< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 3 of 45

ThreatsDay: AI Abuse, Fileless Mac Attacks, and More

📰 This week's ThreatsDay roundup highlights a range of active campaigns and emerging risks, from DoH adoption in Windows Server 2025 to search-hijacking Chrome extensions and fileless macOS infections. Researchers uncovered abuse of shared AI chat features to deliver credential stealers, large-scale WhatsApp booking fraud, and memory-only stealers targeting banks. Vendors and agencies are responding with mitigations, advisories, and new product timelines to address quantum and AI-driven threats.
read more →

Law enforcement disrupts SocGholish infections at scale

🛡️ International law enforcement agencies cleaned nearly 15,000 WordPress sites and took down over 100 servers tied to the SocGholish botnet and the Evil Corp cybercrime group as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany removed malware and backdoors from 14,971 compromised sites, advised remediation steps, and decommissioned 106 servers and domains. The action aims to deny criminals access, limit malware spread, and reduce risks to critical infrastructure.
read more →

Cybercriminals Worried AI Will Displace Roles

🔎 Sophos CTU research finds cybercriminals debating the risks and benefits of AI tools across underground forums, marketplaces and messaging apps. Sellers are offering AI kits for phishing, malware automation, deepfake creation and social engineering, while some threat actors fear losing work to automated toolsets. The research highlights divided views, a spike in discussion after the release of Claude Mythos Preview, and advice for defenders to prioritize patching, MFA and visibility.
read more →

Spyware embeds forbidden text to foil AI analysis

🛡️ At least one malware author is inserting large comment blocks with policy-triggering content about nuclear and biological weapons into JavaScript payloads to disrupt AI-driven analysis. The decoy text sits inside comments so execution is unchanged while early-stage LLM-based triage can be confused or refuse to process the file. Traditional detection methods like YARA rules, entropy checks, and deobfuscation remain effective. This tactic targets naive pipelines that expose untrusted file starts to language models.
read more →

ESET analysis of Gentlemen’s EDR-killer suite

🔎 ESET researchers detail the EDR-killing toolset used by the ransomware-as-a-service gang Gentlemen, which rose to prominence in early 2026. The group provides affiliates with an operator-maintained suite centered on an in-house framework dubbed GentleKiller plus integrated third-party tools like HexKiller and HavocKiller. A May 2026 internal leak and long-term incident visibility enabled deep linkage between leaked data, actual samples, and the gang’s TTPs.
read more →

Fake Reputation Campaign Pushes Crypto Clipper

🛡️ Check Point Research found a coordinated campaign using paid posts, fake accounts, and a WordPress phishing hub to promote malicious warez. The operators pushed a Rust-based clipboard hijacker hidden in Solana and sniper bot packages targeting Windows and macOS, replacing crypto wallet addresses to steal funds. They used GitHub, SourceForge, YouTube, VirusTotal manipulation, and press release services to fabricate trust and inflate metrics.
read more →

Fake Reputation Economy Behind Crypto Clipboard Hijackers

🔍 Check Point Research uncovered a coordinated campaign that built a cross-platform false reputation to push a crypto clipboard hijacker. The actor used WordPress phishing hubs, multiple GitHub and SourceForge projects, AI-narrated YouTube tutorials, and forum posts to manufacture trust and inflate engagement. The campaign targeted Windows and macOS, including a macOS persistence mechanism, and manipulated reputation systems like VirusTotal to make malicious files appear safe.
read more →

Mastra npm packages compromised in supply-chain attack

🛡️ Multiple npm packages under the @mastra/* namespace were mass-published with a malicious dependency on June 16–17, 2026, enabling a supply-chain campaign named easy-day-js. The injected library, easy-day-js, executes an obfuscated postinstall payload that downloads a second-stage trojan from attacker infrastructure and disables TLS validation. Victims should treat any systems that installed the affected versions as potentially compromised, roll back to safe releases, rotate secrets, and audit hosts for signs of the stealer.
read more →

Rokarolla Android trojan targets 217 financial apps

🛡️ A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. Distributed via malicious sites posing as Chrome or TikTok installers, it requests Accessibility and other sensitive permissions to gain near-complete control of infected devices. Researchers at Zimperium report it harvests SMS, contacts, keystrokes, screenshots, and lock-screen credentials while displaying phishing overlays and disabling protections like Google Play Protect.
read more →

Malicious Steam Workshop wallpapers used to deliver malware

🛡️ Researchers at Kaspersky report threat actors abusing Steam Workshop to distribute malware via the Wallpaper Engine app. Attackers upload malicious application-type wallpapers that execute payloads when installed, leading to account theft, backdoors, miners, and information stealers. Valve removed the identified items, but users are advised to only download from trusted creators and scan Workshop content with up-to-date antivirus.
read more →

ClickFix campaigns expand modular malware delivery

🛡️ Multiple ClickFix campaigns have been linked to three distinct loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — delivering information stealers, backdoors, RATs, and other payloads against diverse sectors. The attacks rely on social-engineered ClickFix lures that trick victims into running PowerShell or command sequences, then use staged techniques such as hidden PowerShell, DLL side-loading, in-memory shellcode, and external payload storage to evade detection. Researchers from Morphisec, BlueVoyant, and Huntress attribute the campaigns to evolving, modular loader frameworks that separate delivery, storage, execution, and payload deployment for greater stealth.
read more →

