Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Infostealer. Show all posts
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
Microsoft
Infostealer Lumma Stealer Malicious Campaign malware Microsoft

Microsoft Uncover Password Stealer Malware on 4 lakh Windows PCs

 

Microsoft's Digital Crimes Unit (DCU) and global partners have halted Lumma Stealer, one of cybercriminals' most common info-stealing malware tools. On May 13, Microsoft and law enforcement agencies seized nearly 2,300 domains that comprise Lumma's infrastructure, inflicting a significant blow to cybercrime networks targeting sensitive private and institutional data. 

Lumma is a Malware-as-a-Service (MaaS) that has been advertised on underground forums since 2022. It specialises in siphoning passwords, banking credentials, cryptocurrency wallets, and other information. Its victims include individual consumers, schools, banks, and critical service providers. Between March and May 2025, Microsoft found about 394,000 Lumma-infected Windows systems. The majority of these systems were located in Brazil, the United States, and other parts of Europe.

The operation, which was permitted by the US District Court for the Northern District of Georgia, involved Microsoft, the US Department of Justice, Europol, and Japan's Cybercrime Control Centre. The DOJ removed Lumma's command infrastructure, while law enforcement assisted in the suspension of local networks that supported the malware. 

Microsoft is sending over 1,300 confiscated or transferred domains to its "sinkholes"—a defensive infrastructure that intercepts malicious traffic in order to detect and prevent further attempts. The insights gained from these sinkholes will help public and private cybersecurity operations to investigate, track, and neutralise Lumma-related threats. 

Lumma, which is designed to avoid detection, has been popular among ransomware gangs such as Octo Tempest (also known as Scattered Spider). It spreads via phishing attacks, malvertising, and impersonation frauds, such as a recent attack that used Booking.com to perpetrate financial theft. Lumma has been used against sectors like healthcare, telecom, and logistics in addition to financial fraud, highlighting the wide-ranging and persistent threat it poses.

“We know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities. Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users,” noted Microsoft in a blog post.
Read more »
Noodlophile
AI Video Generator Deepfake Infostealer malware Noodlophile

Cybercriminals Employ Fake AI tools to Propagate the Infostealer Noodlophile

 

A new family of malware that steals information, dubbed 'Noodlophile,' is being spread using fake AI-powered video generating tools that pose as generated media content.

The websites are promoted on Facebook groups with a high level of visibility and use catchy names like the "Dream Machine" to make themselves seem like sophisticated artificial intelligence tools that create videos from user files that are uploaded. The latest effort by Morphisec adds a new infostealer to the mix, even though the idea of using AI tools to spread malware is not new and has been used by experienced hackers. 

Morphisec claims that Noodlophile is a new malware-as-a-service enterprise associated with Vietnamese-speaking operators because it is being offered for sale on dark web forums, often in conjunction with "Get Cookie + Pass" services. 

Once the victim visits the malicious website and submits their files, they are given a ZIP folder that is intended to include an artificial intelligence film. Instead, the ZIP includes a fraudulently called application (Video Dream MachineAI.mp4.exe) as well as a hidden folder containing numerous files required for following phases. If a Windows user disables file extensions (which should never be done), the file will appear to be an MP4 video file. 

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," notes Morphisec."Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.”

Double-clicking on the fraudulent MP4 will open a sequence of executables, culminating in the launch of a batch script (Document.docx/install.bat). The script uses the genuine Windows program 'certutil.exe' to decode and extract a base64-encoded password-protected RAR package masquerading as a PDF document. At the same time, it creates a new registry key for persistence.

Subsequently, the script runs'srchost.exe,' which executes an obfuscated Python script (randomuser2025.txt) retrieved from a hardcoded remote server address, ultimately executing the Noodlophile Stealer in memory. If Avast is found on the infected system, PE hollowing is employed to inject the payload into RegAsm.exe. Shellcode injection is used for in-memory execution. 

