Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
threat
APT41 Attack Calendar Cybersecurity Detection Google Hacking malware phishing threat

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down

 

Chinese state-backed threat actor APT41 has been discovered leveraging Google Calendar as a command-and-control (C2) channel in a sophisticated cyber campaign, according to Google’s Threat Intelligence Group (TIG). The team has since dismantled the infrastructure and implemented defenses to block similar future exploits.

The campaign began with a previously breached government website — though TIG didn’t disclose how it was compromised — which hosted a ZIP archive. This file was distributed to targets via phishing emails.

Once downloaded, the archive revealed three components: an executable file and a dynamic-link library (DLL) disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When users attempted to open the phony PDF, the shortcut activated the DLL, which then decrypted and launched a third file containing the actual malware, dubbed ToughProgress.

Upon execution, ToughProgress connected to Google Calendar to retrieve its instructions, embedded within event descriptions or hidden calendar events. The malware then exfiltrated stolen data by creating a zero-minute calendar event on May 30, embedding the encrypted information within the event's description field.

Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect.

To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack.

Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

Google did not disclose the exact number of impacted entities.
Read more »
PumaBot
Data Login Credentials malware Passwords PumaBot

PumaBot: A New Malware That Sneaks into Smart Devices Using Weak Passwords

 


A recently found malware called PumaBot is putting many internet-connected devices at risk. This malicious software is designed to attack smart systems like surveillance cameras, especially those that use the Linux operating system. It sneaks in by guessing weak passwords and then quietly takes over the system.


How PumaBot Finds Its Victims

Unlike many other threats that randomly scan the internet looking for weak points, PumaBot follows specific instructions from a remote command center. It receives a list of selected device addresses (known as IPs) from its control server and begins attempting to log in using common usernames and passwords through SSH — a tool that lets people access devices remotely.

Experts believe it may be going after security and traffic camera systems that belong to a company called Pumatronix, based on clues found in the malware’s code.


What Happens After It Breaks In

Once PumaBot gets into a device, it runs a quick check to make sure it's not inside a fake system set up by researchers (known as a honeypot). If it passes that test, the malware places a file on the device and creates a special service to make sure it stays active, even after the device is restarted.

To keep the door open for future access, PumaBot adds its own secret login credentials. This way, the hackers can return to the device later, even if some files are removed.


What the Malware Can Do

After it takes control, PumaBot can be told to:

• Steal data from the device

• Install other harmful software

• Collect login details from users

• Send stolen information back to the attackers

One tool it uses captures usernames and passwords typed into the device, saves them in a hidden file, and sends them to the hackers. Once the data is taken, the malware deletes the file to cover its tracks.


Why PumaBot Is Concerning

PumaBot is different from other malware. Many botnets simply use infected devices to send spam or run large-scale attacks. But PumaBot seems more focused and selective. Instead of causing quick damage, it slowly builds access to sensitive networks — which could lead to bigger security breaches later.


How to Protect Your Devices

If you use internet-connected gadgets like cameras or smart appliances, follow these safety steps:

1. Change factory-set passwords immediately

2. Keep device software updated

3. Use firewalls to block strange access

4. Put smart devices on a different Wi-Fi network than your main systems

By following these tips, you can lower your chances of being affected by malware like PumaBot.

Read more »
worm
containers Cryptojacking Cybersecurity Dero Docker Golang Kaspersky Linux malware worm

New Self-Spreading Malware Hijacks Docker Servers to Secretly Mine Cryptocurrency

 

A newly uncovered malware campaign is exploiting unsecured Docker environments across the globe, silently enrolling them into a decentralized cryptojacking network that mines the privacy-focused cryptocurrency, Dero.

Cybersecurity firm Kaspersky reports that the attack initiates by targeting exposed Docker APIs on port 2375. Once compromised, the attacker deploys malicious containers and infects existing ones, using system resources to mine Dero and search for other vulnerable hosts — all without relying on a central command-and-control server.

