Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

AryStinger Malware Botnet Hijacks Over 4,000 Outdated Routers for Cyberattacks

  AryStinger, a fresh malware botnet, has breached over four thousand aging routers across the globe. Devices caught in its grip now serve a...

All the recent news you need to know
Microsoft
Credential Theft CryptoBandits cryptocurrency malware Microsoft

CryptoBandits Malware Combines Crypto Theft and Backdoor Access

 



Microsoft has disclosed details of a newly identified Windows malware campaign that combines cryptocurrency theft, covert command-and-control communications, and remote access capabilities, creating a threat that extends well beyond traditional crypto-stealing malware.

Tracked as CryptoBandits, the malware has been active since at least February 2026 and is designed to compromise Windows systems through malicious shortcut (LNK) files. While its primary objective is to steal cryptocurrency-related information, Microsoft researchers found that the malware also functions as a lightweight backdoor, allowing attackers to maintain ongoing access to infected devices and issue remote commands.

According to Microsoft's analysis, the threat relies heavily on built-in Windows scripting technologies, including Windows Script Host and ActiveX components, to execute malicious actions while avoiding more obvious indicators typically associated with conventional malware families. Once executed, CryptoBandits deploys a portable version of the Tor anonymity network and establishes communications with attacker-controlled hidden services through a local SOCKS5 proxy, concealing the infrastructure used to manage infected systems.

Researchers observed the malware being distributed through malicious shortcut files that masquerade as legitimate content. After compromising a system, CryptoBandits deploys two distinct modules: a worm component responsible for spreading the infection and a cryptocurrency clipper designed to monitor and manipulate wallet-related data.

The propagation mechanism enables the malware to scan connected USB storage devices and generate additional malicious shortcut files that imitate legitimate documents. By replacing or disguising genuine files with weaponized shortcuts, attackers increase the likelihood that the malware will spread when removable media is shared between systems. Microsoft also noted that the malware can deploy additional payloads while excluding them from Microsoft Defender scanning, helping attackers reduce the likelihood of detection.

One of the most dangerous aspects of CryptoBandits is its clipboard-monitoring functionality. Cryptocurrency clippers are designed to watch for wallet addresses copied by victims during transactions. When a targeted wallet address is detected, the malware silently replaces it with an attacker-controlled address before the victim pastes the information into a cryptocurrency application or exchange platform. Because cryptocurrency addresses are often long and difficult to verify manually, victims may unknowingly transfer digital assets directly to criminal-controlled wallets.

Beyond address substitution, Microsoft found that the malware can harvest cryptocurrency seed phrases and private keys, information that can provide direct access to digital wallets. The malware also captures screenshots and transmits collected information to attacker-controlled infrastructure through Tor-based communications channels.

The malware establishes persistence through scheduled tasks and incorporates anti-analysis checks intended to identify whether system monitoring tools are active. Researchers observed the clipper verifying whether Windows Task Manager was running before continuing execution, a technique commonly used by malware operators attempting to evade investigation and detection.

After installation, CryptoBandits launches a renamed Tor executable and registers the infected device with its command-and-control infrastructure. The malware then continuously polls its operators for instructions at intervals of roughly 500 milliseconds, enabling rapid execution of attacker-issued commands. This capability transforms the malware from a simple financial stealer into a remotely managed backdoor capable of supporting additional malicious activity.

Microsoft's investigation also revealed extensive use of runtime obfuscation. Core malware components remain encrypted until execution, while both the Python-based installation routines and JavaScript payloads are intentionally obscured to complicate reverse engineering efforts. Such techniques make static analysis significantly more difficult and can delay detection by traditional signature-based security tools.

At the center of the operation is the malware's bundled Tor client. Rather than relying on exposed internet-facing servers, CryptoBandits routes traffic through localhost: 9050 using a SOCKS5 proxy and communicates with hidden-service infrastructure hosted within the Tor network. By concealing command-and-control traffic behind anonymized routing, attackers reduce network visibility and make infrastructure disruption efforts considerably more challenging.

