Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label malware. Show all posts

SVG Phishing Campaign Bypasses Antivirus, Targets Colombian Judiciary

 

VirusTotal has uncovered a sophisticated phishing campaign that leverages SVG (Scalable Vector Graphics) files to bypass traditional antivirus detection while impersonating Colombia's judicial system. The campaign was discovered after VirusTotal added SVG support to its AI Code Insight platform, which uses machine learning to analyze suspicious behavior in uploaded files. 

Campaign discovery and scale 

The malicious SVG files initially showed zero detections by conventional antivirus scans but were flagged by VirusTotal's AI-powered Code Insight feature for suspicious JavaScript execution and HTML rendering capabilities. Following the initial discovery, VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign, all of which had evaded detection by traditional security software. 

Modus operandi 

The SVG files exploit the element to display HTML content and execute JavaScript when loaded. These files create convincing fake portals impersonating Colombia's Fiscalía General de la Nación (Office of the Attorney General), complete with case numbers, security tokens, and official government branding to build victim trust. 

When users interact with these fake portals, they see a phony download progress bar that simulates an official government document download process. While victims believe they are downloading legitimate legal documents, the malware simultaneously triggers the download of a password-protected ZIP archive in the background . 

Malware payload

Analysis of the extracted ZIP files reveals a multi-component attack containing four files: a legitimate Comodo Dragon web browser executable renamed to appear as an official judicial document, a malicious DLL, and two encrypted files. When the user opens the executable, the malicious DLL is sideloaded to install additional malware on the system. 

Evasion techniques

The campaign demonstrates sophisticated evasion tactics including obfuscation, polymorphism, and substantial amounts of dummy code designed to increase file entropy and avoid static detection methods. The attackers evolved their payloads over time, with earlier samples being larger (around 25 MB) and later versions becoming more streamlined. 

Detection challenges

SVG files present unique security challenges because they can contain executable JavaScript while appearing as harmless image files to users and many security tools. Traditional antivirus solutions struggle to analyze the XML-based SVG format effectively, making AI-powered behavioral analysis crucial for detection. 

The campaign highlights the growing trend of threat actors exploiting SVG files for phishing attacks, as these files can embed malicious scripts that execute automatically while maintaining the appearance of legitimate graphics. VirusTotal's AI Code Insight platform proved essential in exposing this campaign, demonstrating how machine learning can identify threats that traditional signature-based detection methods miss .

Hackers Exploit Zero-Day Bug to Install Backdoors and Steal Data


Sitecore bug abused

Threat actors exploited a zero-day bug in legacy Sitecore deployments to install WeepSteel spying malware. 

The bug, tracked as CVE-2025-53690, is a ViewState deserialization flaw caused by the addition of a sample ASP.NET machine key in pre-2017 Sitecore guides. 

A few users reused this key, which allowed hackers who knew about the key to create valid, but infected '_VIEWSTATE' payloads that fooled the server into deserializing and executing them, which led to remote code execution (RCE). 

The vulnerability isn’t a bug in ASP.NET; however, it is a misconfiguration flaw due to the reuse of publicly documented keys that were never intended for production use.

About exploitation

Mandiant experts found the exploit in the wild and said that the threat actors have been exploiting the bug in various multi-stage attacks. Threat actors target the '/sitecore/blocked.Aspx' endpoint, which consists of an unauthorized ViewState field, and get RCE by exploiting CVE-2025-53690. 

The malicious payload threat actors deploy is WeepSteel, a spying backdoor that gets process, system, disk, and network details, hiding its exfiltration as standard ViewState responses. Mendiant experts found the RCE of monitoring commands on compromised systems- tasklist, ipconfig/all, whoami, and netstat-ano. 

Mandiant observed the execution of reconnaissance commands on compromised environments, including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. 

In the next attack stage, the threat actors installed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip, which is used to make archives of the stolen information. After this, the threat actors increased access privileges by making local administrator accounts ('asp$,' 'sawadmin'), “cached (SAM and SYSTEM hives) credentials dumping, and attempted token impersonating via GoTokenTheft,” Bleeping Computer said. 

Threat actors secured persistence by disabling password expiration, which gave them RDP access and allowed them to register Dwagent as a SYSTEM service. 

“Mandiant recommends following security best practices in ASP.NET, including implementing automated machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets within the web.config file,” the company said.

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

 



A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George Česko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.


Chinese Espionage Group Exploits Fake Wi-Fi Portals to Infiltrate Diplomatic Networks

 

A recent investigation by Google’s security researchers has revealed a cyber operation linked to China that is targeting diplomats in Southeast Asia. The group behind the activity, tracked as UNC6384, has been found hijacking web traffic through deceptive Wi-Fi login pages. 

Instead of providing legitimate internet access, these portals imitated VPN sign-ins or software updates. Unsuspecting users were then tricked into downloading a file known as STATICPLUGIN. That downloader served as the delivery mechanism for SOGU.SEC, a newly modified version of the notorious PlugX malware, long associated with Chinese state-backed operations. What makes this campaign particularly dangerous is the use of a legitimate digital certificate to sign the malware. 

This allowed it to slip past traditional endpoint defenses. Once active, the backdoor enabled data theft, internal movement across networks, and persistent monitoring of sensitive systems. Google noted that the attackers relied on adversary-in-the-middle techniques to blend malicious activity with regular network traffic. 

Redirectors controlled by the group were used to reroute connections through their fake portals, ensuring victims remained unaware of the compromise. The choice of targets reflects Beijing’s broader regional ambitions. Diplomatic staff and foreign service officers often handle classified information relating to alliances, trade talks, and geopolitical strategies. 

By embedding malware within these systems, the attackers could gain visibility into negotiations and policy planning. Google has notified organizations it identified as victims and added the malicious infrastructure to its Safe Browsing alerts, aiming to block future attempts.

