< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 44 of 45

GhostRedirector Hits 65 Windows Servers with IIS Module

🔍 Researchers at ESET disclosed a previously undocumented campaign named GhostRedirector that has compromised at least 65 Windows servers mainly in Brazil, Thailand and Vietnam. The intruders deployed a passive C++ backdoor, Rungan, alongside a native IIS module, Gamshen, which selectively alters responses for Googlebot to perform SEO fraud. Initial access appears linked to SQL injection and abuse of xp_cmdshell, with subsequent PowerShell retrievals from a staging host.
read more →

GhostRedirector: China-aligned IIS SEO Fraud Campaign

🔍 ESET researchers identified GhostRedirector, a China-aligned threat group active since at least August 2024 that has compromised at least 65 Windows servers across multiple countries, notably Brazil, Thailand and Vietnam. The group deployed two novel tools: a C++ backdoor Rungan for remote command execution and a malicious IIS module Gamshen that manipulates search rankings to boost targeted sites. Operators also leveraged known privilege escalation exploits like BadPotato and EfsPotato to obtain administrator access and create persistent accounts. Organizations are advised to monitor IIS modules, patch promptly and audit high-privilege accounts and PowerShell activity.
read more →

North Korea-Linked Actors Target Cyber Threat Intel

🔍 Cybersecurity firm SentinelLabs and internet intelligence company Validin uncovered a coordinated effort by a North Korea-aligned cluster, tracked as Contagious Interview, to exploit CTI platforms between March and June 2025. The actors repeatedly created accounts on Validin’s portal, reused Gmail addresses tied to prior operations and registered new domains after takedowns. Investigators observed team-based coordination, probable Slack use, and operational slip-ups that exposed logs and directory structures. The probe also identified ContagiousDrop malware delivery applications that harvested details from more than 230 mostly cryptocurrency-sector victims, underscoring the campaign’s revenue-driven motive and the need for vigilance from job seekers and infrastructure providers.
read more →

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.
read more →

Malicious npm Packages Use Ethereum to Deliver Malware

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.
read more →

Malicious npm Packages Use Ethereum Smart Contracts

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.
read more →

Malicious npm Packages Use Ethereum Smart Contracts

🛡️A new campaign used malicious npm packages to hide command-and-control URLs inside Ethereum smart contracts, evading typical static detection. ReversingLabs researcher Karlo Zanki uncovered packages colortoolsv2 and mimelib2 that delivered second-stage payloads via blockchain-held URLs. The threat also included fake GitHub projects, such as solana-trading-bot-v2, built to appear legitimate. Developers are urged to vet dependencies and maintainers beyond superficial metrics.
read more →

They Know Where You Are: Geolocation Cyber Risks Evolving

📍 Geolocation data from smartphones, apps and IPs can be weaponized by threat actors to launch precise, geographically targeted attacks such as localized phishing and malware activation. These attacks can act as "floating zero days," remaining dormant until they reach a specific location, as seen with Stuxnet and modern campaigns like Astaroth. Organizations should adopt multilayered defenses — robust endpoint detection, decoys, location baselines and stronger multi-factor verification — to mitigate this evolving threat.
read more →

Russia-backed APT28 Deploys 'NotDoor' Outlook Backdoor

🛡️ Researchers at S2 Grupo’s LAB52 disclosed NotDoor, a VBA-based Outlook backdoor attributed to Russia-backed APT28 that monitors incoming mail for trigger phrases to exfiltrate data, upload files and execute arbitrary commands. The malware abuses Outlook event-driven macros, employs DLL side-loading via a signed OneDrive.exe to load a malicious SSPICLI.dll, and persists by disabling security prompts and enabling macros. Organizations are advised to disable macros by default, monitor Outlook activity and inspect email-based triggers.
read more →

Malicious npm Package Masquerades as Nodemailer Library

⚠️ A malicious npm package named nodejs-smtp impersonating the popular nodemailer library was discovered to both send mail and inject malware into Electron-based desktop cryptocurrency wallets. When imported, it unpacked and tampered with Atomic Wallet on Windows, replacing vendor files and repackaging the app to silently redirect transactions to attacker-controlled addresses. Socket's researchers prompted npm to remove the package and suspend the account.
read more →

Malicious npm Package Mimics Nodemailer, Targets Wallets

🛡️ Researchers found a malicious npm package named nodejs-smtp that impersonated the nodemailer mailer to avoid detection and entice installs. On import the module uses Electron tooling to unpack an app.asar, replace a vendor bundle with a payload, repackage the application, and erase traces to inject a clipper into Windows desktop wallets. The backdoor redirects BTC, ETH, USDT, XRP and SOL transactions to attacker-controlled addresses while retaining legitimate mailer functionality as a cover.
read more →

