CyberSecurity news
FlagThis - #malware
|
Pierluigi Paganini@Security Affairs
//
Cybercriminals are using a fake Bitdefender website to distribute the Venom RAT (Remote Access Trojan) and other malicious programs, tricking users into downloading what they believe is legitimate antivirus software. The spoofed domain, bitdefender-download[.]com, closely mimics the official Bitdefender site, making it difficult for unsuspecting users to distinguish between the real and fake versions. This campaign highlights the importance of verifying the legitimacy of software download sources to avoid becoming a victim of malware.
Researchers have found that clicking on the "Download for Windows" button on the fraudulent site initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The downloaded ZIP archive, named "BitDefender.zip," contains an executable ("StoreInstaller.exe") which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer. These tools work in concert to compromise user systems. The Venom RAT allows attackers to harvest data and maintain persistent remote access to compromised systems. Additionally, the StormKitty malware steals passwords, including those for cryptocurrency wallets, while SilentTrinity ensures the attacker can remain hidden and maintain long-term control. DomainTools suspects the fake Bitdefender site was likely used in phishing attacks, given its overlap with internet infrastructure hosting other fake sites impersonating banks and IT services, further emphasizing the malicious intent behind this cloned website. Recommended read:
References :
djohnson@CyberScoop
//
Mandiant, in collaboration with Google Cloud, has uncovered a cybercriminal campaign exploiting public interest in AI video generation. A group tracked as UNC6032, believed to be based in Vietnam, is spreading malware through fake advertisements, websites, and social media posts that promise access to popular prompt-to-video AI tools like Luma AI, Canva Dream Lab, and Kling AI. These malicious campaigns are designed to trick users into downloading infostealers and backdoors, compromising their devices and data.
UNC6032 has successfully reached millions of users across various social media platforms, including Facebook and LinkedIn, with thousands of malicious ads. These advertisements lure victims to phishing pages disguised as legitimate AI video generators. When users click on the "Start Free Now" button, they are led through a bogus video generation interface. After watching a fake loading bar, the site delivers a ZIP file containing malware. Once executed, this malware backdoors the victim's device and steals sensitive information. Compromised users have experienced the theft of login credentials, cookies, credit card data, and even Facebook information. Mandiant's research indicates that this scheme impacts a wide range of industries and geographic areas. Researchers caution users to be wary of advertisements promising free access to premium software and to verify the legitimacy of video sources before running any PowerShell scripts or downloading files from unknown URLs. Recommended read:
References :
Puja Srivastava@Sucuri Blog
//
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.
The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views. Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run program via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey. Additionally, users should exercise caution when encountering unsolicited technical instructions, verify the legitimacy of video sources, and avoid running PowerShell commands from untrusted sources. Monitoring for keywords like "not a robot," "captcha," "secure code," and "human" in process creation events can also help identify potential attacks. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A concerning trend has emerged on TikTok where cybercriminals are exploiting the platform's widespread reach through AI-generated videos to distribute malware. These deceptive videos lure users into executing malicious PowerShell commands under the guise of providing instructions for software activation or unlocking premium features for applications like Windows, Microsoft Office, Spotify, and CapCut. Trend Micro researchers discovered that these videos, often featuring AI-generated voices and visuals, instruct viewers to run specific commands that ultimately download and install information-stealing malware such as Vidar and StealC.
One notable example highlighted by researchers involves a TikTok video claiming to offer instant Spotify enhancements, which amassed nearly half a million views along with a significant number of likes and comments. However, instead of delivering the promised benefits, the command provided in the video downloads a remote script that installs Vidar or StealC malware, executing it as a hidden process with elevated system privileges. These infostealers are designed to harvest sensitive information, including credentials, browser sessions, and cryptocurrency wallets, posing a substantial risk to unsuspecting users who fall victim to this social-engineering attack. Security experts warn that these attacks are leveraging the "ClickFix" technique and using AI to generate convincing "how-to" videos. By exploiting the trust users place in video tutorials and the desire for free software or features, cybercriminals are effectively tricking individuals into infecting their own systems. Once active, the malware connects to command-and-control (C&C) servers to exfiltrate stolen data. Vidar employs stealthy tactics, utilizing platforms like Steam and Telegram as Dead Drop Resolvers to hide C&C details, while StealC uses direct IP connections. Users are urged to exercise caution and verify the legitimacy of instructions before running any commands provided in online videos. Recommended read:
References :
@cyberinsider.com
//
Cybersecurity researchers have uncovered a sophisticated malware campaign distributing the Winos 4.0 framework through trojanized installers of popular applications such as LetsVPN and QQBrowser. The campaign, active since February 2025, primarily targets Chinese-speaking environments and showcases careful, long-term planning by a capable threat actor. The attackers use fake software installers to trick users into installing the malware, which grants remote access to compromised systems.
