Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware attacks. Show all posts
Network Intrusion
Botnet Botnet attack Cyber Security CyberCrime Internet Routers Malware attacks Network Intrusion

Global Law Enforcement Disrupts SocksEscort Proxy Network Powered by AVRecon Malware

 

Federal and regional police units, working alongside independent digital security experts, took down the SocksEscort hacking infrastructure. This setup used hacked gateway gadgets - infected by AVRecon - to route illicit online traffic through hidden channels. 

A team at Black Lotus Labs, under Lumen Technologies, aided the takedown operation together with officials from the U.S. Department of Justice. Over multiple years, authorities found the proxy system kept around twenty thousand compromised gadgets active weekly - revealing both reach and staying power. 

SocksEscort first came into view back in 2023, though signs point to activity stretching well beyond ten years. Operation relied on offering entry to seemingly legitimate IP addresses - pulled from home and office network devices. Because these connections appeared ordinary, users could mask malicious data flows under normal ISP cover. Detection tools often failed, misled by the everyday digital footprint left behind. 

By early 2026, authorities reported the system had provided entry to vast numbers of IP addresses across its lifespan. Nearly 8,000 compromised routers remained operational at that point. Within the U.S., roughly a quarter of those devices were found scattered throughout the country. Though focused on one case, the ripple effects touched various forms of monetary misconduct. 

A trail led authorities to connect SocksEscort with nearly $1 million siphoned from digital wallets belonging to someone in New York. Separate findings showed about $700,000 lost due to deceptive schemes targeting an industrial company based in Pennsylvania. Victims among American military personnel also faced damage after personal banking records were breached, adding further strain. 

Dozens of domains and servers linked to the network were seized across Europe through joint efforts steered by Europol. Backing came from law enforcement agencies in Austria, France, and the Netherlands. Around $3.5 million in digital currency was blocked during the course of the mission. What powered the entire operation was AVRecon, a form of malicious software aimed at Linux-run home and small office routers. 

By June 2023, it had taken hold on over seventy thousand machines, forming a vast network of hijacked devices. This network served one purpose: strengthening the reach of SocksEscort. Analysts found something unusual - none of the affected IPs showed up in unrelated botnet activity, pointing toward tightly managed usage. Despite setbacks during early 2023 that briefly disrupted operations through severed command channels, the group managed recovery by reconstructing systems. Control returned via decentralized nodes rather than a single hub. Activity restarted months afterward with modified communication pathways. 

Early in 2025, more than 280,000 distinct IP addresses got caught up in the activity. Although infections spread globally, those based in the U.S. and the U.K. stood out - due to their appeal in hiding harmful network behavior. Outdated routers should be swapped out, many professionals suggest. Firmware updates come next on the list for staying protected. Default login details? Better revise them promptly. Remote functions that go unused tend to invite trouble - shutting those off helps block intrusions. Reducing exposure often begins with these small shifts. 

A single operation reveals how digital crime groups using hidden relay systems are expanding their reach. Global teamwork across borders proves essential to weaken such operations.
Read more »
Medical Hacking
Cyber Attacks Cybersecurity Attack Data Removal data security Digital Infrastructure Hacker attack Malware attacks Medical Hacking

Stryker Hit by Major Cyberattack as Hacktivist Group Claims Wiper Malware Operation

 

A major cybersecurity breach hit Stryker, the international medical tech company, throwing operations into disarray across continents. Claiming responsibility is a hacktivist faction supportive of Palestine, said to have ties to Iranian networks. Outages spread quickly through digital infrastructure after the intrusion became active. Emergency protocols were activated by staff as normal workflows collapsed without warning. 

Following the incident, blame was placed on Handala - a collective that openly admitted initiating a cyberattack involving destructive software aimed at Stryker’s infrastructure. Data removal affected numerous devices throughout the organization's environment. From those systems, about 50 terabytes containing confidential material were copied before transmission outside secure boundaries. 

Even though confirmation remains absent, whispers among workers stretch from Dublin to San Jose, pointing at chaos. Over two hundred thousand gadgets - servers mostly, but also handheld units - supposedly vanished under digital assault, according to Handala. Operations froze in clusters of buildings scattered through nearly thirty nations. Evidence trickles in from office staff in Perth, San José, Cork, and beyond, painting a fractured picture of stalled systems. 

One moment staff noticed work phones wiped without warning. Then came reports of private gadgets - once linked to office networks - suddenly cleared too. Afterward, guidance arrived: uninstall every business-related app. Tools meant to manage phones, along with messaging software tied to the organization, had to go. Removal became expected across all equipment. Work slowed in certain areas when digital tools went offline, pushing staff toward handwritten logs instead. With networks down, employees handled tasks by hand until technology recovered. 

A breach within Stryker’s Microsoft-based network led to widespread IT outages worldwide, as disclosed in a regulatory document. Right after spotting the problem, the firm triggered its internal cyber crisis protocol. Outside specialists joined the effort soon afterward - helping examine and limit further damage. Even though the disturbance was serious, Stryker said it found no signs of ransomware and thinks the situation is now under control. Still, the company admitted work continues to restore systems, without saying when operations will return fully. 

Yet completion remains uncertain despite progress so far. Emerging in late 2023, Handala already shows patterns of focusing on Israeli entities - using tactics that pair information exfiltration with damaging software meant to erase digital traces. Public exposure of obtained files forms a consistent part of their method, typically done via web-based disclosure channels. Though relatively new, its actions follow a clear playbook centered around visibility and disruption. 