For context, Docker is a platform that uses OS-level virtualization to run applications in lightweight units called containers.

The attackers utilize two implants developed in Golang: one dubbed “nginx,” mimicking the popular web server, and another called “cloud,” which is the actual mining software.

Once a system is breached, the “nginx” component continuously scans the internet for additional misconfigured Docker nodes, using tools like Masscan to identify targets and propagate infection through new containers.

“The entire campaign behaves like a zombie container outbreak,” researchers noted. “One infected node autonomously creates new zombies to mine Dero and spread further. No external control is needed — just more misconfigured Docker endpoints.”

To stay hidden, the malware encrypts crucial data like wallet addresses and Dero nodes, and disguises itself under file paths commonly used by legitimate system processes.

Kaspersky has linked the infrastructure — including the wallet and Dero node — to previous cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024. This points to an evolved version of an existing threat rather than an entirely new operation.

What sets this campaign apart is its worm-like behavior and the lack of centralized coordination, making it especially difficult to detect and eliminate.

As of early May, more than 520 Docker APIs were found to be publicly exposed on port 2375 — each a potential victim of this growing malware network.
Read more »
Operation Endgame
Anti Virus Dark Web FBI Internet malware Operation Endgame

Undercover Operation Shuts Down Website Helping Hackers Internationally


Hackers used AVCheck to see malware efficiency

International police action has shut down AVCheck, an anti-virus scanning website used by threat actors to check whether their malware was detected by mainstream antivirus before using it in the attacks. The official domain “avcheck.net” now shows a seizure banner with the logos of the U.S. Secret Service, the U.S. Department of Justice, the FBI, and the Dutch Police (Politie).  

The site was used globally by threat actors

According to the announcement, AVCheck was a famous counter antivirus (CAV) website globally that enabled hackers to check the efficiency of their malware. Politie’s Matthijs Jaspers said, “Taking the AVCheck service offline marks an important step in tackling organized cybercrime." With the collaborative effort, the agencies have disrupted the “cybercriminals as early as possible in their operations and prevent victims." 

The officials also discovered evidence linking AVCheck’s administrators to encrypting services Cryptor.biz  (seized) and Crypt.guru (currently offline). Crypting services allow threat actors to hide their payloads from antivirus, blending them in the ecosystem. Hackers also use a crypting service to hide their malware, check it on AVCheck or other CAV services to see if is detected, and finally launch it against their targets. 

Details about the operation

Before the shutdown of AVCheck, the police made a fake login page warning users of the legal risks when they log in to such sites. The FBI said that “cybercriminals don't just create malware; they perfect it for maximum destruction.” Special Agent Douglas Williams said threat actors leverage antivirus services to “refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems."

Operation Endgame

The undercover agents exposed the illegal nature of AVCheck and its links to ransomware attacks against the U.S. by purchasing these services as clients. According to the U.S. DoJ, in the “affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime.”

The crackdown was part of Operation Endgame, a joint international law enforcement action that captured 300 servers and 650 domains used in assisting ransomware attacks. Earlier, the operation cracked down on the infamous Danabot and Smokeloader malware operations.

Read more »
Microsoft
cyberattacks trending news cybercrime news FBI malware Microsoft

U.S. Shuts Down LummaC2 Malware Network in Major Takedown

 

In a major crackdown on cybercrime, the U.S. Department of Justice (DOJ), in coordination with the FBI and Microsoft, has dismantled a global malware operation known as LummaC2 by seizing five internet domains used to deploy the infostealer malware. LummaC2, notorious for stealing personal and financial data such as browser history, login credentials, and cryptocurrency wallet information, had compromised at least 1.7 million systems worldwide. 

The takedown occurred over three days in May 2025, with two domains seized on May 19, followed by the rapid seizure of three additional domains after the malware operators attempted to restore access. These domains acted as user panels for cybercriminals leasing or buying access to the malware, allowing them to deploy it across networks and extract stolen data. 

