< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 38 of 45

DPRK Hackers Adopt EtherHiding to Conceal Malware Campaigns

🔒 Google Threat Intelligence Group (GTIG) reports that a DPRK-aligned threat actor tracked as UNC5342 has employed EtherHiding since February to host and deliver malware via smart contracts on Ethereum and the BNB Smart Chain. Campaigns begin with fake technical interviews that trick developers into running a JavaScript downloader named JADESNOW, which fetches a JavaScript build of InvisibleFerret for in-memory espionage and credential theft. The method offers anonymity, takedown resistance, and low-cost, stealthy payload updates.
read more →

DPRK Actor UNC5342 Employs EtherHiding for Crypto Theft

🧩 GTIG reports that DPRK-linked UNC5342 has adopted EtherHiding, using smart contracts on public blockchains to store and deliver malicious JavaScript payloads. The actor leverages social engineering—fake recruiter lures and technical interviews—to deploy the JADESNOW downloader, which fetches and decrypts on-chain payloads and stages the Python backdoor INVISIBLEFERRET. Google recommends enterprise controls and Chrome management policies to disrupt this resilient, decentralized C2 method.
read more →

UNC5142 EtherHiding: Smart-Contract Malware Distribution

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.
read more →

Attackers Use Cisco SNMP Flaw to Deploy Linux Rootkits

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.
read more →

Merged BeaverTail and OtterCookie Tooling Observed in Attacks

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.
read more →

ThreatsDay Bulletin: $15B Crypto Seizure, Weekly Risks

🔔 This week’s ThreatsDay bulletin highlights a historic U.S. DOJ seizure of roughly $15 billion in cryptocurrency linked to an alleged transnational fraud network, alongside active commodity malware, phishing-as-a-service, and novel abuses of legitimate tools. Notable incidents include the Brazil-distributed Maverick banking trojan spread via a WhatsApp worm, consumer-grade interception of geostationary satellite traffic, and UEFI BombShell flaws enabling bootkit persistence. Priorities: identity resilience, patching, and monitoring of remote-access and cloud services.
read more →

Minecraft mods — how malicious mods put players at risk

🛡️ Minecraft mods can enhance gameplay but also serve as vectors for malware. This article explains how threat actors disguise Trojans, infostealers, ransomware and cryptominers as mods or cheat tools and distribute them via GitHub, mod repositories and forums. It outlines practical precautions — sourcing mods from trusted repositories, checking developer reputation and file types, using non-admin accounts, backups and security software — and steps to take if a mod is suspected malicious.
read more →

Phishing Campaign Uses Fake LastPass/Bitwarden Breach Alerts

⚠ The phishing campaign impersonates LastPass and Bitwarden, sending convincing emails claiming breaches and urging users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and vendors confirm no breaches occurred.
read more →

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.
read more →

Keyloggers: Keyboard Monitoring Tools, Uses and Risks

🔑 Keyloggers are monitoring tools that record keyboard input and exfiltrate captured data to third parties. They appear as hardware devices between a keyboard and host or as software installed legitimately or via malware; advanced variants also capture screenshots, clipboard contents and mobile data such as GPS or audio. While criminals deploy keyloggers to steal credentials and financial information, enterprises and law enforcement sometimes use them for troubleshooting, compliance and surveillance. Mitigation requires layered defenses: updated AV/anti-rootkit tools, behavioral monitoring, restricted privileges, virtual keyboards where appropriate and strong authentication.
read more →

Malicious VSCode Extensions Resurface on OpenVSX Registry

⚠️ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.
read more →

TA585 Deploys MonsterV2 Malware With Sophisticated Delivery

🔍 Proofpoint researchers uncovered TA585, a cybercriminal group that operates its own phishing, delivery and malware infrastructure rather than outsourcing. The actor distributes MonsterV2, a subscription-based RAT/stealer/loader that avoids CIS systems and offers modules like HVNC. Early 2025 campaigns used ClickFix social engineering and compromised sites with fake CAPTCHAs to filter victims and deliver payloads, and organisations should train users to spot ClickFix and restrict PowerShell for non-admins.
read more →

Malicious npm, PyPI and RubyGems Packages Use Discord C2

⚠️ Researchers at a software supply chain security firm found multiple malicious packages across npm, PyPI, and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate developer secrets. Examples include npm packages that siphon config files and a Ruby gem that sends host files like /etc/passwd to a hard-coded webhook. The investigators warn that webhook-based C2 is cheap, fast, and blends into normal traffic, enabling early-stage compromise via install-time hooks and build scripts. The disclosure also links a large North Korean campaign that published hundreds of malicious packages to deliver stealers and backdoors.
read more →

Spain Arrests Leader of GXC Team Phishing Operation

🚨 Spanish authorities have arrested a 25-year-old Brazilian national accused of leading the GXC Team, a Crime-as-a-Service operation that sold phishing kits, Android malware and AI-based tools to cybercriminals. The Guardia Civil detained the suspect known as "GoogleXcoder" after a year-long investigation and six coordinated raids across Spain. Investigators seized devices containing source code, client communications and cryptocurrency records, and identified six suspected accomplices. The probe, supported by Group-IB and Brazil's Federal Police, remains ongoing as authorities disable the group's online infrastructure.
read more →

Stealit Infostealer Campaign Deploys via Fake VPN Apps

🛡️ FortiGuard Labs has identified a campaign distributing the Stealit infostealer via disguised game and VPN installers shared on file‑hosting sites and platforms like Discord. Attackers use Node.js Single Executable Apps (SEA) and PyInstaller bundles, heavy obfuscation and multiple anti‑analysis techniques to avoid detection. Once executed, Stealit harvests data from browsers, game clients, messaging apps and cryptocurrency wallets, and its operators rotate C2 domains while marketing the toolkit commercially.
read more →

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.
read more →

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.
read more →

Spain Dismantles GXC Team Cybercrime Syndicate, Leader Held

🔒 Spanish Guardia Civil have dismantled the GXC Team cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as GoogleXcoder. The group operated a crime-as-a-service platform on Telegram and a Russian-speaking forum, selling AI-driven phishing kits, Android malware that intercepted SMS/OTPs, and voice-scam tools. Authorities seized devices, source code, communication logs, and recovered stolen cryptocurrency. Nationwide raids on May 20 led to channel takedowns and the identification of additional suspects; the investigation remains ongoing.
read more →

Stealit Campaign Abuses Node.js Single Executable Packaging

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data, extension-based crypto wallets, and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.
read more →

ClayRat Android spyware mimics popular apps to spread

📱 A new Android spyware campaign called ClayRat is tricking users by posing as well-known apps and services such as WhatsApp, Google Photos, TikTok, and YouTube and distributing APKs via Telegram channels and fraudulent websites. Researchers at Zimperium say they documented over 600 samples and 50 distinct droppers in three months, noting that some use a session-based installation and encrypted payloads to bypass Android defenses. Once installed, ClayRat can assume the default SMS handler, exfiltrate SMS and call logs, capture notifications and front-camera photos, make calls, send mass SMS for propagation, and communicate with C2 servers (recent versions use AES-GCM); Play Protect now blocks known variants.
read more →