All news with #malware tag

🔒 Zscaler ThreatLabz disclosed a new malware family named YiBackdoor that shares notable source-code overlaps with IcedID and Latrodectus. First observed in June 2025 with limited deployments, YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and load encrypted plugins to expand capabilities. It uses anti-analysis checks, injects into svchost.exe, persists via a Run registry entry that invokes regsvr32.exe with a randomized name, and fetches commands from an embedded encrypted configuration over HTTP. Zscaler warns it could be leveraged to gain initial access for follow-on exploitation, including ransomware.

🚨 Attackers are creating convincing GitHub Pages that impersonate well-known brands to trick macOS users into installing the Atomic infostealer. Using SEO poisoning, malicious repositories are promoted in search results and funnel victims through multiple redirects to pages that instruct users to paste a Terminal curl command. That command decodes a base64 URL and executes a script that fetches and runs the Atomic payload. LastPass published IoCs and requested takedowns, but warns the campaign remains active.

🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. Disguised as a benign JavaScript/TypeScript utility, importing the library triggered retrieval and execution of code hidden inside a remote QR image; the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.

🔒 A malicious npm package named fezbox was recently discovered using a QR code embedded in an image to retrieve a second-stage, cookie-stealing payload from the attacker's server. The package's minified code (notably in dist/fezbox.cjs) delays execution, avoids development environments, then decodes a reversed URL to fetch a dense JPG QR image containing obfuscated JavaScript. When the payload finds credentials in document.cookie it extracts username and password and exfiltrates them via an HTTPS POST; the package accrued at least 327 downloads before registry removal.

🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.

🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.

🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.

🛡️ SentinelOne researchers disclosed MalTerminal, a Windows binary that integrates OpenAI GPT-4 via a deprecated chat completions API to dynamically generate either ransomware or a reverse shell. The sample, presented at LABScon 2025 and accompanied by Python scripts and a defensive utility called FalconShield, appears to be an early — possibly pre-November 2023 — example of LLM-embedded malware. There is no evidence it was deployed in the wild, suggesting a proof-of-concept or red-team tool. The finding highlights operational risks as LLMs are embedded into offensive tooling and phishing chains.

🛡️ Lumen Technologies' Black Lotus Labs reports that SystemBC, a C-based SOCKS5 proxy malware, powers roughly 80% of the REM Proxy network and averages about 1,500 compromised hosts per day. The botnet operates through more than 80 C2 servers and mainly targets VPS instances from major commercial providers, often via dropped shell scripts that install the proxy implant. REM Proxy also advertises pools of compromised Mikrotik routers and open proxies and has been used by actors tied to TransferLoader and the Morpheus ransomware group.

🔒 Researchers have identified CountLoader, a multi‑language malware loader used by Russian ransomware affiliates and initial access brokers to deploy post‑exploit tools such as Cobalt Strike, AdaptixC2 and the commercial PureHVNC RAT. Appearing in .NET, PowerShell and JavaScript flavors, the loader has been observed in PDF phishing campaigns targeting Ukraine and employs LOLBins and multiple download/execution methods to evade detection. The JavaScript variant is most feature‑complete, offering diverse downloaders, execution paths and persistence via a Google‑update‑named scheduled task.

🎮 Several incidents show attackers distributing malware via trusted gaming channels, including a compromised Endgame Gear OP1w utility, infected early-access Steam titles, and malicious skins on the official Minecraft site. The Endgame Gear installer likely contained the XRed backdoor, while Steam cases involved infostealers such as Trojan.Win32.Lazzzy.gen that harvested cookies and credentials. Users suffered account takeovers and data loss; recommended defenses include up-to-date antivirus, cautious vetting of downloads, and using gaming security modes that minimize disruption.

⚠️ Zscaler ThreatLabz researchers discovered two malicious Python packages, sisaws and secmeasure, that were designed to deliver the SilentSync remote access trojan to Windows hosts. Both packages, uploaded by a user identified as 'CondeTGAPIS' and since removed from PyPI, contained downloader logic that retrieved a second-stage Python payload (via Pastebin) and executed code in memory. SilentSync can execute commands, harvest browser credentials and cookies, capture screenshots, and exfiltrate files, while offering persistence mechanisms across Windows, Linux and macOS.

🪱 Palo Alto Networks Unit 42 is investigating an active supply chain attack in the npm ecosystem driven by a novel self-replicating worm tracked as "Shai-Hulud." The malware has compromised more than 180 packages, including high-impact libraries such as @ctrl/tinycolor, and automates credential theft, repository creation, and propagation across maintainers' packages. Unit 42 assesses with moderate confidence that an LLM assisted in authoring the malicious bash payload. Customers are protected through Cortex Cloud, Prisma Cloud, Cortex XDR and Advanced WildFire, and Unit 42 recommends immediate credential rotation, dependency audits, and enforcement of MFA.

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into file upload address bars. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

🔍 Huntress analysts observed an uptick in attacks that combine classic ClickFix social engineering with more advanced deployment techniques over the past fifteen business days. A fake AnyDesk installer used a Cloudflare Turnstile lure that opened Windows File Explorer via the search-ms protocol to deliver an LNK payload disguised as a PDF and install an MSI that dropped MetaStealer. Separately, operators deployed Cephalus ransomware using DLL sideloading through the legitimate SentinelOne host binary, illustrating evolving tradecraft that mixes manual user interaction and technical evasion.

🦠 On the evening of September 15 a worm-like supply-chain attack began targeting popular npm components, compromising nearly 150 packages including @ctrl/tinycolor. Malicious code was added as a cross-platform postinstall script (bundle.js) that harvests credentials using a bundled TruffleHog, validates tokens via npm and GitHub APIs, and — where possible — publishes trojanized package updates. Harvested secrets are exfiltrated by creating public GitHub repositories and by deploying GitHub Actions that forward data to an attacker-controlled webhook.

🔍 A coordinated ad and click-fraud operation named SlopAds ran 224 Android apps that amassed roughly 38 million downloads across 228 countries, according to HUMAN's Satori Threat Intelligence and Research Team. The campaign generated up to 2.3 billion bid requests per day and primarily targeted traffic from the U.S., India, and Brazil. Google removed the offending apps from the Play Store after the investigation, which found sophisticated evasion tactics including steganography and conditional payloads.