
All news with #malware tag

810 articles · page 35 of 41

XWorm Backdoor Returns with Ransomware and 35+ Plugins

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

Beware of threats lurking in booby-trapped PDF files

📄 PDF files are a ubiquitous, convenient format that cybercriminals increasingly abuse as lures, with ESET telemetry placing PDFs among the top malicious attachment types. Attack techniques include embedded scripts, hidden links, malformed objects that exploit reader vulnerabilities, and files that merely masquerade as .pdf while actually being executables or archives. Verify sender context, enable Protected View or sandboxing, consider disabling JavaScript in your PDF reader, and scan or sandbox suspicious attachments before opening; when in doubt, confirm via a separate channel.

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

Detour Dog Using DNS to Distribute Strela Stealer Campaigns

🛡️ Infoblox links a threat actor dubbed Detour Dog to campaigns distributing the Strela Stealer, using compromised WordPress sites to host first-stage backdoors such as StarFish. The actor leverages DNS TXT records and modified name servers to deliver Base64-encoded commands and delivery URLs, selectively triggering redirects or remote execution to minimize detection. Infoblox and Shadowserver sinkholed multiple C2 domains in July–August 2025.

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

Chinese Cybercriminals Hijack IIS Servers for SEO Fraud

🔍 A Chinese-speaking cybercrime group tracked as UAT-8099 is hijacking trusted Microsoft IIS servers worldwide to run SEO scams that redirect users to unauthorized adverts and illegal gambling sites. According to Cisco Talos, attackers exploit server vulnerabilities, upload web shells, and conduct reconnaissance before enabling the guest account, escalating privileges and activating RDP. For persistence they deploy SoftEther VPN, EasyTier and the FRP reverse proxy and install the BadIIS malware variants designed to evade detection.

WhatsApp-Based Self-Spreading Malware Hits Brazil Nationwide

⚠️ Trend Micro has uncovered a self-propagating malware campaign named SORVEPOTEL that primarily targets Brazilian Windows users via WhatsApp. The attack is delivered through convincing phishing messages with malicious ZIP attachments that contain LNK shortcuts, which trigger PowerShell to download a batch payload. The payload establishes persistence by copying itself to the Windows Startup folder and contacts a command-and-control server; if WhatsApp Web is active, the malware automatically forwards the infected ZIP to contacts and groups, causing rapid spread and frequent account bans. Researchers report no evidence of data exfiltration or file encryption so far.

New MatrixPDF Phishing Technique Targets Gmail Users

📄 Researchers at Varonis have identified a sophisticated phishing toolkit called MatrixPDF that embeds prompts, JavaScript, and external redirects inside seemingly legitimate PDF files to target Gmail users. Attackers exploit Gmail's preview and desktop PDF readers: a blurred preview displays a prompt to 'open secure document' that directs victims to external payloads, while embedded scripts can fetch malware if a user grants permission. Because the malicious content is only retrieved after user interaction, Gmail's automated scanners and attachment sandboxes can be bypassed. Security experts recommend stronger webmail controls, robust attachment sandboxing, endpoint detection, and frequent, realistic user awareness training.

Malicious PyPI soopsocks package abused to install backdoor

⚠️ Cybersecurity researchers flagged a malicious PyPI package named soopsocks that claimed to provide a SOCKS5 proxy while delivering stealthy backdoor functionality on Windows. The package, uploaded by user 'soodalpie' on September 26, 2025, had 2,653 downloads before removal and used VBScript or an executable (_AUTORUN.VBS/_AUTORUN.EXE) to bootstrap additional payloads. Analysts at JFrog reported the executable is a compiled Go binary that runs PowerShell, adjusts firewall rules, elevates privileges, performs reconnaissance and exfiltrates data to a hard-coded Discord webhook.

Confucius Espionage: Evolution from Stealer to Backdoor

🔐 FortiGuard Labs documents the Confucius espionage group’s shift from document-stealing malware to a stealthy Python-based backdoor targeting Microsoft Windows. Recent campaigns used spear-phishing with weaponized Office PPSX files, malicious LNK loaders, and staged PowerShell installers to deploy runtimes and execute AnonDoor modules. The actor leveraged DLL side-loading, scheduled tasks, and HKCU registry Load persistence to maintain stealth and periodic execution. Fortinet urges layered defenses, updated signatures, and user training to mitigate these threats.

Android spyware campaigns impersonate Signal and ToTok

🔒 Two newly identified Android spyware campaigns, dubbed ProSpy and ToSpy, impersonate Signal and ToTok to trick users into installing malicious APKs masquerading as a Signal encryption plugin or a Pro ToTok build. The malware requests standard messenger permissions and exfiltrates contacts, SMS, media, app lists and ToTok backups. ESET found distribution via cloned websites and noted persistence techniques to survive reboots. Users in the UAE appear to be targeted; download apps only from official stores or publishers and keep Play Protect enabled.

