Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
unauthorised access
browser data Credential Theft Cybersecurity Google Infostealer malware Sensitive data Storm unauthorised access

New Malware “Storm” Steals Browser Data and Hijacks Sessions Without Passwords

 



A newly identified infostealer called Storm has emerged on underground cybercrime forums in early 2026, signalling a change in how attackers steal and use credentials. Priced at under $1,000 per month, the malware collects browser-stored data such as login credentials, session cookies, and cryptocurrency wallet information, then covertly transfers the data to attacker-controlled servers where it is decrypted outside the victim’s system.

This change becomes clearer when compared to earlier techniques. Traditionally, infostealers decrypted browser credentials directly on infected machines by loading SQLite libraries and accessing local credential databases. Because of this, endpoint security tools learned to treat such database access as one of the strongest indicators of malicious activity.

The approach began to break down after Google Chrome introduced App-Bound Encryption in version 127 in July 2024. This mechanism tied encryption keys to the browser environment itself, making local decryption exponentially more difficult. Initial bypass attempts relied on injecting into browser processes or exploiting debugging protocols, but these techniques still generated detectable traces.

Storm avoids this entirely by skipping local decryption. Instead, it extracts encrypted browser files and quietly sends them to attacker infrastructure, removing the behavioural signals that endpoint tools typically rely on. It extends this model by supporting both Chromium-based browsers and Gecko-based browsers such as Firefox, Waterfox, and Pale Moon, whereas tools like StealC V2 still handle Firefox data locally.

The data collected includes saved passwords, session cookies, autofill entries, Google account tokens, payment card details, and browsing history. This combination gives attackers everything required to rebuild authenticated sessions remotely. In practice, a single compromised employee browser can provide direct access to SaaS platforms, internal systems, and cloud environments without triggering any password-based alerts.

Storm also automates session hijacking. Once decrypted, credentials and cookies appear in the attacker’s control panel. By supplying a valid Google refresh token along with a geographically matched SOCKS5 proxy, the platform can silently recreate the victim’s active session.

This technique aligns with earlier research by Varonis Threat Labs. Its Cookie-Bite study showed that stolen Azure Entra ID session cookies can bypass multi-factor authentication, granting persistent access to Microsoft 365. Similarly, its SessionShark analysis demonstrated how phishing kits intercept session tokens in real time to defeat MFA protections. Storm packages these methods into a commercial subscription service.

Beyond credentials, the malware collects files from user directories, extracts session data from applications like Telegram, Signal, and Discord, and targets cryptocurrency wallets through browser extensions and desktop applications. It also gathers system information and captures screenshots across multiple monitors. Most operations run in memory, reducing the likelihood of detection.

Its infrastructure design adds resilience. Operators connect their own virtual private servers to Storm’s central system, routing stolen data through infrastructure they control. This setup limits the impact of takedowns, as enforcement actions are more likely to affect individual operator nodes rather than the core service.

Storm supports multi-user operations, allowing teams to divide responsibilities such as log access, malware build generation, and session restoration. It also automatically categorises stolen credentials by service, with visible rules for platforms including Google, Facebook, Twitter/X, and cPanel, helping attackers prioritise targets.

At the time of analysis, the control panel displayed 1,715 log entries linked to locations including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. While it is unclear whether all entries represent real victims or test data, variations in IP addresses, internet service providers, and data volumes suggest ongoing campaigns.

The logs include credentials associated with platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com. Such information often feeds into underground credential marketplaces, enabling account takeovers, fraud, and more targeted intrusions.

Storm is offered through a tiered pricing model: $300 for a seven-day trial, $900 per month for standard access, and $1,800 per month for a team licence supporting up to 100 operators and 200 builds. Use of an additional crypter is required. Notably, once deployed, malware builds continue operating even after a subscription expires, allowing ongoing data collection.

Security researchers view Storm as part of a broader evolution in credential theft. By shifting decryption to remote servers, attackers avoid detection mechanisms designed to identify on-device activity. At the same time, session cookie theft is increasingly replacing password theft as the primary objective.

The data collected by such tools often marks the beginning of further attacks, including logins from unusual locations, lateral movement within networks, and unauthorised access patterns.


Indicators of compromise include:

Alias: StormStealer

Forum ID: 221756

Registration date: December 12, 2025

Current version: v0.0.2.0 (Gunnar)

Build details: Developed in C++ (MSVC/msbuild), approximately 460 KB in size, targeting Windows systems


This advent of Storm underlines how cybercriminal tools are becoming more advanced, automated, and difficult to detect, requiring organisations to strengthen monitoring of sessions, user behaviour, and access patterns rather than relying solely on traditional credential protection methods.


Read more »
VS Code extension compromise
Checkmarx supply chain attack Docker Hub malware KICS vulnerability malware MOVEitm VS Code extension compromise

Malicious Docker Images and VS Code Extensions Linked to Checkmarx Supply Chain Attack

 

Cybersecurity experts have raised alarms over compromised container images discovered in the official “checkmarx/kics” repository on Docker Hub, signaling a significant supply chain security incident.

According to a newly released advisory from software supply chain security firm Socket, unidentified attackers managed to tamper with existing image tags such as v2.1.20 and alpine. They also introduced a suspicious v2.1.21 tag that does not align with any legitimate release. At the time of reporting, the affected Docker repository has been archived.

"Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version," Socket said.

"The malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."

Further investigation revealed that the compromise extended beyond Docker images to developer tools associated with Checkmarx. Certain versions of Microsoft Visual Studio Code extensions were found to contain malicious code capable of downloading and executing a remote add-on using the Bun runtime.

"The behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hard-coded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification," Socket added.

Affected extensions include cx-dev-assist (versions 1.17.0 and 1.19.0) and ast-results (versions 2.63.0 and 2.66.0).

These compromised extensions deploy a multi-stage malware component designed to steal credentials. Once activated, the extensions download a file named “mcpAddon.js” from GitHub, disguising it as a legitimate Model Context Protocol (MCP) feature.

"The attacker began by injecting a backdated commit (68ed490b) into the 'Checkmarx/ast-vscode-extension' repository," Socket said. "This commit was deliberately crafted to appear legitimate: it was spoofed to look like it was authored in 2022, attached to a real commit as its parent, and given a benign-looking change. However, it introduced a large (~10MB) file, modules/mcpAddon.js."

The malware is capable of harvesting sensitive data, including GitHub tokens, AWS credentials, Azure authentication tokens, Google Cloud credentials, SSH keys, environment variables, and configuration files. This information is then compressed, encrypted, and exfiltrated to attacker-controlled GitHub repositories created using stolen credentials.

In addition, the attack chain sends stolen secrets to a remote server at “audit.checkmarx[.]cx/v1/telemetry.” Investigators identified at least 51 repositories containing exfiltrated data labeled under “Checkmarx Configuration Storage.”

The tampered Docker images were also found to include a malicious Golang-based ELF binary masquerading as the legitimate KICS scanner, performing similar data exfiltration activities.

Notably, attacker-created repositories followed a consistent naming convention and began appearing on April 22, 2026. The campaign demonstrates advanced techniques, including injecting malicious GitHub Actions workflows to capture CI/CD secrets. These workflows are automatically triggered and later removed to evade detection.