The campaign gives us a foray into the new trend of financially motivated cybercrimes, where lightweight malware increasingly combines credential theft, cryptocurrency targeting, covert communications, and remote-access functionality within a single package. Security researchers have repeatedly observed threat actors moving away from easily identifiable command-and-control servers in favor of anonymized infrastructure that blends malicious traffic with legitimate network activity.

To mitigate the threat, Microsoft recommends restricting unnecessary use of scripting engines such as Windows Script Host, monitoring systems for unauthorized local SOCKS proxy activity, reviewing unusual clipboard access patterns, and implementing behavioral detection mechanisms capable of correlating script execution, network communications, process activity, and data exfiltration attempts. Additional safeguards include disabling autorun functionality for removable media, restricting execution of shortcut files from USB devices, and closely monitoring Tor-related network traffic originating from enterprise endpoints.

Read more »
WordPress security flaw
CVE-2026-4020 Gravity SMTP exploit Gravity SMTP vulnerability Vulnerabilities and Exploits WordPress security flaw

Gravity SMTP Vulnerability Under Active Exploitation, Over 17 Million Attack Attempts Detected

 


Cybersecurity researchers are warning WordPress administrators about ongoing attacks targeting a recently fixed security flaw in the Gravity SMTP plugin, which is currently installed on nearly 100,000 websites.

The vulnerability, identified as CVE-2026-4020 and assigned a CVSS score of 5.3, is classified as a medium-severity information disclosure issue. The flaw enables unauthenticated attackers to access sensitive information, including configuration settings, API credentials, secrets, and OAuth tokens associated with the plugin’s email service integrations.

"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said.

"When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report."

By exploiting the weakness, attackers can gain access to a broad range of system details, including:

* PHP version
* Loaded extensions
* Web server version
* Document root path
* Database server type and version
* WordPress version
* Active plugins and their versions
* Active theme information
* WordPress configuration settings
* Database table names
* API keys and tokens configured for services such as Amazon SES, Google, Mailjet, Resend, and Zoho

Security experts note that the exposed information can be leveraged to obtain credentials that may allow malicious actors to send emails using the affected website’s connected services. Additionally, the extensive system information could help attackers identify further weaknesses and launch follow-up attacks.

"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," Wordfence added. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."

The issue has been addressed in Gravity SMTP version 2.1.5. However, threat actors have already begun actively exploiting vulnerable installations by sending unauthenticated HTTP GET requests to the affected REST API endpoint with the "?page=gravitysmtp-settings" parameter. These requests trigger the server to disclose valuable site information without requiring authentication.

According to Wordfence, more than 17 million exploitation attempts targeting CVE-2026-4020 have been blocked so far. Malicious activity was first observed in early May 2026 and surged significantly around June 6, 2026, peaking at more than 4 million requests within a single day.

The primary IP addresses associated with the attack activity include:

* 45.148.10.95
* 193.32.162.60
* 176.65.148.139
* 173.199.90.188
* 45.148.10.120
* 185.8.107.155
* 185.8.106.37
* 185.8.106.92
* 185.8.106.145
* 176.65.148.30

Website owners using affected versions of Gravity SMTP, particularly those with third-party email integrations enabled, are strongly advised to update to the latest version immediately. Security experts also recommend rotating all associated API credentials after updating, as a precautionary measure.

Administrators should further inspect server logs for requests originating from the identified IP addresses and review any suspicious activity involving the vulnerable API endpoint to determine whether their systems may have been targeted.

Read more »
RDP
Cryptographic Dark Web Data Theft malware Prinz Eugen RAAS ransomware RDP

New Prinz Eugen Ransomware Targets Recently Modified Files First, Researchers Find

 



Security researchers have revealed a ransomware operation known as Prinz Eugen that employs an unusual file-encryption strategy designed to increase pressure on victims. According to an investigation by ThreatDown, Malwarebytes' enterprise security division, the malware gives priority to files that have been modified most recently, focusing its efforts on data that organizations are most likely to rely on for day-to-day operations.