Amid rising global tensions, a fresh assault emerges - tied to surging digital threats fueled by ongoing regional disputes. Noted specialists stress these events reveal a shift: large-scale interference now walks hand-in-hand with widespread information theft. While conflict zones heat up offline, their shadows stretch deep into network spaces. With Stryker rebuilding its digital infrastructure, the event highlights how sophisticated cyberattacks increasingly endanger vital sectors - healthcare and medtech among them - where uninterrupted function matters most.
Read more »
Malware attacks
Airport WiFi Security Cyber Attacks cybersecurity threats FBI FBI FBI warning Hacker attack Internet Routers Malware attacks

FBI Warns Outdated Wi-Fi Routers Are Being Targeted in Malware and Botnet Attacks

 

Cybersecurity risks could rise when outdated home routers stop getting manufacturer support, federal agents say. Devices from the late 2000s into the early 2010s often fall out of update cycles, leaving networks open. Without patches, vulnerabilities stay unaddressed - making intrusion more likely over time. Older models reaching end-of-life lack protection upgrades once available. This gap draws attention from officials tracking digital threats to household systems. 

Older network equipment often loses support as makers discontinue update releases. Once patching ends, weaknesses found earlier stay open indefinitely. Such gaps let hackers break in more easily. Devices like obsolete routers now attract criminals who deploy malicious code. Access at admin level gets seized without owners noticing. Infected machines may join hidden networks controlled remotely. Evidence shows law enforcement warning about these risks repeatedly. 

Built from hijacked devices, botnets answer to remote operators. These collections of infected machines frequently enable massive digital assaults. Instead of serving legitimate users, they route harmful data across the web. Criminals rely on them to mask where attacks originate. Through hidden channels, wrongdoers stay anonymous during operations. 

Back in 2011, Linksys made several routers later flagged as weak by the FBI. Devices like the E1200, E2500, and E4200 came under scrutiny due to security flaws. Earlier models also appear on the list - take the WRT320N, launched in 2009. Then there is the M10, hitting shelves a year after that one. Some routers come equipped with remote setup options, letting people adjust settings using web-connected interfaces. 

Though useful, such access may lead to problems if flaws are left unfixed. Hackers regularly search online for devices running open management ports, particularly ones stuck on old software versions. Hackers start by spotting weak routers, then slip through software gaps to plant harmful programs straight onto the machine. Once inside, that hidden code opens the door wide - giving intruders complete control while setting up secret talks with remote hubs. 

Sometimes, these taken devices ping those distant centers each minute, just to say they’re still online and waiting. Opened network ports on routers might let malware turn devices into proxies. With such access, attackers send harmful data across infected networks instead of launching attacks directly. Some even trade entry rights to third parties wanting to mask where they operate from. What makes router-based infections tricky is how hard they are to spot for most people. 

Since standard antivirus tools target laptops and phones, routers often fall outside their scope. Running within the router's own software, the malware stays hidden even when everything seems to work fine. The network keeps running smoothly, masking the presence of harmful code tucked deep inside. Older routers without regular updates become weak spots over time. 

Because of this, specialists suggest swapping them out. A modern replacement brings continued protection through active maintenance. This shift lowers chances of intrusions via obsolete equipment found in personal setups.
Read more »
Malware attacks
Cyber Attacks CyberSecurity Ransomware Attacks Finance Sector financial attack malicious PDF files Malware attacks

PDFSider Malware Used in Fortune 100 Finance Ransomware Attack

 

A Fortune 100 finance company was targeted by ransomware actors using a new Windows malware strain called PDFSider, built to quietly deliver malicious code during intrusions. Rather than relying on brute force, the attackers used social engineering, posing as IT support staff and convincing employees to launch Microsoft Quick Assist, enabling remote access. Resecurity researchers identified the malware during incident response, describing it as a stealth backdoor engineered to avoid detection while maintaining long-term control, with traits typically associated with advanced, high-skill intrusion activity. 

Resecurity previously told BleepingComputer that PDFSider had appeared in attacks connected to Qilin ransomware, but researchers emphasize it is not limited to a single group. Their threat hunting indicates the backdoor is now actively used by multiple ransomware operators as a delivery mechanism for follow-on payloads, suggesting it is spreading across criminal ecosystems rather than remaining a niche tool. 

The infection chain begins with spearphishing emails containing a ZIP archive. Inside is a legitimate, digitally signed executable for PDF24 Creator, developed by Miron Geek Software GmbH, paired with a malicious DLL named cryptbase.dll. Since the application expects that DLL, it loads the attacker’s version instead. This technique, known as DLL side-loading, allows the malicious code to execute under the cover of a trusted program, helping it evade security controls that focus on the signed executable rather than the substituted library.  
In some cases, attackers increase the likelihood of execution using decoy documents crafted to appear relevant to targets. One example involved a file claiming authorship from a Chinese government entity. Once launched, the malicious DLL inherits the same privileges as the legitimate executable that loaded it, increasing the attacker’s ability to operate within the system. 

Resecurity notes that while the EXE remains validly signed, attackers exploited weaknesses in the PDF24 software to load the malware and bypass EDR tools more effectively. The firm also warns that AI-assisted coding is making it easier for cybercriminals to identify and exploit vulnerable software at scale. After execution, PDFSider runs primarily in memory to reduce disk traces, using anonymous pipes to issue commands through CMD. 

Each infected device is assigned a unique identifier, system details are collected, and the data is exfiltrated to an attacker-controlled VPS through DNS traffic on port 53. For command-and-control security, PDFSider uses Botan 3.0.0 and encrypts communications with AES-256-GCM, decrypting inbound data only in memory to limit its footprint. It also applies AEAD authentication in GCM mode, a cryptographic approach commonly seen in stealthy remote shell backdoors designed for targeted operations. 

