All news with #malware tag

🦆 Researchers at Secure Annex warned of a malicious Open VSX extension, juan-bianco.solidity-vlang, that delivers a remote access trojan dubbed SleepyDuck. Originally published as a benign library on October 31, 2025, it was updated to a malicious release after reaching about 14,000 downloads. The extension triggers on opening a code editor window or selecting a .sol file, harvesting host details and polling an Ethereum-based contract to obtain and update its command server. It also contains fallback logic using multiple Ethereum RPC providers to recover C2 information if the domain is taken down; users should only install extensions from trusted publishers and follow vendor guidance.

🛡️ Microsoft DART researchers uncovered SesameOp, a novel .NET backdoor that leverages the OpenAI Assistants API as a covert command-and-control (C2) channel instead of traditional infrastructure. The implant includes a heavily obfuscated loader (Netapi64.dll) and a backdoor (OpenAIAgent.Netapi64) that persist via .NET AppDomainManager injection, using layered RSA/AES encryption and GZIP compression to fetch, execute, and exfiltrate commands. Microsoft and OpenAI investigated jointly and disabled the suspected API key; detections and mitigation guidance are provided for defenders.

🔒 Cybersecurity researchers CYFIRMA and independent analyst F6 have disclosed two active Android trojans—BankBot‑YNRK and DeliveryRAT—that harvest financial and device data from compromised phones. BankBot‑YNRK impersonates an Indonesian government app, performs device fingerprinting and anti-emulation checks, abuses accessibility services to steal credentials and automate transactions, and communicates with a command server. DeliveryRAT, promoted via a Telegram bot, lures Russian users with fake delivery and marketplace apps and delivers malware-as-a-service variants that collect notifications, SMS and call logs and can hide their launchers. Users should avoid untrusted APKs, review permissions, and keep devices updated—Android 14 reduces some accessibility-based abuses.

🔒 A Ukrainian man long accused of building and operating components of the Jabber Zeus banking trojan has been arrested in Italy and is now in U.S. custody. Prosecutors say 41-year-old Yuriy Igorevich Rybtsov, previously identified only by the handle MrICQ, was charged in a 2012 Nebraska indictment as a developer and notification handler for the group. Investigators allege Jabber Zeus used a custom ZeuS variant and a Leprechaun component to intercept credentials and bypass multi-factor protections, enabling large payroll thefts via recruited money mules.

🛡️ The Australian Signals Directorate (ASD) has issued a bulletin warning of ongoing attacks using a Lua-based implant dubbed BADCANDY to compromise unpatched Cisco IOS XE devices via CVE-2023-20198. ASD reports variations have been seen since October 2023 and estimates about 400 Australian devices were compromised since July 2025, with 150 infections in October. Operators are urged to apply patches, restrict public access to the web UI, and follow Cisco hardening guidance.

🛡️ Microsoft is adding a new scareware sensor to Edge that notifies Defender SmartScreen in real time to speed up indexing and global blocking of tech-support and full-screen scam pages. The sensor is included in Edge 142, disabled by default, and reports suspected scams immediately without sharing screenshots or extra data beyond SmartScreen’s usual telemetry. Edge’s local scareware blocker — introduced at Ignite 2024 and widely enabled since February — still warns users, exits full-screen, stops loud audio, shows a thumbnail, and offers an option to continue. Microsoft plans to enable the sensor for users who have SmartScreen enabled and will add more anonymous detection signals over time.

🛡️ Palo Alto Networks Unit 42 linked a suspected nation-state cluster (CL-STA-1009) to a new backdoor named Airstalk that abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel. The malware appears in PowerShell and more capable .NET variants and can capture screenshots, harvest browser cookies, history and bookmarks, and enumerate user files. Airstalk misuses MDM custom attributes as a dead-drop resolver and leverages the API blobs feature to exfiltrate large artifacts; some .NET samples were signed with a likely stolen certificate.

🔒 Russian authorities have arrested three individuals in Moscow accused of creating and operating the Meduza information‑stealing malware. Announced on Telegram by police general Irina Volk, investigators say the group developed and distributed Meduza via hacker forums around two years ago and offered it as a subscription-based service. The tool steals browser-stored credentials and cryptocurrency data and, since December 2023, can resurrect expired Chrome authentication cookies to facilitate account takeover. Authorities opened a criminal case after operators targeted an Astrakhan institution and seized confidential server data.

🔒 As October 2025 concludes, ESET Chief Security Evangelist Tony Anscombe reviews the month’s most significant cybersecurity developments and what they mean for defenders. He highlights that Windows 10 reached end of support on October 14 and outlines practical options for affected users and organizations. He also warns about info‑stealing malware spread through TikTok videos posing as free activation guides and summarizes Microsoft’s report that Russia, China, Iran and North Korea are increasingly using AI in cyberattacks — alongside China’s accusation of an NSA operation targeting its National Time Service Center.

🔍 Researchers at Koi Security uncovered a campaign, PhantomRaven, that has contaminated 126 packages in Microsoft's npm repository by embedding invisible HTTP URL dependencies. These remote links are not fetched or analyzed by typical dependency scanners or npmjs.com, making packages appear to have 0 Dependencies while fetching malicious code at install time. The attackers aim to exfiltrate developer credentials and environment details, and they also exploit AI hallucinations to create plausible package names.

📱Zimperium reports a sharp rise in Android apps abusing Host Card Emulation (HCE) to steal contactless payment card data across Eastern Europe. Researchers observed over 760 malicious APKs and 70+ command-and-control servers that capture EMV fields, respond to POS APDU commands, or forward requests to remote servers. Variants include data exfiltration to Telegram, relay toolkits, 'ghost-tap' real-time HCE manipulation, and fake payment apps impersonating Google Pay and regional banks. Users are advised to avoid sideloading APKs, restrict NFC permissions, run Play Protect, and disable NFC when not in use.

⚠️ Silent Push reports a surge in malicious use of AdaptixC2, an open-source adversarial emulation framework that researchers say is now being delivered by the CountLoader malware as part of active ransomware operations. Deployments accelerated after new detection signatures were released, and public incident reports show increased sightings across multiple intrusions. Analysts flagged the developer alias RalfHacker and issued indicators covering Golang C2 traffic and unknown C++/QT executables.

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.

🛡️ The article explains how malicious SEO operations use keyword stuffing, purchased backlinks, cloaking and mass-produced content to bury legitimate sites in search results. It warns that generative AI now amplifies this threat by producing tens of thousands of spam articles, spinning up fake social accounts and enabling more sophisticated cloaking. Defenders must deploy AI-based detection, graph-level backlink analysis and network behavioral analytics to spot coordinated abuse. The piece emphasizes proactive, ecosystem-wide monitoring to protect trust and legitimate businesses online.

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.

🛡️ Atroposia is a new malware-as-a-service platform offering a modular remote access trojan for a $200 monthly subscription, combining persistent access, stealthy remote desktop, data theft, and a built-in local vulnerability scanner. Researchers at Varonis say the RAT can bypass UAC, perform host-level DNS hijacks, capture credentials and clipboard data, and compress and exfiltrate targeted files with minimal traces. Its vulnerability-audit plugin identifies missing patches and outdated software so attackers can prioritize exploits, making it particularly dangerous in corporate environments. Users should download only from official sources, avoid pirated software and torrents, and refrain from executing unfamiliar commands found online.

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.