CyberSecurity news
FlagThis - #infostealer
|
@www.huntress.com
//
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.
Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process. The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff. Recommended read:
References :
Dissent@DataBreaches.Net
//
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.
Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data. The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials. Recommended read:
References :
@cyberscoop.com
//
INTERPOL has announced the successful culmination of Operation Secure, a global initiative targeting the infrastructure of information-stealing malware. The operation, which spanned from January to April 2025, involved law enforcement agencies from 26 countries who worked collaboratively to locate servers, map physical networks, and execute targeted takedowns. This coordinated effort resulted in the dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different variants of infostealer malware, significantly disrupting cybercriminal activities worldwide.
Operation Secure also led to the seizure of 41 servers and over 100 GB of data, providing valuable insights into the operations of cybercriminals. A total of 32 suspects were arrested across multiple countries in connection with illegal cyber activities, demonstrating the effectiveness of international cooperation in combating cybercrime. Eighteen arrests occurred in Vietnam, where authorities confiscated devices, SIM cards, business registration documents, and a substantial sum of cash, revealing a scheme to open and sell corporate accounts for illicit purposes. The operation was further bolstered by the contributions of private sector cybersecurity firms, including Group-IB, Kaspersky, and Trend Micro, who provided critical intelligence and Cyber Activity Reports to assist cyber teams. This collaboration resulted in the takedown of 79% of identified suspicious IP addresses. Hong Kong police played a key role by analyzing over 1,700 pieces of intelligence and identifying 117 command-and-control servers used by cybercriminals to orchestrate phishing schemes, online fraud, and social media scams. Recommended read:
References :
Matt Burgess,@WIRED
//
References:
arstechnica.com
, WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.
The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information. Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness. Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape. Recommended read:
References :
@blog.checkpoint.com
//
References:
www.microsoft.com
, Catalin Cimpanu
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.
Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals. In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats. Recommended read:
References :
@securityonline.info
//
Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.
This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs. EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development. Recommended read:
References :
djohnson@CyberScoop
//
A sophisticated multi-stage malware campaign is exploiting the growing interest in AI video generation tools to distribute the Noodlophile information stealer. Cybercriminals are using social media platforms like Facebook and LinkedIn to post malicious ads that lure users to fake websites promising AI video generation services. These websites, designed to mimic legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI, instead deliver a range of malware including infostealers, Trojans, and backdoors. The campaign has been active since mid-2024, with thousands of malicious ads reaching millions of unsuspecting users.
The attackers, identified as the Vietnamese-speaking threat group UNC6032, utilize a complex infrastructure to evade detection. They constantly rotate the domains used in their ads and create new ads daily, using both compromised and newly created accounts. Once a user clicks on a malicious ad and visits a fake website, they are led through a deceptive process that appears to generate an AI video. However, instead of receiving a video, the user is prompted to download a ZIP file containing malware. Executing this file compromises the device, potentially logging keystrokes, scanning for password managers and digital wallets, and installing backdoors. The malware deployed in this campaign includes the STARKVEIL dropper, which then deploys the XWorm and FROSTRIFT backdoors, and the GRIMPULL downloader. The Noodlophile stealer itself is designed to extract sensitive information such as login credentials, cookies, and credit card data, which is then exfiltrated through Telegram. Mandiant Threat Defense reports that these attacks have resulted in the theft of personal information and are concerned that the stolen data is likely sold on illegal online markets. Users are urged to exercise caution and verify the legitimacy of AI tools before using them. Recommended read:
References :
djohnson@CyberScoop
//
A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.
The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads. This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A concerning trend has emerged on TikTok where cybercriminals are exploiting the platform's widespread reach through AI-generated videos to distribute malware. These deceptive videos lure users into executing malicious PowerShell commands under the guise of providing instructions for software activation or unlocking premium features for applications like Windows, Microsoft Office, Spotify, and CapCut. Trend Micro researchers discovered that these videos, often featuring AI-generated voices and visuals, instruct viewers to run specific commands that ultimately download and install information-stealing malware such as Vidar and StealC.
