< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 36 of 45

AdaptixC2 Abused by Ransomware Operators Worldwide

⚠️ Silent Push reports a surge in malicious use of AdaptixC2, an open-source adversarial emulation framework that researchers say is now being delivered by the CountLoader malware as part of active ransomware operations. Deployments accelerated after new detection signatures were released, and public incident reports show increased sightings across multiple intrusions. Analysts flagged the developer alias RalfHacker and issued indicators covering Golang C2 traffic and unknown C++/QT executables.
read more →

BlueNoroff Returns with GhostCall and GhostHire Campaigns

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.
read more →

Atroposia RAT Emerges on Dark Web with Modular Toolset

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.
read more →

New Airstalk Malware Abuses AirWatch for Covert C2

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.
read more →

Atroposia RAT Kit Lowers Barrier for Cybercriminals

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.
read more →

AI-Driven Malicious SEO and the Fight for Web Trust

🛡️ The article explains how malicious SEO operations use keyword stuffing, purchased backlinks, cloaking and mass-produced content to bury legitimate sites in search results. It warns that generative AI now amplifies this threat by producing tens of thousands of spam articles, spinning up fake social accounts and enabling more sophisticated cloaking. Defenders must deploy AI-based detection, graph-level backlink analysis and network behavioral analytics to spot coordinated abuse. The piece emphasizes proactive, ecosystem-wide monitoring to protect trust and legitimate businesses online.
read more →

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.
read more →

Atroposia RAT Adds Local Vulnerability Scanner, UAC Bypass

🛡️ Atroposia is a new malware-as-a-service platform offering a modular remote access trojan for a $200 monthly subscription, combining persistent access, stealthy remote desktop, data theft, and a built-in local vulnerability scanner. Researchers at Varonis say the RAT can bypass UAC, perform host-level DNS hijacks, capture credentials and clipboard data, and compress and exfiltrate targeted files with minimal traces. Its vulnerability-audit plugin identifies missing patches and outdated software so attackers can prioritize exploits, making it particularly dangerous in corporate environments. Users should download only from official sources, avoid pirated software and torrents, and refrain from executing unfamiliar commands found online.
read more →

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.
read more →

Cybersecurity Becomes Top Challenge for Financial Sector

🔒 A recent PPI survey of 50 banks and 53 insurers in Germany reports a sixfold rise in cyberattacks compared with 2021. Sixty-four percent of respondents now view cyberattacks as the sector's top challenge, ahead of digitization, credit quality and regulation. Firms cite low employee awareness and difficulty with real-time detection; malware installation and IT disruption are the most frequent attack types.
read more →

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.
read more →

LeetAgent and Dante: ForumTroll Toolset Revealed Report

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.
read more →

RedTiger Infostealer Used to Steal Discord Accounts

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.
read more →

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.
read more →

3,000 YouTube Videos Used as Malware Traps in Ghost Network

⚠️ Check Point researchers uncovered a long-running operation that uploaded and promoted over 3,000 YouTube videos linking to malware downloads. The network, dubbed the YouTube Ghost Network, has been active since 2021 and saw its volume triple this year, using hacked channels and a role-based structure to sustain distribution. Videos offering pirated software and Roblox cheats pointed users to cloud-hosted files or phishing pages that deployed stealers and Node.js loaders, and Google has removed the majority of identified content.
read more →

GlassWorm self-spreading worm targets VS Code extensions

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.
read more →

YouTube Ghost Network: Disrupting a Massive Malware Campaign

🛡️ Check Point Research uncovered the YouTube Ghost Network, a large-scale operation that used fake and compromised accounts to distribute infostealers like Rhadamanthys and Lumma. More than 3,000 malicious videos — often disguised as cracked software or game hacks — were reported and removed after being linked to password-protected archives that carried the malware. Compromised accounts, coordinated comment manipulation, and false endorsements were used to build trust and drive downloads.
read more →

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.
read more →

Vidar 2.0 Emerges as Lumma Stealer Declines, Upgraded

🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.
read more →

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.
read more →