Researchers describe the actors behind Prinz Eugen as highly interactive intruders who rely on direct involvement throughout the attack process rather than fully automated deployment methods. Instead of depending on large-scale ransomware affiliate networks, the group appears to conduct attacks manually, using legitimate administration tools and built-in system utilities to move through victim environments and maintain access.

Evidence collected during incident response investigations suggests that attackers may initially gain entry through compromised Remote Desktop Protocol (RDP) credentials. After securing access, operators manually retrieve and launch the ransomware payload, identified as servertool.exe. In one investigated intrusion, researchers observed the use of the RemotePC remote management platform, alongside the creation of a backdoor administrator account that allowed the attackers to retain access to the compromised environment.

ThreatDown noted that Prinz Eugen does not currently appear to operate under the ransomware-as-a-service model that has become common across the cybercriminal ecosystem. Researchers found no indication that the group's operators are actively recruiting affiliates or distributing their malware to external partners. Instead, available evidence points to a more centralized operation in which attacks are carried out directly by the threat actors themselves.

Although the group's data-leak platform presently displays only three victims, researchers believe the actual number of affected organizations is higher. Information gathered during investigations indicates that multiple organizations have experienced incidents linked to the ransomware. Depending on the attack, victims may face file encryption, data theft, or a combination of both. Security researchers have identified at least five organizations impacted by the operation, including an incident involving Standard Bank, where attackers reportedly demanded a ransom payment of one Bitcoin. The demand was ultimately rejected.

One of the most distinctive characteristics of Prinz Eugen is its approach to selecting files for encryption. Analysis of the malware revealed that it processes files according to modification time, encrypting the most recently changed data before moving to older content. When several files share the same timestamp, the malware follows alphabetical order to determine which file is processed next.

Researchers believe this strategy is intended to maximize operational disruption. Files that have been edited recently are often associated with ongoing business activities, active projects, financial records, or other information that employees depend on regularly. By rendering this data inaccessible first, attackers can create immediate pressure on organizations to engage with extortion demands.

Technical analysis further showed that the ransomware scans directories recursively without imposing depth restrictions. Unlike some ransomware families that avoid certain locations or system folders, the examined Prinz Eugen sample applies very few limitations. The malware attempts to encrypt virtually every accessible file it encounters, excluding only files that already carry the .prinzeugen extension, which is added to data after encryption has been completed.

The encryption mechanism itself incorporates multiple modern cryptographic components. Researchers found that the ransomware uses the ChaCha20-Poly1305 algorithm together with a 32-byte master key. Each targeted file receives its own randomly generated initialization vector, while key generation and derivation processes rely on Argon2id, SHA-256, and HKDF-SHA256. Data is encrypted in 1 MB segments, and SHA-256 hashing is used to verify file integrity throughout the process.

Investigators also identified a safeguard built into the malware's deletion routine. When operators use the – delete option, the ransomware removes original files only after confirming that the encrypted version can be successfully decrypted. This verification step reduces the likelihood of accidental data destruction that could undermine the attackers' leverage over victims.

Beyond encrypting files, Prinz Eugen incorporates measures intended to frustrate forensic investigations. Researchers observed that the malware overwrites encryption keys with zero values once they are no longer needed, triggers garbage collection routines to remove remaining traces from memory, and then attempts to delete itself from disk. These actions are designed to make post-incident analysis and key recovery efforts more difficult.

Another noteworthy aspect of the ransomware is the absence of conventional extortion artifacts. The analyzed sample contains no functionality for dropping a ransom note onto infected systems, nor does it alter the victim's desktop wallpaper to display payment instructions. While such techniques have historically been common among ransomware groups, ThreatDown researchers noted that some organized operations are increasingly shifting away from visible on-system communications.

Instead, attackers may conduct negotiations through external channels such as email correspondence, direct phone contact, or dedicated dark-web portals. By moving communications outside the compromised environment, threat actors leave behind fewer artifacts that investigators can collect and reduce opportunities for automated security tools to identify the extortion phase of an attack.