GhostTree attack uses NTFS junctions to hide malware

🛡️ Attackers abuse NTFS junctions to create recursive directory loops that generate effectively infinite file paths, causing recursive scans and EDR products to hang. With only write access, an attacker can create junctions that point back to parent folders, producing GhostBranch or the more expansive GhostTree structures. These loops multiply possible paths exponentially, preventing file scanners from reaching malicious files and enabling evasion. Microsoft was notified and later patched the issue.
read more →

Rokarolla Android trojan isolates victims from banks

🔒 Researchers have detailed Rokarolla, an Android banking trojan that not only steals credentials but effectively seizes control of phones to isolate victims from banks. The malware spreads via fake sites posing as TikTok or Chrome and uses a dropper impersonating Google Play Protect to install a second-stage payload. Rokarolla abuses Android Accessibility Services, makes itself the default call and SMS handler, hides its icon, mutes alerts and captures screenshots and overlays fake login screens to harvest bank and crypto credentials.
read more →

Windows SprySOCKS Variants Expand China‑linked Threat

🛡️ ESET researchers uncovered two Windows variants of the previously Linux-only backdoor SprySOCKS, internally tagged as WIN_DRV and WIN_PLUS. Both maintain the original C&C protocol and support TCP, UDP, and WebSocket channels, offering more than 30 commands for reconnaissance and remote control. WIN_DRV uses kernel drivers to hide activity and enable TCP traffic diversion, while WIN_PLUS abuses the Print Spooler to load the backdoor. Artifacts point to deployments between 2023–2024 against government targets in multiple countries, and there are limited indications of a UEFI bootkit being involved.
read more →

Supply-chain Attack Compromises Popular WordPress Plugins

🛡️ Dutch researcher Sansec revealed a supply-chain attack that tampered with JavaScript for three plugins from Awesome Motive — OptinMonster, TrustPulse and PushEngage. The malicious payload created rogue administrator accounts and installed a stealth backdoor plugin after detecting a logged-in admin, sending credentials to a lookalike service. Sansec observed brief exposure windows for some tampered scripts and urged site owners to check for unfamiliar admins and traffic to tidio[.]cc.
read more →

China-linked actors breach REDCap servers, steal research

🔒 Google Threat Intelligence Group attributes a long-running espionage campaign to UNC6508, a China-linked actor, which exploited exposed REDCap servers to deploy the custom Infinitered malware and exfiltrate sensitive medical research. The intrusion began in September 2023 and persisted through November 2025, with attackers harvesting credentials, maintaining persistent backdoors, and using enterprise email compliance rules to siphon data. Administrators are urged to update REDCap, enable MFA/2SV, and apply provided YARA rules and IoCs to detect infections.
read more →

152 Chrome wallpaper extensions found distributing PUPs

🔎 Cybersecurity researchers uncovered 152 Chrome wallpaper extensions that distribute a potentially unwanted program (PUP) family across 38 publisher accounts and three brand backends, collectively installed 105,000 times. Each listing claims not to collect data, but linked privacy policies admit logging IPs, ISPs, clicks, and referrers, shared with Google AdSense, DoubleClick, and third-party partners. Some extensions hard-code install and uninstall URLs to fake organic Google search referrals and include dormant code to enumerate and delete IndexedDB databases. Socket assesses the cluster as a financially motivated adware and traffic-fraud affiliate operation with possible ties to Turkey.
read more →

Former school IT worker jailed for prolonged hacks

🔒 A former senior IT support specialist for the Saydel Community School District in Iowa was sentenced to 21 months in prison for repeatedly accessing and sabotaging his former employer’s systems after his April 2023 departure. Prosecutors say he deleted the district’s Facebook page, stripped employees of access to educational platforms, and erased Apple School Manager and Gmail accounts, disrupting classes and causing tens of thousands in remediation costs. He pleaded guilty in January 2026 and must pay $59,668.81 in restitution and serve three years of supervised release with monitoring conditions.
read more →

Fake AI Guides Used to Deliver AsyncRAT Trojan

🛡️ Fortinet researchers uncovered a campaign where threat actors disguise malware as AI study guides and developer resources to deliver a multi-stage attack culminating in the AsyncRAT trojan. The booby-trapped archives contain shortcut (LNK) files and hidden documents that trigger staged scripts, using trusted system tools and AutoHotkey repurposed as an execution engine to evade detection. Attackers deploy scheduled tasks disguised as Realtek services, process hollowing to run payloads inside legitimate .NET processes, and hide components in decoy files to keep victims unaware while PowerShell stages execute silently.
read more →

Smashing Security Podcast Episode 471 Overview

🎙️ Smashing Security episode 471 features Graham Cluley with guest James Ball discussing recent AI-related cybersecurity stories. They explore Meta AI mishaps that exposed passwords and an adaptive AI worm developed by University of Toronto researchers. The episode also touches on worms' history, the WannaCry aftermath, and the shifting legal and practical impacts of AI in cyber defense and offense.
read more →