FBI Assistant Director Bryan Vorndran said, “We took action against the most popular infostealer service available in online criminal markets. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels.” 

DOJ Criminal Division head Matthew R. Galeotti added, “This type of malware is used to steal personal data from millions, facilitating crimes such as fraudulent bank transfers and cryptocurrency theft.” In a parallel move, Microsoft launched a civil legal action to take down 2,300 more domains believed to be linked to LummaC2 actors or their proxies. 

Emphasising the value of collaboration, Sue J. Bai, chief of the DOJ’s National Security Division, said, “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country.” 

The operation, led by the FBI’s Dallas Field Office and supported by several DOJ divisions, forms part of a broader U.S. strategy to counter cyber threats, including a State Department programme offering up to $10 million for information on individuals targeting U.S. critical infrastructure.
Read more »
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
VMware
Bing Cobalt Strike Beacon CyberCrime Cyberhackers Cybersecurity CyberThreat Fraudlent KeePass malware malware installation VMware

ESXi Environment Infiltrated Through Malicious KeePass Installer


Research by cybersecurity researchers has revealed that threat actors have been using tampered versions of KeePass password manager software to break into enterprise networks for several months. Researchers have discovered that this campaign has been sophisticated and ongoing for several months. For more than eight months, attackers have been using trojanized applications to stealthily infiltrate organisations and present themselves as legitimate KeePass installers while encoding malicious code into them. 

A deceptive installer serves as an entry point by which adversaries may gain access to internal systems, deploy Cobalt Strike beacons and harvest credentials, setting up large-scale ransomware attacks by using these deceptive installers as entry points. In this campaign, attackers have shown a particular interest in environments running VMware ESXi-one of the most widely used enterprise virtualisation platforms-indicating their strategic intention of targeting critical infrastructure environments. 

After the attackers are able to gain access, they escalate their privileges, move across networks, and plant ransomware payloads to disrupt operations as well as compromise data to the maximum extent possible. In addition to ensuring persistent access, malware is also able to exfiltrate sensitive information, which severely undermines the security postures of organisations targeted for attacks. 

KeePass was a rogue installer that was disguised in the appearance of a trustworthy software application, however, it underscored the increasing sophistication of cyber threats in the 21st century and the urgency of maintaining heightened security across enterprise systems. A comprehensive investigation by WithSecure's Threat Intelligence team, which had been engaged to analyse a ransomware attack that affected a corporate environment, led to the discovery of the campaign. 

Upon closer examination, the team traced the intrusion back to a malicious version of KeePass that had been deceptively distributed via sponsored advertisements on Bing. These ads led unsuspecting users to fraudulent websites designed to mirror legitimate software download pages, thereby tricking them into downloading the compromised installer. 

As the team investigated further, they found that the intrusion was linked to a malicious version of KeePass that had been misrepresenting itself as available through sponsored advertisements on Bing, leading unsuspecting users to fraudulent websites that mirrored legitimate software download pages, which tricked them into downloading the compromised installer by deceptively distributing it. Researchers have since discovered that the threat actors exploited KeePass's open-source nature by altering its original source code to craft a fully functional yet malicious version of the program, known as KeeLoader. 

In spite of the fact that this trojanized version maintains all of the standard features of a real password manager, it is capable of operating without immediately raising suspicions about its legitimacy. There are, however, covert enhancements embedded within the application designed to serve the attackers' objectives, namely the deployment of a Cobalt Strike beacon that will serve as a means for delivering the attacker's objectives. 

The tool enables remote control and data exfiltration, which can be done, for example, by exchanging the user's entire KeePass password database in cleartext with the use of remote command-and-control capabilities. As a result of the beacon, the attackers were able to extract this information, which provided a basis for the further infiltration of the network as well as, in the end, ransomware deployment. This tactic exemplifies the growing trend of leveraging trusted open-source software to deliver advanced persistent threats. According to industry experts, this incident emphasises the importance of many critical, multifaceted cybersecurity challenges.

