< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 4 of 45

Miasma worm source code briefly leaked on GitHub

🛡️ The Miasma credential-stealing worm, an evolution of the Shai-Hulud toolkit, was briefly published on GitHub after threat actors uploaded it to multiple compromised accounts. The framework steals developer build and cloud credentials, compromises package registries and repositories, and propagates autonomously without C2 by abusing GitHub. Researchers note destructive 'dead-man switch' behavior and a build pipeline that randomizes payloads to evade detection, increasing supply-chain risk.
read more →

NFCShare Android malware spreads via fake app updates

🛡️ New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub, targeting customers across Europe. The campaign tricks victims into performing an NFC ‘verification’ that captures card data and a 4-digit PIN via Android’s IsoDep interface, then exfiltrates it to a C2 server over WebSocket. D3Lab, which first documented NFCShare in January 2026, notes the malware uses malformed APK packaging to hinder automated analysis and that repositories have hosted dozens of spoofed banking APKs for Italian and Spanish banks.
read more →

Weekly cyber recap: supply chain worm and hacks

⚠️ Last week saw a range of high-impact incidents, from the Miasma worm compromising 73 Microsoft GitHub repositories to targeted mailbox espionage and an Instagram account compromise via an AI support tool. Vendors patched active Android flaws, researchers flagged malicious npm packages and a compromised Hola Browser installer, and U.S. agencies disrupted transnational investment fraud. Multiple threat clusters, including China-linked espionage groups and financially motivated actors, broadened their geographic scope and tactics, while many critical CVEs remain urgent for defenders to patch.
read more →

Miasma worm compromises 73 Microsoft GitHub repos

🛡️ Microsoft's GitHub organizations — including Azure, Azure-Samples, Microsoft, and MicrosoftDocs — were hit by the self-replicating Miasma supply chain campaign that affected 73 repositories, prompting GitHub to disable access. The incident notably re-compromised the durabletask package previously infected by TeamPCP, suggesting lingering credential exposure. Miasma, a variant of the Mini Shai-Hulud worm, has mutated rapidly and pushed malicious payloads both to registries and directly to GitHub source repos, leveraging AI coding tools and developer workflows to execute payloads. Security firms warn the campaign exploits trust in maintainers and signing rather than platform vulnerabilities, allowing widespread propagation across the open-source ecosystem.
read more →

Asin Android spyware targets Arabic-speaking users

🛡️ ESET has identified a new Android spyware family named Asin that targets Arabic-speaking users through multiple campaigns observed since early 2025. The malware was distributed via fake websites impersonating a government news source, a PDF editor, and a live war map, and was promoted on social platforms like Facebook and Telegram. Infections require manual APK installation and permission grants, with samples found on devices in Türkiye and on Xiaomi devices running Android 15. Attribution and precise objectives remain unknown, though journalists and OSINT researchers are likely targets.
read more →

Prototype AI-Powered Worm Raises New Security Risks

🔒 Researchers have demonstrated a prototype AI-powered internet worm that autonomously propagates and carries its own local LLM to run on compromised machines. The prototype echoes early theoretical concepts of self-replicating code and shows how generative models can be embedded into malware to extend functionality. This proof-of-concept highlights evolving threats and the need for updated defensive strategies and policy responses.
read more →

AI tools surge in underground ransomware marketplaces

🔍 Analysis by Halcyon shows a rapid rise in AI-based tools sold across Telegram channels, dark web forums, and underground markets, with posts increasing from 38 in December 2025 to 1,486 by February 2026. The offerings fall into four groups: weaponized LLMs, AI-enabled identity fraud, AI-augmented malware/infrastructure, and jailbroken or stolen AI services. Ransomware operations are professionalising with tiered services, automation and freemium models, lowering the skill barrier for new actors while law enforcement takedowns and better enterprise defenses remain critical.
read more →

FIFA World Cup 2026: Rising ticket and streaming scams

🛡️ Security researchers and law enforcement warn that FIFA-themed fraud is already targeting World Cup 2026 fans ahead of the June 11 kickoff. Threat actors have registered thousands of lookalike domains, deployed phishing kits that clone FIFA's login pages, and hidden banking trojans inside pirate streaming apps. Scams include counterfeit ticket sales, fake merchandise shops, malicious streaming apps that install banking malware, and social-media ad campaigns driving victims to phishing pages.
read more →

ThreatsDay bulletin: escalating cyber intrusion trends

🛡️ Cisco patched a high-severity SSRF in Unified Communications Manager, while Russia reported large-scale mobile spyware targeting officials and ongoing investigations. Threat actors continue to distribute VIP Keylogger via layered social engineering and JavaScript loaders, and DriveSurge operates a widespread malware delivery network using ClickFix and FakeUpdates. U.S. sanctions hit major Iranian crypto exchanges; RMM and trusted tools are increasingly abused for persistence and privilege escalation.
read more →

Microsoft warns on AI-enabled malware risks

🔒 Microsoft’s Detection and Response Team (DART) warns that AI adoption has introduced new attack surfaces, with threat actors weaponizing AI tools in social engineering and supply chains. A highlighted campaign, ‘JustAskJacky’, disguised a malicious AI assistant that installed a Java backdoor and persistence tasks. Experts urge organisations to assess nonstandard AI apps, enforce security reviews, and make AI risk a board-level priority.
read more →

