Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Perseus
IPTV Spyware malware Notes Stealer Password Scanner Perseus

Perseus Malware Scans Android Notes for Passwords

 

A malicious new Android malware called Perseus is targeting users by scanning personal notes for sensitive information like passwords and cryptocurrency recovery phrases. Discovered by cybersecurity firm ThreatFabric, this threat evolves from earlier malware families such as Cerberus and Phoenix, making it more versatile and invasive. Disguised as IPTV streaming apps, Perseus spreads primarily through unofficial app stores and phishing sites, tricking users eager for free premium content into sideloading it onto their devices. 

Once installed, Perseus exploits Android's Accessibility Services to achieve full device takeover. It can capture real-time screenshots, simulate taps, launch apps remotely, and overlay black screens to hide its actions from victims. This allows cybercriminals to monitor and manipulate devices undetected, with campaigns focusing on countries like Turkey, Italy, Poland, Germany, France, the UAE, and Portugal. 

What makes Perseus particularly alarming is its specialized note-scanning feature, a novel capability not seen in its predecessors. The malware systematically opens popular note-taking apps—including Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes—then logs and exfiltrates their contents to a command-and-control server. Users often store high-value secrets in notes, turning this into a goldmine for thieves. 

Perseus is no amateur threat; it employs sophisticated anti-analysis techniques to evade detection. Before activating, it checks for root access, emulators, Frida debugging tools, SIM details, battery stats, Bluetooth, app counts, and Google Play Services, calculating a "suspicion score" sent to attackers. Developers likely used large language models for coding, evident from emojis and detailed logging in the source code. 

Android users must stay vigilant against Perseus by sticking to the Google Play Store, enabling Play Protect, and scrutinizing sideloaded apps—especially IPTV ones requesting excessive permissions. Avoid unofficial sources for streaming, as these dropper apps like Roja App Directa, TvTApp, and PolBox Tv bypass Android 13+ restrictions. Regular security updates and antivirus scans can further shield devices from such evolving threats.
Read more »
malware
Crypto Wallet Theft DarkSword exploit kit GHOSTBLADE iOS security iOS Vulnerability iPhone Malware malware

DarkSword Exploit Kit Targets iPhones, Steals Crypto Wallet and Personal Data


 

A newly identified exploit kit named “DarkSword” is being used to target iOS devices and extract a wide range of sensitive user information, including data from cryptocurrency wallet applications.

The threat specifically impacts iPhones running iOS versions 18.4 to 18.7 and has been linked to multiple threat actors. Among them is UNC6353, believed to have Russian origins, which leveraged the previously disclosed Coruna exploit chain earlier this month.

The exploit kit was uncovered by researchers at mobile security firm Lookout during an investigation into infrastructure tied to Coruna-based attacks. The analysis was further supported by Google’s Threat Intelligence Group (GTIG) and iVerify, providing deeper insights into this emerging threat and the groups behind it. According to iVerify, the exploit chain relies on already known vulnerabilities—covering sandbox escape, privilege escalation, and remote code execution—that have since been patched by Apple in recent iOS updates.

DarkSword operates using six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

According to a report from GTIG, the exploit kit has been active since at least November 2025 and has been deployed by several actors using three distinct malware families:
  • GHOSTBLADE: A JavaScript-based data stealer that collects extensive information such as cryptocurrency wallet details, system data, browsing history, photos, location, and communications from platforms like iMessage, Telegram, WhatsApp, email, and call logs.
  • GHOSTKNIFE: A backdoor capable of extracting account credentials, messages, browsing data, location history, and recordings.
  • GHOSTSABER: Another JavaScript-based backdoor that can enumerate devices and accounts, execute scripts, access files, and steal data.
The earliest observed use of this exploit chain is attributed to UNC6748, which targeted users in Saudi Arabia through a website mimicking Snapchat.

GTIG also reported that in late November 2025, DarkSword activity was detected in Turkey and linked to PARS Defense, a commercial surveillance vendor. These attacks targeted devices running iOS 18.4 through 18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.

Subsequently, Google researchers observed similar activity in Malaysia, where another PARS Defense client deployed the GHOSTSABER backdoor.

UNC6353, suspected to be involved in Russian espionage operations, has been using the Coruna exploit kit since mid-2025 and began deploying DarkSword in December 2025 against targets in Ukraine. These attacks continued into March 2026, primarily through watering hole campaigns involving compromised websites that delivered the GHOSTBLADE malware.

Researchers also noted that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Lookout researchers highlighted that both Coruna and DarkSword show signs of development aided by large language models (LLMs), with DarkSword containing multiple explanatory code comments.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.

“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”

In addition to the one-click exploit kit, iVerify identified a Safari-based exploit chain involving sandbox escape, privilege escalation, and in-memory implants capable of extracting sensitive data.

DarkSword attacks typically begin in the Safari browser, where multiple exploits are chained together to gain kernel-level read/write access. A central orchestrator component (pe_main.js) is then used to execute malicious code.

While the initial compromise vector remains unclear, attackers were able to inject malicious iframes into targeted websites. The orchestrator then embeds a JavaScript engine into high-privilege iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, enabling data exfiltration via modules like GHOSTBLADE.

The stolen data may include:
  • Saved passwords
  • Photos (including hidden and screenshots)
  • Messaging app databases (WhatsApp, Telegram)
  • Cryptocurrency wallets (Coinbase, Binance, Ledger, etc.)
  • SMS messages
  • Contacts and call history
  • Location and browsing history
  • Cookies and Wi-Fi credentials
  • Apple Health data
  • Calendar entries and notes
  • Installed apps and linked accounts
Notably, the malware deletes temporary files and exits after exfiltration, suggesting it is not designed for persistent surveillance.

Lookout assesses that DarkSword is likely used by a Russian-linked threat actor pursuing both financial gain and espionage objectives aligned with national intelligence interests.

Users are strongly advised to update their devices to the latest iOS version. Devices with Lockdown Mode enabled are also protected against both Coruna and DarkSword.

In a statement to BleepingComputer, Apple confirmed that patches addressing these vulnerabilities were released last year and extended to older devices as well. The company noted that users running iOS 15 through iOS 26 are already protected, and that devices on iOS 17 and later benefit from the Memory Integrity Enforcement feature, which mitigates such attacks.

To enhance security, users should enable passcodes, use strong passwords with two-factor authentication, avoid sideloading apps, and refrain from clicking on suspicious links or attachments.