APT36 Exploits Linux .desktop Files for Espionage Malware in Ongoing Cyber Attacks

 


The Pakistani threat group APT36 has launched new cyber-espionage attacks targeting India’s government and defense sectors by abusing Linux .desktop files to deploy malware.

According to recent reports from CYFIRMA and CloudSEK, the campaign—first detected on August 1, 2025—is still active. Researchers highlight that this activity focuses on data theft, long-term surveillance, and persistent backdoor access. Notably, APT36 has a history of using .desktop files in espionage operations across South Asia.
Abuse of Linux Desktop Files

Victims receive phishing emails containing ZIP archives with a disguised .desktop file masquerading as a PDF. Once opened, the file triggers a hidden bash command that fetches a hex-encoded payload from an attacker-controlled server or Google Drive, writes it into /tmp/, makes it executable with chmod +x, and launches it in the background.

To avoid suspicion, the malware also opens Firefox to display a decoy PDF hosted online. Attackers manipulated fields like Terminal=false to hide terminal windows and X-GNOME-Autostart-enabled=true for persistence at every login.

While .desktop files are typically harmless text-based launchers defining icons and commands, APT36 weaponized them as malware droppers and persistence mechanisms—a method similar to how Windows LNK shortcuts are exploited.

The dropped malware is a Go-based ELF executable with espionage capabilities. Despite obfuscation, researchers confirmed it can:
  • Remain hidden,
  • Achieve persistence via cron jobs and systemd services,
  • Establish C2 communication through a bi-directional WebSocket channel for remote command execution and data exfiltration.
Both cybersecurity firms conclude that APT36 is evolving its tactics, becoming increasingly evasive, stealthy, and sophisticated, making detection on Linux environments difficult since .desktop abuse is rarely monitored by security tools.

New Shamos Malware Targets Mac Users Through Fake Tech Support Sites

 

Cybersecurity researchers have unearthed a new Mac-targeting malware called Shamos that deceives users through fake troubleshooting guides and repair solutions. This information-stealing malware, developed by the cybercriminal organization "COOKIE SPIDER," represents a variant of the previously known Atomic macOS Stealer (AMOS).

Modus operandi

The malware spreads through ClickFix attacks, which utilize malicious advertisements and counterfeit GitHub repositories to trick victims. Attackers create deceptive websites such as mac-safer[.]com and rescue-mac[.]com that appear to offer legitimate macOS problem-solving assistance. These sites instruct users to copy and paste Terminal commands that supposedly fix common system issues. 

However, these commands actually decode Base64-encoded URLs and retrieve malicious Bash scripts from remote servers. The scripts capture user passwords, download the Shamos executable, and use system tools like 'xattr' and 'chmod' to bypass Apple's Gatekeeper security feature. 

Data theft capabilities

Once installed, Shamos performs comprehensive data collection targeting multiple sensitive areas. The malware searches for cryptocurrency wallet files, Keychain credentials, Apple Notes content, and browser-stored information. It employs anti-virtual machine commands to avoid detection in security sandboxes and uses AppleScript for system reconnaissance.

All stolen data gets compressed into an archive file named 'out.zip' before transmission to the attackers via curl commands. When operating with administrator privileges, Shamos establishes persistence by creating a Plist file in the LaunchDaemons directory, ensuring automatic execution during system startup. 

CrowdStrike's monitoring has detected Shamos attempting infections across more than 300 environments globally since June 2025. The security firm has also observed instances where attackers deployed additional malicious components, including fake Ledger Live cryptocurrency applications and botnet modules. 

Safety measures

Security experts strongly advise Mac users to avoid executing any online commands they don't fully understand. Users should be particularly cautious with GitHub repositories, as the platform hosts numerous malicious projects designed to infect unsuspecting individuals.

For legitimate macOS assistance, users should bypass sponsored search results and instead consult Apple Community forums or the built-in Help system (Cmd + Space → "Help"). ClickFix attacks have proven highly effective across various platforms, appearing in TikTok videos, fake captchas, and bogus Google Meet error messages, making user awareness crucial for prevention.

Hackers Trick Users with Fake Captchas to Steal Data

 



Cybersecurity researchers have uncovered a new technique where attackers use fake Captcha tests to trick people into installing malware called Lumma Stealer. This malicious program is designed to quietly search infected computers for valuable information, such as login credentials, cryptocurrency wallet details, and two-factor authentication codes.

The scheme first appeared on a Greek banking website, where users were shown what looked like a Captcha security test. Instead of a normal verification, the prompt instructed Windows users to copy a piece of text into their Run dialog box and press Enter. By doing so, victims unknowingly triggered the installation of Lumma Stealer without downloading a visible file.

According to data shared by DNSFilter, a security company monitoring the incident, clients came across this fake Captcha 23 times in just three days. Alarmingly, around 17% of users who saw it followed the instructions, which led to attempts to infect their systems with malware.


How Lumma Stealer Works

Once inside a computer, Lumma Stealer immediately begins searching for anything that can be exploited for profit. This includes saved browser passwords, cookies, stored two-factor authentication tokens, cryptocurrency wallets, and even the data kept in password managers. Cybercriminals can use this stolen information to commit identity theft, break into financial accounts, or steal digital assets such as crypto funds.

What makes this threat particularly concerning is that Lumma Stealer can be hidden on otherwise legitimate websites, meaning unsuspecting users may fall victim even without visiting suspicious or obviously harmful pages.


Malware-as-a-Service Model

Lumma Stealer is part of a growing cybercrime trend known as Malware-as-a-Service (MaaS). Under this model, professional malware developers create the malicious software, improve its ability to avoid detection, and maintain hosting services. They then rent access to the malware to other cybercriminals in exchange for subscription fees. This arrangement makes it easy for attackers with little technical expertise to launch damaging campaigns.

Earlier this year, authorities attempted to disrupt Lumma Stealer operations. The U.S. Department of Justice seized several domains linked to the malware, while Microsoft removed thousands of related websites. However, security analysts report that Lumma Stealer quickly resurfaced, showing just how resilient and profitable such services can be.

