< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 41 of 45

Roblox executors: cheat tools that bring security risks

⚠️ Downloading third-party Roblox "executors" — tools that inject and run unauthorized scripts in games — can lead to account bans and serious security incidents. Malicious actors distribute fake or trojanised versions of popular tools such as Synapse X and Solara, sometimes bundling ransomware or backdoors. These installers may ask users to disable antivirus protections, which is a clear warning sign. Parents should steer children toward official features and avoid unverified downloads to keep accounts and devices safe.
read more →

Microsoft: New XCSSET macOS Variant Targets Xcode Developers

🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.
read more →

Malicious npm 'postmark-mcp' Release Exfiltrated Emails

📧 A malicious npm package posing as the official postmark-mcp project quietly added a single line of code to BCC all outgoing emails to an external address. Koi Security found the backdoor in version 1.0.16 after prior releases through 1.0.15 were verified clean. The tainted release was available for about a week and logged roughly 1,500 downloads. Users are advised to remove the package, rotate potentially exposed credentials, and run MCP servers in isolated containers before upgrading.
read more →

Talos: New PlugX Variant Targets Telecom and Manufacturing

🔍 Cisco Talos revealed a new PlugX malware variant active since 2022 that targets telecommunications and manufacturing organizations across Central and South Asia. The campaign leverages abuse of legitimate software, DLL-hijacking techniques and stealthy persistence to evade detection, and it shares technical fingerprints with the RainyDay and Turian backdoors. Talos describes the activity as sophisticated and ongoing. Organizations should update endpoint, email and network protections, review DLL-hijack mitigations and proactively hunt for related indicators.
read more →

Vane Viper Exposed as Major Malvertising Adtech Actor

🛡️ Infoblox, together with Guardio and Confiant, has identified Vane Viper (also known as Omnatuor) as an adtech platform that has enabled malvertising, ad fraud, and malware distribution for more than a decade. The operator used a web of shell companies and subsidiaries reportedly linked to PropellerAds and AdTech Holding to broker malicious traffic and to run its own campaigns. Researchers describe persistence tactics such as abusing browser push-notification permissions and service workers to spawn headless browser processes that continue to redirect users. Infoblox estimates Vane Viper generated roughly 1 trillion DNS queries across about half of its customer networks over the past year.
read more →

Malicious Rust crates on Crates.io exfiltrate crypto keys

🔒Two malicious Rust crates published to Crates.io scanned developer systems at runtime to harvest cryptocurrency private keys and other secrets. The packages, faster_log and async_println, mimicked a legitimate logging crate to avoid detection and contained a hidden payload that searched files and environment variables for Ethereum-style hex keys, Solana-style Base58 strings, and bracketed byte arrays. Discovered by Socket, both crates were removed and the publisher accounts suspended; affected developers are advised to clean systems and move assets to new wallets.
read more →

XCSSET Evolves: New Clipboard, Firefox, Persistence Modules

🔍 Microsoft Threat Intelligence describes a new XCSSET variant that infects Xcode projects and expands capabilities to include clipboard hijacking, Firefox data theft, and additional persistence via LaunchDaemon entries. The actor uses run-only compiled AppleScripts, AES-based encryption, and layered obfuscation to evade analysis. A bnk submodule monitors and can replace wallet addresses in the clipboard while a new Mach-O binary targets Firefox data. Organizations are advised to patch promptly, inspect Xcode project sources, and deploy Microsoft Defender for Endpoint.
read more →

Playing Offside: Threat Actors Targeting FIFA 2026

⚽ As the 2026 FIFA World Cup approaches, threat actors are already preparing by registering thousands of event-related domains and staging deception campaigns. In the two months since 1 August 2025, researchers identified over 4,300 newly registered domains referencing FIFA, the World Cup, or host cities; many look innocuous but present risks including phishing, fake ticketing, and malware delivery. The findings underline the need for proactive domain monitoring, stronger email and web defenses, and coordinated threat intelligence sharing among organizers, sponsors, and security teams to protect fans and partners.
read more →

Threatsday Bulletin: Rootkits, Supply Chain, and Arrests

🛡️ SonicWall released firmware 10.2.2.2-92sv for SMA 100-series appliances to add file checks intended to remove an observed rootkit, and moved SMA 100 end-of-support to 31 October 2025. The bulletin also flags an unpatched OnePlus SMS permission bypass (CVE-2025-10184), a GeoServer RCE compromise affecting a U.S. federal agency, and ongoing npm supply-chain and RAT campaigns. Defenders are urged to apply patches, rotate credentials, and enforce phishing-resistant MFA.
read more →

YiBackdoor Linked to IcedID and Latrodectus Code Overlaps

🔒 Zscaler ThreatLabz disclosed a new malware family named YiBackdoor that shares notable source-code overlaps with IcedID and Latrodectus. First observed in June 2025 with limited deployments, YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and load encrypted plugins to expand capabilities. It uses anti-analysis checks, injects into svchost.exe, persists via a Run registry entry that invokes regsvr32.exe with a randomized name, and fetches commands from an embedded encrypted configuration over HTTP. Zscaler warns it could be leveraged to gain initial access for follow-on exploitation, including ransomware.
read more →

GitHub Pages SEO Poisoning Delivers Atomic Stealer

🚨 Attackers are creating convincing GitHub Pages that impersonate well-known brands to trick macOS users into installing the Atomic infostealer. Using SEO poisoning, malicious repositories are promoted in search results and funnel victims through multiple redirects to pages that instruct users to paste a Terminal curl command. That command decodes a base64 URL and executes a script that fetches and runs the Atomic payload. LastPass published IoCs and requested takedowns, but warns the campaign remains active.
read more →

QR Codes Used to Hide JavaScript Backdoor in npm Package

🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. Disguised as a benign JavaScript/TypeScript utility, importing the library triggered retrieval and execution of code hidden inside a remote QR image; the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.
read more →

SonicWall SMA100 Firmware Removes OVERSTEP Rootkit

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.
read more →

NPM package uses QR code to fetch cookie-stealing malware

🔒 A malicious npm package named fezbox was recently discovered using a QR code embedded in an image to retrieve a second-stage, cookie-stealing payload from the attacker's server. The package's minified code (notably in dist/fezbox.cjs) delays execution, avoids development environments, then decodes a reversed URL to fetch a dense JPG QR image containing obfuscated JavaScript. When the payload finds credentials in document.cookie it extracts username and password and exfiltrates them via an HTTPS POST; the package accrued at least 327 downloads before registry removal.
read more →

BadIIS SEO-Poisoning Campaign Targets Vietnam Servers

🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.
read more →

ComicForm and SectorJ149 Deploy FormBook via Phishing

🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.
read more →

Fake macOS apps on GitHub spread Atomic (AMOS) malware

⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.
read more →

Verified Steam Game Drains Streamer's Crypto Donations

🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.
read more →

LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.
read more →

Researchers Find GPT-4-Powered MalTerminal Malware

🛡️ SentinelOne researchers disclosed MalTerminal, a Windows binary that integrates OpenAI GPT-4 via a deprecated chat completions API to dynamically generate either ransomware or a reverse shell. The sample, presented at LABScon 2025 and accompanied by Python scripts and a defensive utility called FalconShield, appears to be an early — possibly pre-November 2023 — example of LLM-embedded malware. There is no evidence it was deployed in the wild, suggesting a proof-of-concept or red-team tool. The finding highlights operational risks as LLMs are embedded into offensive tooling and phishing chains.
read more →