Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malicious Campaign. Show all posts
Vulnerabilities and Exploits
ASUS Routers Botnet GreyNoise Malicious Campaign Vulnerabilities and Exploits

Thousands of ASUS Routers Affected by Stealthy Persistent Backdoor

 

It seems like someone, possibly nation-state hackers, is building a botnet out of thousands of Asus routers that can withstand firmware patches and reboots. Researchers report that about 9,000 routers have been infiltrated, and the figure is still rising. 

GreyNoise, a security firm, warned on Tuesday that attackers utilise a combination of known and previously undisclosed vulnerabilities to attack routers, including a command injection vulnerability identified as CVE-2023-39780. The tradecraft involved implies "a well-resourced and highly capable adversary," maybe building an operable relay box. 

ORBs are a strategy used by advanced persistent threat groups, including intelligence agencies around the world, to conceal malicious behaviour by routing internet traffic through a network of compromised Internet of Things devices. One cybersecurity firm characterises them as the offspring of a VPN and a botnet.

GreyNoise discovered the effort on March 18 and named the technique employed to backdoor the routers "AyySSHush." The intrusion chain starts with brute-force login attempts and two authentication bypass methods with no corresponding CVEs. After gaining access, attackers use CVE-2023-39780 to activate a security mechanism included into Asus routers by TrendMicro. 

The functionality enables "Bandwidth SQLlite Logging," which lets perpetrators feed a string directly into a system() call. With that power, attackers can enable a secure shell and connect it to a TCP port, along with an attacker-controlled public key. That is the step that renders firmware updates ineffective against the hack. 

"Because this key was introduced using official ASUS features, the configuration change is retained across firmware upgrades. "If you've been exploited before, upgrading your firmware will NOT remove the SSH backdoor," Remacle warned. As of publication, Censys' search had identified 8,645 infected routers. 

ASUS addressed CVE-2023-39780 in recent firmware upgrades. However, machines compromised prior to patching may still contain the backdoor unless administrators verify SSH setups and remove the attacker's key from them. For potential compromises, GreyNoise recommends performing a full factory reset.
Read more »
Microsoft
Infostealer Lumma Stealer Malicious Campaign malware Microsoft

Microsoft Uncover Password Stealer Malware on 4 lakh Windows PCs

 

Microsoft's Digital Crimes Unit (DCU) and global partners have halted Lumma Stealer, one of cybercriminals' most common info-stealing malware tools. On May 13, Microsoft and law enforcement agencies seized nearly 2,300 domains that comprise Lumma's infrastructure, inflicting a significant blow to cybercrime networks targeting sensitive private and institutional data. 

Lumma is a Malware-as-a-Service (MaaS) that has been advertised on underground forums since 2022. It specialises in siphoning passwords, banking credentials, cryptocurrency wallets, and other information. Its victims include individual consumers, schools, banks, and critical service providers. Between March and May 2025, Microsoft found about 394,000 Lumma-infected Windows systems. The majority of these systems were located in Brazil, the United States, and other parts of Europe.

The operation, which was permitted by the US District Court for the Northern District of Georgia, involved Microsoft, the US Department of Justice, Europol, and Japan's Cybercrime Control Centre. The DOJ removed Lumma's command infrastructure, while law enforcement assisted in the suspension of local networks that supported the malware. 

Microsoft is sending over 1,300 confiscated or transferred domains to its "sinkholes"—a defensive infrastructure that intercepts malicious traffic in order to detect and prevent further attempts. The insights gained from these sinkholes will help public and private cybersecurity operations to investigate, track, and neutralise Lumma-related threats. 

Lumma, which is designed to avoid detection, has been popular among ransomware gangs such as Octo Tempest (also known as Scattered Spider). It spreads via phishing attacks, malvertising, and impersonation frauds, such as a recent attack that used Booking.com to perpetrate financial theft. Lumma has been used against sectors like healthcare, telecom, and logistics in addition to financial fraud, highlighting the wide-ranging and persistent threat it poses.

“We know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities. Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users,” noted Microsoft in a blog post.
Read more »
Polymorphic Attack
Chrome Extension Cyber Attacks Data Safety Malicious Campaign Polymorphic Attack

Malicious Chrome Extensions Spoof Password Managers in Novel Polymorphic Attack

 

Cybersecurity experts have uncovered a novel technique for a malicious web browser extension to spoof any installed add-on.

"The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX noted in a report published earlier this month. 

The attack targets all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The strategy relies on the fact that users frequently pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension marketplace) and pass it off as a utility. 