The malware includes anti-analysis checks such as RAM size validation and debugger detection, terminating early when it suspects sandboxing. Based on its behavior and design, Resecurity assesses PDFSider as closer to espionage-grade tradecraft than typical financially motivated ransomware tooling, built to quietly preserve covert access, execute remote commands flexibly, and keep communications protected.
Read more »
Malwares
Cyber Security GootLoader Malicious Codes Malicious Files Malware attacks Malwares

GootLoader Malware Uses Malformed ZIP Archives to Evade Detection

 

A fresh tactic has emerged among cybercriminals using GootLoader, a JavaScript-driven malware installer. Instead of standard compression, they now distribute broken ZIP files designed to slip past digital defenses. These flawed archives exploit differences across decompression programs - some fail to process them, others do so partially. This mismatch lets malicious code stay concealed during scans yet run normally when opened by users. Findings detailed by Expel show that inconsistent parsing logic in software plays right into attacker hands. Hidden scripts activate only when handled by specific tools found on typical machines. 

Starting with a strange structure, these harmful ZIP files combine around 500 to 1,000 smaller archives into one large package. Because of this layered setup, standard programs like WinRAR or 7-Zip cannot properly read them - tools often relied on during malware checks. Due to the confusion they create, automatic detection systems frequently skip examining what's inside. Yet, when opened through Windows’ own built-in decompression feature, the file works without issue. 

That smooth operation lets victims unknowingly unpack dangerous content. Since 2020, GootLoader has maintained a presence among cyber threats, primarily spreading via manipulated search results and deceptive online ads. People looking for official forms or corporate paperwork may unknowingly land on hacked WordPress sites offering infected files. These corrupted archives, once opened, trigger the payload delivery mechanism embedded within the software. Acting as a gateway tool, it paves the way for additional harmful programs - ransomware being one frequent outcome. 

The chain of infection begins quietly, escalating quickly under the radar. By late 2025, Expel researchers noticed subtle upgrades, showing how the attack method keeps shifting. Instead of just stacking archives, hackers shorten key metadata inside ZIP structures - especially tampering with the end of central directory entries. That tweak triggers failures in numerous analysis programs, yet files still open in Windows Explorer. 

Inside the package, unimportant sections get scrambled too, throwing off predictable reading patterns and making automated inspection harder. Researchers refer to this method as "hashbusting," delivering a distinct ZIP file to each target. Every time someone downloads it, differences in the archive's layout and data prevent standard hash checks from working. Even the JavaScript inside changes form with each instance. Detection systems relying on repeated patterns struggle as a result. 

 What makes the delivery hard to catch lies in its method. Rather than sending a typical ZIP archive, attackers transmit the malicious code as an XOR-encrypted flow of data, rebuilt only after reaching the target's browser. It grows by adding copies of itself over and over, expanding until it meets a specific volume - this skirts detection meant for compressed files. After launch, the script runs using built-in Windows tools, skipping any need to unpack completely, so the attack unfolds without drawing attention. 

Once active, it stays on the machine by placing shortcuts into the Windows Startup directory - then triggers further scripts through native utilities like cscript or PowerShell. From there, data collection begins: details about the system get pulled and sent back to distant servers that control the attack, setting up what comes next without delay. 

Although often overlooked, limiting access to built-in tools such as wscript.exe helps block common attack paths. Instead of running scripts automatically, setting systems to display code in basic viewers adds another layer of protection. As seen with GootLoader’s shifts over time, attackers now twist everyday OS functions into stealthy weapons, staying active even when defenses improve.
Read more »
Malwares
Booking.com Booking.com scam Cyber Attacks Cyber Phishing Fake Emails Malware attacks Malwares

PHALT#BLYX Malware Campaign Targets European Hotels With Fake Booking Emails

 

A fresh wave of digital threats emerged just after Christmas 2025, aimed squarely at European lodging spots. Instead of random attacks, it used clever email tricks made to look like they came from Booking.com. Staff members got messages that seemed urgent, nudging them to click without thinking twice. Once opened, hidden code slipped inside their systems quietly. That backdoor let attackers take control through software called DCRat. Behind the scenes, the whole scheme ran under the name PHALTBLYX. 

Research from Securonix shows the attack kicks off using fake emails made to look like Booking.com alerts. A supposed booking cancellation triggers the alert. Displayed boldly is a charge in euros - frequently more than €1,000. That sum aims straight at emotions, sparking alarm. Fear takes over, nudging people toward clicking before checking details. 

Clicking the “See Details” button sends people nowhere near Booking.com. A hidden detour happens first - through another web address entirely. Then comes a counterfeit site built to trick. There, a phony CAPTCHA pops up out of nowhere. After that, a fake Blue Screen appears like it is urgent. Words flash: fix this now by clicking here. Those clicks run harmful PowerShell scripts without warning. The whole chain relies on looking real until it is too late. 

Something begins before the main event - stages unfold slowly, one after another. A hidden rhythm runs through it all, tied to familiar parts of Windows, used in ways they were never meant to be. An XML file shows up without notice, slipped into place while no one watches. It looks harmless, built like a regular project for MSBuild.exe, which itself is real software from Microsoft. Instead of old tricks involving clunky HTML apps, attackers now twist everyday tools into something else. 

What seems ordinary might already be working against you. Normal actions become cover, hiding intent inside routine noise. A hidden DCRat program gets activated during execution. At the last step, a compressed .NET tool called staxs.exe unlocks its internal settings through advanced encryption like AES-256 paired with PBKDF2. To stay active across restarts, it drops a misleading Internet Shortcut into the Startup directory on Windows. After turning on, DCRat reaches out to several hidden servers, then checks what kind of machine it has landed on. Information about the software, settings, and person using the device gets gathered piece by piece. 

Remote operators gain complete control right after. Instead of running openly, it sneaks inside normal system tasks by reshaping them from within. That trick helps it stay put without drawing attention. Noticing clues in the code, experts link the operation to hackers who speak Russian. 

