Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malicious Campaign. Show all posts
PyStoreRAT
GitHub Malicious Campaign malware OSINT PyStoreRAT

Fake GitHub OSINT Tools Spread PyStoreRAT Malware

 

Attackers are using GitHub as part of a campaign to spread a novel JavaScript-based RAT called PyStoreRAT, masquerading as widely used OSINT, GPT, and security utilities targeting developers and analysts. The malware campaign leverages small pieces of Python or JavaScript loader code hosted on fake GitHub repositories, which silently fetch and execute remote HTML Application (HTA) files via mshta.exe, initiating a multi-stage infection chain. 

PyStoreRAT is said to be a modular, multi-stage implant that can load and execute a wide range of payload formats, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules, making it highly versatile once a breach has been established. One of the most prominent follow-on payloads is the Rhadamanthys information stealer, which specializes in the exfiltration of sensitive information, including credentials and financial data. The loaders arrive embedded in repositories branded as OSINT frameworks, DeFi trading bots, GPT wrappers, or security tools; many of these hardly work past statically showing menus or other placeholder behavior to appear legitimate.

It is believed the campaign started at around mid-June 2025, with the attackers publishing new repositories at a steady pace, and then artificially inflating stars and forks by promoting those on YouTube, X, and other platforms. When these tools started gaining traction and hit GitHub's trending lists, the threat actors slipped in malicious "maintenance" commits in October and November, quietly swapping or augmenting the code to insert the loader logic. This factor of abusing GitHub's trust model and popularity signals echoes a trend seen in supply chain-like gimmicks such as Stargazers Ghost Network tactic.

Subsequently, the loader retrieves a distant HTA, which installs PyStoreRAT, a tool that profiles the system, identifies whether it has administrator privileges, and searches for cryptocurrency wallet artifacts involving services such as Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02. It also identifies installed anti-virus software and searches for strings such as “Falcon” and “Reason,” which are attributed to CrowdStrike and Cybereason/ReasonLabs, with what appears to be a modification of the path used to execute mshta.exe to avoid detection. 

It uses a scheduled task, which is disguised as an NVIDIA self-update, with the RAT communicating with a distant server for command execution, which includes but is not limited to downloading and executing EXE payloads, delivering Rhadamanthys, unzip archives, loading malicious DLLs via rundll32.exe, unpacking MSI packages, executing PowerShell payloads within a suspended process, instantiating additional mshta.exe, and propagate via portable storage devices by embedding armed LNK documents. 

Additionally, it has the capacity to eliminate its own scheduled tasks, which is attributed to making reverse-engineering even more complicated. The Python-based weapons have revealed Russian language artifacts as well as programming conventions that indicate a probable Eastern European adversary, who has described PyStoreRAT as part of a growth toward adaptable, script-based implants that avoid common detection on a targeted environment until a very late stage in the fight.
Read more »
Threat Intelligence
ClickFix Cyber Security Malicious Campaign Social Engineering Threat Intelligence

ClickFix: The Silent Cyber Threat Tricking Families Worldwide

 

ClickFix has emerged as one of the most pervasive and dangerous cybersecurity threats in 2025, yet remains largely unknown to the average user and even many IT professionals. This social engineering technique manipulates users into executing malicious scripts—often just a single line of code—by tricking them with fake error messages, CAPTCHA prompts, or fraudulent browser update alerts.

The attack exploits the natural human desire to fix technical problems, bypassing most endpoint protections and affecting Windows, macOS, and Linux systems. ClickFix campaign typically begin when a victim encounters a legitimate-looking message urging them to run a script or command, often on compromised or spoofed websites. 

Once executed, the script connects the victim’s device to a server controlled by attackers, allowing stealthy installation of malware such as credential stealers (e.g., Lumma Stealer, SnakeStealer), remote access trojans (RATs), ransomware, cryptominers, and even nation-state-aligned malware. The technique is highly effective because it leverages “living off the land” binaries, which are legitimate system tools, making detection difficult for security software.

ClickFix attacks have surged by over 500% in 2025, accounting for nearly 8% of all blocked attacks and ranking as the second most common attack vector after traditional phishing. Threat actors are now selling ClickFix builders to automate the creation of weaponized landing pages, further accelerating the spread of these attacks. Victims are often ordinary users, including families, who may lack the technical knowledge to distinguish legitimate error messages from malicious ones.

