All news with #malware tag

🔒 A malicious Chrome extension posing as Safery: Ethereum Wallet was found to exfiltrate Ethereum wallet seed phrases by encoding mnemonics into synthetic Sui addresses. Socket security researcher Kirill Boychenko and Koi Security report the extension broadcasts micro-transactions (0.000001 SUI) from an attacker-controlled wallet to smuggle seed phrases on-chain without a traditional C2 server. Uploaded on September 29, 2025 and updated November 12, it remained available at the time of reporting. Users should stick to trusted wallet extensions and defenders should flag unexpected RPC calls and on-chain writes during wallet import or creation.

⚠️ Quokka's assessment of the Uhale Android platform used in many consumer digital picture frames found devices that download and execute malware on boot. The tested units update to Uhale app 4.2.0, install a JAR/DEX payload from China-based servers, and persistently load it at every reboot. Devices were rooted, shipped with SELinux disabled and signed with AOSP test-keys, increasing exposure. Quokka disclosed 17 vulnerabilities (11 with CVEs) including remote code execution, command injection, an unauthenticated file server and insecure WebViews; researchers linked artifacts to Vo1d and Mezmess while the vendor did not respond to notifications.

🔒 Operation Endgame 3.0 targeted and dismantled infrastructure supporting three prominent malware families — Rhadamanthys, VenomRAT and the Elysium botnet — in coordinated actions carried out between 10 and 13 November. Authorities disrupted or seized more than 1,025 servers and 20 domains, searched 11 locations across multiple countries and arrested a suspected VenomRAT operator in Greece. The initiative was led by Europol with Eurojust, national law enforcement partners and over 30 private cybersecurity organizations.

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.

📦 Researchers warn a large-scale spam campaign has flooded the npm registry with over 46,000 fake packages since early 2024, a coordinated, long-lived effort dubbed IndonesianFoods. The packages harbor a dormant worm in a single JavaScript file that only runs if a user manually executes commands like node auto.js, enabling automated self-publishing of thousands of junk packages. The campaign appears designed to waste registry resources, pollute search results, and possibly monetize via the Tea protocol; GitHub says it has removed the offending packages.

🔁 Zscaler ThreatLabz has observed a new DanaBot variant (v669) returning to Windows systems after a six-month disruption caused by Operation Endgame. The rebuilt command-and-control infrastructure uses Tor .onion domains and 'backconnect' nodes, and operators are collecting stolen funds via multiple cryptocurrency addresses (BTC, ETH, LTC, TRX). Organizations should add Zscaler's IoCs to blocklists, update detection tools, and harden email and web defenses against malspam, SEO poisoning, and malvertising.

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.

🔍 Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font using Z85 encoding to substitute glyphs and render obfuscated filenames readable only in the victim browser. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to appear as benign text to many automated analysis tools while extracting a JavaScript payload on Windows.

🐛 Researchers have found a renewed wave of the GlassWorm supply-chain worm targeting Visual Studio Code extensions and GitHub repositories after it was previously declared contained. The malware hides JavaScript payloads in undisplayable Unicode characters, making malicious code invisible in editors, and uses blockchain memos on Solana to publish remote C2 endpoints. Koi researchers identified three newly compromised OpenVSX extensions and observed credential theft and AI-styled commits used to propagate the worm.

🔒 FileFix is a social‑engineering technique that tricks users into pasting a malicious command into the Windows File Explorer address bar instead of the Run dialog. Attackers hide a long payload before a benign-looking file path using leading spaces so only the harmless path is visible, then invoke a PowerShell script (for example via conhost.exe) to retrieve and run malware. Defenses emphasize robust endpoint protection and ongoing employee awareness training, since blocking shortcuts alone is insufficient.

🔒 Security researcher Secure Annex discovered a malicious extension in the Microsoft Marketplace that embeds "Ransomvibe" ransomware for Visual Studio Code. Once the extension activates, a zipUploadAndEcnrypt routine runs, applying typical ransomware techniques and using hard-coded C2 URLs, encryption keys and bundled decryption tools. The package appears to be a test build, limiting immediate impact, but researchers warn it can be updated or triggered remotely. Microsoft has removed the extension and says it will blacklist and uninstall malicious extensions.

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

⚠ The GlassWorm malware campaign has resurfaced on OpenVSX, delivering malicious payloads via three new VSCode extensions that have been reported as downloaded over 10,000 times. The extensions use invisible Unicode obfuscation to execute JavaScript and harvest credentials and cryptocurrency wallet data through Solana transactions. Koi Security says the attacker reused infrastructure with updated C2 endpoints and that investigators accessed an attacker server, recovering victim data and identifying multiple global victims.

⚠️ Researchers found nine NuGet packages published under the developer name shanhai666 that combine legitimate .NET libraries with a small sabotage payload set to trigger between 2027 and 2028. The malicious code uses C# extension methods to intercept database and PLC operations and probabilistically terminate processes or corrupt writes. Socket advises immediate audits, removal from CI/CD pipelines, and verification of package provenance.

⚠️ Socket has identified nine malicious NuGet packages published in 2023–2024 by the account "shanhai666" that contain time‑delayed logic bombs intended to sabotage database operations and industrial control systems. The most dangerous, Sharp7Extend, bundles the legitimate Sharp7 PLC library and uses C# extension methods plus an encrypted configuration to trigger probabilistic process terminations (≈20%) and silent PLC write failures (≈80% after 30–90 minutes). Several SQL-related packages are set to activate on staged dates in August 2027 and November 2028, and the packages were collectively downloaded 9,488 times. All nine malicious packages have been removed from NuGet; attribution remains uncertain.

⚠️ A proof-of-concept ransomware strain dubbed Ransomvibe was published as a Visual Studio Code extension and remained available in the VSCode Marketplace after being reported. Secure Annex analysts found the package included blatant indicators of malicious functionality — hardcoded C2 URLs, encryption keys, compression and exfiltration routines — alongside included decryptors and source files. The extension used a private GitHub repository as a command-and-control channel, and researchers say its presence highlights failures in Microsoft’s marketplace review process.

⚠️ Researchers flagged a malicious Visual Studio Code extension named susvsex that auto-zips, uploads and encrypts files on first launch and uses GitHub as a command-and-control channel. Uploaded on November 5, 2025 and removed from Microsoft's VS Code Marketplace the next day, the package embeds GitHub access tokens and writes execution results back to a repository. Separately, Datadog disclosed 17 trojanized npm packages that deploy the Vidar infostealer via postinstall scripts.

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.

🔒 A malicious VS Code extension named susvsex, published by 'suspublisher18', was listed on Microsoft's official marketplace and included basic ransomware features such as AES-256-CBC encryption and exfiltration to a hardcoded C2. Secure Annex researcher John Tuckner identified AI-generated artifacts in the code and reported it, but Microsoft did not remove the extension. The extension also polled a private GitHub repo for commands using a hardcoded PAT.