CyberSecurity news
FlagThis - #malware
|
sila.ozeren@picussecurity.com (Sıla@Resources-2
//
References:
Resources-2
, securityonline.info
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.
The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results. Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.
The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload. The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign. Recommended read:
References :
@blog.talosintelligence.com
//
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.
This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS. PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception. Recommended read:
References :
@www.trendmicro.com
//
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.
The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems. To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.
VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns. The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat. Recommended read:
References :
@research.checkpoint.com
//
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.
CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection. The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy. Recommended read:
References :
Michael Kan@PCMag Middle East ai
//
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.
This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data. Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A large-scale malware campaign, dubbed JSFireTruck, has infected over 269,000 legitimate websites by injecting malicious JavaScript code. Researchers at Palo Alto Networks Unit 42 discovered the campaign, noting the injected code utilizes JSF*ck, an obfuscation technique making detection difficult. This method leverages only six ASCII characters to create working JavaScript, obscuring the code's true purpose and hindering analysis. The obfuscated code primarily consists of the symbols [, ], +, $, {, and }, further complicating identification.
The injected JavaScript code checks the website referrer, and if a user arrives from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the code redirects them to malicious URLs. These URLs can lead to malware downloads, exploits, traffic monetization schemes, and malvertising. Unit 42's telemetry detected 269,552 web pages infected with JSFireTruck code between March 26 and April 25, 2025, highlighting the widespread impact and rapid proliferation of this campaign. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day. The campaign's scale and stealth pose a significant threat, indicating a coordinated effort to compromise legitimate websites and use them as attack vectors for further malicious activities. The use of JSF*ck further complicates analysis, requiring specialized tools for deobfuscation. Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:Advanced WildFire, Advanced URL Filtering and Advanced DNS Security. Recommended read:
References :
@securityonline.info
//
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.
The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry. The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
References:
The Hacker News
, therecord.media
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.
The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024. A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts. Recommended read:
References :
Jacob Finn@Cisco Talos Blog
//
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.
The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which in turn, dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment. Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms. Recommended read:
References :
drewt@secureworldexpo.com (Drew@SecureWorld News
//
References:
SecureWorld News
, The Hacker News
A surge in malicious packages targeting crypto wallets, Telegram tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, highlighting the persistent vulnerability of the open-source software supply chain. Threat actors are actively exploiting human trust by publishing clones of legitimate software packages. Once installed, these malicious clones execute harmful payloads, ranging from cryptocurrency theft to complete codebase deletion. Researchers have uncovered instances where Telegram API traffic is rerouted to attacker-controlled command-and-control servers, exfiltrating sensitive data like bot tokens, chat IDs, message content, and attached files.
This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered, utilizing deceptive websites spoofing Gitcodes and Docusign, to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system. Sophos researchers also exposed a large-scale GitHub campaign where backdoored malware was disguised as legitimate tools. This campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns use various methods of deception, including automated commits to give the impression of active development and obfuscation of payloads to avoid detection, showing the lengths these actors will go to to exploit the software supply chain. Recommended read:
References :
@securebulletin.com
//
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.
This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence. Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness. Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape. Recommended read:
References :
@hivepro.com
//
A new malware campaign is actively exploiting the PuTTY SSH client and the built-in OpenSSH in Windows systems to establish backdoors on compromised machines. This sophisticated attack leverages the popularity and trust associated with these legitimate tools, transforming them into weapons for malicious purposes. Categorized as a "Living Off the Land Binary" (LOLBIN) tactic, this approach allows attackers to evade detection by traditional security software, maintaining unauthorized remote access and control over infected systems. This can lead to data theft, system compromise, and further malware propagation within the network.
The attack campaign, tracked by HivePro, involves the deployment of trojanized versions of PuTTY, a widely used free SSH client, and the abuse of the OpenSSH client integrated into Windows 10 since version 1803. Attackers are using a multi-stage approach, including registry manipulation and the creation of malicious SSH configuration files, to establish persistent communication with their command-and-control infrastructure. A recent malware sample, disguised as "dllhost.exe," exemplifies this strategy, attempting to start the "SSHService" and, if unsuccessful, manipulating registry keys to store randomly chosen ports for future connections. Security experts emphasize the importance of vigilance and caution among system administrators. It is crucial to ensure the use of genuine versions of PuTTY and to monitor SSH traffic for any suspicious activity. The integration of OpenSSH into Windows, while beneficial for system administrators, has inadvertently expanded the attack surface, providing malicious actors with new opportunities to abuse legitimate functionality. By understanding the tactics and techniques employed in this campaign, organizations can better protect themselves against this evolving threat. Recommended read:
References :
@blog.checkpoint.com
//
References:
www.microsoft.com
, Catalin Cimpanu
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.
Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals. In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats. Recommended read:
References :
@securityonline.info
//
A new Rust-based infostealer, EDDIESTEALER, is being spread using the ClickFix social engineering technique, according to a report by Elastic Security Labs on May 30, 2025. This method leverages fake CAPTCHA prompts on compromised websites. Users are tricked into copying and pasting a PowerShell command into their Windows terminal, believing they are verifying they aren't a robot. This command then downloads and executes a malicious JavaScript file, gverify.js, which in turn retrieves the final EDDIESTEALER payload.
The EDDIESTEALER malware is designed to steal sensitive information from infected hosts. Written in Rust, it avoids static analysis through various obfuscation techniques, including XOR string encryption and stripping of function symbols. The malware dynamically retrieves a task list from the attacker's command-and-control (C2) server, enabling it to adapt its behavior over time. Elastic Security Labs has observed it targeting a range of cryptocurrency wallets, web browsers, password managers, FTP clients, and the Telegram messaging app. EDDIESTEALER also employs several evasion techniques, including a basic anti-sandbox check, a self-deletion mechanism, and a custom Windows API lookup method to avoid static analysis of its API interactions. The dynamic C2 tasking method allows attackers to update the list of targeted apps as needed, providing greater flexibility and adaptability. Security experts emphasize the continued popularity of the ClickFix social engineering method and the increasing use of the Rust programming language among malware developers in campaigns like this. Recommended read:
References :
|