< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 26 of 46

VoidLink: Advanced Modular Malware for Linux Cloud

🛡️ Researchers at Check Point disclosed VoidLink, a sophisticated modular malware framework targeting Linux servers and containers in cloud environments. Written primarily in Zig with supporting components in Go, C, and JavaScript, the platform uses a two-stage loader and an extensible plugin ecosystem (37 built-in modules) delivered via a professional web-based C2 dashboard to harvest credentials and access source code systems. It detects major cloud providers and container runtimes, adapts evasion strategies based on detected EDR and kernel hardening, and employs rootkits and covert C2 channels to maintain stealthy, long-term access.
read more →

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.
read more →

c-ares DLL Side-Loading Enables Malware Deployment

🔒 Researchers detail an active campaign abusing a DLL side-loading flaw in the open-source c-ares runtime to evade defenses and deploy commodity trojans and stealers. Attackers pair a malicious libcares-2.dll with signed copies of ahost.exe (commonly from GitKraken) placed in the same folder to hijack load order and achieve code execution. The operation distributes families including Agent Tesla, CryptBot, Formbook, Vidar, Lumma, Remcos and others using invoice- and RFQ-themed lures in multiple languages targeting finance, procurement and admin roles.
read more →

VoidLink: Advanced Linux Malware Framework Targets Cloud

🔍 A newly identified cloud-native Linux malware framework named VoidLink targets modern cloud and container environments, providing custom loaders, implants, rootkits, and memory-loaded plugins. According to Check Point, it is written in Zig, Go, and C and adapts behavior based on Kubernetes, Docker, and cloud metadata queries. Communications can use HTTP, WebSocket, DNS tunneling, or ICMP encapsulated in a custom encrypted layer VoidStream, and the framework includes extensive anti-forensics and runtime protections. Analysts assess it appears under active development and may be a commercial or customer-targeted framework rather than evidence of a current widespread campaign.
read more →

Malicious Chrome Extension Steals MEXC API Keys in Web Store

⚠ A malicious Chrome extension named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) has been found on the Chrome Web Store and is designed to create and steal API keys for the MEXC exchange. Published Sept 1, 2025 by a developer using the handle "jorjortan142," the add-on programmatically generates API keys with withdrawal permissions and hides the enabled permission in the UI. The extension injects a content script on MEXC's API management page, captures the Access and Secret keys when created, and exfiltrates them via HTTPS to a hard-coded Telegram bot. Socket researcher Kirill Boychenko reported 29 downloads and warns the threat remains active as long as stolen keys are valid.
read more →

Chinese Linux Malware Framework Targets Cloud and Containers

🔎 Check Point Research has identified a modular Linux malware framework, VoidLink, linked to Chinese-speaking developers and designed to target cloud and container environments. The framework includes custom loaders, implants, rootkits and over 30 plugins supporting reconnaissance, lateral movement, persistence and anti-forensic techniques. It detects AWS, GCP, Azure, Alibaba and Tencent and can enumerate containers, hypervisors and orchestration platforms. No live infections have been confirmed, but documentation suggests commercial intent and active development.
read more →

VoidLink: Cloud-Native Linux Malware Framework Unveiled

🛡️ Check Point Research describes VoidLink, a cloud-native Linux malware framework built to maintain long-term, stealthy access to cloud infrastructure rather than targeting individual endpoints. Its modular, plug-in-driven design enables attackers to extend capabilities over time while remaining quiet. Adaptive stealth allows the framework to alter behavior based on defensive visibility, prioritizing evasion in monitored environments and speed where visibility is limited.
read more →

VoidLink: Advanced Linux Cloud-Native Malware Framework

🛡️ Check Point Research disclosed a previously undocumented Linux malware framework named VoidLink, designed for long-term stealthy access to cloud and container environments. The cloud-native toolkit is highly modular, written in Zig, and comprises custom loaders, implants, rootkits, and an in-memory plugin system with more than 30 modules. It supports diverse C2 channels (HTTP/HTTPS, WebSocket, ICMP, DNS), peer-to-peer mesh networking, and automated cloud discovery across AWS, GCP, Azure, Alibaba, and Tencent. Check Point assesses the framework as actively maintained and attributes it to China-affiliated actors, warning of significant credential-theft and supply-chain risks for cloud-native ecosystems.
read more →

