
FBI Issues Alert as BADBOX 2.0 Malware Infects Over 1 Million Devices, Hijacking Home Networks Worldwide

The FBI has issued a critical warning regarding a massive malware campaign—dubbed BADBOX 2.0—which has compromised over 1 million Internet-connected consumer devices, including smart TVs, Android tablets, projectors, and streaming boxes. The malware, often embedded in Chinese-manufactured IoT devices, turns them into residential proxies exploited by cybercriminals to mask their activities.

"The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," the FBI stated.

The infection typically occurs when users purchase devices preloaded with malicious firmware or unknowingly install compromised apps from third-party stores or, occasionally, even Google Play. During initial setup, these apps introduce backdoors, linking the devices to command and control (C2) servers, where attackers remotely execute various malicious operations.

These include:
  • Residential Proxy Networks: Using victims' home IP addresses to route traffic and hide malicious activity.
  • Ad Fraud: Background ad-clicking to generate illegitimate revenue.
  • Credential Stuffing: Attempting unauthorized logins using stolen credentials, hidden behind compromised IPs.

"Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," the FBI added.

The original BADBOX malware was discovered in 2023 on low-cost Android TV boxes such as the T95. Though a 2024 takedown effort by Germany’s cybersecurity agency temporarily crippled the botnet by disrupting its infrastructure, attackers quickly rebounded. Within a week, nearly 192,000 new infections were recorded—including among more reputable devices like Yandex TVs and Hisense smartphones.

According to HUMAN's Satori Threat Intelligence, over 1 million devices were compromised by March 2025. The malware predominantly affects Android Open Source Project (AOSP) devices—not those certified by Google Play Protect or running official Android TV OS. Researchers observed BADBOX 2.0 activity in 222 countries and territories, with the highest infection rates reported in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).

"This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand', uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

Despite another coordinated disruption effort by HUMAN, Google, Trend Micro, and other partners—successfully preventing 500,000 infected devices from reaching command servers—the malware campaign persists, fueled by ongoing global sales of vulnerable devices.

Red flags indicating BADBOX 2.0 infection include:

  • Suspicious or third-party app stores preloaded on the device
  • Disabled Google Play Protect
  • Claims of free or unlocked streaming access
  • Unbranded or unknown device manufacturers
  • Unusual Internet traffic patterns

The FBI advises consumers to take the following precautions:

  • Audit all connected smart devices for abnormal behavior
  • Avoid downloading apps from unofficial sources
  • Monitor home network traffic regularly
  • Ensure devices are updated with the latest firmware
  • Immediately disconnect any suspected devices from the Internet

If compromised, isolating the affected device from the network can help prevent further damage and disrupt the malware’s control path.

Predator Spyware Activity Resurfaces in Mozambique Using Novel Techniques

The recent discovery of new infrastructure tied to Predator spyware implies that the surveillance technology is still finding new customers, despite the fact that its backers have faced rounds of US sanctions since July 2023.

In research published earlier this week, Insikt Group researchers said they have linked the sophisticated spyware to operators in Mozambique for the first time. According to Insikt, Mozambique is one of many African countries where the spyware has arrived, with the continent accounting for more than half of all known Predator users.

A further discovery in the investigation reveals "the first technical connection made between Predator infrastructure and corporate entities associated with the Intellexa Consortium," according to Insikt, referring to the organisation believed to be supporting Predator. Intellexa was among the entities sanctioned by the United States.

The revelation is the result of an Insikt investigation into entities tied to Dvir Horef Hazan, a Czech bistro owner, entrepreneur, and programmer who a Czech news site claims worked for Intellexa. A Greek law enforcement investigation into the possible Predator targeting of journalist Thanasis Koukakis further claimed that Intellexa transferred about €3 million (around $3.5 million) to Hazan and his enterprises.

The specifics of Hazan's alleged work for Intellexa are unclear, but Insikt claims it discovered a link between Predator's multi-tiered infrastructure and a Czech business indirectly linked to Hazan. 

According to the researchers, Predator's basic infrastructure has remained mostly unchanged, although there is evidence that operators have developed the spyware to make it more difficult to detect on a device. 

Insikt's recent findings reflect prior allegations indicating that Predator activities persisted following the US government's measures in July 2023. Initially, the Commerce Department placed Intellexa and a subsidiary unit, Cytrox, on the Entity List, which limits how companies conduct business with the United States and tarnishes their reputation. Then, in 2024, federal agencies acted twice to ban Predator-related organisations.

New Malware Called ‘PathWiper’ Discovered in Ukraine Cyberattack

A new type of harmful computer program, known as ‘PathWiper,’ has recently been found during a cyberattack on an important organization in Ukraine. Security researchers from Cisco Talos reported this incident but did not reveal the name of the affected organization.

Experts believe the attackers are linked to a Russian hacking group that has been known to target Ukraine in the past. This discovery adds to the growing concerns about threats to Ukraine’s key systems and services.


How the Cyberattack Happened

According to the researchers, the hackers used a common tool that companies normally use to manage devices in their networks. The attackers seem to have learned exactly how this tool works within the victim’s system and took advantage of it to spread the malware across different computers.

Because the attack was carried out using this familiar software, it likely appeared as normal activity to the system’s security checks. This made the hackers’ movements harder to notice.


What Makes PathWiper Different

Malware that destroys files, known as “wiper” malware, has been used in Ukraine before. However, PathWiper works in a more advanced way than some of the older malware seen in past attacks.

In earlier cases, malware like HermeticWiper simply searched through storage drives in a straight list, going one by one. PathWiper, however, carefully scans all connected storage devices, including those that are currently not active. It also checks each device’s labels and records to make sure it is targeting the right ones.

In addition, PathWiper can find and attack shared drives connected over a network. It does this by looking into the system’s registry, the area where Windows stores important system details, to locate the specific paths to these network drives.


Why This Is Serious

The way PathWiper is built shows that cyber attackers are continuing to create more advanced and more damaging tools. This malware’s ability to carefully search and destroy files across many connected devices makes it especially dangerous to organizations that provide essential services.

Even though the war between Russia and Ukraine has been going on for a long time, cyber threats like this are still growing and becoming more complex. Security experts are warning companies in Ukraine to be extra careful and make sure their protective systems are up to date.


Staying Careful and Updated

It is very important to keep track of new information about this malware. Companies often fix security problems quickly, and attackers may also change their methods. Writers and researchers covering such topics must carefully check for updates and confirm facts using reliable sources to avoid sharing old or incorrect details.

Cisco Talos is continuing to watch this situation and advises organizations to stay alert.

Fake Booking.com CAPTCHAs Are Tricking Travelers Into Installing Malware

Cybercriminals are exploiting vacationers in a deceptive phishing campaign that mimics the well-known online travel agency, Booking.com. According to cybersecurity researchers at Malwarebytes Labs, this scam uses bogus CAPTCHA prompts to trick users into giving hackers remote access to their devices, compromising both personal and financial information.

The attack typically starts with links shared on social media platforms or gaming websites, sometimes even appearing as sponsored advertisements. These links redirect users to fraudulent sites impersonating Booking.com—a legitimate OTA (online travel agency) widely used for booking flights, hotels, car rentals, and travel packages.

Once a user clicks on the deceptive link, a counterfeit CAPTCHA prompt appears, asking them to check a box. This step secretly copies a command to the user's clipboard. The next prompt instructs users to run a specific keystroke combination on their device—a red flag, as this is not part of any authentic CAPTCHA process.

Behind the scenes, the copied text contains a PowerShell command. Executing it initiates the download of several files that install a Remote Access Tool (RAT) known as Backdoor.AsyncRAT. This software enables attackers to remotely monitor and take control of the victim's system.

How to identify and protect yourself from the Booking.com RAT scam:

Always verify URLs: Malwarebytes Labs highlights that these fake domains shift regularly and vary in how legitimate they appear. Some might resemble real Booking.com URLs, like (booking.)guestsalerts[.]com, while others are more obscure, such as kvhandelregis[.]com. The safest approach is to avoid clicking on social media links or ads and instead navigate directly to the website by typing the URL into your browser’s address bar.
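The check described above can be made mechanical: what identifies a site is its registrable domain, not whether "booking" appears somewhere in the URL. The following is an added example (not code from the original post or from Malwarebytes Labs); the abbreviated PUBLIC_SUFFIXES set and every sample URL other than the two hosts quoted above are constructed for illustration.

```python
"""Registrable-domain check for lookalike booking URLs.

Added example, not code from the original post or from Malwarebytes Labs.
It shows why a hostname such as booking.guestsalerts.com is NOT booking.com:
what matters is the registrable domain (the label just left of the public
suffix), not whether a trusted brand name appears somewhere in the URL.
PUBLIC_SUFFIXES is a small constructed subset standing in for the real
Mozilla Public Suffix List; a production check should load the full list.
"""
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}

# The legitimate domain the phishing pages impersonate.
TRUSTED_DOMAIN = "booking.com"


def refang(url: str) -> str:
    """Undo the defanging used in threat reports, e.g. 'example[.]com'."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (scheme optional, defanged ok).

    urlsplit() handles the 'https://booking.com@evil.net/' trick correctly:
    everything before '@' is userinfo, and the real host is evil.net.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    booking.guestsalerts.com -> guestsalerts.com
    secure.booking.com       -> booking.com
    booking.com.br           -> booking.com.br (a different registrant)
    """
    labels = host.lower().split(".")
    # Find the longest public suffix that ends the hostname, then keep one
    # more label: that extra label is what the registrant actually owns.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means the trusted brand name appears in the URL while the
    registrable domain is something else: the pattern the scam relies on.
    """
    host = host_of(url)
    if registrable_domain(host) == trusted:
        return "trusted"
    brand = trusted.split(".")[0]
    if brand in refang(url).lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs: the two defanged hosts are the ones the post
    # quotes, the rest are made up to show common impersonation tricks.
    samples = [
        "https://www.booking.com/hotel/gb/example.html",
        "https://booking.guestsalerts[.]com/verify",
        "hxxp://kvhandelregis[.]com/",
        "https://booking.com@evil.net/login",
        "https://booking.com.br/",
        "https://secure-booking.com/",
    ]
    for url in samples:
        print(f"{classify(url):9s} {url}")
```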

Avoid using search engines for travel bookings: Searching for travel deals on platforms like Google may expose you to “malvertising,” where scammers replicate trusted brands to lure users through top-ranking sponsored results. It’s better to book directly with hotels, airlines, or verified OTAs.

Don’t trust CAPTCHA forms from unknown sources:
"Be wary of following instructions, such as executing commands, from websites, CAPTCHA forms, or social media videos, which can easily trick you into installing malware."

Disabling JavaScript in your browser can block clipboard-based exploits, though it may also interfere with the functionality of many legitimate websites.

Cybersecurity experts continue to stress vigilance, especially during peak travel seasons when scammers often ramp up such campaigns.

US Federal Authorities Disrupt Growing Malware Pyramid Network

A new study by Secureworks' Counter Threat Unit (CTU) has revealed that ransomware operations have shifted significantly in response to heightened law enforcement crackdowns, forcing threat actors to evolve their strategies accordingly. There has been a tradition of many ransomware groups relying on affiliate models, including the LockBit gang, which involves recruiting external partners to carry out attacks in exchange for a share of the ransom payment. 

Cybercriminal organizations are being forced to adjust in order to maintain profitability and operational reach in the face of sustained global enforcement efforts and coordinated takedowns, which are compelling them to rethink how they operate. In response to this changing landscape, groups such as DragonForce and Anubis have been observed adopting innovative frameworks for attracting affiliates and maximizing profits.

In addition to evading legal scrutiny, these emerging models also appear to be designed in such a way as to offer collaborators more incentives and flexibility than previously offered by traditional methods. In a hostile environment in which traditional tactics are becoming increasingly risky and unsustainable, these groups are readjusting their internal hierarchies and engagement strategies in order to maintain momentum. 

This evolution indicates that the underground ransomware economy is undergoing a significant transformation, driven by the growing influence of international cyber defense efforts as well as by criminals' ability to adapt to escalating pressure. More than 700,000 computers worldwide are estimated to have been infected by the malware campaign at the centre of the investigation, including approximately 200,000 systems within the United States.

Beyond the prevalence of this infiltration, 58 million dollars in financial losses have been directly linked to ransomware activities in the last 24 hours, highlighting the scale and sophistication of this criminal network. According to U.S. Attorney Martin Estrada, Operation Duck Hunt has been the largest technological and financial operation ever conducted by the Department of Justice against a botnet. The operation is a comprehensive, multi-year enforcement initiative aimed at capturing the infrastructure behind the botnet.

There was a successful operation in which 52 servers critical to the botnet were taken down and more than $8.6 million in cryptocurrency assets were seized, used to facilitate or conceal illicit gains. In spite of these remarkable achievements, cybersecurity experts caution against interpreting the disruption as a definitive victory. As is often the case when it comes to cybercrime enforcement, what appears to be the end may actually only be a temporary setback when it comes to the criminal activity. 

A cybercriminal ecosystem is resilient, adaptable, and able to evolve very quickly, which results in the emergence of new variants, techniques, or successor operations in a short period of time to fill the void left behind when a network has been dismantled. In the dynamic and ever-evolving cyber threat landscape, it is important to recognize that federal agencies are capable of performing complex takedowns, but that they also face a persistent challenge in achieving lasting impact. 

There has been a recent international crackdown targeting a particular type of malicious software called "initial access malware," which is one of the most critical enablers in the overall lifecycle of cyberattacks, according to statements released by Europol and Eurojust. As malware strains are typically deployed as early as possible in the course of a cyber-attack, they allow threat actors to quietly breach targeted systems and establish a foothold from which additional malicious payloads can be deployed, such as ransomware. 

Dismantling these tools was a central part of the authorities' effort to disrupt the foundational layer of the so-called "cybercrime-as-a-service" ecosystem, which gives cybercriminals worldwide flexible and scalable access to the services they need. As part of the coordinated operation, a number of well-known malware variants were neutralized, including Bumblebee, Latrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie, each of which has played a significant role in numerous ransomware attacks and data theft.

Authorities emphasized that striking these elements at their root greatly undermines downstream criminal operations and limits the ability of malicious actors to carry out large-scale attacks. Nearly 50 command-and-control servers were neutralized in Germany, where a significant portion of the law enforcement activity was concentrated.

The investigation was conducted by the German Federal Criminal Police Office (BKA) and the Frankfurt Public Prosecutor's Office for Cybercrime on the grounds of suspected organized extortion and affiliations with foreign criminal organizations. As part of this effort, international arrest warrants were issued for twenty individuals, most of whom are Russian nationals, and several searches were carried out specifically targeting these individuals.

This sweeping enforcement action is a continuation of Operation Endgame, regarded as the largest coordinated effort ever undertaken to fight botnets. Since its launch in 2024, the operation has seized €21.2 million in assets and demonstrated the growing global momentum behind collaborative efforts to dismantle high-impact cybercrime infrastructure. Defendant Gallyamov and his co-conspirators allegedly orchestrated highly targeted spam bomb campaigns against employees of victim organizations.

The attacks were designed to overwhelm recipients' inboxes with a barrage of messages, creating confusion and increasing the sense of urgency within them. The attackers then exploited this chaos by impersonating an internal IT employee, contacting overwhelmed victims by impersonating a technical support representative, and offering technical assistance. 

Once they had established trust and been granted access, the attackers moved quickly: stealing data, deploying malware, encrypting systems, and ultimately demanding ransoms. In this case, the backdoor was built on the highly sophisticated Qakbot malware, which was used on compromised systems to deploy further malicious payloads and to collect login credentials across networks. Such access was a valuable commodity among cybercriminals.

It has previously been suggested that Gallyamov and his network monetized these intrusions by selling access to operators of some of the most dangerous ransomware strains, such as REvil, Black Basta, and Conti. In some cases, these ransomware groups are alleged to have compensated Gallyamov not only with direct payments but also with a share of the extorted profits.

In April 2025, U.S. authorities seized more than 30 bitcoins linked to Gallyamov as well as approximately $700,000 in illicit assets. Although these financial hits may have been significant, the primary suspect remains at large in Russia, out of reach of U.S. law enforcement because of the lack of an extradition agreement. Although Gallyamov faces a high probability of capture, federal officials said it is unlikely he will be brought to justice unless he voluntarily leaves the relative safety of his country.

The incident has served as a stark reminder of just how sophisticated social engineering and malware-based attacks are becoming as time goes by. Investing in enterprise-grade antivirus solutions and implementing advanced endpoint protection platforms are two of the best ways for organizations to protect themselves against such threats. In many ways, these tools can be of great benefit in detecting unusual behavior, isolating compromised systems, and preventing the rapid escalation of attacks into full-scale data breaches or ransomware attacks that cause financial losses or reputational harm to companies.

Crocodilus Android Malware Can Now Trick Victims Using Fake Contacts

A dangerous Android malware called Crocodilus has developed a new way to fool smartphone users. It can now secretly add fake names to the contact list on an infected phone. This makes it easier for hackers to pretend they are calling from trusted people or organizations.


How Crocodilus Fools Users

When a phone is infected with Crocodilus, the malware can automatically add new contacts without the owner’s permission. These contacts can be given names that sound familiar or trustworthy, such as banks, service centers, or even personal contacts. If the hacker later calls the victim, the phone will display the fake name instead of the real caller ID, making it easier to trick the user into answering and trusting the call.

This process happens when the malware receives a secret command. It uses Android’s contact system to quickly add these fake names to the local contact list. Since these contacts are saved only on the phone, they won’t appear on other devices linked to the same Google account.


The Malware Has Spread Worldwide

Crocodilus was first discovered in March 2025 by security researchers. In the early days, it mostly affected a small number of users in Turkey. At that time, it already had tools to steal information and control infected phones from a distance. It also tried to trick people by showing fake messages, like warning users to back up their cryptocurrency wallets within 12 hours or lose access.

Recent updates show that the malware is now being used in attacks across many countries. It has also improved the way it hides itself from security checks. The updated version uses more advanced coding methods and stronger encryption to avoid being detected by cybersecurity tools. These changes make it harder for security teams to study and block the malware.

Another serious upgrade is that Crocodilus can now sort and check stolen information directly on the victim’s phone before sending it to the hackers. This helps attackers collect the most useful data quickly and easily.


How to Stay Safe

Crocodilus is growing fast and is becoming more dangerous, mainly because it relies on tricking people instead of only using technical methods. This makes it especially risky for everyday users.

To protect themselves, Android users should download apps only from trusted sources like Google Play and from well-known app makers. It is important to keep security features like Google Play Protect active and avoid installing too many apps, especially those from unknown developers. Having fewer apps reduces the chances of downloading harmful software by mistake.

Users should also be careful with unexpected phone calls, even if the caller name seems familiar. The name might be fake and added by malware to trick the user.

FBI Alert: Play Ransomware Attacks 900 Organizations

In a recent joint cybersecurity advisory released with its Australian partners, the FBI announced that the Play ransomware group had attacked over 900 organizations as of May 2025. “As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors,” the FBI said.

Triple growth in three years

The number has tripled; in 2023, the figure was 300. This highlights the group’s rapidly growing attack capabilities and its exploitation of newly discovered flaws.

Since 2022, the Play group, aka Playcrypt, has launched attacks across Europe, North America, and South America. The victims are diverse, ranging from multinational corporations to public sector agencies to critical infrastructure.

Play ransomware stands out for its strategic use of custom-built malware for each compromise. Constant reconfiguration of attacks and retooling increases the group’s efficiency by helping it avoid detection.

In a few cases, the group has strengthened attack tactics by contacting victims directly and asking for ransom for not leaking their data. 

Members of the infamous cybercrime syndicate have also compromised various newly found flaws (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management software, deploying them as entry points for deeper penetration to compromise systems. In one incident, threat actors backdoored systems and used Sliver beacons, building the foundation for future ransomware attacks. 

Play follows a unique approach

Differing from other gangs, Play uses direct email communication instead of the Dark Web negotiation. 

Play extracts sensitive data and uses it for extortion, and also uses a proprietary tool to escape shadow copy protections in data thefts. Some high-profile targets include the City of Oakland, Dallas County, and Krispy Kreme. 

How to stay safe?

A sound understanding of ransomware groups and good cyber hygiene are a must to prevent ransomware attacks; specialized tools, however, can further boost your defenses.

The joint advisory recommends that security teams keep their systems updated to prevent the exploitation of unpatched vulnerabilities. They are also advised to use two-factor authentication (2FA) across all services. Organizations should keep offline data backups and create and test a recovery drill as part of their security practices.


Zero-Click iMessage Exploit ‘NICKNAME’ Targets High-Profile Figures in US and Europe

A newly uncovered zero-click vulnerability in Apple’s iMessage, codenamed NICKNAME, has been exploited in a series of sophisticated cyberattacks targeting influential individuals across the United States and Europe, according to a new report from mobile security firm iVerify. The exploit, which requires no interaction from the victim, was detected on iPhones belonging to political leaders, journalists, and executives in the AI industry. 

The campaign is suspected to be part of an espionage operation with potential links to Chinese state-backed actors. In late 2024 and early 2025, iVerify observed a minuscule but significant anomaly in crash reports—0.0001% of logs among a sample of 50,000 iPhones. Deeper analysis led to the identification of the NICKNAME flaw, which stems from a vulnerability in the imagent process. 

The exploit is triggered by a rapid sequence of iMessage nickname updates, leading to a use-after-free memory issue that allows for remote device takeover. Six compromised devices have been identified so far. Four displayed signs of the NICKNAME exploit, while two showed evidence of successful breaches. 

The common link among the victims was their perceived opposition to Chinese interests, with many previously targeted by the notorious Salt Typhoon operation or involved in business or activism against the Chinese Communist Party (CCP). Although Apple addressed the flaw in its iOS 18.3.1 update, iVerify warns that NICKNAME may be only a single piece of a broader, ongoing exploit chain. 

The company is urging government agencies and high-risk organizations to revamp their mobile security frameworks in light of the growing threat landscape. While direct attribution to the CCP remains unconfirmed, circumstantial evidence is strong. Independent iOS security experts, including Patrick Wardle of the Objective-By-The-Sea foundation, have corroborated the threat, validating the risks posed by mobile spyware even against encrypted platforms like Signal.

Rust-Developed InfoStealer Extracts Sensitive Data from Chromium-Based Browsers

Browsers at risk

The latest information-stealing malware, made in the Rust programming language, has surfaced as a major danger to users of Chromium-based browsers such as Microsoft Edge, Google Chrome, and others. 

Known as “RustStealer” by cybersecurity experts, this advanced malware is made to retrieve sensitive data, including login cookies, browsing history, and credentials, from infected systems. 

Evolution of Rust language

The growing use of Rust, a language known for memory safety and performance, indicates a shift toward more resilient and harder-to-detect malware, as Rust binaries often escape traditional antivirus solutions because of their compiled nature and their relative rarity in malware.

RustStealer operates with a high degree of stealth, using sophisticated obfuscation techniques to evade endpoint security tools. Initial infection vectors point to phishing campaigns, in which malicious attachments or links in seemingly genuine emails trick users into downloading the payload.

After execution, the malware establishes persistence via registry modifications or scheduled tasks, ensuring it remains active even after the system reboots.

Distribution Mechanisms

The primary focus is Chromium-based browsers, abusing the accessibility of unencrypted information stored in browser profiles to harvest session tokens, usernames, and passwords.

Besides this, RustStealer has been found to extract data to remote C2 servers via encrypted communication channels, making detection by network surveillance tools such as Wireshark more challenging.

Experts have also observed its potential to attack cryptocurrency wallet extensions, exposing users who manage digital assets via browser plugins to risk. This multi-faceted approach highlights the malware’s goal of maximizing data theft while reducing the chances of early detection, a technique similar to that of advanced persistent threats (APTs).

About RustStealer malware

What makes RustStealer different is its modular build, letting hackers rework its capabilities remotely. This adaptability suggests that future versions could integrate functionality such as ransomware components or keylogging, intensifying the threat in the longer run.

The use of Rust also complicates reverse-engineering efforts, as compiled Rust output is harder to decompile than scripts such as Python used in older malware strains.

Businesses are advised to remain cautious, using strong phishing securities, frequently updating browser software, and using endpoint detection and response (EDR) solutions to detect suspicious behavior. 

New Malware Threat Puts Windows Users at Serious Risk — Protect Your Data Now

A dangerous new computer virus called Katz is spreading fast, and it's targeting people who use Windows devices. Once it sneaks into your system, it can steal almost everything — from passwords and emails to cryptocurrency wallets and even two-factor login codes.

Security researchers have raised alarms because this virus isn’t just stealing one type of information — it’s collecting anything it can get. That includes browser data, saved login details, private files, and more. And even though companies like Microsoft are working hard to fight these threats, hackers keep coming back with new tricks.


How This Malware Gets In

The Katz virus doesn’t use any fancy or rare method to infect devices. Instead, it spreads through common scams. These include fake emails, harmful ads, shady downloads, and suspicious search results. Once someone clicks the wrong thing, the virus quietly installs itself without any warning signs.

After it's in, it scans to see which web browser you’re using — like Chrome, Edge, or Brave — and then quietly runs in the background. While invisible to you, it's actively collecting your saved information.


What Data Is at Risk?

Here’s what this malware can steal from your device:

1. Website and app passwords

2. Login codes from two-factor authentication

3. Stored messages from chat platforms

4. Cryptocurrency wallets and backup phrases

5. Email account access

6. Game logins and saved payment methods

7. Wi-Fi and VPN passwords

8. Files from file transfer tools

9. Anything you copy to your clipboard

10. Screenshots of your screen

That’s a huge amount of personal data that could be misused.


How to Keep Yourself Safe

To avoid falling victim to this malware, follow these safety tips:

• Use strong, unique passwords for every account

• Turn on two-step login wherever available

• Don’t click on strange links or download unverified software

• Keep your system and apps updated

• Install a reliable antivirus tool and keep it active


Extra Steps for Companies

If you're managing devices at work, it’s also important to:

1. Watch for odd background processes or hidden files

2. Check for unknown files being created in unusual folders

3. Monitor network traffic for any suspicious activity

4. Be alert to any strange behavior in browser-related apps
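As an added example (not from the original article or any vendor’s tooling), the four monitoring steps above turned into a small triage routine over constructed endpoint telemetry. The event schema, the sample events and the wallet directory list are assumptions; map your EDR or Sysmon fields onto them:

```python
import ntpath
import re

# Constructed sample telemetry (not real Katz events); the field names are our own schema.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120, "signed": False,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "file_access", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "file_access", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "net_connect", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest": "198.51.100.23:443"},
    # Benign baseline: the browser reading its own credential store.
    {"type": "file_access", "pid": 2210, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

# Browser credential and cookie stores (Chromium and Firefox file names).
BROWSER_STORE_RE = re.compile(r"\\(Login Data|Local State|Web Data|Cookies|logins\.json|key4\.db)$", re.I)
# Wallet application data directories (a short, assumed list; extend it).
WALLET_DIR_RE = re.compile(r"\\(Exodus|Electrum|Atomic|Bitcoin|Ethereum)\\", re.I)
# Directories a user, and therefore a dropper, can write without admin rights.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}


def indicators(event):
    """Return the indicator names a single event trips (empty list if it looks benign)."""
    hits = []
    image = event.get("image", "")
    if event["type"] == "process_start":
        # Step 1: odd background process, here an unsigned binary started from a user-writable dir.
        if USER_WRITABLE_RE.search(image) and not event.get("signed", True):
            hits.append("unsigned_exe_from_user_writable_dir")
    elif event["type"] == "file_access":
        # Step 4: something other than the browser touching the browser's credential store.
        if BROWSER_STORE_RE.search(event["path"]) and ntpath.basename(image).lower() not in BROWSER_IMAGES:
            hits.append("non_browser_read_of_browser_credential_store")
        if WALLET_DIR_RE.search(event["path"]):
            hits.append("wallet_directory_access")
    elif event["type"] == "net_connect":
        # Step 3: outbound traffic from a binary living in a user-writable directory.
        if USER_WRITABLE_RE.search(image):
            hits.append("network_from_user_writable_dir")
    return hits


def triage(events):
    """Group distinct indicators by pid; a stealer trips several in a short window."""
    by_pid = {}
    for ev in events:
        for hit in indicators(ev):
            by_pid.setdefault(ev["pid"], set()).add(hit)
    return by_pid


def suspicious_pids(events, min_distinct=2):
    """Pids with at least min_distinct different indicators; one alone is often benign."""
    return {pid for pid, hits in triage(events).items() if len(hits) >= min_distinct}


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, sorted(hits))
```

Requiring two distinct indicators per process is what keeps backup agents and password managers, which legitimately read one store, out of the alert queue.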


This malware uses very sneaky methods, including social engineering, to trick people into clicking or installing it. But by being cautious and aware, you can stay one step ahead and protect your information.


APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down

Chinese state-backed threat actor APT41 has been discovered using Google Calendar as a command-and-control (C2) channel in a sophisticated campaign, according to the Google Threat Intelligence Group (GTIG). The team has since dismantled the infrastructure and put defences in place to block similar abuse in future.

The campaign began with a previously compromised government website (GTIG did not disclose how it was breached) that hosted a ZIP archive. The archive was distributed to targets via phishing emails.

The archive held three components: an executable and a dynamic-link library (DLL), both disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When a user tried to open the phony PDF, the shortcut set the chain in motion: the DLL decrypted and launched a third file containing the actual malware, dubbed ToughProgress.

Once running, ToughProgress connected to Google Calendar to retrieve its instructions, which were embedded in the descriptions of hidden calendar events. It exfiltrated stolen data the same way, creating a zero-minute calendar event on a hardcoded date (May 30) and placing the encrypted information in the event’s description field.

Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect.
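To make the exchange concrete, here is an added model of the calendar-as-C2 channel together with the detection heuristic it invites. It is illustrative code written for this page, not ToughProgress or Google’s tooling: the in-memory calendar, the “sync”/“result” event titles, the HMAC-based stream cipher and the year on the hardcoded date are all assumptions standing in for details the report does not give.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Stand-in stream cipher: HMAC-SHA256 keystream with a per-message nonce. The real implant's
# encryption is not described on this page, so this is purely illustrative.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, data):
    nonce = os.urandom(8)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def unseal(key, blob):
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# The "calendar" is a plain list of event dicts shaped roughly like API responses (assumed schema).
def add_event(calendar, summary, start, minutes, description):
    ev = {"summary": summary, "start": start.isoformat(),
          "end": (start + timedelta(minutes=minutes)).isoformat(), "description": description}
    calendar.append(ev)
    return ev


# Operator side: tasking hides in the description of a zero-minute event.
def post_tasking(calendar, key, command, when):
    return add_event(calendar, "sync", when, 0, base64.b64encode(seal(key, command.encode())).decode())


def read_results(calendar, key):
    return [unseal(key, base64.b64decode(ev["description"]))
            for ev in calendar if ev["summary"] == "result"]


# Implant side: poll for tasking, then write results back as another zero-minute event
# at a hardcoded date, as the text describes (year assumed).
EXFIL_DATE = utc(2023, 5, 30)


def fetch_tasks(calendar, key):
    return [unseal(key, base64.b64decode(ev["description"])).decode()
            for ev in calendar if ev["summary"] == "sync"]


def exfiltrate(calendar, key, result, when=EXFIL_DATE):
    return add_event(calendar, "result", when, 0, base64.b64encode(seal(key, result)).decode())


# Defender side: zero-duration events whose description is an opaque base64 blob are the tell.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_zero_minute(ev):
    return datetime.fromisoformat(ev["start"]) == datetime.fromisoformat(ev["end"])


def looks_like_blob(text, min_len=16):
    if len(text) < min_len or not _B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError
        return False


def flag_events(calendar):
    return [ev for ev in calendar if is_zero_minute(ev) and looks_like_blob(ev["description"])]
```

The heuristic is deliberately coarse: in Workspace audit data you would also key on the account that created the event and on events created by an API client rather than the calendar UI.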

To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack.

Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

Google did not disclose the exact number of impacted entities.

PumaBot: A New Malware That Sneaks into Smart Devices Using Weak Passwords

A recently discovered piece of malware called PumaBot is putting many internet-connected devices at risk. It targets embedded Linux systems such as surveillance cameras, gets in by guessing weak passwords, and then quietly takes over the device.


How PumaBot Finds Its Victims

Unlike many other threats that scan the internet at random for weak points, PumaBot follows instructions from a remote command-and-control server. It receives a list of selected target addresses (IPs) from that server and then tries to log in over SSH, the remote-administration protocol, using common usernames and passwords.

Based on strings found in the malware’s code, researchers believe it may be going after surveillance and traffic camera systems made by a company called Pumatronix.
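As an added example (not PumaBot’s code or anything from the original report), the login pattern described above, many failed SSH logins from one source followed by a success, detected over constructed auth.log lines. The hostnames and addresses are made up:

```python
import re
from collections import defaultdict

# Constructed sshd log lines in the usual syslog format (not captured from a real device).
SAMPLE_AUTH_LOG = """\
May 28 03:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 41022 ssh2
May 28 03:14:03 cam01 sshd[814]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
May 28 03:14:05 cam01 sshd[816]: Failed password for invalid user pi from 203.0.113.9 port 41041 ssh2
May 28 03:14:07 cam01 sshd[818]: Failed password for invalid user ubnt from 203.0.113.9 port 41055 ssh2
May 28 03:14:09 cam01 sshd[820]: Accepted password for root from 203.0.113.9 port 41060 ssh2
May 28 03:20:11 cam01 sshd[900]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2
May 28 03:21:00 cam01 sshd[905]: Failed password for ops from 10.0.0.5 port 50030 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log):
    """Yield one dict per sshd login attempt; lines that are not login results are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def analyse(log):
    """Per source IP: failure count, distinct usernames tried, and any success after failures."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_fail": []})
    for ev in parse(log):
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(ev["user"])
        elif s["failed"] > 0:
            # Success preceded by failures from the same source: the guess worked.
            s["success_after_fail"].append(ev["user"])
    return stats


def brute_force_sources(log, fail_threshold=3, min_users=2):
    """Sources that failed repeatedly across several usernames (credential spraying)."""
    return {ip for ip, s in analyse(log).items()
            if s["failed"] >= fail_threshold and len(s["users"]) >= min_users}


def compromised_accounts(log):
    """(ip, user) pairs where a success followed failures from the same IP."""
    return {(ip, u) for ip, s in analyse(log).items() for u in s["success_after_fail"]}


if __name__ == "__main__":
    print("brute force from:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("likely compromised:", compromised_accounts(SAMPLE_AUTH_LOG))
```

A single legitimate typo (the ops user at 10.0.0.5) does not meet the threshold, while the camera’s root account, guessed on the fifth attempt, does. On a real device the follow-up is to disable password authentication for SSH and restrict it to management addresses, which removes the attack surface the malware depends on.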


What Happens After It Breaks In

Once PumaBot gets into a device, it first checks that it is not inside a honeypot, a decoy system set up by researchers. If it passes that test, the malware writes itself to the device and registers a system service so that it keeps running even after the device is rebooted.

To keep the door open, PumaBot also adds its own login credentials to the device, so the attackers can return later even if some of its files are removed.


What the Malware Can Do

After it takes control, PumaBot can be told to:

• Steal data from the device

• Install other harmful software

• Collect login details from users

• Send stolen information back to the attackers

One component captures usernames and passwords as they are entered on the device, saves them in a hidden file and sends them to the attackers; once the data has been sent, the file is deleted to cover its tracks.


Why PumaBot Is Concerning

PumaBot differs from the typical botnet. Many botnets simply use infected devices to send spam or launch large-scale attacks. PumaBot is more focused and selective: instead of causing quick damage, it slowly accumulates access to sensitive networks, which could set up much larger breaches later.


How to Protect Your Devices

If you use internet-connected gadgets like cameras or smart appliances, follow these safety steps:

1. Change factory-set passwords immediately

2. Keep device software updated

3. Use a firewall to block unexpected inbound access, especially to SSH

4. Put smart devices on a separate network (a guest Wi-Fi or VLAN) from your main systems

By following these tips, you can lower your chances of being affected by malware like PumaBot.

New Self-Spreading Malware Hijacks Docker Servers to Secretly Mine Cryptocurrency

A newly uncovered malware campaign is exploiting unsecured Docker environments across the globe, silently enrolling them into a decentralised cryptojacking network that mines the privacy-focused cryptocurrency Dero.

Cybersecurity firm Kaspersky reports that the attack begins with Docker APIs exposed on TCP port 2375, the daemon’s unencrypted, unauthenticated remote listener. Once a host is compromised, the attacker deploys malicious containers and infects existing ones, using the system’s resources to mine Dero and to hunt for other vulnerable hosts, all without a central command-and-control server.

For context, Docker is a platform that uses OS-level virtualization to run applications in lightweight units called containers.
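An added example, not from Kaspersky’s report: auditing how dockerd is configured to listen, what a hardened daemon.json looks like, and how to confirm whether a host in your own ranges answers the API without authentication. The listener strings, certificate paths and sample API response are assumptions.

```python
import http.client
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SEVERITY = {"ok": 0, "unknown": 1, "warn": 2, "critical": 3}


def audit_docker_hosts(hosts, tlsverify=False):
    """Classify each listener from the daemon.json "hosts" key (or dockerd -H flags).
    tlsverify mirrors the daemon.json "tlsverify" key / --tlsverify flag."""
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme in ("unix", "fd", "npipe"):
            findings.append((h, "ok", "local socket; access governed by file permissions"))
        elif u.scheme != "tcp":
            findings.append((h, "unknown", "unrecognised listener scheme"))
        else:
            host, port = u.hostname or "0.0.0.0", u.port or 2375
            if tlsverify:
                findings.append((h, "ok", f"client certificates required on {host}:{port}"))
            elif host in LOOPBACK:
                findings.append((h, "warn", f"plain TCP on {host}:{port}: any local process can drive dockerd as root"))
            else:
                # This is the port-2375 exposure the campaign scans for: remote, root-equivalent, no auth.
                findings.append((h, "critical", f"unauthenticated Docker API on {host}:{port}: remote root-equivalent"))
    return findings


def worst_severity(findings):
    return max((f[1] for f in findings), key=SEVERITY.get, default="ok")


def hardened_daemon_json(cert_dir="/etc/docker/certs"):
    """Remote access only over mutually authenticated TLS on 2376; 2375 is never opened.
    Keys are the documented daemon.json options; the certificate paths are assumptions."""
    return {
        "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
        "tls": True,
        "tlsverify": True,
        "tlscacert": f"{cert_dir}/ca.pem",
        "tlscert": f"{cert_dir}/server-cert.pem",
        "tlskey": f"{cert_dir}/server-key.pem",
    }


def interpret_version_response(status, body):
    """GET /version answering 200 with an ApiVersion field means anyone can talk to the daemon."""
    if status != 200:
        return None
    try:
        info = json.loads(body)
    except ValueError:
        return None
    return {"exposed": "ApiVersion" in info, "version": info.get("Version")}


def probe_docker_api(host, port=2375, timeout=3.0):
    """Network check for hosts you own; returns None if nothing answers like a Docker daemon."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
    except OSError:
        return None
    finally:
        conn.close()
    return interpret_version_response(resp.status, body)


if __name__ == "__main__":
    for finding in audit_docker_hosts(["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]):
        print(*finding)
    print(json.dumps(hardened_daemon_json(), indent=2))
```

The probe is the same check the worm’s “nginx” component performs after Masscan finds an open port; running it against your own address space before the attacker does is the point.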

The attackers use two implants written in Go: one named “nginx”, mimicking the popular web server, and another called “cloud”, which is the actual miner.

Once a system is breached, the “nginx” component continuously scans the internet for additional misconfigured Docker nodes, using tools like Masscan to identify targets and propagate infection through new containers.

“The entire campaign behaves like a zombie container outbreak,” researchers noted. “One infected node autonomously creates new zombies to mine Dero and spread further. No external control is needed — just more misconfigured Docker endpoints.”

To stay hidden, the malware encrypts key configuration such as wallet addresses and Dero node addresses, and hides its binaries under file paths commonly used by legitimate system software.

Kaspersky has linked the infrastructure — including the wallet and Dero node — to previous cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024. This points to an evolved version of an existing threat rather than an entirely new operation.

What sets this campaign apart is its worm-like behavior and the lack of centralized coordination, making it especially difficult to detect and eliminate.

As of early May, more than 520 Docker APIs were found to be publicly exposed on port 2375 — each a potential victim of this growing malware network.

Undercover Operation Shuts Down Website Helping Hackers Internationally


Hackers used AVCheck to test whether their malware evaded detection

An international police action has shut down AVCheck, a counter-antivirus scanning service that threat actors used to check whether mainstream antivirus products detected their malware before deploying it in attacks. The official domain, avcheck.net, now shows a seizure banner with the logos of the U.S. Secret Service, the U.S. Department of Justice, the FBI and the Dutch Police (Politie).

The site was used globally by threat actors

According to the announcement, AVCheck was one of the most widely used counter-antivirus (CAV) services worldwide, letting criminals test the effectiveness of their malware. Politie’s Matthijs Jaspers said, “Taking the AVCheck service offline marks an important step in tackling organized cybercrime." Through the collaborative effort, the agencies have disrupted “cybercriminals as early as possible in their operations and prevent victims."

Officials also found evidence linking AVCheck’s administrators to the crypting services Cryptor.biz (seized) and Crypt.guru (currently offline). Crypting services obfuscate or encrypt malicious payloads so that antivirus engines do not recognise them. The typical workflow is to run the malware through a crypter, test the result on AVCheck or a similar CAV service to confirm it goes undetected, and only then launch it against targets.

Details about the operation

Before taking AVCheck down, police replaced its login page with a fake one warning users of the legal risks of logging in to such sites. The FBI said that “cybercriminals don't just create malware; they perfect it for maximum destruction.” Special Agent Douglas Williams said threat actors leverage such services to “refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems."

Operation Endgame

Undercover agents established the illegal nature of AVCheck, and its links to ransomware attacks against U.S. targets, by purchasing its services as customers. According to the U.S. DoJ, in the “affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime.”

The crackdown was part of Operation Endgame, a joint international law enforcement action that has seized 300 servers and 650 domains used to support ransomware attacks. Earlier phases of the operation targeted the Danabot and Smokeloader malware operations.

U.S. Shuts Down LummaC2 Malware Network in Major Takedown

In a major crackdown on cybercrime, the U.S. Department of Justice (DOJ), in coordination with the FBI and Microsoft, has disrupted the global LummaC2 malware operation by seizing five internet domains used to deploy the infostealer. LummaC2, notorious for stealing personal and financial data such as browser history, login credentials and cryptocurrency wallet information, had been used against at least 1.7 million systems worldwide.

The takedown unfolded over three days in May 2025: two domains were seized on May 19, and three more followed quickly after the operators tried to restore access. These domains served as user panels for cybercriminals who rented or bought access to the malware, letting them deploy it across networks and collect the stolen data.

FBI Assistant Director Bryan Vorndran said, “We took action against the most popular infostealer service available in online criminal markets. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels.” 

DOJ Criminal Division head Matthew R. Galeotti added, “This type of malware is used to steal personal data from millions, facilitating crimes such as fraudulent bank transfers and cryptocurrency theft.” In a parallel move, Microsoft launched a civil legal action to take down 2,300 more domains believed to be linked to LummaC2 actors or their proxies. 

Emphasising the value of collaboration, Sue J. Bai, chief of the DOJ’s National Security Division, said, “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country.” 

The operation, led by the FBI’s Dallas Field Office and supported by several DOJ divisions, forms part of a broader U.S. strategy to counter cyber threats, including a State Department programme offering up to $10 million for information on individuals targeting U.S. critical infrastructure.

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. The effort resulted in the seizure of thousands of domains and the dismantling of key components of Lumma’s infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation also drew contributions from ESET, CleanDNS, Bitsight, Lumen, GMO Registry and the law firm Orrick. According to Cloudflare, the Lumma operators abused its platform to mask the IP addresses of the servers that collected stolen credentials and sensitive data.

Even after Cloudflare suspended malicious domains, the malware managed to bypass the company’s interstitial warning page, prompting it to strengthen that control.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report noted a 12% year-on-year increase in stolen credentials offered for sale online, driven largely by infostealers like Lumma. Phishing campaigns delivering such malware rose by 84%, making Lumma the dominant player in this part of the threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


ESXi Environment Infiltrated Through Malicious KeePass Installer


Security researchers have revealed that threat actors have been using tampered versions of the KeePass password manager to break into enterprise networks for more than eight months. The trojanized applications present themselves as legitimate KeePass installers while carrying embedded malicious code.

The deceptive installer serves as the entry point: once inside, the adversaries deploy Cobalt Strike beacons, harvest credentials and set up large-scale ransomware attacks. The attackers have shown particular interest in environments running VMware ESXi, one of the most widely used enterprise virtualisation platforms, indicating a deliberate focus on critical infrastructure.

After gaining access, the attackers escalate privileges, move laterally across the network and plant ransomware payloads to disrupt operations and compromise as much data as possible. Besides ensuring persistent access, the malware exfiltrates sensitive information, which further undermines the security posture of the targeted organisations.

A rogue installer disguised as a trusted application underscores the increasing sophistication of today’s threats and the urgency of heightened security across enterprise systems. The campaign was discovered by WithSecure’s Threat Intelligence team, which had been engaged to analyse a ransomware attack on a corporate environment.

Closer examination traced the intrusion to a malicious version of KeePass distributed via sponsored advertisements on Bing. The ads led unsuspecting users to fraudulent websites designed to mirror legitimate software download pages, tricking them into downloading the compromised installer. Researchers found that the threat actors exploited KeePass’s open-source nature by modifying its source code to build a fully functional yet malicious version of the program, which they named KeeLoader.

Because the trojanized build retains every standard feature of the real password manager, it works without immediately raising suspicion. Hidden inside, however, are covert additions that serve the attackers’ objectives, chiefly the deployment of a Cobalt Strike beacon.

The beacon provides remote control and data exfiltration; in particular, the modified program exports the user’s entire KeePass database in cleartext, which the beacon then sends to the attackers’ command-and-control infrastructure. This gave the attackers the credentials needed for further infiltration of the network and, ultimately, ransomware deployment. The tactic exemplifies a growing trend of leveraging trusted open-source software to deliver advanced persistent threats, and industry experts say the incident highlights several critical, multifaceted security challenges.

Boris Cipot, Senior Security Engineer at Black Duck, points out that the campaign raises concerns on several fronts, from the inherent risks of open-source software development to the growing problem of deceptive online advertising. By combining open-source tooling with a legitimate ad platform, he explained, the attackers ran a highly efficient and damaging ransomware campaign that exploited the public’s trust in both. They then amplified the impact of their breach by targeting VMware ESXi servers, which sit at the heart of many enterprise virtual environments.

With the credentials stored in KeePass in hand, including administrative access to hosts and service accounts, the threat actors could compromise entire ESXi infrastructures without attacking each virtual machine individually. The approach shows a high level of technical sophistication and planning, allowing widespread disruption across potentially hundreds of systems in a single campaign.

Cipot draws one key lesson: organisations and users should not blindly trust software promoted through online advertisements, nor assume that open-source tools are safe just because they are advertised as such. The importance of verifying the authenticity and integrity of software before deploying it, whether in a development environment or on a personal computer, cannot be overstated. Rom Carmel, Co-Founder and CEO of Apono, added that the attack shows identity compromise becoming a growing part of ransomware operations.

Beyond the KeePass compromise itself, a large repository of sensitive credentials, including admin credentials and API access keys, was exposed to the attackers. With that data in hand they could move rapidly from system to system and escalate privileges, turning credential theft into the most powerful enabler of enterprise-wide compromise. According to Carmel, the case demonstrates the importance of identity and access management as the front-line defence against today’s attacks.

While investigating the malicious websites distributing trojanized KeePass builds, researchers discovered a wider network of deceptive domains advertising other legitimate software. Besides KeePass, the attackers impersonated trusted applications such as WinSCP, a secure file transfer tool, and several popular cryptocurrency applications.

Notably, these applications were modified less aggressively than KeePass, though they still posed a significant threat. Instead of an elaborate attack chain, the attackers bundled a well-known malware strain called Nitrogen Loader, which acts as a gateway for delivering further malicious payloads to compromised systems. The evidence suggests the trojanized KeePass variant was most likely created and distributed by initial access brokers, cybercriminals who specialise in penetrating corporate networks.

Such brokers steal login credentials, harvest data and identify exploitable entry points in enterprise networks, then monetise the intrusion by selling that access to other threat groups, primarily ransomware operators, on underground forums. One reason this model is so dangerous is that it is indiscriminate.

Malware distributors target a wide variety of victims, from individuals to large corporations, without applying any particular selection criteria. The stolen data, from passwords and financial records to personal information and social media credentials, is then carefully sorted and sold. Ransomware gangs are typically interested in corporate network credentials, while scammers want financial data and banking information.

Spammers may buy login credentials for email, social networking or gaming accounts. A stealer distributor working on this opportunistic model casts a wide net, embedding the payload in virtually any type of software to reach the broadest possible audience: consumer applications such as games and file managers, but also professional tools for architects, accountants and IT administrators.

The importance of strict software verification practices, for organisations and individuals alike, cannot be overstated. Every tool, however trustworthy it appears, must be obtained from a trustworthy and verifiable source. In the incident WithSecure investigated, the victim organisation’s VMware ESXi servers, a critical component of its virtual infrastructure, were encrypted.

The consequences of this sophisticated, well-orchestrated operation reached far beyond a single compromised installer. Further analysis revealed a sprawling malicious infrastructure masquerading as trusted financial services and software platforms. The attackers used the domain aenys[.]com, which hosted a number of subdomains impersonating reputable organisations such as WinSCP, Phantom Wallet, PumpFun, Sallie Mae, Woodforest Bank and DEX Screener.

Each subdomain was built either to deliver malware payloads or to act as a phishing portal harvesting user credentials. The breadth and attention to detail show a careful, multi-pronged approach to compromising a wide range of targets. WithSecure’s analysis attributes the activity to UNC4696, a threat group previously associated with Nitrogen Loader operations.

Research suggests that earlier Nitrogen Loader campaigns were linked to the deployment of BlackCat/ALPHV ransomware, a highly destructive and well-known operation that targets enterprise networks. Security experts have emphasised cautious and deliberate software acquisition practices for years, especially for security-critical applications such as password managers.

Download software only from official, verified sources, and do not rely on links served through online advertisements. A website may display the right URL or branding of a legitimate provider yet still redirect users to a fake site run by malicious actors. Advertising platforms have repeatedly been shown to be exploited to circumvent content policies, so vigilance and source verification are vital to avoid compromise.
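The verification this advice calls for, as an added example rather than WithSecure’s or the KeePass project’s own tooling: check that a download URL belongs to the vendor’s official domains, flag hosts that merely carry or resemble the brand name (the pattern behind the aenys[.]com subdomains), and confirm that the downloaded bytes match the SHA-256 the vendor publishes. The OFFICIAL_DOMAINS map and the sample URLs are assumptions; extend the map for the vendors you care about.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allow-list of official download domains per product (subdomains of these are accepted).
OFFICIAL_DOMAINS = {
    "keepass": ("keepass.info", "sourceforge.net"),
    "winscp": ("winscp.net",),
}


def _hostname(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _levenshtein(a, b):
    """Edit distance, used to catch one-letter typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url, product, official=OFFICIAL_DOMAINS):
    """'official' if the host is (a subdomain of) an allow-listed domain, 'lookalike' if it only
    carries or resembles the brand name, otherwise 'unknown'. Never treat 'lookalike' as safe."""
    host = _hostname(url)
    if any(host == d or host.endswith("." + d) for d in official[product]):
        return "official"
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host  # naive; use a public-suffix list in production
    if product in host.replace("-", "") or _levenshtein(product, registrable) <= 2:
        return "lookalike"
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Streaming hash for a real installer on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(data, published_sha256):
    """Compare installer bytes against the SHA-256 the vendor publishes on its own site."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


if __name__ == "__main__":
    for u in ("https://keepass.info/download.html",
              "https://keepass.example-mirror.net/KeePass-Setup.exe",
              "https://keeppass.info/KeePass-Setup.exe"):
        print(classify_download_url(u, "keepass"), u)
```

The hash check only helps if the published value is fetched from the vendor’s own page over HTTPS, not from the same site that served the installer; a fake download page will happily publish the hash of its own trojanized binary.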

The growing use of legitimate credentials in cyberattacks remains a persistent and evolving threat. Infostealers, designed specifically to harvest sensitive data and login information, serve as a gateway to wider breaches, including ransomware attacks.

Organisations must adopt a comprehensive security strategy that goes beyond the basics to reduce this risk. To block trojanized software such as the malicious KeePass variant, strict controls must be enforced on the execution of untrusted applications. Application allow lists can restrict installations to software from trusted vendors or to applications signed with verified digital certificates.

In the KeePass attack, a certificate-based policy could have stopped the tampered version from running, since it was signed with an unauthorised certificate. Equally crucial is centralised monitoring and incident response across all endpoints, desktops and servers alike: every endpoint in an organisation should carry an Endpoint Detection and Response (EDR) sensor.

Combining those sensors with a Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) platform gives security teams a real-time view of network activity and lets them detect, analyse and respond to threats before they spread. An organisation must also cultivate a well-informed, security-conscious workforce.

Beyond phishing, employees should be trained to recognise fake software, misleading advertisements and the other forms of social engineering that cybercriminals commonly employ. Kaspersky’s Automated Security Awareness Platform can support ongoing education efforts and help foster a proactive, resilient security culture. As attacks proliferate and attackers refine their methods, a proactive, layered defence rooted in technology, policy and education is essential for enterprises facing increasingly deceptive and damaging threats.

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

For at least six months, the official software bundled with Procolored printers reportedly included malicious code: a remote access trojan (RAT) and a cryptocurrency-stealing clipper.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Procolored initially dismissed the detection as a “false positive,” but Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, screenshot capture, remote shell access, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).
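One practical check for SnipVex-style clipboard hijacking, as an added example that is not code from the article, G Data or Procolored: write a known Bitcoin address to the clipboard, wait, and read it back; a different address coming back is the clipper signature. FakeClipboard and the bc1q placeholder address are constructed stand-ins so it runs offline; on a live Windows host you would pass pyperclip.copy and pyperclip.paste (assumed installed) instead.

```python
import hashlib
import re
import time
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_RE = re.compile(r"^(bc1|tb1)[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$")  # shape only

def base58check_valid(addr):
    """Legacy address check: base58 -> 25 bytes, last 4 == double-SHA256 of the rest."""
    n = 0
    for ch in addr:
        idx = BASE58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a zero byte
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def looks_like_btc_address(text):
    s = text.strip()
    return bool(BECH32_RE.match(s.lower())) or (
        26 <= len(s) <= 35 and s[0] in "13" and base58check_valid(s))

def clipboard_canary_check(write_clip, read_clip, canary, settle_s=2.0, sleep=time.sleep):
    """Write a known address, give a resident clipper time to act, read it back. Returns
    ('clean'|'swapped'|'changed', value); 'swapped' = another address replaced the canary."""
    write_clip(canary)
    sleep(settle_s)
    seen = read_clip()
    if seen == canary:
        return "clean", seen
    return ("swapped" if looks_like_btc_address(seen) else "changed"), seen

class FakeClipboard:  # constructed stand-in for the OS clipboard; with attacker_addr it acts as a clipper
    def __init__(self, attacker_addr=None):
        self.attacker_addr, self.value = attacker_addr, ""
    def write(self, text):
        swap = self.attacker_addr and looks_like_btc_address(text)
        self.value = self.attacker_addr if swap else text
    def read(self):
        return self.value

def run_demo():
    canary = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known Bitcoin genesis-block address
    attacker = "bc1q" + "x" * 38                  # constructed placeholder, not a real wallet
    return [clipboard_canary_check(c.write, c.read, canary, 0, lambda s: None)[0]
            for c in (FakeClipboard(), FakeClipboard(attacker))]  # -> ['clean', 'swapped']
```

A clean result only shows that nothing swapped that one write; remnants of the binary tampering the article describes still need the full system scan it recommends.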

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”