Part of Lumma Stealer’s popularity comes from its low cost. Subscriptions can be found on underground forums for only a few hundred dollars per month, yet the potential financial return for criminals is enormous. In recent analyses, experts estimated that hundreds of thousands of devices have been compromised, with losses reaching tens of millions of dollars.

The importance of staying alert online cannot be emphasised enough. Unusual instructions, such as copying text into a computer’s Run command should raise suspicion immediately. Cybersecurity specialists advise users to verify unexpected prompts and ensure their systems are protected with updated security tools to reduce the risk of infection.



PayPal Password Leak Puts Millions of Users on High Alert

 


It has been reported that millions of PayPal accounts have been traded on underground forums, which has raised a new wave of alarm in the ever-evolving landscape of cybercrime. Using the moniker “Chucky_BF”, a hacker announcing the availability of a dataset of 15.8 million PayPal accounts for the startlingly low price of $750 USD has advertised what he claims is a dataset of 15.8 million PayPal accounts. 

There has been widespread discussion across social media about the trove, which allegedly contains a 1.1 gigabyte text file that stores plaintext email and password combinations, making them accessible and ready for immediate use for malicious purposes. According to the hacker, the records he created cover a wide range of email providers, such as Gmail, Yahoo, Hotmail, among others, suggesting that the victims are spread around the globe. 

A concern, however, may be the inclusion of PayPal-specific login URLs and mobile URLs, which appear to be structured in such a way as to facilitate an automated exploit. The stolen credentials are organized along with direct links to PayPal sign-in portals that you can use to sign into PayPal—for example, the /signin, /signup, /connect, and the Android application URIs—in a way that makes them easy for cybercriminals to deploy as a toolkit. 

According to screenshots of the offer being circulated on the internet, there are rows of raw email:password:url entries, an information dump format commonly used in underground credential dumps. Even though the authenticity of the data has not been confirmed, due to its structured nature and low asking price, concerns have been raised that the data could rapidly be acquired by cybercriminals eager to exploit any portion of the data.

Those who would want to be attackers could use a dataset like this as the foundation for credential stuffing attacks, phishing campaigns, or even large-scale fraud against PayPal users across multiple countries if they wanted to make such a purchase. 

Not just because of the numbers, but because PayPal is a trusted platform for millions of businesses and individuals throughout the world, the hacker’s bold claims have caught the attention of the world. The central player in the global ecosystem of digital payments, even unverified reports of a massive leak raise immediate questions regarding the potential financial loss, the reputational damage, and the security of user identities in an environment that is becoming increasingly hostile. 

It is important to note, however, that while the alleged dataset has sparked headlines, experts emphasise that a thorough analysis of the situation is necessary. Neither PayPal nor any of its subsidiaries have ever been directly breached by large-scale attackers who have taken millions of user records from the company's systems. This distinction is crucial because previous incidents related to PayPal—such as one involving around 35,000 users—were attributed to credential stuffing or the use of previously stolen data, not to flaws within PayPal's own infrastructure. 

If the claims made by "Chucky_BF" are accurate, it appears as though the dataset has more likely come from an infostealer malware infection than from PayPal's servers themselves. A malicious program, known as an infostealer malware infection, infects computers and mobile devices and can often be delivered through phishing emails, malicious downloads, or compromised websites in order to gain access to personal data. 

It has been shown that the malware is silently extracting stored login information, browser history, cookies, and autofill information from a system once inside, then sending this information to cybercriminals. This theory is supported by the fact that the hacker shared samples that included PayPal login URLs and Android URIs. In contrast to the centralised dump that PayPal's systems may have produced, this dataset may have gathered stolen logs from compromised personal devices all over the world, carefully restructured to appear as if they were stolen from PayPal. 

The practice of rebranding or repackaging stolen data is common within cybercrime markets, where rebranding can enhance a person's perception of how valuable it is. Recent discoveries strengthen this belief. Researchers identified 184 million login credentials, including unique usernames and passwords, that had been exposed through a misconfigured cloud server in May of 2025, according to cybersecurity researcher Jeremiah Fowler. 

In the same way that PayPal credentials are believed to have been retrieved via infostealer malware rather than through a direct company breach, those credentials are almost certainly the result of infostealer malware. Information-stealing malware is extremely destructive. In Hudson Rock's research, it has been determined that such malware is not only readily available on the dark web but has been successfully infiltrating not just individual users, but also critical institutions, according to Hudson Rock's research. 

It was found that employees of some of the most sensitive organisations in the United States had been infected by the virus, including the Pentagon, Lockheed Martin, Honeywell, branches of the military, and even the FBI, according to the analysis. Taking advantage of infostealers highlights that even institutions that have robust security frameworks can be compromised, which underscores how vulnerable consumers may be to similar threats that they are not aware of or are unable to protect themselves from. 

PayPal users face immediate and multifaceted risks if the data is fabricated or recycled, millions of real credentials are still in circulation despite the fact that some of the data may be fabricated or recycled. The information that cybercriminals possess can be used to launch credential stuffing attacks in which stolen email-password pairs are tested across multiple platforms in search of accounts whose credentials are reusable. Because most individuals recycle the same login information across a wide range of financial, e-commerce, and social platforms, a compromise of a single PayPal account can lead to an overall e-commerce invasion. 

Besides direct financial theft, there are also other risks associated with structured datasets such as this, including phishing campaigns that can be created to mimic PayPal login pages and lure victims into providing updated credentials. This data can also be used for social engineering purposes by attracting individuals to tailored scams that exploit their trust in financial institutions. Depending on the extent of the data, there could be a loss of revenue, fraud, and recovery costs of billions of dollars, depending on whether it was authentic. 

As of the time of writing, PayPal has not confirmed or denied the authenticity of the dataset. HackRead.com, which reported the sale, was also unable to independently confirm the claims. I have contacted the company to get their opinion, but I anticipate that any confirmation or rebuttal of the statement would affect the level of response its global user base will require. However, vigilance has not been abandoned by cybersecurity experts in cases where unverified leaks make headlines. 

