Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware attacks. Show all posts
Malware attacks
Cyber Attacks CyberSecurity Ransomware Attacks Finance Sector financial attack malicious PDF files Malware attacks

PDFSider Malware Used in Fortune 100 Finance Ransomware Attack

 

A Fortune 100 finance company was targeted by ransomware actors using a new Windows malware strain called PDFSider, built to quietly deliver malicious code during intrusions. Rather than relying on brute force, the attackers used social engineering, posing as IT support staff and convincing employees to launch Microsoft Quick Assist, enabling remote access. Resecurity researchers identified the malware during incident response, describing it as a stealth backdoor engineered to avoid detection while maintaining long-term control, with traits typically associated with advanced, high-skill intrusion activity. 

Resecurity previously told BleepingComputer that PDFSider had appeared in attacks connected to Qilin ransomware, but researchers emphasize it is not limited to a single group. Their threat hunting indicates the backdoor is now actively used by multiple ransomware operators as a delivery mechanism for follow-on payloads, suggesting it is spreading across criminal ecosystems rather than remaining a niche tool. 

The infection chain begins with spearphishing emails containing a ZIP archive. Inside is a legitimate, digitally signed executable for PDF24 Creator, developed by Miron Geek Software GmbH, paired with a malicious DLL named cryptbase.dll. Since the application expects that DLL, it loads the attacker’s version instead. This technique, known as DLL side-loading, allows the malicious code to execute under the cover of a trusted program, helping it evade security controls that focus on the signed executable rather than the substituted library.  
In some cases, attackers increase the likelihood of execution using decoy documents crafted to appear relevant to targets. One example involved a file claiming authorship from a Chinese government entity. Once launched, the malicious DLL inherits the same privileges as the legitimate executable that loaded it, increasing the attacker’s ability to operate within the system. 

Resecurity notes that while the EXE remains validly signed, attackers exploited weaknesses in the PDF24 software to load the malware and bypass EDR tools more effectively. The firm also warns that AI-assisted coding is making it easier for cybercriminals to identify and exploit vulnerable software at scale. After execution, PDFSider runs primarily in memory to reduce disk traces, using anonymous pipes to issue commands through CMD. 

Each infected device is assigned a unique identifier, system details are collected, and the data is exfiltrated to an attacker-controlled VPS through DNS traffic on port 53. For command-and-control security, PDFSider uses Botan 3.0.0 and encrypts communications with AES-256-GCM, decrypting inbound data only in memory to limit its footprint. It also applies AEAD authentication in GCM mode, a cryptographic approach commonly seen in stealthy remote shell backdoors designed for targeted operations. 

The malware includes anti-analysis checks such as RAM size validation and debugger detection, terminating early when it suspects sandboxing. Based on its behavior and design, Resecurity assesses PDFSider as closer to espionage-grade tradecraft than typical financially motivated ransomware tooling, built to quietly preserve covert access, execute remote commands flexibly, and keep communications protected.
Read more »
Malwares
Cyber Security GootLoader Malicious Codes Malicious Files Malware attacks Malwares

GootLoader Malware Uses Malformed ZIP Archives to Evade Detection

 

A fresh tactic has emerged among cybercriminals using GootLoader, a JavaScript-driven malware installer. Instead of standard compression, they now distribute broken ZIP files designed to slip past digital defenses. These flawed archives exploit differences across decompression programs - some fail to process them, others do so partially. This mismatch lets malicious code stay concealed during scans yet run normally when opened by users. Findings detailed by Expel show that inconsistent parsing logic in software plays right into attacker hands. Hidden scripts activate only when handled by specific tools found on typical machines. 

Starting with a strange structure, these harmful ZIP files combine around 500 to 1,000 smaller archives into one large package. Because of this layered setup, standard programs like WinRAR or 7-Zip cannot properly read them - tools often relied on during malware checks. Due to the confusion they create, automatic detection systems frequently skip examining what's inside. Yet, when opened through Windows’ own built-in decompression feature, the file works without issue. 