To assist defenders, ThreatDown has published a collection of indicators of compromise associated with Prinz Eugen activity. These indicators can help security teams, incident responders, and researchers identify potential infections, investigate suspicious activity, and strengthen defenses against future attacks involving the ransomware. 

Read more »
Financial Monitoring
Bitcoin Crypto Market crypto market risks cryptocurrency Cryptocurrency news Cyber Security Financial Monitoring

Bitcoin Drops Below $60,000 as Market Selloff and Security Fears Weigh on Crypto

 

Falling further now, Bitcoin dipped under $60,000 again - the first time since early 2024 - amid softness across financial markets and rising unease about digital safety. Around $59,909, it lost close to 6% in one session, almost 18.5% in seven days. This slump stretches beyond just Bitcoin. Ethereum followed closely behind, sliding 23% over the week until reaching approximately $1,555. Meanwhile, Solana saw a similar drop of 22%, settling near $63.75 after sharp downward pressure. 

Bitcoin now trades over 52 percent below its peak of $126,080 set last October. A mix of pressures drives the drop, according to market observers. Attention earlier centered on steady withdrawals from physical Bitcoin ETFs along with Strategy offloading coins for the first time since 2022. Lately, though, shifts in outlook regarding Federal Reserve interest moves have added pressure, alongside fresh unease about digital asset safety. 

Surprising strength marked last month's U.S. labor numbers, as payrolls expanded by 172,000 during May. That outcome ran well ahead of forecasts - almost twice what analysts had predicted - shifting how investors view future rate moves. With inflation concerns lingering, officials may feel less pressure to ease policy soon. Because higher yields often make safer investments more appealing, digital coins typically face headwinds under such conditions. Market participants now weigh whether extended tightening cycles could dampen speculative flows. 

Despite recent gains in employment figures, expectations for lower interest rates have faded, according to Nicolai Søndergaard of Nansen. Having shed roughly 15 percent lately, Bitcoin now faces added strain without any obvious economic trigger to spark rebound. Though digital assets struggle, broader uncertainty lingers due to unrest in the Middle East. That stress shows up in cautious trading behavior worldwide. 

With few positive signals on the horizon, momentum remains fragile. Even as attention grows around blockchain safety, news of a serious weakness in Zcash - a coin built for anonymity - has raised alarms. Though programmers pushed out an update to correct the problem, they stated plainly that tracking past misuse is impossible due to hidden transaction details. Without clear evidence of abuse, doubt spread quickly among investors. 

That hesitation showed in price movements: ZEC plunged over two-fifths in value in just one day. Now worries spread through crypto circles after the event. Because AI tools might detect weak spots in blockchains, investor unease grows. Questions emerge - could similar flaws threaten more digital currencies? As machine learning advances, trust faces new tests. Out of nowhere, a slight uptick appeared for Bitcoin ETFs amid continued market softness. 

On Thursday, U.S. spot Bitcoin funds saw inflows exceeding $3 million - breaking a run of 13 straight days of outflows. While tiny next to the billions pulled so far this year, the shift hinted at changed sentiment, if only briefly. Not long after prolonged pullbacks, investors paused, then edged back in. After tech shares slipped, so did broader market sentiment - Nasdaq dropped sharply amid wider financial strains. 

Not just crypto felt the downturn; traditional assets wavered too, pulled by similar worries. Investors moved carefully through overlapping pressures: shaky economies, global conflicts, threats in digital finance. When equities fell, digital coins followed close behind, mirroring the wariness spreading through capital markets.
Read more »
User Security
Banking scam Cyber Fraud Haldwani OTP Bypass User Security

Haldwani Cyber Fraud: ₹2.5 Lakh Stolen Without OTP, Raising Bank Security Concerns

 

In Haldwani, a cyber fraud case has once again shaken public trust in digital banking, after a victim reportedly lost money without clicking a suspicious link or sharing an OTP. The case is worrying because it shows how modern fraud can bypass the protections many users still consider reliable. For years, OTPs have been seen as a strong safety layer, but incidents like this suggest scammers are finding new ways to drain accounts while staying hidden. As digital payments grow, so does the need to understand how these silent attacks work. 

