CyberSecurity news

FlagThis - #malware

@www.microsoft.com - 14d
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. In this technique the attacker starts a device code sign-in, sends the resulting code to the victim inside a lure, and obtains the account's access and refresh tokens once the victim enters that code on the legitimate Microsoft sign-in page. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations such as the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.

Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
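One way to hunt for this in sign-in telemetry, as an added example that is not Microsoft's or Volexity's hunting query: in device code phishing the victim types the code at the real Microsoft login page, but the token is redeemed by the attacker's client, so a successful device code sign-in shows the attacker's IP rather than one the user normally signs in from. The script below flags device code sign-ins whose source IP the user had not used for an interactive sign-in in the preceding 30 days. The record field names (upn, ip, protocol, app, result) are assumptions modelled on Entra ID sign-in log exports and need mapping to your own schema; the sample records are constructed.

```python
"""Hunt for device code sign-ins from IPs a user has never signed in from.

Added example for the Storm-2372 item; not Microsoft's or Volexity's query.
Field names are assumptions modelled on Entra ID sign-in logs: protocol
"deviceCode" marks the OAuth device authorization grant, result 0 is success.
"""
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real telemetry).
SAMPLE_SIGNINS = [
    {"time": "2025-02-10T08:01:00Z", "upn": "alice@example.org", "ip": "203.0.113.10",
     "protocol": "none", "app": "Microsoft Teams", "result": 0},
    {"time": "2025-02-10T09:15:00Z", "upn": "alice@example.org", "ip": "198.51.100.7",
     "protocol": "deviceCode", "app": "Microsoft Office", "result": 0},
    {"time": "2025-02-09T10:00:00Z", "upn": "bob@example.org", "ip": "203.0.113.22",
     "protocol": "none", "app": "Outlook", "result": 0},
    {"time": "2025-02-10T09:40:00Z", "upn": "bob@example.org", "ip": "203.0.113.22",
     "protocol": "deviceCode", "app": "Azure CLI", "result": 0},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def known_ips(records, upn, before, window_days=30):
    """IPs the user successfully signed in from, other than via device code,
    in the window before the sign-in under review."""
    cutoff = before - timedelta(days=window_days)
    return {
        r["ip"] for r in records
        if r["upn"] == upn and r["protocol"] != "deviceCode" and r["result"] == 0
        and cutoff <= parse_time(r["time"]) < before
    }


def suspicious_device_code_signins(records):
    """Successful device code sign-ins from an IP the user has no history on.

    Returns (upn, ip, app, time) tuples; the attacker's polling client is the
    party that redeems the code, so its IP appears here, not the victim's.
    """
    findings = []
    for r in records:
        if r["protocol"] != "deviceCode" or r["result"] != 0:
            continue
        if r["ip"] not in known_ips(records, r["upn"], parse_time(r["time"])):
            findings.append((r["upn"], r["ip"], r["app"], r["time"]))
    return findings


if __name__ == "__main__":
    for upn, ip, app, when in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{when} {upn} device code sign-in to {app} from unfamiliar IP {ip}")
```

Alice's device code sign-in from 198.51.100.7 is flagged; Bob's Azure CLI sign-in is not, because he signed in interactively from the same address the day before. Treat the result as a triage queue rather than a verdict, and pair it with Microsoft's recommended mitigation of blocking the device code flow by Conditional Access policy where the organization does not need it.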

Recommended read:
References :
  • www.microsoft.com: Storm-2372 conducts device code phishing campaign
  • Volexity: recently identified multiple Russian threat actors targeting users via spear-phishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success
  • cyberscoop.com: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • The Register - Security: If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish
  • Microsoft Security Blog: Storm-2372 conducts device code phishing campaign
  • www.volexity.com: Volexity: Multiple Russian threat actors have been identified targeting Microsoft 365 accounts through Device Code Authentication phishing campaigns, according to Volexity. These attacks, which began in mid-January 2025, involve social engineering and spear-phishing tactics, often masquerading as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence.
  • cyberinsider.com: Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts
  • Threats | CyberScoop: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • Security Risk Advisors: Attackers Exploit Device Code Phishing to Hijack Microsoft Accounts in Global Storm-2372 Drive
  • The Hacker News: Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts
  • www.helpnetsecurity.com: Discussion of the ongoing Microsoft 365 campaign.
  • www.infosecurity-magazine.com: More details about the ongoing Microsoft 365 campaign.
  • arstechnica.com: Russian spies use device code phishing to hijack Microsoft accounts
  • securityaffairs.com: Storm-2372 used the device code phishing technique since August 2024
  • Christoffer S.: Volexity report on multiple Russian threat actors targeting Microsoft 365 accounts via Device Code Authentication phishing campaigns
  • BleepingComputer: An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing.
  • www.bleepingcomputer.com: Microsoft Hackers Steal Emails in Device Code Phishing Attacks
  • securityaffairs.com: Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries.
  • Graham Cluley: Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks
  • Email Security - Blog: Security Alert: Device Code Authentication Phishing Attack

@Talkback Resources - 2d
References: bsky.app , BleepingComputer , socket.dev ...
Millions of WordPress websites are exposed to script injection due to a vulnerability in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, tracked as CVE-2025-24752 with a CVSS score of 7.1 (High), allows reflected cross-site scripting (XSS): the plugin's password reset functionality fails to sanitize a URL parameter before echoing it, so a victim who follows a crafted link executes attacker-supplied script in the context of the site.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

Pierluigi Paganini@Security Affairs - 4d
The GitVenom campaign, a sophisticated cyber threat, has been uncovered abusing GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users' systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionality such as automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.

The malicious components include a Node.js stealer that collects sensitive information such as credentials and cryptocurrency wallet data and uploads it to the attackers. According to Kaspersky's Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.

Recommended read:
References :
  • Cyber Security News: GitVenom Campaign Exploits Thousands of GitHub Repositories to Spread Infections
  • gbhackers.com: The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
  • Talkback Resources: Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials through fraudulent repositories, resulting in the attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
  • Talkback Resources: Open-source code has a significant impact on software development, but developers should be cautious of the GitVenom campaign involving threat actors creating fake projects on GitHub to distribute malicious code and steal sensitive information.
  • The Hacker News: GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets
  • securityaffairs.com: GitVenom campaign targets gamers and crypto investors by posing as fake GitHub projects
  • The Register - Security: Reports that more than 200 GitHub repos are hosting fake projects laced with malicious software.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Talkback Resources: Malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Help Net Security: Hundreds of GitHub repos served up malware for years
  • bsky.app: Bluesky post about the malware campaign GitVenom.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers.
  • aboutdfir.com: GitVenom attacks abuse hundreds of GitHub repos to steal crypto

@www.bleepingcomputer.com - 10d
Chinese-linked threat actor Mustang Panda has been observed abusing the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). Because the injection is performed by a signed Microsoft binary, the malware runs without being flagged by security software. The technique combines legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.

Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
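A detection for this chain in process-creation telemetry, as an added example that is not Trend Micro's logic: MAVInject is the App-V injector, so its `/INJECTRUNNING <PID> <DLL>` usage is expected from an App-V client, but not when the DLL or the parent process lives in a user-writable directory, and waitfor.exe has no business being spawned by a binary in such a directory. The `/INJECTRUNNING` switch is MAVInject's documented argument and is not quoted on this page; the event field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1 and the events, paths and DLL names below are constructed.

```python
"""Flag MAVInject.exe abuse and waitfor.exe misuse in process-creation events.

Added example for the Earth Preta / Mustang Panda item; not Trend Micro's
detection. Events are constructed, with Sysmon Event ID 1 field names.
"""
import re
from pathlib import PureWindowsPath

# Constructed events: a sideloaded host injecting into waitfor.exe, the
# waitfor.exe launch itself, a benign App-V style injection, and noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 4212 /INJECTRUNNING C:\Users\Public\Libraries\payload.dll",
     "ParentImage": r"C:\Users\Public\Libraries\OriginLegacyCLI.exe"},
    {"Image": r"C:\Windows\System32\waitfor.exe",
     "CommandLine": "waitfor.exe wait sync1",
     "ParentImage": r"C:\Users\Public\Libraries\OriginLegacyCLI.exe"},
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 1100 /INJECTRUNNING C:\Program Files\Vendor\appv.dll",
     "ParentImage": r"C:\Program Files\Vendor\Setup.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Path fragments that an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# MAVInject's injection syntax: <PID> /INJECTRUNNING <path to DLL>
INJECT_RE = re.compile(r"(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def evaluate(event):
    """Return (severity, reason) for a suspicious event, else None."""
    name, cmd, parent = image_name(event["Image"]), event["CommandLine"], event["ParentImage"]
    if name == "mavinject.exe":
        m = INJECT_RE.search(cmd)
        if m:
            pid, dll = m.group(1), m.group(2).strip().strip('"')
            if is_user_writable(dll) or is_user_writable(parent):
                return ("high", f"MAVInject loading {dll} into PID {pid}, parent {parent}")
            return ("medium", f"MAVInject /INJECTRUNNING used by {parent}")
    if name == "waitfor.exe" and is_user_writable(parent):
        return ("medium", f"waitfor.exe spawned by user-writable parent {parent}")
    return None


def scan(events):
    """(image, severity, reason) for every event that matches a rule."""
    hits = []
    for e in events:
        hit = evaluate(e)
        if hit:
            hits.append((e["Image"], *hit))
    return hits


if __name__ == "__main__":
    for image, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

The third event is kept at medium rather than dropped so that a tuned environment can allowlist its own App-V deployment paths instead of the tool; on hosts with no App-V at all, any `/INJECTRUNNING` invocation deserves a look.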

Recommended read:
References :
  • www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
  • securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT)
  • Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
  • Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
  • securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
  • aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
  • The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
  • www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
  • Anonymous: hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
  • BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
  • Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
  • aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus. The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.

info@thehackernews.com (The Hacker News)@The Hacker News - 4d
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.

The attack chain begins with a Google Drive shared document hosting a RAR archive containing a malicious Excel workbook. When opened, the workbook triggers the execution of an obfuscated macro, paving the way for a simplified version of PicassoLoader. While a decoy Excel file is displayed to the victim, additional payloads are downloaded onto the system. Techniques like steganography, hiding malicious code within seemingly harmless JPG images, are also used to retrieve second-stage malware from remote URLs. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, highlighting a persistent cyberespionage operation against Ukrainian targets.
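Two triage checks for the artefacts in this chain, as an added example that is not SentinelOne's tooling: whether an Excel workbook carries a VBA project at all, and whether a JPEG has data appended after its end-of-image marker, which is the simplest form of the image-hosted second stage described above. The JPEG walker parses marker segments rather than searching for the EOI bytes, so an EXIF thumbnail's own EOI does not stop it early and 0xFF00 byte stuffing and RSTn markers inside scan data are handled. It does not detect payloads hidden in pixel values; that needs a dedicated tool. The workbook and image below are constructed, not captured lures.

```python
"""Triage helpers for the Ghostwriter lure chain: VBA project presence in an
Office file and bytes appended after a JPEG's EOI marker.

Added example, not SentinelOne's tooling. Samples are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container


def jpeg_trailer(data: bytes) -> bytes:
    """Bytes after the JPEG EOI marker (empty for a clean file)."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"corrupt segment header at offset {pos}")
            pos += 1                              # entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if in_scan and (marker == 0x00 or 0xD0 <= marker <= 0xD7):
            pos += 2                              # stuffed 0xFF or RSTn marker
            continue
        if marker == 0xD9:                        # EOI: anything after it is a trailer
            return data[pos + 2:]
        if marker == 0xDA:                        # SOS: scan data follows its header
            in_scan = True
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length                         # skip marker + length-prefixed segment
    raise ValueError("no EOI marker")


def office_macro_status(data: bytes) -> str:
    """'ooxml-macro', 'ooxml-clean', 'legacy-ole' (hand to an OLE/VBA parser
    such as olevba) or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
        return "ooxml-macro" if any(n.endswith("vbaproject.bin") for n in names) else "ooxml-clean"
    return "unknown"


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP0, SOS header, scan data containing a
    stuffed 0xFF and a restart marker, EOI, then the optional appended payload."""
    app0 = b"\xff\xe0\x00\x10" + b"JFIF\x00" + b"\x00" * 9      # segment length 16
    sos = b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"     # segment length 8
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed OOXML workbook, optionally carrying a (stub) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(office_macro_status(build_sample_workbook(True)))
    print(jpeg_trailer(build_sample_jpeg(b"<stage2>")))
```

A non-empty trailer is not proof of malice (some cameras and editors append metadata), so feed the trailer bytes to further analysis rather than alerting on length alone; a workbook whose only job is to display a decoy should not need a VBA project.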

Recommended read:
References :
  • bsky.app: After many reports on Ghostwriter's info-ops, SentinelOne has seen the group returning to malware delivery, this time with a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations
  • Talkback Resources: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
  • The Hacker News: Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware
  • Talkback Resources: Talkback post on Excel Macros to Deploy Malware
  • Anonymous: A new malware campaign targets Belarusian activists and the Ukrainian military, using Excel files to deliver PicassoLoader.
  • Virus Bulletin: SentinelLABS researcher Tom Hegel writes about an extension of the long-running Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations with weaponized Excel documents lures.
  • Information Security Buzz: Cybersecurity researchers at SentinelLABS have uncovered a new campaign linked to the long-running Ghostwriter operation, targeting Belarusian opposition activists and Ukrainian military and government entities. 
  • gbhackers.com: Ghostwriter Malware Targets Government Organizations with Weaponized XLS File
  • securityaffairs.com: New Ghostwriter campaign targets Ukrainian Government and opposition activists in Belarus
  • Know Your Adversary: 058. Hunting for Ghostwriter
  • Cyber Security News: Ghostwriter Malware Attacks Government Organizations Using Weaponized XLS File

@securityonline.info - 9d
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.

Recommended read:
References :
  • securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
  • The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
  • www.scworld.com: Global XMRig attack campaign involves trojanized game installers
  • Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
  • Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
  • Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
  • gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
  • BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic
  • www.bleepingcomputer.com: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • Anonymous: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.

@PCWorld - 10d
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By compiling the script into a standalone executable, the malware may bypass signature-based antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder as ageless[.]exe, sets the file's attributes to hidden, and creates “ageless.vbs” in the %Startup% folder so that it runs at every logon.

Recommended read:
References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges

info@thehackernews.com (The Hacker News)@The Hacker News - 12d
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.

Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.

Netskope highlights that the use of cloud applications like Telegram presents a challenge for defenders, as attackers exploit the ease of use and setup these apps provide during various attack phases. The use of Russian in the "/cmd" instruction, which sends the message "Enter the command:" in Russian, further supports the assessment of a potential Russian origin.
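Two hunts that follow directly from the behaviour above, as an added example that is not Netskope's detection logic: svchost.exe running from anywhere other than the Windows system directories (the backdoor copies itself to C:\Windows\Temp\svchost.exe), and connections to api.telegram.org from processes not on a short allowlist of things you expect to use the Bot API. Field names follow Sysmon (Event ID 1 Image; Event ID 3 Image and DestinationHostname) and are an assumption about your telemetry; the events and the allowlisted alerting script path are constructed.

```python
"""Hunt for a masquerading svchost.exe and for unexpected Telegram Bot API clients.

Added example for the Golang/Telegram backdoor item; not Netskope's logic.
Sysmon-style field names are assumed; all events are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TELEGRAM_API = "api.telegram.org"
# Images you expect to talk to the Bot API (constructed example: an alerting script).
TELEGRAM_API_ALLOWLIST = {r"c:\tools\alertbot\python.exe"}

SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\Temp\svchost.exe"},        # path used by the backdoor
    {"Image": r"C:\Windows\SysWOW64\svchost.exe"},
]
SAMPLE_NETWORK_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Tools\alertbot\python.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationHostname": "example.org"},
]


def masquerading_svchost(process_events):
    """Images named svchost.exe whose directory is not a Windows system directory."""
    hits = []
    for e in process_events:
        p = PureWindowsPath(e["Image"])
        if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS:
            hits.append(e["Image"])
    return hits


def unexpected_telegram_api_clients(network_events):
    """Images connecting to the Bot API endpoint that are not allowlisted."""
    return [
        e["Image"] for e in network_events
        if e.get("DestinationHostname", "").lower() == TELEGRAM_API
        and e["Image"].lower() not in TELEGRAM_API_ALLOWLIST
    ]


if __name__ == "__main__":
    for image in masquerading_svchost(SAMPLE_PROCESS_EVENTS):
        print("svchost.exe outside system directory:", image)
    for image in unexpected_telegram_api_clients(SAMPLE_NETWORK_EVENTS):
        print("unexpected Telegram Bot API client:", image)
```

The Bot API is plain HTTPS to a well-known host, so the second hunt works from proxy or DNS logs as well as from endpoint telemetry; the point is that the destination is legitimate and only the client process tells you whether the traffic is.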

Recommended read:
References :
  • ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
  • securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
  • The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
  • Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
  • www.scworld.com: Telegram API exploited by new Golang backdoor
  • Security Risk Advisors: New Golang backdoor abuses Telegram Bot API for stealthy remote commands and self-destruct.
  • securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram
  • Threat Labs - Netskope: Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
  • www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations

info@thehackernews.com (The Hacker News)@The Hacker News - 9d
Cybercriminals are exploiting the legitimate Eclipse Jarsigner tool to deploy the XLoader malware, using a DLL side-loading technique. Researchers at AhnLab Security Intelligence Center (ASEC) discovered the campaign, which involves packaging a legitimate jarsigner.exe executable, a tool used for signing Java Archive (JAR) files, with malicious DLL files inside a compressed ZIP archive. When the legitimate executable is run, the malicious DLLs are loaded, triggering the XLoader malware infection. This method allows the malware to evade security defenses by exploiting the trust associated with a legitimate application.

The attack sequence starts with a renamed version of jarsigner.exe (Documents2012.exe) executing, which then loads a tampered "jli.dll" library. This malicious DLL decrypts and injects "concrt140e.dll," the XLoader payload, into a legitimate process (aspnet_wp.exe). XLoader is designed to steal sensitive information, including user credentials, browser data, and system information. The malware can also download and execute additional malicious payloads. Users are advised to exercise caution when handling compressed files with executable files and accompanying DLLs from unverified sources.

Recommended read:
References :
  • Cyber Security News: Cybercriminals Abuse Jarsigner to Spread XLoader Malware
  • gbhackers.com: Hackers Exploit Jarsigner Tool to Deploy XLoader Malware
  • The Hacker News: Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives
  • cyberpress.org: Cybercriminals Abuse Jarsigner to Spread XLoader Malware
  • Talkback Resources: Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives [rev] [mal]
  • www.scworld.com: Intrusions begin with the spread of a compressed ZIP archive containing a renamed jarsigner.exe file, which when executed prompts the loading of a tampered DLL library and eventual injection of XLoader malware, according to an analysis from the AhnLab Security Intelligence Center.
  • Talkback Resources: XLoader malware campaign uses DLL side-loading with legitimate Eclipse Foundation application, distributing payload in compressed ZIP archive to steal sensitive information and download additional malware, evolving with obfuscation and encryption layers to evade detection, potentially linked to other loaders like NodeLoader and RiseLoader.

info@thehackernews.com (The Hacker News)@The Hacker News - 12d
Microsoft has uncovered a new variant of the XCSSET macOS malware, marking the first major revision since 2022. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware is spread through infected Xcode projects, posing a significant risk to Apple developers.

The new XCSSET variant uses more randomized encoding methods, including Base64 in addition to xxd, and obfuscates module names to make analysis more difficult. The malware also employs a "dock method" where a fake Launchpad application is created, replacing the legitimate Launchpad's path in the dock, ensuring the malicious payload executes every time Launchpad is started. Microsoft advises users to inspect Xcode projects before using them and only install apps from trusted sources.
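A check for the dock method on a developer Mac, as an added example that is not Microsoft's detection: the Dock stores its tiles in the com.apple.dock preference plist, and a tile labelled Launchpad (or whose bundle is named Launchpad.app) that does not point at the system Launchpad.app is exactly the substitution described above. The script parses that plist, which `defaults export com.apple.dock -` prints as XML; the sample plist and the fake Launchpad path in it are constructed.

```python
"""Find Dock tiles that claim to be Launchpad but point somewhere else.

Added example for the XCSSET item; not Microsoft's detection. Reads the Dock
preference plist (as printed by `defaults export com.apple.dock -`); the
sample plist below is constructed.
"""
import plistlib
import sys
from urllib.parse import unquote

# Real Launchpad.app location on current macOS; older releases used /Applications.
ALLOWED_LAUNCHPAD_PATHS = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}


def dock_tiles(dock_plist: bytes):
    """(label, filesystem path) for each persistent app tile in the Dock plist."""
    dock = plistlib.loads(dock_plist)
    tiles = []
    for tile in dock.get("persistent-apps", []):
        td = tile.get("tile-data", {})
        url = td.get("file-data", {}).get("_CFURLString", "")
        path = url[len("file://"):] if url.startswith("file://") else url
        tiles.append((td.get("file-label", ""), unquote(path).rstrip("/")))
    return tiles


def suspicious_launchpad_tiles(dock_plist: bytes):
    """Tiles that look like Launchpad by label or bundle name but resolve
    outside the allowed system locations."""
    hits = []
    for label, path in dock_tiles(dock_plist):
        looks_like_launchpad = (label.lower() == "launchpad"
                                or path.lower().endswith("/launchpad.app"))
        if looks_like_launchpad and path not in ALLOWED_LAUNCHPAD_PATHS:
            hits.append((label, path))
    return hits


def build_sample_dock(launchpad_url: str) -> bytes:
    """Constructed com.apple.dock plist with a Launchpad tile at the given URL."""
    dock = {"persistent-apps": [
        {"tile-type": "file-tile",
         "tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": launchpad_url, "_CFURLStringType": 15}}},
        {"tile-type": "file-tile",
         "tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                     "_CFURLStringType": 15}}},
    ]}
    return plistlib.dumps(dock)


if __name__ == "__main__":
    for label, path in suspicious_launchpad_tiles(sys.stdin.buffer.read()):
        print(f"suspicious Dock tile {label!r} -> {path}")
```

Run it against each user's Dock (the plist is per user) and treat any hit as a reason to pull the target bundle for analysis; a legitimate Launchpad tile never needs to live in a home directory. This covers only the persistence mechanism named in the report, so keep inspecting Xcode projects before building them, as Microsoft advises.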

Recommended read:
References :
  • Talkback Resources: Talkback.sh article summarizing Microsoft's discovery of an advanced XCSSET malware variant for macOS.
  • The Hacker News: The Hacker News article about Microsoft uncovering a new XCSSET macOS malware variant with advanced obfuscation tactics.
  • www.bleepingcomputer.com: Microsoft spots XCSSET macOS malware variant used for crypto theft
  • Help Net Security: The XCSSET info-stealing malware is back, targeting macOS users and devs
  • securityonline.info: XCSSET Malware Returns with Enhanced Capabilities to Target macOS Users
  • www.helpnetsecurity.com: The XCSSET info-stealing malware is back, targeting macOS users and devs
  • ciso2ciso.com: Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
  • The Register: XCSSET macOS malware returns with first new version since 2022. Microsoft puts Apple devs on high alert: there's a new variant of XCSSET on the prowl for Mac users, the first new iteration of the malware since 2022.
  • ciso2ciso.com: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics – Source:thehackernews.com
  • BleepingComputer: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
  • securityaffairs.com: New XCSSET macOS malware variant used in limited attacks

@cyberinsider.com - 15d
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.

The FinalDraft toolkit includes a loader, named PathLoader, a backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory, avoiding static analysis through API hashing and obfuscation. FinalDraft itself is a 64-bit malware written in C++ focused on data exfiltration and process injection, exploiting Outlook's mail drafts as a C2 channel. The malware creates session draft emails, reads and deletes command request drafts generated by the attackers, executes commands, and writes responses as draft emails.

Recommended read:
References :
  • cyberinsider.com: Elastic Security Labs has identified a new malware family named FinalDraft, which uses Microsoft’s Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional network monitoring.
  • Virus Bulletin: infosec.exchange post on finaldraft
  • The Hacker News: FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
  • BleepingComputer: A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
  • securityonline.info: SecurityOnline article detailing how FinalDraft malware uses Outlook drafts for covert communication.
  • www.bleepingcomputer.com: BleepingComputer news article on FinalDraft malware abusing Outlook email drafts for command-and-control.
  • securityonline.info: In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family.
  • Anonymous :af:: A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country.

Veronika Telychko@SOC Prime Blog - 12d
The RedCurl/EarthKapre APT group is actively engaged in corporate espionage, particularly targeting the legal sector. The group uses sophisticated techniques to infiltrate organizations, beginning with phishing emails disguised as Indeed-themed job applications. These emails contain malicious attachments designed to trick victims into downloading ZIP archives containing ISO image files that mimic CVs. Once the ISO image is mounted, the victim unknowingly executes a signed Adobe executable, which then sideloads the EarthKapre loader.

This loader, delivered via a legitimate Adobe executable, is the core of the attack. It establishes command and control through Cloudflare Workers. The malware uses encryption to protect its payloads and sets up a scheduled task to maintain persistence on the compromised system. The eSentire Threat Response Unit (TRU) identified this attack targeting law firms and legal services.

Recommended read:
References :
  • Information Security Buzz: eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader.
  • SOC Prime Blog: The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing.
  • Virus Bulletin: Infosec Exchange post summarizing eSentire's investigation into RedCurl/EarthKapre APT targeting legal services.
  • Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre...
  • Know Your Adversary: 046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
  • socprime.com: RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader
  • www.esentire.com: eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage.
  • securityonline.info: Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
  • Talkback Resources: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
  • securityaffairs.com: eSentire report on the RedCurl/EarthKapre APT's campaign targeting law firms, using a legitimate Adobe executable for the loader.

SC Staff@scmagazine.com - 10d
The FakeUpdate malware campaigns are becoming increasingly complex with the emergence of new cybercrime groups, TA2726 and TA2727, now involved in pushing a new macOS infostealer called FrigidStealer. This malware is being distributed through web inject campaigns, where users are tricked into downloading fake browser updates. Proofpoint researchers have identified FrigidStealer as a new threat targeting Mac users.

This campaign also uses Windows and Android payloads, suggesting a broad targeting strategy. The malicious JavaScript used to display the fake browser update messages is being adopted by an increasing number of threat actors, making tracking and analysis more challenging. Proofpoint identified two new cybercriminal threat actors, TA2726 and TA2727, operating components of web inject campaigns.

Recommended read:
References :
  • cyberinsider.com: New macOS Malware FrigidStealer Spreads via Fake Updates
  • www.scworld.com: Novel FrigidStealer macOS malware spread via bogus browser updates
  • Virus Bulletin: Proofpoint researchers identified FrigidStealer, a new MacOS malware delivered via web inject campaigns. They also found two new threat actors, TA2726 and TA2727, operating components of web inject campaigns.
  • www.bleepingcomputer.com: FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.
  • bsky.app: The FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.

Aman Mishra@gbhackers.com - 4d
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud. GitLab's security team discovered these extensions on the official Google Web Store, where they were used to insert ads and manipulate search engine results.

The malicious extensions operate by checking in with unique configuration servers, transmitting extension versions and hardcoded IDs, and storing configuration data locally. They also create alarms to refresh this data periodically and degrade browser security by stripping Content Security Policy (CSP) protections. Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store. However, users must manually uninstall these extensions as removal from the store does not trigger automatic uninstalls.

Recommended read:
References :
  • bsky.app: GitLab's security team has discovered a cluster of 16 malicious Chrome extensions on the official Google Web Store. The extensions were used to insert ads and manipulate search engine results. Over 3.2 million users downloaded the extensions
  • gbhackers.com: A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud.
  • Cyber Security News: Chrome Under Siege: 16 Malicious Extensions Infect Over 3.2 Million Users
  • thecyberexpress.com: Remove These Extensions Now! Hackers Hijack Google Chrome Add-ons for Fraud

@www.the420.in - 4d
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.

Recommended read:
References :
  • Cyber Security News: cyberpress.org on 35,000 Websites Compromised with Malicious Scripts Redirecting Users to Chinese Websites
  • gbhackers.com: Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
  • Talkback Resources: talkback.sh on Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam
  • Sucuri Blog: Sucuri article detailing WordPress spam

Field Effect@Blog - 9h
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown; however, researchers have observed that it's often executed with unassuming file names like "door," "egg," or "log."

Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools.

Recommended read:
References :
  • Blog: Linux Systems Threatened by New ‘Auto-Color’ Backdoor
  • Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
  • The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems

@securityonline.info - 10d
A new malware campaign is underway, distributing the Lumma Stealer information stealer via weaponized PDF documents. This campaign specifically targets educational institutions, exploiting compromised infrastructure to deliver malicious LNK files disguised as legitimate PDFs. These files, when executed, initiate a multi-stage infection process designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.

The attackers lure users into downloading these malicious files by disguising them as innocuous documents, such as school fee structures. Once executed, the LNK files trigger PowerShell commands that download and run obfuscated JavaScript code, ultimately deploying the Lumma Stealer payload. The malware employs advanced evasion techniques, including obfuscated JavaScript and encrypted payloads, to avoid detection.

This campaign highlights the urgent need for robust cybersecurity measures within educational institutions and other sectors. Lumma Stealer targets various industries beyond education, including finance, healthcare, technology, and media. The use of compromised educational infrastructure as a distribution channel underscores the vulnerabilities in organizational cybersecurity frameworks.

Recommended read:
References :
  • gbhackers.com: Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions
  • securityonline.info: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures
  • www.cloudsek.com: Lumma Stealer Chronicles: PDF-Themed Campaign Using Compromised Educational Institutions’ Infrastructure
  • Talkback Resources: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures [mal]
  • www.silentpush.com: Silent Push recently expanded our research on the “Lumma Stealer” infostealer malware.