It has been pointed out by Boris Cipot, Senior Security Engineer at Black Duck, that the campaign raises concerns on a number of fronts, ranging from the inherent risks that arise from open source software development to the growing problem of deceptive online advertising. Using a combination of open-source tools and legitimate ad platforms, Cipot explained that the attackers were able to execute a highly efficient and damaging ransomware campaign that exploited the public's trust in both of these tools. In their breach, the attackers the impact of their attack by targeting VMware ESXi servers, which are at the heart of many enterprise virtual environments. 

Having stolen the credentials for KeePass, including administrative access to both hosts and service accounts, threat actors could compromise entire ESXi infrastructures without having to attack each virtual machine individually. As a result of this approach, a high level of technical sophistication and planning was demonstrated in order to cause widespread disruption across potentially hundreds of different systems in a single campaign. 

Cipot emphasises one key lesson in his presentation: the organisation and users should not blindly trust any software promoted through online advertisements, nor should they assume that open-source software tools are necessarily safe, as it is advertised. A person who knows the importance of verifying the authenticity and integrity of software before deploying it to any development environment or on a personal computer has said that the importance of this cannot be overstated. Moreover, Rom Carmel, Co-Founder and CEO of Apono, also noted that the attack highlighted the fact that identity compromise is becoming a growing part of ransomware operations. 

In addition to the KeePass compromise, there was a large repository of sensitive credentials, including admin credentials and API access keys, that were exposed to attackers. With this data at hand, attackers were able to rapidly advance from network to network, escalating privileges as quickly as possible, turning credential theft into the most powerful enabler of enterprise-wide compromise. According to Carmel, the example provided by this case proves the importance of securing identity and access management as the front-line defence against cyberattacks that exist today. 

It was discovered by researchers that, as they investigated malicious websites distributing trojanized versions of KeePass password managers, there was a wider network of deceptive domains advertising other legitimate software products. In addition to the software impersonated, trusted applications such as WinSCP, a secure file transfer tool, and several popular cryptocurrency applications were also posed as legitimate software. 

It was noteworthy that these applications were modified less aggressively than KeePass, however, they still posed an important threat. Instead of incorporating complex attack chains, the attackers delivered a well-known malware strain called Nitrogen Loader, which acts as a gateway for further malicious payloads to be distributed on compromised systems by using Nitrogen Loader as a malicious payload. In light of the recent discovery, it appears that the trojanized KeePass variant was likely to have been created and distributed by initial access brokers, a group of cybercriminals who specialise in penetrating corporate networks. 

They are known to steal login credentials, harvest data, and identify exploitable entry points in enterprise networks, which are all ways of stealing sensitive information. It is then that they use the intrusion to monetise their intrusion by selling this access to other threat groups, primarily ransomware operators, on underground forums. One particular reason that this threat model is so dangerous is that it is indiscriminate in nature. 

Malware distributors target a wide variety of victims, from individuals to large corporations, without applying any specific selection criteria in the way they select their victims. There is a meticulous sorting and selling process for all of the stolen data, which is varied from passwords and financial records, to personal information and social media credentials. Ransomware gangs, on the other hand, are typically interested in corporate network credentials, while scammers are interested in financial data and banking information. 

Spammers may also attempt to exploit email, social networking, or gaming accounts by acquiring login credentials. A stealer malware distributor who employs an opportunistic business model is more likely to cast a wide net and embed their payload in virtually any type of software, so that they can distribute the malware to a wider audience. In addition to consumer-oriented applications, like games and file managers, it also offers professional tools for architects, accountants and information technology administrators. 

The importance of implementing strict software verification practices, both for organisations and individuals, cannot be overstated. Every download tool, no matter how trustworthy it may seem, must be obtained from a trustworthy and verifiable source, regardless of the appearance of a given tool. As a result of the campaign with the help of WithSecure, the victim organisation's VMware ESXi servers – a critical component of the organisation's virtual infrastructure – were encrypted.