In cases where unverified leaks make headlines, it would be prudent for users to assume the worst and take proactive measures to protect themselves. Analysts recommend that all PayPal users immediately: Reset their PayPal password to a strong, unique one. Enable Multi-Factor Authentication (MFA), ideally through an authenticator app instead of SMS. 

Check linked email accounts for unusual login activity. Use password managers to avoid reusing credentials across multiple platforms. Run updated antivirus and anti-malware scans on devices to detect possible infections. Monitor financial transactions closely, enabling alerts for any suspicious payments. Consider identity theft protection services, particularly for users who conduct significant business via PayPal. 

Experts also stress the importance of an overall digital hygiene program. As infostealer malware has emerged as one of the most potent and pervasive forms of cybersecurity, experts advise updating software regularly, being cautious when browsing, and being sceptical when receiving unsolicited emails or downloading files. 

A significant risk reduction can be achieved for businesses, especially those relying heavily on PayPal for e-commerce, by implementing endpoint protection solutions and employee training programs. The alleged theft of PayPal credentials serves as a stark reminder of the fragile balance between trust and e-commerce in general. 

In spite of the fact that PayPal may not have suffered any direct breaches, the reputational fallout of its brand and its users still lingers, especially when the company's brand is compromised. With the rise of cybercrime marketplaces, stolen or recycled data will likely continue to be retrieved, repackaged, and sold to eager customers for the foreseeable future. 

The only way to stay ahead of attackers is to practice proactive security, so the only way to protect yourself is to stay ahead of them. As a result, whether the 15.8 million credentials that were advertised by “Chucky_BF” represented a real new breach, a compilation of stolen logs, or simply a rebranded dump of older leaks, the underlying issue remains the same: in today's digital economy, personal data is a commodity and vigilance is not optional - it is the price of taking part. 

The lesson from this episode is clear: your password should not be changed after confirmation, but now rather than later. Considering the ever-expanding digital landscape, incidents such as the alleged sale of PayPal credentials underscore a more important truth that security is no longer just an optional layer of protection, but a fundamental responsibility of everyone involved in the online economy today. In addition to immediate countermeasures like password resets or multifactor authentication, users must adopt a mindset of continuous cyber-resilience in addition to these immediate countermeasures. 

Digital accounts should be treated in the same way as physical assets in order to prevent them from being compromised. It is essential to pay close attention to the evolving nature of threats and take the time to utilise tools that go beyond basic security hygiene to detect compromised credentials early, such as hardware security keys, zero-trust authentication models, and regular dark web monitoring. 

There is no doubt that in an environment where a brand's reputation is fragile, cybersecurity awareness is integral to a business's daily operations, especially for small businesses that rely heavily on platforms like PayPal. By embedding cybersecurity awareness into everyday operations, businesses are not only protecting revenues but also strengthening customer trust. 

A proactive approach to layered defences can ultimately be a source of peace of mind for the individual, who is confident that he or she will not be perpetually vulnerable to unseen adversaries while transacting, communicating, and operating online. Cybersecurity may seem complicated at first glance, but it is the discipline of foresight, vigilance, and accountability that ensures digital trust remains strong in the long run.

Fake Telegram Premium Website Spreads Lumma Stealer Malware

 

Cybersecurity researchers have uncovered a malicious campaign that uses a fraudulent Telegram Premium website to distribute a dangerous variant of the Lumma Stealer malware. According to a report by Cyfirma, the fake domain telegrampremium[.]app closely imitates the official Telegram Premium branding and hosts a file named start.exe.

The executable, developed in C/C++, is automatically downloaded when a user visits the site—no clicks required. Once executed, it collects sensitive data, including stored browser credentials, cryptocurrency wallet information, and system details, significantly raising the risk of identity theft. The site acts as a drive-by download, meaning malware is delivered without user consent.

Researchers noted the executable’s high entropy, indicating the use of a cryptor to conceal its operations and evade traditional security detection. Static analysis revealed that the malware imports numerous Windows API functions, giving it the ability to alter files, edit registry entries, access the clipboard, launch further payloads, and bypass defenses.

The Lumma Stealer variant also makes DNS queries through Google’s public DNS, sidestepping corporate network restrictions. It communicates with legitimate platforms like Telegram and Steam Community for possible command-and-control (C2) operations, while also relying on algorithmically generated domains to avoid domain takedowns.

The attackers rely on newly registered infrastructure, pointing to short-lived but highly targeted operations. The malware also drops disguised files in the %TEMP% directory, including encrypted payloads hidden as image files. These are later renamed and executed as obfuscated scripts, which help the malware erase its tracks.

Advanced evasion techniques include the use of commands like Sleep to delay execution and LoadLibraryExW to discreetly load DLLs, making early detection more difficult for security analysts.

How to Stay Safe
  • Deploy endpoint detection and response (EDR) tools that can spot behaviors linked to Lumma Stealer
  • Block known malicious domains
  • Enforce strict download restrictions to prevent drive-by attacks
  • Use multi-factor authentication (MFA) to minimize damage from stolen credentials
  • Rotate credentials regularly to limit attackers’ long-term access
  • Continuously monitor for unusual activity to ensure swift response

Crypto24 ransomware uses custom “EDR-blinding” tool to hit high-value targets




A threat group tracked as Crypto24 is attacking large organizations across the U.S., Europe, and Asia, aiming at finance, manufacturing, entertainment, and technology firms. First discussed publicly on security forums in September 2024, the group has since shown mature tradecraft, according to researchers monitoring its campaigns.


How they gain and keep access

After breaking in, the attackers enable built-in administrator accounts on Windows machines or create new local admins to keep a quiet foothold. They run a scripted recon phase that lists user accounts, profiles hardware, and maps disks. For persistence, they add malicious Windows services and scheduled tasks, most notably:

WinMainSvc: a keylogger that pretends to be “Microsoft Help Manager,” recording active window titles and keystrokes (including Ctrl/Alt/Shift and function keys).