Built into everyday tools users trust, this malware plays on emotions while slipping past alarms. What stands out is how each step connects - carefully strung - to avoid detection. Staying hidden matters most, especially where guest data flows through open networks.
Read more »
Malwares
Cyber Attacks cyber theft data security GitHub GitHub Actions vulnerability GitHub malware Malware attacks Malwares

WebRAT Malware Spreads Through Fake GitHub Exploit Repositories

 

The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed security vulnerabilities. This marks a shift in the malware’s delivery strategy, as earlier campaigns relied on pirated software and cheats for popular games such as Roblox, Counter-Strike, and Rust. First identified at the beginning of the year, WebRAT operates as a backdoor that allows attackers to gain unauthorized access to infected systems and steal sensitive information, while also monitoring user activity. 

A report published by cybersecurity firm Solar 4RAYS in May detailed the scope of WebRAT’s capabilities. According to the findings, the malware can harvest login credentials for platforms including Steam, Discord, and Telegram, along with extracting data from cryptocurrency wallets. Beyond credential theft, WebRAT poses a serious privacy threat by enabling attackers to activate webcams and capture screenshots, exposing victims to covert surveillance. 

Since at least September, the threat actors behind WebRAT have expanded their tactics by creating GitHub repositories designed to appear legitimate. These repositories present themselves as exploit code for high-profile vulnerabilities that have received widespread media attention. Among the issues referenced are a Windows flaw that allows remote code execution, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and a Windows privilege escalation vulnerability that enables attackers to gain elevated system access. By exploiting public awareness of these vulnerabilities, the attackers increase the likelihood that developers and security researchers will trust and download the malicious files. 

Security researchers at Kaspersky identified 15 GitHub repositories linked to the WebRAT campaign. Each repository contained detailed descriptions of the vulnerability, explanations of the supposed exploit behavior, and guidance on mitigation. Based on the structure and writing style of the content, Kaspersky assessed that much of the material was likely generated using artificial intelligence tools, adding to the appearance of legitimacy. The fake exploits are distributed as password-protected ZIP archives containing a mix of decoy and malicious components. 

These include empty files, corrupted DLLs intended to mislead analysis, batch scripts that form part of the execution chain, and a dropper executable named rasmanesc.exe. Once launched, the dropper elevates system privileges, disables Windows Defender, and downloads the WebRAT payload from a hardcoded remote server, enabling full compromise of the system.  

Kaspersky noted that the WebRAT variant used in this campaign does not introduce new features and closely resembles previously documented samples. Although all identified malicious repositories have been removed from GitHub, researchers warn that similar lures could resurface under different names or accounts. 

Security experts continue to advise that exploit code from unverified sources should only be tested in isolated, controlled environments to reduce the risk of infection.
Read more »
Malwares
Cyber Attacks CyberCrime DanaBot Malicious Backdoor Malicious Mails Malware attacks Malwares

DanaBot Malware Resurfaces With New Variant After Operation Endgame Disruption

 

Despite a coordinated international takedown earlier this year, the DanaBot malware has returned with a newly upgraded version, signaling yet another resurgence of a threat that has repeatedly evaded permanent shutdown. The fresh discovery comes roughly six months after law enforcement agencies crippled the malware’s network during Operation Endgame, a global effort that announced infrastructure seizures and criminal indictments in May. Researchers at Zscaler ThreatLabz now report that DanaBot is once again circulating in attacks, with a rebuilt architecture designed for persistence and continued financial gain. 

The latest version, identified as DanaBot 669, introduces a command-and-control system based on Tor hidden services and “backconnect” nodes. By routing malicious communication through .onion domains, the operators create a layer of anonymity that makes tracking and disruption significantly more difficult. Zscaler’s analysis also uncovered several active cryptocurrency wallet addresses linked to the campaign, spanning Bitcoin, Ethereum, Litecoin, and TRON, which the attackers are using to collect stolen funds from victims. 

DanaBot first emerged several years ago when researchers at Proofpoint revealed it as a Delphi-written banking trojan delivered largely through phishing emails and malvertising lures. Its creators adopted a malware-as-a-service model, renting out access to cybercriminal groups who used it to harvest credentials from online banking sessions. Over time, the malware evolved into a modular system capable of functioning as both an information stealer and a loader, extracting stored browser data — including crypto wallet details — and enabling follow-on payloads such as ransomware. 

Although Operation Endgame temporarily slowed activity, it did not eliminate the malware’s core operators. Threat actors simply paused long enough to rebuild infrastructure and adapt their tactics. During this downtime, many initial access brokers shifted toward other malware families, but the financial motivation behind DanaBot ensured its eventual revival. Its steady reappearance in campaigns since 2021 has shown that as long as cybercrime remains profitable, disruptions are rarely permanent.

Zscaler warns that current DanaBot campaigns employ familiar distribution methods. Malicious email attachments and links continue to be the main infection route, while SEO poisoning and deceptive online advertisements also lure victims into executing the malware. Some infections have been linked to wider incidents involving ransomware deployments, demonstrating the tool’s ongoing role in larger criminal ecosystems. 

Organizations can reduce exposure by updating security tools and blocking newly published indicators of compromise from Zscaler’s latest intelligence. The return of DanaBot highlights a recurring cybersecurity reality: even major law enforcement actions cannot fully dismantle financially driven malware operations when key actors remain at large.
Read more »
Malwares
Cybersecurity Breach Data Breach data security Data Stolen Google Pixel Malware attacks Malwares

Pixnapping Malware Exploits Android’s Rendering Pipeline to Steal Sensitive Data from Google and Samsung Devices

 

Cybersecurity researchers have revealed a new Android malware attack called Pixnapping, capable of stealing sensitive information from Google and Samsung smartphones without any user interaction. The name “Pixnapping” blends “pixel” and “snapping,” referring to how the malware stealthily extracts visual data pixel by pixel from targeted apps. 