Android Spyware Posing as Signal Plugin and ToTok Pro

⚠️ Researchers at ESET have uncovered two Android spyware campaigns, ProSpy and ToSpy, that masquerade as a Signal encryption plugin and a ToTok Pro upgrade to target users in the U.A.E. Distributed via fake websites and social engineering, these apps require manual installation and request extensive permissions to persist and exfiltrate contacts, messages, media and device data. Users are advised to avoid installing apps from unofficial sources and to disable installations from unknown origins.

Android spyware targeting Signal and ToTok users in UAE

🔒 ESET researchers uncovered two previously undocumented Android spyware families—Android/Spy.ProSpy and Android/Spy.ToSpy—distributed via deceptive websites that impersonate Signal, ToTok and even app stores. Both families require manual APK installation from third‑party sites and maintain persistence while exfiltrating contacts, media, documents and chat backups. ToSpy notably seeks .ttkmbackup files and uses AES‑CBC encryption with a hardcoded key; several C&C servers remained active. Google Play Protect already blocks known variants, and ESET shared findings with Google.

MatrixPDF: PDFs Weaponized to Evade Gmail Defenses

📄 Researchers at Varonis have discovered MatrixPDF, a toolkit that disguises malicious web redirects and scripts inside seemingly benign PDFs to bypass Gmail filters. The files use blurred content, overlays and convincing prompts such as “Open Secure Document” to trick users into opening external sites. In some cases embedded JavaScript can auto-fetch payloads when a reader grants permission. Because Gmail treats preview clicks as user-initiated, these PDFs often evade email scanners and sandboxes.

Android malware uses VNC to give attackers hands-on access

🔒 Klopatra is a newly observed Android banking and remote access trojan distributed via a sideloaded dropper app called Modpro IP TV + VPN that has infected over 3,000 devices across Europe. The malware abuses Android Accessibility to capture inputs, exfiltrate clipboard content, simulate taps and gestures, and monitor screens. A concealed black‑screen VNC mode lets operators interact with devices and perform manual bank transactions while the device appears idle. Cleafy notes extensive anti-analysis protections, use of commercial packers, and active development since March 2025.

Credential ZIP Lures Use Malicious LNKs to Deploy DLLs

📎 BlackPoint researchers tracked a campaign that distributes credential-themed ZIP archives containing malicious Windows shortcut (.lnk) files. When opened, the shortcuts launch minimized, obfuscated PowerShell that downloads DLL payloads disguised as .ppt files, saves them to the user profile and invokes them via rundll32.exe. The dropper assembles commands from byte arrays, probes for antivirus processes and uses quiet flags to minimize visible indicators. Recommended mitigations include blocking LNKs in archives, enforcing Mark of the Web, denying execution from user-writable locations, and enabling PowerShell script block logging and AMSI.

Klopatra Android Banking Trojan Hits 3,000+ Devices

🔒 Cleafy has uncovered Klopatra, a previously undocumented Android banking trojan that has infected over 3,000 devices—predominantly in Spain and Italy. The malware leverages Hidden VNC for remote device control and dynamic overlays to harvest credentials, while integrating the commercial Virbox protection suite and native libraries to evade detection and analysis. Operators distribute Klopatra via social-engineered IPTV droppers, abuse Android accessibility permissions to persist and perform actions, and use a black-screen VNC mode and stolen PINs or patterns to unlock devices and execute rapid fraudulent transfers.

Ukraine Alerts to CABINETRAT Backdoor Delivered via XLLs

⚠️ The Computer Emergency Response Team of Ukraine (CERT‑UA) warns of targeted attacks using a new backdoor dubbed CABINETRAT distributed via malicious Excel add-ins (XLL) concealed inside ZIP archives shared over Signal. The XLL implants an EXE in Startup, places BasicExcelMath.xll in the Excel XLSTART folder and drops a PNG that hides shellcode. It employs registry persistence and robust anti-VM checks, and the C-based backdoor performs reconnaissance, remote command execution, file operations and data exfiltration over TCP.

MatrixPDF toolkit converts PDFs into phishing lures

📄 MatrixPDF is a newly observed toolkit that converts ordinary PDFs into interactive phishing and malware lures, researchers report. First seen advertised on cybercrime forums and promoted via Telegram, it embeds blurred content, fake "Secure Document" prompts, clickable overlays and JavaScript actions that redirect users to external payloads. Varonis testing showed these PDFs can bypass Gmail filters because they contain no embedded binaries and rely on user clicks to fetch malicious content. Sellers offer subscriptions from $400/month to $1,500/year.

Klopatra Android RAT Uses Commercial Protections in Europe

⚠️ Cleafy's Threat Intelligence team discovered a previously unknown Android Remote Access Trojan named Klopatra in late August 2025, actively targeting financial institutions across Spain and Italy. The malware leverages commercial-grade protection (notably Virbox) and shifts much of its functionality into native code to evade detection and frustrate reverse engineering. Operators use Hidden VNC, dynamic overlays and abuse of Accessibility Services to harvest credentials and perform unauthorized transactions while victims remain unaware.