MSRuntime: a loader that later launches the file-encrypting payload.


How they bypass security tools

Crypto24 deploys a customized version of the open-source RealBlindingEDR utility to neutralize endpoint detection and response (EDR) products. The tool reads a driver’s metadata to extract the vendor name, compares it to a built-in list, and, on a match, tampers with kernel callbacks/hooks to “blind” detections. Vendors targeted include Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, Cynet, McAfee, Bitdefender, Broadcom (Symantec), Cisco, Fortinet, and Acronis.

On systems running Trend Micro, the operators have been seen, once they have admin rights — launching the legitimate XBCUninstaller.exe (Trend Vision One’s uninstaller) via gpscript.exe (a Group Policy script runner). The tool is intended for support tasks like cleaning inconsistent agents, but here it’s repurposed to remove protections so follow-on payloads can run undetected.


How they move and what they steal

For lateral movement, the intruders rely on SMB shares to copy tools and spread across the network. Before encryption, they exfiltrate data to Google Drive, using a custom program that calls the Windows WinINET API to talk to the cloud service. This gives them an off-network stash of sensitive files for double-extortion.


What remains unknown

Researchers have not yet published details about the final ransomware stage, such as the encryption method, ransom note, payment channel, or any language/branding clues. However, they have released indicators of compromise (IOCs) to help defenders detect and block the intrusions earlier in the kill chain.


Why it matters

Crypto24 blends custom malware with “living-off-the-land” techniques and legitimate admin tools, making alerts easier to miss. Organizations should harden admin account policies, monitor for suspicious driver tampering and service creation, restrict outbound cloud traffic where possible, and use the published IOCs to hunt proactively.


Hackers Are Spreading Malware Through SVG Images on Facebook


The growing trend of age checks on websites has pushed many people to look for alternative platforms that seem less restricted. But this shift has created an opportunity for cybercriminals, who are now hiding harmful software inside image files that appear harmless.


Why SVG Images Are Risky

Most people are familiar with standard images like JPG or PNG. These are fixed pictures with no hidden functions. SVG, or Scalable Vector Graphics, is different. It is built using a coding language called XML, which can also include HTML and JavaScript, the same tools used to design websites. This means that unlike a normal picture, an SVG file can carry instructions that a computer will execute. Hackers are taking advantage of this feature to hide malicious code inside SVG files.


How the Scam Works

Security researchers at Malwarebytes recently uncovered a campaign that uses Facebook to spread this threat. Fake adult-themed blog posts are shared on the platform, often using AI-generated celebrity images to lure clicks. Once users interact with these posts, they may be asked to download an SVG image.

At first glance, the file looks like a regular picture. But hidden inside is a script written in JavaScript. The code is heavily disguised so that it looks meaningless, but once opened, it runs secretly in the background. This script connects to other websites and downloads more harmful software.


What the Malware Does

The main malware linked to this scam is called Trojan.JS.Likejack. Once installed, it hijacks the victim’s Facebook account, if the person is already logged in, and automatically “likes” specific posts or pages. These fake likes increase the visibility of the scammers’ content within Facebook’s system, making it appear more popular than it really is. Researchers found that many of these fake pages are built using WordPress and are linked together to boost each other’s reach.


Why It Matters

For the victim, the attack may go unnoticed. There may be no clear signs of infection besides strange activity on their Facebook profile. But the larger impact is that these scams help cybercriminals spread adult material and drive traffic to shady websites without paying for advertising.


A Recurring Tactic

This is not the first time SVG files have been misused. In the past, they have been weaponized in phishing schemes and other online attacks. What makes this campaign stand out is the combination of hidden code, clever disguise, and the use of Facebook’s platform to amplify visibility.

Users should be cautious about clicking on unusual links, especially those promising sensational content. Treat image downloads, particularly SVG files with the same suspicion as software downloads. If something seems out of place, it is safer not to interact at all.

WinRAR Flaw Exploited as Zero-Day to Spread RomCom Malware in Phishing Attacks

 

A recently patched security flaw in WinRAR, identified as CVE-2025-8088, was weaponized as a zero-day exploit in phishing campaigns to deliver the RomCom malware, security researchers revealed.

The vulnerability, a directory traversal bug, was addressed in WinRAR version 7.13. It enabled attackers to craft malicious archives that could extract files into arbitrary file paths defined by the attacker rather than those selected by the user.

According to the WinRAR 7.13 changelog: "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path."

It further clarified that "Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected."

By exploiting this flaw, attackers could place executables in Windows autorun directories, such as:
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-specific)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
This ensured that the malicious files would automatically run on the next reboot, giving attackers remote code execution capabilities.

Since WinRAR lacks an auto-update mechanism, users are urged to manually download the latest version from win-rar.com to protect themselves against this vulnerability.

The vulnerability was uncovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. Strýček confirmed to BleepingComputer that the bug was actively exploited: "ESET has observed spearphishing emails with attachments containing RAR files," he said.

These malicious archives were used to deploy RomCom backdoors. Also known as Storm-0978, Tropical Scorpius, or UNC2596, RomCom is a Russia-linked cybercrime group tied to ransomware, credential theft, and extortion operations.

The group has a track record of leveraging zero-day exploits and developing custom malware to maintain persistence, steal sensitive data, and conduct espionage operations. RomCom has also been associated with ransomware families such as Cuba and Industrial Spy.

ESET confirmed that a detailed report on the exploitation of this flaw will be released in the coming weeks.

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware strikes again. This time, it has abused an Intel CPU tuning driver to stop Microsoft Defender in attacks from EDRs and security tools active on target devices.

Windows defender turned off for attacks

The exploited driver is called “rwdrv.sys” (used by ThrottleStop), which the hackers list as a service that allows them to gain kernel-level access. The driver is probably used to deploy an additional driver called “hlpdrv.sys,” a hostile tool that modifies Windows Defender to shut down its safety features.