When a user installs an app laced with the Pixnapping malware, it silently scans the device for other apps to spy on—such as Google Authenticator. Instead of opening the target app directly, the malware leverages the Android rendering pipeline to intercept the visual data being displayed. It then analyzes the color and content of individual pixels in areas known to display confidential information, like two-factor authentication (2FA) codes. By interpreting these pixels, the malware reconstructs the original data—essentially taking “invisible screenshots” of protected content without ever triggering normal app permissions. 

According to researchers, three flaws in Android’s design enable Pixnapping. First, apps can invoke another app’s activity through the rendering pipeline, which allows unauthorized access to refresh sensitive screens. Second, Android permits graphical operations to be performed on another app’s displayed content. Third, apps can detect pixel color changes during these operations, revealing the hidden visual data. 

Tests confirmed Pixnapping’s success across several devices, including the Pixel 6, 7, 8, and 9, as well as the Samsung Galaxy S25, running Android versions 13 through 16. The malware’s efficiency varied across devices, achieving success rates between 29% and 73% on Pixel models. On the Galaxy S25, however, researchers couldn’t extract 2FA codes before they expired. The attack was also demonstrated on apps and services such as Gmail, Signal, Venmo, Google Accounts, and Google Maps—indicating that Pixnapping could potentially expose emails, encrypted messages, payment data, and location histories. 

The vulnerability is tracked as CVE-2025-48561. While Google has issued an initial patch, researchers found ways to bypass it, prompting Google to develop a stronger fix expected in the December Android security update.  

Fortunately, Pixnapping has not been detected in active attacks yet. Still, experts urge users to stay vigilant by updating their devices with the latest security patches and downloading apps only from verified marketplaces such as the Google Play Store. Even then, users should double-check app details to ensure authenticity and avoid sideloading unverified applications. 

Pixnapping underscores a critical flaw in Android’s visual data handling and highlights the growing sophistication of modern mobile malware. Until Google delivers a complete patch, maintaining cautious download habits and prompt software updates remains the best defense.
Read more »
North Korea cyberattacks
cyberattacks trending news malware Malware attacks News North Korea North Korea Hackers North Korea cyberattacks

North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

 

A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection Measures for Organizations Given the growing sophistication of such campaigns, security experts recommend several protective steps: 

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.
Read more »
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
personal data leak
Data Breach Data Leak data security Data stealing malware Database Breach Infostealer Infostealer Malware Login Credentials Login Security Malware attacks personal data leak

Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

 

A recent investigation by Cybernews has uncovered a staggering 30 separate online datasets containing approximately 16 billion stolen login credentials from services including Apple, Google, and Facebook. These data dumps, discovered through open sources, appear to be the result of large-scale malware attacks that harvested user information through infostealers. 

Each dataset contains a URL alongside usernames and passwords, suggesting that malicious software was used to collect login details from infected devices. While some overlap exists among the records, the overall size and spread of the leak make it difficult to determine how many unique users have been compromised. 

Except for one dataset previously identified by cybersecurity researcher Jeremiah Fowler—which included over 185 million unique credentials—most of the remaining 29 databases had not been publicly reported before. These leaked collections are often only temporarily available online before being removed, but new compilations are regularly uploaded, often every few weeks, with fresh data that could be weaponized by cybercriminals. The exact sources and individuals behind these leaks remain unknown. 

To avoid falling victim to similar malware attacks, experts advise staying away from third-party download platforms, especially when obtaining software for macOS. Users are encouraged to download apps directly from the Mac App Store or, if not available there, from a developer’s official website. Using cracked or pirated software significantly increases the risk of malware infection. 

Phishing scams remain another common threat vector. Users should be cautious about clicking on links in unsolicited emails or messages. Even if a message appears to come from a trusted company, it’s vital to verify the sender’s address and inspect URLs carefully. You can do this by copying the link and pasting it into a text editor to see its actual destination before clicking. 

To reduce the chance of visiting malicious sites, double-check the spelling of URLs typed manually and consider bookmarking commonly used sites. Alternatively, using a search engine and clicking on verified results can reduce the risk of visiting typo-squatting domains. 

If you suspect your credentials may have been compromised, take immediate action. Start by updating passwords on any affected services and enabling two-factor authentication for added security. It’s also wise to check your financial statements for unauthorized activity and consider placing a freeze on your credit file to prevent fraudulent account openings. 

Additionally, tools like Have I Been Pwned can help verify if your email address has been part of a known breach. Always install the latest system and app updates, as they often include crucial security patches. Staying current with updates is a simple but effective defense against vulnerabilities and threats.
Read more »
phishing
CAPTCHA CAPTCHA Security Cyber Attacks cybercriminals Fake Captcha Hacker attack Hackers Malware attacks phishing

Fake CAPTCHAs Are the New Trap: Here’s How Hackers Are Using Them to Install Malware

 

For years, CAPTCHAs have been a familiar online hurdle—click a box, identify a few blurry images, and prove you’re human. They’ve long served as digital gatekeepers to help websites filter out bots and protect against abuse. But now, cybercriminals are turning this trusted security mechanism into a tool for deception. Security researchers are sounding the alarm over a growing threat: fake CAPTCHAs designed to trick users into unknowingly installing malware. 

These phony tests imitate the real thing, often appearing as pop-up windows or embedded verification boxes on compromised websites. At first glance, they seem harmless—just another quick click on your way to a webpage. But a single interaction can trigger a hidden chain reaction that compromises your device. The tactic is subtle but effective. By replicating legitimate CAPTCHA interfaces, attackers play on instinct. Most users are conditioned to complete CAPTCHAs without much thought. That reflexive click becomes the entry point for malicious code. 

One reported incident involved a prompt asking users to paste a code into the Windows Run dialog—an action that launched malware installation scripts. Another campaign tied to the Quakbot malware family used similar deception, embedding CAPTCHAs that initiated background downloads and executed harmful commands with a single click. These attacks, often referred to as ClickFix CAPTCHA scams, are a form of social engineering—a psychological manipulation tactic hackers use to exploit human behavior. 