There was a significant impact of this malware distribution operation far beyond a single compromised installer, as reflected by the severity of the consequences resulting from this sophisticated and well-orchestrated operation. According to further analysis, a sprawling malicious infrastructure masquerading as a trusted financial service and software platform was revealed. It seems that the attackers used the domain aenys[.]com, which hosted a number of subdomains impersonating reputable organisations such as WinSCP, Phantom Wallet, PumpFun, Sallie Mae, Woodforest Bank, and DEX Screener. 

Every subdomain was designed to deliver malware payloads or act as phishing portals designed to harvest sensitive user credentials from the targeted users. A careful, multi-pronged approach to compromise a wide range of targets is demonstrated by this level of detail and breadth. As a result of the analysis conducted by WithSecure, UNC4696, a threat group associated with operations previously involving Nitrogen Loader malware, has been identified as responsible for this activity.

Research suggests that campaigns involving Nitrogen Loader may have been linked to the deployment of BlackCat/AlphaPhy ransomware, a highly destructive and well-known threat actor known for attacking enterprise networks. The importance of cautious and deliberate software acquisition practices has been emphasised for many years by security experts, especially for security-critical applications such as password managers that require careful attention to detail. 

Downloading software from official, verified sources is strongly recommended, and links provided through online advertisements should not be relied upon. It is important to note that a website may appear to be referencing the right URL or brand of a legitimate provider, but it might still be redirecting users to fake websites that are created by malicious actors. Having been shown repeatedly that advertising platforms are being exploited to circumvent content policies, it is vital that vigilance and source verification be maintained in order to avoid compromise. 

In the cybersecurity landscape, there is still a persistent and evolving threat to be addressed because legitimate credentials are increasingly used in cyberattacks. It is widely known that Infostealers, which are specifically designed to harvest sensitive data and login information, serve as a gateway for more widespread breaches, including ransomware attacks. 

Organisations must adopt a comprehensive security strategy that goes beyond the basics to reduce this risk. When it comes to preventing trojanized software, such as the malicious KeePass variant, strict controls must be enforced on the execution of applications that aren't trusted. Users can achieve this by implementing application allow lists to restrict software installations and make sure that trusted vendors or applications signed with verified digital certificates are allowed to install the software. 

In the case of the KeePass attack, such a certificate-based policy could have effectively prevented the tampered version from getting into the system, since it had been signed with an unauthorised certificate. It is equally crucial to implement centralised monitoring and incident response mechanisms on all endpoints, whether they are desktops or servers, to detect and respond to incidents. Every endpoint in an organisation should be equipped with Endpoint Detection and Response (EDR) sensors. 

By combining these tools with Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) platforms, security teams can get a real-time view of network activity and detect, analyse, and respond to threats before they get too far. Furthermore, an organisation must cultivate a well-informed and security-conscious workforce. 

Beyond learning about phishing scams, employees should be trained on how to recognise fake software, misleading advertisements, and other forms of social engineering that cybercriminals commonly employ. With Kaspersky's Automated Security Awareness Platform, organisations can support ongoing education efforts, helping them foster a culture of security that is proactive and resilient. With the proliferation of cyber attacks and the continual refining of attackers' methods, a proactive, layered defence approach, rooted in intelligent technology, policy, and education, is essential for enterprises to protect their systems against increasingly deceptive and damaging threats.
Read more »
Trojan
cryptocurrency Cyberattack Hacking malware printing Ransomware remoteaccess Security Software Trojan

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

 

For at least six months, the official software bundled with Procolored printers reportedly included malicious code, including a remote access trojan (RAT) and a cryptocurrency-stealing malware.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Initially dismissed by Procolored as a “false positive,” Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, taking screenshots, accessing the remote shell, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”


Read more »
Subscribe to: Posts (Atom)