Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
red hat
Cybersecurity Digital Supply Chain Risk GitHub malware red hat

Red Hat Investigates npm Package Compromise After Malware Found in Official Repository

 



Security researchers have identified malicious code in dozens of packages distributed through Red Hat's official @redhat-cloud-services namespace on npm after attackers gained unauthorized access to the repository.

The incident was first reported by researchers at Aikido Security, who found that software packages published through the trusted Red Hat namespace had been modified to include malware capable of collecting credentials from developer environments. Because the affected namespace is used for legitimate Red Hat cloud-related packages, developers may have installed the compromised versions without suspecting unauthorized changes.

According to researchers, more than 30 package versions were affected. Several remained available for download when the activity was initially disclosed, creating a risk for organizations that automatically pull dependencies into development workflows.

Technical analysis showed that the malicious code was designed to run during package installation. This means exposure could occur as soon as a package is installed, even if the software itself is never executed inside an application.

Researchers found that the malware searched infected systems for authentication data commonly used by developers and cloud administrators. The targeted information reportedly included GitHub Actions secrets, npm access tokens, Kubernetes credentials, Vault secrets, and other cloud-service authentication material that could provide access to source code repositories, deployment environments, and internal infrastructure.

The malware also contained mechanisms intended to expand the compromise beyond the initial victim. If credentials with sufficient privileges were discovered, the malicious code could attempt to publish altered packages through repositories or accounts available to the infected environment. This behavior could allow attackers to use one compromised system as a stepping stone into additional software projects.

Investigators further observed that stolen information was encrypted before being transmitted from infected systems. Reports indicate that the malware included backup methods for data exfiltration, including the ability to use compromised GitHub repositories if its primary communication channel became unavailable.

Researchers noted signs that the incident may have involved CI/CD infrastructure. Continuous Integration and Continuous Delivery systems automate software building, testing, and deployment, making them attractive targets because a compromise can provide access to multiple projects simultaneously. Evidence reviewed by researchers suggested that GitHub Actions OpenID Connect workflows may have been involved in publishing the affected packages.

The exact method used to gain access to the Red Hat namespace remains under investigation. Researchers have not publicly attributed the initial compromise to a specific technique, although they believe unauthorized access to publishing credentials likely played a role.

Security firms examining the incident linked the malware to a variant of "Shai-Hulud," a credential-stealing program that has appeared in recent software supply-chain investigations. Researchers noted that code associated with the malware has circulated publicly, increasing the likelihood that similar attacks could be adopted by multiple threat actors.

Following notification of the issue, Red Hat removed the affected packages and began an internal investigation. In a public statement, the company said the compromised packages were intended for internal development purposes and were not distributed to customers through Red Hat production services. The company also stated that it had not identified evidence of impact to customer environments, partner systems, or production infrastructure at the time of its investigation.

Security experts recommend that any organization or developer who installed affected package versions review their systems immediately. Response measures should include rotating credentials, examining CI/CD environments for unauthorized activity, reviewing repository permissions, and checking software dependencies for indicators associated with the compromise.

The incident illustrates a recurring challenge in modern software development: trust placed in widely used package repositories can become a point of failure when an attacker gains access to a legitimate publishing channel. When that occurs, malicious code can reach downstream users through routine software updates rather than through traditional intrusion methods. 

Read more »
wordpress
Malicious Payload Malicious Payloads malware Malware Steam Profiles wordpress

WordPress Malware Campaign Hides Payloads in Steam Profiles

 

WordPress malware campaign hides payloads in Steam profiles, marking one of the most unconventional cyberattacks in recent security history. Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control data, according to GoDaddy security engineers who uncovered the campaign. This bizarre attack chain demonstrates how threat actors increasingly exploit legitimate platforms to evade traditional detection methods. 

The technical sophistication lies in how the malware uses invisible Unicode characters to encode its payload. The threat actor uses six specific invisible Unicode characters: Zero-width non-joiner (U+200C), Zero-width joiner (U+200D), Function application (U+2061), Invisible times (U+2062), Invisible separator (U+2063), and Invisible plus (U+2064). The decoder ignores visible characters and maps invisible ones to corresponding numbers, then converts them to binary representation to reconstruct bytes. This encoding allows binary data to embed within normal-looking text, with visible characters serving as camouflage while invisible characters carry the actual payload. 

Since the campaign was first uncovered in July 2025, researchers have found malware on approximately 1,980 WordPress websites, though the initial infection vector remains unclear. Attackers likely breached websites through stolen admin logins, compromised FTP/SFTP credentials, vulnerable WordPress themes or plugins, or supply-chain compromises. The first-stage malware uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments that sometimes include ASCII art disguised malicious text. The decoded payload builds a hello-mywordl[.]info URL serving JavaScript code injected into every frontend WordPress page. 

GoDaddy describes several evasion mechanisms including obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and standard WordPress APIs that blend with normal activity. The campaign pairs this encoding with a server-side backdoor enabling attackers to remotely rewrite any plugin or theme file using a simple POST request with the right cookie, meaning even removed injected scripts can reinstall. This dual approach makes the malware particularly persistent and difficult to eliminate completely. 

Site owners can defend by checking for Steam Community URL references, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains like hello-mywordl[.]info. Other indicators include invisible Unicode characters, suspicious transient_caption cache entries, disabled SSL verification in cURL requests, and POST requests containing malware authentication cookies or the new_code parameter. This attack underscores the importance of monitoring unusual outbound connections and implementing comprehensive security scanning for invisible character anomalies in web content.
Read more »
Remote Access Trojan
Android Malware Android Security BTMOB Malware Cybercrime Operations malware Mobile Cybersecurity Mobile Threats Phishing Attacks Remote Access Trojan

Researchers Uncover BTMOB Malware Capable of Taking Over Android Phones


 

In the Android threat landscape, a new malware operation has been rapidly expanding, reducing the barriers to entry for cybercriminals while simultaneously enhancing their offensive capabilities significantly. Security researchers have identified BTMOB, an Android remote access trojan (RAT) derived from the SpySolr malware family, as an emerging malware-as-a-service platform that enables operators to remotely monitor, manipulate, and control compromised devices with minimal technical expertise. 

Malware primarily distributes itself through phishing campaigns and fraudulent applications masquerading as legitimate online services, combining extensive device takeover functionality with a no-code campaign-building framework, which facilitates the customisation of lures, automatic deployment, and targeting of multiple regions using the malware.

BTMOB's evolution reflects a broader shift in the mobile threat landscape, where commercially packaged malware platforms are transforming advanced Android attack capabilities into scalable cybercrime services available to a wider range of threat actors.  As malware's commercialisation model increases, its reach is closely linked. In contrast to being operated by a single threat group, BTMOB serves as a subscription-based cybercrime service with public-facing marketing channels for the purpose of attracting potential customers. 