One notable example highlighted by researchers involves a TikTok video claiming to offer instant Spotify enhancements, which amassed nearly half a million views along with a significant number of likes and comments. However, instead of delivering the promised benefits, the command provided in the video downloads a remote script that installs Vidar or StealC malware, executing it as a hidden process with elevated system privileges. These infostealers are designed to harvest sensitive information, including credentials, browser sessions, and cryptocurrency wallets, posing a substantial risk to unsuspecting users who fall victim to this social-engineering attack. Security experts warn that these attacks are leveraging the "ClickFix" technique and using AI to generate convincing "how-to" videos. By exploiting the trust users place in video tutorials and the desire for free software or features, cybercriminals are effectively tricking individuals into infecting their own systems. Once active, the malware connects to command-and-control (C&C) servers to exfiltrate stolen data. Vidar employs stealthy tactics, utilizing platforms like Steam and Telegram as Dead Drop Resolvers to hide C&C details, while StealC uses direct IP connections. Users are urged to exercise caution and verify the legitimacy of instructions before running any commands provided in online videos. Recommended read:
References :
karlo.zanki@reversinglabs.com (Karlo@Blog (Main)
//
References:
Blog (Main)
, www.tripwire.com
,
Cybersecurity experts are raising alarms over the increasing use of artificial intelligence for malicious purposes. ReversingLabs (RL) researchers recently discovered a new malicious campaign targeting the Python Package Index (PyPI) that exploits the Pickle file format. This attack involves threat actors distributing malicious ML models disguised as a "Python SDK for interacting with Aliyun AI Labs services," preying on users of Alibaba AI labs. Once installed, the package delivers an infostealer payload hidden inside a PyTorch model, exfiltrating sensitive information such as machine details and contents of the .gitconfig file. This discovery highlights the growing trend of attackers leveraging AI and machine learning to compromise software supply chains.
Another significant security concern is the rise of ransomware attacks employing social engineering tactics. The 3AM ransomware group has been observed impersonating IT support personnel to trick employees into granting them remote access to company networks. Attackers flood an employee's inbox with unsolicited emails and then call, pretending to be from the organization's IT support, using spoofed phone numbers to add credibility. They then convince the employee to run Microsoft Quick Assist, granting them remote access to "fix" the email issue, allowing them to deploy malicious payloads, create new user accounts with admin privileges, and exfiltrate large amounts of data. This highlights the need for comprehensive employee training to recognize and defend against social engineering attacks. The US Department of Justice has announced charges against 16 Russian nationals allegedly tied to the DanaBot malware operation, which has infected at least 300,000 machines worldwide. The indictment describes how DanaBot was used in both for-profit criminal hacking and espionage against military, government, and NGO targets. This case illustrates the blurred lines between cybercrime and state-sponsored cyberwarfare, with a single malware operation enabling various malicious activities, including ransomware attacks, cyberattacks in Ukraine, and spying. The Defense Criminal Investigative Service (DCIS) has seized DanaBot infrastructure globally, underscoring the severity and scope of the threat posed by this operation. Recommended read:
References :
Waqas@hackread.com
//
A massive database containing over 184 million unique login credentials has been discovered online by cybersecurity researcher Jeremiah Fowler. The unprotected database, which amounted to approximately 47.42 gigabytes of data, was found on a misconfigured cloud server and lacked both password protection and encryption. Fowler, from Security Discovery, identified the exposed Elastic database in early May and promptly notified the hosting provider, leading to the database being removed from public access.
The exposed credentials included usernames and passwords for a vast array of online services, including major tech platforms like Apple, Microsoft, Facebook, Google, Instagram, Snapchat, Roblox, Spotify, WordPress, and Yahoo, as well as various email providers. More alarmingly, the data also contained access information for bank accounts, health platforms, and government portals from numerous countries, posing a significant risk to individuals and organizations. The authenticity of the data was confirmed by Fowler, who contacted several individuals whose email addresses were listed in the database, and they verified that the passwords were valid. The origin and purpose of the database remain unclear, with no identifying information about its owner or collector. The sheer scope and diversity of the login details suggest that the data may have been compiled by cybercriminals using infostealer malware. Jeremiah Fowler described the find as "one of the most dangerous discoveries" he has found in a very long time. The database's IP address pointed to two domain names, one of which was unregistered, further obscuring the identity of the data's owner and intended use. Recommended read:
References :
|