< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 5 of 45

Malicious NuGet package steals Sicoob banking credentials

🔍 Security researchers found a malicious NuGet package named Sicoob.Sdk that impersonated a C# SDK for Brazil's Sicoob banking APIs and exfiltrated client IDs and PFX certificates. Versions 2.0.0–2.0.4 encoded PFX files and sent them, along with PFX passwords and client IDs, to a hardcoded third‑party Sentry endpoint while also capturing raw Boleto API responses. The package has been blocked by NuGet after responsible disclosure, and organizations are urged to rotate affected credentials and audit logs.
read more →

BTMOB MaaS Android trojan targets Latin America

🛡️ BTMOB is an Android remote access trojan offered as malware-as-a-service with a builder that generates customized APKs tailored to phishing lures. The platform lets customers choose permissions, hide icons, disable Google Play, and configure behaviors to evade removal. ESET and other researchers link campaigns to Brazil and Latin America and note distribution via fake streaming and crypto mining sites. Subscriptions are sold through private Telegram channels.
read more →

Malicious Packages Move Beyond Classic Typosquatting

🔍 Sonatype's analysis of 4,309 malicious open source packages shows attackers favor naming-variant tactics over simple misspellings. 91% used suffixes, prefixes, embedded terms and dependency-confusion patterns to appear as plausible plugins, configs or SDKs. These packages often perform host and secrets exfiltration, droppers and backdoors, converting routine installs into compromise. Security teams are urged to scrutinize framework-adjacent components and assess publisher and campaign behavior, as typo detection alone is insufficient.
read more →

MacOS Supply-Chain Attacks Target Crypto Developers

🔍 Wiz has attributed a cluster named Jinx-0164 to a campaign targeting cryptocurrency firms with custom macOS malware, recruiter-themed lures and supply-chain tampering. The actor relies on LinkedIn-based social engineering and lookalike meeting domains to deliver a Python stealer/remote access tool called Audiofix, which poses as an audio driver and harvests keys, credentials and wallet data. They also abuse stolen GitHub tokens to inject backdoors into CI/CD repositories, causing builds to propagate the malware across development environments.
read more →

GPU-mining campaign uses SEO and AI for delivery

🛡️ Microsoft uncovered a targeted cryptojacking campaign that lures owners of high-performance PCs to malicious download pages for utilities like CrystalDiskInfo and HWMonitor. The attackers used SEO poisoning and, in some cases, manipulated AI chatbots to surface attacker-controlled download links. Infected ZIP archives include legitimate utilities and a malicious DLL that installs the ScreenConnect remote access tool, enabling persistent access and deployment of a process-hollowing loader that ultimately launches GPU miners.
read more →

Malicious npm package stole files from AI tool

🛡️ Researchers uncovered a malicious npm package named mouse5212-super-formatter that exfiltrates files from the /mnt/user-data directory used by Anthropic's Claude AI. OX Security describes the campaign, codenamed Malware-Slop, as a postinstall script that authenticates to GitHub using environment or hard-coded tokens, creates or targets a repository, and uploads local files to an attacker-controlled account. The package has been downloaded hundreds of times, and the linked GitHub account—created shortly before the package appeared—has since disappeared. Analysts noted the actor leaked a private token, suggesting poor OPSEC and possibly AI-assisted malware creation.
read more →

Microsoft warns of AI‑assisted cryptojacking campaign

🛡️ Microsoft warns of an active cryptojacking campaign that leverages AI chatbot interactions to surface malicious download sites. The attacks impersonate legitimate utilities and target high-performance GPU systems, using ZIP archives with sideloaded rogue DLLs to install ScreenConnect and deliver GPU miners. The campaign establishes persistent remote access, configures Defender exclusions, and supports multiple miners while evading analysis tools.
read more →

BTMOB Android RAT: No-Code Builder Spreads Globally

🛡️ ESET researchers identified a no-code Android remote access trojan (RAT) named BTMOB that is distributed via phishing campaigns and fake app stores. The malware includes an APK builder so buyers can produce customized payloads quickly and retool lures for different countries without coding. BTMOB abuses Android Accessibility Services to escalate permissions and enable data theft, screenshots, activity recording and full remote control. Sold as a malware-as-a-service offering with relatively low pricing, it lowers the barrier for criminals and allows rapid variant turnover.
read more →

Weekly Cyber Recap: Supply Chain and Active Flaws

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.
read more →

Chromium flaw allows persistent Service Worker abuse

🛡️ Chromium contains an unpatched vulnerability that lets attackers keep a Service Worker alive across restarts and execute JavaScript persistently. Reported by researcher Lyra Rebane, the bug abuses the Background Fetch API and a race that creates and aborts background fetches to evade UI visibility. Although some UI fixes were applied in 2023, the deeper issue—preventing indefinite Service Worker lifetimes—remains unresolved and can enable tracking, crypto mining, and browser-based bots.
read more →

The Art of Being Ungovernable: Career and Threats

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.
read more →

Inside modern crypto drainers and spotting signs

🔍 Flare researchers analyzed ~700 underground posts on the "Lucifer DaaS" between Jan 2025 and early 2026 to reveal how modern crypto drainers evolved into professionalized, service-like platforms. The study highlights affiliate-driven distribution, automation, website cloning, Permit2 abuse, and multichain support, showing how DaaS lowers technical barriers and increases resilience. It also lists practical indicators to help users avoid wallet-draining scams.
read more →

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.
read more →

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.
read more →

Webworm Adds EchoCreep and GraphWorm Using Discord

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.
read more →

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.
read more →

GitHub Confirms Breach After Malicious VS Code Extension

🔒 GitHub confirmed that a third party accessed roughly 3,800 internal repositories after a likely “poisoned” Visual Studio Code extension was found on an employee device on May 19. The intrusion was claimed by the TeamPCP group, which posted on the Breached forum and linked the access to private source code. GitHub says it has contained the incident, removed the malicious extension, isolated the endpoint and prioritized rotation of critical secrets. The company will publish a more detailed report when its investigation is complete.
read more →

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.
read more →

Microsoft Disrupts Malware Code-Signing Service Ring

🔒 Microsoft has disrupted the infrastructure behind a major malware code-signing service, seizing the group's site signspace[.]cloud and revoking more than 1,000 abused certificates. The company removed hundreds of attacker-controlled Azure virtual machines and linked the operation to a group it calls Fox Tempest. The service sold malware signing-as-a-service to ransomware affiliates, letting signed malicious installers evade Windows warnings and deploy backdoors, infostealers, and ransomware.
read more →

Microsoft Disrupts Malware-Signing Service Abusing Artifact

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation that abused its Azure Artifact Signing platform to generate fraudulent short-lived code-signing certificates used by ransomware gangs and other cybercriminals. The actor, tracked as Fox Tempest, created over 1,000 certificates and hundreds of Azure tenants and subscriptions. Microsoft seized the signspace[.]cloud domain, took virtual machines offline, revoked certificates, and filed a lawsuit in the Southern District of New York.
read more →