< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 28 of 46

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.
read more →

Infy APT Resurfaces with Updated Foudre and Tonnerre

🔍 SafeBreach has linked renewed operations to the Iranian APT known as Infy (Prince of Persia), revealing updated Foudre downloader and Tonnerre implants active across Iran, Iraq, Turkey, India, Canada and parts of Europe. The campaign, tracked through September 2025 samples, shifts from macro-laced Excel to embedded executables and employs a DGA plus RSA-signed C2 validation. SafeBreach identified C2 folders including a 'key' directory and a Telegram integration used selectively via a tga.adr file. Analysts warn Infy remains active and dangerous to high-value targets.
read more →

US DOJ Indicts 54 in Multi-Million ATM Jackpotting Scheme

💰The U.S. Department of Justice has indicted 54 individuals tied to a large-scale ATM jackpotting conspiracy that used the Ploutus malware to force machines to dispense cash. Prosecutors allege members of the Venezuelan gang Tren de Aragua, designated a Foreign Terrorist Organization, recruited operatives who conducted surveillance, opened ATM hoods and installed malware by replacing drives or using removable media. Two related indictments returned in October and December 2025 charge bank fraud, burglary, computer fraud and money laundering, exposing an operation that siphoned millions and laundered proceeds to fund other criminal and terrorist activities.
read more →

Prince of Persia APT Returns with New Malware, C2 Ops

🛡️ Researchers have observed renewed activity from the Prince of Persia threat actor, long linked to Iran, after an apparent 2022 hiatus. SafeBreach found updated Foudre and Tonnerre variants, a new domain generation algorithm and altered delivery using Excel files with embedded SFX payloads alongside legacy malicious macros. Select victims can now be controlled via the Telegram API, and identified targets are predominantly in Iran with some victims across Europe, Iraq, Turkey, India and Canada.
read more →

CountLoader and GachiLoader Campaigns Abuse Cracked Software

🔒 Cybersecurity teams disclosed linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.
read more →

CISA Update: BRICKSTORM Backdoor Analysis Release Notice

🛡️ Today, CISA, the NSA, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report for the BRICKSTORM backdoor. The update adds indicators of compromise (IOCs) and two new YARA detection signatures to cover additional samples, including Rust-based variants. Analysts observed advanced persistence and defense-evasion behaviors (including running as background services) and improved command-and-control via encrypted WebSocket channels. Organizations are strongly urged to deploy the updated IOCs and signatures, follow the detection guidance to scan and remediate affected systems, and report suspected infections to CISA’s 24/7 Operations Center.
read more →

US Indicts 54 in ATM 'Jackpotting' Scheme Using Ploutus

💰 Federal prosecutors announced indictments against 54 individuals accused of using Ploutus malware to carry out ATM 'jackpotting' attacks across the United States. Two separate grand jury indictments in the District of Nebraska charge 22 and 32 defendants with installing malware, removing or replacing ATM hard drives, and forcing cash dispensals. Authorities allege total losses reached $40.73m and tie some activity to the Venezuelan syndicate Tren de Aragua.
read more →

France Arrests Crew Member Over Malware on Italian Ferry

🚨 French authorities arrested a Latvian crew member after discovery of a remote access tool aboard the Italian passenger ferry Fantastic, owned by Grandi Navi Veloci. A Bulgarian crewmember was released without charge. The malware was detected and neutralized by GNV while the ship was docked in Sète, and France's DGSI seized items for forensic analysis. Investigators are treating the case as suspected foreign interference and continue cooperation with Italian authorities.
read more →

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.
read more →

ThreatsDay Bulletin: Emerging Tactics and Notable Incidents

🔔 This week's ThreatsDay Bulletin highlights a rapid reshaping of old tools and fresh abuse of familiar systems across fraud, malware, and infrastructure. Notable incidents include a cross-border scam ring dismantled in Ukraine that defrauded hundreds for over €10 million, the modular SantaStealer infostealer sold as malware-as-a-service, and a WhatsApp device-linking hijack dubbed GhostPairing. Security teams should verify linked sessions, reduce exposed management endpoints, and prioritize timely patching and credential hygiene.
read more →

