Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Infostealer. Show all posts
Stolen Credentials
Cyber Crime Data Theft Infostealer Russian Market Stolen Credentials

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed as one of the most popular places for purchasing and selling credentials stolen by info stealer malware. Although the marketplace has been functioning for almost six years and has grown in popularity by 2022, ReliaQuest believes that the Russian market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on the Russian market to chart the growth and decrease in popularity of specific info theft malware. Until recently, Lumma stole the majority of logs, accounting for 92% of all credentials sold on the Russian market. 

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuests reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's elimination. Acreed's rapid rise in the Russian market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz. 

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.
Read more »
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
Microsoft
Infostealer Lumma Stealer Malicious Campaign malware Microsoft

Microsoft Uncover Password Stealer Malware on 4 lakh Windows PCs

 

Microsoft's Digital Crimes Unit (DCU) and global partners have halted Lumma Stealer, one of cybercriminals' most common info-stealing malware tools. On May 13, Microsoft and law enforcement agencies seized nearly 2,300 domains that comprise Lumma's infrastructure, inflicting a significant blow to cybercrime networks targeting sensitive private and institutional data. 

Lumma is a Malware-as-a-Service (MaaS) that has been advertised on underground forums since 2022. It specialises in siphoning passwords, banking credentials, cryptocurrency wallets, and other information. Its victims include individual consumers, schools, banks, and critical service providers. Between March and May 2025, Microsoft found about 394,000 Lumma-infected Windows systems. The majority of these systems were located in Brazil, the United States, and other parts of Europe.

The operation, which was permitted by the US District Court for the Northern District of Georgia, involved Microsoft, the US Department of Justice, Europol, and Japan's Cybercrime Control Centre. The DOJ removed Lumma's command infrastructure, while law enforcement assisted in the suspension of local networks that supported the malware. 

Microsoft is sending over 1,300 confiscated or transferred domains to its "sinkholes"—a defensive infrastructure that intercepts malicious traffic in order to detect and prevent further attempts. The insights gained from these sinkholes will help public and private cybersecurity operations to investigate, track, and neutralise Lumma-related threats. 

Lumma, which is designed to avoid detection, has been popular among ransomware gangs such as Octo Tempest (also known as Scattered Spider). It spreads via phishing attacks, malvertising, and impersonation frauds, such as a recent attack that used Booking.com to perpetrate financial theft. Lumma has been used against sectors like healthcare, telecom, and logistics in addition to financial fraud, highlighting the wide-ranging and persistent threat it poses.

“We know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities. Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users,” noted Microsoft in a blog post.
Read more »
Noodlophile
AI Video Generator Deepfake Infostealer malware Noodlophile

Cybercriminals Employ Fake AI tools to Propagate the Infostealer Noodlophile

 

A new family of malware that steals information, dubbed 'Noodlophile,' is being spread using fake AI-powered video generating tools that pose as generated media content.

The websites are promoted on Facebook groups with a high level of visibility and use catchy names like the "Dream Machine" to make themselves seem like sophisticated artificial intelligence tools that create videos from user files that are uploaded. The latest effort by Morphisec adds a new infostealer to the mix, even though the idea of using AI tools to spread malware is not new and has been used by experienced hackers. 

Morphisec claims that Noodlophile is a new malware-as-a-service enterprise associated with Vietnamese-speaking operators because it is being offered for sale on dark web forums, often in conjunction with "Get Cookie + Pass" services. 

Once the victim visits the malicious website and submits their files, they are given a ZIP folder that is intended to include an artificial intelligence film. Instead, the ZIP includes a fraudulently called application (Video Dream MachineAI.mp4.exe) as well as a hidden folder containing numerous files required for following phases. If a Windows user disables file extensions (which should never be done), the file will appear to be an MP4 video file. 

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," notes Morphisec."Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.”