"It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run as an artifact, and uses stolen npm credentials to identify writable packages for downstream republishing," the company explained. "In effect, the operation was designed not just to steal data from infected environments, but to turn compromised developer and CI/CD access into new exfiltration and supply chain propagation paths."

The attackers further expanded their reach by exploiting npm credentials to republish up to 250 compromised packages, effectively turning the campaign into a self-propagating supply chain attack.

Organizations that used the affected KICS images to scan infrastructure configurations such as Terraform, CloudFormation, or Kubernetes are advised to treat all exposed secrets as compromised.

"The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels," the company noted.

Evidence points to a threat actor known as TeamPCP as a possible culprit. The group hinted at involvement in a social media post shortly after the incident became public. If confirmed, this would mark the second attack targeting Checkmarx within a short span, following a similar breach in March 2026 involving compromised GitHub Actions workflows.

The exact method of the breach remains unclear. "Technical evidence shows the attacker had write access to Checkmarx repos between March and April, but we cannot determine from artifacts alone whether this was retained access, re-compromise, or unremediated credentials," Socket told The Hacker News. "The orphaned commit technique suggests sustained repo access."

Security experts recommend immediate remediation steps, including removing affected components, rotating credentials, auditing repositories and workflows, and monitoring cloud environments for suspicious activity.

In response, Checkmarx confirmed it is actively investigating the issue and stated that versions released prior to the affected timeframe remain secure. The company has removed malicious artifacts, rotated credentials, blocked attacker infrastructure, and advised users to rely only on verified safe versions.

"To date, we have removed the malicious artifacts, revoked and rotated exposed credentials, blocked outbound access to attacker-controlled infrastructure, reviewed our environments for any signs of further compromise," Checkmarx told The Hacker News.
Read more »
Omnistealer
Crypto Hacking fake job scams GitHub malware lockchain malware malware North Korean Hackers Omnistealer

Hidden in Plain Sight: Blockchain-Based ‘Omnistealer’ Malware Spreads via Fake Job Offers

 

kWhat began as a seemingly routine freelance opportunity quickly unraveled into a major cybersecurity discovery. Last year, the vice president of engineering at blockchain analytics firm Crystal Intelligence received a LinkedIn message offering web development work. Suspicious of the approach—given the rise of scams tied to fake job offers—he investigated further and uncovered something alarming.

The assignment required running code hosted on GitHub. On closer inspection, the code concealed the early stages of a sophisticated cyberattack. Designed to appear harmless, it could easily deceive developers into executing it as part of routine contract work.

Once activated, the code connects to blockchain networks such as TRON and Aptos, extracting data that points toward the Binance Smart Chain. From there, an additional payload is retrieved. According to Nick Smart, Crystal Intelligence’s chief intelligence officer, this final stage “fetches the final form—malicious code,” enabling extensive data theft from infected systems.

Cybersecurity experts at Ransom-ISAC, a collaborative group of global researchers, have named this malware “Omnistealer.” Its capabilities are vast. “It literally steals everything,” said Ellis Stannard, a core member of the group. Their analysis revealed compatibility with over 60 cryptocurrency wallets, including MetaMask and Coinbase, as well as numerous password managers like LastPass, popular browsers such as Chrome and Firefox, and cloud platforms including Google Drive. Beyond cryptocurrency, the malware can extract sensitive credentials and access permissions.

Initially resembling a typical phishing scheme, the operation turned out to be far more dangerous. By embedding malicious code in blockchain transactions—where data is permanent and difficult to remove—attackers have created a persistent and scalable threat. Researchers warn that once deployed, the malware does not distinguish between personal and corporate data, putting both individuals and organizations at risk.

Investigators say the scale of the attack could surpass that of WannaCry, the global ransomware outbreak that impacted over 200,000 computers in 2017. So far, approximately 300,000 compromised credentials have been linked to this campaign, though experts believe this figure may represent only a fraction of the total.

Further analysis traced parts of the operation to suspicious IP addresses, including one linked to a former U.S. consulate site in Vladivostok, Russia—previously associated with North Korean cyber activities. Smart noted the financial scale of the operation, explaining that hackers leveraging this method have accumulated millions in cryptocurrency.

Researchers also discovered that elements of the malicious code had been quietly embedded in blockchain transactions years before being activated, functioning like dormant digital triggers. “Hiding malicious payloads within blockchain has become an emerging obfuscation technique,” reads a blog post written by collaborators at Ransom-ISAC.

The attack primarily targets software developers and contractors. Hackers pose either as recruiters offering jobs or as freelancers seeking employment. In both cases, they exploit trust to gain access to systems or credentials. Victims have included organizations across various sectors, from financial services and defense to technology and even food delivery businesses.

“Since this case, I haven't been able to look at GitHub the same way,” Stannard said, reflecting on how attackers embed malicious code into legitimate-looking repositories.

Evidence increasingly points to involvement by North Korean state-backed groups. Infrastructure, malware patterns, and cryptocurrency wallets used in the campaign overlap with known operations linked to such actors. Some wallets have even been tied to previous large-scale cyber thefts.

Experts suggest multiple possible motives, including financial gain, credential harvesting for identity fabrication, or enabling covert access to targeted organizations. “Everything about this has DPRK written all over it,” Stannard said, emphasizing the organized and strategic nature of the operation.

The FBI has acknowledged awareness of such tactics, stating: “This technique highlights the continuing evolution of the DPRK's ability to exploit the web3 space.”

Adding another layer of mystery, investigators uncovered unusual files hidden alongside the malware, including audio clips, images, and even technical documents. While their purpose remains unclear, researchers speculate these may represent experiments in covert data storage or communication.

As blockchain adoption grows, experts warn that such techniques will likely become more common. The combination of low-cost execution, permanence of blockchain data, and increasingly accessible coding tools—including AI—makes these attacks easier to replicate and harder to eliminate.

Authorities have been notified, but with investigations ongoing, many questions remain unanswered. For now, cybersecurity professionals urge caution—especially when dealing with unfamiliar code or unsolicited job offers, even from seemingly trusted platforms.
Read more »
Mirai botnet
Botnet CVE vulnerability DVR Fortinet IoT malware Mirai botnet

Mirai Malware Spreads Through Vulnerable TBK DVR Devices

 



Threat actors are actively taking advantage of security weaknesses in TBK digital video recorders and outdated TP-Link Wi-Fi routers to install variants of the Mirai botnet on compromised systems. This activity has been documented by researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

One of the primary attack vectors involves the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3, classified as medium severity. This flaw affects TBK DVR-4104 and DVR-4216 devices and is being used to deliver a Mirai-based malware strain identified as Nexcorium.

Security researchers note that IoT devices continue to be heavily targeted because they are widely deployed, frequently lack timely security updates, and are often configured with weak protections. These conditions allow attackers to exploit known vulnerabilities to gain initial access, deploy malicious code, maintain persistence, and ultimately use infected devices to conduct distributed denial-of-service attacks.

This vulnerability has already been observed in previous attack campaigns. Over the past year, it has been used not only to deploy Mirai variants but also a newer botnet known as RondoDox. In addition, earlier reporting highlighted large-scale botnet operations distributing multiple malware families, including Mirai, RondoDox, and Morte, by exploiting weak credentials and outdated vulnerabilities across routers, IoT devices, and enterprise systems.