What makes such frauds especially alarming is that victims often receive no obvious warning before the money disappears. In some recent cases, cybercriminals have used methods such as SIM swap attacks, malware, account takeovers, call forwarding, or unauthorized beneficiary additions to move funds without the user’s approval. Other reports have also shown that fraud can happen through fake banking apps, remote access tools, or abuse of pre-linked payment mandates. This means the problem is no longer just about sharing an OTP; it is also about securing the phone, SIM, banking app, and personal identity. 

The Haldwani incident highlights a deeper issue in bank security: authentication systems are only as strong as the weakest device or process connected to them. If a fraudster gains access to a phone number, banking credentials, or an already trusted payment route, the transaction may look legitimate to the bank’s systems. That is why “no OTP” does not automatically mean “no compromise.” In fact, some frauds exploit loopholes where money is shifted through internal banking paths, or through beneficiary changes that may not trigger immediate user attention. 

Safety recommendations 

For users, the first rule is to monitor bank alerts closely and treat any unexpected debit, SMS, or app activity as urgent. Keep mobile software updated, avoid installing apps from unknown links, and never grant unnecessary SMS, accessibility, or call permissions to random applications. It also helps to use strong screen locks, secure SIM cards with a PIN, and enable additional notifications through email or alternate channels. If anything looks suspicious, contact the bank immediately and report the fraud through the cybercrime helpline without delay. 

This case is a reminder that cybersecurity is no longer only a technical concern; it is a daily financial survival issue. Banks need stronger fraud detection, faster alerts, and better protection against account takeover methods that bypass OTP-based trust. At the same time, users must stop assuming that OTP alone can keep money safe. The real defense is layered security, quick reporting, and constant digital caution.
Read more »
Usbliter8 Exploit
Apple A12 Security Apple A13 Exploit Apple Device Vulnerability Apple SecureROM Vulnerability BootROM Exploit Cyber Security Cyber Threats Hardware Security Flaw iPhone Security Research Usbliter8 Exploit

Unpatchable BootROM Flaw Exposes Apple A12 and A13 SecureROM Chain


 

The disclosure of a new hardware-level exploit has raised new concerns about the long-term security implications of immutable silicon vulnerabilities across Apple's entire ecosystem. Paradigm Shift researchers have revealed usbliter8, a working SecureROM exploit compromising the boot chain of Apple A12 and A13 processor-based devices. 

In 2019, checkm8 emerged as the first publicly released unpatched attack on these chip generations. By exploiting a flaw within the BootROM, the code that runs before iOS and all higher security controls, the exploit is able to bypass protections at the earliest stage of the initialization process. Physical access, a USB connection, and manual placement of the device into DFU mode are required to perform the attack, but the significance lies in the vulnerability itself. This vulnerability is not able to be remedied by updating firmware, updating operating systems, or restoring devices since it occurs in silicon rather than software.

In addition to the niche jailbreak development impacted by this disclosure, Apple hardware that is still supported, including iPhones, iPads, Apple Watches, and other Apple devices, now carry a permanent hardware weakness that can be exploited throughout the device's operational lifetime. 

Along with presenting a notable research discovery, USBliter8 also presents a significant hardware security incident due to the permanent nature of the vulnerability exploited by it. The affected SecureROM code is therefore physically embedded within the processor while the device is being manufactured, placing it beyond Apple's control once the device leaves the factory. This is in contrast to conventional vulnerabilities that can be mitigated by updating firmware or operating systems. 