Android droppers now pushing SMS stealers and spyware

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.
read more →

Brokewell Android Malware Spread via Fake TradingView Ads

⚠️Cybercriminals are abusing Meta advertising to distribute a malicious Android app impersonating TradingView Premium. Bitdefender says the campaign, active since at least July 22, redirects Android users to a counterfeit site that serves a trojanized tw-update.apk and requests accessibility rights while simulating an OS update to capture PINs. The installed Brokewell variant escalates privileges to exfiltrate credentials and 2FA codes, hijack SMS, record screens and audio, and accept remote commands for theft and device control.
read more →

TamperedChef infostealer spread via fake PDF Editor ads

🔍 Threat actors used Google ads to promote a fraudulent AppSuite PDF Editor that silently delivered the TamperedChef infostealer. Multiple domains hosted signed installers with revoked certificates; the malicious payload was activated after a delay and is launched with the "-fullupdate" argument, checking for security agents and extracting browser secrets via DPAPI. Operators also pushed related apps such as OneStart, ManualFinder and Epibrowser, and in some cases converted hosts into residential proxies; Truesec and Expel published IoCs for detection.
read more →

Abandoned Sogou Zhuyin Update Server Used in Espionage

📡 Trend Micro reports that threat actors leveraged an abandoned Sogou Zhuyin update server to distribute multiple malware families, including C6DOOR, GTELAM, DESFY, and TOSHIS. The campaign, tracked as TAOTH and identified in June 2025, used hijacked automatic updates, spear-phishing, and fake cloud/login pages to target dissidents, journalists, researchers, and business figures across East Asia. The adversary registered the lapsed domain sogouzhuyin[.]com in October 2024 and exploited third-party cloud services like Google Drive to conceal callbacks and exfiltrate data.
read more →

Nx npm Package Hijacked to Exfiltrate Data via AI Toolchain

🛡️ Malicious updates to the Nx npm package were published on 26 August, briefly delivering AI-assisted data‑stealing malware to developer systems. The infected releases injected crafted prompts into local AI CLIs (Anthropic’s Claude, Google Gemini, Amazon Q) to locate GitHub/npm tokens, SSH keys, .env secrets and cryptocurrency wallets, then encoded and uploaded the harvest by creating public repositories under victims' accounts. StepSecurity says eight compromised versions were live for five hours and 20 minutes and that attackers subsequently weaponized stolen GitHub CLI OAuth tokens to expose and fork private organization repositories. Recommended mitigation includes revoking tokens and SSH/GPG keys, making exposed repos private, disconnecting affected users and following a full remediation plan.
read more →

TamperedChef Malware Hidden in Fake PDF Editor Installers

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.
read more →

Supply-Chain Attacks on Nx and React Expose Dev Credentials

🔒 A coordinated supply-chain campaign compromised multiple npm packages — most notably the Nx build system — and used post-install scripts to harvest developer assets across enterprise environments. Wiz found the malware weaponized local AI CLI tools to exfiltrate filesystem contents, tokens, SSH keys, and environment variables. Separately, JFrog uncovered obfuscated malicious React packages designed to steal Chrome data. Vendors removed the packages and recommend rotating credentials, removing affected versions, and auditing developer and CI systems.
read more →

VS Code Marketplace Name Reuse Enables Malware Campaign

🔍 ReversingLabs has exposed a campaign in which malicious Visual Studio Code extensions exploited a name-reuse loophole on the VS Code Marketplace. A downloader extension named ahbanC.shiba executed the command shiba.aowoo to fetch a second payload that encrypted files and demanded one Shiba Inu token, although no wallet address was provided. The vulnerability arises because removed extensions free their names for reuse, contrary to Marketplace guidance that names are unique. Researchers demonstrated the issue by republishing test extensions under previously used names and warned developers to exercise greater caution when installing Marketplace packages.
read more →

ESET Finds PromptLock: First AI-Powered Ransomware

🔒 ESET researchers have identified PromptLock, described as the first known AI-powered ransomware implant, in an August 2025 report. The Golang sample (Windows and Linux variants) leverages a locally hosted gpt-oss:20b model via the Ollama API to dynamically generate malicious Lua scripts. Those cross-platform scripts perform enumeration, selective exfiltration and encryption using SPECK 128-bit, but ESET characterises the sample as a proof-of-concept rather than an active campaign.
read more →