Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Infostealer. Show all posts
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Malwares
Arcane Cyber Attacks Data Safety User Data data security Data Stealer Discord Infostealer Infostealer Malware Kaspersky Malwares

Arcane Malware Steals VPN, Gaming, and Messaging Credentials in New Cyber Threat

 

A newly identified malware strain, Arcane, is making headlines for its ability to steal a vast range of user data. This malicious software infiltrates systems to extract sensitive credentials from VPN services, gaming platforms, messaging apps, and web browsers. Since its emergence in late 2024, Arcane has undergone several modifications, increasing its effectiveness and expanding its reach. 

Unlike other cyber threats with long-established histories, Arcane is not linked to previous malware versions carrying a similar name. Analysts at Kaspersky have observed that the malware primarily affects users in Russia, Belarus, and Kazakhstan. This is an unusual pattern, as many Russian-based cybercriminal groups tend to avoid targeting their home region to steer clear of legal consequences. 

Additionally, communications linked to Arcane’s operators suggest that they are Russian-speaking, reinforcing its likely origin. The malware spreads through deceptive content on YouTube, where cybercriminals post videos promoting game cheats and cracked software. Viewers are enticed into downloading files that appear legitimate but contain hidden malware. Once opened, these files initiate a process that installs Arcane while simultaneously bypassing Windows security settings. 

This allows the malware to operate undetected, giving hackers access to private information. Prior to Arcane, the same group used a different infostealer known as VGS, a modified version of an older trojan. However, since November 2024, they have shifted to distributing Arcane, incorporating a new tool called ArcanaLoader. This fake installer claims to provide free access to premium game software but instead delivers the malware. 

It has been heavily marketed on YouTube and Discord, with its creators even offering financial incentives to content creators for promoting it. Arcane stands out because of its ability to extract detailed system data and compromise various applications. It collects hardware specifications, scans installed software, and retrieves login credentials from VPN clients, communication platforms, email services, gaming accounts, and cryptocurrency wallets. Additionally, the malware captures screenshots, which can expose confidential information visible on the victim’s screen. 

Though Arcane is currently targeting specific regions, its rapid evolution suggests it could soon expand to a broader audience. Cybersecurity experts warn that malware of this nature can lead to financial theft, identity fraud, and further cyberattacks. Once infected, victims must reset all passwords, secure compromised accounts, and ensure their systems are thoroughly cleaned. 

To reduce the risk of infection, users are advised to be cautious when downloading third-party software, especially from unverified sources. Game cheats and pirated programs often serve as delivery methods for malicious software, making them a significant security threat. Avoiding these downloads altogether is the safest approach to protecting personal information.
Read more »
Microsoft
Cyber Attacks GitHub Infostealer Malvertising Microsoft

Microsoft Warns of Malvertising Campaign Impacting Over 1 Million Devices Worldwide

 

Microsoft has revealed details of a large-scale malvertising campaign that is believed to have impacted over one million devices worldwide as part of an opportunistic attack aimed at stealing sensitive information. 

The tech giant, which discovered the activity in early December 2024, is tracking it under the broader Storm-0408 umbrella, which refers to a group of attackers known for distributing remote access or information-stealing malware via phishing, search engine optimisation (SEO), or malvertising.

"The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team stated. "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

The campaign relied on GitHub to deliver initial access payloads, but payloads were also detected on Discord and Dropbox. The GitHub repositories were removed, but the number of such repositories was not disclosed. The Microsoft-owned code hosting service serves as a staging ground for dropper malware, which deploys a series of ads.

The Microsoft-owned code hosting site serves as a staging ground for dropper malware, which is in charge of launching a number of further programs such as Lumma Stealer and Doenerium, which can then collect system information. The assault also uses a sophisticated redirection chain with four to five layers, with the first redirector embedded in an iframe element on unlawful streaming websites that serve pirated content.

The entire infection sequence consists of several stages, including system discovery, information collecting, and the employment of follow-on payloads like NetSupport RAT and AutoIT scripts to assist more data theft. The remote access trojan also acts as a gateway for stealer malware. 