The real-world impact of ClickFix is extensive: it enables attackers to steal sensitive information, hijack browser sessions, install malicious extensions, and even execute ransomware attacks. Cybersecurity firms and agencies are urging users to exercise caution with prompts to run scripts and to verify the authenticity of error messages before taking any action. Proactive human risk management and user education are essential to mitigate the threat posed by ClickFix and similar social engineering tactics.
Read more »
Supply Chain Attack
Malicious Campaign malware NPM Package Shai-Hulud Supply Chain Attack

Shai-Hulud Worm Strikes: Self-Replicating Malware Infects Hundreds of NPM Packages

 

A highly dangerous self-replicating malware called “Shai-Hulud” has recently swept through the global software supply chain, becoming one of the largest incidents of its kind ever documented. 

Named after the sandworms in the Dune series, this worm has infected hundreds of open-source packages available on the Node Package Manager (NPM) platform, which is widely used by JavaScript developers and organizations worldwide. 

Shai-Hulud distinguishes itself from previous supply chain attacks by being fully automated: it propagates by stealing authentication tokens from infected systems and using them to compromise additional software packages, thus fueling a rapid, worm-like proliferation.

The attack vector starts when a developer or system installs a poisoned NPM package. The worm then scans the environment for NPM credentials, specifically targeting authentication tokens, which grant publishing rights. Upon finding such tokens, it not only corrupts the compromised package but also infects up to twenty of the most popular packages accessible to that credential, automatically publishing malicious versions to the NPM repository. 

This creates a domino effect—each newly infected package targets additional developers, whose credentials are then used to expand the worm’s grip, further cascading the spread across the global development community.

Researchers from various security firms, including CrowdStrike and Aikido, were among those affected, though CrowdStrike quickly removed impacted packages and rotated its credentials. Estimates of the scale vary: some report at least 180 packages infected, while others cite figures above 700, underscoring the scope and severity of the outbreak. 

Major tools used by the worm, such as TruffleHog, enabled it to scan compromised systems for a broad array of secrets, including API and SSH keys, as well as cloud tokens for AWS, Azure, and Google Cloud, making its impact particularly far-reaching.

Response to the attack involved urgent removals of poisoned software, rotations of compromised credentials, and investigations by platform maintainers. Security experts argued for immediate industry reforms, recommending that package managers like NPM require explicit human approval and use robust, phishing-resistant two-factor authentication on all publishing operations. 

The attack also exposed the vulnerabilities inherent in modern open-source ecosystems, where a single compromised credential or package can threaten countless downstream systems and organizations. This incident highlights the evolving tactics of cyber attackers and the critical need for improved security measures throughout the global software supply chain.
Read more »
User Security
Cyber Fraud Malicious Campaign Pharmacy Scam PharmaFraud User Security

Millions Face Potential Harm After Experts Uncovered a Vast Network of 5,000+ Fake Pharmacy Sites

 

Security experts have exposed "PharmaFraud," a criminal network of more than 5,000 fraudulent online pharmacies. The operation puts millions of consumers at risk by selling unsafe counterfeit medications while also stealing their private data. 

The fraudulent campaign mimics legitimate online pharmacies and specifically targets individuals seeking discreet access to medications such as erectile dysfunction treatments, antibiotics, steroids, and weight-loss drugs. What makes this operation particularly dangerous is its use of advanced deception techniques, including AI-generated health content, fabricated customer reviews, and misleading advertisements to establish credibility with potential victims. 

These sites are designed to circumvent basic security indicators by omitting legitimate business credentials and requiring payments through cryptocurrency, which makes transactions virtually untraceable. The operation extends beyond simply selling fake drugs—it actively harvests sensitive medical information, personal details, and financial data that can be exploited in subsequent fraud schemes. 

Health and financial risks

Even when products are delivered, there's no guarantee of safety or effectiveness—medications may be expired, contaminated, or completely fake, creating health risks that extend far beyond financial losses. The report highlights that these fraudulent sites often bypass prescription requirements entirely, allowing dangerous medications to reach consumers without proper medical oversight. 

The broader cyberthreat landscape has seen escalation, with financial scams increasing by 340% in just three months, often using fake advertisements and chatbot interfaces to impersonate legitimate legal or investment services. Tech support scams appearing as browser pop-ups have also risen sharply, luring users into contacting fraudulent help services.

Safety tips 

To avoid these scams, consumers should be vigilant about several key warning signs: 

  • Websites that offer prescription medications without requiring valid prescriptions.
  • Missing or unclear contact information and business registration details.
  • Absence of verifiable physical addresses.
  • Unusually low prices and limited-time offers.
  • Payment requests specifically for cryptocurrency.