Double-clicking on the fraudulent MP4 will open a sequence of executables, culminating in the launch of a batch script (Document.docx/install.bat). The script uses the genuine Windows program 'certutil.exe' to decode and extract a base64-encoded password-protected RAR package masquerading as a PDF document. At the same time, it creates a new registry key for persistence.

Subsequently, the script runs'srchost.exe,' which executes an obfuscated Python script (randomuser2025.txt) retrieved from a hardcoded remote server address, ultimately executing the Noodlophile Stealer in memory. If Avast is found on the infected system, PE hollowing is employed to inject the payload into RegAsm.exe. Shellcode injection is used for in-memory execution. 

The best defence against malware is to stay away from files downloaded and run from unidentified websites. Always check file extensions before opening them, and run an antivirus scan on any downloaded files before running them.
Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
ZeroTrust
2FA AIsecurity credentialstuffing CyberCrime Darkweb Data Breach GenZ Infostealer passwordmanager Passwords phishing Ransomware ZeroTrust

Infostealer Malware Soars 500% as 1.7 Billion Passwords Leak on Dark Web

 

A new report has exposed a staggering 500% rise in infostealer malware attacks, with over 1.7 billion passwords leaked on the dark web in 2024 alone. Despite the growing threat, poor password hygiene continues to be a critical issue, especially among Gen Z users. Cybersecurity experts are now calling for a complete rethink of digital safety practices, urging organizations and individuals to adopt zero-trust frameworks, AI-driven defenses, and reform in user behavior.

Infostealer malware is gaining traction as a preferred tool among cybercriminals. These lightweight, silent programs are often embedded in pirated software or spread via phishing attacks. Once inside a system, they exfiltrate sensitive data including stored credentials, autofill data, cookies, and even crypto wallet details without raising alarms. This stolen information is then compiled into massive combo lists—datasets of usernames and passwords—that are sold or traded on dark web forums. These lists power credential-stuffing attacks that enable hackers to take control of accounts on a mass scale.

Underground marketplaces have reportedly listed over 100 billion compromised credentials, marking a 42% increase from the previous year. Cybercrime syndicates such as BestCombo, BloddyMery, and ValidMail have become notorious for brokering access to stolen identities, fueling everything from account takeovers to financial fraud, ransomware deployment, and corporate espionage.

Yet, despite repeated warnings, user behavior remains worryingly casual. The 2025 World Password Day Survey revealed that 72% of Gen Z users admit to reusing passwords across multiple services. Even more strikingly, 79% acknowledge the risks of reuse, while 59% continue to use the same credentials even after a breach. Shockingly, only 10% reported updating their passwords consistently after being informed of a compromise. Additionally, 38% of Gen Z respondents said they only alter one character when prompted to update a password, and 30% frequently forget their credentials—despite the availability of password recovery features and password managers.

Although 46% of Gen Z users claim to use password managers, their actual habits—like sharing credentials via body text, screenshots, or in conversation—undermine any security those tools provide. This gap between intention and action continues to weaken overall cyber defense.

On the enterprise front, the situation is no better. According to a cybersecurity expert, 27% of businesses still do not enforce basic password policies. Even among organizations that do, users often respond to frequent password change requirements with insecure workarounds, such as reusing slightly modified passwords.

A data privacy solicitor commented, “If your system allows users to bypass complexity rules or reuse old passwords, your policy is meaningless,” she warned.

Experts also note that even strong password practices can't address all threats. Vulnerabilities like device-level breaches, session hijacking, and social engineering tactics necessitate broader security strategies. Resta advises that organizations should go beyond password policies and invest in multi-layered defenses:
“Organizations must maintain robust incident response plans alongside 2FA, AI-driven anomaly detection, and Zero Trust Architecture (ZTA).”
Read more »
Russia-Ukraine War
GammaSteel Infostealer malware Russia Hackers Russia-Ukraine War

Russian Attackers Target military mission in Ukraine With Info-Stealing Malware

 

Gamaredon, a Russia-backed threat group renowned for distributing malware via phishing emails, recently appears to have utilised an infected portable drive to target a Ukrainian-based military mission of an undisclosed Western country.