In this case, attackers are banking on your trust in familiar security prompts to lower your guard. The threat doesn’t stop at just fake clicks. Some CAPTCHAs redirect users to infected web pages, while others silently copy dangerous commands to the clipboard. In the worst cases, users are tricked into pressing keyboard shortcuts that launch Windows PowerShell, allowing attackers to run scripts that steal data, disable security software, or hijack system functions. 

Experts warn that this method is particularly dangerous because it blends in so well with normal browsing activity. Unlike more obvious phishing scams, fake CAPTCHA attacks don’t rely on emails or suspicious links—they happen right where users feel safe: in their browsers. To defend against these attacks, users must remain skeptical of CAPTCHAs that ask for more than a simple click. 

If a CAPTCHA ever requests you to enter text into system tools, press unusual key combinations, or follow unfamiliar instructions, stop immediately. Those are red flags. Moreover, ensure you have reliable antivirus protection installed and keep your browser and operating system updated. Visiting lesser-known websites? Use an ad blocker or security-focused browser extension to reduce exposure to malicious scripts. 

As CAPTCHA-based scams grow more sophisticated, digital vigilance is your best defense. The next time you’re asked to “prove you’re not a robot,” it might not be your humanity being tested—but your cybersecurity awareness.
Read more »
Malwares
Cyber Attacks cybercriminals data security Data Theft Hackers Infostealer Infostealer Malware Malware attacks Malwares

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. Hackers distribute infostealer malware through multiple channels, making it a widespread threat. 

Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.
Read more »
Malwares
browser credential theft Browser Extension Cyber Attacks Login Credentials Malicious Browser Extension Malware attacks Malwares

New Malware Impersonates Browser Extensions to Steal Login Credentials

 

Cybercriminals are continually evolving their tactics to evade antivirus detection and trick users into installing malicious software. One of the latest threats involves malware that impersonates legitimate browser extensions, allowing attackers to steal login credentials while remaining undetected. Although this discovery is concerning, researchers have identified the vulnerability before it could be widely exploited, giving security teams time to respond. 

According to a report by SquareX Labs, this attack starts with scammers developing seemingly useful browser extensions, such as an AI-powered transcription tool. To avoid malware detection, they distribute the extension outside official platforms like the Chrome Web Store or Google Play. Users are then encouraged to pin the extension for easy access, allowing it to quietly monitor their browsing habits over time. 

Once installed, the malicious extension collects data on the user’s existing extensions, particularly those used for handling sensitive information, such as password managers. When the right opportunity arises, it disables the legitimate extension and replaces its icon with an identical version. If the user attempts to access their password manager, they unknowingly interact with the fake extension instead. 

To further deceive users, the fraudulent extension displays a message stating that their session has expired, requiring them to log in again. However, rather than accessing their accounts, victims unknowingly submit their credentials directly to cybercriminals. With this information, attackers can break into password vaults, gaining access to sensitive data, stored passwords, and linked accounts. This method is particularly dangerous because it exploits trust in well-known extensions. 

Unlike traditional phishing attempts, which rely on fake websites or deceptive emails, this attack leverages the user’s own browser environment, making it harder to detect. Victims may not realize they’ve been compromised until they notice unauthorized activity on their accounts. Despite the sophistication of this attack, there is no immediate reason for panic. Security researchers identified the exploit before cybercriminals could widely deploy it, and browser developers have been alerted to the risk. 

However, this incident underscores the importance of practicing good cybersecurity habits. Users should only install browser extensions from trusted sources like the Chrome Web Store, avoid third-party downloads, and check reviews before installation. 

Additionally, enabling multi-factor authentication (MFA) on important accounts can provide an extra layer of security, reducing the risk of credential theft. As cyber threats continue to evolve, staying informed and cautious about software installations remains crucial to maintaining online security.
Read more »
Mobile Malware
Bank Information Security Cyber Attacks data security Data Theft Fake Apps Malicious Apps Malware attacks Mobile Malware

Massive Mobile Malware Campaign Targets Indian Banks, Steals Financial Data

 

Zimperium's zLabs research team has uncovered a significant mobile malware campaign that targets Indian banks. First reported on February 5, 2025, this threat was orchestrated by a threat actor called FatBoyPanel. Nearly 900 malware samples are used in the campaign, which is distributed via WhatsApp and uses malicious apps that impersonate banking or government apps to steal private and sensitive financial data from unsuspecting users.  

Once installed, the malicious apps steal the users data, such as credit and debit card information, ATM PINs, Aadhaar card details, PAN card numbers, and mobile banking information. Additionally, the malware uses sophisticated stealth techniques to conceal itself and avoid detection or removal by intercepting SMS messages that contain OTPs. 

By using the reputation and legitimacy of Indian banks and government agencies to trick users into thinking the apps are authentic, this cyberattack is a clear illustration of how threat actors have advanced to a new level. These cybercriminals are deceiving users into downloading malicious apps intended to drain accounts and compromise sensitive data by posing as trustworthy organizations. 

Upon closer examination, the malware can be divided into three different types: hybrid, firebase-exfiltration, and SMS forwarding. Different exfiltration techniques are used by each variant to steal confidential information. By employing live phone numbers to intercept and reroute SMS messages in real time, these Trojan Bankers go beyond standard attacks. By hiding its icon, the malware makes itself even more difficult to remove. 

According to a Zimperium report, more than 1,000 malicious applications were created with the intention of stealing banking credentials. An estimated 50,000 victims were impacted by the campaign, which revealed 2.5GB of financial and personal data kept in 222 unprotected Firebase buckets. Attackers have been able to trick users into divulging extremely sensitive information by using phony government and banking apps that are distributed via WhatsApp. 