The malware is marketed through a dedicated surface-web portal that directs buyers to a Telegram-based operator. Additional marketing is conducted via social media accounts on X and Instagram. The commercialisation of the malware provides valuable insight into how its operators have transformed a technical threat into a structured cybercrime service designed for scale. 

Access to the platform has reportedly been advertised for approximately $5,000, along with recurring support fees. Researchers note that the cost remains relatively low compared with the potential returns from successful fraud operations, making the service attractive to a broader range of cybercriminals. Further aggravating the risks is the fact that the malware is circulated outside the commercial ecosystem. 

BTMOB-related files appeared briefly on a dark web forum in January of 2026 as a free download before disappearing, showing how malware distributed through commercial channels can rapidly spread through unauthorised sharing and reselling networks. Consequently, security teams are faced with an increasingly dynamic threat, as new builds and modified payloads emerge more rapidly than traditional detection mechanisms can react. 

Beyond its commercial appeal, BTMOB's effectiveness ultimately depends on its ability to compromise devices at scale through carefully crafted social engineering campaigns. In order to achieve operational success, BTMOB will continue to rely heavily on phishing-driven infection chains designed to maximize the trust of the user base. 

The threat actors often redirect targets to counterfeit websites masquerading as streaming platforms, cryptocurrency services, or other widely recognised online brands in order to divert them to fraudulent application repositories containing malicious Android applications. Additionally, attacks have been observed that are tailored to align with local institutions and government entities, including operations impersonating Argentine tax and public sector agencies as lures. 

Upon sideloading, the malware seeks elevated privileges by exploiting Android's Accessibility Services, giving it the ability to silently grant it additional permissions without the user having to take any further action. The BTMOB establishes communication with attacker-controlled command-and-control infrastructure with these privileges, allowing the operator to remotely manage the compromised device and maintain persistent access in order to monitor, steal credentials, and conduct other malicious activities on the compromised device. A significant challenge for defenders is the commercial framework underpinning BTMOB.

A report by security researchers indicates that the malware's pricing structure includes a lifetime license that costs approximately $5,000 plus recurring support fees, which are relatively modest expenditures when compared to the potential financial gains that could be realized from successful credential theft and fraud. These economic factors have accelerated the malware's adoption across underground communities, expanding its operational reach beyond highly skilled threat actors.

In January 2026, a dark web forum briefly advertised BTMOB-related files as free downloads before going offline. The incident illustrates how commercially distributed malware can quickly spread beyond its intended customer base through resale networks, private exchanges, and closed underground communities. 

It is quite possible that competitors can replicate the successful design elements of the original malware by borrowing campaign management features and payload customisation mechanisms that facilitate large-scale operations even where the original malware is inaccessible. This combination of rapid distribution and continuous modification creates additional challenges for defenders attempting to track the malware's evolution. As a result, defenders face an increasingly fluid threat environment in which payloads, infrastructure, and delivery techniques can change faster than conventional detection strategies can adapt.

ESET currently identifies MSIL/BtmobRat as the primary malware framework, while associated Android variants have been detected under several classifications, including Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, and Android/Spy.Agent.EIK. As a result of its rapid development, the pace of development has already demonstrated its capacity for rapid evolution; a Cyble analysis of February 2025 observed the emergence of approximately fifteen distinct samples of BTMOB v2.5 within a relatively short timeframe. 

Behavioural monitoring and continuous threat intelligence correlation become increasingly critical with such turnover, which complicates traditional signature-based detection efforts. As BTMOB is predominantly driven by social engineering and the installation of unauthorised applications, security experts emphasise the importance of preventive measures. 

As a precautionary measure, organisations should implement policies which limit software installation to trusted application repositories, as well as educate users about the risks associated with unsolicited links received via email, messaging platforms, social media platforms, and online advertisements. In order to ensure the security of mobile devices is as high as that of workstations and servers, dedicated mobile threat defence solutions must be deployed. 

Additionally, researchers warn that one unauthorised application installed on a corporate device may create a pathway to sensitive business information. Employee awareness is a critical component of organisational resilience in the face of cybersecurity threats. It is important to note that, despite BTMOB's rapid mutation, static indicators of compromise remain useful signals for incident response teams conducting threat hunting and compromise assessments despite the rapid mutation of the BTMOB system. 

BTMOB highlights the continued evolution of cybercrime from isolated malware campaigns to commercially supported attack platforms capable of scaling sophisticated Android intrusions. As mobile threats become easier to acquire, customise, and deploy, organisations can no longer treat smartphones as secondary assets within their security programs. Strong application controls, user awareness, and continuous monitoring remain essential for reducing exposure to increasingly adaptable mobile threats.
Read more »
Malware attacks
Cyber Attacks GTA 6 GTA 6 Scams malware Malware attacks

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans

 

The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early. 

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists. 

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts. 

Safety tips 

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately. 

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.
Read more »
Ukraine
Gamaredon GammaPhish GammaWorm malware Russia Ukraine

Russian State-sponsored Hackers Attack Ukraine, Exploit WinRAR to Install Malware


The Russian Hacking group called Gamaredon has been linked to the constant hack of a WinRar bug to install a few malware strains aiming to propagate and steal data.

According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server. The main goal is to fingerprint the host device and update the network settings in the registry via dead drop resolvers (DDRs), retrieve and launch arbitrary VBScript payloads from the C2 servers.

About the malware

“Gamaredon’s arsenal has undergone a significant transformation over the last decade, transitioning from Pteranodon custom-built framework into a fragmented and modular malware. Based on our observation, today’s Gamaredon capacities are characterised by a proliferation and a highly active development cycle of new malware variants,” said Sekoia

Payloads attacking VBS

One payload is a VBScript worm called GammaWorm that builds persistence through scheduled tasks and is built to hide authentic directories in network shares and USB drives and replace with infected Windows Shortcut (LNK) files. This causes the launch of arbitrary code gotten from a C2 server.

To fix C2,  GammaWorm starts a GET request to the public Telegram channel. Via genuine platforms such as Telegram, hackers blend with regular traffic, escape getting caught, and launch long-term spying campaigns. GammaWorm also depends on NTFS Alternate Data Streams (ADS) tactics to hide its core modules.

Other malware strains

A different malware family deployed through GammaLoad is a modular information stealer called GammaSteel that stores files matching particular extensions and retrieves the stolen files on AWS S3 bucket or a threat-actor regulated server as a backup option. According to Sekoia, the infection chain could be used to launch different malware strains like GammaWipe or GamaWiper, this depends on the hacker’s targets. 

"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first,” Sekoia said.