In the current attack chain described by Fortinet, exploitation of CVE-2024-3721 allows attackers to download a script onto the target device. This script then determines the system’s Linux architecture and retrieves a compatible botnet payload. Once executed, the malware displays a message indicating that the system has been taken over.

Technical analysis shows that Nexcorium follows a structure similar to traditional Mirai variants. It includes encoded configuration tables, a watchdog mechanism to keep the malware active, and dedicated modules for launching DDoS attacks.

The malware also integrates an exploit for CVE-2017-17215, enabling it to target Huawei HG532 devices within the same network. Additionally, it uses a hard-coded list of usernames and passwords to attempt brute-force logins on other systems via Telnet connections.

If these login attempts succeed, the malware gains shell access, establishes persistence using scheduled tasks and system services, and connects to an external command-and-control server. From there, it waits for instructions to launch attacks using protocols such as UDP, TCP, and SMTP. After securing persistence, it deletes the original binary file to reduce the likelihood of detection and analysis.

Researchers describe Nexcorium as representative of modern IoT botnets, combining multiple techniques such as vulnerability exploitation, multi-architecture support, and persistence mechanisms to maintain long-term control over infected devices. Its use of both older vulnerabilities and brute-force tactics highlights its ability to adapt and expand its reach.

Separately, Unit 42 identified automated scanning activity attempting to exploit another vulnerability, CVE-2023-33538, which has a higher CVSS score of 8.8. This flaw affects several end-of-life TP-Link routers, including TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10). While the observed attack attempts were incorrectly executed and did not succeed, the vulnerability itself remains valid.

This vulnerability was added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency in June 2025, reflecting its relevance in real-world threat activity. Researchers emphasize that successful exploitation requires authenticated access to the router’s web interface, which can often be achieved if default credentials are still in use.

The attacks linked to this vulnerability are designed to deploy Mirai-like malware containing references to “Condi” within its source code. This malware is capable of updating itself to newer versions and can also operate as a web server, allowing it to spread to additional devices that connect to the infected system.

Because the affected TP-Link routers are no longer supported by the manufacturer, users are advised to replace them with newer devices. Security experts also stress the importance of changing default login credentials, as these remain a major weakness that attackers continue to exploit.

Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk. Even vulnerabilities that require authentication can become critical entry points if weak or unchanged credentials are present, enabling attackers to compromise devices and expand botnet networks with relative ease.


Read more »
Webhook Exploitation
Automation Security Cyber Threat Intelligence Cyer Threats Device Fingerprinting malware malware delivery N8n Webhook Abuse Phishing Campaigns RMM Abuse Webhook Exploitation

n8n Webhooks Under Threat as Attackers Orchestrate Malware Delivery via Phishing


 

A security researcher has identified a critical flaw in the open-source workflow orchestration platform n8n, which is increasingly embedded in enterprise and AI-driven operations, that highlights the fragility of modern automation ecosystems. 

The vulnerability, CVE-2026-21858, has been assigned the highest severity rating and exposes tens of thousands of deployments to potential compromise because of a subtle yet dangerous "content-type confusion" vulnerability. 

A Cyera study found that this flaw enables attackers to bypass the intended automation controls altogether, effectively turning trusted workflows into unprotected execution paths. In addition to serving as a connector between enterprise applications and advanced AI models such as GPT-4 and Claude, platforms such as n8n and Zapier have also become increasingly appealing targets due to their increasing capacity to orchestrate business logic. These engines were previously designed for integrating tools like Slack, Gmail, and Google Sheets, but may now find themselves being utilized for coordinated malicious campaigns, including large-scale phishing operations and automated distribution of malware. 

N8n's primary function is to interconnect web applications and services through API-driven logic, which allows companies to orchestrate complex processes across platforms such as Slack, GitHub, and Google Sheets. The community-licensed edition of the software enables self-hosted deployment, whereas the cloud-based version can extend these capabilities further by integrating AI-driven features that will automatically interact with external data sources and carry out tasks using agent-based models. 

With the platform's accessibility especially the ability to create developer accounts without any initial investment users have experienced a significant reduction in entry barriers. The platform automatically provisions unique subdomains within its cloud environment for deploying and accessing workflows. 

Although this model is similar to other AI-assisted development ecosystems in terms of convenience, it also introduces an attack surface that threat actors have demonstrated proficiency at exploiting. In adjacent platforms, adversaries have already developed similar patterns, in which they have utilized legitimate cloud-hosted environments to create phishing infrastructure. 

As part of n8n's architecture, webhooks are a crucial component, which allow workflows to be dynamically initiated upon receiving external data in a timely manner. This webhook endpoint is effectively a passive listener that has been assigned unique URLs that enable it to ingest and process inbound requests in real-time. 

Cisco Talos researchers have observed sustained abuse of these publicly accessible endpoints since October 2025, which has drawn scrutiny of this mechanism. A powerful technique used by attackers to embed malicious logic within otherwise legitimate looking infrastructure is the use of webhook URLs hosted on trusted n8n subdomains. This facilitates phishing campaigns and the distribution of downstream malware. 

As webhooks are essentially reverse APIs where applications can receive and process incoming data including dynamically fetched HTML content these features further compound the risk, because they enable adversaries to exploit automation workflows to execute unauthorized actions under the guise of legitimate service interactions. 

Based on these architectural exposures, threat intelligence analysis indicates a sustained abuse of n8n's webhook functionality over a period of approximately one year, from October 2025 until March 2026, that was highly coordinated. As part of phishing campaigns, malicious actors have consistently utilized these endpoints as both delivery channels for malware and as mechanisms for device reconnaissance within phishing campaigns. 

An attacker has effectively bypassed conventional security controls based on domain reputation by embedding webhook URLs within email content in order to route victims through trusted n8n-hosted infrastructure. As a consequence of this tactic, an increased volume of emails containing these links has been observed. Telemetry indicates a dramatic increase. 

Attempts to evade automated detection have been made by incorporating CAPTCHA-gated landing pages, which obscure payload delivery, and ultimately deploying modified remote access tools, including repackaged versions of Datto Remote Monitoring Management and ITarian Endpoint Management. Further, the inclusion of tracking pixels within phishing emails allows attackers to tailor subsequent stages of intrusion more precisely as granular device fingerprinting can be accomplished. 

As a result of this activity, broader implications beyond isolated phishing incidents are evident, as legitimate automation platforms are being operationalized as covert attack infrastructure. Using trusted domains to conceal malicious workflows, adversaries significantly complicate both detection and response efforts, rendering traditional blocklist defenses largely ineffective when they conceal malicious workflows behind trusted domains. 

Depending on the severity, the impact may vary from an initial compromise through credential harvesting to persistent unauthorized access enabled by remote management tools. Because the abuse occurs as a result of intended platform functionality and not a direct software flaw, mitigation requires a reevaluation of defensive strategies. 

Behavioral analysis should be prioritized over static indicators by security teams, anomalous webhook activity should be monitored closely, and workflow automation should be governed more strictly. Enhanced email filtering, combined with user awareness initiatives focused on evolving phishing techniques, remains essential, especially as attackers continue to refine methods that blend seamlessly into legitimate operational environments. 

