< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 25 of 46

Malicious PyPI Package Impersonates SymPy, Deploys Miner

🔍 A malicious PyPI package named sympy-dev was found impersonating SymPy, copying the legitimate project's description to trick users; it has been downloaded over 1,100 times since its January 17, 2026 publication. Socket's analysis shows select symbolic-math routines were modified to retrieve a remote JSON configuration and download an ELF payload that launches an XMRig miner. The backdoor executes the ELF binary directly in memory via memfd_create and /proc/self/fd to reduce on-disk artifacts and only triggers when specific polynomial functions are invoked to remain stealthy.
read more →

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.
read more →

VoidLink: AI-Generated Linux Malware Targets Cloud Servers

🧠 Check Point researchers say VoidLink, a modular Linux malware family targeting cloud servers, appears to have been largely generated and orchestrated by AI. The toolkit contains over 30 plugins for persistence, stealth and remote control. An exposed development plan and timestamps suggest a single operator used AI agents to plan sprints, generate design documents, probe guardrails and iteratively produce working code within weeks.
read more →

VoidLink: AI-Assisted Linux Malware Framework Revealed

🛡️ Check Point Research and Sysdig examined a sophisticated Linux malware framework called VoidLink and concluded a single developer used an AI coding agent to accelerate development. The Zig-based project grew to over 88,000 lines by December 2025 and exhibits systematic artifacts — consistent debug formatting, placeholder data like "John Doe", uniform _v3 API patterns, and exhaustive JSON templates — that suggest heavy LLM involvement. No real-world infections have been observed, but researchers warn this case demonstrates how AI can rapidly lower the barrier to creating advanced offensive tooling.
read more →

VoidLink cloud malware shows clear signs of AI generation

🧠 Check Point Research reports that the VoidLink Linux cloud malware framework displays clear evidence of being developed predominantly with AI assistance. The actor used an AI-centric IDE, TRAE, and its assistant TRAE SOLO to produce specification documents, sprint plans, and large portions of source code, which reached a working state within days. Exposed development artifacts — including TRAE helper files and an open directory of source and docs — allowed researchers to match generated specs to the recovered code and reproduce the development workflow, leading Check Point to conclude this is a notable example of AI-driven malware development.
read more →

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.
read more →

VoidLink Signals a New Era in AI-Generated Malware

🤖 Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.
read more →

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.
read more →

PDFSIDER: Encrypted Backdoor Uses DLL Side-Loading Toolkit

🔒 Resecurity researchers have identified a sophisticated backdoor called PDFSIDER, delivered via DLL side-loading from a trojanized, digitally signed PDF utility. The malware embeds the Botan crypto library and uses AES-256-GCM for an encrypted C2 channel, executing commands via cmd.exe entirely in memory and returning output over anonymous pipes. It performs anti-VM and debugger checks, exfiltrates data (including over DNS/53), and is assessed as targeted tradecraft that evades many AV and EDR products.
read more →

Weekly Recap: Fortinet Exploits, RedLine & Emerging Threats

⚡ This week’s roundup highlights active exploitation of a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) that can lead to full appliance compromise, alongside new malware and supply-chain concerns. Researchers also disclosed a clipboard‑hijacking campaign distributed by RedLineCyber and a Reprompt attack that targeted Microsoft Copilot via P2P prompt injection. Other notable items include a cloud-native Linux framework called VoidLink, disruption of the RedVDS criminal service, and an AWS CodeBuild misconfiguration that raised supply‑chain risks. Defenders should prioritize patching high-severity CVEs, harden CI/CD configurations, and treat AI/chatbot integrations and exposed devices as part of the attack surface.
read more →

Malicious Google Chrome Extensions Hijack Workday and Netsuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.
read more →

CrashFix Chrome Extension Delivers ModeloRAT Payload

⚠️ Researchers disclosed an active campaign, tracked as KongTuke and codenamed CrashFix, that used a malicious Chrome extension posing as an ad blocker to deliberately crash browsers and coerce victims into running commands. The fake add-on, “NexShield – Advanced Web Guardian,” impersonated uBlock Origin Lite, garnered 5,000+ installs, and implements delayed execution, DoS crash loops, and anti-analysis controls. The lure prompts users to paste a pre-copied command into the Windows Run dialog that abuses finger.exe to fetch a PowerShell chain, ultimately delivering the previously undocumented ModeloRAT. Huntress warns the technique weaponizes user frustration to create a persistent, self-sustaining infection loop that can hand victims off to other threat actors.
read more →

Credential-stealing Chrome extensions target HR platforms

🔒 Socket discovered malicious Chrome extensions on the Web Store that mimicked productivity and security tools for enterprise HR and ERP systems and had been installed over 2,300 times. The five extensions targeted Workday, NetSuite, and SAP SuccessFactors, employing cookie exfiltration, DOM manipulation to block admin pages, and cookie injection to enable session hijacking. Google removed the extensions after notification; affected users should report use to administrators, perform incident response, and change credentials on impacted platforms.
read more →

GhostPoster Extensions Removed After 840K Installations

⚠️ LayerX researchers identified 17 malicious browser extensions tied to the GhostPoster campaign that collectively recorded about 840,000 installs across Chrome, Firefox, and Edge. The extensions concealed heavily obfuscated JavaScript inside image files and icons to monitor browsing activity, implant a backdoor, hijack affiliate links, and inject invisible iframes for ad and click fraud. A more advanced variant in an Instagram Downloader extension used staged execution and bundled image payloads to evade detection; stores have removed the listed extensions, but installed users may still be compromised.
read more →

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.
read more →

Chrome Extensions Impersonating Workday and NetSuite

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.
read more →

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
read more →

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.
read more →

Gootloader Abuses 1,000-Part ZIPs to Evade Detection

🛡️ Gootloader operators now deliver malformed ZIP archives that concatenate up to 1,000 parts to evade analysis and detection. The archived JScript unpacks successfully with Windows' built-in extractor while tools relying on 7-Zip and WinRAR often crash. Samples employ truncated EOCD entries, randomized disk fields, metadata mismatches and XOR-encoded blobs appended client-side. Researchers devised a YARA rule and advise changing the default .js opener to Notepad and blocking wscript.exe/cscript.exe where possible.
read more →

ThreatsDay Weekly: Redis RCE, RMM Abuse, AI Voice Brief

🛡️ This week’s ThreatsDay covers a broad set of active risks: a critical Redis XACKDEL stack‑overflow RCE (CVE‑2025‑62507, CVSS 8.8) with ~2,924 servers affected, signed malware campaigns by BaoLoader, and surging abuse of legitimate RMM tools delivered by phishing. Researchers also disclosed RCE in AI/ML libraries via Hydra.instantiate() misuse and a new voice‑cloning evasion technique, VocalBridge. Multiple OT, Wi‑Fi, and smart‑contract incidents — and law‑enforcement activity — round out this week’s notable developments. Prioritize patches, certificate vetting, and account hygiene.
read more →