CyberSecurity news
FlagThis - #Malware
|
@www.microsoft.com
//
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.
Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft. Recommended read:
References :
@Talkback Resources
//
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.
A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.
The malicious components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploading it to the attackers. According to SecureListReport, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024. Recommended read:
References :
@www.bleepingcomputer.com
//
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.
The attack chain begins with a Google Drive shared document hosting a RAR archive containing a malicious Excel workbook. When opened, the workbook triggers the execution of an obfuscated macro, paving the way for a simplified version of PicassoLoader. While a decoy Excel file is displayed to the victim, additional payloads are downloaded onto the system. Techniques like steganography, hiding malicious code within seemingly harmless JPG images, are also used to retrieve second-stage malware from remote URLs. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, highlighting a persistent cyberespionage operation against Ukrainian targets. Recommended read:
References :
@securityonline.info
//
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.
Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan. Recommended read:
References :
@PCWorld
//
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.
The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present. Netskope highlights the use of cloud applications like Telegram presents a challenge for defenders, as attackers exploit the ease of use and setup these apps provide during various attack phases. The use of the Russian language in the "/cmd" instruction, which sends the message "Enter the command:" in Russian, further supports the assessment of potential Russian origin. This malware uses Telegram for C2, and has the capability of executing PowerShell commands and self-destructing to evade detection. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.
Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware. Recommended read:
References :
SC Staff@scmagazine.com
//
The FakeUpdate malware campaigns are becoming increasingly complex with the emergence of new cybercrime groups, TA2726 and TA2727, now involved in pushing a new macOS infostealer called FrigidStealer. This malware is being distributed through web inject campaigns, where users are tricked into downloading fake browser updates. Proofpoint researchers have identified FrigidStealer as a new threat targeting Mac users.
This campaign also uses Windows and Android payloads, suggesting a broad targeting strategy. The malicious JavaScript used to display the fake browser update messages is being adopted by an increasing number of threat actors, making tracking and analysis more challenging. Proofpoint identified two new cybercriminal threat actors, TA2726 and TA2727, operating components of web inject campaigns. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
Cybercriminals are exploiting the legitimate Eclipse Jarsigner tool to deploy the XLoader malware, using a DLL side-loading technique. Researchers at AhnLab Security Intelligence Center (ASEC) discovered the campaign, which involves packaging a legitimate jarsigner.exe executable, a tool used for signing Java Archive (JAR) files, with malicious DLL files inside a compressed ZIP archive. When the legitimate executable is run, the malicious DLLs are loaded, triggering the XLoader malware infection. This method allows the malware to evade security defenses by exploiting the trust associated with a legitimate application.
The attack sequence starts with a renamed version of jarsigner.exe (Documents2012.exe) executing, which then loads a tampered "jli.dll" library. This malicious DLL decrypts and injects "concrt140e.dll," the XLoader payload, into a legitimate process (aspnet_wp.exe). XLoader is designed to steal sensitive information, including user credentials, browser data, and system information. The malware can also download and execute additional malicious payloads. Users are advised to exercise caution when handling compressed files with executable files and accompanying DLLs from unverified sources. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
Microsoft has uncovered a new variant of the XCSSET macOS malware, marking the first major revision since 2022. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware is spread through infected Xcode projects, posing a significant risk to Apple developers.
The new XCSSET variant uses more randomized encoding methods, including Base64 in addition to xxd, and obfuscates module names to make analysis more difficult. The malware also employs a "dock method" where a fake Launchpad application is created, replacing the legitimate Launchpad's path in the dock, ensuring the malicious payload executes every time Launchpad is started. Microsoft advises users to inspect Xcode projects before using them and only install apps from trusted sources. Recommended read:
References :
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community. Recommended read:
References :
Kirsten Doyle@Information Security Buzz
//
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.
These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials. Recommended read:
References :
Aman Mishra@gbhackers.com
//
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud. GitLab's security team discovered these extensions on the official Google Web Store and were used to insert ads and manipulate search engine results.
The malicious extensions operate by checking in with unique configuration servers, transmitting extension versions and hardcoded IDs, and storing configuration data locally. They also create alarms to refresh this data periodically and degrade browser security by stripping Content Security Policy (CSP) protections. Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store. However, users must manually uninstall these extensions as removal from the store does not trigger automatic uninstalls. Recommended read:
References :
Aman Mishra@gbhackers.com
//
References:
gbhackers.com
, www.bleepingcomputer.com
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.
Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures. Recommended read:
References :
@www.the420.in
//
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
This malicious campaign operates by embedding a one-line `` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems. Recommended read:
References :
Field Effect@Blog
//
References:
Blog
, Information Security Buzz
,
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown, however researchers have observed that it's often executed with unassuming file names like "door," "egg," or "log."
Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools. Recommended read:
References :
@securityonline.info
//
A new malware campaign is underway, distributing the Lumma Stealer information stealer via weaponized PDF documents. This campaign specifically targets educational institutions, exploiting compromised infrastructure to deliver malicious LNK files disguised as legitimate PDFs. These files, when executed, initiate a multi-stage infection process designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.
The attackers lure users into downloading these malicious files by disguising them as innocuous documents, such as school fee structures. Once executed, the LNK files trigger PowerShell commands that download and run obfuscated JavaScript code, ultimately deploying the Lumma Stealer payload. The malware employs advanced evasion techniques, including obfuscated JavaScript and encrypted payloads, to avoid detection. This campaign highlights the urgent need for robust cybersecurity measures within educational institutions and other sectors. Lumma Stealer targets various industries beyond education, including finance, healthcare, technology, and media. The use of compromised educational infrastructure as a distribution channel underscores the vulnerabilities in organizational cybersecurity frameworks. Recommended read:
References :
|