'Bring your own vulnerable driver' attack

Experts have termed the attack “Bring your vulnerable driver (BYOVD), where hackers use genuine logged-in drivers that have known bugs that can be exploited to get privilege escalation. The driver is later used to deploy a hostile that turns off Microsoft Defender. According to the experts, the additional driver hlpdrv.sys is “similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.” The malware achieves this by executing regedit.exe. 

Discovery of the Akira ransomware attack

The technique was observed by Guidepoint Security, which noticed repeated exploitation of the rwdrv.sys driver in Akira ransomware attacks. The experts flagged this tactic due to its ubiquity in the latest Akira ransomware incidents. “This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” the report said. 

To assist security experts in stopping these attacks, Guidepoint Security has offered a YARA rule for hlpdrv.sys and complete indicators of compromise (IoCs) for the two drivers, as well as their file paths and service names.

SonicWall VPN attack

Akira ransomware was also recently associated with SonicWall VPN attacks. The threat actor used an unknown bug. According to Guidepoint Security, it could not debunk or verify the abuse of a zero-day flaw in SonicWall VPNs by the Akira ransomware gang. Addressing the reports, SonicWall has advised to turn off SSLVPN, use two-factor authentication (2FA), remove inactive accounts, and enable Botnet/Geo-IP safety.

The DFIR report has also released a study of the Akira ransomware incidents, revealing the use of Bumblebee malware loader deployed through trojanized MSI loaders of IT software tools.

New Malware Campaign Using Legitimate-Looking Software Targets Users Worldwide

 

Cybersecurity experts are warning about a new wave of cyberattacks involving PXA Stealer, a sophisticated info-stealing malware now spreading rapidly across multiple countries. Originally detected by Cisco Talos researchers, PXA Stealer, written in Python was initially deployed against government agencies and educational institutions in Europe and Asia. 

However, its operators, believed to be Vietnamese-speaking cybercriminals, have shifted focus to everyday users in the U.S., South Korea, the Netherlands, Hungary, and Austria. 

According to SentinelOne, the campaign has already compromised over 4,000 unique IP addresses in 62 countries. The malware is designed to harvest browser-stored passwords, cookies, credit card information, autofill data, cryptocurrency wallet keys, and credentials from applications like Discord. Sideloading Tactics to Evade Detection The attackers are leveraging “sideloading” techniques to bypass antivirus detection. 

Victims are lured through phishing sites or tricked into downloading ZIP archives containing a legitimate, signed copy of Haihaisoft PDF Reader alongside a malicious DLL file. Once installed, the DLL ensures persistence via the Windows Registry and downloads additional payloads often hosted on platforms like Dropbox. 

When the PDF reader is launched, the malware executes a script that prompts Microsoft Edge to open a booby-trapped PDF file. Although the file triggers an error message instead of displaying content, the infection process is already complete. In another variation of the campaign, a fake Microsoft Word 2013 executable is sent as an email attachment. 

It looks like a standard document but executes a different DLL with the same malicious objective deploying PXA Stealer. Telegram Used for Data Theft Once the malware collects the stolen data, it transmits it via Telegram to the attackers, who then sell the information on underground forums and the dark web. 

Experts advise extreme caution with unsolicited emails, links, and attachments, even when they appear legitimate. Hovering over links to check their destination and avoiding downloads from unknown senders are essential safety steps. Users are also urged not to store sensitive information such as passwords or credit card details in their web browsers. Instead, dedicated password managers and secure payment methods are recommended. 

While antivirus tools remain an important layer of defence, the advanced evasion methods used in this campaign highlight the need for strong user vigilance. With PXA Stealer’s shift from targeting high-profile organisations to everyday users, security professionals warn that more variants of the malware may emerge in future attacks.

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary


Cybersecurity experts have discovered a new infrastructure suspected to be used by spyware company Candiru to target computers via Windows malware.

DevilsTongue spyware targets Windows systems

The research by Recorded Future’s Insikt Group disclosed eight different operational clusters associated with the spyware, which is termed as DevilsTongue. Five are highly active, including clusters linked to Hungary and Saudi Arabia. 

About Candiru’ spyware

According to the report, the “infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators.” While a few clusters directly handle their victim-facing infrastructure, others follow an intermediary infrastructure layers approach or through the Tor network, which allows threat actors to use the dark web.

Additionally, experts discovered another cluster linked to Indonesia that seemed to be active until November 2024. Experts couldn’t assess whether the two extra clusters linked with Azerbaijan are still active.

Mode of operation

Mercenary spyware such as DevilsTongue is infamous worldwide, known for use in serious crimes and counterterrorism operations. However, it also poses various legal, privacy, and safety risks to targets, their companies, and even the reporter, according to Recorded Future.

Windows itself has termed the spyware Devil's Tongue. There is not much reporting on its deployment techniques, but the leaked materials suggest it can be delivered via malicious links, man-in-the-middle attacks, physical access to a Windows device, and weaponized files. DevilsTongue has been installed via both threat actor-controlled URLs that are found in spearphishing emails and via strategic website attacks known as ‘watering hole,’ which exploit bugs in the web browser.

Insikt Group has also found a new agent inside Candiru’s network that is suspected to have been released during the time when Candiru’s assets were acquired by Integrity Partners, a US-based investment fund. Experts believe that a different company might have been involved in the acquisition.

How to stay safe?

In the short term, experts from Recorded Future advise defenders to “implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices.” In the long term, organizations are advised to invest in robust risk assessments to create effective policies.

Scattered Spider Targets VMware ESXi Hosts in Rapid, High-Impact Cyber Attacks Across North America

 

A notorious cybercrime group known as Scattered Spider is ramping up sophisticated attacks on VMware ESXi hypervisors, zeroing in on critical infrastructure across North America’s retail, airline, and transportation sectors. Also referred to as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the group is renowned for bypassing traditional security measures through elaborate social engineering campaigns rather than exploiting software vulnerabilities. 