This breach has serious repercussions, including the possibility of identity theft, financial loss, and privacy violations for impacted users. In order to assist authorities in locating the cybercriminals responsible for FatBoyPanel, Zimperium has shared the gathered data with them. Users should use security software to identify and eliminate malware, update their devices frequently, and refrain from downloading apps from unidentified sources in order to protect themselves. 

On Thursday, Feb. 20, Zimperium, the global leader in mobile security, will release new research highlighting the evolving landscape of mobile phishing attacks.

As organizations increasingly rely on mobile devices for business operations including BYOD, multi-factor authentication, cloud applications, and mobile-first workflows, mobile phishing is becoming one of the most severe threats to enterprise security. Adversaries are exploiting security gaps in mobile and cloud-based business applications, expanding the attack surface and increasing exposure to credential theft and data compromise.

Zimperium’s latest research provides a data-driven look at how attackers are evolving their tactics to evade detection and why businesses must rethink their security strategies to stay ahead. 

Key findings from the report include: Mishing surge: Activity peaked in August 2024, with over 1,000 daily attack records. Smishing (SMS/text based phishing) attacks dominate globally with 37% in India, 16% in the U.S., and 9% in Brazil. Quishing (QR code phishing) is gaining traction, with notable activity in Japan (17%), the U.S. (15%), and India (11%). Stealthy phishing techniques: 3% of phishing sites use device-specific detection to display harmless content on desktops while delivering malicious phishing payloads exclusively to mobile users. Zimperium’s research emphasizes that traditional anti-phishing solutions designed for desktops are proving inadequate against this shift, making mobile threat defense a critical necessity for organizations worldwide.

The FatBoyPanel campaign emphasizes the need for increased vigilance in an increasingly digital world and the increasing sophistication of cyber threats. Keeping up with online security best practices is crucial to reducing risks and protecting financial and personal information as cybercriminals improve their tactics.
Read more »
Ransomwares
Cyber Security Cyber Security Vendor macOS MacOS Malware Malware attacks MITRE MITRE ATT&CK Ransomwares

MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions

 

MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in the detection of false positives and distinguishing between benign and malicious activities. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges faced by the industry in keeping up with evolving threats.

MacOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Read more »
Malware attacks
AI generated Deepfake AI tools Cyber Attacks data security Data Theft Fake Apps Information Security Malware attacks

Meeten Malware Targets Web3 Workers with Crypto-Stealing Tactics

 


Cybercriminals have launched an advanced campaign targeting Web3 professionals by distributing fake video conferencing software. The malware, known as Meeten, infects both Windows and macOS systems, stealing sensitive data, including cryptocurrency, banking details, browser-stored information, and Keychain credentials. Active since September 2024, Meeten masquerades as legitimate software while compromising users' systems. 
 
The campaign, uncovered by Cado Security Labs, represents an evolving strategy among threat actors. Frequently rebranded to appear authentic, fake meeting platforms have been renamed as Clusee, Cuesee, and Meetone. These platforms are supported by highly convincing websites and AI-generated social media profiles. 
 
How Victims Are Targeted:
  • Phishing schemes and social engineering tactics are the primary methods.
  • Attackers impersonate trusted contacts on platforms like Telegram.
  • Victims are directed to download the fraudulent Meeten app, often accompanied by fake company-specific presentations.

Key behaviors include:
  • Escalates privileges by prompting users for their system password via legitimate macOS tools.
  • Displays a decoy error message while stealing sensitive data in the background.
  • Collects and exfiltrates data such as Telegram credentials, banking details, Keychain data, and browser-stored information.
The stolen data is compressed and sent to remote servers, giving attackers access to victims’ sensitive information. 
 
Technical Details: Malware Behavior on Windows 

On Windows, the malware is delivered as an NSIS file named MeetenApp.exe, featuring a stolen digital certificate for added legitimacy. Key behaviors include:
  • Employs an Electron app to connect to remote servers and download additional malware payloads.
  • Steals system information, browser data, and cryptocurrency wallet credentials, targeting hardware wallets like Ledger and Trezor.
  • Achieves persistence by modifying the Windows registry.
Impact on Web3 Professionals 
 
Web3 professionals are particularly vulnerable as the malware leverages social engineering tactics to exploit trust. By targeting those engaged in cryptocurrency and blockchain technologies, attackers aim to gain access to valuable digital assets. Protective Measures:
  1. Verify Software Legitimacy: Always confirm the authenticity of downloaded software.
  2. Use Malware Scanning Tools: Scan files with services like VirusTotal before installation.
  3. Avoid Untrusted Sources: Download software only from verified sources.
  4. Stay Vigilant: Be cautious of unsolicited meeting invitations or unexpected file-sharing requests.
As social engineering tactics grow increasingly sophisticated, vigilance and proactive security measures are critical in safeguarding sensitive data and cryptocurrency assets. The Meeten campaign underscores the importance of staying informed and adopting robust cybersecurity practices in the Web3 landscape.
Read more »
Microsoft
cybercriminals Hacking malware Malware attacks Microsoft

Hackers Exploit Visual Studio Code as a Remote Access Tool, Researchers Find

 

In a new wave of cyberattacks, hackers are using Microsoft’s Visual Studio Code (VSCode) as a remote access tool to gain unauthorized entry into computers, according to Cyble Research and Intelligence Labs. Visual Studio, a popular integrated development environment (IDE) for app development on the .NET framework, supports languages like C#, VB.NET, and C++. 

While the tool is widely used for legitimate purposes, cybercriminals have now found a way to exploit it for malicious activities. The attack begins with a seemingly harmless file, a malicious “.LNK” shortcut, which is likely spread through spam emails. Once opened, the file displays a fake “Installation Successful” message in Chinese. 

In the background, however, it secretly downloads a Python package named “python-3.12.5-embed-amd64.zip” and creates a directory on the target system. This malicious file then executes an obfuscated Python script (update.py) from the online source paste[.]ee, which was not detected by the VirusTotal scanning service. 