The malware was an updated version of GammaSteel, a data-stealing tool, according to Symantec researchers who analyzed the recent attacks. The report stated that the campaign was active in February and March. 

However, the researchers did not describe the detachable drive. Following the infection, Gamaredon employed novel strategies to disguise its activities from both researchers and sufferers. Symantec says GammaSteel was deployed using a complicated, multi-stage attack chain. 

Gamaredon, also known as Shuckworm and BlueAlpha, has been active since at least 2013 and is thought to operate from the Russian-annexed Crimean Peninsula under the supervision of Russia's Federal Security Service (FSB). Since the start of the Russian invasion, the organisation has repeatedly targeted Ukraine. In 2023 alone, the country identified 277 cyber incidents linked to the group. 

While Gamaredon is primarily responsible for cyberespionage activities targeting Ukrainian security and defence services, it has also been tied to at least one catastrophic cyberattack on an unidentified information infrastructure institution. Symantec did not reveal the targeted organisation, the extent of the GammaSteel campaign, or the nature of data the hackers attempted to steal. 

Gamaredon, which has historically been regarded as less proficient than other Russian threat actors, seems to have become more sophisticated in the most recent episode. The gang appears to be constantly altering its code, leveraging reliable online services, and adding obfuscation layers. 

Earlier in March, cybersecurity researchers at Cisco Talos warned that Gamaredon was conducting an ongoing operation to install a surveillance tool on Ukrainian computers. As part of this attack, Gamaredon infected users with phishing emails carrying harmful files relating to Ukrainian troop movements. 

According to Recorded Future's Insikt Group, the group was observed in December employing Cloudflare Tunnels — a service that helps mask the true location of servers or infrastructure — to infect targets with proprietary GammaDrop malware while remaining undetected. Earlier last year, two FSB-affiliated hackers were convicted in absentia to 15 years in prison in Ukraine for cyberattacks on governmental institutions. The pair is reportedly linked to Gamaredon.
Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Malwares
Arcane Cyber Attacks Data Safety User Data data security Data Stealer Discord Infostealer Infostealer Malware Kaspersky Malwares

Arcane Malware Steals VPN, Gaming, and Messaging Credentials in New Cyber Threat

 

A newly identified malware strain, Arcane, is making headlines for its ability to steal a vast range of user data. This malicious software infiltrates systems to extract sensitive credentials from VPN services, gaming platforms, messaging apps, and web browsers. Since its emergence in late 2024, Arcane has undergone several modifications, increasing its effectiveness and expanding its reach. 

Unlike other cyber threats with long-established histories, Arcane is not linked to previous malware versions carrying a similar name. Analysts at Kaspersky have observed that the malware primarily affects users in Russia, Belarus, and Kazakhstan. This is an unusual pattern, as many Russian-based cybercriminal groups tend to avoid targeting their home region to steer clear of legal consequences. 

Additionally, communications linked to Arcane’s operators suggest that they are Russian-speaking, reinforcing its likely origin. The malware spreads through deceptive content on YouTube, where cybercriminals post videos promoting game cheats and cracked software. Viewers are enticed into downloading files that appear legitimate but contain hidden malware. Once opened, these files initiate a process that installs Arcane while simultaneously bypassing Windows security settings. 

This allows the malware to operate undetected, giving hackers access to private information. Prior to Arcane, the same group used a different infostealer known as VGS, a modified version of an older trojan. However, since November 2024, they have shifted to distributing Arcane, incorporating a new tool called ArcanaLoader. This fake installer claims to provide free access to premium game software but instead delivers the malware. 

