
All news with #malware tag

810 articles · page 3 of 41

Fake Call History Apps Scammed Millions via Subscriptions

🔍 Cybersecurity researchers uncovered 28 fraudulent Android apps on the official Google Play Store that claimed to show call, SMS and WhatsApp histories for any number but instead pushed paid subscriptions that delivered fabricated, hard‑coded data. The apps, labeled CallPhantom by ESET, amassed over 7.3 million downloads—one exceeded 3 million—primarily targeting users in India and the Asia‑Pacific region before removal. Payments were processed via Google Play billing, UPI apps (including Google Pay, PhonePe and Paytm), or in‑app card forms, limiting refund options for non‑Play transactions. The apps requested few permissions, used simple UIs and even displayed deceptive notifications to coerce payments.

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.

TCLBanker Trojan Self-Spreads via WhatsApp and Outlook

⚠️ A new banking trojan named TCLBanker is being distributed via a trojanized MSI installer for Logitech AI Prompt Builder and targets 59 banking, fintech, and cryptocurrency platforms, with initial activity observed mainly in Brazil. Researchers at Elastic Security Labs report the malware uses DLL side-loading and strong anti-analysis defenses, runs persistent watchdogs to detect debuggers, and monitors the browser address bar to trigger theft routines. It provides remote-control capabilities (live streaming, screenshots, keylogging, clipboard theft, and shell execution) and uses WPF overlays to capture credentials. Uniquely, TCLBanker includes worm modules that hijack WhatsApp Web sessions and abuse Microsoft Outlook to self-propagate to contacts, increasing the risk of rapid spread.

PCPJack worm steals cloud credentials and cleans TeamPCP

🐛 PCPJack is a new worm that targets exposed cloud infrastructure to harvest credentials while actively removing traces of rival group TeamPCP. It infects Linux systems via a shell script (bootstrap.sh), establishes persistence (monitor.py), and propagates by scanning for exposed Docker, Kubernetes, Redis, MongoDB and RayML services. Stolen credentials are encrypted with X25519/ChaCha20-Poly1305 and exfiltrated to Telegram channels; researchers recommend MFA, IMDSv2 and least-privilege controls.

Fake Claude Site Distributes Beagle Backdoor to Windows

🔒 A fraudulent imitation of Anthropic's Claude hosted at claude-pro[.]com distributed a roughly 505 MB ZIP claiming to contain a "Claude-Pro Relay" tool, according to Sophos X-Ops. The MSI installer drops three items into the startup folder: a signed G DATA updater renamed NOVupdate.exe, an encrypted data file and a malicious avk.dll; when the updater runs it sideloads avk.dll, which decrypts shellcode and uses DonutLoader to load the Beagle backdoor. Sophos traced related samples to February–March 2026 and noted the campaign used Cloudflare for distribution while hosting C2 infrastructure on Alibaba Cloud.

Fake Claude-Pro Site Distributes Beagle Windows Backdoor

⚠️ A fake Claude website pushed a 505MB archive named 'Claude-Pro-windows-x64.zip' that installs a trojanized MSI and drops three Startup files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos and Malwarebytes analysis shows the signed G Data updater is abused to sideload avk.dll and an encrypted payload, which decrypts an in-memory DonutLoader that deploys the new Beagle backdoor. Beagle runs in memory, communicates with C2 at license.claude-pro[.]com (8.217.190[.]58) over TCP/443 or UDP/8080 using a hardcoded AES key, and supports basic file and command operations.

Daemon Tools Confirms Malware-Backdoored Installer

🛡️ Disc Soft has confirmed that certain Daemon Tools Lite installers were trojanized and released in a compromised build (version 12.5.1) after unauthorized interference in its build environment. The company released a malware-free update, version 12.6, within 12 hours of notification and says the incident is contained. Users who installed the impacted release are advised to uninstall the application, run a full system scan with trusted security software, and reinstall only the verified package from the official site.

PyPI packages deliver ZiChatBot malware to Windows, Linux

🛡️ Kaspersky researchers found three malicious PyPI wheel packages — uuid32-utils, colorinal and termncolor — that covertly delivered a new malware family named ZiChatBot to Windows and Linux hosts. The packages drop platform-specific loaders (terminate.dll or terminate.so) that persist via a Registry autorun entry or a crontab and act as droppers for the main payload. ZiChatBot uses public Zulip REST APIs as its command-and-control channel, executes shellcode received from the service, and signals success by sending a heart emoji. The packages were uploaded in July 2025 and have been removed; organizations should audit dependencies, verify build environments, and monitor the published indicators.

CallPhantom Android Scam: Fake Call Logs, Real Charges

🔍 ESET Research uncovered a cluster of fraudulent Android apps, dubbed CallPhantom, that promised call histories, SMS records and WhatsApp logs for any phone number but delivered fabricated entries and charged users for access. The apps collectively amassed over 7.3 million downloads on Google Play before ESET reported them on 16 December 2025 and the identified packages were removed. Operators used varied payment flows—official Play subscriptions, third‑party UPI links and embedded card checkouts—making refunds and cancellations difficult for many victims.

