CISO Brief

All news with #malware tag

810 articles · page 9 of 41

Axios Supply Chain Attack Pushes Cross-Platform RAT

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.

RoadK1ll WebSocket Implant Enables Network Pivoting

🛡️ Blackpoint discovered a lightweight Node.js implant named RoadK1ll that uses an outbound WebSocket reverse tunnel to convert compromised hosts into relay points. It forwards TCP traffic on demand, supports multiple concurrent connections, and implements a small set of commands (CONNECT, DATA, CONNECTED, CLOSE, ERROR) to manage proxied sessions. RoadK1ll lacks traditional registry or scheduled-task persistence and runs only while its process remains active. Its stealthy outbound-only design helps attackers pivot to internal systems and bypass perimeter controls.

DeepLoad Loader Uses ClickFix Lure and WMI Persistence

🔒 ReliaQuest researchers detail a new malware loader, DeepLoad, distributed via a ClickFix social-engineering lure that tricks users into pasting PowerShell commands into the Windows Run dialog. The chain leverages mshta.exe to execute an obfuscated PowerShell loader that likely uses AI-assisted obfuscation and conceals its payload in a LockAppHost.exe process while disabling PowerShell history to reduce traces. DeepLoad compiles transient C# DLLs in Temp, uses APC injection to run shellcode in suspended trusted processes without writing decoded payloads to disk, steals browser credentials and sessions, drops a persistent malicious browser extension, copies itself to USB devices via deceptive shortcuts, and employs WMI event subscriptions to reinfect cleaned systems.

DeepLoad Malware Uses ClickFix and AI to Evade Detection

⚠️ DeepLoad is a newly detailed malware campaign combining the ClickFix social-engineering trick with AI-assisted code padding to hide credential-stealing payloads and evade file-based scanners. ReliaQuest, on March 30, warned the campaign targets enterprise accounts, hides inside the Windows lock screen process, and can persist via a WMI-based reactivation three days after removal. Researchers also observed USB propagation and recommend enabling PowerShell Script Block Logging, auditing WMI subscriptions, and changing affected user passwords.

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

Infinity Stealer targets macOS using ClickFix and Nuitka

⚠️ Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which boots a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒 eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

Suspected RedLine Infostealer Administrator Extradited

🔒 Hambardzum Minasyan, an Armenian national, was extradited to the United States and charged with helping administer the RedLine infostealer operation. U.S. prosecutors allege he registered virtual private servers, domains, a cryptocurrency account used for affiliate payments, and file-sharing repositories that distributed the malware. He is accused of managing command-and-control infrastructure, assisting affiliates, and conspiring to launder proceeds, and faces multiple federal counts with a potential prison term if convicted.

GitHub Phishing Uses Fake OpenClaw Tokens to Drain Wallets

🔒 Threat actors are exploiting interest in OpenClaw with a GitHub phishing campaign that lures developers with fake 'CLAW' token airdrops promising thousands of dollars. Attackers open issues, tag developers, and redirect victims to cloned sites that prompt users to connect their crypto wallets. Researchers at OX Security found obfuscated wallet-stealing code and a C2 server used to collect addresses and drain funds. Recommended actions include blocking the phishing domain and revoking suspicious wallet approvals.

WebRTC-based Payment Skimmer Bypasses CSP Protections

🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, effectively sidestepping Content Security Policy protections. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft.

Experts Warn of Browser Extensions Poaching AI Prompts

🛡️ Security researchers have warned of malicious Chrome extensions that silently monitor and exfiltrate users' AI chat content. According to Expel, extensions watch open tabs and capture prompts and responses via API interception or DOM scraping before sending the data to external servers. Attackers either impersonate popular tools or convert legitimate extensions into malicious ones after building a user base. Organisations are urged to block unvetted AI extensions and centrally manage and audit extension use.

Tax Search Ads Deliver ScreenConnect EDR Killer Campaign

⚠️ A large-scale malvertising campaign since January 2026 uses Google Ads to deliver rogue installers for ConnectWise ScreenConnect, ultimately installing a BYOVD EDR killer named HwAudKiller that disables security tools. The actor stacks commercial cloaking services (Adspect and JustCloakIt) and abuses a legitimately signed Huawei audio driver to terminate AV processes from kernel mode. Huntress observed over 60 malicious ScreenConnect sessions and multiple RMM backdoors, indicating pre-ransomware or initial access broker behavior.

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost campaign', that uses fabricated installation logs to conceal downloader behavior. Malicious packages impersonate legitimate installs—displaying fake dependency downloads, progress bars and random delays—and prompt users for their sudo password under false pretenses. That credential is then used to fetch and execute a final-stage remote access trojan capable of stealing crypto wallets and sensitive data; researchers advise verifying package authors, monitoring install scripts and avoiding sudo prompts during installs.

StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain called StoatWaffle that automatically executes when developers open and trust weaponized Visual Studio Code folders. The threat leverages a crafted .vscode/tasks.json with a runOn: folderOpen setting to trigger a Node.js-based loader, credential stealer and RAT without explicit user action. Operators attributed to WaterPlum are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.

FBI Links Handala Group to Targeted Spyware Campaign

🛡️ The FBI has attributed a sustained campaign of targeted malware and hack-and-leak operations to the Iranian-linked threat actor Handala, noting activity against dissidents, journalists and opposition groups dating to autumn 2023. The group claimed responsibility for a wiper attack on US medtech firm Stryker and used a multi-stage payload that disguises itself as legitimate Windows applications. Investigators observed social engineering lures, PowerShell-based evasion, and a Telegram-based command-and-control channel enabling remote access and data exfiltration, and urged standard hardening and reporting measures.

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.

CanisterWorm: npm Worm Spreads via Trivy Supply-Chain Attack

🛡️ The actors behind the Trivy supply-chain compromise are now suspected of seeding a self-propagating worm called CanisterWorm, which uses an ICP canister (Internet Computer blockchain smart contract) as a decentralized dead drop for command-and-control. The chain abuses an npm postinstall hook to drop a Python backdoor and establishes persistence via a masquerading systemd user service that restarts automatically. A new variant harvests local npm tokens during postinstall and launches an automated propagation routine, turning compromised developers and CI pipelines into unwitting distributors.

Apple Warns Older iPhones Vulnerable to Web Exploit Kits

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware via compromised sites. Apple says devices running the latest releases (iOS 15 through 26) are not affected, and has released targeted patches for legacy hardware. For devices that cannot be updated, Apple recommends specific interim updates and enabling Lockdown Mode to reduce exposure.