The attackers could then use the harvested credentials to take over online accounts and steal sensitive financial and personal data without authorisation. While the add-on provides the claimed functionality without raising any suspicions, it activates the malicious features in the background by actively scanning for the presence of online resources associated with particular target extensions using a technique known as web resource hitting. 

Once a suitable target extension has been located, the attack proceeds to the next stage, when it morphs into a duplicate of the legitimate extension. This is performed by modifying the rogue extension's icon to match that of the target and temporarily disabling the actual add-on using the "chrome.management" API, resulting in its removal from the toolbar. 

"The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation," SquareX added. "In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with.” 

The findings follow a month after the company revealed Browser Syncjacking, another attack technique that allows a seemingly harmless browser extension to take over a victim's device.
Read more »
User Security
Dance of the Hillary Indo-Pak War Malicious Campaign malware Pahalgam Attack User Security

Pakistan’s ‘Dance of the Hillary’ Malware Targets Indians—Here’s How to Safeguard Yourself

 

In the aftermath of escalating cross-border tensions following the April 22 Pahalgam terror assault, Indian cybersecurity agencies have noticed a worrying shift in strategy: a digital onslaught aimed at civilians. The malware campaign, reportedly linked to Pakistani threat actors, has sparked widespread alarm about Indian residents' vulnerability to targeted cyber assaults. 

Officials believe the attack, known as the ‘Dance of the Hillary’ malware, is spreading via WhatsApp, Facebook, Telegram, and email. It disguises itself as video files or documents, frequently ending with suspicious extensions like as.exe—notably tasksche.exe—and, once downloaded, can acquire unauthorised access to mobile devices and computers. 

Experts warn that the ultimate purpose is to extract confidential information such as financial credentials, official IDs, and communication records. Intelligence services have declared a high alert and issued public warnings against opening unknown attachments, particularly at a period of global upheaval. 

Malware deployment

As India started targeted strikes on terror hubs in Pakistan, including major cities such as Islamabad, security experts believe the digital response is intended to do economic and psychological damage. In response to the Pahalgam massacre, the Indian Armed Forces destroyed numerous drone and missile installations while also targeting terror camps. 

In retaliation, Pakistani cyber cells allegedly recruited sleeper operatives and automated botnets to disseminate malware over Indian networks. 

The attack looks to be well-coordinated and designed to cause maximum social disruption. Officials believe it is part of a hybrid warfare plan that combines conventional military attack and digital infiltration. 

Dance of the Hillary has been identified by cyber researchers as a version of previously known data-stealing trojans that have been repackaged with deceptive file names and distributed through phishing tactics. "What makes it dangerous is its ability to blend into civilian channels of communication and exploit curiosity or emotional responses," explained a CERT-In analyst. 

Safety measures 

In response, India's cybersecurity response units, including CERT-In and the Ministry of Electronics and Information Technology, launched an awareness campaign encouraging people to avoid downloading suspicious files and sharing unverified links or media. 

Citizens are asked to verify texts before forwarding them and to report any suspicious activity to cybercrime departments. The report also recommends installing trusted antivirus programs and updating device operating systems to address known vulnerabilities. Meanwhile, state cyber cells have been directed to monitor social media trends for dangerous content patterns.
Read more »
Telegram
Android Spyware Malicious Campaign malware Russian Military Telegram

Android Spyware Concealed in Mapping App Targets Russian Military

 

Doctor Web researchers discovered a new spyware, tracked as Android. Spy.1292.origin, targets Russian military people. The malicious code was concealed in a trojanized Alpine Quest app and distributed via Russian Android catalogues. The malware acquires contacts, geolocation, and file data, and it can also download additional modules to exfiltrate stored data when directed. 

“Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is popular among athletes, travelers, and hunters but also widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit.” reads the report published by researchers at Doctor Web. Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality.” 

To propagate the trojanized Alpine Quest software, threat actors developed a fraudulent Telegram channel. They shared an app download link from a Russian app store, and then they used the same route to push a malicious update. To evade detection, Android.Spy.1292.origin is embedded within a real copy of the Alpine Quest app, causing it to seem and behave just like the original. 

When the app is activated, the trojan discreetly collects and sends information to a command-and-control server, including the user's phone number, accounts, contact list, current date, geolocation, stored file details, and app version. Simultaneously, it transmits some of this information, such as updated geolocation, with the attackers' Telegram bot whenever the device's position changes. 

Once the trojan has gathered file information, attackers can command it to download and execute other modules to steal specific data. The attackers behind the malicious app appear to be interested in confidential information transmitted via Telegram and WhatsApp, as well as the locLog file generated by Alpine Quest. This allows Android.Spy.1292.origin to track user whereabouts and extract sensitive data. Its modular design enables it to broaden its capabilities and engage in a wider range of malicious actions. 