It has been heavily marketed on YouTube and Discord, with its creators even offering financial incentives to content creators for promoting it. Arcane stands out because of its ability to extract detailed system data and compromise various applications. It collects hardware specifications, scans installed software, and retrieves login credentials from VPN clients, communication platforms, email services, gaming accounts, and cryptocurrency wallets. Additionally, the malware captures screenshots, which can expose confidential information visible on the victim’s screen. 

Though Arcane is currently targeting specific regions, its rapid evolution suggests it could soon expand to a broader audience. Cybersecurity experts warn that malware of this nature can lead to financial theft, identity fraud, and further cyberattacks. Once infected, victims must reset all passwords, secure compromised accounts, and ensure their systems are thoroughly cleaned. 

To reduce the risk of infection, users are advised to be cautious when downloading third-party software, especially from unverified sources. Game cheats and pirated programs often serve as delivery methods for malicious software, making them a significant security threat. Avoiding these downloads altogether is the safest approach to protecting personal information.
Read more »
Microsoft
Cyber Attacks GitHub Infostealer Malvertising Microsoft

Microsoft Warns of Malvertising Campaign Impacting Over 1 Million Devices Worldwide

 

Microsoft has revealed details of a large-scale malvertising campaign that is believed to have impacted over one million devices worldwide as part of an opportunistic attack aimed at stealing sensitive information. 

The tech giant, which discovered the activity in early December 2024, is tracking it under the broader Storm-0408 umbrella, which refers to a group of attackers known for distributing remote access or information-stealing malware via phishing, search engine optimisation (SEO), or malvertising.

"The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team stated. "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

The campaign relied on GitHub to deliver initial access payloads, but payloads were also detected on Discord and Dropbox. The GitHub repositories were removed, but the number of such repositories was not disclosed. The Microsoft-owned code hosting service serves as a staging ground for dropper malware, which deploys a series of ads.

The Microsoft-owned code hosting site serves as a staging ground for dropper malware, which is in charge of launching a number of further programs such as Lumma Stealer and Doenerium, which can then collect system information. The assault also uses a sophisticated redirection chain with four to five layers, with the first redirector embedded in an iframe element on unlawful streaming websites that serve pirated content.

The entire infection sequence consists of several stages, including system discovery, information collecting, and the employment of follow-on payloads like NetSupport RAT and AutoIT scripts to assist more data theft. The remote access trojan also acts as a gateway for stealer malware. 

  • First stage: Establish a footing on target devices.
  • Second stage: system reconnaissance, collection, exfiltration, and payload delivery. 
  • Third stage: It involves command execution, payload delivery, defence evasion, persistence, command-and-control communications, and data exfiltration. 
  • Fourth stage: PowerShell script for configuring Microsoft Defender exclusions and running commands to download data from a remote server. 

Another feature of the assaults is the use of numerous PowerShell scripts to download NetSupport RAT, identify installed apps and security software, and scan for the presence of cryptocurrency wallets, which indicates possible financial data theft.

"Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.” 

The disclosure comes after Kaspersky reported that fake websites masquerading as DeepSeek and Grok artificial intelligence (AI) chatbots are being used to lure users into installing a previously unknown Python information stealer.

DeekSeek-themed decoy sites promoted by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been used to run a PowerShell script that leverages SSH to enable attackers remote access to the machine. 

"Cybercriminals use various schemes to lure victims to malicious resources,' the Russian cybersecurity company noted. "Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
Read more »
Malwares
Cyber Attacks cybercriminals data security Data Theft Hackers Infostealer Infostealer Malware Malware attacks Malwares

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. Hackers distribute infostealer malware through multiple channels, making it a widespread threat. 

Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.
Read more »
Visual Studio Code
Infostealer LNK File malware Phantom Goblin Visual Studio Code

Phantom Goblin: An Emerging Menace in Credential Theft and Remote System Access

 

A complex malware campaign dubbed "Phantom Goblin" has been discovered, which employs social engineering techniques to install information-stealing malware. The malware is distributed by RAR attachments in spam messages, which includes a poisoned shortcut file posing as a PDF. 