The Winos 4.0 malware is delivered using a multi-layered infection chain called the Catena loader. This loader employs multi-stage reflective loaders and in-memory payload delivery techniques to evade traditional antivirus tools. The infection process begins with seemingly legitimate NSIS installers bundled with signed decoy applications and malicious components like shellcode embedded in ".ini" files and reflective DLLs. This modular approach allows the attackers to adapt quickly to detection pressures, as observed in the evolution of tactics from February to April 2025. Once installed, Winos 4.0 connects to attacker-controlled servers, predominantly hosted in Hong Kong, to receive follow-up instructions or additional malware. The malware framework, built atop the foundations of Gh0st RAT, is written in C++ and utilizes a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks. This campaign highlights the ongoing risk posed by trojanized software and emphasizes the importance of verifying software sources to prevent malware infections. Recommended read:
References :
@securityonline.info
//
References:
securityonline.info
, cyberpress.org
,
A new and stealthy formjacking malware has been discovered targeting WooCommerce, the popular e-commerce plugin for WordPress. The malware discreetly steals customer payment data from legitimate checkout processes, posing a significant threat to online businesses. Unlike traditional skimmers that simply overlay payment forms, this malware integrates seamlessly into the checkout process, exfiltrating sensitive customer data without raising immediate suspicion.
This sophisticated malware injects a fake payment form into legitimate checkout pages, meticulously mimicking the design and functionality of the actual site. It captures card numbers, expiration dates, CVVs, and personal information like names and addresses. To evade detection, the malware uses the browser's localStorage to silently collect and store cardholder data, ensuring persistence and anti-forensic capabilities. The data theft is triggered when the "Place Order" button is pressed, using the navigator.sendBeacon() method to transmit data asynchronously and silently to a remote Command & Control (C2) server. The infection vector is believed to be through compromised WordPress admin accounts. Attackers inject malicious JavaScript code via plugins like Simple Custom CSS and JS, exploiting their capabilities to insert code dynamically. This allows the malware to monitor user input on checkout fields continuously, capturing data even if the purchase isn't completed. Cybersecurity experts recommend implementing robust security measures, including regular security audits, up-to-date software, and careful monitoring of third-party dependencies, to protect against such attacks. Recommended read:
References :
Waqas@hackread.com
//
A massive data breach has exposed over 184 million passwords and login credentials from various online platforms, including major players like Google, Microsoft, Facebook, and Apple. The unprotected database, containing 184,162,718 records, was discovered by security researcher Jeremiah Fowler. The exposed data includes logins for accounts connected to multiple governments, highlighting the severity of the potential impact.
The exposed Elastic database, which was over 47 GB in size, contained a plain text file with millions of sensitive pieces of data, lacking encryption, password protection, or any security measures. Fowler noted the unusual nature of the discovery, as the database didn't offer any clues about its owner or the source of the collected data. The unsecured nature of the database highlights the risks associated with recklessly compiling sensitive information in a single, vulnerable repository. The incident underscores the importance of robust data security practices and the potential consequences of misconfigured or unsecured databases. The exposure of millions of plaintext passwords and login credentials raises significant concerns about potential misuse and unauthorized access to personal accounts. The discovery serves as a stark reminder of the need for organizations to prioritize data protection and implement strong security measures to safeguard sensitive user information. Recommended read:
References :
@cyberscoop.com
//
A federal grand jury indictment unsealed today has charged 16 defendants who allegedly developed and deployed the DanaBot malware, a scheme that infected over 300,000 computers globally. The malware, controlled and deployed by a Russia-based cybercrime organization, facilitated fraud and ransomware attacks, causing at least $50 million in damage. Aleksandr Stepanov, 39, also known as “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, also known as “Onix”, both of Novosibirsk, Russia are amongst those charged.
The DanaBot malware was distributed through spam email messages containing malicious attachments or hyperlinks. Once a computer was infected, it became part of a botnet, allowing operators to remotely control the compromised machines. The malware operated on a malware-as-a-service model, offering access to the botnet and support tools to clients for a fee. DanaBot had extensive capabilities, including stealing data, hijacking banking sessions, recording keystrokes, and providing full remote access to victim computers. In addition to the criminal charges related to DanaBot, the U.S. Department of Justice announced the seizure of internet domains tied to the LummaC2 information-stealing malware operation, which has been actively targeting U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of these campaigns, which involve the deployment of the LummaC2 infostealer to breach networks and siphon off sensitive data. Microsoft independently took down 2,300 internet domains also used by the LummaC2 actors. Recommended read:
References :
@securityonline.info
//
SK Telecom, South Korea's largest mobile network operator, revealed a significant data breach in April 2025 that exposed the USIM data of 27 million subscribers. The company first detected malware on its networks on April 19, 2025, and responded by isolating the compromised servers. Investigations have since revealed the breach began as far back as June 15, 2022, with attackers deploying a web shell on one of SK Telecom's servers. This initial compromise provided a foothold in the network allowing them to execute commands and deploy additional malware payloads across multiple servers.
