< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 6 of 45

npm supply-chain attack compromises AntV packages

🔒 The npm registry suffered a fast-moving supply-chain compromise on May 19 after attackers gained access to a high-privilege maintainer account (atool), pushing 637 malicious versions across 317 packages and infecting a large portion of the AntV namespace. The payload, a Mini-Shai-Hulud worm, steals npm/GitHub tokens and credentials and exfiltrates data to public GitHub repositories. AntV maintainers deleted infected versions, deprecated remaining packages, and advised users to audit, rotate credentials, and install known-safe releases.
read more →

Trapdoor Android Ad-Fraud Chain Fuels Malvertising

🔍 Researchers at HUMAN's Satori Threat Intelligence team disclosed "Trapdoor," a multi-stage Android ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-owned C2 domains. The campaign used utility-like apps to trick users into installing secondary apps that launch hidden WebViews, load HTML5 cashout domains, and perform automated touch-fraud. At its peak Trapdoor generated about 659 million bid requests per day, drove over 24 million app installs—mostly from U.S. traffic—and Google removed the identified apps after disclosure.
read more →

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.
read more →

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.
read more →

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.
read more →

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32/64‑bit payloads, uses a unique 'lwxat' C2 authentication check and XOR 0x3 obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.
read more →

INTERPOL Operation Ramz: 200+ Arrests and 53 Servers Seized

🔒 INTERPOL's Operation Ramz led to more than 200 arrests and the seizure of 53 servers used for phishing, malware, and online fraud, affecting at least 3,867 confirmed victims from nearly 8,000 intelligence packages. Authorities identified another 382 suspects across 13 MENA countries. INTERPOL partnered with private firms including Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI to track malicious infrastructure. The operation disrupted phishing-as-a-service platforms, dismantled investment scam rings, and disabled malware-infected servers.
read more →

SHub 'Reaper' macOS Infostealer Spoofs Apple Updates

🔔 SentinelOne researchers disclosed a new SHub macOS infostealer variant, dubbed Reaper, that lures victims with fake app installers and uses the applescript:// URL scheme to launch a malicious AppleScript. The payload displays a bogus Apple security update, requests the macOS password, and executes a shell script that harvests browser data, crypto wallets, passwords, iCloud and Telegram artifacts, and files from Desktop and Documents. Reaper also persists via a LaunchAgent, hijacks wallet apps by replacing core files, and clears quarantine flags to evade Gatekeeper.
read more →

Interpol leads major MENA cybercrime crackdown operation

🔎 Interpol coordinated a first-of-its-kind campaign, Operation Ramz, across 13 MENA countries from October 2025 to February 2026 to disrupt phishing, malware and scam networks. The campaign resulted in 201 arrests, identification of 382 additional suspects and 3,867 victims, and led to the seizure of 53 servers. Authorities also disseminated almost 8,000 pieces of data and intelligence to support follow-up investigations. Private-sector partners including Group-IB, Kaspersky, Team Cymru, Shadowserver and TrendAI supported operational visibility and takedown efforts.
read more →

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.
read more →

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.
read more →

PawsRunner Steganography Delivers PureLogs Infostealer

🛡️ FortiGuard Labs details a phishing campaign that uses TXZ attachments and environment-variable obfuscation to execute a fileless .NET loader. The loader, tracked as PawsRunner, retrieves encrypted payloads hidden inside PNG images using steganography and delivers the PureLogs infostealer. The campaign abuses multiple network APIs, prioritizes image responses, and uses cat images as cover, with final-stage C2 communication via HTTPS.
read more →

Gremlin Stealer Evolution: Obfuscation and New Capabilities

🔐 This report analyzes a new Gremlin stealer variant that leverages advanced obfuscation, including a commercial packer with instruction virtualization and .NET resource XOR encoding, to conceal final-stage payloads. The malware harvests browser cookies, session tokens, clipboard contents and cryptocurrency wallet data, and has added modules for Discord token theft, WebSocket session hijacking and a clipboard crypto-clipper. The variant uses staged in-memory decryption and a numeric decoder routine to frustrate static analysis, and Palo Alto Networks recommends protective coverage via Cortex XDR, Advanced WildFire and network security controls, and contacting Unit 42 for incident response.
read more →