State-sponsored hackers involved

Russian state-sponsored actor Gamaredon associated with the official Federal Security Service (FSB) has a long history of targeting Ukraine and its government, critical infrastructures, military via spear-phishing emails that consist infected attachments in “booby-trapped RAR archives”, according to the Hacker News.

Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives.

Read more »
Supply Chain Attack
Backdoor GitHub malware Megalodon Supply Chain Attack

Megalodon Malware Backdoors 5,500+ GitHub Repos in 6-Hour Supply-Chain Attack

 

On May 18, 2026, a massive automated supply-chain attack codenamed Megalodon struck GitHub, injecting malicious CI/CD backdoors into more than 5,500 repositories in under six hours. Security firm SafeDep discovered the campaign, which pushed 5,718 malicious commits to 5,561 distinct repositories using throwaway accounts with randomized eight-character usernames, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. 

The attackers forged bot-like author identities—build-bot, auto-ci, ci-bot, and pipeline-bot—using emails build-system@noreply.dev and ci-bot@automated.dev to mimic routine automated CI maintenance. Between approximately 11:36 and 17:48 UTC on May 18, these fake commits slipped into repositories without triggering immediate suspicion, as they appeared to be ordinary build optimization updates. 

Megalodon deployed two distinct GitHub Actions workflow variants sharing the same command-and-control server at 216.126.225.129:8443. The SysDiag variant added a new ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches. The Optimize-Build variant replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that attackers can silently activate on demand via the GitHub API, producing zero visible CI runs and no failed builds. 

The base64-encoded 111-line bash payload conducted aggressive credential harvesting, exfiltrating all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other secrets while scanning source code for more than 30 secret regex patterns. 

The attack's most critical downstream impact targeted Tiledesk, an open-source live chat platform, where the attacker compromised the repository and replaced the legitimate Docker build workflow. The unsuspecting maintainer published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Organizations should immediately revert malicious commits from build-system@noreply.dev or ci-bot@automated.dev, rotate all secrets, audit cloud logs for anomalous OIDC requests, check Actions tabs for unexpected workflow_dispatch executions, and pin GitHub Actions to specific commit SHAs.
Read more »
Software security
AI GitHub Global Supply-Chain Attack malware Software security

TeamPCP’s Supply Chain Campaign Raises Fresh Concerns Over Open-Source Software Security

 



A cybercrime group known as TeamPCP has been linked to an expanding series of software supply chain attacks that researchers say have affected hundreds of organizations, with GitHub becoming the latest high-profile name connected to the campaign.

GitHub recently disclosed that it had identified thousands of repositories impacted after a developer reportedly installed a compromised extension for Visual Studio Code (VSCode), Microsoft's widely used source-code editor. TeamPCP later claimed on the cybercrime forum BreachForums that it had gained access to roughly 4,000 GitHub repositories and attempted to advertise what it described as GitHub source code and internal organizational data for sale. GitHub stated that it had identified at least 3,800 affected repositories but said its investigation indicated the exposed repositories contained the company's own code rather than customer code.

The incident highlights the growing danger of software supply chain attacks. Unlike traditional intrusions that target a company directly, these operations focus on software that developers trust and use every day. By secretly inserting malicious code into legitimate tools, attackers can potentially reach thousands of downstream users through a single compromise.

Security researchers tracking TeamPCP believe the group has transformed what was once considered an occasional cybersecurity threat into a recurring problem. According to software supply chain security firm Socket, the group has launched around 20 separate attack waves in recent months, embedding malicious code into more than 500 unique software projects. When different compromised versions are counted, that number rises to well over a thousand malicious releases.

Researchers say the group's success stems from a self-reinforcing attack cycle. TeamPCP typically begins by compromising a development environment associated with an open-source project. Malware is then inserted into software packages that are downloaded by other developers. Once installed, the malicious code can steal credentials, authentication tokens, and publishing permissions, allowing attackers to compromise additional software projects and continue spreading through the development ecosystem.

Recent investigations indicate that TeamPCP has increasingly automated this process through a worm known as Mini Shai-Hulud. The malware has been observed creating GitHub repositories containing encrypted credentials stolen from victims while leaving references to Frank Herbert's science-fiction universe Dune. Researchers note that although the name resembles an earlier worm called Shai-Hulud, there is currently no evidence linking TeamPCP to that previous campaign.

GitHub is not the only organization mentioned in connection with the operation. Researchers have previously linked TeamPCP activity to incidents involving OpenAI, Mercor, and several widely used software development projects. During a major expansion of its campaign earlier this year, the group reportedly compromised software and infrastructure associated with Trivy, LiteLLM, Checkmarx, pgserve, TanStack, and Mistral AI. The stolen credentials obtained through those attacks were allegedly used to fuel further compromises.

Security analysts describe credential theft as the group's primary enabler. Long-lived access tokens and poorly managed credentials allow attackers to move from one environment to another with relatively little effort. According to researchers, once a single trusted credential is stolen, it can provide access to additional repositories, cloud resources, and development systems.

The group's activities have also evolved beyond software tampering. Threat intelligence researchers report that TeamPCP has engaged in ransomware deployment, data extortion, and data-sale operations. In April, the group reportedly began adopting elements of a ransomware-as-a-service model through associations with cybercriminal platforms such as BreachForums and DragonForce. Researchers have additionally observed activity involving CanisterWorm, malware that targeted Kubernetes environments and reportedly deployed destructive functionality against selected Iranian targets.

The scale of the campaign has renewed debate over how organizations should safely consume open-source software. Experts recommend strengthening credential management practices, regularly rotating access tokens, limiting permissions wherever possible, and closely monitoring software dependencies. They also advise organizations to avoid automatically installing newly released software updates without first validating their integrity. In some recent cases, security teams detected malicious updates within minutes, but users who relied on automatic updates had already installed the compromised code.

The bigger lesson, researchers say, is that trust alone is no longer sufficient in modern software development. Open-source software remains a cornerstone of the global technology ecosystem, but organizations increasingly need verification processes, update review procedures, and continuous monitoring to reduce the risk posed by rapidly spreading supply chain attacks.

Read more »
Ukraine cyber police
browser session theft Cybercrime Investigation Infostealer malware stolen credentials Telegram cybercrime Ukraine cyber police

Ukrainian Cyber Police Uncover Alleged Infostealer Operation Linked to 18-Year-Old Suspect

 


Ukrainian cyber police, in collaboration with U.S. law enforcement agencies, have identified an 18-year-old resident of Odesa who is suspected of operating an infostealer malware campaign that targeted customers of a California-based online retailer.

Authorities allege that between 2024 and 2025, the suspect used information-stealing malware to compromise users’ devices and obtain browser session data along with account login credentials.

Infostealers are a widely used form of malicious software designed to collect sensitive information from infected systems. The stolen data can include passwords, browser cookies, session tokens, cryptocurrency wallet details, and payment information, which are often exploited for fraud, account takeovers, and illicit resale.