On the basis of these findings, researchers have demonstrated how threat actors have rapidly adapted n8n webhook capabilities to scale both malware delivery and reconnaissance efforts. As of early 2026, phishing emails containing n8n webhook URLs had skyrocketed dramatically in intensity, reflecting a sharp rise in campaign intensity. 

In one observed operation, attackers posed as sharing documents and lured recipients to interact with embedded webhook links through emails masquerading as shared documents. In response to engagement, victims were redirected to intermediate pages containing CAPTCHA challenges, a tactic intended to evade automated security analysis.

Successful interaction resulted in the silent retrieval of malicious payloads from external infrastructure, and the execution chain remained visually linked to n8n as a trusted domain. Additionally, client-side scripting is used to obfuscate the download so that browsers interpret it to be originating from an appropriate source, reducing suspicion and bypassing conventional filtering.

A key component of these campaigns is the deployment of executable files or MSI installers which deliver modified versions of popular remote monitoring and management programs. By establishing persistent access via command-and-control communication channels, attackers have been able to establish persistent access. 

Parallel to this, phishing emails contain webhook-hosted tracking pixels, thereby posing a secondary vector of abuse. As soon as an email is opened, these invisible elements automatically initiate outbound requests, transmitting identifying parameters that provide adversaries with the ability to profile targets in great detail and refine subsequent attack phases. 

Collectively, these techniques illustrate the trend of repurposing low-code automation platforms into scalable attack frameworks for various types of attacks. It is now being exploited by malicious parties to streamline their malicious operations in the same flexible and integrated manner that underpins their enterprise value, reinforcing the importance of reassessing trust assumptions and implementing controls that prevent these platforms from inadvertently becoming conduits for compromise. Because of these developments, the focus is now shifting toward strengthening oversight around the automation ecosystems, which are now critical extensions of enterprise infrastructures.

Security strategies need to develop to account for misuse of legitimate services, emphasizing contextual analysis, tighter access governance, and continuous monitoring of workflow behaviour. It is imperative that resilience is built upon the capability of not only blocking known indicators, but also of detecting subtle deviations in the way these platforms are being used as threat actors integrate into trusted environments. 

To maintain the integrity of automation systems that were never designed to be adversarial in nature, a disciplined approach to automation security, combined with informed user vigilance, will be essential.
Read more »
social engineering attacks
Advanced Persistent Threats Charming Kitten cyber espionage cybersecurity risks Insider Threats Iranian Cyber Threats malware Phishing Campaigns social engineering attacks

Old Espionage Techniques Power New Cyber Attacks by Charming Kitten Hackers


 

As zero-day exploits and increasingly sophisticated malware become a norm, a quieter and more calculated threat is beginning to gain momentum - one which relies less on breaking systems than it does on destroying trust. 

In recent months, there have been significant developments in Iran-linked cyber activities, where groups such as Charming Kitten are abandoning conventional vulnerability-driven attacks for deception, psychological manipulation, and carefully orchestrated human interaction. 

Instead of forcing entry through technical loopholes, these actors embed themselves within the digital lives of their targets, posing as credible contacts and cultivating familiarity over time. As a platform-agnostic organization, their operations are both available on macOS and Windows, demonstrating a commitment to maximizing access over exploitative efforts. 

While this occurs, emerging concerns regarding insider-driven data exposure, including allegations of covert methods such as photographing sensitive screens to bypass monitoring systems, underscore a broader reality indicating that the most critical vulnerabilities are no longer associated with code, but with human behavior.

These operations are being carried out by Charming Kitten, a threat group widely linked to Iran's security establishment that has targeted government officials, academic researchers, and corporate employees since its establishment in 2010. As a primary attack vector, the group uses identity deception, impersonating known contacts through convincingly engineered communication to obtain credentials or launch malware, rather than exploiting software flaws or exploit chains. 

As an intentional alignment with traditional intelligence tradecraft, the methodology provides deeper access than purely technical intrusion techniques by cultivating trust and controlling interaction. For this reason, operatives construct layered digital personas based on professional credibility or social engagement as part of this effort and establish rapport with target audiences before executing phishing attacks or delivering payloads.

Using a human-centered approach, it is consistently effective across both Apple and Microsoft environments without relying on platform-specific vulnerabilities, so its effectiveness is consistent across both environments. 

Additionally, insider risk concerns have been intensified in parallel, as investigations indicate the possibility of individuals inside major technology organizations facilitating data exposure through low detection techniques, including the capture of sensitive information physically, thus circumventing conventional cybersecurity controls and reinforcing the complexity of modern threat environments. 

The threat landscape has begun to reflect a more sophisticated approach to visibility and restraint as a result of these targeted intrusion campaigns, in addition to a broader pattern of Iranian-related cyber activity.

In many cases, the activity observed at present has a low level of immediate operational severity, ranging from website defacements and disruptions of distributed denial-of-service to phishing waves, coordinated influence messaging, and reconnaissance of externally exposed infrastructures. These actions, however, are rarely isolated or symbolic; historically, they have served as early indicators of intent, which have enabled the testing of defenses, signaling capabilities, and forming of the operational environment in advance of sustained or covert engagements. 

In extensive and highly adaptable ecosystem is responsible for enabling this activity, which consists of state-aligned advanced persistent threat groups, semi-autonomous proxies, hacktivist fronts, and loosely aligned external collectives. While these actors usually lack overt coordination during periods of geopolitical tension, they are often aligned in their targeting priorities and narrative framing, resulting in disruptive noise and intelligence-driven precision. 

Developing regional dynamics provides the opportunity for this structure to be scalable and implausibly deniable for escalation, particularly in the context of entities in regions aligned with U.S. or Israeli interests. In sectors such as critical infrastructure, energy, telecommunications, logistics, and public administration, high value targets are encountered.

It is important to note that Iran's cyber strategy does not adhere to a single, publicly defined doctrine, but rather represents a pragmatic extension of its broader asymmetric security approach. During the last decade, cyber capabilities have evolved into multipurpose instruments that can be used for intelligence collection, domestic oversight, retaliatory signaling, as well as regional influence. 

The concept of cyber activity is less of a distinct domain within this framework as it is an integral part of statecraft that is designed to operate beneath the threshold of conventional conflict while delivering strategic outcomes. 

Through the surveillance and disruption of opposition networks, it can be applied to strengthen internal regime stability, extract political and economic advantage, and project coercive influence by imposing calculated costs on adversaries while maintaining deniability to achieve political and economic advantage. 

Increasingly, modern cyber operations are being characterized by a convergence of intent and capability which underscores a threat model that incorporates technical intrusions, psychological manipulation, and geopolitical signaling as integral components. These methods are reminiscent of intelligence practices historically associated with Cold War espionage, when cultivating access through trust led to more lasting results than purely technical advancement. 

The current threat landscape operationalizes this principle through the creation of highly curated digital identities that are frequently designed to appear credible or socially engaging. By establishing rapport with their target, adversaries are able to harvest credentials or deliver malware. 

The human-centered intrusion model is independent of platform-specific vulnerabilities and has demonstrated sustained effectiveness across both the Apple and Microsoft ecosystems Nevertheless, parallel concerns have emerged regarding insider risk. 

Investigations have shown that individuals embedded within technology environments can facilitate data exposure through deliberately low-tech methods, such as taking photographs directly from screens, to circumvent conventional monitoring methods. It is a common statement among security practitioners that trusted access remains one of the most difficult vectors to combat, often bypassing even mature security architectures. 

