All news with #malware tag

🛡️ ThreatFabric has identified a new Android remote access trojan, RatOn, that combines NFC relay attacks with automated money-transfer (ATS) and overlay capabilities to target cryptocurrency wallets and conduct device fraud. Attackers distribute droppers via fake Play Store listings (masquerading as a TikTok 18+ app) aimed at Czech and Slovak users, then request accessibility and device-admin permissions. RatOn deploys a third-stage NFSkate module for Ghost Tap NFC relays, presents overlay or ransom-style screens, captures PINs and seed phrases, records keystrokes, and exfiltrates sensitive data to attacker servers to drain accounts.

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.

🔍 VirusTotal's AI Code Insight detected a sophisticated phishing campaign that hid malicious JavaScript inside SVG images to impersonate Colombia's judicial system. The SVGs rendered fake portal pages with a bogus download progress bar and displayed a password for a protected ZIP archive that contained malware artifacts. The archive included a renamed Comodo Dragon executable, a malicious DLL, and two encrypted files; when the executable runs the DLL is sideloaded to install further malware. After adding SVG support, VirusTotal found 523 related SVGs that had evaded traditional antivirus detection.

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.

🛡️ Recorded Future links the activity of TAG-150 to a new remote access trojan, CastleRAT, available in both Python and C variants that collect system data, fetch additional payloads, and execute commands via CMD and PowerShell. The Python build is tracked as PyNightshade, while eSentire and others refer to related tooling as NightshadeC2. Researchers observed Steam-profile dead drops, a multi-tiered C2 layout, and distribution through CastleLoader-assisted phishing and fake GitHub repositories. Operators use Cloudflare-themed "ClickFix" lures and deceptive domains to deliver loaders and downstream stealers and RATs.

🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac, and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.

⚠️ Cybersecurity researchers warn of a phishing campaign using Scalable Vector Graphics (SVG) files that embed JavaScript to decode and inject a Base64-encoded HTML page impersonating Colombia's Fiscalía General de la Nación. VirusTotal identified 44 unique SVG samples that evaded antivirus detection and reported a total of 523 SVGs seen in the wild, with the earliest from August 14, 2025. Attackers relied on obfuscation, polymorphism, and large volumes of junk code to bypass static detections and used a fake progress/download flow to trigger a background ZIP download. The disclosure coincides with separate macOS-focused campaigns distributing the AMOS information stealer via cracked-software lures and Terminal-based installers that attempt to circumvent Gatekeeper protections.

🔐 Mandiant observed attackers exploiting a zero‑day ViewState deserialization flaw (CVE-2025-53690) in legacy Sitecore deployments that reused a sample ASP.NET machineKey. Adversaries delivered a WeepSteel reconnaissance backdoor to collect system and network data and disguised exfiltration as normal ViewState traffic. Sitecore advises replacing and encrypting static machineKey values and instituting regular key rotation to mitigate further risk.

🔍 Researchers at ESET disclosed a previously undocumented campaign named GhostRedirector that has compromised at least 65 Windows servers mainly in Brazil, Thailand and Vietnam. The intruders deployed a passive C++ backdoor, Rungan, alongside a native IIS module, Gamshen, which selectively alters responses for Googlebot to perform SEO fraud. Initial access appears linked to SQL injection and abuse of xp_cmdshell, with subsequent PowerShell retrievals from a staging host.

🔍 ESET researchers identified GhostRedirector, a China-aligned threat group active since at least August 2024 that has compromised at least 65 Windows servers across multiple countries, notably Brazil, Thailand and Vietnam. The group deployed two novel tools: a C++ backdoor Rungan for remote command execution and a malicious IIS module Gamshen that manipulates search rankings to boost targeted sites. Operators also leveraged known privilege escalation exploits like BadPotato and EfsPotato to obtain administrator access and create persistent accounts. Organizations are advised to monitor IIS modules, patch promptly and audit high-privilege accounts and PowerShell activity.

🔍 Cybersecurity firm SentinelLabs and internet intelligence company Validin uncovered a coordinated effort by a North Korea-aligned cluster, tracked as Contagious Interview, to exploit CTI platforms between March and June 2025. The actors repeatedly created accounts on Validin’s portal, reused Gmail addresses tied to prior operations and registered new domains after takedowns. Investigators observed team-based coordination, probable Slack use, and operational slip-ups that exposed logs and directory structures. The probe also identified ContagiousDrop malware delivery applications that harvested details from more than 230 mostly cryptocurrency-sector victims, underscoring the campaign’s revenue-driven motive and the need for vigilance from job seekers and infrastructure providers.

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.

🛡️A new campaign used malicious npm packages to hide command-and-control URLs inside Ethereum smart contracts, evading typical static detection. ReversingLabs researcher Karlo Zanki uncovered packages colortoolsv2 and mimelib2 that delivered second-stage payloads via blockchain-held URLs. The threat also included fake GitHub projects, such as solana-trading-bot-v2, built to appear legitimate. Developers are urged to vet dependencies and maintainers beyond superficial metrics.

📍 Geolocation data from smartphones, apps and IPs can be weaponized by threat actors to launch precise, geographically targeted attacks such as localized phishing and malware activation. These attacks can act as "floating zero days," remaining dormant until they reach a specific location, as seen with Stuxnet and modern campaigns like Astaroth. Organizations should adopt multilayered defenses — robust endpoint detection, decoys, location baselines and stronger multi-factor verification — to mitigate this evolving threat.

🛡️ Researchers at S2 Grupo’s LAB52 disclosed NotDoor, a VBA-based Outlook backdoor attributed to Russia-backed APT28 that monitors incoming mail for trigger phrases to exfiltrate data, upload files and execute arbitrary commands. The malware abuses Outlook event-driven macros, employs DLL side-loading via a signed OneDrive.exe to load a malicious SSPICLI.dll, and persists by disabling security prompts and enabling macros. Organizations are advised to disable macros by default, monitor Outlook activity and inspect email-based triggers.