Investigators reported that the operation affected approximately 28,000 customer accounts. Cybercriminals allegedly exploited around 5,800 of those accounts to make unauthorized purchases worth nearly $721,000. The attacks also resulted in direct financial losses of about $250,000, including chargeback-related expenses.

“To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the police says.

“The information was then processed and sold through specialized online resources and Telegram bots.”

According to law enforcement officials, the suspect also conducted cryptocurrency transactions with accomplices involved in the scheme.

The session information referenced by investigators reportedly included session tokens, which can allow unauthorized access to online accounts without requiring passwords. In certain situations, these tokens may even enable attackers to bypass multi-factor authentication (MFA) protections.

Police believe the 18-year-old played a key role in the operation by managing the infrastructure used to process, distribute, and exploit stolen session data.

During the investigation, officers carried out searches at two residences connected to the suspect. Authorities seized mobile phones, computer hardware, bank cards, digital storage devices, and additional electronic evidence believed to be linked to the cybercrime activity.

Investigators stated that the evidence includes access to platforms used for selling stolen information, tools for managing compromised accounts, server activity records, and accounts on cryptocurrency exchange services.

While authorities have identified the suspect and collected significant evidence, the official announcement does not indicate that an arrest has been made. This suggests investigators may still be gathering additional information before filing formal charges.

Read more »
signing service
Azure Artifact Signing Fox Tempest malware Microsoft cybersecurity ransomware attacks signing service

Microsoft Dismantles Malware-Signing Network Exploiting Azure Artifact Signing Service

 



Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates. The operation enabled cybercriminals and ransomware groups to disguise malicious software as trusted applications, increasing the likelihood of successful infections.

According to a new report from Microsoft Threat Intelligence, the operation was run by a threat actor known as Fox Tempest. The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.

Azure Artifact Signing, formerly known as Trusted Signing, was introduced by Microsoft in 2024 as a cloud-based solution that helps developers digitally sign software through Microsoft's infrastructure. Investigators found that Fox Tempest leveraged the platform extensively, creating over 1,000 certificates along with hundreds of Azure tenants and subscriptions to facilitate its activities.

Microsoft has also revealed that it has initiated legal action against the cybercrime operation in the U.S. District Court for the Southern District of New York.

"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said.

"May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use."

As part of the takedown effort, Microsoft seized the domain signspace[.]cloud, which was used to operate the service. The company also shut down hundreds of virtual machines linked to the operation and blocked access to infrastructure supporting the platform. Visitors attempting to access the domain are now redirected to a Microsoft-controlled page detailing the seizure and ongoing legal proceedings.

The investigation connected the service to several malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, and ransomware families including Rhysida, Akira, INC, Qilin, and BlackByte. Microsoft stated that threat groups such as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 utilized malware signed through the service.

Vanilla Tempest, associated with INC Ransomware, has also been identified as a co-conspirator in Microsoft's legal complaint. The company alleges that the group used the signing platform to distribute malware and ransomware against organizations globally.

Researchers found that the malware-signing operation enabled customers to upload malicious files and receive code-signed versions using fraudulently acquired certificates. The signed files often impersonated trusted software brands such as Microsoft Teams, AnyDesk, PuTTY, and Webex, making them appear more credible to potential victims.

"When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware," reads Microsoft's complaint.

"Because the Oyster malware was signed by a certificate from Microsoft's Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."

Microsoft believes the operators likely relied on stolen identities from individuals in the United States and Canada to bypass identity verification requirements and obtain signing credentials. The group reportedly favored certificates with a validity period of just 72 hours, reducing the chances of detection before the certificates expired.

The company noted that similar abuse of Microsoft's signing services had previously been observed in malware campaigns involving the Crazy Evil Traffers cryptocurrency theft operation and Lumma Stealer. However, it remains unclear whether those incidents were directly linked to Fox Tempest.

Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.

The service was reportedly promoted through a Telegram channel called "EV Certs for Sale by SamCodeSign." Access to the platform was advertised at prices ranging from $5,000 to $9,000 in Bitcoin.

Microsoft estimates that the criminal enterprise generated millions of dollars in revenue. The company described Fox Tempest as a sophisticated and well-funded operation capable of maintaining extensive infrastructure, handling customer support, and processing financial transactions while facilitating cybercrime activities worldwide.

Read more »
Threat Intelligence
Authentication Tokens Browser Cookie Theft Cybercrime Marketplace malware Password Manager Security REMUS Infostealer Threat Intelligence

REMUS Infostealer Reveals the Growing Sophistication of MaaS Platforms


Cybercrime is increasingly becoming an industrialized business as infostealer operations adopt the structure, speed, and feature-based development cycles of legitimate software platforms. The emergence of REMUS, as well as the development cycles associated with it, mark another shift in the industrialization of cybercrime. 


Flare researchers examined 128 underground posts published from February to May 2026, and observed the malware's rapid evolution into a full-scale malware-as-a-service ecosystem designed to facilitate operational scalability and persistent account compromise over a period of five years. This initial effort focused on harvesting saved credentials and collecting browser information, but later expanded into hijacking sessions, targeting password managers, abuse of restore tokens, and automated Telegram delivery methods, reflecting a deliberate shift toward long-term access theft rather than simple credential extraction. 

By combining REMUS's rapid updates with improved operator visibility and modular deployment capabilities, it has become apparent that REMUS will not only be used as a malware payload, but also as a commercially managed cybercrime platform aimed at supporting broader distribution, easier affiliate adoption, and increasingly resilient post-compromise operations. 

There has been an overall transformation within the underground infostealer economy that has led to operations such as REMUS maturing rapidly, where malware distribution has evolved into a highly structured commercial ecosystem, characterized by defined supply chains, subscription-based access models, dedicated log brokers and affiliate operators. 

Information theft is no longer considered as an isolated malware family but rather as the foundation for many layers of financial-motivated cybercrime. They are now playing a greater role than just stealing credentials, serving as an entry point for larger compromise operations, which include the deployment of ransomware and unauthorized access to corporate networks. 

Recent DBIR assessments indicate that credentials linked to 54 percent of ransomware victims were previously disclosed through infostealer logs, and nearly 40 percent of those datasets contained corporate email accounts, indicating that harvested session data can play a valuable role in enterprise attacks. 

A type of advanced remote access Trojan called an infostealer operates silently within infected systems, gathering cookies, authentication tokens, stored passwords, fingerprints, and other telemetry from the infected system before packaging the information into standardized "stealer logs" for exfiltration. 

In turn, these logs are sold as monetizable access assets on dark web marketplaces, cybercrime forums, and encrypted Telegram channels. Operators routinely distribute free log samples as promotional materials to attract buyers and expand their criminal subscriber base, further enhancing the commercialization of the infostealer ecosystem and its scalability. 