According to analysts, these patterns are not isolated incidents but are part of an integrated intelligence framework integrating cyber operations with human networks, surveillance, and strategic recruitment pipelines. 

In accordance with former Iranian officials, Iran has developed a multi-layered operational model encompassing online intelligence collection, asset cultivation, and procurement mechanisms, which together increase Iran's reach and resilience. It is widely recognized that Iran is a highly sophisticated adversary with the potential to blend psychological operations with technical intrusion, despite historically being overshadowed by larger cyber powers. 

Moreover, the same operational networks have been used to monitor dissident communities beyond national borders, indicating a dual-purpose strategy extending beyond conventional state competition into internal control mechanisms as well. In the context of increasing blurring boundaries between external intelligence gathering and domestic influence operations, attribution and intent assessment become more difficult. 

Several high-profile cases involving alleged insider cooperation further underscore the enduring threat that is posed by human-mediated compromise. Mitigation therefore requires a rigorous, layered security posture that addresses technical as well as behavioral vulnerabilities. Prior to sharing sensitive information, it remains imperative to verify digital identities, particularly in environments susceptible to targeted social engineering schemes. 

By combining strong, unique credentials with multi-factor authentication, it is significantly less likely that a compromised account will occur, while regular updating of antivirus software and endpoint protection solutions provides a baseline level of security.

As part of active network defense, such as properly configured firewalls, unauthorized access pathways can be further limited, and the use of reputable malware detection and remediation tools makes it possible to identify and contain suspicious activity early. These measures reinforce the principle that effective cybersecurity no longer involves merely technological controls, but rather a combination of user awareness, operational vigilance, and adaptive defense strategies.

Increasingly, threat actors are implementing operations that blur the line between human intelligence and cyber intrusion, requiring organizations to increase their focus on resilience beyond perimeter defenses. 

To detect subtle indicators of compromise that do not evade conventional controls, strategic investments in behavioral monitoring, identity governance, and continuous threat intelligence integration will be essential. It is clear that preparedness has evolved from being able to detect and avoid every breach, but rather from being able to anticipate, detect, and respond with precision to adversaries that utilize both systems and human trust to carry out their attacks.
Read more »
phishing
Banks Brazil Data JanelaRAT malware Mexico phishing

JanelaRAT Malware Attacks Banks in Brazil and Mexico, Steals Data


Banks in Latin American countries such as Mexico and Brazil have been victims of continuous malware attacks by a strain called JanelaRAT. 

An upgraded variant of BX RAT, JanelaRAT, can steal cryptocurrency and financial data from financial organizations, trace mouse inputs, log keystrokes, collect system information, and take screenshots.  

In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features. 

Security

Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit. 

In June 2023, Zscaler first discovered JanelaRAT in the wild, leveraging ZIP archives containing a VBScript to download another ZIP file, which came with a genuine executable and a DLL payload. The hacker then deploys the DLL side-loading tactic to launch the malware. 

Distribution tactic

An analysis by KPMG in 2025 revealed that the malware is circulated via rogue MSI installer files impersonating as a legit software hosted on trusted sites like GitLab. 

"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."

The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches. 

Phishing campaign

The recent malware campaign found by Kaspersky reveals that phishing emails disguised as due invoices are used to lure recipients into downloading a PDF file by opening a link, causing the download of a ZIP archive that starts the attack chain, including DLL side-loading to deploy JanelaRAT.

Since May 2024, JanelaRAT malware has moved from VBScripts to MSI installers, which work as a dropper for the trojan via DLL side-loading and build persistence in the victim system by making a Windows Shortcut (LNK) in the Startup folder that leads to the executable. 

Victim tracking

According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.” 

If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.

Read more »
malware
AI Cloud Data GlassWorm Internet malware

GlassWorm Malware Campaign Attacks Developer IDEs, Steals Data


About GlassWorm campaign 

Cybersecurity experts have discovered another incident of the ongoing GlassWorm campaign, which uses a new Zig dropper that's built to secretly compromise all integrated development environments (IDEs) on a developer's system. 

The tactic was found in an Open VSX extension called "specstudio.code-wakatime-activity-tracker”, which disguised as WakaTime, a famous tool that calculates the time programmes spend with the IDE. The extension can not be downloaded now. 

Attack tactic 

In previous attacks, GlassWorm used the same native compiled code in extensions. Instead of using the binary as the payload directly, it is deployed as a covert indirection for the visible GlassWorm dropper. It can secretly compromise all other IDEs that may be present in your device. 

The recently discovered Microsoft Visual Studio Code (VS Code) extension is a replica (almost).

The extension installs a universal Mach-O binary called "mac.node," if the system is running Apple macOS, and a binary called "win.node" for Windows computers.

Execution 

These Zig-written compiled shared libraries that load straight into Node's runtime and run outside of the JavaScript sandbox with complete operating system-level access are Node.js native addons.

Finding every IDE on the system that supports VS Code extensions is the binary's main objective once it has been loaded. This includes forks like VSCodium, Positron, and other AI-powered coding tools like Cursor and Windsurf, in addition to Microsoft VS Code and VS Code Insiders.

Malicious code installation 

Once this is achieved, the binary installs an infected VS Code extension (.VSIX) from a hacker-owned GitHub account. The extension, known as “floktokbok.autoimport”, imitates “steoates.autoimport”, an authentic extension with over 5 million downloads on the office Visual Studio Marketplace.

After that, the installed .VSIX file is written to a secondary path and secretly deployed into each IDE via editor's CLI installer. 

In the second-stage, VS Code extension works as a dropper that escapes deployment on Russian devices, interacts with the Solana blockchain, gets personal data, and deploys a remote access trojan (RAT). In the final stage, RAT installs a data-stealing Google Chrome extension. 

“The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump,” cybersecurity firm aikido reported. 

Read more »
Supply Chain Attack
Cybercrime India Data Theft Risks Firmware Attack malware MediaTek Vulnerability Mobile Security Threats Remote Access Trojan Smartphone Security Supply Chain Attack

Hidden Android Malware Capable of Controlling Devices Raises Security Concerns


 

Smartphones have become increasingly important as repositories of identity, finances, and daily communications. The recent identification of a new Android malware strain, recently flagged by the National Cybercrime Threat Analytics Unit and ominously dubbed "God Mode", is indicative of a worrying escalation in mobile security threats. 

As opposed to conventional scams that employ visible deception or user interaction, this variant is designed to persist silently, enabling attackers to gain an unsettling degree of control without prompting immediate suspicion. 

The name of the program is not accidental; it reflects its ability to assume a wide range of permissions and surveillance capabilities once deployed, reducing users to the position of unaware bystanders.  It is noteworthy that this development coincides with an increase in sophisticated malware campaigns throughout India, where cybercriminals are increasingly utilizing the perception of legitimacy of digital services to exploit public trust, mimicking official government platforms. 

Often deployed through widely used messaging channels, these operations take advantage of urgency and limited verification by utilizing carefully orchestrated social engineering tactics, resulting in a seamless illusion of authenticity that has already led to widespread identity theft and financial fraud. In view of these concerns, researchers have identified a threat class that is more deeply ingrained into the Android operating system.