“As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.” the researchers added. 

The researchers recommend installing Android apps only from trustworthy sources, such as official app stores, and avoiding Telegram groups and dodgy websites, particularly those providing free versions of commercial apps. Users should also verify app distributors, as cybercriminals frequently copy legitimate developers using identical names and logos.
Read more »
YouTube Account
Account Hack Cyber Fraud Malicious Campaign Online Creator Social Media YouTube Account

Millions at Risk as Malicious Actors Hijack Popular YouTube Accounts

 

At a startling rate, cybercriminals are taking over well-known YouTube channels, exposing viewers to malware, frauds, and data theft. With billions of views and millions of followers at risk, a single mistake can have disastrous results. 

According to new research from Bitdefender Labs, social media account takeovers increased in 2024 and persisted into early 2025. Content creators and influencers with large followings and views have become primary targets. 

Bitdefender discovered more than 9,000 fraudulent livestreams on YouTube in 2024. These are frequently presented on hacked channels that use trusted brands and public figures to propagate fraud and malware. 

One such hijacked account had 12.4 billion views; if even 1% of viewers were duped, 124 million users would be impacted. Attackers frequently imitate well-known brands such as Tesla, Ripple, and SpaceX, holding phoney livestreams with deepfakes of public people like Elon Musk and Donald Trump to push cryptocurrency frauds and phishing links. 

Beyond YouTube, Instagram has been a key target. Hackers send phishing emails impersonating Meta or Instagram Support, cloning login pages, and tricking creators into revealing SMS verification numbers. 

Malicious sponsorships are another form of infiltration. Cybercriminals trick creators into downloading malicious files disguised as promotional content. Malvertising, which includes adverts for bogus AI products or games like GTA VI that install info-stealers and remote access trojans on victims' gadgets, is also a prevalent strategy.

Events with enormous internet audiences, such as Apple keynotes, the XRP-SEC litigation, or CS2 tournaments, are regularly targeted. Attackers take advantage of these periods of high interest to run frauds disguised as official livestreams or contests.

Prevention tips 

To stay safe, creators should utilise the finest browsers with built-in security measures, enable multi-factor authentication (MFA), and regularly monitor account activity for any unusual changes. Unexpected sponsorship offers, particularly those related to trending issues, must also be carefully scrutinised.

It is recommended that you use the best DDoS protection to avoid service disruptions caused by account takeovers, and that you use a reputable proxy service to offer an extra layer of anonymity and security when managing accounts across many platforms.
Read more »
User Security
Android devices Fraudulent Sites Malicious Campaign malware SpyNote User Security

SpyNote Malware Targets Android Users with Fraudulent Google Play Pages

 

The notorious SpyNote malware is making a comeback thanks to a novel campaign. This remote access trojan has many malicious features and is also quite challenging to remove from an infected Android smartphone.

According to security researchers, this time it is being spread through fake websites hosted on recently registered domains; the sites in question imitate Google Play Store app pages with incredibly accurate detail in order to deceive users into downloading infected files rather than the apps they're looking for.

The fraudulent sites include comprehensive details such as image carousels with screenshots of the supposed programs in issue, install buttons, and code traces, all of which are common visual aspects used to create an illusion of legitimacy. 

When a user clicks on the install button on one of these fake sites, JavaScript code is run, resulting in the download of a malicious APK file. This dropper APK calls a function to launch a second, embedded APK. This secondary payload contains the malware's basic functionality and allows it to communicate with the threat actors' command and control (C2) servers via hardcoded IP addresses and ports.

SpyNote can support both dynamic and hardcoded connections since the command-and-control parameters are incorporated in its DEX files. Additionally, the DNS settings and SSL certificates indicate that these malicious websites were deployed in a methodical and automated manner, which suggests that someone with access to a malware-as-a-service tool created them. 

SpyNote is a particularly malicious piece of malware because of its many features and capabilities: it can remotely activate a phone's camera and microphone, intercept text messages, call logs, and contacts; log keystrokes, including credentials and 2FA codes; track your GPS location; record phone calls; download and install apps; remotely wipe or lock devices, and avoid its own removal by abusing Android's accessibility services. 

Aggressive permission requests, which also enable SpyNote to continue operating even after rebooting, are mostly responsible for this. In order to keep running in the background, it can also exempt itself from battery optimisation, conceal its app icon, and relaunch itself immediately after a reboot. According to DomainTools LLC, the internet intelligence firm that uncovered this most recent campaign, a factory reset is frequently the only method to fully eradicate the malware due to its persistent nature.
Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Subscribe to: Posts (Atom)