When executed, the LNK file launches a PowerShell operation to download further payloads from a GitHub repository, ensuring persistence by generating a registry entry that starts at system boot. These payloads, such as "updater.exe," "vscode.exe," and "browser.exe," spoof legitimate apps, which complicates detection. 

The malware primarily targets web browsers and development tools to steal sensitive data. It harvests cookies, login passwords, and browsing history by forcing browsers such as Chrome, Brave, and Edge to shut down. The "updater.exe" payload allows remote debugging to bypass Chrome's App Bound Encryption (ABE) and achieve covert data exfiltration. The stolen information is subsequently transferred to a Telegram channel via the Telegram Bot API. This approach allows cybercriminals to access data in real time without suspicion. 

Phantom Goblin also uses Visual Studio Code (VSCode) tunnels for remote unauthorised access. The "vscode.exe" payload downloads a legitimate version of VSCode, unpacks it, and creates a tunnel to maintain persistent control over compromised PCs. These connection credentials are passed to a Telegram bot, which allows remote access without triggering traditional security notifications. 

Prevention tips

Several best practices are recommended by experts to safeguard systems against Phantom Goblin and similar threats:

Email Filtering: Use advanced filtering techniques to block suspicious attachments, especially those in RAR, ZIP, or LNK format. Before opening any attachments, be sure they have been scanned with the latest antivirus software. 

Disabling VSCode tunnels: Enforce access controls and authentication measures to prevent unauthorised users from using Visual Studio Code tunnels. Limiting the ability to use VSCode on sensitive systems can help prevent remote access. 

PowerShell Restrictions: Disable or limit the use of PowerShell and script execution on computers unless absolutely necessary. Monitoring for suspicious PowerShell activity, such as script execution from external sources, can assist detect and prevent malicious operations. 

Browser Security: Use strong browser security mechanisms to prevent unauthorised debugging and limit access to sensitive data stored within browsers. Enforcing multi-factor authentication (MFA) and session timeouts can assist to secure browser-based credentials.
Read more »
remote access
Data Leak Infostealer malware Microsoft Teams remote access

Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

 

Trend Micro security experts discovered a sophisticated cyberattack that included social engineering tactics and commonly employed remote access tools. The attack, which uses stealthy infostealer malware, gives thieves permanent access over vulnerable PCs and allows them to steal sensitive data.

According to Trend Micro Threat Intelligence, the majority of incidents since October 2024 have been concentrated in North America, with 21 breaches reported. The US was the most affected, with 17 cases, followed by Canada and the United Kingdom, each with five. Europe documented a total of 18 incidents. 

Modus operandi 

Threat actors utilise social engineering techniques to acquire initial access by deceiving victims into submitting credentials. Microsoft Teams is used for impersonation, and Quick Assist and other remote access applications allow attackers to escalate privileges. OneDriveStandaloneUpdater.exe, a genuine OneDrive update application, is used to sideload malicious DLLs and grant attackers network access.

Subsequently, the attackers install BackConnect malware, which allows them to keep control of affected systems. Malicious files are hosted and propagated via commercial cloud storage services, leveraging misconfigured or publicly available storage buckets. 

The BackConnect malware has been linked by researchers to QakBot, a loader malware that was the focus of the 2023 takedown effort called "Operation Duckhunt." Access to target computers by Black Basta ransomware attackers was made possible in large part via QakBot. After it was taken down, these threat actors switched to alternative methods to continue operating. 

Black Basta and Cactus ransomware link 

Trend Micro analysts recently investigated cases in which the Black Basta and Cactus ransomware perpetrators used the identical BackConnect malware. This malware allows cybercriminals to execute commands remotely, steal credentials, and steal financial information.

In 2023, Black Basta alone extorted $107 million from victims, with manufacturing the largest hit, followed by financial sectors and real estate. Attackers also utilised WinSCP, an open-source file transfer client, to move data within infected systems. The infected files were first acquired from a cloud storage provider before being repackaged and distributed using system vulnerabilities. 

