CISO Brief

All news with #malware tag


Cybersecurity Becomes Top Challenge for Financial Sector

🔒 A recent PPI survey of 50 banks and 53 insurers in Germany reports a sixfold rise in cyberattacks compared with 2021. Sixty-four percent of respondents now view cyberattacks as the sector's top challenge, ahead of digitization, credit quality and regulation. Firms cite low employee awareness and difficulty with real-time detection; malware installation and IT disruption are the most frequent attack types.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

LeetAgent and Dante: ForumTroll Toolset Revealed (Report)

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.

RedTiger Infostealer Used to Steal Discord Accounts

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.

3,000 YouTube Videos Used as Malware Traps in Ghost Network

⚠️ Check Point researchers uncovered a long-running operation that uploaded and promoted over 3,000 YouTube videos linking to malware downloads. The network, dubbed the YouTube Ghost Network, has been active since 2021 and saw its volume triple this year, using hacked channels and a role-based structure to sustain distribution. Videos offering pirated software and Roblox cheats pointed users to cloud-hosted files or phishing pages that deployed stealers and Node.js loaders, and Google has removed the majority of identified content.

GlassWorm self-spreading worm targets VS Code extensions

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.

YouTube Ghost Network: Disrupting a Massive Malware Campaign

🛡️ Check Point Research uncovered the YouTube Ghost Network, a large-scale operation that used fake and compromised accounts to distribute infostealers like Rhadamanthys and Lumma. More than 3,000 malicious videos — often disguised as cracked software or game hacks — were reported and removed after being linked to password-protected archives that carried the malware. Compromised accounts, coordinated comment manipulation, and false endorsements were used to build trust and drive downloads.

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Upgraded Vidar 2.0 Emerges as Lumma Stealer Declines

🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.

SnakeStealer Infostealer Surges to Top of Detections

🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

Vidar Stealer 2.0 Rewritten in C with Multi-Threading

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.

Russian Star Blizzard shifts to 'Robot' malware families

🔐 The Russian state-backed Star Blizzard group (aka ColdRiver/UNC4057) has shifted to modular, evolving malware families — NOROBOT, YESROBOT, and MAYBEROBOT — delivered through deceptive ClickFix pages that coerce victims into executing a fake "I am not a robot" CAPTCHA. NOROBOT is a malicious DLL executed via rundll32 that establishes persistence through registry changes and scheduled tasks, stages components (including a Windows Python 3.8 install), and, after iteration, primarily delivers a PowerShell backdoor. Google Threat Intelligence Group and Zscaler observed the transition from May through September and reported that ColdRiver abandoned the previously exposed LostKeys tooling shortly after disclosure. GTIG has published IoCs and YARA rules to help defenders detect these campaigns.

Coldriver Deploys New 'NoRobot' Malware Suite (2025)

🛡️ Google Threat Intelligence Group (GTIG) has observed the Russian-linked Coldriver group deploying a new, staged malware ecosystem tracked as NoRobot, YesRobot and MaybeRobot. GTIG's October 20, 2025 report shows the campaign replaces the previously disclosed LostKeys strain and begins with a 'ClickFix-style' ColdCopy phishing lure that tricks victims into running a malicious DLL via rundll32.exe. NoRobot functions as a downloader using split-key cryptography and staged payloads; operators briefly used a Python-based backdoor (YesRobot) before switching to a more flexible PowerShell backdoor (MaybeRobot) to reduce detection.

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍 Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.

GlassWorm Worm Infects OpenVSX and VS Code Extensions

🛡️ A sophisticated supply-chain campaign called GlassWorm is propagating through OpenVSX and Microsoft VS Code extensions and is estimated to have about 35,800 active installs. The malware conceals malicious scripts using invisible Unicode characters, then steals developer credentials and cryptocurrency wallet data while deploying SOCKS proxies and hidden VNC clients for covert access. Operators rely on the Solana blockchain for resilient C2, with Google Calendar and direct-IP fallbacks.

New Russian COLDRIVER Malware: NOROBOT and ROBOTs Variants

🤖 Google Threat Intelligence Group (GTIG) attributes a rapid malware retooling to the Russia-aligned COLDRIVER group after the May 2025 LOSTKEYS disclosure. The campaign uses a COLDCOPY “ClickFix” lure that coerces users to run a malicious DLL via rundll32; the DLL family is tracked as NOROBOT. Early NOROBOT variants fetched a noisy Python backdoor named YESROBOT, which was quickly replaced by a lighter, extensible PowerShell backdoor called MAYBEROBOT. GTIG published IOCs, YARA rules, and protective measures including Safe Browsing coverage and targeted alerts.