FlutterShell macOS backdoor spreads via malvertising

🛡️ Palo Alto Networks Unit 42 uncovered Operation FlutterBridge, a macOS malvertising campaign distributing a Flutter-built backdoor called FlutterShell. The campaign links to a cluster known as JSCoreRunner/FileRipple and an actor tracked as CL-CRI-1089, active since at least 2023. FlutterShell uses WebView and a JavaScript-to-native bridge to load malicious logic from attacker-controlled sites, supports command execution, file manipulation, and exfiltration, and has multiple evolving variants that passed Apple notarization.
read more →

Fake Sites Impersonate Open‑Source Tools to Deliver Malware

🛡️ Check Point researchers uncovered an operation that clones open-source and freeware project pages to funnel users through a Traffic Distribution System (TDS) that can deliver malware like Remus Stealer, AnimateClipper, and the SessionGate framework. The deceptive sites preserve real links and use CloudFront-hosted JavaScript to convert clicks into a gated redirection chain enforcing anti-bot and VPN checks. The campaign has been active since late 2025 and escalated to malware distribution in January 2026.
read more →

Inside C0XMO: Cross-Platform Gafgyt Propagation

🛡️ FortiGuard Labs details a new Gafgyt variant, C0XMO, which exploits CVE-2021-27137 in vulnerable DD-WRT firmware to gain remote control of devices. The malware separates scanning into a standalone Python scanner and distributes architecture-specific ELF payloads to multiple Linux platforms. C0XMO implements multi-stage persistence, kills competing botnets, supports extensive DDoS commands, and communicates with a C2 using a custom handshake. Organizations should update firmware, disable unnecessary remote services, and enforce strong credentials to mitigate risk.
read more →

AI-Driven Cybercrime Tools Surge Over 3800%

🔍 Halcyon research reveals a dramatic rise in AI-powered cybercrime tooling across underground markets, jumping from 38 mentions in December to 1,486 in February. Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center, detailed four product categories: weaponized LLMs, AI-enabled identity fraud, AI-augmented malware/infrastructure, and jailbroken or stolen AI services. She warned that automated distribution, freemium models and redundant channels have lowered the financial barrier to entry and increased resilience against takedown efforts.
read more →

Weedhack campaign targets Minecraft players via YouTube

🛡️ McAfee Labs reports a MaaS campaign called Weedhack that has been active since January 2026, using SEO poisoning and YouTube videos to trick Minecraft users into downloading malicious JAR files. The malware chain begins with a trojanized client and leverages the Ethereum blockchain for C2 resolution, ultimately delivering remote access and information-stealing payloads. The service is offered free and as a paid tier, enabling widespread abuse, account theft, and cyberbullying against younger victims.
read more →

WeedHack campaign infects over 116,000 Minecraft systems

🛡️ McAfee researchers report that a large-scale malware campaign named WeedHack has infected more than 116,000 systems by distributing malicious Minecraft mods, clients, cheats, and utilities via YouTube links and SEO poisoning. The operation provides a free, clear-net MaaS dashboard and a paid premium tier that adds remote control, keylogging, and webcam access, targeting session IDs, browsers, wallets, and gaming credentials. Victims are concentrated in the US, Germany, India, and the UK, and the campaign uses hundreds of distribution URLs and thousands of malicious JARs. Players are urged to only download from official sources and use the in-game Marketplace for safety.
read more →

Gamaredon leverages WinRAR flaw to deliver modular malware

🛡️ Gamaredon exploited CVE-2025-8088 in WinRAR to deploy an HTML Application payload named GammaPhish, which fetches a VBScript downloader called GammaLoad. Observed in January 2026 by Sekoia, the chain delivers multiple strains including a worm (GammaWorm) that persists via scheduled tasks and hides payloads using NTFS ADS, and a stealer (GammaSteel) that exfiltrates files to AWS S3 or fallback servers. The campaign targets Ukrainian entities and demonstrates a modular, highly obfuscated architecture likely to be reused.
read more →

Dutch Authorities Dismantle Massive Botnet Network

🛡️ Dutch authorities and the National Cyber Security Center announced the takedown of a botnet that had enlisted millions of devices, including computers, smartphones, tablets, and IoT gear. The network reportedly comprised at least 17 million infected devices and relied on more than 200 servers in the Netherlands for backend infrastructure. Police seized a subset of those servers from a hosting provider, which then took the botnet offline after it was used for criminal activity. Local reporting linked the operation to proxy services such as Asocks, previously associated with proxyware campaigns affecting Android devices.
read more →

Greyvibe: Russian-linked group using AI in attacks

🛡️ Researchers from WithSecure uncovered a Russian-aligned group dubbed Greyvibe that extensively leverages large language models across its campaigns targeting private, government, and military organizations in Ukraine. The group uses spear phishing, fake websites, malicious archives, and ClickFix-style CAPTCHAs to deliver custom malware such as PhantomRelay, LegionRelay, and Android spyware FallSpy. Observed tooling and infrastructure indicate systematic use of generative AI for lure creation, code development, and backend setup, blurring lines between state-aligned activity and cybercrime ecosystem actors.
read more →

Fake IPTV Android apps used to deliver malware

🛡️ Cybercriminals are exploiting demand for live sports streaming by distributing fake Android IPTV apps that hide malware. These malicious APKs often mimic legitimate services and load real sites in a built-in browser to avoid suspicion while performing background theft. Researchers observed strains like Massiv and the more advanced Perseus, which abuse Android Accessibility Services to steal banking and crypto credentials. Users in Portugal, Spain, France and Türkiye have been targeted; avoid third-party APKs and keep devices updated.
read more →