Essential security measures include verifying that websites use secure checkout processes with HTTPS protocols and trusted payment gateways. Users should also deploy antivirus software to detect malware that may be embedded in fraudulent medical sites, enable firewalls to block suspicious traffic from known scam domains, and install endpoint protection across multiple devices for comprehensive security. 

Consumers should maintain healthy skepticism toward unsolicited health advice, product reviews, or miracle cure claims found through advertisements, emails, or social media links. When in doubt, consumers should verify pharmacy legitimacy through official regulatory channels before sharing any personal or financial information.
Read more »
User Privacy
Cyber Scam FBI Alert Malicious Campaign QR Code Phishing User Privacy

FBI Alert: Avoid Scanning This QR Code on Your Phone

 

The FBI has issued a warning about a new scam in which cybercriminals send unsolicited packages containing a QR code to people’s homes, aiming to steal personal and financial information or install malware on their devices. These packages often lack sender information, making them seem mysterious and tempting to open. 

Modus operandi 

Scammers mail unexpected packages without sender information, deliberately creating curiosity that encourages recipients to scan the included QR code. Once scanned, the code either: 

  • Redirects users to fake websites requesting personal and financial information. 
  • Automatically downloads malicious software that steals data from phones.
  • Attempts to gain unauthorized access to device permissions.

This strategy is based on old "brushing scams," in which unscrupulous vendors send unsolicited products in order to generate fake positive feedback. The new variation uses QR codes to permit more serious financial theft, rather than simple review manipulation. 

Who is at risk?

Anyone who receives a surprise package—especially one without clear sender details—could be targeted. The scam exploits curiosity and the widespread, trusting use of QR codes for payments, menus, and other daily activities. 

Safety tips

  • Do not scan QR codes from unknown or unsolicited packages.
  • Be cautious of packages you didn’t order, especially those without sender information. 
  • Inspect links carefully if you do scan a QR code—look for suspicious URLs before proceeding. 
  • Secure your online accounts and consider requesting a free credit report if you suspect you’ve been targeted. 
  • Stay vigilant in public places, as scammers also place fake QR codes on parking meters and in stores. 

This warning comes amid a broader rise in sophisticated scams, including voice message attacks where criminals impersonate recognizable figures to encourage victim interaction. The FBI emphasizes that while QR codes may appear harmless, they can pose significant security risks when used maliciously. 
Read more »
User Security
Blockchain Developer Crypto Theft Cyber Fraud Malicious Campaign User Security

Online Criminals Steal $500K Crypto Via Malicious AI Browser Extension

 

A Russian blockchain engineer lost over $500,000 worth of cryptocurrencies in a sophisticated cyberattack, highlighting the persisting and increasing threats posed by hostile open-source packages. Even seasoned users can be duped into installing malicious software by attackers using public repositories and ranking algorithms, despite the developer community's growing knowledge and caution.

The incident was discovered in June 2025, when the victim, an experienced developer who had recently reinstalled his operating system and only employed essential, well-known applications, noticed his crypto assets had been drained, despite rigorous attention to cybersecurity. 

The researchers linked the breach to a Visual Studio Code-compatible extension called "Solidity Language" for the Cursor AI IDE, a productivity-boosting tool for smart contract developers. The extension, which was made public via the Open VSX registry, masqueraded as a legal code highlighting tool but was actually a vehicle for remote code execution. After installation, the rogue extension ran a JavaScript file called extension.js, which linked to a malicious web site to download and run PowerShell scripts. 

These scripts, in turn, installed the genuine remote management tool ScreenConnect, allowing the perpetrators to maintain remote access to the compromised PC. The attackers used this access to execute further VBScripts, which delivered additional payloads such as the Quasar open-source backdoor and a stealer module capable of syphoning credentials and wallet passphrases from browsers, email clients, and cryptocurrency wallets. 

The masquerade was effective: the malicious extension appeared near the top of search results in the extension marketplace, thanks to a ranking mechanism that prioritised recency and perceived activity over plain download counts. The attackers also plagiarised descriptions from legitimate items, thus blurring the distinction between genuine and fraudulent offerings. When the bogus extension failed to deliver the promised capabilities, the user concluded it was a glitch, allowing the malware to remain undetected. 

In an additional twist, after the malicious item was removed from the store, the threat actors swiftly uploaded a new clone called "solidity," employing advanced impersonation techniques. The malicious publisher's name differed by only one character: an uppercase "I" instead of a lowercase "l," a discrepancy that was nearly hard to detect due to font rendering. The bogus extension's download count was intentionally boosted to two million in a bid to outshine the real program, making the correct choice difficult for users.

