CyberSecurity news

FlagThis - #malware

@securelist.com //
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source for extensions for AI development tools like Cursor, does not undergo the same stringent security checks as other marketplaces, creating a vulnerability that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.

The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers.

This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness.

Recommended read:
References :
  • Lukasz Olejnik: Malicious extension to AI software development assistant Cursor contained malware. It silently executed PowerShell scripts, installed remote access tools, and stole $500K in crypto from a blockchain dev. It ranked high in search due to algorithm tricks, fooling even experienced users. Always verify extensions, check author names, and use real security tools—AI-enhanced dev tools can be weaponized too.
  • Securelist: Code highlighting with Cursor AI for $500,000
  • securelist.com: Malicious extension to AI software development assistant Cursor contained malware. It silently executed PowerShell scripts, installed remote access tools, and stole $500K in crypto from a blockchain dev.
  • cyberinsider.com: Fake Visual Studio Code extension for Cursor led to $500K theft

@gbhackers.com //
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.

At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.

Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.

Recommended read:
References :
  • unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
  • Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.

@training.invokere.com //
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.

The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection.

Recommended read:
References :

Aman Mishra@gbhackers.com //
Hackers have successfully compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This sophisticated supply chain attack targets a significant portion of WordPress websites relying on Gravity Forms for form creation and data collection. The attackers are reportedly exploiting a vulnerability within the plugin, specifically targeting the gf_api_token parameter. This allows them to inject malicious PHP code into core plugin files, such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.

The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects.

In response to the discovered vulnerability, Gravity Forms has swiftly released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor. Additionally, the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation efforts. Website administrators are strongly advised to update their Gravity Forms plugin to the latest version immediately to mitigate the risk of compromise. Monitoring network traffic for suspicious activity, particularly POST requests to the identified malicious domain, is also a crucial step in preventing unauthorized access and code execution on affected WordPress sites.

Recommended read:
References :
  • cyberpress.org: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • Ian Campbell: Just a heads-up on this supply chain attack on the Gravity Forms wordpress plugin, one IOC is POST requests to gravityapi[.]org - a 3 day old domain. That domain shares an IP with gravityapi[.]io. cc
  • Talkback Resources: WordPress Gravity Forms developer hacked to push backdoored plugins
  • gbhackers.com: Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
  • Cyber Security News: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • securityonline.info: WordPress Supply Chain Attack: Gravity Forms Plugin Backdoored Through Official Downloads
  • gbhackers.com: Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.

sila.ozeren@picussecurity.com (Sıla@Resources-2 //
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.

The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results.

Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents.

Recommended read:
References :
  • Resources-2: Picus Security blog discussing Silver Fox APT targeting public sector via trojanized medical software.
  • securityonline.info: The post appeared first on .

info@thehackernews.com (The@The Hacker News //
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.

The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload.

The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign.

Recommended read:
References :
  • blog.checkpoint.com: Minecraft Players Targeted in Sophisticated Malware Campaign
  • Check Point Research: Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data
  • securityaffairs.com: Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers
  • securityonline.info: Stargazers Ghost Network: Minecraft Mods Used to Distribute Multi-Stage Stealers via GitHub
  • The Hacker News: 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
  • Security Risk Advisors: 🚩 Stargazers Ghost Network Distributes Java Malware Through Fake Minecraft Mods Targeting Gaming Community
  • Check Point Blog: Minecraft Players Targeted in Sophisticated Malware Campaign
  • www.scworld.com: Counterfeit Minecraft mods deliver malware
  • www.techradar.com: Minecraft players watch out - these fake mods are hiding password-stealing malware

@blog.talosintelligence.com //
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.

This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.

PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.

Recommended read:
References :
  • blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
  • Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
  • Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
  • hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
  • Virus Bulletin: This article reports on various APT groups and their activities, including the use of PylangGhost by Famous Chollima.

@www.trendmicro.com //
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.

Recommended read:
References :
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • The Hacker News: The Hacker News report about Water Curse employs 76 GitHub accounts to deliver Multi-Stage Malware Campaign.
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.

info@thehackernews.com (The@The Hacker News //
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.

VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.

The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat.

Recommended read:
References :
  • blogs.infoblox.com: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • The Hacker News: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • unit42.paloaltonetworks.com: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code
  • Infoblox Blog: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • ciso2ciso.com: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month – Source:thehackernews.com
  • Techzine Global: DNS analysis reveals links between VexTrio and WordPress hackers
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com

@research.checkpoint.com //
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.

CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection.

The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy.

Recommended read:
References :
  • blog.checkpoint.com: Attackers took advantage of a Discord feature that lets expired or deleted invite links be reused, allowing them to hijack trusted community links and redirect users to harmful servers.
  • cyberinsider.com: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • Virus Bulletin: Check Point Research uncovered an active malware campaign exploiting expired & released Discord invite links.
  • bsky.app: Hackers are hijacking  expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
  • research.checkpoint.com: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
  • The Hacker News: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
  • The DefendOps Diaries: Discord Flaw Exploitation: A Detailed Analysis of Reused Expired Invites in Malware Campaigns
  • CyberInsider: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • BleepingComputer: Discord flaw lets hackers reuse expired invites in malware campaign
  • Check Point Research: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Michael Kan@PCMag Middle East ai //
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.

This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data.

Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps.

Recommended read:
References :
  • gbhackers.com: Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users
  • PCMag Middle East ai: 'BrowserVenom' Windows Malware Preys on Users Looking to Run DeepSeek AI
  • bsky.app: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legit installer for DeepSeek Victims are unwittingly downloading the "BrowserVenom" malware designed to steal stored credentials, session cookies, etc and gain access to cryptocurrency wallets
  • The Register - Software: DeepSeek installer or just malware in disguise? Click around and find out
  • Malware ? Graham Cluley: Malware attack disguises itself as DeepSeek installer
  • Graham Cluley: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.
  • Securelist: Toxic trend: Another malware threat targets DeepSeek
  • www.pcmag.com: Antivirus provider Kaspersky traces the threat to malicious Google ads.
  • www.techradar.com: Fake DeepSeek website found serving dangerous malware instead of the popular app.
  • www.microsoft.com: Rewriting SymCrypt in Rust to modernize Microsoft’s cryptographic library
  • ASEC: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
  • cyble.com: Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases

info@thehackernews.com (The@The Hacker News //
References: Unit 42 , Virus Bulletin , www.scworld.com ...
A large-scale malware campaign, dubbed JSFireTruck, has infected over 269,000 legitimate websites by injecting malicious JavaScript code. Researchers at Palo Alto Networks Unit 42 discovered the campaign, noting the injected code utilizes JSF*ck, an obfuscation technique making detection difficult. This method leverages only six ASCII characters to create working JavaScript, obscuring the code's true purpose and hindering analysis. The obfuscated code primarily consists of the symbols [, ], +, $, {, and }, further complicating identification.

The injected JavaScript code checks the website referrer, and if a user arrives from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the code redirects them to malicious URLs. These URLs can lead to malware downloads, exploits, traffic monetization schemes, and malvertising. Unit 42's telemetry detected 269,552 web pages infected with JSFireTruck code between March 26 and April 25, 2025, highlighting the widespread impact and rapid proliferation of this campaign. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.

The campaign's scale and stealth pose a significant threat, indicating a coordinated effort to compromise legitimate websites and use them as attack vectors for further malicious activities. The use of JSF*ck further complicates analysis, requiring specialized tools for deobfuscation. Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:Advanced WildFire, Advanced URL Filtering and Advanced DNS Security.

Recommended read:
References :
  • Unit 42: JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code

@securityonline.info //
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.

The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry.

The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat.

Recommended read:
References :
  • securityonline.info: Kimsuky’s AppleSeed Returns: North Korea-Linked APT Targets Korean Users via Social Media
  • Virus Bulletin: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
  • www.genians.co.kr: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
  • securityonline.info: Kimsuky APT Group Abuses HWP and AnyDesk for Covert Remote Surveillance

info@thehackernews.com (The@The Hacker News //
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.

The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024.

A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts.

Recommended read:
References :
  • The Hacker News: Research focusing on the group's methods, including its use of legitimate software.
  • therecord.media: Report of the malicious campaign targeting Russian enterprises.