The best defence against malware is to stay away from files downloaded and run from unidentified websites. Always check file extensions before opening them, and run an antivirus scan on any downloaded files before running them.
Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
ZeroTrust
2FA AIsecurity credentialstuffing CyberCrime Darkweb Data Breach GenZ Infostealer passwordmanager Passwords phishing Ransomware ZeroTrust

Infostealer Malware Soars 500% as 1.7 Billion Passwords Leak on Dark Web

 

A new report has exposed a staggering 500% rise in infostealer malware attacks, with over 1.7 billion passwords leaked on the dark web in 2024 alone. Despite the growing threat, poor password hygiene continues to be a critical issue, especially among Gen Z users. Cybersecurity experts are now calling for a complete rethink of digital safety practices, urging organizations and individuals to adopt zero-trust frameworks, AI-driven defenses, and reform in user behavior.

Infostealer malware is gaining traction as a preferred tool among cybercriminals. These lightweight, silent programs are often embedded in pirated software or spread via phishing attacks. Once inside a system, they exfiltrate sensitive data including stored credentials, autofill data, cookies, and even crypto wallet details without raising alarms. This stolen information is then compiled into massive combo lists—datasets of usernames and passwords—that are sold or traded on dark web forums. These lists power credential-stuffing attacks that enable hackers to take control of accounts on a mass scale.

Underground marketplaces have reportedly listed over 100 billion compromised credentials, marking a 42% increase from the previous year. Cybercrime syndicates such as BestCombo, BloddyMery, and ValidMail have become notorious for brokering access to stolen identities, fueling everything from account takeovers to financial fraud, ransomware deployment, and corporate espionage.

Yet, despite repeated warnings, user behavior remains worryingly casual. The 2025 World Password Day Survey revealed that 72% of Gen Z users admit to reusing passwords across multiple services. Even more strikingly, 79% acknowledge the risks of reuse, while 59% continue to use the same credentials even after a breach. Shockingly, only 10% reported updating their passwords consistently after being informed of a compromise. Additionally, 38% of Gen Z respondents said they only alter one character when prompted to update a password, and 30% frequently forget their credentials—despite the availability of password recovery features and password managers.

Although 46% of Gen Z users claim to use password managers, their actual habits—like sharing credentials via body text, screenshots, or in conversation—undermine any security those tools provide. This gap between intention and action continues to weaken overall cyber defense.

On the enterprise front, the situation is no better. According to a cybersecurity expert, 27% of businesses still do not enforce basic password policies. Even among organizations that do, users often respond to frequent password change requirements with insecure workarounds, such as reusing slightly modified passwords.

A data privacy solicitor commented, “If your system allows users to bypass complexity rules or reuse old passwords, your policy is meaningless,” she warned.

Experts also note that even strong password practices can't address all threats. Vulnerabilities like device-level breaches, session hijacking, and social engineering tactics necessitate broader security strategies. Resta advises that organizations should go beyond password policies and invest in multi-layered defenses:
“Organizations must maintain robust incident response plans alongside 2FA, AI-driven anomaly detection, and Zero Trust Architecture (ZTA).”
Read more »
Russia-Ukraine War
GammaSteel Infostealer malware Russia Hackers Russia-Ukraine War

Russian Attackers Target military mission in Ukraine With Info-Stealing Malware

 

Gamaredon, a Russia-backed threat group renowned for distributing malware via phishing emails, recently appears to have utilised an infected portable drive to target a Ukrainian-based military mission of an undisclosed Western country.

The malware was an updated version of GammaSteel, a data-stealing tool, according to Symantec researchers who analyzed the recent attacks. The report stated that the campaign was active in February and March. 

However, the researchers did not describe the detachable drive. Following the infection, Gamaredon employed novel strategies to disguise its activities from both researchers and sufferers. Symantec says GammaSteel was deployed using a complicated, multi-stage attack chain. 

Gamaredon, also known as Shuckworm and BlueAlpha, has been active since at least 2013 and is thought to operate from the Russian-annexed Crimean Peninsula under the supervision of Russia's Federal Security Service (FSB). Since the start of the Russian invasion, the organisation has repeatedly targeted Ukraine. In 2023 alone, the country identified 277 cyber incidents linked to the group. 

