< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 40 of 45

Android Spyware Posing as Signal Plugin and ToTok Pro

⚠️ Researchers at ESET have uncovered two Android spyware campaigns, ProSpy and ToSpy, that masquerade as a Signal encryption plugin and a ToTok Pro upgrade to target users in the U.A.E. Distributed via fake websites and social engineering, these apps require manual installation and request extensive permissions to persist and exfiltrate contacts, messages, media and device data. Users are advised to avoid installing apps from unofficial sources and to disable installations from unknown origins.
read more →

Android spyware targeting Signal and ToTok users in UAE

🔒 ESET researchers uncovered two previously undocumented Android spyware families—Android/Spy.ProSpy and Android/Spy.ToSpy—distributed via deceptive websites that impersonate Signal, ToTok and even app stores. Both families require manual APK installation from third‑party sites and maintain persistence while exfiltrating contacts, media, documents and chat backups. ToSpy notably seeks .ttkmbackup files and uses AES‑CBC encryption with a hardcoded key; several C&C servers remained active. Google Play Protect already blocks known variants, and ESET shared findings with Google.
read more →

MatrixPDF: PDFs Weaponized to Evade Gmail Defenses

📄 Researchers at Varonis have discovered MatrixPDF, a toolkit that disguises malicious web redirects and scripts inside seemingly benign PDFs to bypass Gmail filters. The files use blurred content, overlays and convincing prompts such as “Open Secure Document” to trick users into opening external sites. In some cases embedded JavaScript can auto-fetch payloads when a reader grants permission. Because Gmail treats preview clicks as user-initiated, these PDFs often evade email scanners and sandboxes.
read more →

Android malware uses VNC to give attackers hands-on access

🔒 Klopatra is a newly observed Android banking and remote access trojan distributed via a sideloaded dropper app called Modpro IP TV + VPN that has infected over 3,000 devices across Europe. The malware abuses Android Accessibility to capture inputs, exfiltrate clipboard content, simulate taps and gestures, and monitor screens. A concealed black‑screen VNC mode lets operators interact with devices and perform manual bank transactions while the device appears idle. Cleafy notes extensive anti-analysis protections, use of commercial packers, and active development since March 2025.
read more →

Credential ZIP Lures Use Malicious LNKs to Deploy DLLs

📎 BlackPoint researchers tracked a campaign that distributes credential-themed ZIP archives containing malicious Windows shortcut (.lnk) files. When opened, the shortcuts launch minimized, obfuscated PowerShell that downloads DLL payloads disguised as .ppt files, saves them to the user profile and invokes them via rundll32.exe. The dropper assembles commands from byte arrays, probes for antivirus processes and uses quiet flags to minimize visible indicators. Recommended mitigations include blocking LNKs in archives, enforcing Mark of the Web, denying execution from user-writable locations, and enabling PowerShell script block logging and AMSI.
read more →

Klopatra Android Banking Trojan Hits 3,000+ Devices

🔒 Cleafy has uncovered Klopatra, a previously undocumented Android banking trojan that has infected over 3,000 devices—predominantly in Spain and Italy. The malware leverages Hidden VNC for remote device control and dynamic overlays to harvest credentials, while integrating the commercial Virbox protection suite and native libraries to evade detection and analysis. Operators distribute Klopatra via social-engineered IPTV droppers, abuse Android accessibility permissions to persist and perform actions, and use a black-screen VNC mode and stolen PINs or patterns to unlock devices and execute rapid fraudulent transfers.
read more →

Ukraine Alerts to CABINETRAT Backdoor Delivered via XLLs

⚠ The Computer Emergency Response Team of Ukraine (CERT‑UA) warns of targeted attacks using a new backdoor dubbed CABINETRAT distributed via malicious Excel add-ins (XLL) concealed inside ZIP archives shared over Signal. The XLL implants an EXE in Startup, places BasicExcelMath.xll in the Excel XLSTART folder and drops a PNG that hides shellcode. It employs registry persistence and robust anti-VM checks, and the C-based backdoor performs reconnaissance, remote command execution, file operations and data exfiltration over TCP.
read more →

MatrixPDF toolkit converts PDFs into phishing lures

📄 MatrixPDF is a newly observed toolkit that converts ordinary PDFs into interactive phishing and malware lures, researchers report. First seen advertised on cybercrime forums and promoted via Telegram, it embeds blurred content, fake "Secure Document" prompts, clickable overlays and JavaScript actions that redirect users to external payloads. Varonis testing showed these PDFs can bypass Gmail filters because they contain no embedded binaries and rely on user clicks to fetch malicious content. Sellers offer subscriptions from $400/month to $1,500/year.
read more →

Klopatra Android RAT Uses Commercial Protections in Europe

⚠️ Cleafy's Threat Intelligence team discovered a previously unknown Android Remote Access Trojan named Klopatra in late August 2025, actively targeting financial institutions across Spain and Italy. The malware leverages commercial-grade protection (notably Virbox) and shifts much of its functionality into native code to evade detection and frustrate reverse engineering. Operators use Hidden VNC, dynamic overlays and abuse of Accessibility Services to harvest credentials and perform unauthorized transactions while victims remain unaware.
read more →

Phantom Taurus: NET-STAR .NET IIS Backdoor Revealed

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.
read more →

Datzbro Android Trojan Targets Seniors for DTO Fraud

🛡️ThreatFabric disclosed a newly observed Android banking trojan named Datzbro that targets elderly users via Facebook groups promoting senior activities. Attackers lure victims to install purported community apps (Android APKs and placeholder iOS TestFlight links) via Messenger or WhatsApp; payloads either install Datzbro directly or use a Zombinder dropper to bypass Android 13+ protections. Datzbro abuses Android Accessibility services to perform device takeover, overlay attacks, keylogging and remote control, enabling credential theft and fraudulent transactions. The malware is tied to a Chinese-language desktop C2 and contains Chinese debug strings, suggesting origin and potential wider distribution.
read more →