That smooth operation lets victims unknowingly unpack dangerous content. Since 2020, GootLoader has maintained a presence among cyber threats, primarily spreading via manipulated search results and deceptive online ads. People looking for official forms or corporate paperwork may unknowingly land on hacked WordPress sites offering infected files. These corrupted archives, once opened, trigger the payload delivery mechanism embedded within the software. Acting as a gateway tool, it paves the way for additional harmful programs - ransomware being one frequent outcome. 

The chain of infection begins quietly, escalating quickly under the radar. By late 2025, Expel researchers noticed subtle upgrades, showing how the attack method keeps shifting. Instead of just stacking archives, hackers shorten key metadata inside ZIP structures - especially tampering with the end of central directory entries. That tweak triggers failures in numerous analysis programs, yet files still open in Windows Explorer. 

Inside the package, unimportant sections get scrambled too, throwing off predictable reading patterns and making automated inspection harder. Researchers refer to this method as "hashbusting," delivering a distinct ZIP file to each target. Every time someone downloads it, differences in the archive's layout and data prevent standard hash checks from working. Even the JavaScript inside changes form with each instance. Detection systems relying on repeated patterns struggle as a result. 

 What makes the delivery hard to catch lies in its method. Rather than sending a typical ZIP archive, attackers transmit the malicious code as an XOR-encrypted flow of data, rebuilt only after reaching the target's browser. It grows by adding copies of itself over and over, expanding until it meets a specific volume - this skirts detection meant for compressed files. After launch, the script runs using built-in Windows tools, skipping any need to unpack completely, so the attack unfolds without drawing attention. 

Once active, it stays on the machine by placing shortcuts into the Windows Startup directory - then triggers further scripts through native utilities like cscript or PowerShell. From there, data collection begins: details about the system get pulled and sent back to distant servers that control the attack, setting up what comes next without delay. 

Although often overlooked, limiting access to built-in tools such as wscript.exe helps block common attack paths. Instead of running scripts automatically, setting systems to display code in basic viewers adds another layer of protection. As seen with GootLoader’s shifts over time, attackers now twist everyday OS functions into stealthy weapons, staying active even when defenses improve.
Read more »
Malwares
Booking.com Booking.com scam Cyber Attacks Cyber Phishing Fake Emails Malware attacks Malwares

PHALT#BLYX Malware Campaign Targets European Hotels With Fake Booking Emails

 

A fresh wave of digital threats emerged just after Christmas 2025, aimed squarely at European lodging spots. Instead of random attacks, it used clever email tricks made to look like they came from Booking.com. Staff members got messages that seemed urgent, nudging them to click without thinking twice. Once opened, hidden code slipped inside their systems quietly. That backdoor let attackers take control through software called DCRat. Behind the scenes, the whole scheme ran under the name PHALTBLYX. 

Research from Securonix shows the attack kicks off using fake emails made to look like Booking.com alerts. A supposed booking cancellation triggers the alert. Displayed boldly is a charge in euros - frequently more than €1,000. That sum aims straight at emotions, sparking alarm. Fear takes over, nudging people toward clicking before checking details. 

Clicking the “See Details” button sends people nowhere near Booking.com. A hidden detour happens first - through another web address entirely. Then comes a counterfeit site built to trick. There, a phony CAPTCHA pops up out of nowhere. After that, a fake Blue Screen appears like it is urgent. Words flash: fix this now by clicking here. Those clicks run harmful PowerShell scripts without warning. The whole chain relies on looking real until it is too late. 

Something begins before the main event - stages unfold slowly, one after another. A hidden rhythm runs through it all, tied to familiar parts of Windows, used in ways they were never meant to be. An XML file shows up without notice, slipped into place while no one watches. It looks harmless, built like a regular project for MSBuild.exe, which itself is real software from Microsoft. Instead of old tricks involving clunky HTML apps, attackers now twist everyday tools into something else. 

What seems ordinary might already be working against you. Normal actions become cover, hiding intent inside routine noise. A hidden DCRat program gets activated during execution. At the last step, a compressed .NET tool called staxs.exe unlocks its internal settings through advanced encryption like AES-256 paired with PBKDF2. To stay active across restarts, it drops a misleading Internet Shortcut into the Startup directory on Windows. After turning on, DCRat reaches out to several hidden servers, then checks what kind of machine it has landed on. Information about the software, settings, and person using the device gets gathered piece by piece. 