China-linked TencShell implant derived from Rshell C2

🔍 Cato Networks' Cyber Threats Research Lab (CTRL) identified an undocumented Go-based implant called TencShell while responding to an April 2026 intrusion attempt against the Indian branch of a global manufacturer. The operation used a first-stage dropper, Donut shellcode, a disguised .woff web-font resource, memory injection and web-like C2 traffic. Cato blocked the intrusion and published technical findings in a May 13 report, linking the implant to an altered Rshell C2 lineage and Tencent-like API impersonation.
read more →

Compromised node-ipc Releases Contain Stealer and Backdoor

⚠️ Researchers from Socket and StepSecurity warn that recently published versions of node-ipc (9.1.6, 9.2.3 and 12.0.1) contain an obfuscated stealer/backdoor triggered at runtime. The payload is appended as an IIFE to node-ipc.cjs, causing execution on every require('node-ipc') and avoiding npm lifecycle hooks. It fingerprints hosts, harvests up to 90 credential categories, compresses data, and exfiltrates via HTTPS to sh.azurestaticprovider[.]net and via DNS TXT records after overriding the resolver. The malicious builds were published by an unrelated maintainer account, prompting removal and secret rotation recommendations.
read more →

Kazuar: Anatomy of a Nation-State P2P Botnet Operations

🔍 Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.
read more →

UK Fines Water Supplier £963,900 After Data Breach

🔒 The ICO fined South Staffordshire Water Plc and parent South Staffordshire Plc £963,900 after a cyberattack that exposed the personal data of 663,887 customers and employees. The incident, traced back to September 2020 and active mainly between May and July 2022, began with a phishing intrusion that enabled malware to remain undetected for 20 months. The regulator identified multiple security failures, including insufficient privilege controls, monitoring that covered only about 5% of the IT estate, use of obsolete software and poor vulnerability and patch management.
read more →

Mass npm and PyPI Supply-Chain Compromise Targets TanStack

🛡️ The TeamPCP group compromised 170 npm and PyPI packages on May 11, rapidly spreading malicious code across ecosystems including the @tanstack router and Mistral AI SDKs. Attackers abused GitHub Actions' pull_request_target trigger to harvest OIDC tokens and inject the Mini Shai-Hulud malware, which steals credentials and carries a destructive dead-man’s switch. Security vendors detected the compromise quickly; affected users should check lockfiles, pin known-good versions, and rotate exposed credentials.
read more →

Android 17 Expands Banking Call and Theft Protections

🔒Android 17, rolling out next month, expands security and privacy features to combat device theft, enhance threat detection, and block banking scam calls. The OS will work with banking apps to verify caller authenticity via app-level queries and bank-provided number lists, and will automatically terminate suspected scam calls. Initial partners include Revolut, Itaú Unibanco, and Nubank, and Google plans support back to Android 11. The release also broadens Live Threat Detection, strengthens Advanced Protection, and adds biometric Mark as lost locking and other anti-theft measures.
read more →

TrickMo Variant Leverages TON for C2, Tunneling Capabilities

🔒A new TrickMo Android banking trojan variant, observed by ThreatFabric in January–February 2026, leverages the decentralized TON network for command-and-control communications and targets banking and cryptocurrency wallet users in France, Italy and Austria. The malware uses a runtime-loaded APK (dex.module) delivered via dropper apps and phasing websites, and embeds a native TON proxy to resolve .adnl endpoints. It adds network-oriented features — reconnaissance commands, SSH tunnelling and authenticated SOCKS5 proxying — enabling compromised devices to act as programmable network pivots and exit nodes.
read more →