Read more »
Trojan
coding GitHub JavaScript macOS malware Microsoft Node.js North Korean Hackers Trojan

North Korean Hackers Turn VS Code Projects Into Silent Malware Triggers

 


Opening a project in a code editor is supposed to be routine. In this case, it is enough to trigger a full malware infection.

Security researchers have linked an ongoing campaign associated with North Korean actors, tracked as Contagious Interview or WaterPlum, to a malware family known as StoatWaffle. Instead of relying on software vulnerabilities, the group is embedding malicious logic directly into Microsoft Visual Studio Code (VS Code) projects, turning a trusted development tool into the starting point of an attack.

The entire mechanism is hidden inside a file developers rarely question: tasks.json. This file is typically used to automate workflows. In these attacks, it has been configured with a setting that forces execution the moment a project folder is opened. No manual action is required beyond opening the workspace.

Research from NTT Security shows that the embedded task connects to an external web application, previously hosted on Vercel, to retrieve additional data. The same task operates consistently regardless of the operating system, meaning the behavior does not change between environments even though most observed cases involve Windows systems.

Once triggered, the malware checks whether Node.js is installed. If it is not present, it downloads and installs it from official sources. This ensures the system can execute the rest of the attack chain without interruption.

What follows is a staged infection process. A downloader repeatedly contacts a remote server to fetch additional payloads. Each stage behaves in the same way, reaching out to new endpoints and executing the returned code as Node.js scripts. This creates a recursive chain where one payload continuously pulls in the next.

StoatWaffle is built as a modular framework. One component is designed for data theft, extracting saved credentials and browser extension data from Chromium-based browsers and Mozilla Firefox. On macOS systems, it also targets the iCloud Keychain database. The collected information is then sent to a command-and-control server.

A second module functions as a remote access trojan, allowing attackers to operate the infected system. It supports commands to navigate directories, list and search files, execute scripts, upload data, run shell commands, and terminate itself when required.

Researchers note that the malware is not static. The operators are actively refining it, introducing new variants and updating existing functionality.

The VS Code-based delivery method is only one part of a broader campaign aimed at developers and the open-source ecosystem. In one instance, attackers distributed malicious npm packages carrying a Python-based backdoor called PylangGhost, marking its first known propagation through npm.

Another campaign, known as PolinRider, involved injecting obfuscated JavaScript into hundreds of public GitHub repositories. That code ultimately led to the deployment of an updated version of BeaverTail, a malware strain already linked to the same threat activity.

A more targeted compromise affected four repositories within the Neutralinojs GitHub organization. Attackers gained access by hijacking a contributor account with elevated permissions and force-pushed malicious code. This code retrieved encrypted payloads hidden within blockchain transactions across networks such as Tron, Aptos, and Binance Smart Chain, which were then used to download and execute BeaverTail. Victims are believed to have been exposed through malicious VS Code extensions or compromised npm packages.

According to analysis from Microsoft, the initial compromise often begins with social engineering rather than technical exploitation. Attackers stage convincing recruitment processes that closely resemble legitimate technical interviews. Targets are instructed to run code hosted on platforms such as GitHub, GitLab, or Bitbucket, unknowingly executing malicious components as part of the assessment.

The individuals targeted are typically experienced professionals, including founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors. Their level of access to infrastructure and digital assets makes them especially valuable. In one recent case, attackers unsuccessfully attempted to compromise the founder of AllSecure.io using this approach.

Multiple malware families are used across these attack chains, including OtterCookie, InvisibleFerret, and FlexibleFerret. InvisibleFerret is commonly delivered through BeaverTail, although recent intrusions show it being deployed after initial access is established through OtterCookie. FlexibleFerret, also known as WeaselStore, exists in both Go and Python variants, referred to as GolangGhost and PylangGhost.

The attackers continue to adjust their techniques. Newer versions of the malicious VS Code projects have moved away from earlier infrastructure and now rely on scripts hosted on GitHub Gist to retrieve additional payloads. These ultimately lead to the deployment of FlexibleFerret. The infected projects themselves are distributed through GitHub repositories.

Security analysts warn that placing malware inside tools developers already trust significantly lowers suspicion. When the code is presented as part of a hiring task or technical assessment, it is more likely to be executed, especially under time pressure.

Microsoft has responded to the misuse of VS Code tasks with security updates. In the January 2026 release (version 1.109), a new setting disables automatic task execution by default, preventing tasks defined in tasks.json from running without user awareness. This setting cannot be overridden at the workspace level, limiting the ability of malicious repositories to bypass protections.

Additional safeguards were introduced in February 2026 (version 1.110), including a second prompt that alerts users when an auto-run task is detected after workspace trust is granted.

Beyond development environments, North Korean-linked operations have expanded into broader social engineering campaigns targeting cryptocurrency professionals. These include outreach through LinkedIn, impersonation of venture capital firms, and fake video conferencing links. Some attacks lead to deceptive CAPTCHA pages that trick victims into executing hidden commands in their terminal, enabling cross-platform infections on macOS and Windows. These activities overlap with clusters tracked as GhostCall and UNC1069.

Separately, the U.S. Department of Justice has taken action against individuals involved in supporting North Korea’s fraudulent IT worker operations. Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis were sentenced after pleading guilty in November 2025. Two received probation and fines, while one was sentenced to prison and ordered to forfeit more than $193,000 obtained through identity misuse.

Officials stated that such schemes enable North Korean operatives to generate revenue, access corporate systems, steal proprietary data, and support broader cyber operations. Separate research from Flare and IBM X-Force indicates that individuals involved in these programs undergo rigorous training and are considered highly skilled, forming a key part of the country’s strategic cyber efforts.


What this means

This attack does not depend on exploiting a flaw in software. It depends on exploiting trust.

By embedding malicious behavior into tools, workflows, and hiring processes that developers rely on every day, attackers are shifting the point of compromise. In this environment, opening a project can be just as risky as running an unknown program.

Read more »
Social Engineering
DLL DNS attacks Emails malware Microsoft Teams Social Engineering

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

 


A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.

Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.

BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

Read more »
Zombie ZIP
Antivirus Bypass Security Flaw malware ZIP Exploit Zombie ZIP

Zombie ZIP Evasion Exposes Antivirus Blind Spot

 

A recently revealed technique known as Zombie ZIP demonstrates how attackers can embed malware inside fragmented and corrupted archives that can’t be fully scanned by most security solutions. By exploiting the way ZIP headers are processed, it enables malicious payloads to evade antivirus and EDR solutions even if the file appears corrupted to end users.

