Ransomware Discards Keys, Risks Permanent Data Loss

⚠️ Halcyon researchers report a Sicarii ransomware variant that generates a fresh RSA key pair on each execution and immediately discards the private key, leaving encrypted files unrecoverable even if victims pay or use a provided decryptor. Analysts attribute the defect to poor key management or immature development, possibly involving AI-assisted tooling. Affected organizations should prioritize containment, isolate systems, and restore only from known-good, offline, or immutable backups rather than relying on ransom-based recovery.
read more →

Surge in Malicious Open-Source Packages Raises Alarm

🔔 Sonatype's 2026 State of the Software Supply Chain report warns of a sharp rise in malicious open-source packages, finding 454,648 new malicious components in 2025 across Maven Central, PyPI, npm and NuGet. The vendor says developers downloaded components 9.8 trillion times last year and that threats have evolved from stunts into industrialized, multi-stage supply chain intrusions. The report highlights AI-related risks, typosquatting and namespace mimicry as primary enablers.
read more →

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.
read more →

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.
read more →

US Charges 31 More Suspects in ATM Malware Jackpotting

🔐 A Nebraska federal grand jury indicted 31 additional defendants accused of participating in an ATM jackpotting operation that used Ploutus malware to steal millions from U.S. ATMs. Authorities say many suspects are Venezuelan or Colombian nationals tied to the gang Tren de Aragua, an organization recently designated by OFAC as a Foreign Terrorist Organization. Investigators allege attackers opened ATM housings, swapped or connected drives to load malware, deleted evidence, and forced machines to dispense cash; the stolen proceeds were split and laundered. The Justice Department has charged 87 TdA members in related cases over the past six months.
read more →

New MaaS 'Stanley' enables phishing Chrome extensions

⚠️Researchers at Varonis warn of a new malware‑as‑a‑service named Stanley that sells malicious browser extensions engineered to pass review and appear on the Chrome Web Store. The extensions overlay a full‑screen iframe with attacker-controlled phishing content while leaving the address bar intact, and claim silent auto‑installation on Chromium browsers. Stanley offers subscription tiers, including a Luxe Plan that assists with publishing extensions, and provides operator controls for targeting, notifications, and session correlation.
read more →

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
read more →

eScan update breach distributes multi-stage malware

🛡️ Morphisec Threat Labs has identified a critical supply-chain compromise of MicroWorld Technologies’ eScan antivirus discovered on 20 January 2026, in which malicious updates were delivered via the vendor's legitimate update infrastructure. The trojanized 32-bit executable, allegedly signed with a compromised certificate, deployed a downloader and a 64-bit backdoor, established persistence and implemented anti-remediation controls to block further updates. Morphisec reported blocking the activity on protected systems and urged immediate investigative and remediation actions for affected organizations.
read more →

Tax Phishing Targets Indian Users to Deliver Blackmoon

🧾 Cybersecurity researchers uncovered a phishing campaign impersonating India's Income Tax Department that delivers a multi-stage backdoor to targeted users. The attackers distribute a ZIP containing an executable that sideloads a malicious DLL, performs anti-analysis checks, and fetches further payloads, ultimately deploying a Blackmoon variant alongside a repurposed SyncFuture TSM RMM tool. The operation employs UAC bypass, process masquerading, antivirus exclusion manipulation, and numerous helper scripts to establish persistent, covert access for long-term monitoring and data exfiltration.
read more →

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.
read more →

Malicious VS Code AI Extensions Exfiltrate Developer Data

⚠️ Koi Security researchers uncovered two malicious Microsoft Visual Studio Code extensions marketed as AI coding assistants that also exfiltrate developer files to China-based servers. The extensions — ChatGPT - 中文版 (whensunset.chatgpt-china, 1,340,869 installs) and ChatGPT - ChatMoss(CodeMoss) (zhukunpeng.chat-moss, 151,751 installs) — function normally while encoding every opened file and edits in Base64 and sending them to aihao123[.]cn. The campaign, dubbed MaliciousCorgi, includes remote-triggered bulk exfiltration and a hidden zero-pixel iframe that loads Chinese analytics SDKs to fingerprint users. Remove suspicious extensions, audit workspaces, and follow supply-chain hardening guidance.
read more →

Weekly Recap: Firewall Flaws, AI-Built Malware, CVEs

⚡ This weekly recap highlights shifting attack patterns and urgent fixes: an incomplete patch in Fortinet firewalls (CVE-2025-59718/59719) is being actively abused, while the VoidLink Linux malware appears largely produced with AI assistance. Researchers also disclosed a critical GNU InetUtils telnetd flaw (CVE-2026-24061) that can yield root shells. Other notable trends include vishing campaigns targeting major IdPs, malvertising that crashes browsers to deliver a Python RAT, and supply-chain/package compromises; administrators should prioritize exploitable, public-PoC, and KEV-class vulnerabilities.
read more →

Malicious AI VSCode Extensions Exfiltrate Developer Data

⚠️ Researchers from Koi found two malicious AI-style extensions on the VSCode Marketplace — ChatGPT – 中文版 and ChatMoss — that together have 1.5 million installs and silently transmit developer files to China-based servers. The extensions implement three distinct data-collection methods: real-time file reads and Base64 exfiltration via hidden webviews, a server-controlled file-harvest command that can steal up to 50 files, and a zero-pixel iframe that loads commercial analytics SDKs for fingerprinting and behavioral tracking. At publication both extensions were still available and Microsoft had not responded to inquiries.
read more →

US to deport Venezuelans who emptied bank ATMs using malware

🏧 South Carolina prosecutors said two Venezuelan nationals pleaded guilty to conspiracy and computer crimes after using malware to force ATMs to dispense cash across the southeastern United States. They targeted older ATM models, installing a Ploutus variant by connecting laptops, using external drives, or swapping hard drives to trigger unauthorized withdrawals. Both defendants were sentenced, ordered to pay restitution, and face deportation following their terms.
read more →

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.
read more →

VoidLink: Malware Largely Created by AI in Record Time

⚠️ Check Point Research says VoidLink, a modular Linux malware framework, appears to have been planned, structured, and largely written by AI rather than solely by human developers. Analysts found programmatically generated sprint-style plans, detailed technical specifications, and repetitive code patterns consistent with automated generation. The project reportedly grew to tens of thousands of lines of code in under a week, compressing months of work into days. That speed and planning raise concerns that AI can significantly lower the barrier to producing sophisticated, cloud- and container-focused threats.
read more →