CyberSecurity news

FlagThis - #malware

@unit42.paloaltonetworks.com //
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.

This campaign, observed in December 2024, begins with phishing emails disguised as order release requests, enticing recipients to open malicious archive attachments. These attachments contain JavaScript encoded (.JSE) files, which initiate the infection chain by downloading and executing a PowerShell script from an external server. The PowerShell script then decodes and executes a Base64-encoded payload.

The attack then diverges into two possible execution paths. One involves a .NET executable that decrypts an embedded payload, like Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other path uses an AutoIt compiled executable containing an encrypted payload that loads shellcode, ultimately injecting a .NET file into a "RegSvcs.exe" process, ultimately leading to Agent Tesla deployment. This dual-path approach highlights the attacker's focus on resilience and evasion, using simple, stacked stages to complicate analysis and detection.

Recommended read:
References :
  • Virus Bulletin: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis.
  • The Hacker News: Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
  • Anonymous ???????? :af:: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader.

@www.microsoft.com //
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.

The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST.

The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes.

Recommended read:
References :

Aman Mishra@gbhackers.com //
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.

The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload.

After the fake conversion process and CAPTCHA interaction, users are prompted to execute a PowerShell command. This command initiates a sophisticated redirection chain to obscure the malware delivery, ultimately leading to the distribution of the ArechClient2 infostealer. The malware is known for its ability to steal sensitive data, including browser credentials and cryptocurrency wallet information. Cybersecurity experts advise users to rely on verified tools from official websites, keep anti-malware software updated, and implement endpoint detection and response solutions to defend against these advanced threats.

Recommended read:
References :
  • hackread.com: CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…
  • securityonline.info: Beware Fake PDF Converters: A Social Engineering Threat
  • www.scworld.com: Infostealer deployed via bogus PDFCandy converter
  • Cyber Security News: CyberPress: Beware! Online PDF Converters Luring Users into Installing Password-Stealing Malware
  • hackread.com: CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer
  • cybersecuritynews.com: CybersecurityNews: Beware of Online PDF Converters That Tricks Users to Install Password Stealing Malware
  • cyberpress.org: Beware! Online PDF Converters Luring Users into Installing Password-Stealing Malware
  • gbhackers.com: Beware! Online PDF Converters Tricking Users into Installing Password-Stealing Malware

@unit42.paloaltonetworks.com //
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.

The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.

GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.

Recommended read:
References :
  • Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
  • unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
  • securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
  • The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
  • Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
  • Security Risk Advisors: Slow Pisces Targets Crypto Developers With “Coding Challenges†That Deliver New RN Loader and RN Stealer Malware
  • www.itpro.com: Hackers are duping developers with malware-laden coding challenges
  • cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
  • Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.

Pierluigi Paganini@securityaffairs.com //
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.

ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks.

Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms
  • The Hacker News: The Hacker News: ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading
  • BleepingComputer: BleepingComputer: New ResolverRAT malware targets pharma and healthcare orgs worldwide
  • ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
  • ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
  • bsky.app: A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors.
  • Anonymous ???????? :af:: ResolverRAT is hitting healthcare and pharma sectors hard — phishing, fear-bait, stealth attacks.
  • industrialcyber.co: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
  • Industrial Cyber: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
  • www.scworld.com: Novel ResolverRAT trojan launched in global attacks against healthcare, pharma
  • Tech Monitor: Researchers identify new ResolverRAT cyber threat affecting global healthcare organisations
  • Security Risk Advisors: 🚩 ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.morphisec.com: ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.csoonline.com: New ResolverRAT malware targets healthcare and pharma orgs worldwide
  • Virus Bulletin: Morphisec's Nadav Lorber analyses ResolverRAT, a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques.
  • securityonline.info: A new remote access trojan (RAT) has emerged, and it’s armed with advanced techniques to evade detection. Morphisec The post appeared first on .
  • Blog: New ResolverRAT sniffs around healthcare & pharmaceutical organizations

Pierluigi Paganini@Security Affairs //
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.

The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.

GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.

Recommended read:
References :
  • bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
  • cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
  • The Hacker News: Shuckworm targets Western military mission
  • Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
  • gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
  • securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
  • BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
  • securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
  • Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
  • www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
  • www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
  • securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
  • The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
  • www.scworld.com: Infected removable drives were used to spread the malware.
  • Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
  • ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
  • Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
  • Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
  • Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Sathwik Ram@seqrite.com //
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.

The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.

Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.

Recommended read:
References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.

SC Staff@scmagazine.com //
A new cyberespionage campaign, attributed to the hacking group UAC-0226, is actively targeting Ukrainian organizations. The campaign, ongoing since February 2025, focuses on stealing sensitive information from military formations, law enforcement agencies, and local government bodies, particularly those near the country's eastern border with Russia. The hackers are exploiting trust by impersonating Ukrainian state agencies and drone manufacturers in their attacks.

