< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 30 of 46

ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.
read more →

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.
read more →

CISA: PRC-linked BRICKSTORM Backdoor Targets vSphere

🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.
read more →

CISA Alerts on BrickStorm Backdoors in VMware vSphere

🔒 CISA warns that Chinese threat actors have used Brickstorm malware to backdoor VMware vSphere servers, creating hidden rogue virtual machines and exfiltrating cloned VM snapshots to harvest credentials. A joint analysis with the NSA and Canada's Cyber Security Centre examined eight samples and documents layered evasion including nested TLS, WebSockets, SOCKS proxying and DNS-over-HTTPS. CISA provides YARA and Sigma rules, advises blocking unauthorized DoH providers, inventorying edge devices, segmenting DMZ-to-internal traffic, and reporting detections as required.
read more →

False-Flag Teams Lure Delivers ValleyRAT via SEO Poisoning

🚨 ReliaQuest attributes a false-flag SEO poisoning campaign to the actor known as Silver Fox, which has been active since November 2025 and aims to masquerade as a Russian group to mislead investigators. The campaign pushes a malicious Teams installer packaged as "MSTчamsSetup.zip" from an Alibaba Cloud URL, drops a trojanized Setup.exe, establishes exclusions in Microsoft Defender, and writes a staged installer "Verifier.exe" to the AppData profile. The loader scans for security processes, injects a malicious DLL into rundll32.exe, and reaches out to a remote server to retrieve the final ValleyRAT payload.
read more →

UDPGangster Backdoor Campaigns Target Turkey, Israel

🔒FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.
read more →

BRICKSTORM Backdoor Targets VMware vSphere and Windows

🛡️ CISA, NSA, and the Canadian Centre for Cyber Security report that PRC state-sponsored actors deployed the BRICKSTORM backdoor to gain long-term persistence on VMware vSphere (vCenter/ESXi) and Windows hosts. The analysis of eight samples includes YARA and Sigma detection content plus scanning guidance for vCenter filesystems and SIEMs. Organizations should apply the provided IOCs and detection signatures, hunt for modified init scripts, DoH resolver requests, and hidden API endpoints, and report any findings immediately.
read more →

PRC State-Sponsored Actors Use BRICKSTORM Malware Campaigns

🔒 CISA warns that PRC state-sponsored actors are deploying the BRICKSTORM backdoor to maintain stealthy, long-term access on VMware vSphere and Windows hosts. The malware leverages nested TLS/WebSockets, DNS-over-HTTPS, and a SOCKS proxy for encrypted C2, lateral movement, and tunneling, and implements a self‑healing persistence mechanism. CISA urges defenders to hunt with provided YARA/Sigma rules, block unauthorized DoH, inventory edge devices, and enforce DMZ segmentation.
read more →

ThreatsDay: Wi‑Fi Hack, npm Worm, DeFi Theft and More

🔒This week's ThreatsDay roundup highlights a string of high-impact incidents, from a $9 million DeFi drain and an npm-based self-replicating worm to airport Wi‑Fi evil‑twin attacks and mass camera compromises. Researchers and vendors including Fortinet, Microsoft, and TruffleHog disclosed evolving malware techniques, supply-chain abuse, and widespread credential exposure. Practical protections include minimizing long-lived secrets, enforcing CI/CD safeguards, updating detection for eBPF-based threats, and applying MFA and phishing-resistant controls.
read more →

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.
read more →

Brazil Hit by WhatsApp Worm and RelayNFC Fraud Campaign

🔒 Water Saci has shifted to a layered infection chain that uses HTA files and malicious PDFs delivered via WhatsApp to deploy a banking trojan in Brazil. The actors moved from PowerShell to a Python-based worm that propagates through WhatsApp Web, while an MSI/AutoIt installer and process-hollowing techniques load the trojan only on Portuguese (Brazil) systems. Trend Micro links the behavior to Casbaneiro-style features and notes possible use of code-translation or AI tools to port scripts. In parallel, a React Native Android strain named RelayNFC executes real-time NFC APDU relays to enable contactless payment fraud.
read more →

