All news with #malware tag

🔐 Unit 42 identified 01flip, a new Rust‑based ransomware family observed in June 2025 that targets both Windows and Linux via Rust cross‑compilation. The malware enumerates writable directories, drops RECOVER-YOUR-FILE.TXT ransom notes, renames files with a .01flip extension, and encrypts victims with AES‑128‑CBC while protecting session keys with an embedded RSA‑2048 public key. Observed victims are a limited set in the Asia‑Pacific region, and an alleged data dump appeared on a dark‑web forum after at least one infection.

🧠 Polymorphic AI malware is more hype than breakthrough: attackers are experimenting with LLMs, but practical advantages over traditional polymorphic techniques remain limited. AI mainly accelerates tasks—debugging, translating samples, generating boilerplate, and crafting convincing phishing lures—reducing the skill barrier and increasing campaign tempo. Many AI-assisted variants are unstable or detectable in practice; defenders should focus on behavioral detection, identity protections, and response automation rather than fearing instant, reliable self‑rewriting malware.

🛡️ The Shai-Hulud 2.0 campaign is a widescale npm supply-chain compromise that injects malicious preinstall scripts to execute a bundled Bun runtime and harvest cloud credentials. Microsoft Defender observed attackers installing GitHub Actions runners named SHA1HULUD, using TruffleHog to locate secrets, and exfiltrating stolen credentials to public repositories. The guidance outlines detections, hunting queries, and prioritized mitigations for developers, maintainers, and cloud defenders.

🛡️Recorded Future's Insikt Group attributes rapid expansion of a modular loader ecosystem to an actor named GrayBravo, noting the distribution of a loader called CastleLoader under a malware-as-a-service model. The report identifies four distinct operational clusters that employ phishing, ClickFix campaigns, malvertising, and impersonation to deliver CastleLoader and secondary payloads such as CastleRAT and NetSupport RAT. These campaigns target logistics and enterprise software users and leverage multi-tiered C2 infrastructure and fraudulent platform accounts to increase credibility and resilience.

🛡️Kaspersky researchers uncovered a macOS campaign in which attackers used paid search ads to point victims to a public shared chat on ChatGPT that contained a fake installation guide for an “Atlas” browser. The guide instructs users to paste a single Terminal command that downloads a script from atlas-extension.com and requests system credentials. Executing it deploys the AMOS infostealer and a persistent backdoor that exfiltrates browser data, crypto wallets and files. Users should not run unsolicited commands and must use updated anti‑malware and careful verification before following online guides.

🔒 Security researchers uncovered malicious extensions on the Microsoft Visual Studio Code Marketplace that delivered stealer malware while posing as a dark theme and an AI assistant. Koi Security reported the extensions downloaded additional payloads, captured screenshots, and siphoned emails, Slack messages, Wi‑Fi passwords, clipboard contents and browser sessions to attacker servers. Microsoft removed the packages in early December 2025 after investigators linked them to a publisher using multiple similarly named packages.

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

🛡️ Two malicious Visual Studio Code extensions on Microsoft's Marketplace, Bitcoin Black and Codo AI, were found delivering an information-stealing payload that can capture screenshots, harvest credentials and crypto wallets, and hijack browser sessions. Published under the developer name 'BigBlack', Codo AI remained live with under 30 downloads at the time of reporting while Bitcoin Black showed a single install. Researchers at Koi Security observed that Bitcoin Black uses a wildcard activation and executes PowerShell or a hidden batch script to download a DLL and executable that leverage DLL hijacking to run the infostealer as 'runtime.exe'.

🔍 Securonix has detailed a campaign named JS#SMUGGLER that leverages compromised websites and an obfuscated JavaScript loader to deliver the NetSupport RAT. Attackers chain a hidden iframe and a remote HTA executed via mshta.exe to run encrypted PowerShell stagers and fetch the RAT. The loader applies device-aware branching and a visit-tracking mechanism to trigger payloads only on first visits, reducing detection risk. Temporary stagers are removed and payloads execute in-memory to minimize forensic artifacts.

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.

🔒 CISA warns that Chinese threat actors have used Brickstorm malware to backdoor VMware vSphere servers, creating hidden rogue virtual machines and exfiltrating cloned VM snapshots to harvest credentials. A joint analysis with the NSA and Canada's Cyber Security Centre examined eight samples and documents layered evasion including nested TLS, WebSockets, SOCKS proxying and DNS-over-HTTPS. CISA provides YARA and Sigma rules, advises blocking unauthorized DoH providers, inventorying edge devices, segmenting DMZ-to-internal traffic, and reporting detections as required.

🚨 ReliaQuest attributes a false-flag SEO poisoning campaign to the actor known as Silver Fox, which has been active since November 2025 and aims to masquerade as a Russian group to mislead investigators. The campaign pushes a malicious Teams installer packaged as "MSTчamsSetup.zip" from an Alibaba Cloud URL, drops a trojanized Setup.exe, establishes exclusions in Microsoft Defender, and writes a staged installer "Verifier.exe" to the AppData profile. The loader scans for security processes, injects a malicious DLL into rundll32.exe, and reaches out to a remote server to retrieve the final ValleyRAT payload.

🔒FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.

🛡️ CISA, NSA, and the Canadian Centre for Cyber Security report that PRC state-sponsored actors deployed the BRICKSTORM backdoor to gain long-term persistence on VMware vSphere (vCenter/ESXi) and Windows hosts. The analysis of eight samples includes YARA and Sigma detection content plus scanning guidance for vCenter filesystems and SIEMs. Organizations should apply the provided IOCs and detection signatures, hunt for modified init scripts, DoH resolver requests, and hidden API endpoints, and report any findings immediately.

🔒 CISA warns that PRC state-sponsored actors are deploying the BRICKSTORM backdoor to maintain stealthy, long-term access on VMware vSphere and Windows hosts. The malware leverages nested TLS/WebSockets, DNS-over-HTTPS, and a SOCKS proxy for encrypted C2, lateral movement, and tunneling, and implements a self‑healing persistence mechanism. CISA urges defenders to hunt with provided YARA/Sigma rules, block unauthorized DoH, inventory edge devices, and enforce DMZ segmentation.

🔒This week's ThreatsDay roundup highlights a string of high-impact incidents, from a $9 million DeFi drain and an npm-based self-replicating worm to airport Wi‑Fi evil‑twin attacks and mass camera compromises. Researchers and vendors including Fortinet, Microsoft, and TruffleHog disclosed evolving malware techniques, supply-chain abuse, and widespread credential exposure. Practical protections include minimizing long-lived secrets, enforcing CI/CD safeguards, updating detection for eBPF-based threats, and applying MFA and phishing-resistant controls.

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.

🔒 Water Saci has shifted to a layered infection chain that uses HTA files and malicious PDFs delivered via WhatsApp to deploy a banking trojan in Brazil. The actors moved from PowerShell to a Python-based worm that propagates through WhatsApp Web, while an MSI/AutoIt installer and process-hollowing techniques load the trojan only on Portuguese (Brazil) systems. Trend Micro links the behavior to Casbaneiro-style features and notes possible use of code-translation or AI tools to port scripts. In parallel, a React Native Android strain named RelayNFC executes real-time NFC APDU relays to enable contactless payment fraud.