Further investigation into Black Basta's internal chat breaches indicates that members of the gang are now using Cactus ransomware. Researchers believe that this transition will allow Cactus to remain a major threat by 2025.
Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
malware
fake ads Google Ads Infostealer Malicious Campaign malware

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

 

Hackers are once more exploiting Google advertisements to disseminate malware, using a fake Homebrew website to compromise Macs and Linux systems with an infostealer that harvests credentials, browsing data, and cryptocurrency wallets. 

Ryan Chenkie discovered the fraudulent Google ad campaign and warned on X regarding the potential of malware infection. The malware employed in this operation is AmosStealer (aka 'Atomic'), an infostealer intended for macOS devices and sold to malicious actors on a monthly subscription basis for $1,000. 

The malware recently appeared in various malvertising campaigns promoting bogus Google Meet conferencing pages, and it is now the preferred stealer for fraudsters targeting Apple customers. 

Targeting Homebrew customers 

Homebrew is a popular open-source package manager for macOS and Linux that lets you install, update, and manage software using the command line. 

A fraudulent Google advertising featured the correct Homebrew URL, "brew.sh," misleading even seasoned users into clicking it. However, the ad redirected users to a bogus Homebrew website hosted at "brewe.sh". Malvertisers have extensively exploited this URL strategy to trick users into visiting what appears to be a legitimate website for a project or organisation.

When the visitor arrives at the site, he or she is requested to install Homebrew by copying and pasting a command from the macOS Terminal or Linux shell prompt. The official Homebrew website provides a similar command for installing legitimate software. However, running the command displayed on the bogus website will download and execute malware on the device. 

Cybersecurity expert JAMESWT discovered that the malware injected in this case [VirusTotal] is Amos, a potent infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and online browser data. Mike McQuaid, Homebrew's project leader, indicated that the project is aware of the situation but that it is beyond its control, criticising Google's lack of oversight. 

"Mac Homebrew Project Leader here. This seems taken down now," McQuaid stated on X. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been removed, but the campaign could still run through other redirection domains, therefore Homebrew users should be aware of sponsored project adverts.

To mitigate the risk of malware infection, while clicking on a link in Google, make sure you are directed to the authentic site for a project or company before entering sensitive information or installing software. Another safe option is to bookmark official project websites that you need to visit frequently when sourcing software and utilise them instead of searching online every time.
Read more »
Telefónica
Data Breach Infostealer Private Data Telecom Firm Telefónica

Hackers Breach Telefónica's internal Ticketing System, Stealing 2.3GB of Sensitive Data

 

The hackers employed information stealer malware to steal the credentials of several Telefonica employees and gain access to the company's internal ticketing system.

The data breach was revealed last week when members of the Hellcat ransomware group (which had previously claimed responsibility for the Schneider Electric attack) boasted on the BreachForums cybercrime website about stealing customer data, ticket data, and hundreds of files from the Spain-based telecom provider.

According to cybersecurity firm Hudson Rock, the attack was "facilitated by a combination of infostealer malware and sophisticated social engineering techniques". 

The attackers told Hudson Rock that they utilised custom infostealer malware to breach the credentials of over 15 Telefonica employees and get access to the firm's Jira platform. After getting access to the platform, the attackers apparently targeted two employees with administrator credentials, "tricking them into revealing the correct server for brute-forcing SSH access".

The perpetrators stole a list of 24,000 Telefonica staff emails and identities, 500,000 summaries of internal Jira issues, and 5,000 internal documents, which included internal email chats and other contents. The stolen data could expose Telefonica personnel to phishing and other forms of social engineering attacks, as well as operational details, security flaws in the company's infrastructure, strategic goals, and other sensitive internal information. 