During a coordinated engagement with Apple Product Security on June 18, 2026, researchers revealed the exploit and accompanying proof of concept, demonstrating that a successful attack can be carried out in less than two seconds before Apple's trusted boot sequence takes over. There remains a strict physical access requirement for the attack: a target device must be manually placed into Device Firmware Update (DFU) mode and connected to an RP2350-based microcontroller platform using USB. Nevertheless, there is a considerable range of hardware impacted. 

Publicly supported targets include devices built on Apple's A12 and A13 application processors, in addition to the S4 and S5 systems-on-chip used across Apple Watch and HomePod products. There are a number of products, such as the iPhone XS, iPhone XR, iPhone 11, two-generation iPhone SE, multiple iPad models, Apple Watch Series 4 and 5, the first-generation Apple Watch SE, HomePod mini, and others, which continue to see active deployment. 

Research indicates that support for A12X and A12Z processors may be technically achievable in the future, but this has not yet been implemented. The architectural differences in USB memory handling do not seem to affect devices based on A11 silicon, while A14 and newer generations appear to be immune due to improved DART configuration and memory isolation controls within the boot environment.

The disclosure also highlights an aspect of modern device security that is seldom encountered: there are some vulnerabilities that are beyond the reach of all software-based defense mechanisms available to vendors as well as users. The vulnerability can not be eliminated by iOS updates, firmware revisions, factory restores, or standard hardening measures since the vulnerability lies within immutable SecureROM code. It remains imperative to maintain the latest software versions, enforce strong authentication controls, and adhere to sound security practices to protect against conventional threats; however, those measures do not alter the hardware trust anchor targeted by USBliter8. 

In identifying the most practical long-term mitigation strategy for organizations and individuals seeking to reduce exposure, Paradigm Shift identified migration to devices utilizing A14 or newer silicon. While Apple has not publicly addressed the research as of publication, the researchers stated that Apple Product Security has been notified and disclosure procedures have been completed before technical details and exploit code can be released. There is a great deal of variation in the security implications associated with the various operating environments in which affected devices are used. 

For the average consumer, the requirement for physical possession, DFU mode access, and specialized hardware greatly narrows the scope of potential exploitation. Individuals who operate under elevated threat conditions, including journalists, corporate executives, activists, government employees, and others whose devices may be seized, inspected, or held for extended periods, face a significantly different risk profile. In such scenarios, a compromised device based on A12, A13, S4, or S5 could be affected by persistent boot-level intrusions that are anchored underneath the operating system itself, even after software updates are applied. Thus, device lifecycle planning now includes security considerations instead of just procurement, with the newer A14-generation hardware and later platforms posing the most obvious route to avoiding this type of exposure. 

In addition to the immediate technical accomplishments, researchers are closely tracking whether usbliter8 follows a similar path to checkm8 that was established nearly seven years ago. Along with the research, a proof-of-concept code was released that gained significant attention from the security community.

It quickly gained hundreds of GitHub stars and indicated strong interest from researchers and developers alike. It is widely anticipated that jailbreak-focused tools will emerge in the near future, but the more consequential question is whether the exploit will evolve into a mature hardware research and forensic framework for A12 and A13 devices. Ultimately, Checkm8 has become the primary tool for examining and interacting with older Apple hardware in a manner previously not possible for defenders, researchers, and forensic practitioners. 

While USBliter8 has not yet reached that level, its publication provides the first public insight into a generation of Apple silicon which, until now, has been largely beyond the reach of unpatched SecureROM exploits. With the advent of USBliter8, we are reminded that not all security risks originate with software, and not all can be resolved through patching. 

By exposing a hardware-rooted vulnerability that remains widely deployed, this research contributes to a heightened awareness of the long-term security implications of silicon-level trust boundaries. However, organizations and individuals responsible for sensitive data should reassess their device custody practices, hardware refresh strategies, and exposure to high-risk environments as a result of the exploit. 

Usbliter8 remains a significant landmark in Apple security research and is being examined by the security community in order to fully comprehend its impact. It demonstrates how important it is not only to secure the software on a device, but also the device itself.
Read more »
Subscribe to: Posts (Atom)

Featured