@unit42.paloaltonetworks.com
//
References:
Virus Bulletin
, The Hacker News
,
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.
This campaign, observed in December 2024, begins with phishing emails disguised as order release requests, enticing recipients to open malicious archive attachments. These attachments contain JavaScript encoded (.JSE) files, which initiate the infection chain by downloading and executing a PowerShell script from an external server. The PowerShell script then decodes and executes a Base64-encoded payload. The attack then diverges into two possible execution paths. One involves a .NET executable that decrypts an embedded payload, like Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other path uses an AutoIt compiled executable containing an encrypted payload that loads shellcode, ultimately injecting a .NET file into a "RegSvcs.exe" process, ultimately leading to Agent Tesla deployment. This dual-path approach highlights the attacker's focus on resilience and evasion, using simple, stacked stages to complicate analysis and detection. Recommended read:
References :
@www.microsoft.com
//
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.
The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST. The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes. Recommended read:
References :
Aman Mishra@gbhackers.com
//
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.
The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload. After the fake conversion process and CAPTCHA interaction, users are prompted to execute a PowerShell command. This command initiates a sophisticated redirection chain to obscure the malware delivery, ultimately leading to the distribution of the ArechClient2 infostealer. The malware is known for its ability to steal sensitive data, including browser credentials and cryptocurrency wallet information. Cybersecurity experts advise users to rely on verified tools from official websites, keep anti-malware software updated, and implement endpoint detection and response solutions to defend against these advanced threats. Recommended read:
References :
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications. GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks. Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging. GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection. Recommended read:
References :
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell. Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services. Recommended read:
References :
SC Staff@scmagazine.com
//
A new cyberespionage campaign, attributed to the hacking group UAC-0226, is actively targeting Ukrainian organizations. The campaign, ongoing since February 2025, focuses on stealing sensitive information from military formations, law enforcement agencies, and local government bodies, particularly those near the country's eastern border with Russia. The hackers are exploiting trust by impersonating Ukrainian state agencies and drone manufacturers in their attacks.
The UAC-0226 group employs spear-phishing tactics, using malicious Microsoft Excel files (.xlsm) as the primary attack vector. These files often reference sensitive topics such as landmine clearance, administrative fines, drone production, and compensation for destroyed property. When opened and macros are enabled, the files deploy malware, including a PowerShell script and a new stealer malware dubbed GIFTEDCROOK. GIFTEDCROOK is designed to steal browser data like cookies, browsing history, and saved passwords from Chrome, Edge, and Firefox, before exfiltrating it via Telegram. CERT-UA (Computer Emergency Response Team of Ukraine) has issued warnings and recommendations to remain vigilant against these attacks. They advise system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity, especially phishing attempts originating from compromised accounts. CERT-UA has been tracking this activity since February, but has not yet attributed the campaign to any known hacker group. Recommended read:
References :
@gbhackers.com
//
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.
The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password. Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign. Recommended read:
References :
@blog.extensiontotal.com
//
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.
The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion. This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats. Recommended read:
References :
Andrey Gunkin@Securelist
//
The APT group ToddyCat has been discovered exploiting a vulnerability, CVE-2024-11859, in ESET's command-line scanner (ecls) to conceal their malicious activities. This sophisticated attack, uncovered during investigations into ToddyCat-related incidents in early 2024, involved using a malicious DLL library to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. Researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems, which was identified as a complex tool called TCESB, designed to stealthily execute payloads in circumvention of protection mechanisms.
This vulnerability stemmed from ESET's scanner's insecure loading of the system library, version.dll. The attackers leveraged a DLL-proxying technique, where the malicious DLL exports functions identical to a legitimate library, redirecting calls to the original while executing malicious code in the background. By exploiting this weakness, ToddyCat was able to mask their activities within a trusted process, making it difficult for traditional security measures to detect the threat. The vulnerability allowed the malicious DLL to be loaded instead of the legitimate one. To further enhance their stealth, ToddyCat employed the Bring Your Own Vulnerable Driver (BYOVD) technique. They deployed the Dell driver DBUtilDrv2.sys, exploiting the CVE-2021-36276 vulnerability to achieve kernel-level access and tamper with kernel memory structures. This allowed them to disable system event notifications, such as process creation or dynamic library loading, making their activities even harder to detect. Recognizing the severity of the issue, ESET promptly patched the vulnerability (CVE-2024-11859) in January 2025. Recommended read:
References :
Mandvi@Cyber Security News
//
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and CloudFlare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.
The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer. Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications. Recommended read:
References :
CyberNewswire@hackread.com
//
SpyCloud has released new research indicating a significant gap in the effectiveness of endpoint detection and response (EDR) and antivirus (AV) solutions. According to their analysis of recaptured darknet data, a staggering 66% of malware infections occur on devices that already have endpoint security solutions installed. This highlights the increasing ability of threat actors to bypass traditional security measures.
The report emphasizes that modern infostealer malware employs sophisticated tactics to evade detection, even by EDR solutions with advanced AI and telemetry analysis. These tactics include polymorphic malware, memory-only execution, and exploiting zero-day vulnerabilities or outdated software. Data from 2024 showed that nearly one in two corporate users were victims of malware infections, and in the prior year, malware was the cause of 61% of all breaches. Damon Fleury, Chief Product Officer at SpyCloud, stated that the consequences of undetected malware infections can be "catastrophic." He emphasized the ongoing "arms race" where attackers constantly evolve their techniques to avoid detection. SpyCloud aims to provide a crucial line of defense by uncovering infostealer infections that slip past EDR and AV solutions, detecting when stolen data surfaces in the criminal underground, and automatically feeding this intelligence back to EDRs to facilitate quarantine and remediation. Recommended read:
References :
|