Remote operators gain complete control right after. Instead of running openly, it sneaks inside normal system tasks by reshaping them from within. That trick helps it stay put without drawing attention. Noticing clues in the code, experts link the operation to hackers who speak Russian. 

Built into everyday tools users trust, this malware plays on emotions while slipping past alarms. What stands out is how each step connects - carefully strung - to avoid detection. Staying hidden matters most, especially where guest data flows through open networks.
Read more »
Malwares
Cyber Attacks cyber theft data security GitHub GitHub Actions vulnerability GitHub malware Malware attacks Malwares

WebRAT Malware Spreads Through Fake GitHub Exploit Repositories

 

The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed security vulnerabilities. This marks a shift in the malware’s delivery strategy, as earlier campaigns relied on pirated software and cheats for popular games such as Roblox, Counter-Strike, and Rust. First identified at the beginning of the year, WebRAT operates as a backdoor that allows attackers to gain unauthorized access to infected systems and steal sensitive information, while also monitoring user activity. 

A report published by cybersecurity firm Solar 4RAYS in May detailed the scope of WebRAT’s capabilities. According to the findings, the malware can harvest login credentials for platforms including Steam, Discord, and Telegram, along with extracting data from cryptocurrency wallets. Beyond credential theft, WebRAT poses a serious privacy threat by enabling attackers to activate webcams and capture screenshots, exposing victims to covert surveillance. 

Since at least September, the threat actors behind WebRAT have expanded their tactics by creating GitHub repositories designed to appear legitimate. These repositories present themselves as exploit code for high-profile vulnerabilities that have received widespread media attention. Among the issues referenced are a Windows flaw that allows remote code execution, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and a Windows privilege escalation vulnerability that enables attackers to gain elevated system access. By exploiting public awareness of these vulnerabilities, the attackers increase the likelihood that developers and security researchers will trust and download the malicious files. 

Security researchers at Kaspersky identified 15 GitHub repositories linked to the WebRAT campaign. Each repository contained detailed descriptions of the vulnerability, explanations of the supposed exploit behavior, and guidance on mitigation. Based on the structure and writing style of the content, Kaspersky assessed that much of the material was likely generated using artificial intelligence tools, adding to the appearance of legitimacy. The fake exploits are distributed as password-protected ZIP archives containing a mix of decoy and malicious components. 

These include empty files, corrupted DLLs intended to mislead analysis, batch scripts that form part of the execution chain, and a dropper executable named rasmanesc.exe. Once launched, the dropper elevates system privileges, disables Windows Defender, and downloads the WebRAT payload from a hardcoded remote server, enabling full compromise of the system.  

Kaspersky noted that the WebRAT variant used in this campaign does not introduce new features and closely resembles previously documented samples. Although all identified malicious repositories have been removed from GitHub, researchers warn that similar lures could resurface under different names or accounts. 

Security experts continue to advise that exploit code from unverified sources should only be tested in isolated, controlled environments to reduce the risk of infection.
Read more »
Malwares
Cyber Attacks CyberCrime DanaBot Malicious Backdoor Malicious Mails Malware attacks Malwares

DanaBot Malware Resurfaces With New Variant After Operation Endgame Disruption

 

Despite a coordinated international takedown earlier this year, the DanaBot malware has returned with a newly upgraded version, signaling yet another resurgence of a threat that has repeatedly evaded permanent shutdown. The fresh discovery comes roughly six months after law enforcement agencies crippled the malware’s network during Operation Endgame, a global effort that announced infrastructure seizures and criminal indictments in May. Researchers at Zscaler ThreatLabz now report that DanaBot is once again circulating in attacks, with a rebuilt architecture designed for persistence and continued financial gain. 

The latest version, identified as DanaBot 669, introduces a command-and-control system based on Tor hidden services and “backconnect” nodes. By routing malicious communication through .onion domains, the operators create a layer of anonymity that makes tracking and disruption significantly more difficult. Zscaler’s analysis also uncovered several active cryptocurrency wallet addresses linked to the campaign, spanning Bitcoin, Ethereum, Litecoin, and TRON, which the attackers are using to collect stolen funds from victims. 