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.
read more →

Malicious Rust Crate Delivers Cross-Platform Backdoor

⚠️ Researchers identified a malicious Rust crate, evm-units, on crates.io that targeted developer machines running Windows, macOS, and Linux by posing as an Ethereum Virtual Machine helper. Uploaded in mid‑April 2025 and downloaded thousands of times, the package fetched OS-specific payloads from download.videotalks[.]xyz, wrote them to temporary directories, and executed them silently. A related package, uniswap-utils, included evm-units as a dependency, widening exposure; both packages have been removed and indicators released to help defenders.
read more →

Malicious Chrome and Edge Extensions Threaten Enterprises

🔍 Koi Security revealed a long-running surveillance campaign by an actor it calls 'ShadyPanda' that abused legitimate-seeming Chrome and Edge extensions to harvest browsing data, hijack search results, and deploy a backdoor enabling remote code execution. The group built trust by publishing useful extensions (including Clean Master) and then silently pushed malicious updates that bypassed marketplace re-approval. With an estimated 4.3 million infected browser instances, enterprises should treat browser extensions as high-risk assets and urgently audit and remediate add-ons on corporate and employee devices.
read more →

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.
read more →

GlassWorm Returns: 24 Malicious Extensions Target Developers

🔍 The GlassWorm supply-chain campaign has resurfaced with 24 malicious extensions distributed across the Microsoft Visual Studio Marketplace and Open VSX, impersonating popular developer tools such as Flutter, React and Tailwind. Researchers say attackers inflated download counts and slipped malicious updates after initial approval to evade filters. Analysis found Rust-based implants that load platform-specific libraries (os.node and darwin.node) to fetch Solana-based C2 details and download encrypted JavaScript payloads, while a Google Calendar fallback is also used. Developers and repository maintainers are urged to audit installed extensions and review update histories.
read more →

New eBPF Filters in Symbiote and BPFDoor Malware Variants

🛡️ FortiGuard Labs reports new Linux-focused eBPF malware updates in 2025, including 151 new BPFDoor samples and three new Symbiote samples. Both families abuse eBPF to install kernel-level packet filters that enable stealthy C2 channels; Symbiote is using UDP port-hopping across high ports while BPFDoor has added IPv6 and DNS-based filtering. Detection is difficult but Fortinet provides AV and IPS protections.
read more →

Glassworm Malware Surges in Third Wave of VS Code Extensions

🐛 The Glassworm campaign has resurfaced in a third wave, with 24 new malicious VS Code-compatible extensions appearing on both the Microsoft Visual Studio Marketplace and OpenVSX. Once installed, these extensions push updates that deploy Rust-based implants, use invisible Unicode to evade review, exfiltrate GitHub, npm, and OpenVSX credentials and cryptocurrency wallet data, and deploy a SOCKS proxy and an HVNC client for stealthy remote access. Researchers say attackers inflate download counts to blend with legitimate projects and manipulate search results; both vendors have been contacted about continued bypasses.
read more →

SmartTube Android TV App Breached, Malicious Update Pushed

⚠️ The popular open-source SmartTube YouTube client for Android TV was compromised after the developer's signing keys were stolen, allowing a malicious update to be distributed to users. A hidden native library, libalphasdk.so, was discovered in release builds and appears absent from the public source. The library runs silently, fingerprints devices, registers them with a remote backend, and exchanges encrypted configuration, while the developer has revoked the old signature and plans a rebuilt app under a new ID, though definitive safe versions and a full public post-mortem are not yet available.
read more →

ShadyPanda Converts Popular Browser Extensions into Spyware

🔒 A threat actor tracked as ShadyPanda operated a seven-year browser-extension campaign that amassed over 4.3 million installs by converting popular add-ons into data-stealing spyware. Koi Security reports that five extensions were modified in mid-2024 to run hourly remote code execution, download arbitrary JavaScript, and exfiltrate encrypted browsing histories and full browser fingerprints. Notable victims include Clean Master — once verified by Google — and WeTab, which still had millions of installs. Users should remove affected extensions and rotate credentials immediately while marketplaces review post-approval update controls.
read more →