< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 8 of 45

VoidStealer Bypasses Chrome App-Bound Encryption Exploit

🔓 Researchers found that a new infostealer, VoidStealer, can bypass Chrome’s App-Bound Encryption by attaching to the browser process as a debugger and setting breakpoints at decryption routines. At the moment the browser decrypts data, the malware reads the master key directly from memory, enabling theft of session cookies and other secrets. The technique affects other Chromium-based browsers and is available as malware-as-a-service, increasing its reach. Users should combine secure practices and endpoint defenses rather than rely solely on built-in protections.
read more →

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro’s analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP, and HTTPS (with TLS for TCP and HTTPS) and Trend Micro has published IOCs while applying protections for Trend Vision One customers.
read more →

Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.
read more →

Forced-Momentum Autodownload Phishing via Cloud Links

📎 Modern phishing now prioritizes speed over persuasion. By forcing immediate downloads via trusted cloud providers (for example Dropbox?s dl=1), attackers remove the preview step and exploit double extensions and hidden OS behavior to disguise executables. Cortex Email Security applies deep static analysis, behavioral signals, and LLM-based intent classification to detect forced-download parameters, identity-bound cloaking, and rotating social-engineering lures before they reach endpoints.
read more →

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.
read more →

Supply-Chain Attack Compromises DAEMON Tools Installers

🛡️ Kaspersky has identified a supply-chain compromise that trojanized installers for DAEMON Tools, distributed from the vendor’s official site and signed with developer certificates. The affected builds (12.5.0.2421–12.5.0.2434) have been backdoored since April 8, 2026, with three core binaries modified to deploy an implant. The implant contacts an observed C2 domain (env-check.daemontools.cc) to receive shell commands that download and execute follow-on payloads, including a .NET collector and a loader/backdoor pair. Kaspersky observed thousands of initial infection attempts worldwide while more advanced payloads were selectively delivered to a small number of targets in Russia, Belarus, and Thailand; AVB Disc Soft has been notified.
read more →

North Korean APT Trojanizes Yanbian Gaming Platform

🔎 A North Korea-aligned espionage group has trojanized Windows and Android clients on a regional Yanbian gaming site, according to ESET. The campaign, attributed to ScarCruft (APT37), delivered an Android port of the BirdCall backdoor (internally named zhuagou) and a trojanized mono.dll on Windows to deploy RokRAT and BirdCall. The malware harvests contacts, SMS, files, screenshots and audio, and routes command-and-control through cloud storage accounts.
read more →

Supply Chain Attack via DAEMON Tools Compromises Installers

⚠️ Kaspersky researchers discovered a large-scale supply chain attack that trojanized DAEMON Tools installers; the malicious executables are signed with a valid AVB Disc Soft digital signature and have been distributed since April 8, 2026. Once installed the malware runs at startup, collects system and network information, and contacts a command-and-control server that can deliver additional payloads. In some cases attackers deployed a backdoor and a more advanced implant, QUIC RAT, capable of in-memory execution and process injection; users should audit systems and use reliable security solutions.
read more →

Malware Abuses Microsoft Phone Link to Steal SMS OTPs

🔒 Cisco Talos has identified a stealthy campaign using a CloudZ remote access trojan and a custom Pheno plugin to siphon SMS one‑time passwords and other sensitive mobile data mirrored via Microsoft Phone Link on Windows endpoints. Rather than compromising phones, attackers exploit the PC‑to‑phone trust relationship to access the Phone Link SQLite data stored locally. The malware establishes persistence, performs anti‑analysis checks, fetches plugin modules, and monitors active Phone Link processes to capture OTPs and notifications. Talos published detection signatures, hashes, C2 indicators and Snort rules; attribution is unconfirmed.
read more →