The UAC-0226 group employs spear-phishing tactics, using malicious Microsoft Excel files (.xlsm) as the primary attack vector. These files often reference sensitive topics such as landmine clearance, administrative fines, drone production, and compensation for destroyed property. When opened and macros are enabled, the files deploy malware, including a PowerShell script and a new stealer malware dubbed GIFTEDCROOK. GIFTEDCROOK is designed to steal browser data like cookies, browsing history, and saved passwords from Chrome, Edge, and Firefox, before exfiltrating it via Telegram.

CERT-UA (Computer Emergency Response Team of Ukraine) has issued warnings and recommendations to remain vigilant against these attacks. They advise system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity, especially phishing attempts originating from compromised accounts. CERT-UA has been tracking this activity since February, but has not yet attributed the campaign to any known hacker group.

Recommended read:
References :
  • The Hacker News: UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine
  • www.scworld.com: Ukraine subjected to new cyberespionage campaign
  • The Record: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
  • therecord.media: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
  • cyberpress.org: GIFTEDCROOK: New Stealer Malware Hits Government Agencies to Steal Sensitive Data

@gbhackers.com //
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.

The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password.

Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.

Recommended read:
References :
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: The Hacker News Article on Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: GBHackers article on Attackers Exploit SourceForge Platform to Distribute Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • www.bleepingcomputer.com: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: For many developers, SourceForge has long been a cornerstone of open-source collaboration — a trusted hub to host and distribute software. But for cybercriminals, it has recently become a platform to stage deception.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Cyber Security News: Cybersecurity News article on SourceForge malware distribution
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins

@blog.extensiontotal.com //
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.

The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion.

This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.

Recommended read:
References :
  • blog.extensiontotal.com: reports on a VSCode extension cryptojacking campaign.
  • Secure Bulletin: reports on the malicious VSCode extensions and a growing threat to developers
  • The DefendOps Diaries: Discusses safeguarding VSCode and addressing the threat of malicious extensions.
  • BleepingComputer: Details how malicious VSCode extensions infect Windows with cryptominers.
  • www.csoonline.com: CSOOnline reports the malicious tools.
  • securebulletin.com: Malicious VSCode extensions: a growing threat to developers
  • bsky.app: Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
  • www.scworld.com: Cryptojacking facilitated by nefarious VS Code extensions
  • aboutdfir.com: Malicious VSCode extensions infect Windows with cryptominersÂ
  • securityonline.info: Malicious VSCode Extensions Caught Mining Crypto with XMRig

Andrey Gunkin@Securelist //
The APT group ToddyCat has been discovered exploiting a vulnerability, CVE-2024-11859, in ESET's command-line scanner (ecls) to conceal their malicious activities. This sophisticated attack, uncovered during investigations into ToddyCat-related incidents in early 2024, involved using a malicious DLL library to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. Researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems, which was identified as a complex tool called TCESB, designed to stealthily execute payloads in circumvention of protection mechanisms.

This vulnerability stemmed from ESET's scanner's insecure loading of the system library, version.dll. The attackers leveraged a DLL-proxying technique, where the malicious DLL exports functions identical to a legitimate library, redirecting calls to the original while executing malicious code in the background. By exploiting this weakness, ToddyCat was able to mask their activities within a trusted process, making it difficult for traditional security measures to detect the threat. The vulnerability allowed the malicious DLL to be loaded instead of the legitimate one.

To further enhance their stealth, ToddyCat employed the Bring Your Own Vulnerable Driver (BYOVD) technique. They deployed the Dell driver DBUtilDrv2.sys, exploiting the CVE-2021-36276 vulnerability to achieve kernel-level access and tamper with kernel memory structures. This allowed them to disable system event notifications, such as process creation or dynamic library loading, making their activities even harder to detect. Recognizing the severity of the issue, ESET promptly patched the vulnerability (CVE-2024-11859) in January 2025.