The attackers were able to steal a wide array of sensitive information, including users’ IMSI numbers, USIM authentication keys, network usage data, text messages, and contacts stored on SIM cards. A joint investigative committee comprising the South Korean government and SK Telecom discovered 25 separate backdoor programs on the company’s servers. Due to the undetected nature of the breach for nearly three years, the intruders were able to implant backdoors tailored to different malicious functions. SK Telecom only began logging server activity on December 31, 2024, creating a data void between June 15, 2022, and December 31, 2024, making it difficult to ascertain what data was exfiltrated or what malicious operations were executed during that time. The breach has affected an estimated 26.95 million SK Telecom users, prompting the company to take immediate action. SK Telecom has suspended the onboarding of new customers and announced it will begin notifying all affected individuals to replace their SIM cards and adopt enhanced security measures. To mitigate the risks associated with SIM-swapping attacks, SK Telecom announced it would issue replacement SIM cards to all affected customers, while also implementing stricter safeguards to prevent unauthorized number transfers. The company also confirmed that USIM records for its entire subscriber base of 29 million people were exposed. Recommended read:
References :
@research.checkpoint.com
//
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.
Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse. This comes in the form of a ZIP archive containing a deceptively named .exe file, designed to appear as a .jpg or .mp4 file through filename masquerading using Hangul Filler characters. When executed, this file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader is followed by a second-stage payload, which is the PureHVNC remote access trojan (RAT). The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools. Recommended read:
References :
Aminu Abdullahi@eSecurity Planet
//
Cybersecurity researchers are raising alarms about a new, sophisticated cryptojacking campaign called RedisRaider, which targets publicly accessible Redis servers running on Linux. Discovered by Datadog Security Labs, RedisRaider employs an aggressive and technically complex attack chain to deploy Monero miners on compromised systems. The malware uses a custom-built scanner to identify vulnerable Redis servers across the internet, exploiting weak configurations to execute malicious cron jobs that download and run the primary payload.
The attackers behind RedisRaider have implemented advanced techniques to evade detection and analysis. The malware is written in Go and heavily obfuscated using a tool called Garble, hiding key functions within the code. Additionally, RedisRaider employs anti-forensic measures such as short key time-to-live (TTL) settings to erase traces, writing temporary files to cron directories to blend with system processes, and deleting keys and logs after execution to cover its tracks. These tactics make it challenging for security professionals to detect and analyze the malicious activity. Datadog's investigation uncovered that the same infrastructure used for the server-level attacks also hosted a web-based Monero miner, indicating a multi-pronged revenue generation strategy. The attackers generate income not only from hijacked Linux servers but also from unsuspecting website visitors. Experts emphasize the need for proper configuration and security measures for publicly accessible Redis servers, including strong authentication and access controls, to prevent RedisRaider and similar cryptojacking campaigns from compromising systems and stealing resources. Recommended read:
References :
@gbhackers.com
//
References:
cyberpress.org
, isc.sans.edu
,
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.
The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active. The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which transforms ASCII values into a readable format only after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes to potentially avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process. Recommended read:
References :
Mandvi@Cyber Security News
//
Skitnet, also known as Bossnet, is a multi-stage malware that has emerged as a favored tool for ransomware gangs, offering stealth and versatility in cybercrime. First advertised on underground forums like RAMP in April 2024, it has quickly gained traction among notorious groups such as BlackBasta. These groups have leveraged Skitnet's capabilities in phishing attacks targeting enterprise platforms like Microsoft Teams. The malware is attributed to threat actor LARVA-306.
Skitnet employs advanced techniques for stealthy payload delivery and persistent system compromise. Its initial executable, written in Rust, decrypts an embedded payload compiled in Nim. The Nim binary then establishes a reverse shell connection with the command-and-control (C2) server via DNS resolution, evading detection by dynamically resolving API function addresses. This method avoids traditional import tables, enhancing its stealth capabilities. The malware initiates the session with randomized DNS queries, creating a robust and stealthy communication channel. To maintain persistence, Skitnet utilizes sophisticated mechanisms such as DLL hijacking. It leverages a legitimate, signed executable from Asus (ISP.exe) placed alongside a malicious library (SnxHidLib.DLL). This malicious DLL triggers the execution of a PowerShell script (pas.ps1), which operates in an infinite loop to relay the device’s C drive serial number to the C2 server, continuously awaiting commands. Skitnet also features commands for data exfiltration and can even download a .NET loader binary for serving additional payloads, showcasing its versatility as a post-exploitation tool. Recommended read:
References :
|