< ciso
brief />
Tag Banner

All news with #malware tag

899 articles · page 9 of 45

ThreatsDay: SMS blaster busts and supply‑chain shocks

🔍 This ThreatsDay bulletin highlights a week of converging risks: Canadian authorities dismantled an SMS blaster operation that spoofed cellular towers, while a malicious npm brandsquat (published as tanstack) exfiltrated local .env files during install. Researchers also flagged networks of browser extensions legally selling browsing and viewing data, the first documented abuse of the Komari admin agent in intrusions, and mass exposure of RDP/VNC servers—underscoring the importance of basic hygiene, credential rotation, and coordinated defensive response.
read more →

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.
read more →

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.
read more →

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.
read more →

Popular WordPress Redirect Plugin Hid Dormant Backdoor

🛡️ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections on his Anchor hosting fleet led to a security alert; WordPress.org has temporarily pulled the plugin pending review. A tampered 5.2.3 build, delivered from an external anadnet[.]com server, added a passive backdoor that only triggers for logged-out users and appears to have been used for cloaked SEO spam. Impacted sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available.
read more →

Fake VS Code Extensions Linked to GlassWorm Surge Escalation

🛡️ Security researchers at Socket uncovered 73 additional fraudulent Open VSX extensions impersonating trusted developer tools; many now include benign code to evade scanners and later fetch a GlassWorm loader. The extensions act as thin loaders, sometimes bundling native binaries, and connect to newly created repositories to download malicious updates. Of the 73, small subsets were activated in staged waves; Socket notified the Eclipse Foundation, and most have been removed.
read more →

LofyGang Returns Targeting Minecraft with LofyStealer

🛡️ A Brazil-based cybercrime group known as LofyGang has resurfaced after more than three years, deploying a new infostealer called LofyStealer (aka GrabBot) that specifically targets Minecraft players. The malware is disguised as a game cheat called 'Slinky' and uses a JavaScript loader to drop and execute chromelevator.exe in memory to harvest browser data. It captures cookies, passwords, tokens, payment cards and IBANs across multiple browsers and exfiltrates them to a C2 at 24.152.36[.]241. ZenoX highlights a strategic shift to a malware-as-a-service model with free and premium tiers and warns that attackers are increasingly abusing GitHub, SEO-poisoned lures and other trusted platforms to distribute malicious payloads.
read more →

GlassWorm Returns via 73 OpenVSX Sleeper Extensions

🚨 A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 'sleeper' extensions that upload as benign clones of legitimate listings and later deliver malicious payloads via updates. Socket researchers say six extensions have already been activated to install malware, while the other packages are considered suspicious or dormant. The attackers use thin loaders that fetch secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript to retrieve and install payloads at runtime. Developers who installed any listed extensions should rotate all secrets and clean their development environments.
read more →

73 Fake VS Code Extensions Linked to GlassWorm Campaign

🔍 Cybersecurity researchers have flagged 73 cloned Microsoft Visual Studio Code extensions on the Open VSX repository tied to the persistent GlassWorm campaign. Six packages are confirmed malicious, while the remainder behave as sleeper implants that build trust until a subsequent update delivers a secondary payload hosted on GitHub. The extensions act as innocuous loaders that retrieve a VSIX payload and install it into all detected IDEs using --install-extension, enabling data theft, remote access trojans, and a rogue Chromium extension. Socket is tracking this activity as GlassWorm v2, with more than 320 artifacts identified since December 21, 2025.
read more →

Fake CAPTCHA IRSF Scam and Keitaro Abuse Findings Report

🔍 Cybersecurity researchers from Infoblox disclosed an international revenue‑share fraud campaign that uses multi‑step fake CAPTCHA pages to trick users into sending premium SMS messages. The scheme leverages traffic distribution systems and JavaScript back‑button hijacking to force multiple prefilled SMS sends to dozens of international numbers, with charges often appearing weeks later. Operators also repurpose Keitaro TDS instances and compromised licenses to scale cloaking, tracking, and delivery of scams and malware.
read more →