Zombie ZIP works by manipulating the ZIP header so that the archive claims its contents are stored with the “Method 0” (STORED) mode, which means uncompressed data. In reality, the payload is still compressed with the standard Deflate algorithm, so scanners that trust the header see only high-entropy “noise” instead of recognizable malware signatures. Standard utilities like WinRAR, 7‑Zip, or unzip will usually throw errors or report corruption when users attempt to extract these malformed files. 

Security researcher Chris Aziz of Bombadil Systems tested this approach against VirusTotal and found that 50 out of 51 antivirus engines failed to detect the hidden payload when using Zombie ZIP archives. He also published proof-of-concept code and sample archives on GitHub, making it easier for security teams and, unfortunately, attackers to reproduce the method. A key trick is setting the CRC integrity value to match the uncompressed payload, which further confuses extraction and scanning tools. 

While common archivers fail, a custom loader can simply ignore the misleading header and decompress the data as Deflate, recovering the embedded malware without issues. This means an attacker only needs to get the loader executed once on a target system to start unpacking any number of Zombie ZIP containers. Once the loader runs, traditional defenses lose the benefit of pre-execution scanning at the file level. 

The CERT Coordination Center (CERT/CC) issued an advisory assigning CVE‑2026‑0866 to the issue and warning that malformed archives can undermine current detection models. CERT/CC notes that some tools do manage to decompress these archives correctly, but many popular solutions still fail, echoing an old flaw tracked as CVE‑2004‑0935 in early ESET antivirus versions. The agency urges vendors to validate compression method fields against actual data, detect structural inconsistencies, and enable more aggressive archive inspection. 

Not all experts agree that Zombie ZIP deserves a CVE, however, with several researchers arguing it is a clever evasion trick rather than a true vulnerability. They point out that these archives are not openable with standard tools and that using a custom loader already implies the system is compromised in some way. As one researcher put it, corrupting or encrypting any file and then requiring a special loader achieves a similar outcome without necessarily exposing a new flaw. 

For everyday users and organizations, the practical takeaway is to treat suspicious ZIP files with extra caution, especially from unknown senders. CERT/CC advises deleting archives that fail to extract and show “unsupported method” or similar errors, rather than repeatedly trying to open them. Meanwhile, defenders should pressure vendors to harden archive parsing and incorporate deeper content validation so that tricks like Zombie ZIP do not become a reliable blind spot in the malware detection chain.
Read more »
Toolkit
Advanced Persistent Threats Chinese cyber espionage Cisco Talos Cyber Intelligence Operations malware Network Security Threats Telecom Cyber Attacks Toolkit

Chinese Cyber Espionage Group Targets Telecom Infrastructure With New Toolkit


 

In the midst of intensifying geopolitical competition in cyberspace, a previously undetected cyberattack linked to China is quietly unfolding across South America's telecommunications industry since 2024. Cisco Talos researchers have reported that the operation represents a methodical and deeply embedded effort to secure long-term access to core communications infrastructure -- an objective which goes well beyond opportunistic intrusions. 

The group is responsible for the UAT-9244 malware, a suite of tools engineered not only for initial compromise but also for durability, stealth, and sustained intelligence collection. A number of analysts have noted that this campaign's tactics, techniques, and operational overlaps have a strong resemblance to those of Chinese advanced persistent threat actors like Famous Sparrow and Tropic Trooper, suggesting a shared tooling framework, coordination of activities, or a broader strategic alignment. 

As a result of this campaign's apparent emphasis on maintaining uninterrupted footholds within telecom environments, which underpin national connectivity, sensitive data flows, and, by extension, elements of sovereign control, are apparent to have been paramount. In embedding themselves within these networks, operators position their capabilities at a crucial vantage point where surveillance, data interception, and disruption can all converge. 

According to the findings, telecommunications companies are no longer peripheral targets, but rather are central elements in state-aligned intelligence gathering. This reflects a dramatic shift in modern cyber warfare towards infrastructure-level persistence. 

On the basis of these observations, Cisco Talos researchers believe the activity cluster has a strong operational affinity with Famous Sparrow and Tropic Trooper, while remaining sufficiently distinct to qualify for its own classification.

The attribution does not rely on any particular indicator, but instead on a convergence of technical evidence, including shared tooling characteristics, overlapping tactics, techniques, and procedures, as well as a unified victimology focused on telecommunications infrastructure. 

A comparison between the targeting profile and campaigns attributed to Salt Typhoon cannot be established without establishing a definitive link, suggesting either parallel operational tracks or compartmentalized tasking within the context of a broad state-aligned actor ecosystem. 

In addition to the three previously undocumented malware families in the intrusion set, a variety of newly developed malware families have been specifically developed to provide resilience in heterogeneous telecom environments. There are several backdoors that are designed for covert persistence and flexible post-exploitation control, including TernDoor. 

he malware deploys itself using DLL side-loading, by abusing the legitimate wsprint.exe executable to load the malicious library BugSplatRc64.dll, which, in turn, decrypts and executes the payload directly in memory by injecting it into msiexec.exe, thereby minimizing its forensic impact. It also includes a kernel-level component, WSPrint.sys, which enables granular manipulation of system processes, such as terminating, suspending, or resuming them, improving evasion as well as operational stability. 

A layering of persistence mechanisms is created through scheduled tasks and carefully crafted modifications to the Windows Registry, as well as additional steps taken to obscure these artifacts from routine examination. 

 Additionally, the malware is capable of performing many operator-controlled actions, including remote shell execution, initiation of arbitrary processes, file system interaction, reconnaissance, and even controlled self-removal, underscoring a level of engineering consistent with long-term intelligence-driven campaigns rather than transient intrusions. 

Considering the historical context of this threat landscape further reinforces the assessment of continuity. It is believed that Famous Sparrow has been operating since at least 2019, consistently targeting sectors such as the hospitality industry, government institutions, international organizations, and legal services, whereas Tropic Trooper has been in business since 2011, concentrating on government entities, transportation systems, and advanced technology industries across a range of regions, including Taiwan, Philippines, and Hong Kong, as well as more recently in the Middle East. 

In light of this background, the current campaign's focus on telecommunication networks illustrates a deliberate preference for infrastructure that aggregates vast amounts of sensitive information related to communications, positioning compromised environments as strategic vantage points for the collection of long-term intelligence. 

There was a coordinated deployment of three malware families within the intrusions, including TernDoor, PeerTime, and BruteEntry, each designed to fulfil a specific operational role across heterogeneous networks. Apparently, TernDoor, an implant for Windows, can be traced back to earlier implants like CrowDoor and SparrowDoor, underscoring the iterative nature of the development process within established espionage working groups. 

