CISO Brief

All news with #malware tag

810 articles · page 8 of 41

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.

GitHub Used as Covert Channel in Multi-Stage Malware

🔒 A multi-stage malware campaign leveraging GitHub as a covert C2 channel has been observed targeting users in South Korea, according to an advisory from Fortinet. Attackers distribute malicious .LNK shortcut files that drop decoy PDFs while executing obfuscated PowerShell and VBScript payloads silently in the background. Recent variants embed decoding routines directly within LNK arguments, remove identifying metadata, and exfiltrate system information and logs to GitHub repositories using hardcoded tokens. The campaign exemplifies modern living-off-the-land tactics that abuse legitimate Windows utilities and developer infrastructure to evade detection.

REF1695: Fake Installers Deliver RATs and Miners Campaign

🔍 Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023, that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.

CrystalRAT malware adds RAT, stealer, and prankware features

🔒 A new malware-as-a-service called CrystalRAT (also marketed as CrystalX) has been active since January and is being promoted on Telegram and a dedicated YouTube channel, offering remote access, data theft, keylogging, clipboard hijacking and an extensive set of prankware functions. Kaspersky researchers found strong similarities to WebRAT (Salat Stealer), noting a Go-based codebase, matching panel design and a bot-driven sales system; the kit includes a builder, geoblocking, executable customization and anti-analysis protections. Payloads are zlib-compressed and ChaCha20-encrypted, connect to C2 over WebSocket, and the RAT supports CMD execution, VNC-backed remote control, audio/video capture, streaming keylogging and a clipboard clipper; the infostealer component targeting Chromium-based browsers and desktop apps is currently being upgraded. Users should avoid untrusted downloads and apply standard endpoint protections to reduce infection risk.

Mitigating the Axios npm Supply Chain Compromise Guidance

⚠️ On March 31, 2026, Microsoft identified two malicious npm releases of Axios (1.14.1 and 0.30.4) that introduced a trojan via a fake dependency, plain-crypto-js@4.2.1, which executes in a post-install hook to fetch platform-specific RAT payloads. Microsoft attributes the infrastructure and compromise to Sapphire Sleet. Immediate controls include reverting to safe Axios versions, pinning dependencies, rotating secrets, and using Microsoft Defender protections.

Axios npm Supply Chain Attack Injects Cross-Platform RAT

⚠ A compromised npm maintainer account led to malicious Axios releases (v1.14.1 and v0.30.4) that introduced a hidden dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan (RAT). The postinstall lifecycle script executed a heavily obfuscated Node.js dropper that retrieved platform-specific payloads from a C2 at sfrclak[.]com:8000. Payloads for macOS, Windows and Linux implement a unified RAT protocol with 60-second beacons and capabilities to run commands, inject binaries and remove themselves. Unit 42 recommends immediate isolation, rebuilds from known-good images, credential rotation, dependency pinning and network egress blocking to the C2.

NoVoice Android Malware on Google Play Infects Millions

📱 Researchers at McAfee uncovered NoVoice, an Android rootkit hidden in more than 50 Google Play apps that were downloaded at least 2.3 million times. The apps requested no suspicious permissions and used steganography to hide an encrypted APK payload that exploits historically patched kernel and driver vulnerabilities to gain root. Once rooted, the implant replaces system libraries, disables SELinux, and installs persistent recovery scripts and a watchdog so the rootkit survives factory resets. McAfee reported the apps and Google removed them, but previously infected devices should be considered compromised.

CrystalX RAT: Prankware MaaS with Full Spy Tools and Theft

🛡️ Kaspersky researchers discovered CrystalX, a subscription-based Remote Access Trojan promoted on Telegram and YouTube that mixes disruptive "prank" capabilities with robust theft and surveillance features. The Trojan can rotate screens, swap mouse buttons, block keyboard input, display arbitrary messages, and disable system utilities, while also stealing credentials, hijacking clipboards to redirect crypto, logging keystrokes, and accessing screen, camera and microphone. Builds are uniquely encrypted per customer and include anti-analysis checks, which complicates detection; Kaspersky products detect and neutralize the threat. Users should avoid pirated software, be cautious with messaging attachments, enable 2FA, keep systems updated, and run reputable security solutions.

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active, the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password-protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email-hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.

Microsoft Warns: WhatsApp-Delivered VBS Campaign Surfaces

⚠️ Microsoft has warned of a late-February 2026 campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files which trigger a multi-stage infection chain. According to Microsoft Defender, the scripts create hidden folders under C:\ProgramData, drop renamed Windows utilities (for example, curl.exe as netapi.dll and bitsadmin.exe as sc.exe), and retrieve secondary payloads from trusted cloud providers. Attackers then attempt UAC tampering, modify registry entries, and install unsigned MSI packages to secure persistence and remote access, with some installers deploying legitimate remote-access tools.

WhatsApp VBS Malware Campaign Delivers MSI Backdoors

🛡️ Microsoft warns of a WhatsApp-distributed malware campaign that uses malicious Visual Basic Script (VBS) files to gain persistence and remote access on Windows systems. The VBS scripts perform delayed, multi-stage execution and deploy renamed legitimate utilities (for example, curl.exe and bitsadmin.exe) under misleading filenames to blend in. Payloads are hosted on reputable cloud providers and culminate in installing malicious Microsoft Installer (MSI) packages that act as backdoors. Microsoft recommends monitoring script and installer execution and watching for misuse of trusted system tools.

STARDUST CHOLLIMA Likely Compromises Axios npm Package

🔒 On March 31, 2026, threat actors used stolen maintainer credentials to compromise the widely used Axios npm package and distribute platform-specific variants of the ZshBucket implant. Observed samples target Linux, macOS and Windows and retain prior profiling and exfiltration behavior while adding a common JSON messaging protocol. The updated implants support binary injection, arbitrary script execution, file system enumeration and remote termination. CrowdStrike attributes the activity to STARDUST CHOLLIMA with moderate confidence based on ZshBucket linkage and infrastructure overlaps.

Axios supply-chain compromise adds malicious dependency

⚠️ Google Threat Intelligence Group (GTIG) observed a supply-chain attack on 2026-03-31 where attackers introduced a malicious dependency, plain-crypto-js, into legitimate axios releases (1.14.1 and 0.30.4). The package contains an obfuscated Node.js dropper (SILKBELL) that installs the multi-platform WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. GTIG attributes the activity to UNC1069 and publishes IOCs and remediation steps for affected developers and organizations.

Axios npm Account Compromised to Deliver Cross-Platform RATs

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.

TrueConf Update Zero-Day Used to Deliver Malware at Scale

🛠️ Check Point Research identified a zero-day (CVE-2026-3502, CVSS 7.8) in the TrueConf client update mechanism that was abused to deliver malware via legitimate software updates. Exploitation was observed in the wild targeting government entities in Southeast Asia and required no phishing or prior compromise. The attack chain culminated with deployment of Havoc, a powerful post-exploitation framework, and the vendor released a remediation after disclosure.