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.
read more →

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.
read more →

PyTorch Lightning PyPI Release Backdoored with Stealer

⚠️A malicious PyTorch Lightning package (lightning==2.6.3) published to PyPI contained a hidden execution chain that triggers on import and silently spawns a background process. That process downloads the Bun JavaScript runtime (v1.3.13) and runs an 11.4 MB heavily obfuscated payload detected by Microsoft Defender as ShaiWorm. The payload steals .env files, API keys, GitHub tokens, and credentials from Chrome, Firefox, and Brave, and can query cloud APIs; Lightning AI reverted PyPI to 2.6.1 and urges immediate rotation of secrets.
read more →

Global Crackdown: 276 Arrested, $701M Seized, 9 Centers

🔒 A coordinated international operation led by Dubai Police alongside the FBI and China's Ministry of Public Security arrested 276 suspects, shut nine crypto scam centers, and restrained more than $701 million in cryptocurrency tied to investment fraud. The schemes employed pig butchering and romance-baiting lures and relied on trafficked workers forced to run scam compounds. Authorities seized hundreds of fraudulent domains and a Telegram recruitment channel, sanctioned Cambodian actors, flagged an Android Malware-as-a-Service, and credited Operation Level Up with notifying nearly 9,000 victims and saving about $562 million.
read more →

What Is a Botnet? Risks, Architecture, and Defenses

🤖 A botnet is a network of compromised internet-connected devices controlled by attackers to perform coordinated criminal tasks such as DDoS, spam, crypto-mining, or malware distribution. Modern botnets use distributed architectures — from centralized command-and-control servers to peer-to-peer propagation — and often hide control traffic via IRC, HTTP, Telnet, or even public platforms. Defenders combine user training, patching, IoT hardening, antivirus, traffic filtering and CDN services with threat hunting methods like flow analysis and malware reverse-engineering.
read more →

Telegram Mini Apps Abused for Crypto Scams, Malware

⚠️ Researchers uncovered a large-scale fraud operation leveraging Telegram Mini Apps to run crypto scams and distribute Android malware. The infrastructure, identified by the FEMITBOT API string, uses Telegram bots to launch embedded Mini Apps that present phishing pages inside the app's WebView and impersonate well-known brands. Campaigns display fake dashboards, countdowns, and withdrawal prompts that demand deposits or referrals, and some prompt users to download APKs hosted on the same domains to avoid mixed-content warnings; Android users should not sideload APKs and should be cautious with bots asking for funds or app installs.
read more →

Poisoned Ruby Gems and Go Modules Target Developers

🔒 A new supply chain campaign used sleeper Ruby gems and Go modules published by BufferZoneCorp to deploy post-install payloads that harvest credentials and establish persistence. The malicious Ruby packages exfiltrated environment variables, SSH keys, AWS secrets, .npmrc/.netrc files and developer configuration during install. The Go modules tampered with GitHub Actions by installing fake go wrappers, intercepting builds, and adding a hard-coded SSH key to ~/.ssh/authorized_keys. Users should remove affected packages, rotate exposed credentials, and inspect systems and CI runners for unauthorized SSH entries and outbound connections.
read more →

High-Risk GenAI Browser Extensions Targeting Users

🛡️ Unit 42 identified 18 malicious browser extensions posing as GenAI productivity tools that deliver RATs, infostealers and MitM capabilities. These extensions intercept prompts, exfiltrate credentials and proxy HTTPS responses, often using AI-generated code to accelerate development. Organizations should restrict extensions, scrutinize permissions and treat browsers as critical attack surfaces. Google removed or warned developers after disclosure.
read more →

Three Arrested Over Hacking of 610,000 Roblox Accounts

🔒 Ukrainian authorities have arrested three suspects accused of compromising more than 610,000 accounts on the online gaming platform Roblox. Investigators say the group used social engineering lures that delivered infostealer malware to harvest usernames, passwords and authentication tokens, then assessed accounts for rare items and Robux. At least 357 high‑value accounts were identified and sold on Russian websites for cryptocurrency, reportedly generating over $225,000. Searches at ten properties recovered computers, storage devices, mobile phones, bank cards, handwritten notes and cash; analysis is ongoing and the suspects face up to 15 years if convicted.
read more →

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.
read more →