In order to execute the malware, it uses DLL side-loading, by manipulating trusted executables in order to load malicious libraries that decrypt and inject the payload into msiexec.exe, which allows the malware to operate under the guise of legitimate system activity. 

Upon establishing the implant, remote command execution, system reconnaissance, and file manipulation are available, while persistence is enhanced by scheduling tasks and registry-based autorun mechanisms designed to avoid routine inspection. 

As a result of the malicious kernel driver, the campaign has a greater ability to bypass security controls since it is capable of suspending or terminating processes. Furthermore, PeerTime extends the campaign’s reach to Linux-based infrastructure commonly used in telecom environments, including servers, routers, and embedded systems. 

The ELF binary is compatible with multiple architectures including ARM, MIPS, PowerPC, and AArch64 and demonstrates a deliberate effort to maximize operational coverage. As a result of this design choice, it obscures infrastructure dependencies and complicates attribution and detection by utilizing BitTorrent protocol to retrieve instructions and secondary payloads from distributed peers, diverging from conventional command-and-control paradigms. 

An embedded debug string in Simplified Chinese within associated binaries serves as an additional linguistic indicator that aligns the activity with Chinese-speaking operators. Additionally, the malware can masquerade as legitimate processes while executing commands and facilitating lateral file transfers between compromised hosts in addition to executing commands. 

A third component, BruteEntry, allows for expansion of the threat by transforming compromised edge devices into operational relay boxes that serve as distributed scanning nodes in the event that they are compromised. 

By using predefined credential sets, the tool systematically probes exposed services, including SSH, Postgres, and Tomcat, using attacker-controlled infrastructure that receives target lists. Authentication attempts that are successful are relayed back to command infrastructure, effectively converting compromised systems into contributors within a broader framework of reconnaissance and access acquisition. 

As a result of this distributed approach, operators can scale credential harvesting efforts across large address spaces while minimizing the exposure of their core infrastructure to direct exposure. This study matches a larger pattern of cyberespionage activity targeting global telecommunications providers, which is increasingly recognized as a critical sector for both national security and intelligence. 

The scope of Salt Typhoon's campaigns has already been demonstrated with incidents spanning multiple major carriers in the United States and dozens of countries worldwide, and this activity is believed to be continuing into early 2026. 

A renewed focus on infrastructure-centric operations aiming to secure enduring access to the world's communications backbones is underscored by the emergence of UAT-9244 and its tailored malware ecosystem. In further investigation of the Linux-oriented component, it becomes evident that the architecture is intentionally designed to facilitate operation across diverse hardware environments. 

PeerTime has been designed to support multiple processor architectures including ARM, MIPS, PowerPC, and AArch64 so it can propagate across a wide range of devices, including routers, network appliances, and embedded systems, that are essential components of modern telecommunications infrastructures. 

The deployment of the application is managed by a shell-based installation procedure, which introduces both a loader and a secondary "instrumentor" module, the latter of which facilitates operational management and control of execution. 

Typically, when containerization is implemented, particularly when Docker is used, the loader is executed within a container context, a technique aligned with contemporary infrastructure practices but also provides a layer of abstraction, thereby complicating detection and forensic analysis. 

Additionally, by utilizing BruteEntry, the campaign is systematically extending its reach beyond initially compromised hosts in parallel to this foothold. Specifically, Cisco Talos has documented that the tool is specifically designed to convert infected Linux systems especially edge-facing devices into operational relay boxes that can conduct large-scale scanning operations and credential harvesting operations. 

Upon deployment, BruteEntry communicates with attacker-controlled command infrastructure, from which it receives dynamically assigned IP addresses for reconnaissance. This application probes common enterprise and telecommunications services, including SSH endpoints, PostgreSQL databases, and Apache Tomcat management interfaces, using predefined credential sets that are then matched by a structured brute-force approach. 

As successful authentication attempts are relayed back to the command infrastructure, attackers are effectively able to pivot laterally and incrementally expand their access across interconnected systems as a consequence. By using modular tooling coordinated in this way, a deliberate strategy to enhance scalability and persistence can be seen, with each compromised node contributing to an overall reconnaissance and intrusion framework. 

Especially significant is the emphasis placed on telecommunication providers, as these entities provide access to vast volumes of sensitive communications and metadata by operating at the convergence of data flow and network control. Their positioning enables them to act not only as a target of opportunity but also as critical assets in a broader context of state-aligned intelligence gathering, where sustained access can offer both immediate and long-term benefits.

It is important for telecommunications operators to take note of these findings and to reassess their defensive posture in the face of highly persistent, state-sponsored threats designed to disrupt operations for extended periods of time rather than to create short-term disruptions. In environments where adversaries actively blend into legitimate system processes and take advantage of trusted execution paths, traditional perimeter-based controls are no longer sufficient.

In order to protect critical network assets, a shift is becoming increasingly important toward continuous monitoring, behavior-based threat detection, and rigorous segmentation is needed. Edge devices are being hardened, credential policies are being enforced, and containerized environments are being audited in particular, since they are emerging as attractive platforms for covert operations. 

Additionally, proactive threat hunting and intelligence sharing across sectors are essential, as campaigns of this nature often unfold slowly across multiple jurisdictions and often take a long time to complete. An organization can improve early detection and limit lateral movement by identifying anomalous activity based on known adversarial patterns and maintaining visibility across Windows and Linux ecosystems. 

 As a result of the persistence and adaptability demonstrated in this operation, cyberespionage strategy has evolved with silent access to critical infrastructure being prioritized over overt disruption putting the onus on defenders to adopt security frameworks that are equally adaptive and intelligence-driven.
Read more »
Vidar Stealer
Atomic Stealer Bing AI search security GitHub fake repositories malware OpenClaw Vidar Stealer

Malicious OpenClaw Installers on GitHub Exploit Bing AI Search to Spread Data-Stealing Malware

 

Cybersecurity researchers have uncovered a campaign where fake installers for OpenClaw were distributed through GitHub repositories and surfaced via Microsoft Bing’s AI-powered search results, ultimately infecting users with information-stealing and proxy malware.

OpenClaw, a widely used open-source AI assistant, is designed to perform tasks with access to local files and integrations across email, messaging platforms, and other online services. Its extensive permissions made it an attractive target for cybercriminals aiming to extract sensitive user data.