The Oblivion Remote Access Trojan, observed recently, signals the shift from surface-level compromise to systemic invasion. Based on reports, the malware is being distributed through subscription-based distribution models across a wide range of Android devices running versions 8 through 16 and is designed to operate across a broad range of devices.

Using Certo's analysis, it appears that the toolkit is not simply a standalone payload, but rather a structured package with a configurable builder that enables operators to create malicious applications that resemble legitimate applications. As a complement, a dropper mechanism was developed to mimic routine system update prompts, a tactic that blends seamlessly with user expectations and greatly increases the likelihood of execution. 

Kaspersky has found parallel evidence linking this activity to a strain they call "Keenadu," discovered during deeper investigations into firmware-level threats that resembled the earlier Triada threat. It is noteworthy that this variant is persistent: instead of being installed solely by the user, it has been observed embedded within the device firmware itself, indicating a compromise within the supply chain. 

The researchers claim that a tainted dependency introduced during firmware development enabled the malware to be integrated into the core system environment by allowing the malware to persist. Upon attachment to Android’s Zygote process, the malicious code replicates across all running applications on the device, resulting in widespread and difficult to detect control. Because affected devices may reach end users already compromised, manufacturers may be unaware of the intrusion prior to their products being distributed, which has significant consequences. 

There is a deceptively simple entry point into the infection chain associated with such threats: the link or application file is delivered via messaging platforms under the guise of legitimate notifications, often posing as bank alerts, service updates, or time-sensitive announcements. As soon as the application is executed, it strategically requests access to the Accessibility Service an Android feature intended to make the application more usable for people who are differently abled. 

A systemic abuse of this permission occurs in the context described above in order to establish extensive control over device operations. By gaining access to this level of access, the malware can monitor on-screen activity, intercept text communications, and perform autonomous user interactions. The ability to capture one-time passwords, navigate applications, and authorize transactions without explicit user awareness is included in this category. 

Most of the times observed, the initial payload is distributed via widely used communication channels such as instant messaging platforms as an APK file, where it appears as a routine application or system update via widely used communication channels. As a result of its outward appearance, the malware is often not suspected and is more likely to succeed during installation.

The malicious process embeds itself within the device and is designed to maintain persistence and stealth. By avoiding visibility within the standard application interface, the malicious process is evading casual detection while remaining silently operating in the background. The degree of risk introduced by this level of compromise is substantial. 

Through the malware's ability to access sensitive inputs, such as OTPs, personal messages, and contact databases, conventional authentication procedures are effectively bypassed. Further, by utilizing its ability to initiate or redirect calls, overlay fraudulent interfaces over legitimate banking applications, and simulate genuine user behavior, sophisticated financial exploitation and data exfiltration can be accomplished. 

Additionally, the threat is lowly visible; the lack of overt indicators, combined with its ability to avoid basic scrutiny, make it difficult for users to become aware of a breach until tangible damage has already occurred - financial or otherwise. Because the vulnerability does not uniformly impact all Android devices, assessing exposure becomes an important first step when confronted with this backdrop. 

According to current findings, the risk is primarily confined to smartphones equipped with MediaTek system-on-chip architectures, although devices that are powered by Qualcomm Snapdragon or Google Tensor are not affected. 

Users can verify their device's status by verifying its exact model in system settings and referencing its hardware specifications using manufacturer documentation. It becomes more urgent when the MediaTek chipset is identified to ensure that the latest security patches are applied as soon as possible. 

While a fix has been reportedly issued at the chipset level, its effectiveness is determined by the timely distribution by individual device manufacturers, making timely system updates a decisive factor in preventing exposures. A broader defensive posture requires a combination of technical safeguards and user discipline in addition to identification and patching. 

Security applications can not directly address firmware-level vulnerabilities, but they still play an important role in detecting secondary payloads, such as spyware or malicious applications, which may be deployed following a compromise. It is also important to minimize sensitive data stored locally on devices, particularly credentials, recovery keys, and financial information that could be accessed if access is obtained. Also highlighted in this case is the importance of physical security, as certain exploit vectors may require direct device access, which makes unattended or improperly handled devices potentially vulnerable. 

Additionally, complementary measures add essential layers of resistance against unauthorised activity, such as robust screen locks, shorter auto-lock intervals, and multi-factor authentication across critical accounts. In addition to reducing credential exposure, using encrypted password managers will help reduce device-level control capabilities, such as USB-restricted mode, when available, to limit data transfer capabilities while locked. 

As a result of these measures, the underlying vulnerability remains, however a layered security framework is established that significantly reduces the likelihood and impact of exploitation in the real world. As a result, these deeply embedded Android threats highlight a significant shift in the mobile security landscape, where risks are no longer restricted to user-level interactions, but extend to the underlying architecture of the device itself. 

With this evolving technology, users and manufacturers need to remain vigilant and informed, emphasizing proactive security hygiene, timely software maintenance, and carefully examining digital interactions. As threat actors continue to refine their methods, resilience will be determined by the development of layered, adaptive defense strategies that anticipate compromise and limit its impact, rather than a single safeguard.
Read more »
malware
Aisuru botnet API Chaos Malware Cloud systems Docker malware

New Chaos Malware Variant Expands to Cloud Targets, Introduces Proxy Capability

 



A newly observed version of the Chaos malware is now targeting poorly secured cloud environments, indicating a defining shift in how this threat is being deployed and scaled.

According to analysis by Darktrace, the malware is increasingly exploiting misconfigured cloud systems, moving beyond its earlier focus on routers and edge devices. This change suggests that attackers are adapting to the growing reliance on cloud infrastructure, where configuration errors can expose critical services.

Chaos was first identified in September 2022 by Lumen Black Lotus Labs. At the time, it was described as a cross-platform threat capable of infecting both Windows and Linux machines. Its functionality included executing remote shell commands, deploying additional malicious modules, spreading across systems by brute-forcing SSH credentials, mining cryptocurrency, and launching distributed denial-of-service attacks using protocols such as HTTP, TLS, TCP, UDP, and WebSocket.

Researchers believe Chaos developed from an earlier DDoS-focused malware strain known as Kaiji, which specifically targeted exposed Docker instances. While the exact operators behind Chaos remain unidentified, the presence of Chinese-language elements in the code and the use of infrastructure linked to China suggest a possible connection to threat actors from that region.

Darktrace detected the latest variant within its honeypot network, specifically on a deliberately misconfigured Hadoop deployment that allowed remote code execution. The attack began with an HTTP request sent to the Hadoop service to initiate the creation of a new application.

That application contained a sequence of shell commands designed to download a Chaos binary from an attacker-controlled domain, identified as “pan.tenire[.]com.” The commands then modified the file’s permissions using “chmod 777,” allowing full access to all users, before executing the binary and deleting it from the system to reduce forensic evidence.

Notably, the same domain had previously been linked to a phishing operation conducted by the cybercrime group Silver Fox. That campaign, referred to as Operation Silk Lure by Seqrite Labs in October 2025, was used to distribute decoy documents and ValleyRAT malware, suggesting infrastructure reuse across campaigns.

The newly identified sample is a 64-bit ELF binary that has been reworked and updated. While it retains much of its original functionality, several features have been removed. In particular, capabilities for spreading via SSH and exploiting router vulnerabilities are no longer present.