  • First stage: Establish a footing on target devices.
  • Second stage: system reconnaissance, collection, exfiltration, and payload delivery. 
  • Third stage: It involves command execution, payload delivery, defence evasion, persistence, command-and-control communications, and data exfiltration. 
  • Fourth stage: PowerShell script for configuring Microsoft Defender exclusions and running commands to download data from a remote server. 

Another feature of the assaults is the use of numerous PowerShell scripts to download NetSupport RAT, identify installed apps and security software, and scan for the presence of cryptocurrency wallets, which indicates possible financial data theft.

"Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.” 

The disclosure comes after Kaspersky reported that fake websites masquerading as DeepSeek and Grok artificial intelligence (AI) chatbots are being used to lure users into installing a previously unknown Python information stealer.

DeekSeek-themed decoy sites promoted by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been used to run a PowerShell script that leverages SSH to enable attackers remote access to the machine. 

"Cybercriminals use various schemes to lure victims to malicious resources,' the Russian cybersecurity company noted. "Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
Read more »
Malwares
Cyber Attacks cybercriminals data security Data Theft Hackers Infostealer Infostealer Malware Malware attacks Malwares

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. Hackers distribute infostealer malware through multiple channels, making it a widespread threat. 

Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.
Read more »
Visual Studio Code
Infostealer LNK File malware Phantom Goblin Visual Studio Code

Phantom Goblin: An Emerging Menace in Credential Theft and Remote System Access

 

A complex malware campaign dubbed "Phantom Goblin" has been discovered, which employs social engineering techniques to install information-stealing malware. The malware is distributed by RAR attachments in spam messages, which includes a poisoned shortcut file posing as a PDF. 

When executed, the LNK file launches a PowerShell operation to download further payloads from a GitHub repository, ensuring persistence by generating a registry entry that starts at system boot. These payloads, such as "updater.exe," "vscode.exe," and "browser.exe," spoof legitimate apps, which complicates detection. 

The malware primarily targets web browsers and development tools to steal sensitive data. It harvests cookies, login passwords, and browsing history by forcing browsers such as Chrome, Brave, and Edge to shut down. The "updater.exe" payload allows remote debugging to bypass Chrome's App Bound Encryption (ABE) and achieve covert data exfiltration. The stolen information is subsequently transferred to a Telegram channel via the Telegram Bot API. This approach allows cybercriminals to access data in real time without suspicion. 

Phantom Goblin also uses Visual Studio Code (VSCode) tunnels for remote unauthorised access. The "vscode.exe" payload downloads a legitimate version of VSCode, unpacks it, and creates a tunnel to maintain persistent control over compromised PCs. These connection credentials are passed to a Telegram bot, which allows remote access without triggering traditional security notifications. 

Prevention tips

Several best practices are recommended by experts to safeguard systems against Phantom Goblin and similar threats:

Email Filtering: Use advanced filtering techniques to block suspicious attachments, especially those in RAR, ZIP, or LNK format. Before opening any attachments, be sure they have been scanned with the latest antivirus software. 

Disabling VSCode tunnels: Enforce access controls and authentication measures to prevent unauthorised users from using Visual Studio Code tunnels. Limiting the ability to use VSCode on sensitive systems can help prevent remote access. 

PowerShell Restrictions: Disable or limit the use of PowerShell and script execution on computers unless absolutely necessary. Monitoring for suspicious PowerShell activity, such as script execution from external sources, can assist detect and prevent malicious operations. 

Browser Security: Use strong browser security mechanisms to prevent unauthorised debugging and limit access to sensitive data stored within browsers. Enforcing multi-factor authentication (MFA) and session timeouts can assist to secure browser-based credentials.
Read more »
remote access
Data Leak Infostealer malware Microsoft Teams remote access

Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

 

Trend Micro security experts discovered a sophisticated cyberattack that included social engineering tactics and commonly employed remote access tools. The attack, which uses stealthy infostealer malware, gives thieves permanent access over vulnerable PCs and allows them to steal sensitive data.