GhostPoster campaign hides malware in 17 Firefox add‑ons

🚨 Koi Security uncovered the GhostPoster campaign that hid malicious JavaScript inside PNG logo files used by 17 Firefox add‑ons, collectively downloaded more than 50,000 times. The steganographic loader fetches secondary payloads from attacker-controlled servers only intermittently and uses long delays to avoid detection. Affected extensions — advertised as VPNs, ad blockers, translators, and utilities — have been removed from distribution.
read more →

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.
read more →

GhostPoster: Malicious JavaScript Hidden in Firefox Add-ons

🕵️ Koi Security identified the GhostPoster campaign that hides JavaScript inside PNG logo images of malicious Firefox extensions, impacting more than 50,000 downloads. The dormant loader waits 48 hours, contacts hardcoded attacker domains and only fetches its payload about 10% of the time to evade detection. The decoded payload provides persistent, high-privilege access and enables affiliate hijacks, analytics injection, header stripping, CAPTCHA bypass and ad/click fraud. Users of flagged extensions should remove them and consider resetting critical account passwords.
read more →

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.
read more →

Parked Domains Increasingly Redirect Users to Malware

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional — benign when accessed via a VPN or non‑residential IP, but malicious for residential addresses — and rely on device fingerprinting, geolocation, and chained resells. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.
read more →

SantaStealer info-stealer targets browsers and wallets

⚠️Rapid7 researchers report a new malware-as-a-service called SantaStealer, advertised on Telegram and hacker forums as an in-memory info‑stealer designed to evade file-based detection. The operation appears to be a rebranding of BluelineStealer by a Russian-speaking developer and is being marketed with Basic ($175/month) and Premium ($300/month) tiers. Samples and an affiliate panel show 14 modular data-collection threads that harvest browser credentials, cookies, saved cards, messaging and gaming app data, crypto wallets and documents, bundle results into ZIPs in memory, and exfiltrate them in 10MB chunks to a hardcoded C2 on port 6767. Despite claims of stealth, leaked builds include symbol names and unencrypted strings that make analysis straightforward.
read more →

Featured Chrome Extension Harvested Millions of AI Chats

🚨 A Google Chrome extension carrying a "Featured" badge, Urban VPN Proxy, has been found silently harvesting prompts and responses from major AI chat services and sending them to remote analytics servers. The extension — installed by roughly six million Chrome users and about 1.3 million Edge users — was updated on July 9, 2025 (v5.5.0) with AI capture enabled by default. Injected scripts override browser networking APIs to intercept chat data and exfiltrate conversation text, IDs, timestamps, session metadata, and model/platform information. The publisher's updated privacy policy admits collecting AI prompts and outputs for "Safe Browsing" and marketing while disclaiming a full guarantee of de-identification.
read more →

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them into spyware and RCE-enabled backdoors via silent updates. About 4.3 million users installed compromised add‑ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.
read more →

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.
read more →

Fake GitHub Repos Deliver PyStoreRAT via HTA/JS Loaders

🛡️ Researchers warn that a wave of malicious GitHub repositories are distributing a newly observed JavaScript-based RAT called PyStoreRAT, delivered via minimal Python/JS loader stubs that fetch and execute remote HTA files through mshta.exe. The deceptive projects — marketed as OSINT utilities, DeFi bots, GPT wrappers, and developer tools — often exhibit non-functional or placeholder interfaces designed to build trust. Once executed, the multi-stage implant can run EXE, DLL, PowerShell, MSI, Python, and HTA modules and deploys a follow-on information stealer, Rhadamanthys. The initial stage also checks for security products such as CrowdStrike and Cybereason to reduce visibility and establishes persistence via a scheduled task masquerading as an NVIDIA update.
read more →