Hudson Rock claims that last year, 531 employee PCs connected to Telefonica's network were infected with infostealers, possibly exposing company credentials on each machine. Additionally, it seems that the company did not implement corporate infrastructure password policies that were robust. 

“For the URL linked to the initial access, the passwords were even weaker, indicating that it wouldn’t have taken an infostealer infection for hackers to brute force their way in,” the cybersecurity firm noted.

In other cases of infostealer infections, Telefonica employees' credentials to third-party services such as Fortinet, Office 365, and Salesforce were stolen.

“These infections provide hackers with the necessary credentials to infiltrate systems and, as demonstrated in this case, can be leveraged to expand access further through sophisticated social engineering tactics. Infostealers serve as a stepping stone for more advanced attacks, making them a significant concern for organizations worldwide,” Hudson Rock added.

In response to a local media outlet's request, Telefonica confirmed the incident but declined to provide any other details on the potentially compromised data.

“We have become aware of an unauthorized access to an internal ticketing system which we use at Telefónica. We continue to investigate the extent of the incident but can confirm that Telefónica´s residential customers have not been affected. From the very beginning, we have taken the necessary steps to block any unauthorized access to the system,” Telefonica stated. 

Telefonica, a multinational telecommunications firm headquartered in Madrid, Spain, operates in a dozen countries worldwide under various brands such as Movistar, O2, Telefonica, Telxius, and Vivo.
Read more »
Trend Micro SafeBreach Vulnerability Attack Security
Cybersecurity Exploit FTP server Infostealer malware PowerShell Trend Micro SafeBreach Vulnerability Attack Security

Malicious GitHub PoC Exploit Spreads Infostealer Malware

 

A malicious GitHub repository disguises a proof-of-concept (PoC) exploit for CVE-2024-49113, also known as "LDAPNightmare," delivering infostealer malware that sends sensitive data to an external FTP server. Disguised as a legitimate PoC, the exploit tricks users into executing malware.

While using fake PoC exploits is not a new tactic, Trend Micro's discovery shows that cybercriminals continue to deceive unsuspecting users. This malicious repository appears to be a fork of SafeBreach Labs' original PoC for CVE-2024-49113, which was released on January 1, 2025.

CVE-2024-49113 is one of two vulnerabilities affecting the Windows Lightweight Directory Access Protocol (LDAP), which was patched by Microsoft during December 2024's Patch Tuesday. The other vulnerability, CVE-2024-49112, is a critical remote code execution (RCE) flaw.

SafeBreach's blog post initially mislabeled the vulnerability as CVE-2024-49112, which sparked interest in LDAPNightmare, potentially attracting threat actors looking to exploit this buzz.

The PoC from the malicious repository contains a UPX-packed executable, 'poc.exe,' which drops a PowerShell script in the victim's %Temp% folder upon execution. The script sets up a scheduled job that runs an encoded script, which fetches another script from Pastebin.

This final payload gathers information such as computer details, process lists, network data, and installed updates, which it then compresses into a ZIP file and uploads to an external FTP server using hardcoded credentials.

Users downloading PoCs from GitHub should exercise caution, trusting only reputable cybersecurity firms and researchers. Verifying repository authenticity and reviewing code before execution is essential. For added security, consider uploading binaries to VirusTotal and avoid anything that appears obfuscated.
Read more »
User Security
Banshee Stealer Infostealer macOS malware User Security

New Version of Banshee Malware Targets macOS Users

 

According to the latest study published this week, a new variant of the info-stealing malware known as "Banshee" has been targeting macOS users' passwords, cryptocurrency wallets, browser credentials, and other data for at least the past four months.

Check Point researchers discovered that the latest version targets anyone using a Mac and can be downloaded mostly through malicious GitHub uploads, but also through other websites (GitHub's policies prohibit malware, but this does not mean there is no malware on GitHub). 

This latest Banshee malware often disguises itself as the Telegram messaging app or the Google Chrome browser, two popular apps that other malware attackers use to trick users. This version first surfaced in September last year and attempts to evade detection by using Apple's proprietary string encryption algorithm, XProtect.