The effort did not end there; similar attack tactics were discovered in further malicious packages on both the Open VSX registry and npm, which targeted blockchain developers via extensions and packages with recognisable names. Each infection chain followed a well-known pattern: executing PowerShell scripts, downloading further malware, and communicating with attacker-controlled command-and-control servers. This incident highlights the ongoing threat of supply-chain attacks in the open-source ecosystem.
Read more »
Malicious Campaign
Columbia University Cyber Attacks Data Leak Hacktivist Malicious Campaign

Politically Motivated Hacktivist Stole Data of 2.5 Million Columbia University Students And Employees

 

In a targeted cyberattack that investigators suspect was politically motivated, a seasoned "hacktivist" allegedly acquired private data from over two million Columbia University students, applicants, and staff.

The savvy hacktivist stole social security numbers, citizenship status, university-issued ID numbers, application choices, employee wages, and other private details on June 24 after taking down the Ivy League's systems for several hours, according to Bloomberg News. A university insider told The Post that the astute hacker appeared to target specific documents to serve their political purpose. 

“We immediately began an investigation with the assistance of leading cybersecurity experts and after substantial analysis determined that the outage was caused by an unauthorized party,” Columbia said in a statement Tuesday. “We now have initial indications that the unauthorized actor also unlawfully stole data from a limited portion of our network. We are investigating the scope of the apparent theft and will share our findings with the University community as well as anyone whose personal information was compromised.”

The lone intruder responsible for the major disruption later admitted to the breach in an anonymous message to Bloomberg News, which said it had investigated the 1.6-gigabyte haul of stolen material. The suspected hacker, who refuses to reveal their name to the site, claimed they targeted the struggling Manhattan university to locate documents revealing the use of affirmative action in admissions, a practice prohibited by the Supreme Court last year. 

The trove of extracted documents allegedly comprised 2.5 million applications stretching back decades, as well as financial help packages, the outlet reported. 

A university official said Columbia’s admissions processes are compliant with the high court’s ruling. The cyber trespasser told Bloomberg they were able to infiltrate Columbia’s classified information after spending more than two months gaining access to the university’s servers. The hours-long incident temporarily locked students and faculty out of university systems and caused bizarre images to appear on screens across campus. 

The university also reassured the Columbia community that the Irving Medical Centre was unaffected. Officials said they identified the hacker's tactics and signature and haven't seen any malicious activity since. The attack occurred during the top school's ongoing dispute with the Trump administration, which revoked over $400 million in grants and contracts for the institution's failure to eradicate antisemitism on campus.
Read more »
SEO Poisoning
Fake Sites Malicious Campaign malware Oyster Backdoor SEO Poisoning

Malware Masquerading as AI Tools Targets 8,500+ SMB Users in an SEO Poisoning Campaign

 

Cybersecurity researchers have discovered a malicious campaign that uses SEO-optimized phoney landing pages to propagate the Oyster malware loader. 

Security experts at Arctic Wolf unearthed that threat actors have designed numerous landing sites that mimic two well-known Windows tools for securely connecting to remote servers: PuTTY and WinSCP.

People who search for these tools on Google (primarily IT, cybersecurity, and web development professionals) can be duped into visiting the fraudulent website because these pages seem exactly like their authentic equivalents. Since nothing on the sites would raise their suspicions, users might download the tool, which would perform as intended but would also deliver Oyster, a well-known malware loader also known as Broomstick or CleanUpLoader. 

"Upon execution, a backdoor known as Oyster/Broomstick is installed," Arctic Wolf noted. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”

Oyster is a stealthy malware loader that delivers malicious payloads to infiltrated Windows systems, usually as part of a multi-stage attack. To avoid detection and preserve persistence, it employs techniques such as process injection, string obfuscation, and HTTP-based command-and-control. Here are some of the phoney websites utilised in the attacks: UpdaterPutty.com and ZephyrHype. com putty. Run putty[.]bet and putty[.]org. 

Arctic Wolf emphasised that other tools might have been misused in the same way, even though it only specified PuTTY and WinSCP. They stated that although only Trojanized versions of WinSCP and PuTTY have been detected in this campaign, other tools might also be at play. Out of caution, IT professionals are encouraged to only download software from reputable sites and to type in addresses themselves rather than simply searching them and clicking on the first result.
Read more »
Subscribe to: Comments (Atom)