A detailed examination of the operator's advertisements, feature announcements, support discussions, and update logs offers an exceptional chronological perspective on REMUS' evolution from a relatively lightweight credential stealer to a continuous, operationally efficient and commercially successful MaaS platform. 

Based on the activities observed between February and May 2026, a development model that closely resembles legitimate software operations was observed, where iterative features were released, customer-oriented improvements were made, and backend management improvements were improved rapidly. 

A number of early campaigns in February created a perception of REMUS as a trustworthy, accessible, and reliable stealer that specialized in stealing browser credentials, cookie theft, extracting Discord tokens, delivering logs through Telegram, and simplifying log management. 

Throughout the promotional language, the operator emphasized a commercial mindset, including advertising "24/7 support" alongside claims that the malware was "simple enough that even a child can figure it out," as well as boasting that its callback success rate was near 90 percent through the use of dedicated intermediary infrastructure and custom encryption algorithms. After entering an aggressive expansion phase in March, the operation shifted focus from data theft toward campaign administration and operator visibility in an effort to increase efficiency. 

In addition to enhanced delivery workflows, restore-token capabilities, worker tracking, duplicate-log filtering, and expanded statistics dashboards were introduced to provide affiliates with a greater understanding of failed executions and infection performance. 

April marked another strategic transition in REMUS's evolution, this time toward authentication-based session persistence and browser-side artifact collection. These changes signaled the emergence of a managed operational ecosystem rather than merely a standalone malignant binary.

SockS5 proxy integration, antivirtualization controls, gaming-platform targeting, as well as deeper password harvesting were all added to the malware. It also included IndexedDB extractions linked to browser extensions associated with the 1Password and LastPass browser extensions, and references to Bitwarden-related collection mechanisms. 

A noticeable shift occurred towards maintaining active authenticated environments through stolen session material instead of only relying on exposed credentials. Early May showed a slowdown in the addition of entirely new features as development focused on platform stability, restoring function refinements, optimizing collection, adjusting delivery schedules, and resolving bugs. It indicated that the operator was moving from rapid capability expansion to long-term operational reliability and service maturity. 

REMUS reflected a broader shift in the priorities of the underground malware economy by clearly pivoting towards session theft and authenticated access preservation as a defining characteristic of its operation. 

Information thieves in the previous generations primarily focused on obtaining usernames and passwords for later exploitation, REMUS consistently promoted browser cookies, authentication tokens, workflows to restore sessions, and proxy-assisted continuity mechanisms as central operational features of their operations. 

There were repeated references throughout the campaign to "Restore" capabilities, multi-proxy compatibility, and token recovery workflows indicating that the malware was designed specifically to maintain active authenticated environments as opposed to simply capturing credentials on its own. As modern security controls increasingly rely on multi-factor authentication, device trust verification, behavioral analytics, and risk-based login verification, this distinction has significant operational value for threat actors.

Through the use of stolen session artifacts, rather than raw credentials alone, attackers may be able to bypass many of these layered defenses without triggering immediate authentication challenges. This objective was further reinforced by repeated targeting of Discord, Steam, Riot Games, and Telegram environments, as persistent authenticated sessions within such platforms can be used to resell accounts, conduct fraud operations, abuse social engineering, and monetize access over the long term. 

As part of its session-focused development, REMUS has demonstrated a growing interest in browser-based password management systems as well. As of April 2026, the operator has implemented collection capabilities associated with Bitwarden, 1Password, LastPass, and IndexedDB-based browser storage mechanisms commonly used to retain locally authenticated data by modern extensions and web applications. 

While the observed activity cannot independently confirm vault decryption or direct compromise of password-manager databases, it indicates that development priorities had expanded toward harvesting browser-side storage artifacts associated with password-management workflows, although there is no independent confirmation of either. 

In addition, the campaign infrastructure itself displayed a high degree of operational maturity. Throughout the deployment cycle, the operator maintained a steady cadence of versioned releases, troubleshooting refinements, feature additions, bug remediation, statistics enhancements, and backend management improvements. These practices closely resemble legitimate software maintenance practices.

Throughout the report, references to worker management, log categorization systems, infection visibility dashboards, and loader monitoring were made, implying a structured multi-role environment, where development, deployment, infrastructure management, and monetization functions were increasingly segmented. These organizational models are similar to the organizational models found in mature malware-as-a-service ecosystems today. 

REMUS illustrates how modern infostealer campaigns have evolved from opportunistic credential theft to scalable, persistent, and monetizable platforms that enable access. As a result of the rapid development cycle, a focus on authenticated session continuity, and an increasing interest in browser-based authentication ecosystems, cybercrime has experienced a broad shift, demonstrating the increasing value of stolen access in the cybercrime landscape. 

A reminder to defenders that password protection alone is not sufficient to protect against threats increasingly engineered to exploit trusted sessions, browser storage artifacts, and post-authentication workflows.

In the near future, organizations will face increased pressure to strengthen session monitoring practices, token invalidation practices, endpoint visibility, browser hardening, and anomaly-based access controls as MaaS operations continue to adopt the speed, structure, and operational discipline commonly associated with legitimate software companies. 

There is less significance to the evolution observed in REMUS with regard to any single malware capability than it has in relation to the emergence of a professional and commercialized cyber intrusion ecosystem.
Read more »
User Privacy
Android Trojan Data Harvesting Data Leak malware User Privacy

Millions of Devices at Risk: New Trojan Monitors Smartphones

 

A menacing new Trojan has emerged that puts millions of smartphone devices worldwide at risk, according to recent cybersecurity reports. This sophisticated malware specifically targets Android devices and has already infected thousands of users across 143 countries. The Trojan's ability to monitor smartphones in real-time represents a significant evolution in mobile cyberthreats, with security researchers warning that the actual infection count could be far higher than currently detected.

The malware spreads primarily through seemingly legitimate websites that trick users into downloading malicious applications. Once installed, the Trojan grants hackers complete remote control over compromised devices, enabling live monitoring of user activities. Security firm Zimperium zLabs identified similar dangerous Trojans like Arsink, which impersonates popular brands including WhatsApp and TikTok to evade detection. The infected devices can have their audio recorded, text messages read, and even be wiped completely by attackers. 

This Trojan's most alarming capability is its live monitoring feature combined with coordinated attack systems. Beyond stealing credentials, the malware transmits live screen content to remote servers, creating a continuous visual feed that allows attackers to observe activity and intercept authentication steps in real time. Encrypted communication channels connect infected devices to centralized command systems that coordinate attacks and distribute updated instructions, managing thousands of compromised devices simultaneously. The infection has created a massive footprint, with Egypt reporting around 13,000 compromised phones, Indonesia approximately 7,000, and Iraq and Yemen each with 3,000 infections. 