This malware targets your browsing activities in Chrome, Brave, Edge, or Vivaldi. It also attempts to steal your cryptocurrency if you have any crypto wallet browser extensions installed, and it may show macOS victims fake login pages in an attempt to steal their usernames and passwords, which it then uses to steal accounts and funds. It will target your Coinbase, Ronin, Slope, TONNE, MetaMask, and other cryptocurrency wallet extensions if you have them. 

The source code for Banshee was leaked online in November. This could have helped antivirus companies ensure their software catches the sneakier version in the months since. Prior versions of this malware were marketed as "stealer-as-a-service" malware on cybercriminal channels, including attacker-controlled Telegram channels, for $3,000 per "license.” 

To stay protected from info-stealer malware, it's a good idea to consider getting a crypto hardware wallet like one from Ledger or Trezor if you have over $1,000 in crypto. In general, it's also a good practice to avoid storing more than $1,000 in any browser extension-based crypto wallet (you can also store funds with an exchange like Coinbase, Robinhood, or Kraken). 

Additionally, passwords should never be kept in an unsecured digital document on your computer (no Google Docs). Instead, think about keeping your crypto seed phrases on paper in a closed box or safe at home.
Read more »
OtterCookie
Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

 

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie. 

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret. 

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ. 

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie. 

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys. 

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy. 

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means. 

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.
Read more »
User Security
Data Theft Infostealer malware Python Package User Security

Fortinet Researchers Discover Two Malicious Python Packages

 

A new research published earlier this week by Fortinet Inc.'s FortiGuard Labs warns of two newly found malicious Python packages that indicate a major threat of credential theft, data exfiltration, and unauthorised system access.

The first flaw, Zebo-0.1.0, was discovered to exhibit sophisticated malware behaviour, including obfuscation tactics to hide its functionality and make it difficult for security tools to detect as malicious. The malware supports keylogging, screen capture, and the exfiltration of critical data to remote servers, posing a serious threat to user privacy and system integrity.

Zebo-0.1.0 makes use of libraries like pynput for keylogging and ImageGrab to take screenshots. This enables the malware to record every keystroke and regularly capture screenshots of the user's desktop, possibly exposing passwords, bank information, and other sensitive data. The malware stores the data locally before sending it to a Firebase database via obfuscated HTTP calls, allowing attackers to retrieve the stolen information undetected.

The malware also has a persistence technique to ensure that it is re-executed each time the infected system boots up. It accomplishes this by creating scripts and batch files in the Windows starting directory. They allow it to remain on the system without the user's knowledge, making it difficult to delete and enabling long-term data theft.

The second flaw, Cometlogger-0.1, includes a variety of malicious functionalities that target system credentials and user data. The virus dynamically injects webhooks into code during execution, allowing it to relay sensitive data, such as passwords and tokens, to remote attacker-controlled servers. 

Cometlogger-0.1 was also discovered to have features meant to evade discovery and disrupt analysis. One function, anti-virtual machine detection, looks for traces of sandbox environments, which are frequently employed by security researchers, and if it finds VM indicators, the malware stops running, allowing it to evade analysis and go unnoticed in live environments.

Though both types of malware have been flagged as dangerous, FortiGuard Lab experts state Cometlogger-0.1 takes things a step further by stealing a wide range of user data, including session cookies, saved passwords, and browsing history. It can also target data from services like Discord, X, and Steam, potentially leading to account hijacking and impersonation.

“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM,” the researchers explained. “While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.” 

The researchers believe that the most effective strategy to avoid infection is to always examine third-party scripts and executables before launching them. Organisations should also set up firewalls and intrusion detection systems to detect strange network activity, and personnel should be trained to recognise phishing attempts and avoid running unverified scripts.
Read more »
Subscribe to: Posts (Atom)