DanaBot first emerged several years ago when researchers at Proofpoint revealed it as a Delphi-written banking trojan delivered largely through phishing emails and malvertising lures. Its creators adopted a malware-as-a-service model, renting out access to cybercriminal groups who used it to harvest credentials from online banking sessions. Over time, the malware evolved into a modular system capable of functioning as both an information stealer and a loader, extracting stored browser data — including crypto wallet details — and enabling follow-on payloads such as ransomware. 

Although Operation Endgame temporarily slowed activity, it did not eliminate the malware’s core operators. Threat actors simply paused long enough to rebuild infrastructure and adapt their tactics. During this downtime, many initial access brokers shifted toward other malware families, but the financial motivation behind DanaBot ensured its eventual revival. Its steady reappearance in campaigns since 2021 has shown that as long as cybercrime remains profitable, disruptions are rarely permanent.

Zscaler warns that current DanaBot campaigns employ familiar distribution methods. Malicious email attachments and links continue to be the main infection route, while SEO poisoning and deceptive online advertisements also lure victims into executing the malware. Some infections have been linked to wider incidents involving ransomware deployments, demonstrating the tool’s ongoing role in larger criminal ecosystems. 

Organizations can reduce exposure by updating security tools and blocking newly published indicators of compromise from Zscaler’s latest intelligence. The return of DanaBot highlights a recurring cybersecurity reality: even major law enforcement actions cannot fully dismantle financially driven malware operations when key actors remain at large.
Read more »
Malwares
Cybersecurity Breach Data Breach data security Data Stolen Google Pixel Malware attacks Malwares

Pixnapping Malware Exploits Android’s Rendering Pipeline to Steal Sensitive Data from Google and Samsung Devices

 

Cybersecurity researchers have revealed a new Android malware attack called Pixnapping, capable of stealing sensitive information from Google and Samsung smartphones without any user interaction. The name “Pixnapping” blends “pixel” and “snapping,” referring to how the malware stealthily extracts visual data pixel by pixel from targeted apps. 

When a user installs an app laced with the Pixnapping malware, it silently scans the device for other apps to spy on—such as Google Authenticator. Instead of opening the target app directly, the malware leverages the Android rendering pipeline to intercept the visual data being displayed. It then analyzes the color and content of individual pixels in areas known to display confidential information, like two-factor authentication (2FA) codes. By interpreting these pixels, the malware reconstructs the original data—essentially taking “invisible screenshots” of protected content without ever triggering normal app permissions. 

According to researchers, three flaws in Android’s design enable Pixnapping. First, apps can invoke another app’s activity through the rendering pipeline, which allows unauthorized access to refresh sensitive screens. Second, Android permits graphical operations to be performed on another app’s displayed content. Third, apps can detect pixel color changes during these operations, revealing the hidden visual data. 

Tests confirmed Pixnapping’s success across several devices, including the Pixel 6, 7, 8, and 9, as well as the Samsung Galaxy S25, running Android versions 13 through 16. The malware’s efficiency varied across devices, achieving success rates between 29% and 73% on Pixel models. On the Galaxy S25, however, researchers couldn’t extract 2FA codes before they expired. The attack was also demonstrated on apps and services such as Gmail, Signal, Venmo, Google Accounts, and Google Maps—indicating that Pixnapping could potentially expose emails, encrypted messages, payment data, and location histories. 

The vulnerability is tracked as CVE-2025-48561. While Google has issued an initial patch, researchers found ways to bypass it, prompting Google to develop a stronger fix expected in the December Android security update.  

Fortunately, Pixnapping has not been detected in active attacks yet. Still, experts urge users to stay vigilant by updating their devices with the latest security patches and downloading apps only from verified marketplaces such as the Google Play Store. Even then, users should double-check app details to ensure authenticity and avoid sideloading unverified applications. 

Pixnapping underscores a critical flaw in Android’s visual data handling and highlights the growing sophistication of modern mobile malware. Until Google delivers a complete patch, maintaining cautious download habits and prompt software updates remains the best defense.
Read more »
North Korea cyberattacks
cyberattacks trending news malware Malware attacks News North Korea North Korea Hackers North Korea cyberattacks

North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

 

A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection Measures for Organizations Given the growing sophistication of such campaigns, security experts recommend several protective steps: 

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.
Read more »
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
Subscribe to: Comments (Atom)