Old Playbook, New Scale: Attackers Optimize the Basics

🔐 Attackers in 2025 are not inventing wholly new techniques but refining long‑standing ones—supply‑chain compromise, credential theft, and malware in official stores—at vastly greater scale. AI has lowered the barrier to entry, enabling small teams or individuals to publish trusted packages, automate phishing, and pivot them to malicious behavior. Gaps in permission models and slow supply‑chain mitigation let these campaigns cascade through dependencies. Defenders should prioritize fundamentals: fix permissions, harden verification, and make phishing‑resistant authentication the default.
read more →

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.
read more →

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" and "Дополнительные выплаты") which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.
read more →

Weekly Recap: Automation, Exploits, and Rapid Escalation

🔐 This week's recap highlights how small oversights and automation conveniences have become widespread attack vectors, enabling rapid, large-scale compromise. Key incidents include a maximum-severity RCE in n8n (Ni8mare, CVE-2026-21858) affecting self-hosted instances, the 2M-device Kimwolf Android botnet, and malicious Chrome extensions that exfiltrated AI conversations. The report catalogs numerous trending CVEs and active campaigns, emphasizing that familiar tools and exposed services are the biggest risks today.
read more →

Who Benefited From the Aisuru and Kimwolf Botnets: Findings

🔍 This analysis traces how the Aisuru and Kimwolf botnets turned millions of unsecured Android TV streaming boxes into residential proxies and DDoS participants. Investigators linked proxy traffic and control infrastructure to a Utah hosting firm, Resi Rack, a Discord marketplace (resi.to), and vendors including Plainproxies/ByteConnect and Maskify. Operators hardened control with the Ethereum Name Service to evade takedowns. Owners of affected TV boxes are urged to disconnect and replace them.
read more →

GoBruteforcer Botnet Bruteforces Exposed Linux Services

🔒 Check Point Research (CPR) reports that the GoBruteforcer botnet is actively targeting internet‑facing Linux servers, using large‑scale brute‑force attacks against services such as FTP, MySQL, PostgreSQL and phpMyAdmin. The latest Go‑based variant, observed since mid‑2025, introduces heavier obfuscation, stronger persistence and techniques to hide malicious processes. Compromised hosts become scanning and attack nodes, enabling data theft, backdoors, resale of access and further propagation. Analysts also recovered tools used to sweep TRON and Binance Smart Chain assets, underscoring a financial motive behind some campaigns.
read more →

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials and the malware logs propagation metrics.
read more →

ThreatsDay: Weekly roundup — hacks, vulnerabilities, trends

🛡️ This week's ThreatsDay highlights a critical RustFS gRPC authentication flaw with a hard-coded token (CVSS 9.8) that allowed network attackers to perform privileged operations and was patched in 1.0.0-alpha.78. Other notable stories include GeoServer-based XMRig miners, an evolution in Iran-linked MuddyWater custom backdoors, a surge in Taiwanese infrastructure attacks, and CISA's KEV catalog expansion. Organizations should apply patches, enable MFA, and monitor credentials and exposed services.
read more →

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.
read more →

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.
read more →

Black Cat SEO Poisoning Campaign Distributes Backdoor

🚨A cybercrime gang known as Black Cat has been linked to an SEO poisoning campaign that tricks users with fake download pages for popular programs such as Google Chrome and Notepad++. Visitors are redirected to a GitHub‑mimicking host where a ZIP delivers an installer that creates a desktop shortcut which side‑loads a malicious DLL and deploys a backdoor. The backdoor contacts a hard‑coded C2 and can steal browser data, log keystrokes and capture clipboard contents. Users should avoid clicking unknown search results and download software only from official sources.
read more →

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.
read more →