The Trojan harvests an extensive range of sensitive data including SMS messages, call logs, contacts, device location, and Google account information. It can steal user accounts in messengers and social networks, stealthily send messages on behalf of victims, monitor browser activities, replace links, swap numbers during calls, and intercept SMS messages. Previous similar malware campaigns have already stolen at least $270,000 worth of cryptocurrency, suggesting the financial damage from this new Trojan could be substantial. 

Experts recommend several critical protection measures to safeguard against this threat. Users should only download applications from official app stores like Google Play, avoid clicking links from suspicious websites, and keep their Android operating system updated with the latest security patches. Google has warned that over 40% of Android devices remain vulnerable because they run outdated versions without security support. If your smartphone brand no longer provides security updates, experts strongly recommend considering a new device to protect your personal data.
Read more »
virus
Antivirus malware ransomware spyware trojans virus

Virus, Malware, or Spyware? Here’s What They Really Mean

 




Many people casually refer to every cyber threat as a “virus,” but cybersecurity professionals use a much broader classification system. A security program that only defended against traditional computer viruses would offer very limited protection today because viruses represent just one form of malicious software. Modern antivirus platforms are designed to detect and block many different categories of malware, including ransomware, spyware, trojans, credential stealers, rootkits, and bot-driven attacks.

Traditional computer viruses have also become less common than they once were. Most modern cybercriminal groups are financially motivated and prefer attacks that generate revenue rather than simple disruption or digital vandalism. Spyware operators profit from stolen personal information, banking trojans attempt to drain financial accounts directly, and ransomware gangs demand cryptocurrency payments from victims in exchange for restoring encrypted files. Because current security tools already defend against a wide range of malicious software, most users do not usually need to distinguish one malware family from another during day-to-day use.

At the same time, understanding these terms still matters. News reports about cyberattacks, data breaches, espionage campaigns, and ransomware incidents often contain technical language that can confuse readers unfamiliar with cybersecurity terminology. Knowing how different forms of malware behave makes it easier to understand how attacks spread, what damage they cause, and why security researchers classify them differently.

A traditional virus spreads when a user unknowingly launches an infected application or boots a compromised storage device such as a USB drive. Viruses generally try to remain unnoticed because their ability to spread depends on avoiding detection long enough to infect additional files, programs, or devices. In many cases, the malicious payload activates only after a specific date, time, or triggering condition. Earlier generations of viruses often focused on deleting files, corrupting systems, or displaying disruptive messages for attention. Modern variants are more likely to steal information quietly or help conduct distributed denial-of-service attacks that overwhelm online services with massive volumes of internet traffic.

Worms share some similarities with viruses but spread differently because they do not necessarily require users to open infected files. Instead, worms automatically replicate themselves across connected systems and networks. One of the earliest examples, the Morris worm of 1988, was originally intended as an experiment to measure the size of the developing internet. However, its aggressive self-replication consumed enormous amounts of bandwidth and disrupted numerous systems despite not being intentionally designed to cause widespread destruction.

Trojan malware takes its name from the ancient Greek story of the Trojan Horse because it disguises malicious code inside software that appears safe or useful. A trojan may present itself as a game, utility, browser tool, mobile application, or software installer while secretly performing harmful actions in the background. These threats often spread when users unknowingly download, share, or install infected files. Banking trojans are particularly dangerous because they can manipulate online financial transactions or steal login credentials directly. Other trojans harvest personal information that can later be sold through underground cybercrime marketplaces.

Some malware categories are defined less by how they spread and more by what they are designed to do. Spyware, for example, focuses on monitoring victims and collecting sensitive information without consent. These programs may capture passwords, browsing histories, financial information, or login credentials. More invasive forms of spyware can activate webcams or microphones to observe victims directly. A related category known as stalkerware is frequently installed on smartphones to monitor calls, messages, locations, and online activity. Because surveillance-focused malware has become increasingly common, many modern security products now include dedicated spyware protection features.

Adware primarily generates unwanted advertisements on infected devices. In some cases, these advertisements are targeted using data gathered through spyware-related tracking techniques. Aggressive adware infections can become so intrusive that they interfere with normal computer use by flooding browsers, redirecting searches, or constantly displaying pop-up windows.

Rootkits are designed to hide malicious activity from operating systems and security software. They manipulate how the system reports files, processes, or registry information so infected components remain invisible during scans. When security software requests a list of files or registry entries, the rootkit can alter the response before it is displayed, effectively concealing the malware’s presence from the user and from defensive tools.

Bot malware usually operates silently in the background and may not visibly damage a computer at first. Instead, infected devices become part of remotely controlled botnets managed by attackers sometimes referred to as bot herders. Once connected to the botnet, systems can receive commands to send spam emails, participate in coordinated cyberattacks, or overwhelm websites with malicious traffic. This arrangement also helps attackers hide their own infrastructure behind thousands of compromised machines.

Cryptojacking malware secretly hijacks a device’s processing power to mine cryptocurrencies such as Bitcoin. Although these infections may not directly destroy data, they can severely slow systems, increase electricity usage, drain battery life, and contribute to overheating problems because of constant processor strain.

The malware ecosystem also includes droppers, which are small programs designed specifically to install additional malicious software onto infected systems. Droppers often operate quietly to avoid attracting attention while continuously delivering new malware payloads. Some receive instructions remotely from attackers regarding which malicious programs should be installed. Cybercriminal operators running these distribution systems may even receive payment from other malware developers for spreading their software.

Ransomware remains one of the most financially damaging forms of cybercrime. In most attacks, the malware encrypts documents, databases, or entire systems and demands payment in exchange for a decryption key. Security software is generally expected to detect ransomware alongside other malware categories, but many cybersecurity professionals still recommend additional dedicated ransomware defenses because the consequences of missing a single attack can be devastating. Hospitals, schools, businesses, and government organizations around the world have all experienced major operational disruptions linked to ransomware campaigns.

Not every program claiming to improve cybersecurity protection is legitimate. Fake antivirus products, commonly called scareware, are designed to frighten users with fabricated infection warnings and pressure them into paying for unnecessary or malicious software. At best, these programs provide no meaningful protection. At worst, they introduce additional security risks or steal financial information entered during payment. Many scareware campaigns rely on alarming pop-ups and fake scan results to manipulate victims psychologically.

Identifying fake security products has become increasingly difficult because many now imitate legitimate software convincingly. Cybersecurity experts generally recommend checking trusted reviews and downloading security tools only from reputable vendors or established sources. Fraudulent review websites also exist, making careful verification especially important before installing security software.