While Gamaredon is primarily responsible for cyberespionage activities targeting Ukrainian security and defence services, it has also been tied to at least one catastrophic cyberattack on an unidentified information infrastructure institution. Symantec did not reveal the targeted organisation, the extent of the GammaSteel campaign, or the nature of data the hackers attempted to steal. 

Gamaredon, which has historically been regarded as less proficient than other Russian threat actors, seems to have become more sophisticated in the most recent episode. The gang appears to be constantly altering its code, leveraging reliable online services, and adding obfuscation layers. 

Earlier in March, cybersecurity researchers at Cisco Talos warned that Gamaredon was conducting an ongoing operation to install a surveillance tool on Ukrainian computers. As part of this attack, Gamaredon infected users with phishing emails carrying harmful files relating to Ukrainian troop movements. 

According to Recorded Future's Insikt Group, the group was observed in December employing Cloudflare Tunnels — a service that helps mask the true location of servers or infrastructure — to infect targets with proprietary GammaDrop malware while remaining undetected. Earlier last year, two FSB-affiliated hackers were convicted in absentia to 15 years in prison in Ukraine for cyberattacks on governmental institutions. The pair is reportedly linked to Gamaredon.
Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Malwares
Arcane Cyber Attacks Data Safety User Data data security Data Stealer Discord Infostealer Infostealer Malware Kaspersky Malwares

Arcane Malware Steals VPN, Gaming, and Messaging Credentials in New Cyber Threat

 

A newly identified malware strain, Arcane, is making headlines for its ability to steal a vast range of user data. This malicious software infiltrates systems to extract sensitive credentials from VPN services, gaming platforms, messaging apps, and web browsers. Since its emergence in late 2024, Arcane has undergone several modifications, increasing its effectiveness and expanding its reach. 

Unlike other cyber threats with long-established histories, Arcane is not linked to previous malware versions carrying a similar name. Analysts at Kaspersky have observed that the malware primarily affects users in Russia, Belarus, and Kazakhstan. This is an unusual pattern, as many Russian-based cybercriminal groups tend to avoid targeting their home region to steer clear of legal consequences. 

Additionally, communications linked to Arcane’s operators suggest that they are Russian-speaking, reinforcing its likely origin. The malware spreads through deceptive content on YouTube, where cybercriminals post videos promoting game cheats and cracked software. Viewers are enticed into downloading files that appear legitimate but contain hidden malware. Once opened, these files initiate a process that installs Arcane while simultaneously bypassing Windows security settings. 

This allows the malware to operate undetected, giving hackers access to private information. Prior to Arcane, the same group used a different infostealer known as VGS, a modified version of an older trojan. However, since November 2024, they have shifted to distributing Arcane, incorporating a new tool called ArcanaLoader. This fake installer claims to provide free access to premium game software but instead delivers the malware. 

It has been heavily marketed on YouTube and Discord, with its creators even offering financial incentives to content creators for promoting it. Arcane stands out because of its ability to extract detailed system data and compromise various applications. It collects hardware specifications, scans installed software, and retrieves login credentials from VPN clients, communication platforms, email services, gaming accounts, and cryptocurrency wallets. Additionally, the malware captures screenshots, which can expose confidential information visible on the victim’s screen. 

Though Arcane is currently targeting specific regions, its rapid evolution suggests it could soon expand to a broader audience. Cybersecurity experts warn that malware of this nature can lead to financial theft, identity fraud, and further cyberattacks. Once infected, victims must reset all passwords, secure compromised accounts, and ensure their systems are thoroughly cleaned. 

To reduce the risk of infection, users are advised to be cautious when downloading third-party software, especially from unverified sources. Game cheats and pirated programs often serve as delivery methods for malicious software, making them a significant security threat. Avoiding these downloads altogether is the safest approach to protecting personal information.
Read more »
Subscribe to: Posts (Atom)