EvilAI Campaign: Malware Masquerading as AI Tools Worldwide

🛡️ Security researchers at Trend Micro detail a global campaign called EvilAI that distributes malware disguised as AI-enhanced productivity tools and legitimate applications. Attackers employ professional-looking interfaces, valid code-signing certificates issued to short-lived companies, and covert encoding techniques such as Unicode homoglyphs to hide malicious payloads and evade detection. The stager-focused malware — linked to families tracked as BaoLoader and TamperedChef — performs reconnaissance, exfiltrates browser data, maintains AES-encrypted C2 channels, and stages systems for follow-on payloads. Targets span manufacturing, government, healthcare, technology, and retail across Europe, the Americas and AMEA.
read more →

Weekly Recap: Cisco 0-day, Record DDoS, New Malware

🛡️ Cisco firewalls were exploited in active zero-day attacks that delivered previously undocumented malware families including RayInitiator and LINE VIPER by chaining CVE-2025-20362 and CVE-2025-20333. Infrastructure and cloud environments faced major pressure this week: Cloudflare mitigated a record 22.2 Tbps DDoS while misconfigured Docker instances enabled ShadowV2 bot operations. Researchers also disclosed Supermicro BMC flaws that could allow malicious firmware implants, and ransomware actors increasingly abuse exposed AWS keys. Prioritize patching, firmware updates, and cloud identity hygiene now.
read more →

XWorm Campaign Signals Rise in Fileless In-Memory Attacks

🔒 Forcepoint Labs describes a multi-stage phishing campaign that delivers the XWorm remote-access trojan via an Office .xlam attachment embedding an OLE native stream. An encrypted shellcode launches a .NET dropper that uses steganography and reflective DLL loading to unpack successive in-memory stages, minimizing on-disk artifacts. Attackers leverage API hashing, unhooked calls and layered encryption to evade sandboxes and traditional scanners; Forcepoint provides IoCs and detection recommendations.
read more →

First Malicious MCP Server Found in NPM Postmark Package

🛡️ Cybersecurity researchers at Koi Security reported the first observed malicious Model Context Protocol (MCP) server embedded in an npm package, a trojanized copy of the postmark-mcp library. The malicious change, introduced in version 1.0.16 in September 2025 by developer "phanpak", added a one-line backdoor that BCCs every outgoing email to phan@giftshop[.]club. Users who installed the package should remove it immediately, rotate any potentially exposed credentials, and review email logs for unauthorized BCC activity.
read more →

Fake Microsoft Teams Installer Delivers Oyster Backdoor

⚠️ Blackpoint SOC observed a malvertising and SEO-poisoning campaign that directs searches for Teams downloads to a fake site at teams-install[.]top offering a malicious MSTeamsSetup.exe. The signed installer uses certificates from "4th State Oy" and "NRM NETWORK RISK MANAGEMENT INC" to appear legitimate, then drops CaptureService.dll into %APPDATA%\Roaming and creates a scheduled task CaptureService to run every 11 minutes. The payload installs the Oyster backdoor. Administrators should download software only from verified vendor domains and avoid clicking search ads.
read more →

Researchers Expose SVG and PureRAT Phishing Threats

📧 Fortinet FortiGuard Labs and other researchers detailed phishing campaigns that weaponize malicious SVG attachments to initiate downloads of password-protected ZIP archives and Compiled HTML Help (CHM) files. Those CHM files activate loader chains that deliver CountLoader as a distribution stage for Amatera Stealer and the stealthy .NET miner PureMiner, both run filelessly via .NET AOT and memory-loading techniques. Separately, Huntress attributes a Vietnamese-speaking operator using copyright-themed lures that escalate from PXA Stealer to the modular backdoor PureRAT.
read more →

SVG Phishing Targets Ukraine with Amatera Stealer, PureMiner

⚠️ FortiGuard Labs observed a targeted phishing campaign impersonating Ukrainian authorities that used malicious SVG attachments to initiate a fileless infection chain. The SVG redirected victims to a password-protected archive containing a CHM that executed a hidden HTA loader (CountLoader). The loader retrieved and ran in-memory payloads, deploying Amatera Stealer for data theft and PureMiner for cryptomining.
read more →

New COLDRIVER ClickFix Campaign Uses BAITSWITCH, SIMPLEFIX

🔍 Zscaler details a new COLDRIVER ClickFix campaign that deploys two lightweight families: BAITSWITCH, a DLL downloader, and SIMPLEFIX, a PowerShell backdoor. Victims are lured to execute a malicious DLL via a fake CAPTCHA; BAITSWITCH fetches SIMPLEFIX while presenting a Google Drive decoy. The chain stores encrypted payloads in the Windows Registry, uses a PowerShell stager, and clears the Run dialog to erase traces. Zscaler notes the campaign targets NGOs, human-rights defenders, think tanks, and exiles connected to Russia.
read more →

New macOS XCSSET Variant Targets Browsers and Clipboard

🛡️ Microsoft Threat Intelligence reported a new macOS malware variant of XCSSET that introduces browser-targeting changes, clipboard hijacking, and additional persistence mechanisms. The update uses run-only compiled AppleScripts, enhanced obfuscation and encryption, and expands data theft to include Firefox. New modules implement clipper behavior and LaunchDaemon- and Git-based persistence. Users should inspect Xcode projects and avoid pasting sensitive clipboard content.
read more →