Recommended read:
References :
  • cyberpress.org: ToddyCat Attackers Used ESET Command Line Scanner Vulnerability to Hide Their Tool
  • cybersecuritynews.com: ToddyCat, the notorious APT group, used a sophisticated attack strategy to stealthily deploy malicious code in targeted systems by exploiting a weakness in ESET’s command line scanner.  The vulnerability, now tracked as CVE-2024-11859, allowed attackers to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. In early 2024,
  • Securelist: While analyzing a malicious DLL library used in attacks by APT group ToddyCat, Kaspersky expert discovered the CVE 2024-11859 vulnerability in a component of ESET’s EPP solution.
  • gbhackers.com: In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET’s Command Line Scanner (ecls) to mask their malicious activities. The attack came to light when researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems. This file was identified as a tool called TCESB,
  • gbhackers.com: ToddyCat Attackers Exploited ESET Command Line Scanner Vulnerability to Conceal Their Tool
  • securityonline.info: CVE-2024-11859: ToddyCat Group Hides Malware in ESET’s Scanner to Bypass Security
  • ciso2ciso.com: How ToddyCat tried to hide behind AV software – Source: securelist.com
  • cyberinsider.com: Kaspersky details how ToddyCat APT exploits ESET antivirus flaw to bypass Windows security.
  • Cyber Security News: Detailed article on the ToddyCat group hiding malware in ESET's scanner to bypass security.
  • securityonline.info: Security Online covers CVE-2024-11859, detailing how ToddyCat hides malware in ESET's scanner to bypass security.
  • Cyber Security News: In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET's command-line scanner (CVE-2024-11859) to stealthily execute a malicious tool named TCESB.
  • CyberInsider: Security researchers have uncovered a sophisticated cyberespionage technique used by the ToddyCat APT group to execute malicious payloads undetected — by hijacking a vulnerability in a command-line scanner component of ESET's own antivirus suite.
  • www.csoonline.com: CSOOnline article about Chinese ToddyCat abuses ESET antivirus bug for malicious activities
  • securelist.com: How ToddyCat tried to hide behind AV software
  • ciso2ciso.com: How ToddyCat tried to hide behind AV software – Source: securelist.com
  • support.eset.com: Advisory from ESET
  • The Hacker News: The Hacker News article on New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner
  • ciso2ciso.com: New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner – Source:thehackernews.com
  • eSecurity Planet: ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack
  • securityaffairs.com: An APT group exploited ESET flaw to execute malware
  • www.esecurityplanet.com: ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack
  • www.cysecurity.news: ToddyCat Hackers Exploit ESET Vulnerability to Deploy Stealth Malware TCESB

Mandvi@Cyber Security News //
Netskope Threat Labs has uncovered a new evasive campaign that uses fake CAPTCHAs and CloudFlare Turnstile to deliver the LegionLoader malware. This sophisticated attack targets individuals searching for PDF documents online, tricking them into downloading malware that installs a malicious browser extension. This extension is designed to steal sensitive user data. The campaign has been active since February 2025 and has impacted over 140 customers.

The attack begins when victims are lured to malicious websites after searching for specific PDF documents. These sites present fake CAPTCHAs. Interacting with the fake CAPTCHA redirects the victim through a Cloudflare Turnstile page to a notification prompt. If the user enables browser notifications, they are directed to download what they believe is their intended document. However, this process executes a command that downloads a malicious MSI installer.

Upon execution, the MSI file installs a program named "Kilo Verfair Tools" which sideloads a malicious DLL, initiating the LegionLoader infection. The LegionLoader payload uses a custom algorithm to deobfuscate shellcode and then injects the payload into an "explorer.exe" process. This ultimately leads to the installation of a malicious browser extension, often masquerading as "Save to Google Drive". This extension steals sensitive information like clipboard data, cookies, and browsing history. The affected sectors include technology and business services, retail, and telecommunications.

Recommended read:
References :
  • Cyber Security News: LegionLoader Delivered Through Fake CAPTCHAs and Abused Cloudflare Turnstile by Threat Actors
  • cybersecuritynews.com: Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Virus Bulletin: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.
  • securityonline.info: New Evasive Campaign Uses Fake CAPTCHAs to Deliver LegionLoader
  • gbhackers.com: Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader
  • Threat Labs - Netskope: The Netskope Threat Labs team discovered a campaign abusing fake CAPTCHA & CloudFlare Turnstile to deliver LegionLoader.

CyberNewswire@hackread.com //
SpyCloud has released new research indicating a significant gap in the effectiveness of endpoint detection and response (EDR) and antivirus (AV) solutions. According to their analysis of recaptured darknet data, a staggering 66% of malware infections occur on devices that already have endpoint security solutions installed. This highlights the increasing ability of threat actors to bypass traditional security measures.

The report emphasizes that modern infostealer malware employs sophisticated tactics to evade detection, even by EDR solutions with advanced AI and telemetry analysis. These tactics include polymorphic malware, memory-only execution, and exploiting zero-day vulnerabilities or outdated software. Data from 2024 showed that nearly one in two corporate users were victims of malware infections, and in the prior year, malware was the cause of 61% of all breaches.

Damon Fleury, Chief Product Officer at SpyCloud, stated that the consequences of undetected malware infections can be "catastrophic." He emphasized the ongoing "arms race" where attackers constantly evolve their techniques to avoid detection. SpyCloud aims to provide a crucial line of defense by uncovering infostealer infections that slip past EDR and AV solutions, detecting when stolen data surfaces in the criminal underground, and automatically feeding this intelligence back to EDRs to facilitate quarantine and remediation.

Recommended read:
References :
  • Cyber Security News: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackread.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • The Last Watchdog: News alert: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • www.csoonline.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • securityboulevard.com: SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections
  • www.lastwatchdog.com: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • cybersecuritynews.com: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • securityboulevard.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackernoon.com: SpyCloud Research Reveals Endpoint Detection And Antivirus Solutions Miss 66% Of Malware Infections
  • securityaffairs.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections