CyberSecurity news

FlagThis - #malware

sila.ozeren@picussecurity.com (Sıla@Resources-2 //
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.

The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results.

Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents.

Recommended read:
References :
  • Resources-2: Picus Security blog discussing Silver Fox APT targeting public sector via trojanized medical software.
  • securityonline.info: The post appeared first on .

info@thehackernews.com (The@The Hacker News //
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.

The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload.

The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign.

Recommended read:
References :
  • blog.checkpoint.com: Minecraft Players Targeted in Sophisticated Malware Campaign
  • Check Point Research: Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data
  • securityaffairs.com: Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers
  • securityonline.info: Stargazers Ghost Network: Minecraft Mods Used to Distribute Multi-Stage Stealers via GitHub
  • The Hacker News: 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
  • Security Risk Advisors: 🚩 Stargazers Ghost Network Distributes Java Malware Through Fake Minecraft Mods Targeting Gaming Community
  • Check Point Blog: Minecraft Players Targeted in Sophisticated Malware Campaign
  • www.scworld.com: Counterfeit Minecraft mods deliver malware
  • www.techradar.com: Minecraft players watch out - these fake mods are hiding password-stealing malware

@blog.talosintelligence.com //
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.

This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.

PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.

Recommended read:
References :
  • blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
  • Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
  • Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
  • hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
  • Virus Bulletin: This article reports on various APT groups and their activities, including the use of PylangGhost by Famous Chollima.

@www.trendmicro.com //
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.

Recommended read:
References :
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • The Hacker News: The Hacker News report about Water Curse employs 76 GitHub accounts to deliver Multi-Stage Malware Campaign.
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.

info@thehackernews.com (The@The Hacker News //
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.

VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.

The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat.

Recommended read:
References :
  • blogs.infoblox.com: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • The Hacker News: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • unit42.paloaltonetworks.com: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code
  • Infoblox Blog: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
  • ciso2ciso.com: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month – Source:thehackernews.com
  • Techzine Global: DNS analysis reveals links between VexTrio and WordPress hackers
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com
  • ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com

@research.checkpoint.com //
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.

CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection.

The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy.

Recommended read:
References :
  • blog.checkpoint.com: Attackers took advantage of a Discord feature that lets expired or deleted invite links be reused, allowing them to hijack trusted community links and redirect users to harmful servers.
  • cyberinsider.com: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • Virus Bulletin: Check Point Research uncovered an active malware campaign exploiting expired & released Discord invite links.
  • bsky.app: Hackers are hijacking  expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
  • research.checkpoint.com: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
  • The Hacker News: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
  • The DefendOps Diaries: Discord Flaw Exploitation: A Detailed Analysis of Reused Expired Invites in Malware Campaigns
  • CyberInsider: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • BleepingComputer: Discord flaw lets hackers reuse expired invites in malware campaign
  • Check Point Research: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Michael Kan@PCMag Middle East ai //
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.

This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data.

Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps.

Recommended read:
References :
  • gbhackers.com: Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users
  • PCMag Middle East ai: 'BrowserVenom' Windows Malware Preys on Users Looking to Run DeepSeek AI
  • bsky.app: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legit installer for DeepSeek Victims are unwittingly downloading the "BrowserVenom" malware designed to steal stored credentials, session cookies, etc and gain access to cryptocurrency wallets
  • The Register - Software: DeepSeek installer or just malware in disguise? Click around and find out
  • Malware ? Graham Cluley: Malware attack disguises itself as DeepSeek installer
  • Graham Cluley: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.
  • Securelist: Toxic trend: Another malware threat targets DeepSeek
  • www.pcmag.com: Antivirus provider Kaspersky traces the threat to malicious Google ads.
  • www.techradar.com: Fake DeepSeek website found serving dangerous malware instead of the popular app.
  • www.microsoft.com: Rewriting SymCrypt in Rust to modernize Microsoft’s cryptographic library
  • ASEC: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
  • cyble.com: Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases

info@thehackernews.com (The@The Hacker News //
References: Unit 42 , Virus Bulletin , www.scworld.com ...
A large-scale malware campaign, dubbed JSFireTruck, has infected over 269,000 legitimate websites by injecting malicious JavaScript code. Researchers at Palo Alto Networks Unit 42 discovered the campaign, noting the injected code utilizes JSF*ck, an obfuscation technique making detection difficult. This method leverages only six ASCII characters to create working JavaScript, obscuring the code's true purpose and hindering analysis. The obfuscated code primarily consists of the symbols [, ], +, $, {, and }, further complicating identification.

The injected JavaScript code checks the website referrer, and if a user arrives from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the code redirects them to malicious URLs. These URLs can lead to malware downloads, exploits, traffic monetization schemes, and malvertising. Unit 42's telemetry detected 269,552 web pages infected with JSFireTruck code between March 26 and April 25, 2025, highlighting the widespread impact and rapid proliferation of this campaign. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.

The campaign's scale and stealth pose a significant threat, indicating a coordinated effort to compromise legitimate websites and use them as attack vectors for further malicious activities. The use of JSF*ck further complicates analysis, requiring specialized tools for deobfuscation. Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:Advanced WildFire, Advanced URL Filtering and Advanced DNS Security.

Recommended read:
References :
  • Unit 42: JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code

@securityonline.info //
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.

The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry.

The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat.

Recommended read:
References :
  • securityonline.info: Kimsuky’s AppleSeed Returns: North Korea-Linked APT Targets Korean Users via Social Media
  • Virus Bulletin: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
  • www.genians.co.kr: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
  • securityonline.info: Kimsuky APT Group Abuses HWP and AnyDesk for Covert Remote Surveillance

info@thehackernews.com (The@The Hacker News //
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.

The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024.

A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts.

Recommended read:
References :
  • The Hacker News: Research focusing on the group's methods, including its use of legitimate software.
  • therecord.media: Report of the malicious campaign targeting Russian enterprises.

Jacob Finn@Cisco Talos Blog //
References: Cisco Talos Blog , Cisco Talos , bsky.app ...
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.

The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which in turn, dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment.

Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms.

Recommended read:
References :
  • Cisco Talos Blog: Newly identified wiper malware “PathWiper†targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • cyberpress.org: New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors targets Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor.
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article about a new New PathWiper Malware Strikes Ukraine’s Critical Infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source:hackread.com

drewt@secureworldexpo.com (Drew@SecureWorld News //
A surge in malicious packages targeting crypto wallets, Telegram tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, highlighting the persistent vulnerability of the open-source software supply chain. Threat actors are actively exploiting human trust by publishing clones of legitimate software packages. Once installed, these malicious clones execute harmful payloads, ranging from cryptocurrency theft to complete codebase deletion. Researchers have uncovered instances where Telegram API traffic is rerouted to attacker-controlled command-and-control servers, exfiltrating sensitive data like bot tokens, chat IDs, message content, and attached files.

This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered, utilizing deceptive websites spoofing Gitcodes and Docusign, to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system.

Sophos researchers also exposed a large-scale GitHub campaign where backdoored malware was disguised as legitimate tools. This campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns use various methods of deception, including automated commits to give the impression of active development and obfuscation of payloads to avoid detection, showing the lengths these actors will go to to exploit the software supply chain.

Recommended read:
References :
  • SecureWorld News: Malicious Open-Source Packages Target Crypto Wallets, Telegram Tokens, and Codebases
  • The Hacker News: Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack

@securebulletin.com //
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.

This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence.

Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks.

Recommended read:
References :
  • ciso2ciso.com: News and insights for CISOs from CISO2CISO.
  • cyberpress.org: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux, according to CyberPress.
  • hackread.com: Hackread reports on Backdoors in Python and NPM Packages Target Windows and Linux.
  • securityonline.info: Stealthy npm supply chain attack using typosquatting leads to remote code execution and data destruction.
  • Cyber Security News: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux
  • The Hacker News: Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware

securebulletin.com@Secure Bulletin //
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.

The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness.

Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.

Recommended read:
References :
  • Secure Bulletin: Sophos exposes massive GitHub campaign distributing backdoored malware
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
  • Sophos X-Ops: We’ve previously looked into the niche world of threat actors targeting each other, so we investigated further, and found 133 backdoored repos, most linked to the same threat actor via an email address. Some repos claimed to be malware, others gaming cheats. The threat actor appears to have gone to some lengths to make their backdoored repos seem legitimate – including multiple accounts and contributors, and automated commits.
  • Sophos X-Ops: To avoid falling victim to these kinds of attacks, be wary of downloading/running code from unverified/untrusted repos, and where possible inspect code for anything unusual.
  • Sophos X-Ops: When we analyzed the backdoors, we ended up down a rabbithole of multiple variants, obfuscation, convoluted infection chains, and identifiers. The upshot is that a threat actor seems to be creating backdoored repos at scale, and may have been doing so for some time.
  • The Register - Security: More than a hundred backdoored malware repos traced to single GitHub user. Someone went to great lengths to prey on the next generation of cybercrooks
  • Sophos News: A simple customer query leads to a rabbit hole of backdoored malware and game cheats
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User

@hivepro.com //
A new malware campaign is actively exploiting the PuTTY SSH client and the built-in OpenSSH in Windows systems to establish backdoors on compromised machines. This sophisticated attack leverages the popularity and trust associated with these legitimate tools, transforming them into weapons for malicious purposes. Categorized as a "Living Off the Land Binary" (LOLBIN) tactic, this approach allows attackers to evade detection by traditional security software, maintaining unauthorized remote access and control over infected systems. This can lead to data theft, system compromise, and further malware propagation within the network.

The attack campaign, tracked by HivePro, involves the deployment of trojanized versions of PuTTY, a widely used free SSH client, and the abuse of the OpenSSH client integrated into Windows 10 since version 1803. Attackers are using a multi-stage approach, including registry manipulation and the creation of malicious SSH configuration files, to establish persistent communication with their command-and-control infrastructure. A recent malware sample, disguised as "dllhost.exe," exemplifies this strategy, attempting to start the "SSHService" and, if unsuccessful, manipulating registry keys to store randomly chosen ports for future connections.

Security experts emphasize the importance of vigilance and caution among system administrators. It is crucial to ensure the use of genuine versions of PuTTY and to monitor SSH traffic for any suspicious activity. The integration of OpenSSH into Windows, while beneficial for system administrators, has inadvertently expanded the attack surface, providing malicious actors with new opportunities to abuse legitimate functionality. By understanding the tactics and techniques employed in this campaign, organizations can better protect themselves against this evolving threat.

Recommended read:
References :
  • hivepro.com: HivePro Threat Advisory on UNC4034 Backdoor
  • www.redhotcyber.com: Quando gli hacker entrano dalla porta di servizio! PuTTY e SSH abusati per accedere alle reti
  • cyberpress.org: Hackers Exploit Free SSH Client PuTTY to Deploy Malware on Windows Systems
  • gbhackers.com: Hackers Weaponize Free SSH Client PuTTY to Deliver Malware on Windows

@blog.checkpoint.com //
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.

Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals.

In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats.

Recommended read:
References :
  • www.microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  • Catalin Cimpanu: Mastodon: The developers of the Lumma Stealer malware are making significant efforts to restore servers and return online.

@securityonline.info //
A new Rust-based infostealer, EDDIESTEALER, is being spread using the ClickFix social engineering technique, according to a report by Elastic Security Labs on May 30, 2025. This method leverages fake CAPTCHA prompts on compromised websites. Users are tricked into copying and pasting a PowerShell command into their Windows terminal, believing they are verifying they aren't a robot. This command then downloads and executes a malicious JavaScript file, gverify.js, which in turn retrieves the final EDDIESTEALER payload.

The EDDIESTEALER malware is designed to steal sensitive information from infected hosts. Written in Rust, it avoids static analysis through various obfuscation techniques, including XOR string encryption and stripping of function symbols. The malware dynamically retrieves a task list from the attacker's command-and-control (C2) server, enabling it to adapt its behavior over time. Elastic Security Labs has observed it targeting a range of cryptocurrency wallets, web browsers, password managers, FTP clients, and the Telegram messaging app.

EDDIESTEALER also employs several evasion techniques, including a basic anti-sandbox check, a self-deletion mechanism, and a custom Windows API lookup method to avoid static analysis of its API interactions. The dynamic C2 tasking method allows attackers to update the list of targeted apps as needed, providing greater flexibility and adaptability. Security experts emphasize the continued popularity of the ClickFix social engineering method and the increasing use of the Rust programming language among malware developers in campaigns like this.

Recommended read:
References :
  • Anonymous ???????? :af:: “Prove you're not a robot” — turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows , ,
  • securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
  • The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
  • www.scworld.com: ClickFix used to spread novel Rust-based infostealer