According to Trend Micro Threat Intelligence, the majority of incidents since October 2024 have been concentrated in North America, with 21 breaches reported. The US was the most affected, with 17 cases, followed by Canada and the United Kingdom, each with five. Europe documented a total of 18 incidents. 

Modus operandi 

Threat actors utilise social engineering techniques to acquire initial access by deceiving victims into submitting credentials. Microsoft Teams is used for impersonation, and Quick Assist and other remote access applications allow attackers to escalate privileges. OneDriveStandaloneUpdater.exe, a genuine OneDrive update application, is used to sideload malicious DLLs and grant attackers network access.

Subsequently, the attackers install BackConnect malware, which allows them to keep control of affected systems. Malicious files are hosted and propagated via commercial cloud storage services, leveraging misconfigured or publicly available storage buckets. 

The BackConnect malware has been linked by researchers to QakBot, a loader malware that was the focus of the 2023 takedown effort called "Operation Duckhunt." Access to target computers by Black Basta ransomware attackers was made possible in large part via QakBot. After it was taken down, these threat actors switched to alternative methods to continue operating. 

Black Basta and Cactus ransomware link 

Trend Micro analysts recently investigated cases in which the Black Basta and Cactus ransomware perpetrators used the identical BackConnect malware. This malware allows cybercriminals to execute commands remotely, steal credentials, and steal financial information.

In 2023, Black Basta alone extorted $107 million from victims, with manufacturing the largest hit, followed by financial sectors and real estate. Attackers also utilised WinSCP, an open-source file transfer client, to move data within infected systems. The infected files were first acquired from a cloud storage provider before being repackaged and distributed using system vulnerabilities. 

Further investigation into Black Basta's internal chat breaches indicates that members of the gang are now using Cactus ransomware. Researchers believe that this transition will allow Cactus to remain a major threat by 2025.
Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
malware
fake ads Google Ads Infostealer Malicious Campaign malware

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

 

Hackers are once more exploiting Google advertisements to disseminate malware, using a fake Homebrew website to compromise Macs and Linux systems with an infostealer that harvests credentials, browsing data, and cryptocurrency wallets. 

Ryan Chenkie discovered the fraudulent Google ad campaign and warned on X regarding the potential of malware infection. The malware employed in this operation is AmosStealer (aka 'Atomic'), an infostealer intended for macOS devices and sold to malicious actors on a monthly subscription basis for $1,000. 

The malware recently appeared in various malvertising campaigns promoting bogus Google Meet conferencing pages, and it is now the preferred stealer for fraudsters targeting Apple customers. 

Targeting Homebrew customers 

Homebrew is a popular open-source package manager for macOS and Linux that lets you install, update, and manage software using the command line. 

A fraudulent Google advertising featured the correct Homebrew URL, "brew.sh," misleading even seasoned users into clicking it. However, the ad redirected users to a bogus Homebrew website hosted at "brewe.sh". Malvertisers have extensively exploited this URL strategy to trick users into visiting what appears to be a legitimate website for a project or organisation.

When the visitor arrives at the site, he or she is requested to install Homebrew by copying and pasting a command from the macOS Terminal or Linux shell prompt. The official Homebrew website provides a similar command for installing legitimate software. However, running the command displayed on the bogus website will download and execute malware on the device. 

Cybersecurity expert JAMESWT discovered that the malware injected in this case [VirusTotal] is Amos, a potent infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and online browser data. Mike McQuaid, Homebrew's project leader, indicated that the project is aware of the situation but that it is beyond its control, criticising Google's lack of oversight. 

"Mac Homebrew Project Leader here. This seems taken down now," McQuaid stated on X. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been removed, but the campaign could still run through other redirection domains, therefore Homebrew users should be aware of sponsored project adverts.

To mitigate the risk of malware infection, while clicking on a link in Google, make sure you are directed to the authentic site for a project or company before entering sensitive information or installing software. Another safe option is to bookmark official project websites that you need to visit frequently when sourcing software and utilise them instead of searching online every time.
Read more »
Subscribe to: Posts (Atom)