< ciso brief />

All news with #malware tag

810 articles · page 6 of 41

Nexcorium Mirai Variant Exploits DVR Command Injection

⚠️ Fortinet researchers observed a campaign exploiting a command injection flaw (CVE-2024-3721) in TBK DVR systems to deploy Nexcorium, a Mirai-based botnet with payloads for several CPU architectures. Attackers deliver a downloader via crafted HTTP requests; it retrieves ARM, MIPS and x86-64 payloads and executes them with elevated privileges. The malware uses an XOR-encoded configuration, embedded credential lists for brute-force access and multiple persistence mechanisms, and its network traffic carries a custom HTTP header referencing Nexus Team that may point to the actor.

Supply Chain Compromise Affects Axios npm Packages

⚠️ CISA alerts organizations to a software supply chain compromise impacting the Axios npm package. On March 31, 2026, axios@1.14.1 and axios@0.30.4 introduced a malicious dependency plain-crypto-js@4.2.1 that fetches multi-stage payloads, including a remote access trojan. The agency recommends detection and remediation steps such as downgrading to axios@1.14.0 or axios@0.30.3, removing node_modules/plain-crypto-js/, rotating exposed credentials, hardening npm configuration (set ignore-scripts=true and min-release-age=7), and conducting EDR hunts and network monitoring to confirm no remaining indicators of compromise.
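To make the detection step concrete, here is an added example (not CISA's guidance text or the Axios project's code) that scans a package-lock.json for the two compromised axios releases and for any plain-crypto-js entry, then lists the remediation commands the advisory describes. The lockfile fragment embedded in it is constructed; the version numbers come from the item above.

```python
"""Added example, not CISA's or the Axios project's code: scan a
package-lock.json for the compromised axios releases and for plain-crypto-js,
then list the remediation CISA recommends. The lockfile below is constructed."""
import json

COMPROMISED = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": {"4.2.1"}}
SUSPICIOUS_NAMES = {"plain-crypto-js"}  # no legitimate axios release depended on it
SAFE_DOWNGRADE = {"1.14.1": "1.14.0", "0.30.4": "0.30.3"}


def iter_lock_packages(lock):
    """Yield (name, version) from a lockfileVersion 2/3 'packages' map and from a
    v1-style nested 'dependencies' tree (v2 files carry both)."""
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself
            continue
        yield meta.get("name") or path.split("node_modules/")[-1], meta.get("version", "")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_indicators(lock):
    """Return sorted, de-duplicated (name, version, reason) hits."""
    hits = set()
    for name, version in iter_lock_packages(lock):
        if version in COMPROMISED.get(name, ()):
            hits.add((name, version, "compromised release"))
        elif name in SUSPICIOUS_NAMES:
            hits.add((name, version, "unexpected dependency"))
    return sorted(hits)


def remediation(hits):
    """Commands matching the advisory: pin a clean axios, drop the dependency, harden npm."""
    steps = []
    for name, version, _ in hits:
        if name == "axios":
            steps.append(f"npm install --save-exact axios@{SAFE_DOWNGRADE[version]}")
        elif name == "plain-crypto-js":
            steps.append("rm -rf node_modules/plain-crypto-js/")
    steps += ["echo 'ignore-scripts=true' >> .npmrc",
              "echo 'min-release-age=7' >> .npmrc",
              "rotate any credentials the affected hosts could reach"]
    return steps


def load_lock(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed lockfile fragment mimicking a project that picked up the bad release.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"follow-redirects": "^1.15.6",
                                                "plain-crypto-js": "4.2.1"}},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
}

if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOCK)
    for hit in found:
        print("%s@%s: %s" % hit)
    for step in remediation(found):
        print("  ->", step)
```

Run it against a real lockfile with `find_indicators(load_lock("package-lock.json"))`. Two caveats: `ignore-scripts=true` also disables legitimate install scripts, so packages that rely on them (native builds, for instance) need an explicit `npm rebuild`; and a clean lockfile does not clear a host where the malicious package already ran, so the credential rotation and EDR hunt in the advisory still apply.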

ZionSiphon Malware Hits Israeli Water and Desalination

🚨 Darktrace researchers disclosed ZionSiphon, a newly observed malware family tailored to Israeli water treatment and desalination systems. The June 29, 2025 sample establishes persistence, escalates privileges, propagates via removable media, and scans local subnets for OT services, probing Modbus, DNP3 and S7comm devices. It contains routines to alter chlorine dosing and pressure parameters but appears unfinished or misconfigured; non-target hosts trigger a self-destruct sequence.

Mirai Variant 'Nexcorium' Exploits TBK DVR, TP‑Link Flaws

🔒 Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report that threat actors are exploiting a command injection flaw, CVE-2024-3721, in TBK DVR devices to deliver a Mirai-family loader tracked as Nexcorium. The loader installs architecture-specific binaries, establishes persistence via crontab and systemd, and uses hard-coded credential lists plus an exploit for CVE-2017-17215 to spread to Huawei HG532 devices. Unit 42 also observed automated scans targeting EoL TP-Link routers via CVE-2023-33538, though initial attempts were flawed and did not achieve compromise. Researchers warn that unpatched, unsupported IoT devices and default credentials continue to enable large-scale DDoS botnets and recommend replacing EoL hardware and removing default passwords.

ZionSiphon OT Malware Targets Water Treatment Systems

💧 Researchers at Darktrace identified ZionSiphon, a new operational technology malware engineered to sabotage water treatment and desalination environments. The sample includes routines to increase chlorine dosing, force valves open, and raise RO pressure by appending fixed configuration entries, and it propagates via USB as a hidden svchost.exe. A faulty IP verification routine currently prevents activation, but attackers could correct the logic to enable dangerous OT manipulation.

PowMix botnet targets Czech workers with randomized C2

🔒 Cisco Talos researchers disclosed a previously undocumented botnet named PowMix that has been active against workers in the Czech Republic since at least December 2025. The campaign uses malicious ZIP attachments containing a Windows LNK that launches a PowerShell loader to extract and run the malware in memory while opening decoy compliance-themed documents. PowMix establishes persistence via a scheduled task, verifies process trees to avoid duplicate instances, and uses randomized beaconing intervals and REST-like C2 URL paths that embed encrypted heartbeat data and unique victim identifiers to evade network detections. The bot supports remote code execution, dynamic C2 migration, and self-deletion commands.

APK Malformation Used as Android Malware Evasion Tactic

⚠️ Cleafy researchers report that attackers are deliberately creating malformed Android packages to evade static analysis, with over 3,000 affected samples across families such as Teabot, TrickMo, Godfather and SpyNote. The technique exploits inconsistencies between ZIP Local File Headers and the Central Directory so that tools like JADX crash while the Android installer still accepts and runs the app. Observed tactics include directory-file name collisions, unsupported compression methods, corrupted AndroidManifest.xml entries and non-ASCII filenames in assets that confound decompilers. To counter this, Cleafy published Malfixer, an open-source Python utility that detects and repairs malformed APKs for conventional reverse engineering workflows.
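The header inconsistency Cleafy describes is straightforward to reproduce and to detect. The following is an added example, not Malfixer or any Cleafy code: it builds a small APK-like archive whose Central Directory and Local File Headers disagree, then audits an archive by walking both structures and reporting mismatched names, unsupported or inconsistent compression methods, directory/file name collisions and non-ASCII names under assets/. It reports only disagreement between the two views; which view Android or a given decompiler trusts is not assumed. The sample archive is constructed in memory.

```python
"""Added example (not Cleafy's Malfixer): compare each Central Directory record
of an APK against the Local File Header it points to and report the
inconsistencies described above. Only disagreement between the two views is
flagged; nothing here assumes which view a given parser trusts."""
import io
import struct
import zipfile
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LFH = struct.Struct("<IHHHHHIIIHH")        # local file header, 30 bytes
CDH = struct.Struct("<IHHHHHHIIIHHHHHII")  # central directory header, 46 bytes
EOCD = struct.Struct("<IHHHHIIH")          # end of central directory, 22 bytes
SUPPORTED_METHODS = {0, 8}  # stored and deflate; anything else is suspect in an APK

def build_zip(entries, cd_tamper=None):
    """Write a stored ZIP from [(name, bytes)]. `cd_tamper` maps a name to
    {"name": ..., "method": ...} overrides applied to the Central Directory only."""
    cd_tamper = cd_tamper or {}
    out, cd = bytearray(), bytearray()
    for name, data in entries:
        raw, crc, offset = name.encode("utf-8"), zlib.crc32(data), len(out)
        out += LFH.pack(LFH_SIG, 20, 0x800, 0, 0, 0, crc, len(data), len(data), len(raw), 0)
        out += raw + data
        tamper = cd_tamper.get(name, {})
        cd_raw = tamper.get("name", name).encode("utf-8")
        cd += CDH.pack(CDH_SIG, 20, 20, 0x800, tamper.get("method", 0), 0, 0, crc,
                       len(data), len(data), len(cd_raw), 0, 0, 0, 0, 0, offset) + cd_raw
    cd_offset = len(out)
    out += cd + EOCD.pack(EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), cd_offset, 0)
    return bytes(out)

def central_directory(data):
    """Walk the Central Directory the way most ZIP readers do."""
    eocd = EOCD.unpack_from(data, data.rfind(EOCD_SIG.to_bytes(4, "little")))
    count, pos, records = eocd[4], eocd[6], []
    for _ in range(count):
        f = CDH.unpack_from(data, pos)
        name = data[pos + CDH.size:pos + CDH.size + f[10]]
        records.append({"name": name, "method": f[4], "lfh_offset": f[16]})
        pos += CDH.size + f[10] + f[11] + f[12]  # name, extra, comment lengths
    return records

def local_header(data, offset):
    """Parse the Local File Header at `offset`; None if no valid header is there."""
    if offset + LFH.size > len(data) or LFH.unpack_from(data, offset)[0] != LFH_SIG:
        return None
    f = LFH.unpack_from(data, offset)
    return {"name": data[offset + LFH.size:offset + LFH.size + f[9]], "method": f[3]}

def audit_zip(data):
    """Human-readable findings; an empty list means both views agree."""
    findings, names = [], set()
    for rec in central_directory(data):
        cd_name = rec["name"].decode("utf-8", "replace")
        names.add(cd_name)
        lfh = local_header(data, rec["lfh_offset"])
        if lfh is None:
            findings.append(f"{cd_name}: Central Directory points at no Local File Header")
            continue
        if lfh["name"] != rec["name"]:
            findings.append(f"{cd_name}: Local File Header names it "
                            f"{lfh['name'].decode('utf-8', 'replace')!r}")
        if rec["method"] != lfh["method"] or rec["method"] not in SUPPORTED_METHODS:
            findings.append(f"{cd_name}: compression method {rec['method']} in Central "
                            f"Directory, {lfh['method']} in Local File Header")
        if cd_name.startswith("assets/") and not cd_name.isascii():
            findings.append(f"{cd_name}: non-ASCII file name under assets/")
    for name in sorted(names):  # directory/file name collision across entries
        if not name.endswith("/") and any(o.startswith(name + "/") for o in names):
            findings.append(f"{name}: used both as a file and as a directory prefix")
    return findings

def stdlib_names(data):
    """What a Central-Directory-trusting reader (Python's zipfile) believes is inside."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

# Constructed samples: a clean archive and one carrying each malformation above.
CLEAN_APK = build_zip([("AndroidManifest.xml", b"<manifest/>"),
                       ("classes.dex", b"dex\n035\x00"),
                       ("assets/config.json", b"{}")])
MALFORMED_APK = build_zip(
    [("AndroidManifest.xml", b"<manifest/>"),
     ("classes.dex", b"dex\n035\x00"),
     ("classes.dex/payload", b"collision"),      # directory/file name collision
     ("assets/\u00e9\u00e9.bin", b"\x00"),       # non-ASCII asset name
     ("resources.arsc", b"\x02\x00\x0c\x00")],
    cd_tamper={"AndroidManifest.xml": {"method": 99},          # unsupported method, one view only
               "resources.arsc": {"name": "res0urces.arsc"}},  # name disagrees between views
)

if __name__ == "__main__":
    for finding in audit_zip(MALFORMED_APK):
        print(finding)
```

Run `audit_zip(open("sample.apk", "rb").read())` on a real file; `stdlib_names` shows what a Central-Directory-based reader believes the archive contains, a useful baseline before any repair. The example stops at detection on purpose: rewriting one view to match the other changes which bytes an analyst ends up looking at, so that choice belongs to the analyst rather than the scanner.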

Obsidian Plugin Abuse Delivers PHANTOMPULSE Remote RAT

🛡️ A social engineering campaign abused the Obsidian note-taking app to deliver a previously undocumented Windows remote access trojan dubbed PHANTOMPULSE. Elastic Security Labs tracks the activity as REF6598 and reports that attackers approached financial and cryptocurrency professionals via LinkedIn and Telegram before asking them to open a cloud-hosted Obsidian vault. Once victims were persuaded to enable syncing of installed community plugins, the actors used the legitimate Shell Commands and Hider plugins to execute commands from malicious JSON configuration and launch signed Electron-based loaders that handed off execution to the RAT. The campaign underscores how trusted applications paired with targeted social engineering serve as an initial access vector.

PowMix PowerShell Botnet Targets Czech Workforce Campaign

🔍 Cisco Talos identified an active PowerShell-based botnet dubbed PowMix, operating since at least December 2025 and targeting organizations and job applicants in the Czech Republic. The campaign deploys phishing ZIP archives containing LNK shortcuts that launch an obfuscated PowerShell loader which bypasses AMSI and executes a decrypted payload in memory. Talos observed tactical overlap with ZipLine and published IOCs and detection guidance.

UAC-0247 Campaign Targets Ukrainian Clinics, Hospitals

🛡️ CERT-UA has disclosed a campaign by the cluster it tracks as UAC-0247 that, between March and April 2026, targeted government and municipal healthcare organizations, primarily clinics and emergency hospitals, to deliver credential-stealing malware. Attacks begin with spear-phishing links to compromised or AI-generated sites that drop a Windows shortcut (LNK); the LNK runs an HTA via mshta.exe, which loads multi-stage loaders and payloads such as RAVENSHELL, AGINGFLY and the PowerShell-based SILENTLOOP. The intrusions enable reconnaissance, lateral movement and theft of data from Chromium-based browsers and WhatsApp. CERT-UA advises restricting execution of LNK, HTA and JS files, limiting use of the abused utilities, and blocking suspicious connections.

AgingFly malware targets Ukrainian government and hospitals

⚠️ AgingFly is a newly observed C# remote-access malware used in targeted attacks against Ukrainian local governments, hospitals, and potentially Defense Forces that steals authentication data from Chromium-based browsers and WhatsApp for Windows. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.

EssentialPlugin WordPress Suite Compromised, Malware Push

🔐 More than 30 plugins in the EssentialPlugin package were found to contain a backdoor that grants unauthorized access to sites. The malicious code was introduced after the project's acquisition in August 2025 but remained dormant until recently, when updates delivered a downloader that injects malware into wp-config.php. The payload selectively displayed spam to Googlebot and used an Ethereum-based C2 for evasion. WordPress.org closed the affected plugins and issued a forced update, though configuration files may still be infected.

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.

108 Malicious Chrome Extensions Target Google, Telegram

🔒 Researchers at Socket uncovered 108 malicious Google Chrome extensions that collectively amassed about 20,000 installs and reported to a single command-and-control server. Published under five publisher identities, the add-ons posed as games, Telegram sidebars, and enhancement tools while exfiltrating Google account data, hijacking Telegram Web sessions, opening arbitrary URLs, and injecting ads and scripts. Some source files contained Russian-language comments; attribution remains unconfirmed. Users should remove any identified extensions and log out of Telegram Web sessions immediately.

n8n Abuse: Threat Actors Weaponize AI Workflow Platforms

⚠️ Cisco Talos details how attackers are misusing the AI workflow automation platform n8n to run sophisticated phishing and malware campaigns. Between October 2025 and March 2026, researchers observed a sharp increase in emails containing n8n webhook URLs that serve dynamic HTML payloads and CAPTCHA-protected bait to initiate downloads. These flows mask malicious payloads behind trusted domains and have been used to deploy modified RMM tools and to fingerprint recipients. Talos urges behavioral detection, IOC sharing, and AI-enhanced email defenses to mitigate this abuse.

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.
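As an added example (not Socket's tooling), the script below reads the JSON Chrome keeps in a profile's Preferences or Secure Preferences file, lists every installed extension recorded under extensions.settings, and flags IDs that appear on an indicator list. The profile document and the IOC IDs in it are constructed placeholders, not the IDs Socket published; substitute those before use.

```python
"""Added example, not Socket's tooling: inventory the extensions recorded in a
Chrome profile's Preferences (or Secure Preferences) JSON and flag IDs found on a
published indicator list. The profile document and IOC IDs are placeholders."""
import json
import string

ID_ALPHABET = frozenset(string.ascii_lowercase[:16])  # Web Store IDs: 32 chars from a-p


def is_extension_id(value):
    """True for a well-formed Chrome extension ID (32 characters, a-p only)."""
    return len(value) == 32 and set(value) <= ID_ALPHABET


def inventory(prefs):
    """One record per installed extension under extensions.settings."""
    records = []
    for ext_id, meta in prefs.get("extensions", {}).get("settings", {}).items():
        if not is_extension_id(ext_id):
            continue  # skip keys under the same object that are not extension IDs
        manifest = meta.get("manifest", {})
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "from_webstore": bool(meta.get("from_webstore", False)),
            "path": meta.get("path", ""),
        })
    return records


def match_iocs(records, ioc_ids):
    """Records whose ID is on the indicator list."""
    return [r for r in records if r["id"] in ioc_ids]


def load_prefs(path):
    """Load a Chrome 'Preferences' or 'Secure Preferences' file from a profile directory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile: one extension on the placeholder IOC list, one not,
# and one key that is not an extension ID at all.
IOC_IDS = {"abcdefghijklmnopabcdefghijklmnop"}  # placeholder, not a real Socket IOC
SAMPLE_PREFS = {"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "path": "abcdefghijklmnopabcdefghijklmnop\\1.4.2_0",
        "manifest": {"name": "Sidebar Helper (constructed)", "version": "1.4.2"}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": True, "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\2.0.1_0",
        "manifest": {"name": "Notes (constructed)", "version": "2.0.1"}},
    "component_updater": {"manifest": {"name": "not an extension"}},
}}}

if __name__ == "__main__":
    for rec in match_iocs(inventory(SAMPLE_PREFS), IOC_IDS):
        print(f"IOC match: {rec['id']} {rec['name']} {rec['version']}")
```

Chrome extension IDs are 32 characters drawn from a to p, which is what `is_extension_id` checks so that unrelated keys under the same object are skipped. A record with `from_webstore` false, or a `path` that is absolute rather than relative to the profile's Extensions folder, points to a sideloaded or unpacked extension and deserves a look even when it matches no IOC. Removing an extension does not invalidate a session it already hijacked, so log out of Telegram Web and review Google account activity as the item advises.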

Fake Ledger Live macOS App Stole $9.5M in Crypto from Users

🔒 A malicious macOS app impersonating Ledger Live on the Apple App Store drained approximately $9.5 million in cryptocurrency from 50 users after they were tricked into entering their seed/recovery phrases. Blockchain investigator ZachXBT traced funds moved across multiple chains (Bitcoin, Ethereum, Tron, Solana, Ripple) and funneled through more than 150 deposit addresses tied to a centralized mixer called "AudiA6" on KuCoin. Apple removed the fraudulent app after multiple reports, and KuCoin says it has frozen the implicated accounts pending further action. Ledger provides a Mac app on its website but not through the App Store; users are urged to download only from official vendor channels.

AI-Powered Pushpaganda Scam Hijacks Google Discover

🔔 Researchers uncovered 'Pushpaganda', an ad fraud campaign that uses search engine poisoning and AI-generated content to surface deceptive stories in Google Discover and trick Android and Chrome users into enabling persistent browser notifications. Once enabled, the alerts deliver scareware-style legal threats and redirect victims through actor-controlled domains that generate illicit ad revenue and funnel users to financial scams. HUMAN's findings link the operation to hundreds of domains and hundreds of millions of bid requests, and Google has deployed a fix.

Campaign of 108 Malicious Chrome Extensions Exposes Data

🚨 Research by Socket uncovered a coordinated campaign of 108 malicious Chrome extensions affecting about 20,000 users. Spread across gaming, social media and translation categories, the extensions appear legitimate while quietly harvesting sensitive data, including Google profiles and active web sessions. The operators used a single command-and-control infrastructure and shared code, which complicates detection and points to a Malware-as-a-Service model.