Modern malware rarely fits neatly into a single category. One malicious program may spread like a virus, steal information like spyware, and hide itself using rootkit techniques simultaneously. Likewise, modern security solutions rely on multiple defensive layers rather than antivirus scanning alone. Comprehensive security suites may include firewalls that block network-based attacks, spam filters that intercept malicious email attachments, phishing protection systems, and virtual private networks that help secure internet traffic. Some VPN services, however, restrict advanced features behind additional subscription payments.

The term “malware” ultimately serves as a broad label covering every type of software intentionally created to harm systems, steal information, spy on users, disrupt operations, or provide unauthorized access. Industry organizations such as Anti-Malware Testing Standards Organization often prefer the term “anti-malware” because it reflects the wider range of threats modern security tools must address. However, most consumers remain more familiar with the word “antivirus,” which continues to dominate the industry despite the changing nature of cyber threats.

Understanding these distinctions does not require becoming a cybersecurity specialist, but it does help people recognize how varied modern digital threats have become. From ransomware and spyware to botnets and credential-stealing trojans, malicious software now exists in many different forms, each designed for a specific purpose within the broader cybercrime economy.

Read more »
Worm Infection
Credential Stealer Linux Shell malware PCPJack Worm Worm Infection

PCPJack Worm Steals Cloud Credentials While Wiping Out TeamPCP Infections

 

A new malware framework called PCPJack is drawing attention because it not only steals credentials from exposed cloud systems but also wipes out traces of TeamPCP infections before taking over the environment. The campaign shows how one criminal group can piggyback on another group’s compromised infrastructure to expand access, harvest secrets, and monetize stolen data. 

PCPJack begins with a Linux shell script that creates a hidden workspace, installs Python dependencies, downloads extra modules, sets up persistence, and launches an orchestrator that manages the infection. During that startup sequence, it actively searches for TeamPCP processes, services, files, containers, and persistence artifacts, then removes them so its own payload can operate without interference. That behavior makes the malware unusually aggressive even by cloud-threat standards. 

Once inside a host, the framework focuses on credential theft across cloud, container, developer, productivity, and financial services. Reported targets include SSH keys, environment files, tokens, Docker and Kubernetes secrets, WordPress configs, and logins for services such as AWS, Slack, GitHub, OpenAI, Anthropic, Discord, and Office 365. Researchers also noted that the malware exfiltrates data to Telegram after encrypting it and splitting it into small chunks to fit message limits. 

The worm-like spread is what makes PCPJack especially dangerous in exposed cloud environments. It is built to move laterally, search for additional systems, and exploit vulnerable web applications and services such as Docker, Kubernetes, Redis, MongoDB, RayML, and other internet-facing infrastructure. It does not appear to rely on cryptomining, which suggests the main motive is stolen-access monetization through fraud, spam, extortion, or credential resale.

Organizations can reduce risk by hardening cloud access and secrets management, enforcing MFA, and limiting exposure of Docker, Kubernetes, and web applications. Security teams should also monitor for unusual shell-script activity, hidden directories, unexpected persistence, and outbound traffic to attacker-controlled messaging channels. In practice, PCPJack is a reminder that cloud intrusions are increasingly iterative, with one attacker cleaning up another’s mess only to create a new one.
Read more »
User Privacy
Beagle Backdoor Claude AI Malvertising malware User Privacy

Fake Claude AI Site Spreads New Beagle Windows Backdoor – Here’s How to Stay Safe

 

Cybercriminals have launched a sophisticated malvertising campaign using a fake Claude‑AI website that installs a new Windows backdoor called “Beagle,” highlighting how attackers are weaponizing the popularity of AI tools against software developers. The deceptive site, reachable through sponsored search results, mimics Anthropic’s legitimate Claude interface and lures users into downloading what appears to be a productivity‑oriented “Claude‑Pro Relay” tool but is in fact a poisoned installer.

Modus operandi 

The malicious domain claude‑pro[.]com presents a stripped‑down clone of the official Claude design, using similar colors and fonts to create a veneer of legitimacy. However, most navigation links on the page simply redirect back to the homepage, and the only functional element is a large download button that serves a 505‑MB archive named Claude‑Pro‑windows‑x64.zip, which contains a trojanized MSI installer. Users who bypass standard security hygiene—such as verifying the URL or ignoring suspicious “sponsored” tags—end up deploying this bundle on their machines. 

Once the MSI executes, it drops three files into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and a malicious DLL named avk.dll. The first file is a legitimate, digitally signed updater from G Data security software, which attackers abuse via DLL sideloading to load the malicious avk.dll instead of the genuine library. This DLL decrypts the encrypted data file, then executes the open‑source in‑memory loader DonutLoader, which in turn deploys the final payload—the Beagle backdoor—entirely in memory to evade disk‑based detection.

Beagle backdoor capabilities

Beagle is a lightweight but dangerous Windows backdoor that gives attackers remote control over an infected system. It supports a small set of commands such as running arbitrary shell commands, uploading and downloading files, creating and renaming directories, listing folder contents, and uninstalling itself to destroy evidence. The malware communicates with its command‑and‑control server at license[.]claude‑pro[.]com over TCP port 443 or UDP port 8080, encrypting traffic with a hardcoded AES key to make network monitoring more difficult. 

Attribution and broader implications Security researchers have not yet pinned the campaign to a specific named threat group, but they note technical overlaps and suggest the same actors behind the PlugX malware family may be experimenting with this new payload. The fact that the attackers impersonate major security vendors in other related samples—such as Trellix, CrowdStrike, SentinelOne, and Microsoft Defender—points to a broader malvertising and supply‑chain‑style strategy.

How users and organizations can protect themselves 

Organizations should block the domains claude‑pro[.]com and license[.]claude‑pro[.]com at the DNS and firewall level and search endpoints for NOVupdate.exe and avk.dll in Startup folders, which are strong indicators of compromise. End users, especially developers, must download Claude and similar AI tools only from verified official domains, treat sponsored search results with skepticism, and verify URLs before clicking installers. Updated endpoint protection, EDR logging, and user‑awareness training on AI‑related phishing and malvertising are critical to mitigating this evolving threat.
Read more »
quasar
chain attacks Cybersecurity Digital Supply Chain Risk Linux malware quasar

Quasar Linux Malware Targets Developers in Stealthy Supply Chain Attack

 

A newly discovered Linux implant called Quasar Linux, or QLNX, is a serious threat because it goes after the people and systems that build software. Instead of behaving like ordinary malware, it is designed to quietly take root in developer and DevOps environments, steal valuable credentials, and open the door to supply-chain attacks. 

QLNX is dangerous because it combines several attack techniques in one package. Trend Micro says it can function as a rootkit, a backdoor, and a credential stealer, while also running filelessly, wiping logs, spoofing process names, and removing its original binary from disk to make investigation harder. It also uses multiple persistence methods, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and .bashrc injection, so it can keep coming back even if part of it is removed.

