< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 27 of 46

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Data

🔍 OX Security researchers uncovered two malicious Chrome extensions — Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude, and more — installed by over 900,000 users. The add-ons scrape ChatGPT and DeepSeek conversation content and all open tab URLs, then batch-upload harvested data to attacker-controlled servers. Operators used hosted privacy pages and impersonation to obscure activity; users should remove these extensions and audit exposed data immediately.
read more →

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.
read more →

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.
read more →

VVS Stealer Employs Advanced Obfuscation Targeting Discord

🛡️ VVS Stealer is a Python-based credential-stealing malware distributed as a PyInstaller package and protected with Pyarmor obfuscation in BCC mode to hinder analysis. It targets Discord tokens and browser-stored credentials, injects malicious JavaScript into the Discord client, and exfiltrates data via Discord webhooks. The sample persists by copying itself to the Windows startup folder and displays fake error messages to evade detection.
read more →

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.
read more →

VVS Stealer: Python info-stealer targets Discord now

🐍 Researchers disclosed a new Python-based information stealer called VVS Stealer that harvests Discord tokens, account data and browser credentials. The malware, sold on Telegram with subscription and one-time tiers, is obfuscated with Pyarmor and packaged via PyInstaller to hinder analysis. It persists by adding itself to the Windows Startup folder and shows fake "Fatal Error" pop-ups. VVS injects into Discord and uses a downloaded obfuscated JavaScript payload to monitor traffic via the Chrome DevTools Protocol for session hijacking.
read more →

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.
read more →

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.
read more →

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.
read more →

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.
read more →

Suspect Arrested in KMSAuto Clipper Campaign — 2.8M Infected

🚨 South Korean authorities arrested a 29-year-old Lithuanian accused of distributing a clipboard-stealing clipper embedded in a trojanized KMSAuto activation tool that was downloaded 2.8 million times worldwide. The suspect was extradited from Georgia after investigators traced about KRW 1.7 billion (~$1.2M) diverted in 8,400 transactions. Devices seized in a December 2024 raid yielded evidence leading to the April 2025 arrest. Officials warn against using unofficial activators and unsigned executables.
read more →

Malware Installed Onboard: Italian Ferry IoT Compromise

🚢 A reported compromise affected an Italian ferry; investigators say the malware appears to have been installed physically on board rather than via a remote intrusion. Operators are assessing systems and safety impacts. Details remain limited while authorities investigate.
read more →

ThreatsDay: Stealth Loaders, AI Abuse, and Trusted Tools

🔍 This week's ThreatsDay bulletin documents how attackers increasingly hide malicious activity inside everyday tools, trusted applications, and AI assistants. Investigations highlight abuse of open-source monitoring tools like Nezha, an 87% rise in NFC‑abusing Android malware, late‑2025 GuLoader waves, and prompt‑injection flaws in AI chat frontends. The report underscores the need for layered defenses, strict input validation, and rapid patching.
read more →

Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.
read more →

Webrat Lures Researchers with Fake GitHub Exploit PoCs

🐀 Attackers are hosting counterfeit proof-of-concept exploit repositories on GitHub to deliver the Webrat backdoor to unsuspecting users. Kaspersky analysts observed polished, likely machine-generated README files that mask a password-protected ZIP; the archive password is hidden in filenames and often missed. Inside are decoy DLLs, batch loaders and executables (e.g., rasmanesc.exe) that disable Windows Defender, escalate privileges, and fetch the real payload from hardcoded C2 servers. The campaign, active since at least September 2025, appears tuned to catch novice researchers and students who analyze PoCs outside isolated environments.
read more →

WebRAT Distributed via Fake PoC Exploits on GitHub

🛡️ Kaspersky researchers found WebRAT backdoor being distributed through GitHub repositories that posed as proof‑of‑concept exploits for recently disclosed vulnerabilities. The malicious packages were delivered as password‑protected ZIPs containing a corrupted decoy DLL, a batch script, and a main dropper named rasmanesc.exe that elevates privileges, disables Defender, and downloads WebRAT. All identified repositories have been removed, but developers are urged to verify PoC sources and test untrusted code in isolated environments.
read more →

Signed macOS Dropper: New MacSync Stealer Variant Emerges

🚨 Jamf Threat Labs uncovered a reworked macOS infostealer masquerading as a legitimate signed app. The Swift dropper is code‑signed and notarized, delivered in a 25.5MB disk image posing as a messaging installer, and silently fetches and executes an encoded script through a helper. It runs mainly in memory, removes quarantine attributes, enforces a ~3600s delay before execution, and cleans up traces; Jamf reported the developer certificate and Apple revoked it.
read more →

MacSync Stealer Bypasses Gatekeeper, Targets macOS Users

⚠️ Researchers at Jamf report that MacSync Stealer now arrives as a code-signed, notarized Swift utility that can execute with minimal user interaction. The dropper fetches a payload script from a command-and-control server after installation. Because the app appears signed and notarized, Gatekeeper does not display extra warnings, allowing attackers to exploit a window before certificate revocation. This behavior highlights limitations in Apple’s automated notarization checks.
read more →

Malicious Chrome Extensions Route Traffic to Steal Data

🔒 Two Chrome extensions in the Web Store, both published as Phantom Shuttle, are malicious plugins that hijack browser traffic and have been active since at least 2017, researchers report. Targeting users in China, the extensions pose as proxy and network-speed tools and prepend obfuscated code to the jQuery library to route requests through attacker-controlled proxies using hardcoded credentials and a PAC script. The plugins dynamically reconfigure Chrome proxy settings and route traffic for over 170 high-value domains, intercepting HTTP authentication challenges to capture form credentials, session cookies and API tokens while excluding local networks and the command-and-control domain to limit detection. At the time of reporting the extensions remained in Chrome's official marketplace; users are advised to install only extensions from reputable publishers and review requested permissions carefully.
read more →

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.
read more →