Mirai-Derived xlabs_v1 Botnet Exploits ADB Devices

🛡️ Hunt.io has uncovered a Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to conscript them into DDoS campaigns. The malware supports 21 flood variants across TCP, UDP, and raw protocols and is offered as a DDoS-for-hire service aimed at game servers and Minecraft hosts. It targets devices with ADB enabled by default—such as Android TV boxes, set-top boxes, smart TVs—and includes multi-architecture binaries for routers and IoT hardware. The bot probes device bandwidth to tier victims and uses a "killer" subsystem to evict competing malware.

DAEMON Tools supply-chain breach; malware-free update

🔒 Disc Soft confirmed a supply-chain compromise that trojanized installers for DAEMON Tools Lite and has released a clean build. The company says it secured its infrastructure and published version 12.6 (May 5) which no longer exhibits malicious behavior. Users who installed the free 12.5.1 build since April 8 should uninstall, run a full antivirus scan, and reinstall the latest release. Kaspersky found backdoors and a two-stage payload deployed to thousands of systems across 100+ countries.

VoidStealer Bypasses Chrome App-Bound Encryption Exploit

🔓 Researchers found that a new infostealer, VoidStealer, can bypass Chrome’s App-Bound Encryption by attaching to the browser process as a debugger and setting breakpoints at decryption routines. At the moment the browser decrypts data, the malware reads the master key directly from memory, enabling theft of session cookies and other secrets. The technique affects other Chromium-based browsers and is available as malware-as-a-service, increasing its reach. Users should combine secure practices and endpoint defenses rather than rely solely on built-in protections.

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro’s analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP, and HTTPS (with TLS for TCP and HTTPS) and Trend Micro has published IOCs while applying protections for Trend Vision One customers.

Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.

Forced-Momentum Autodownload Phishing via Cloud Links

📎 Modern phishing now prioritizes speed over persuasion. By forcing immediate downloads via trusted cloud providers (for example Dropbox's dl=1), attackers remove the preview step and exploit double extensions and hidden OS behavior to disguise executables. Cortex Email Security applies deep static analysis, behavioral signals, and LLM-based intent classification to detect forced-download parameters, identity-bound cloaking, and rotating social-engineering lures before they reach endpoints.

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.

Supply-Chain Attack Compromises DAEMON Tools Installers

🛡️ Kaspersky has identified a supply-chain compromise that trojanized installers for DAEMON Tools, distributed from the vendor’s official site and signed with developer certificates. The affected builds (12.5.0.2421–12.5.0.2434) have been backdoored since April 8, 2026, with three core binaries modified to deploy an implant. The implant contacts an observed C2 domain (env-check.daemontools.cc) to receive shell commands that download and execute follow-on payloads, including a .NET collector and a loader/backdoor pair. Kaspersky observed thousands of initial infection attempts worldwide while more advanced payloads were selectively delivered to a small number of targets in Russia, Belarus, and Thailand; AVB Disc Soft has been notified.

North Korean APT Trojanizes Yanbian Gaming Platform

🔎 A North Korea-aligned espionage group has trojanized Windows and Android clients on a regional Yanbian gaming site, according to ESET. The campaign, attributed to ScarCruft (APT37), delivered an Android port of the BirdCall backdoor (internally named zhuagou) and a trojanized mono.dll on Windows to deploy RokRAT and BirdCall. The malware harvests contacts, SMS, files, screenshots and audio, and routes command-and-control through cloud storage accounts.

Supply Chain Attack via DAEMON Tools Compromises Installers

⚠️ Kaspersky researchers discovered a large-scale supply chain attack that trojanized DAEMON Tools installers; the malicious executables are signed with a valid AVB Disc Soft digital signature and have been distributed since April 8, 2026. Once installed the malware runs at startup, collects system and network information, and contacts a command-and-control server that can deliver additional payloads. In some cases attackers deployed a backdoor and a more advanced implant, QUIC RAT, capable of in-memory execution and process injection; users should audit systems and use reliable security solutions.

Malware Abuses Microsoft Phone Link to Steal SMS OTPs

🔒 Cisco Talos has identified a stealthy campaign using a CloudZ remote access trojan and a custom Pheno plugin to siphon SMS one‑time passwords and other sensitive mobile data mirrored via Microsoft Phone Link on Windows endpoints. Rather than compromising phones, attackers exploit the PC‑to‑phone trust relationship to access the Phone Link SQLite data stored locally. The malware establishes persistence, performs anti‑analysis checks, fetches plugin modules, and monitors active Phone Link processes to capture OTPs and notifications. Talos published detection signatures, hashes, C2 indicators and Snort rules; attribution is unconfirmed.