Threat actors leveraged this by uploading malicious instruction files and fake installers to GitHub, including listings that appeared in the tool’s official registry. The activity was identified last month by researchers at Huntress, a managed detection and response firm, who observed multiple malware variants being distributed to users attempting to install OpenClaw.

According to Huntress, attackers created deceptive GitHub repositories posing as legitimate OpenClaw installers. These repositories were even recommended in Bing’s AI-generated search results for the Windows version of the software, increasing their visibility and credibility.

The researchers noted that "just hosting the malware on GitHub was enough to poison Bing AI search results."

One such repository analyzed by Huntress looked convincing at first glance, as it was linked to a GitHub organization named “openclaw-installer,” which may have influenced Bing’s AI recommendations. Although the GitHub accounts behind these repositories were newly created, the attackers attempted to appear legitimate by copying code from the Cloudflare moltworker project.

For macOS users, the fake repository included installation instructions directing users to execute a bash command in Terminal. This command connected to another GitHub organization called “puppeteerrr” and a repository named “dmg,” which hosted malicious payloads.

"The repository contained a number of files that followed a theme of containing a shell script paired with a Mach-O executable,"

Huntress researchers identified this payload as Atomic Stealer malware.

Windows users were targeted through a fake installer named OpenClaw_x64.exe, which deployed several harmful executables. In one analyzed case, security tools such as Managed AV and Defender for Endpoint successfully quarantined the files before further damage occurred.

Most of the payloads were written in Rust and functioned as loaders to run information stealers directly in memory. Among them was the Vidar stealer, which retrieved command-and-control instructions via Telegram and Steam profiles.

Another payload delivered through the campaign was GhostSocks, a backconnect proxy malware that converts infected machines into proxy nodes. Such compromised systems can be used to access stolen accounts, bypass fraud detection systems, route malicious traffic, or conceal attacker activity.

During the investigation, Huntress uncovered multiple GitHub accounts and repositories linked to this campaign, all targeting individuals searching for OpenClaw installation files.

Although the malicious repositories have been reported to GitHub, it remains uncertain whether all of them have been removed.

Users are advised to rely on official sources when downloading software and to bookmark trusted websites instead of repeatedly searching for them online.
Read more »
Supply Chain Attack
AI Tool GlassWorm malware Open VSX Supply Chain Attack

GlassWorm Abuses 72 Open VSX Extensions in Bold Supply-Chain Assault

 

GlassWorm has resurfaced with a more aggressive supply‑chain campaign, this time weaponizing the Open VSX registry at scale to target developers. Security researchers say the latest wave represents a significant escalation in both scope and stealth compared to earlier activity. 

Since January 31, 2026, at least 72 new malicious Open VSX extensions have been identified, all masquerading as popular tools like linters, formatters, code runners, and AI‑powered coding assistants. These look and behave like legitimate utilities at first glance, making it easy for busy developers to trust and install them. Behind the scenes, however, they embed hidden logic designed to pull in additional malware once inside a development environment.

The attackers now abuse trusted Open VSX features such as extensionPack and extensionDependencies to spread their payloads transitively. An extension can appear harmless on installation but later pull in a malicious dependency via an update or a bundled pack. This approach allows the threat actor to minimize obviously suspicious code in each listing while still maintaining a broad infection path.

Once executed, GlassWorm behaves as a multi‑stage infostealer and remote access tool targeting developer systems. It focuses on harvesting credentials for npm, GitHub, Git, and other services, then uses those stolen tokens to compromise additional repositories and publish more infected extensions. This creates a self‑reinforcing loop that can quickly expand across ecosystems if not promptly contained. 

Beyond credentials, GlassWorm aggressively targets financial data by going after more than 49 different cryptocurrency wallet browser extensions, including popular wallets like MetaMask, Coinbase, and Phantom. Stolen cookies and session tokens can enable account takeover, while drained wallets provide immediate monetization for the attackers. In later stages, the malware deploys a hidden VNC component and SOCKS proxy, effectively converting developer machines into nodes within a criminal infrastructure. 

For developers and organizations, this campaign underscores how extension ecosystems have become high‑value attack surfaces. Teams should enforce strict extension allowlists, monitor unusual repository activity, and rotate credentials if any suspicious Open VSX extensions were recently installed. Security tooling that inspects extension metadata, dependency chains, and post‑install behavior is now essential to counter evolving threats like GlassWorm.
Read more »
zero-day cyberattack
CISA CVE-2025-0282 Ivanti Connect Secure vulnerability malware RESURGE UNC5221 threat actor zero-day cyberattack

CISA Reveals New Details on RESURGE Malware Exploiting Ivanti Zero-Day Vulnerability

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published fresh technical insights into RESURGE, a malicious implant leveraged in zero-day attacks targeting Ivanti Connect Secure appliances through the vulnerability tracked as CVE-2025-0282.

The latest advisory highlights the implant’s ability to remain undetected on affected systems for extended periods. According to CISA, the malware employs advanced network-level evasion and authentication mechanisms that allow attackers to maintain hidden communication channels with compromised devices.

CISA first reported the malware on March 28 last year, noting that it can persist even after system reboots. The implant is capable of creating web shells to harvest credentials, generating new accounts, resetting passwords, and escalating privileges on affected systems.

Security researchers at incident response firm Mandiant revealed that the critical CVE-2025-0282 flaw had been actively exploited as a zero-day vulnerability since mid-December 2024. The campaign has been linked to a China-associated threat actor identified internally as UNC5221.

Network-level evasion techniques

In the updated bulletin, CISA shared additional technical details about the implant. The malware is a 32-bit Linux shared object file named libdsupgrade.so that was recovered from a compromised Ivanti device.

RESURGE functions as a passive command-and-control (C2) implant with multiple capabilities, including rootkit, bootkit, backdoor, dropper, proxying, and tunneling functions.

Unlike typical malware that regularly sends signals to its command server, RESURGE remains idle until it receives a specific inbound TLS connection from an attacker. This behavior helps it avoid detection by traditional network monitoring systems.

When loaded within the ‘web’ process, the implant intercepts the ‘accept()’ function to inspect incoming TLS packets before they reach the web server. It searches for particular connection patterns originating from remote attackers using a CRC32 TLS fingerprint hashing method.

If the fingerprint does not match the expected pattern, the traffic is redirected to the legitimate Ivanti server. CISA also explained that the attackers rely on a fake Ivanti certificate to confirm that they are interacting with the malware implant rather than the genuine web server.

The agency noted that the forged certificate is used strictly for authentication and verification purposes and does not encrypt communication. However, it also helps attackers evade detection by impersonating the legitimate Ivanti service.

Because the fake certificate is transmitted over the internet without encryption, CISA said defenders can potentially use it as a network signature to identify ongoing compromises.

Once the fingerprint verification and authentication steps are completed, attackers establish encrypted remote access to the implant through a Mutual TLS session secured with elliptic curve cryptography.

"Static analysis indicates the RESURGE implant will request the remote actors' EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key," CISA says.

By disguising its traffic to resemble legitimate TLS or SSH communications, the implant maintains stealth while ensuring long-term persistence on compromised systems.

Additional malicious components

CISA also examined another file, a variant of the SpawnSloth malware named liblogblock.so, which is embedded within the RESURGE implant. Its primary role is to manipulate system logs to conceal malicious activities on infected devices.

A third analyzed component, called dsmain, is a kernel extraction script that incorporates the open-source script extract_vmlinux.sh along with the BusyBox collection of Unix/Linux utilities.

The script enables the malware to decrypt, alter, and re-encrypt coreboot firmware images while modifying filesystem contents to maintain persistence at the boot level.

“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."

To address the risk, CISA recommends that administrators review the updated indicators of compromise (IoCs) provided in the advisory to identify potential RESURGE infections and remove the malware from affected Ivanti systems.
Read more »
phishing
AppleChris APT Data malware MemFun phishing

Chinese Threat Actors Attack Southeast Asian Military Targets via Malware


A China-based cyber espionage campaign is targeting Southeast Asian military targets. The state-sponsored campaign started in 2020. 

Palo Alto Networks Unit 42 has been tracking the campaign under the name CL-STA-1087. Here, CL means cluster, and STA means state-backed motivation. 

According to security experts Yoav Zemah and Lior Rochberger, “The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”

About the campaign

The campaign shows traces commonly linked with APT campaigns, such as defense escape tactics, tailored delivery methods, custom payload deployment, and stable operational infrastructure to aid sustained access to hacked systems.

MemFun and AppleChris

Threat actors used tools such as backdoors called MemFun and AppleChris, and a credential harvester called Getpass. Experts found the hacking tools after finding malicious PowerShell execution that allowed the script to go into a sleep state and then make reverse shells to a hacker-controlled C2 server. Experts don't know about the exact initial access vector. 

About the attack sequence

The compromise sequence deploys AppleChris’ different versions across victim endpoints and moves laterally to avoid detection. Hackers were also found doing searches for joint military activities, detailed assessments of operational capabilities, and official meeting records. The experts said that the “attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems.”

MemFun and AppleChris are designed to access a shared Pastebin account that serves as a dead-drop resolver to retrieve the real C2 address in Base64-encoded format. An AppleChris version also depends on Dropbox to fetch the C2 details via the Pastebin approach, kept as a backup option. Installed via DLL hijacking, AppleChris contacts the C2 server to receive commands to perform drive enumeration and related tasks. 

According to Unit 42, “To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.”

Read more »
VENON
Banking Trojans Brazil DLL hijacking malware VENON

Rust-Based VENON Malware Targets 33 Brazilian Banks

 


A newly identified banking malware strain called VENON is targeting users in Brazil and stands out for an unusual technical choice. Instead of relying on the Delphi programming language used by many long-running Latin American banking trojans, the new threat is written in Rust, a modern systems language that is increasingly appearing in intricately executed cyber operations.

The malware infects Windows machines and was first detected in February 2026. Researchers at the Brazilian cybersecurity firm ZenoX assigned the malware the name VENON after analyzing the threat.

Although it is written in a different programming language, the malware behaves similarly to several well-known banking trojans that have historically targeted financial institutions in Latin America. Analysts say the threat shares operational patterns with malware families such as Grandoreiro, Mekotio, and Coyote. These similarities include techniques like monitoring the active window on a victim’s computer, launching fake login overlays when banking applications open, and hijacking Windows shortcut files to redirect users.

At the moment, investigators have not linked VENON to any previously identified cybercriminal operation. However, forensic examination of an earlier version of the malware dating back to January 2026 revealed traces from the developer’s workstation. File paths embedded in the code repeatedly referenced a Windows user account named “byst4,” which may indicate the environment used during development.

Researchers believe the developer appears to be familiar with how Latin American banking trojans typically operate. However, the implementation in Rust suggests a higher level of technical expertise compared with many traditional banking malware campaigns. Analysts also noted that generative artificial intelligence tools may have been used to help reproduce and expand existing malware capabilities while rewriting them in Rust.

The infection process relies on a multi-stage delivery chain designed to avoid detection. VENON is executed through a technique known as DLL side-loading, where a malicious dynamic-link library runs when a legitimate application loads it. Investigators suspect the campaign may rely on social-engineering tactics similar to the ClickFix method. In this scenario, victims are persuaded to download a ZIP archive that contains the malicious components. A PowerShell script within the archive then launches the malware.

Before performing any harmful actions, the malicious DLL runs several checks designed to evade security tools. Researchers documented nine separate evasion methods. These include detecting whether the malware is running inside a security sandbox, using indirect system calls to avoid monitoring, and bypassing both Event Tracing for Windows (ETW) logging and the Antimalware Scan Interface (AMSI).

After completing these checks, the malware contacts a configuration file hosted on Google Cloud Storage. It then installs a scheduled task on the compromised machine to maintain persistence and establishes a WebSocket connection with a command-and-control server operated by the attackers.

Investigators also identified two Visual Basic Script components embedded in the DLL. These scripts implement a shortcut hijacking mechanism aimed specifically at the Itaú banking application. The technique replaces legitimate shortcuts with manipulated versions that redirect victims to a fraudulent webpage controlled by the threat actor.

The malware even includes an uninstall routine that can reverse these shortcut changes. This feature allows operators to restore the original system configuration, which could help remove evidence of the compromise after an attack.

VENON is configured to monitor activity related to 33 financial institutions and cryptocurrency services. The malware constantly checks the titles of open windows and the domains visited in web browsers. It activates only when a user accesses one of the targeted banking platforms. When triggered, the malware displays fake login overlays designed to capture credentials.

The discovery comes amid a broader wave of campaigns targeting Brazilian users through messaging platforms. Researchers recently observed threat actors exploiting the widespread popularity of WhatsApp in the country to spread a worm known as SORVEPOTEL. The worm spreads through the desktop web version of the messaging service by abusing already authenticated chat sessions to send malicious messages directly to contacts.

According to analysts at Blackpoint Cyber, a single malicious message sent from a compromised SORVEPOTEL session can initiate a multi-stage infection chain. In one observed scenario, the attack eventually deployed the Astaroth threat entirely in system memory.

The researchers noted that the combination of local automation tools, browser drivers operating without supervision, and runtime environments that allow users to write files locally created an environment that made it easier for both the worm and the final malware payload to install themselves with minimal resistance.

Read more »
Proxy
Botnet KadNap Linux malware NTP Proxy

KadNap Malware Compromises Over 14,000 Edge Devices to Operate Hidden Proxy Botnet

 


Cybersecurity researchers have identified a previously undocumented malware strain called KadNap that is primarily infecting Asus routers and other internet-facing networking devices. The attackers are using these compromised systems to form a botnet that routes malicious traffic through residential connections, effectively turning infected hardware into anonymous proxy nodes.

The threat was first observed in real-world attacks in August 2025. Since that time, the number of affected devices has grown to more than 14,000, according to investigators at Black Lotus Labs. A large share of infections, exceeding 60 percent, has been detected within the United States. Smaller groups of compromised devices have also been identified across Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.

Researchers report that the malware uses a modified version of the Kademlia Distributed Hash Table (DHT) protocol. This peer-to-peer networking technology enables the attackers to conceal the true location of their infrastructure by distributing communication across multiple nodes. By embedding command traffic inside decentralized peer-to-peer activity, the operators can evade traditional network monitoring systems that rely on detecting centralized servers.

Within this architecture, infected devices communicate with one another using the DHT network to discover and establish connections with command-and-control servers. This design improves the botnet’s resilience, as it reduces the chances that defenders can disable operations by shutting down a single control point.

Once a router or other edge device has been compromised, the system can be sold or rented through a proxy platform known as Doppelgänger. Investigators believe this service is a rebranded version of another proxy operation called Faceless, which previously had links to TheMoon router malware. According to information published on the Doppelgänger website, the service launched around May or June 2025 and advertises access to residential proxy connections in more than 50 countries, promoting what it claims is complete anonymity for users.

Although many of the observed infections involve Asus routers, researchers found that the malware operators are also capable of targeting a wider range of edge networking equipment.

The attack chain begins with the download of a shell script named aic.sh, retrieved from a command server located at 212.104.141[.]140. This script initiates the infection process by connecting the compromised device to the botnet’s peer-to-peer network.

To ensure the malware remains active, the script establishes persistence by creating a cron task that downloads the same script again at the 55-minute mark of every hour. During this process, the file is renamed “.asusrouter” and executed automatically.

After persistence is secured, the script downloads an ELF executable, renames it “kad,” and runs it on the device. This program installs the KadNap malware itself. The malware is capable of operating on hardware that uses ARM and MIPS processor architectures, which are commonly found in routers and networking appliances.

KadNap also contacts a Network Time Protocol (NTP) server to retrieve the current system time and store it along with the device’s uptime. These values are combined to produce a hash that allows the malware to identify and connect with other peers within the decentralized network, enabling it to receive commands or download additional components.

Two additional files used during the infection process, fwr.sh and /tmp/.sose, contain instructions that close port 22, which is the default port used by Secure Shell (SSH). These files also extract lists of command server addresses in IP-address-and-port format, which the malware uses to establish communication with control infrastructure.

According to researchers, the use of the DHT protocol provides the botnet with durable communication channels that are difficult to shut down because its traffic blends with legitimate peer-to-peer network activity.

Further examination revealed that not every infected device communicates with every command server. This suggests the attackers are segmenting their infrastructure, possibly grouping devices based on hardware type or model.

Investigators also noted that routers infected with KadNap may sometimes contain multiple malware infections simultaneously. Because of this overlap, it can be challenging to determine which threat actor is responsible for particular malicious activity originating from those systems.

Security experts recommend that individuals and organizations operating small-office or home-office (SOHO) routers take several precautions. These include installing firmware updates, restarting devices periodically, replacing default administrator credentials, restricting management access, and replacing routers that have reached end-of-life status and no longer receive security patches.

Researchers concluded that KadNap’s reliance on a peer-to-peer command structure distinguishes it from many other proxy-based botnets designed to provide anonymity services. The decentralized approach allows operators to remain hidden while making it significantly harder for defenders to detect and block the network.

In a separate report, security analysts at Cyble disclosed a new Linux malware threat named ClipXDaemon.

The malware targets cryptocurrency users by intercepting wallet addresses that victims copy to their clipboard and secretly replacing them with addresses controlled by attackers. This type of threat is commonly known as clipper malware.

ClipXDaemon is distributed through a Linux post-exploitation framework called ShadowHS and has been described as an automated clipboard-hijacking tool designed specifically for systems running Linux X11 graphical environments.

The malware operates entirely in memory, which reduces traces on disk and improves its ability to remain undetected. It also employs several stealth techniques, including disguising its process names and deliberately avoiding execution in Wayland sessions.

This design choice is intentional because Wayland’s security architecture introduces stricter restrictions on clipboard access. Applications must usually involve explicit user interaction before they can read clipboard contents. By disabling itself when Wayland is detected, the malware avoids triggering errors or suspicious behavior.

Once active in an X11 session, ClipXDaemon continuously checks the system clipboard every 200 milliseconds. If it detects a copied cryptocurrency wallet address, it immediately substitutes it with an attacker-controlled address before the victim pastes the information.

The malware currently targets a wide range of digital currencies, including Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON.

Researchers noted that ClipXDaemon differs significantly from traditional Linux malware families. It does not include command-and-control communication, does not send beaconing signals to remote servers, and does not rely on external instructions to operate.

Instead, the malware generates profits directly by manipulating cryptocurrency transactions in real time, silently redirecting funds when victims paste compromised wallet addresses during transfers.

Read more »
malware
Android Anthropic Artificial Inteligence Firefox malware

Anthropic AI Model Finds 22 Security Flaws in Firefox

 

Anthropic said its artificial intelligence model Claude Opus 4.6 helped uncover 22 previously unknown security vulnerabilities in the Firefox web browser as part of a collaboration with the Mozilla. 

The company said the issues were discovered during a two week analysis conducted in January 2026. 

The findings include 14 vulnerabilities rated as high severity, seven categorized as moderate and one considered low severity. 

Most of the flaws were addressed in Firefox version 148, which was released late last month, while the remaining fixes are expected in upcoming updates. 

Anthropic said the number of high severity bugs discovered by its AI model represents a notable share of the browser’s serious vulnerabilities reported over the past year. 

During the research, Claude Opus 4.6 scanned roughly 6,000 C++ files in the Firefox codebase and generated 112 unique vulnerability reports. 

Human researchers reviewed the results to confirm the findings and rule out false positives before reporting them. One issue identified by the model involved a use-after-free vulnerability in Firefox’s JavaScript engine. 

According to Anthropic, the AI located the flaw within about 20 minutes of examining the code, after which a security researcher validated the finding in a controlled testing environment. 

Researchers also tested whether the AI model could go beyond identifying flaws and attempt to build exploits from them. Anthropic said it provided Claude access to the list of vulnerabilities reported to Mozilla and asked it to develop working exploits. 

After hundreds of test runs and about $4,000 worth of API usage, the model succeeded in producing a working exploit in only two cases. 

Anthropic said the results suggest that finding vulnerabilities may be easier for AI systems than turning those flaws into functioning exploits. 

“However, the fact that Claude could succeed at automatically developing a crude browser exploit, even if only in a few cases, is concerning,” the company said. 

It added that the exploit tests were performed in a restricted research environment where some protections, such as sandboxing, were deliberately removed. 

One exploit generated by the model targeted a vulnerability tracked as CVE-2026-2796, which involves a miscompilation issue in the JavaScript WebAssembly component of Firefox’s just-in-time compilation system. 

Anthropic said the testing process included a verification system designed to check whether the AI-generated exploit actually worked. 

The system provided real-time feedback, allowing the model to refine its attempts until it produced a functioning proof of concept. The research comes shortly after Anthropic introduced Claude Code Security in a limited preview. 

The tool is designed to help developers identify and fix software vulnerabilities with the assistance of AI agents. Mozilla said in a separate statement that the collaboration produced additional findings beyond the 22 vulnerabilities. 

According to the company, the AI-assisted analysis uncovered about 90 other bugs, including assertion failures typically identified through fuzzing as well as logic errors that traditional testing tools had missed. 

“The scale of findings reflects the power of combining rigorous engineering with new analysis tools for continuous improvement,” Mozilla said. 

“We view this as clear evidence that large-scale, AI-assisted analysis is a powerful new addition to security engineers’ toolbox.”
Read more »
Pakistan threat group
AI cyber espionage Hackers malware Malware Campaign Pakistan threat group

Pakistan-Linked Hackers Use AI to Flood Targets With Malware in India Campaign

 

A Pakistan-aligned hacking group known as Transparent Tribe is using artificial intelligence coding tools to produce large numbers of malware implants in a campaign primarily targeting India, according to new research from cybersecurity firm Bitdefender. 

Security researchers say the activity reflects a shift in how some threat actors are developing malicious software. Instead of focusing on highly advanced malware, the group appears to be generating a large volume of implants written in multiple programming languages and distributed across different infrastructure. 

Researchers said the operation is designed to create a “high-volume, mediocre mass of implants” using less common languages such as Nim, Zig and Crystal while relying on legitimate platforms including Slack, Discord, Supabase and Google Sheets to help evade detection. 

“Rather than a breakthrough in technical sophistication, we are seeing a transition toward AI-assisted malware industrialization that allows the actor to flood target environments with disposable, polyglot binaries,” Bitdefender researchers said in a technical analysis of the campaign. 

The strategy involves creating numerous variations of malware rather than relying on a single sophisticated tool. Bitdefender described the approach as a form of “Distributed Denial of Detection,” where attackers overwhelm security systems with large volumes of different binaries that use various communication protocols and programming languages. 

Researchers say large language models have lowered the barrier for threat actors by allowing them to generate working code in unfamiliar languages or convert existing code into different formats. 

That capability makes it easier to produce large numbers of malware samples with minimal expertise. 

The campaign has primarily targeted Indian government organizations and diplomatic missions abroad. 

Investigators said the attackers also showed interest in Afghan government entities and some private businesses. According to the analysis, the attackers use LinkedIn to identify potential targets before launching phishing campaigns. 

Victims may receive emails containing ZIP archives or ISO images that include malicious Windows shortcut files. In other cases, victims are sent PDF documents that include a “Download Document” button directing them to attacker-controlled websites. 

These websites trigger the download of malicious archives. Once opened, the shortcut file launches PowerShell scripts that run in memory. 

The scripts download a backdoor and enable additional actions inside the compromised system. Researchers said attackers sometimes deploy well-known adversary simulation tools such as Cobalt Strike and Havoc to maintain access. 

Bitdefender identified a wide range of custom tools used in the campaign. These include Warcode, a shellcode loader written in Crystal designed to load a Havoc agent into memory, and NimShellcodeLoader, which deploys a Cobalt Strike beacon. 

Another tool called CreepDropper installs additional malware, including SHEETCREEP, a Go-based information stealer that communicates with command servers through Microsoft Graph API, and MAILCREEP, a backdoor written in C# that uses Google Sheets for command and control. 

Researchers also identified SupaServ, a Rust-based backdoor that communicates through the Supabase platform with Firebase acting as a fallback channel. The code includes Unicode emojis, which researchers said suggests it may have been generated with the help of AI. 

Additional malware used in the campaign includes CrystalShell and ZigShell, backdoors written in Crystal and Zig that can run commands, collect host information and communicate with command servers through platforms such as Slack or Discord. 

Other tools observed in the operation include LuminousStealer, a Rust-based information stealer that exfiltrates files to Firebase and Google Drive, and LuminousCookies, which extracts cookies, passwords and payment information from Chromium-based browsers. 

Bitdefender said the attackers are also using utilities such as BackupSpy to monitor file systems for sensitive data and ZigLoader to decrypt and execute shellcode directly in memory. Despite the large number of tools involved, researchers say the overall quality of the malware is often inconsistent. 

“The transition of APT36 toward vibeware represents a technical regression,” Bitdefender said, referring to the Transparent Tribe group. “While AI-assisted development increases sample volume, the resulting tools are often unstable and riddled with logical errors.” 

Still, the researchers warned that the broader trend could make cyberattacks easier to scale. By combining AI-generated code with trusted cloud services, attackers can hide malicious activity within normal network traffic. 

“We are seeing a convergence of two trends that have been developing for some time the adoption of exotic programming languages and the abuse of trusted services to hide in legitimate traffic,” the researchers said. 

They added that this combination allows even relatively simple malware to succeed by overwhelming traditional detection systems with sheer volume.
Read more »
Subscribe to: Comments (Atom)