In a recent in-depth analysis, Google’s Mandiant unit revealed that the group’s hallmark tactic involves impersonating employees during phone calls to IT help desks. Once initial access is secured, attackers proceed with highly targeted and well-organized operations, focusing on core enterprise systems and sensitive data. "Their campaigns are aggressive, precise, and driven by human engineering more than by code,” noted Mandiant researchers. 

Rather than launching broad opportunistic attacks, Scattered Spider operates with an almost surgical approach. The group frequently mimics legitimate IT infrastructure by registering domain names resembling official portals — including variations like victimname-sso[.]com, victimname-servicedesk[.]com, and sso-victimname[.]com. 

To counter the evolving tactics of groups like Scattered Spider, cybersecurity experts advise a layered and proactive defense strategy. At the infrastructure level, organizations should enable lockdown mode in VMware vSphere, enforce the use of only signed binaries through execInstalledOnly, apply VM encryption, retire outdated virtual machines, and strengthen help desk protocols to prevent social engineering exploits. 

Identity security is equally crucial, companies must implement phishing-resistant multi-factor authentication, segregate critical identity systems, and avoid authentication loops that could be exploited by attackers. 

Additionally, effective monitoring and backup practices are essential. This includes centralizing log collection for better threat visibility, ensuring backups are stored separately from production Active Directory environments, and making them inaccessible to compromised administrators. These measures collectively form a more resilient defense posture, helping organizations detect, contain, and recover from sophisticated intrusion attempts targeting their virtual infrastructure.

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Emerging Koske Malware Leverages Visual Deception on Linux Platforms


 

The new Linux malware strain, Kosk, has emerged in a striking demonstration of how artificial intelligence is being used to fight cybercrime. In a remarkable development in how cybercrime intersects with artificial intelligence, the malware uses stealthy delivery mechanisms and AI-assisted development to deploy cryptomining payloads. 

Koske disguises himself behind seemingly harmless images of pandas and uses dropper techniques and advanced evasion tactics in order to infiltrate target systems using a variety of techniques. Aqua Nautilus, Aqua Security's threat intelligence team, reports that the malware's code structure indicates a large language model (LLM) influence on its code structure. 

It is believed that Koske, a sophisticated Linux threat, has evidently been developed using artificial intelligence tools, as the malware was partially generated or optimised using them. According to Aqua researcher Assaf Morag, "Koske, a sophisticated Linux threat, shows clear signs of artificial intelligence-assisted development." A new generation of adaptable and highly specialised malware is now available on the market. Koske is characterised by modular payloads, persistent rootkits, and innovative steganographic delivery methods. 

Koske represents an entirely new type of malware, able to perform one unique goal: the unauthorised mining of cryptocurrency on a large scale. As discovered by Aqua Nautilus researchers through a honeypot, the malware strain known as Koske combines a unique blend of advanced threat engineering, automation, and artificial intelligence. 

According to the Koske cryptominer manual, the application is designed in such a way that it will assess the processing capabilities of the host environment and then deploy GPU-or CPU-optimised miners that are tailored specifically for extracting value from a wide range of digital assets, including Monero and Ravencoin. In his opinion, Koske was almost entirely artificial intelligence-generated, according to Assaf Morag, Aqua Nautilus' Director of Threat Intelligence. Several indicators within the code itself supported this assessment, such as context-aware, explanatory comments and a structurally consistent, machine-like coding style that was consistent with the underlying code. 

Koske stands out from a crowd of malware generated by artificial intelligence in 2025 by providing levels of sophistication that can rival—and in some cases exceed—that of traditional, manually crafted malware strains. In a brilliant demonstration of deception mixed with technical sophistication, Koske exploits a misconfigured JupyterLab instance exposed to the internet to gain initial system access. 

Once the attackers have penetrated the system, they execute remote commands to retrieve two panda-themed JPEG images that have been hosted by legitimate websites like Postimage, OVH Images, and Freeimage that have been compromised. Although these images may appear harmless, they are in fact polyglot files that conceal executable scripts, allowing them to run arbitrary commands on the host computer as long as they are hidden within the files. 

Research by AquaSec suggests that the malware's architecture was shaped by automation frameworks or large language models, which contributed to the malware's modularity and scalability. After Koske has been executed, it activates both GPU- and CPU-optimised cryptocurrency miners that exploit system resources to mine over 18 digital assets, including Monero, Tari, Zano, Ravencoin, and Nexa, among others. In the future, Koske could evolve to incorporate real-time adaptive capabilities, positioning it as a precursor to a class of AI-assisted cyber threats that are expected to prove more powerful in the future. 

As a stunning example of the dual-purpose manipulation of files, Koske uses polyglot files rather than traditional steganography to conceal the malicious payloads, a method that illustrates its technical ingenuity as a hacker. Aqua Security points out that these files are structured in such a way that they can be understood as both valid JPEG images as well as executable scripts, depending on what context they are accessed.

There appears to be no harm in the fact that the files are innocent panda-themed images to the casual user, but upon processing by a script interpreter, the files contain shell scripts and C code embedded within. It is important to note that each image file within the attack chain contains its own payload, which is executed simultaneously upon activation. 

It is common for these payloads to consist of C code that is directly written to memory, compiled, and then run as a shared object (.so) file, which functions as a rootkit. In addition to overriding the readdir() function, the rootkit uses LD_PRELOAD to conceal malware-related processes, files, and directories from user space monitoring tools, thereby causing the malware to appear as if it were unrelated to them. 

Besides hardcoded keywords like koske and hideproc, the data is filtered using hidden process identifiers located in /dev/shm/.hiddenpid, as well. In addition to this payload, there is a stealth shell script implemented by hacking native Linux utilities in order to execute it entirely in memory. Through the use of cron jobs that run every 30 minutes and custom system services, persistence is established. 