Researchers Uncover pre-Stuxnet Lua Sabotage Tool fast16

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.
read more →

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.
read more →

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.
read more →

Npm Supply-Chain Malware Uses Worm-Like Propagation

🐛Researchers from Socket have identified malicious npm packages that execute during installation to harvest credentials and developer artifacts, then attempt worm-like propagation across ecosystems. The payload targets cloud and CI/CD tokens, SSH keys, .npmrc files, browser profiles and crypto wallets, exfiltrating data via HTTPS webhooks and ICP endpoints. It attempts to republish compromised packages using stolen npm tokens and can also generate PyPI payloads via .pth injection. The campaign leverages blockchain-hosted canisters for C2 and remains under active investigation.
read more →

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant attributes a newly documented cluster, UNC6692, with social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family — including SNOWBELT, SNOWGLAZE, and SNOWBASIN — enabling credential theft, tunneling, lateral movement, and data exfiltration.
read more →

Tax Season Phishing Targets Individuals and Crypto Users

🛡️Scammers are creating convincing fake tax authority websites worldwide to harvest credentials, steal personal data, and distribute malware embedded in downloaded “documents.” These portals also run fraudulent paid services that collect taxpayer identifiers and financial details for later abuse. Cryptocurrency holders are specifically targeted with fake verification flows that request seed phrases or wallet connections, leading to immediate theft. Kaspersky cautions against using cloud-hosted AI for tax preparation and recommends sticking to verified official channels, encrypting sensitive files, and employing reputable security tools.
read more →

GopherWhisper APT Abuses Outlook, Slack, Discord in Attacks

🔐 A previously undocumented state-linked threat cluster dubbed GopherWhisper has been observed using a Go-based toolkit and legitimate services such as Microsoft 365 Outlook (via the Microsoft Graph API), Slack, and Discord to perform command-and-control and payload delivery. ESET identified the campaign targeting a Mongolian government entity and uncovered multiple backdoors — including LaxGopher, RatGopher, and BoxOfFriends — plus an exfiltration utility that uploads stolen archives to file.io. Analysts recovered thousands of Slack and Discord messages from attacker accounts, and telemetry including UTC+8 activity helped link the group to China.
read more →

GopherWhisper: China-aligned APT uses Go-based malware

🐿️ ESET researchers identified a previously undocumented China‑aligned APT group they named GopherWhisper, which targeted a Mongolian governmental entity and employed a broad toolkit of custom, mostly Go‑based malware. The group used injectors, loaders and multiple backdoors (notably LaxGopher, RatGopher and BoxOfFriends) and abused legitimate services—Slack, Discord, Microsoft 365 Outlook and file.io—for C&C and exfiltration. Recovery of attacker-operated Slack and Discord channels and Outlook draft messages provided extensive visibility into operator activity, development references and an operational cadence consistent with UTC+8.
read more →

Malicious KICS Docker Images and VS Code Extensions

⚠️ Cybersecurity researchers warn that unknown actors pushed malicious images to the official checkmarx/kics Docker Hub repository, overwriting tags and introducing a non-official release. Socket's analysis shows the bundled KICS binary was modified to collect, encrypt, and exfiltrate uncensored scan reports to an external endpoint, posing a high risk for IaC scans that may include credentials. Related Checkmarx Microsoft Visual Studio Code extensions (versions 1.17.0 and 1.19.0) were also found to contain code that downloads and runs a remote addon via the Bun runtime using a hardcoded GitHub URL without integrity checks. Organizations that used the affected images or extensions should assume exposed secrets are compromised and treat the event as a broader supply chain compromise.
read more →

Supply-Chain Worm Hijacks npm Packages to Steal Tokens

🔐 Researchers warn of a self-propagating supply-chain worm that infected multiple npm packages to harvest developer credentials and reuse stolen npm tokens to publish poisoned releases. Tracked as CanisterSprawl by Socket and StepSecurity, the campaign uses malicious postinstall hooks and exfiltrates data to both an HTTPS webhook and an ICP canister. The malware also includes PyPI propagation via a .pth payload that runs on interpreter start; JFrog reported compromised xinference Python packages with a Base64 second-stage collector. Recommended mitigations include restricting token scope, rotating and revoking exposed tokens, avoiding unsafe CI triggers like pull_request_target, and monitoring package publishes and postinstall behavior.
read more →