To maintain access, the malware sets up a scheduled task, “MicrosoftHealthcareMonitorNode,” which runs every four hours or when the computer starts, using SYSTEM-level privileges. If the system does not have VSCode already installed, the malware fetches the Visual Studio Code Command Line Interface (CLI) from Microsoft’s servers. 

This tool is then used to open a remote tunnel that enables the attackers to generate an 8-character activation code, giving them unauthorized remote access to the victim’s computer. Once access is established, the malware gathers sensitive system information, such as data from critical directories, running processes, user details, and even geographical locations. 

With this, hackers can fully control the victim’s machine, accessing files, directories, and the terminal. This discovery highlights the growing sophistication of cyberattacks and emphasizes the need for vigilance, especially with common developer tools like VSCode. Users are advised to be cautious of unexpected email attachments and ensure their systems are protected against such threats.
Read more »
Web Community
Cyber Attacks CyberCrime Cybersecurity efvt Malware attacks Microsoft Office Netskope Phishing Attacks QR code Quishing Quishing Campaign URL Web Community

Quishing Scams Exploit Microsoft Sway Platform

 


It has been discovered that a new phishing campaign is being run using Microsoft Sway, which has been found by researchers. A series of attacks have been called the "Quishing" campaign to describe what is happening. The practice of "squishing" is a form of phishing that uses QR codes to lead people to malicious websites. An example of Quishing is embedding malicious URLs into a QR code to commit phishing. 

A few groups of victims in Asia and North America are primarily focusing on the campaign. In late December, researchers noticed that an unexpected spike in traffic to unique Microsoft Sway phishing pages arose as a result of a campaign called "quishing," which targeted Microsoft Office credentials.  As defined by Netskope Threat Labs, quishing is essentially phishing to trick users into opening malicious pages by presenting them with QR codes, which are commonly used in many forms of phishing. 

According to a spokesperson for the campaign, the campaign mainly targets victims in Asia and North America, across multiple industries such as the technology, manufacturing, and finance sectors. A researcher from the University of California, Davis, reported that "attackers instruct their victims to scan QR codes with their mobile devices, in the hope that these portable devices do not possess the strict security measures found on corporate-issued devices," according to an article written by the researchers. 

This QR phishing campaign utilizes two techniques that have been discussed in previous articles: transparent phishing in conjunction with Cloudflare Turnstile" Those who operate phishing websites use Cloudflare Turnstile to ensure that their malicious websites are protected from static analysis tools so that they can hide their malicious payloads, prevent web filtering providers from blocking their domains, and maintain a clean reputation among the web community. 

This is known as an attack-in-the-middle phishing technique, which is more sophisticated than traditional phishing techniques. The attackers not only attempt to gain access to the victims' credentials but also attempt to log them into the legitimate service using those credentials, bypassing multi-factor authentication, so they can steal sensitive tokens or cookies which can be used to gain further unauthorized access to the system. 

This is a massive QR code phishing campaign, which abused Microsoft Sway, a cloud-based tool for creating presentations online, to create landing pages that scammed Microsoft 365 users into handing over their credentials in exchange for money. According to Netskope Threat Labs, these attacks were spotted in July 2024 after detecting an increase of 2,000-fold in attacks exploiting Microsoft Sway to host phishing pages that allegedly steal access credentials for Microsoft 365 accounts. 

Interestingly, this surge of activity dates back to the first half of the year when minimal activity was reported. So, it comes as no surprise that this campaign has been so widespread. Essentially, they were interested in targeting users in Asia and North America, concentrating primarily on the technology, manufacturing, and finance sectors, which were the most likely to present themselves to them. A free application, called Sway, is available in Microsoft 365 for anyone with a Microsoft account who has a Microsoft account. 

Attackers, however, utilize this open access as an opportunity to fool users by misrepresenting them as legitimate cloud applications, thus defrauding them of the money they are paid to use them. Furthermore, Sway is accessed once an individual logs into their Microsoft 365 account, adding a layer of legitimacy to the attack, since it is accessible once the victim has already logged into the account, thus increasing the chances of them opening malicious links. 

Netskope Threat Labs identified a new QR code phishing campaign in July 2024, marking a significant development in cyber threats. This campaign primarily targets victims in Asia and North America, affecting various sectors, including manufacturing, technology, and finance. Cybercriminals employ diverse sharing methods, such as email, links, and social media platforms like Twitter, to direct users to phishing pages hosted on the sway. cloud.Microsoft domain. 

Once on these pages, victims are prompted to scan QR codes that subsequently lead them to malicious websites. Microsoft Sway, a platform known for its versatility, has been exploited in the past for phishing activities. Notably, five years ago, the PerSwaysion phishing campaign leveraged Microsoft Sway to target Office 365 login credentials. This campaign, driven by a phishing kit offered through a malware-as-a-service (MaaS) operation, was uncovered by Group-IB security researchers.

The attacks deceived at least 156 high-ranking individuals within small and medium-sized financial services companies, law firms, and real estate groups. The compromised accounts included those of executives, presidents, and managing directors across the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore. This escalation in phishing tactics highlights the ongoing battle between cybercriminals and cybersecurity professionals, where each defensive measure is met with a corresponding offensive innovation. 

The need for a comprehensive approach to cybersecurity has never been more apparent, as malicious actors continue to exploit seemingly innocuous technologies for nefarious purposes. With the rising popularity of Unicode QR code phishing techniques, security experts emphasize the importance of enhancing detection capabilities to analyze not just images but also text-based codes and other unconventional formats used to deceive users and infiltrate systems. This sophisticated phishing method underscores the continuous vigilance required to safeguard digital environments against increasingly cunning cyber threats.
Read more »
Subscribe to: Comments (Atom)