As part of the script, Cloudflare and Google DNS are rewritten into /etc/resolv.conf, chattr +i attribute is added to it, iptables rules are flushed, proxy environment variables are reset, and a custom module is deployed to brute-force operational proxies using curl, wget, and raw TCP calls in order to further enhance operational security.

According to AquaSec researchers, this degree of adaptability, combined with the fact that Koske executes in memory and has a minimal forensic footprint, strongly suggests that automation frameworks or large language models may have been used in the development of the application. Koske's exemplifies how artificial intelligence is playing an increasingly prominent role in cyber warfare as a whole, signalling a significant shift in the cyber threat landscape. 

It was observed by Aqua Security analysts that the malware's codebase had several characteristics that suggested an AI-assisted development process. These included verbose scripts with well-commented comments, clean logic structures with a modular approach, and consistent defensive programming techniques. In addition, the malware contains Serbian language strings in some functions, which are likely to have been inserted to obscure the malware's true origin or to make attribution attempts difficult.

In the Aqua team's opinion, Koske may be an early indicator of a bigger trend: a weaponisation of artificial intelligence by malicious actors that could be a larger trend over time. While defenders have increasingly adopted AI as a way of detecting threats and automating processes, adversaries are also beginning to use the same technology to enhance obfuscation, develop polymorphic code, and implement adaptive features that may make it difficult to detect and attribute a cyberattack. 

There is an arms race going on between attackers and cybersecurity teams due to the dual-use potential of AI. It is recommended that organisations maintain a proactive monitoring system for shell file changes, unexpected startup behaviours, and changes to DNS configurations or systemd services. Each of these changes may indicate that malicious activity has occurred. The container security tools should also be optimised so they can prevent rootkit injection as well as block unknown binaries.

In the face of the next generation of malware, Koske stands as a warning not simply of the skillfulness of human hackers but likewise of the increasing influence of artificial intelligence on the next generation of malware, which raises the stakes for security professionals across multiple industries. The Aqua Security team stresses that organizations must adopt a more proactive and layered defense strategy in light of Koske's advanced capabilities and stealthy infection vectors, as well as adopt a proactive, layered defense strategy. 

As a first line of defence, people need to audit and secure all exposed instances of JupyterLab, which is commonly used in Koske campaigns. People also need to disable unnecessary services and enforce robust access controls to protect the environment. Likewise, it is imperative to continuously monitor system activity for anomalies like executions that take place only in memory, or cron jobs that are unauthorised, or the misuse of native Linux utilities, to establish persistence. 

Given that the threat consists of hybrid elements - image files that act as scripts as well as executables - traditional signature-based defences may be insufficient. It is Aqua's recommendation to deploy behaviour-based detection tools in order to identify suspicious execution patterns. These tools are especially helpful for bypassing disk-based traces, and Aqua recommends doing so. 

Furthermore, organisations are advised to revise their incident response plans to accommodate AI-assisted, polymorphic threats such as Koske, which blur the lines between conventional malware and intelligent automation. Security teams can greatly benefit from integrating these countermeasures to be more equipped in detecting, containing, and neutralising emerging cyberattacks whose intelligence and adaptability are on the rise. 

In Koske's opinion, the evolution of cyber threats has reached a critical point, where artificial intelligence, automation, and sophisticated evasion techniques have converged to create malware that is more agile, stealthy, and adaptive than ever before. Apart from its cryptomining function, Koske also illustrates the shift towards intelligent, modular, and self-sustaining threats that challenge traditional security assumptions in a way that is beyond the scope of crypto mining. 

Incorporating polyglot files, memory-resident execution and AI-generated code into attacks demonstrates how attackers are rapidly evolving, leveraging the same technologies that are used by defenders to defend themselves. The data from Koske indicates that organisations need to take proactive measures to defend themselves against modern threats. They need to be able to detect threats using behaviour-based detection, hardened environments, and proactive monitoring. 

As attackers begin to use artificial intelligence more and more industrially, Koske's discovery is only the beginning. This discovery reminds us that in the era of intelligent automation, cyber defence must be equally agile, adaptable, and forward-looking.

Fake Dating Apps Target Users in a New Appstore Phishing Campaign

Fake Dating Apps Target Users in a New Appstore Phishing Campaign

Malicious dating apps are stealing user information

When we download any app on our smartphones, we often don't realize that what appears harmless on the surface can be a malicious app designed to attack our device with malware. What makes this campaign different is that it poses as a utility app and uses malicious dating apps, file-sharing apps, and car service platforms. 

When a victim installs these apps on their device, the apps deploy an info-stealing malware that steals personal data. Threat actors behind the campaign go a step further by exposing victims’ information if their demands are not met.

iOS and Android users are at risk

As anyone might have shared a link to any malicious domains that host these fake apps, Android and iOS users worldwide can be impacted. Experts advise users to exercise caution when installing apps through app stores and to delete those that seem suspicious or are not used frequently. 

Zimperium’s security researchers have dubbed the new campaign “SarangTrap,” which lures potential targets into opening phishing sites. These sites are made to mimic famous brands and app stores, which makes the campaign look real and tricks users into downloading these malicious apps. 

How does the campaign work?

After installation, the apps prompt users to give permissions for proper work. In dating apps, users are asked to give a valid invitation code. When a user enters the code, it is sent to a hacker-controlled server for verification, and later requests are made to get sensitive information, which is then used to deploy malware on a device. This helps to hide the malware from antivirus software and other security checks. The apps then show their true nature; they may look real in the beginning, but they don’t contain any dating features at all.

How to stay safe from fake apps

Avoid installing and sideloading apps from unknown websites and sources. If you are redirected to a website to install an app instead of the official app store, you should immediately avoid the app.

When installing new apps on your device, pay attention to the permissions they request when you open them. While it is normal for a text messaging app to request access to your texts, it is unusual for a dating app to do the same. If you find any permission requests odd, it is a major sign that the app may be malicious.

Experts also advise users to limit the number of apps they install on their phones because even authentic apps can be infected with malicious code when there are too many apps installed on your device.