< ciso brief />

All news with #malware tag

810 articles · page 4 of 41

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍 Cisco Talos disclosed a campaign, active since January 2026, in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.

PyTorch Lightning PyPI Release Backdoored with Stealer

⚠️ A malicious PyTorch Lightning package (lightning==2.6.3) published to PyPI contained a hidden execution chain that triggers on import and silently spawns a background process. That process downloads the Bun JavaScript runtime (v1.3.13) and runs an 11.4 MB heavily obfuscated payload detected by Microsoft Defender as ShaiWorm. The payload steals .env files, API keys, GitHub tokens, and credentials from Chrome, Firefox, and Brave, and can query cloud APIs; Lightning AI reverted PyPI to 2.6.1 and urges immediate rotation of secrets.

Global Crackdown: 276 Arrested, $701M Seized, 9 Centers

🔒 A coordinated international operation led by Dubai Police alongside the FBI and China's Ministry of Public Security arrested 276 suspects, shut nine crypto scam centers, and restrained more than $701 million in cryptocurrency tied to investment fraud. The schemes employed pig butchering and romance-baiting lures and relied on trafficked workers forced to run scam compounds. Authorities seized hundreds of fraudulent domains and a Telegram recruitment channel, sanctioned Cambodian actors, flagged an Android Malware-as-a-Service, and credited Operation Level Up with notifying nearly 9,000 victims and saving about $562 million.

What Is a Botnet? Risks, Architecture, and Defenses

🤖 A botnet is a network of compromised internet-connected devices controlled by attackers to perform coordinated criminal tasks such as DDoS, spam, crypto-mining, or malware distribution. Modern botnets use distributed architectures — from centralized command-and-control servers to peer-to-peer propagation — and often hide control traffic via IRC, HTTP, Telnet, or even public platforms. Defenders combine user training, patching, IoT hardening, antivirus, traffic filtering and CDN services with threat hunting methods like flow analysis and malware reverse-engineering.

Telegram Mini Apps Abused for Crypto Scams, Malware

⚠️ Researchers uncovered a large-scale fraud operation leveraging Telegram Mini Apps to run crypto scams and distribute Android malware. The infrastructure, identified by the FEMITBOT API string, uses Telegram bots to launch embedded Mini Apps that present phishing pages inside the app's WebView and impersonate well-known brands. Campaigns display fake dashboards, countdowns, and withdrawal prompts that demand deposits or referrals, and some prompt users to download APKs hosted on the same domains to avoid mixed-content warnings; Android users should not sideload APKs and should be cautious with bots asking for funds or app installs.

Poisoned Ruby Gems and Go Modules Target Developers

🔒 A new supply chain campaign used sleeper Ruby gems and Go modules published by BufferZoneCorp to deploy post-install payloads that harvest credentials and establish persistence. The malicious Ruby packages exfiltrated environment variables, SSH keys, AWS secrets, .npmrc/.netrc files and developer configuration during install. The Go modules tampered with GitHub Actions by installing fake go wrappers, intercepting builds, and adding a hard-coded SSH key to ~/.ssh/authorized_keys. Users should remove affected packages, rotate exposed credentials, and inspect systems and CI runners for unauthorized SSH entries and outbound connections.

High-Risk GenAI Browser Extensions Targeting Users

🛡️ Unit 42 identified 18 malicious browser extensions posing as GenAI productivity tools that deliver RATs, infostealers and MitM capabilities. These extensions intercept prompts, exfiltrate credentials and proxy HTTPS responses, often using AI-generated code to accelerate development. Organizations should restrict extensions, scrutinize permissions and treat browsers as critical attack surfaces. Google removed or warned developers after disclosure.

Three Arrested Over Hacking of 610,000 Roblox Accounts

🔒 Ukrainian authorities have arrested three suspects accused of compromising more than 610,000 accounts on the online gaming platform Roblox. Investigators say the group used social engineering lures that delivered infostealer malware to harvest usernames, passwords and authentication tokens, then assessed accounts for rare items and Robux. At least 357 high‑value accounts were identified and sold on Russian websites for cryptocurrency, reportedly generating over $225,000. Searches at ten properties recovered computers, storage devices, mobile phones, bank cards, handwritten notes and cash; analysis is ongoing and the suspects face up to 15 years if convicted.

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.

ThreatsDay: SMS blaster busts and supply‑chain shocks

🔍 This ThreatsDay bulletin highlights a week of converging risks: Canadian authorities dismantled an SMS blaster operation that spoofed cellular towers, while a malicious npm brandsquat (published as tanstack) exfiltrated local .env files during install. Researchers also flagged networks of browser extensions legally selling browsing and viewing data, the first documented abuse of the Komari admin agent in intrusions, and mass exposure of RDP/VNC servers—underscoring the importance of basic hygiene, credential rotation, and coordinated defensive response.

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.

Popular WordPress Redirect Plugin Hid Dormant Backdoor

🛡️ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections on his Anchor hosting fleet led to a security alert; WordPress.org has temporarily pulled the plugin pending review. A tampered 5.2.3 build, delivered from an external anadnet[.]com server, added a passive backdoor that only triggers for logged-out users and appears to have been used for cloaked SEO spam. Impacted sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available.

Fake VS Code Extensions Linked to GlassWorm Surge Escalation

🛡️ Security researchers at Socket uncovered 73 additional fraudulent Open VSX extensions impersonating trusted developer tools; many now include benign code to evade scanners and later fetch a GlassWorm loader. The extensions act as thin loaders, sometimes bundling native binaries, and connect to newly created repositories to download malicious updates. Of the 73, small subsets were activated in staged waves; Socket notified the Eclipse Foundation, and most have been removed.

LofyGang Returns Targeting Minecraft with LofyStealer

🛡️ A Brazil-based cybercrime group known as LofyGang has resurfaced after more than three years, deploying a new infostealer called LofyStealer (aka GrabBot) that specifically targets Minecraft players. The malware is disguised as a game cheat called 'Slinky' and uses a JavaScript loader to drop and execute chromelevator.exe in memory to harvest browser data. It captures cookies, passwords, tokens, payment cards and IBANs across multiple browsers and exfiltrates them to a C2 at 24.152.36[.]241. ZenoX highlights a strategic shift to a malware-as-a-service model with free and premium tiers and warns that attackers are increasingly abusing GitHub, SEO-poisoned lures and other trusted platforms to distribute malicious payloads.

GlassWorm Returns via 73 OpenVSX Sleeper Extensions

🚨 A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 'sleeper' extensions that are uploaded as benign clones of legitimate listings and later deliver malicious payloads via updates. Socket researchers say six extensions have already been activated to install malware, while the other packages are considered suspicious or dormant. The attackers use thin loaders that fetch secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript to retrieve and install payloads at runtime. Developers who installed any listed extensions should rotate all secrets and clean their development environments.

73 Fake VS Code Extensions Linked to GlassWorm Campaign

🔍 Cybersecurity researchers have flagged 73 cloned Microsoft Visual Studio Code extensions on the Open VSX repository tied to the persistent GlassWorm campaign. Six packages are confirmed malicious, while the remainder behave as sleeper implants that build trust until a subsequent update delivers a secondary payload hosted on GitHub. The extensions act as innocuous loaders that retrieve a VSIX payload and install it into all detected IDEs using --install-extension, enabling data theft, remote access trojans, and a rogue Chromium extension. Socket is tracking this activity as GlassWorm v2, with more than 320 artifacts identified since December 21, 2025.