In their place, the malware now incorporates a SOCKS proxy feature. This allows compromised systems to relay network traffic, effectively masking the origin of malicious activity and making detection and mitigation more difficult for defenders.

Darktrace also noted that components previously associated with Kaiji have been modified, indicating that the malware has likely been rewritten or significantly refactored rather than simply reused.

The addition of proxy functionality points to a broader monetization strategy. Beyond cryptocurrency mining and DDoS-for-hire operations, attackers may now leverage infected systems to provide anonymized traffic routing or other illicit services, reflecting increasing competition within cybercriminal ecosystems.

This shift aligns with a wider trend observed in other botnets, such as AISURU, where proxy services are becoming a central feature. As a result, the threat infrastructure is expanding beyond traditional service disruption to include more complex abuse scenarios.

Security experts emphasize that misconfigured cloud services, including platforms like Hadoop and Docker, remain a critical risk factor. Without proper access controls, attackers can exploit these systems to gain initial entry and deploy malware with minimal resistance.

The continued evolution of Chaos underlines how threat actors are persistently enhancing their tools to expand botnet capabilities. It also reinforces the need for continuous security monitoring, as changes in how APIs and services function may not always appear as direct vulnerabilities but can exponentially increase exposure.

Organizations are advised to regularly audit configurations, restrict unnecessary access, and monitor for unusual behavior to mitigate the risks posed by increasingly adaptive malware threats.

Read more »
Omnistealer
Developers GitHub malware North Korea Omnistealer

Malware Hidden in Blockchain Networks Is Quietly Targeting Developers Worldwide



A new investigation has uncovered a cyberattack method that uses blockchain networks to quietly distribute malware, raising concerns among security researchers about how difficult it may be to stop once it spreads further.

The threat first surfaced when a senior engineering executive at Crystal Intelligence received a freelance opportunity through LinkedIn. The message appeared routine, asking him to review and run code hosted on GitHub. However, the request resembled a known tactic used by a North Korean-linked group often referred to as Contagious Interview, which relies on fake job offers to target developers.

Instead of proceeding, the executive examined the code and found something unusual. Hidden within it was the beginning of a multi-step attack designed to look harmless. A developer following normal instructions would likely execute it without noticing anything suspicious.

Once activated, the code connects to blockchain networks such as TRON and Aptos, which are commonly used because of their low transaction costs. These networks do not contain the malware itself but instead store information that directs the program to another blockchain, Binance Smart Chain. From there, the final malicious payload is retrieved and executed.

Researchers say this last stage installs a powerful data-stealing tool known as “Omnistealer.” According to analysts working with Ransom-ISAC, the malware is designed to extract a wide range of sensitive data. It can access more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase Wallet, as well as over 10 password managers such as LastPass. It also targets major browsers like Chrome and Firefox and can pull data from cloud storage services like Google Drive. This means attackers are not just stealing cryptocurrency, but also login credentials and internal access to company systems.

What initially looked like a simple phishing attempt turned out to be far more layered. By placing parts of the attack inside blockchain transactions, the attackers have created a system that is extremely difficult to dismantle. Data stored on blockchains cannot easily be removed, which means parts of this malware infrastructure could remain accessible for years.

Researchers believe the scale of this operation could grow rapidly. Some have compared its potential reach to the WannaCry ransomware attack, which disrupted hundreds of thousands of systems worldwide. In this case, however, the method is quieter and more flexible, which may allow it to spread further before being detected. At the same time, investigators are still unsure what the attackers ultimately intend to do with the access they gain.

Further analysis has revealed possible links to North Korean cyber actors. Investigators traced parts of the activity to an IP address in Vladivostok, a location that has previously appeared in investigations involving North Korean operations. Research cited by NATO has noted that North Korea expanded its internet routing through Russia several years ago. Additional findings from Trend Micro connect similar infrastructure to earlier campaigns involving fake recruiters.

The number of affected victims is already significant. Researchers estimate that around 300,000 credentials have been exposed so far, although they believe the real figure could be much higher. Impacted organizations include cybersecurity firms, defense contractors, financial companies, and government entities in countries such as the United States and Bangladesh.

The attackers rely heavily on deception to gain access. In some cases, they pose as recruiters and convince developers to run infected code as part of a hiring process. In others, they present themselves as freelance developers and introduce malicious code directly into company systems through platforms like GitHub.

Developers in rapidly growing tech ecosystems appear to be a key focus. India, for example, has seen a surge in new contributors on GitHub and ranks among the top countries for cryptocurrency adoption. Researchers suggest that a combination of high developer activity and economic incentives may make such regions more vulnerable to these tactics.

Initial contact is typically made through platforms such as LinkedIn, Upwork, Telegram, and Discord. Representatives from these platforms have advised users to be cautious, particularly when asked to download files or execute unfamiliar code outside controlled environments.

Not all targeted organizations appear strategically important, which suggests the attackers may be casting a wide net. However, the presence of defense and security-related entities among the victims raises more serious concerns about potential intelligence-gathering objectives.

Security experts say this campaign reflects a broader shift in how attacks are being designed. Instead of relying on a single point of failure, attackers are combining social engineering, publicly accessible code platforms, and decentralized infrastructure. The use of blockchain in particular adds a layer of persistence that traditional security tools are not designed to handle.

As investigations continue, researchers warn that this may only be an early stage of a much larger problem. The combination of hidden delivery methods, long-term persistence, and unclear intent makes this campaign especially difficult to predict and contain.

Read more »
worm
Block Chain Canister Cybersecurity malware Supply Chain worm

CanisterWorm Campaign Combines Supply Chain Attack, Data Destruction, and Blockchain-Based Control

 



Malware that can automatically spread between systems, commonly referred to as worms, has long been a recurring threat in cybersecurity. What makes the latest campaign unusual is not just its ability to propagate, but the decision by its operators to deliberately destroy systems in a specific region. In this case, machines located in Iran are being targeted for complete data erasure, alongside the use of an unconventional control architecture.

The activity has been linked to a relatively new group known as TeamPCP. The group first appeared in reporting late last year after compromising widely used infrastructure tools such as Docker, Kubernetes, Redis, and Next.js. Its earlier operations appeared focused on assembling a large network of compromised systems that could function as proxies. Such infrastructure is typically valuable for conducting ransomware attacks, extortion campaigns, or other financially driven operations, either by the group itself or by third parties.

The latest version of its malware, referred to as CanisterWorm, introduces behavior that diverges from this profit-oriented pattern. Once inside a system, the malware checks the device’s configured time zone to infer its geographic location. If the system is identified as being in Iran, the malware immediately executes destructive commands. In Kubernetes environments, this results in the deletion of all nodes within a cluster, effectively dismantling the entire deployment. On standard virtual machines, the malware runs a command that recursively deletes all files on the system, leaving it unusable. If the system is not located in Iran, the malware continues to operate as a traditional worm, maintaining persistence and spreading further.

The decision to destroy infected machines has raised questions among researchers, as disabling systems reduces their value for sustained exploitation. In comments reported by KrebsOnSecurity, Charlie Eriksen of Aikido Security suggested that the action may be intended as a demonstration of capability rather than a financially motivated move. He also indicated that the group may have access to a much larger pool of compromised systems than those directly impacted in this campaign.

The attack chain appears to have begun over a recent weekend, starting with the compromise of Trivy, an open-source vulnerability scanning tool frequently used in software development pipelines. By gaining access to publishing credentials associated with Node.js packages that depend on Trivy, the attackers were able to inject malicious code into the npm ecosystem. This allowed the malware to spread further as developers unknowingly installed compromised packages. Once executed, the malware deployed multiple background processes designed to resemble legitimate system services, reducing the likelihood of detection.

A key technical aspect of this campaign lies in how it is controlled. Instead of relying on conventional command-and-control servers, the operators used a decentralized approach by hosting instructions on the Internet Computer Project. Specifically, they utilized a canister, which functions as a smart contract containing both executable code and stored data. Because this infrastructure is distributed across a blockchain network, it is significantly more resistant to disruption than traditional centralized servers.

The Internet Computer Project operates differently from widely known blockchain systems such as Bitcoin or Ethereum. Participation requires node operators to undergo identity verification and provide substantial computing resources. Estimates suggest the network includes around 1,400 machines, with roughly half actively participating at any given time, distributed across more than 100 providers in 34 countries.

The platform’s governance model adds another layer of complexity. Canisters are typically controlled only by their creators, and while the network allows reports of malicious use, any action to disable such components requires a vote with a high approval threshold. This structure is designed to prevent arbitrary or politically motivated shutdowns, but it also makes rapid response to abuse more difficult.

Following public disclosure of the campaign, there are indications that the malicious canister may have been temporarily disabled by its operators. However, due to the design of the system, it can be reactivated at any time. As a result, the most effective defensive measure currently available is to block network-level access to the associated infrastructure.

This campaign reflects a convergence of several developing threat trends. It combines a software supply chain compromise through npm packages, selective targeting based on inferred geographic location, and the use of decentralized technologies for operational control. Together, these elements underline how attackers are expanding both their technical methods and their strategic objectives, increasing the complexity of detection and response for organizations worldwide.

Read more »
phishing
AI Cloud Data malware phishing

China-based TA416 Targets European Businesses via Phishing Campaigns

Chinese state-sponsored attacks

A China-based hacker is targeting European government and diplomatic entities; the attack started in mid-2025, after a two-year period of no targeting in the region. The campaign has been linked to TA416; the activities coincide with DarkPeony, Red Lich, RedDelta, SmugX, Vertigo Panda, and UNC6384.

According to Proofpoint, “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."

Multiple attack campaigns

Additionally, TA416 organized multiple campaigns against the government and diplomatic organizations in the Middle East after the US-Iran conflict in February 2026. The attack aimed to gather regional intelligence regarding the conflict.

TA416 also has a history of technical overlaps with a different group, Mustang Panda (UNK_SteadySplit, CerenaKeeper, and Red Ishtar). The two gangs are listed as Hive0154, Twill Typhoon, Earth Preta, Temp.HEX, Stately Taurus, and HoneyMyte. 

TA416’s attacks use PlugX variants. The Mustang Panda group continually installed tools like COOLCLIENT, TONESHELL, and PUBLOAD. One common thing is using DLL side-loading to install malware.

Attack tactic

TA416’s latest campaigns against European entities are pushing a mix of web bug and malware deployment operations, while threat actors use freemail sender accounts to do spying and install the PlugX backdoor through harmful archives via Google Drive, Microsoft Azure Blob Storage, and exploited SharePoint incidents. The PlugX malware campaigns were recently found by Arctic Wolf and StrikeReady in October 2025. 

According to Proofpoint, “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target.”

The TA416 attacks in December last year leveraged third-party Microsoft Entra ID cloud apps to start redirecting to the download of harmful archives. Phishing emails in this campaign link to Microsoft’s authentic OAuth authorization. Once opened, resends the user to the hacker-controlled domain and installs PlugX.

According to experts, "When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it."

Read more »
Windows
Casbaneiro ClickFix Attacks Europe Gmail Latin America malware Phishing emails Windows

Hackers Use Fake Legal Emails to Spread Casbaneiro Malware

 



A coordinated phishing operation is targeting Spanish-speaking users in both Latin America and Europe, using layered infection methods to deploy banking malware on Windows systems.

The campaign delivers the Casbaneiro trojan, also referred to as Metamorfo, and relies on an additional malware strain called Horabot to assist in spreading the infection. Investigators have linked the activity to a Brazil-based cybercrime group tracked as Augmented Marauder and Water Saci, which was first publicly reported by Trend Micro in October 2025.

Technical findings shared by BlueVoyant researchers Thomas Elkins and Joshua Green show that the attackers operate through multiple entry points. Their approach combines phishing emails, automated messaging through WhatsApp, and social engineering techniques such as ClickFix. This setup allows them to simultaneously target everyday users and corporate environments. While WhatsApp-based scripts are mainly used to reach consumers in Latin America, the group also runs an email takeover mechanism aimed at breaching business systems in both Latin America and Europe.

The attack begins with an email crafted to resemble a legal notice, often framed as a court-related message. Recipients are urged to open a password-protected PDF file attached to the email. Inside the document, a link directs the user to a harmful website, which triggers the download of a compressed ZIP file. Opening this file leads to the execution of intermediate components, including HTML Application files and Visual Basic scripts.

The VBS script conducts several checks before continuing, including verifying the presence of antivirus tools such as Avast. These checks are designed to avoid analysis or detection. Once completed, the script contacts an external server to download further payloads. Among these are AutoIt-based loaders that unpack encrypted files with extensions like “.ia” and “.at,” eventually activating both Casbaneiro and Horabot on the infected system.

Casbaneiro serves as the main malware responsible for financial theft, while Horabot is used to expand the attack’s reach. After installation, Casbaneiro communicates with a command server to retrieve a PowerShell script. This script uses Horabot to extract contact lists from Microsoft Outlook and send phishing emails from the victim’s own account.

A key change in this campaign is the use of dynamically generated phishing documents. Instead of distributing a fixed malicious file, the malware sends a request to a remote server, including a randomly created four-digit code. The server responds by generating a unique, password-protected PDF designed to mimic a Spanish judicial summons. This file is then attached to phishing emails sent to new targets, making each message appear more personalized and credible.

The operation also uses a secondary Horabot-related file that acts as both a spam tool and an account hijacker. It targets email services such as Yahoo, Gmail, and Microsoft Live, enabling attackers to send phishing messages through compromised Outlook accounts. Researchers note that Horabot has been used in attacks across Latin America since at least November 2020.

Earlier campaigns linked to Water Saci relied heavily on WhatsApp Web to spread malware in a self-propagating manner, including banking threats like Maverick and Casbaneiro. More recent activity, as observed by Kaspersky, shows the use of ClickFix tactics, where users are tricked into executing malicious HTA files under the pretense of resolving technical issues.

Researchers conclude that the attackers are continuously refining their methods by combining multiple delivery channels. The use of WhatsApp automation, dynamically generated PDF lures, and ClickFix techniques allows them to bypass security controls more effectively. The group appears to operate parallel attack chains, switching between WhatsApp-driven distribution and email-based infection methods powered by Horabot, depending on the target environment.

This activity points to a wider change in how cybercriminal operations are structured, where threat actors increasingly depend on adaptable tactics, automated tools, and manipulation of user behavior to maintain and expand attacks across different regions.

Read more »
Subscribe to: Comments (Atom)