The malware’s main prize is access to developer secrets. Researchers say it targets credentials tied to npm, PyPI, GitHub, AWS, Docker, Kubernetes, Terraform, and other tools that are deeply embedded in modern software delivery pipelines. If attackers get those tokens or keys, they can publish malicious packages, tamper with builds, or move from one system into cloud infrastructure and CI/CD environments.

What makes the threat especially troubling is how stealthy it is. Trend Micro found that QLNX can dynamically compile rootkit and PAM backdoor components on the victim host using gcc, which helps it blend in with normal Linux activity. It also harvests clipboard contents, SSH keys, browser profiles, and authentication data, giving attackers a wide view into how developers work and where their secrets are stored.

The broader issue is that developer machines have become high-value targets in the software supply chain. One compromised workstation can expose publishing pipelines, cloud accounts, and internal codebases, so the impact may spread far beyond the original victim. The safest response is to treat developer endpoints like crown-jewel systems: monitor for unusual persistence, restrict secret storage, rotate tokens quickly, and assume a stolen workstation could become the first step in a wider breach.
Read more »
Siri Vulnerability
Apple Security Bluetooth Forensics Crypto Wallet cryptocurrency theft Cybercrime Investigation digital surveillance FakeWallet Campaign iOS security malware Siri Vulnerability

Apple Account Data and Bluetooth Signals Tie Suspect to Crypto Robbery


 

The App Store ecosystem has been infiltrated by a coordinated wave of fraudulent cryptocurrency wallet applications that exploit regional platform restrictions and user trust to steal credentials from iOS users. More than two dozen malicious apps have been identified as related to a campaign called "FakeWallet," which has been active since at least late 2025 and was designed to harvest passwords and private keys from unsuspecting users via the use of various malware programs.

During the early months of March, counterfeit wallet applications became prominent in search results within China’s App Store after they began appearing prominently in search results, posing a threat to the legitimacy of several legitimate crypto wallet services due to regulatory restrictions. 

In addition to replicating the trusted wallet branding, abusing typosquatting techniques and embedding deceptive prompts leading users towards unofficial wallet downloads, the campaign blurred the distinction between genuine financial tools and malicious software, significantly increasing iPhone users' chances of committing cryptocurrency theft. 

During technical analysis, Kaspersky determined that phishing applications were primarily used as delivery mechanisms for trojanized cryptocurrency wallet software to be installed via browsers. According to the researchers, malicious payloads are commonly embedded through third-party libraries embedded within the applications, despite several samples demonstrating direct modifications of the wallet code itself, indicating a more sophisticated level of tampering. 

Through reverse engineering, special routines have been found that can intercept and exfiltrate recovery phrases as well as seed phrases, while simultaneously manipulating the wallet restoration process for recovering hot wallets. The investigation also identified two separate implants targeting cold wallets hosted on Ledger, extending the campaign's scope beyond software-based assets to hardware wallet users as well. 

A counterfeit website impersonating Ledger's official platform was also discovered by researchers, which distributed malicious iOS application links and compromised Android wallet packages hosted on Chinese-language phishing websites outside of Google Play. It is unclear whether the malware modules had geographic enforcement mechanisms despite the infrastructure and linguistic indicators suggesting that Chinese-speaking victims were targeted. 

It is of concern that the campaign may easily be extended to international targets based on some phishing prompts that dynamically adapt to the language settings of the infected application. Furthermore, the operation has been linked to the previously identified SparkKitty malware cluster, which was discovered last year, based on overlapping distribution tactics, cryptocurrency-centered targeting patterns, Chinese-language debugging strings within the malicious code, and the inclusion of SparkKitty-related components within several analyzed programs. 

When the findings were disclosed to Apple, they were notified and the identified malicious applications have since been removed from the App Store. According to court records reviewed by Forbes, the incident occurred as a result of a targeted home invasion last month in Winnetka, where attackers allegedly used social engineering tactics to gain physical access to the victim's property. 

Investigators reported that a man impersonating a food delivery driver approached the residence and knocked on the front door before at least four armed accomplices gained access moments after the resident responded. Once inside, the group demanded access to a secure safe as well as credentials related to online cryptocurrency accounts, emphasizing the increasing convergence between the targeting of digital assets and conventional violent crimes.

A report by authorities indicates that the operation failed in achieving its intended objective after the victim escaped the residence, leading the suspects to depart the scene without obtaining any known cryptocurrency assets. 

In spite of the attempted robbery, organized groups have increasingly combined physical coercion with identity deception and intelligence-driven targeting to compromise high-value cryptocurrency holders. It is believed that the investigation developed into a broader criminal case involving Chicago rapper Lil Zay Osama, formally known as Isaiah Dukes, along with five additional suspects, were alleged to have kidnapped children and committed a violent cryptocurrency-related robbery. 

Dukes has entered a not guilty plea to the latest charges after previously serving a 14-month prison sentence for unlawful possession of a machine gun in 2024. According to reports, investigators used unconventional but highly effective digital forensics methods in order to identify members of the group after one suspect connected his iPhone to a stolen getaway vehicle's Bluetooth interface.

The combination of the infotainment pairing logs and the subpoenaed Apple records provided authorities with information that allowed them to locate the connected device in a iCloud account belonging to Tyrese Fenton-Watson. The discovery was significant as it demonstrated how telemetry generated by connected consumer technologies, such as smartphone synchronization and in-vehicle wireless systems, is becoming an increasingly important tool for criminal investigations in modern times.

Technology and cybersecurity landscapes were also subject to increasing scrutiny due to the emergence of artificial intelligence, surveillance practices, and digital governance concerns. Anthropic's reported intention to broaden access to its advanced "Mythos" model, which was originally restricted to approximately 40 organizations due to concerns surrounding misuse of the system and offensive security applications. This model is designed with large-scale cyber vulnerability discovery capabilities and is designed to detect cyber vulnerabilities on a large scale.

Reports in The Wall Street Journal indicated that the company hoped to expand its availability to approximately 120 companies, though White House officials expressed reservations about both national security implications and the potential strain on Anthropic's infrastructure and disruption of government access to the technology that could result from excessive external usage. 

In addition, further revelations indicated that the boundary between the deployment of AI, the privacy of users, and digital surveillance is increasingly blurred. In a report published by Wired, it was reported that the DHS had requested location and identification information from Google regarding a Canadian user who criticized the Trump administration, but it is unclear whether Google complied with this request. 

Additionally, Meta disclosed that Facebook and Instagram were using artificial intelligence-driven bone structure analysis to detect whether users are under the age of 13. According to security researcher Jeremiah Fowler, nearly 90,000 screenshots allegedly extracted from a celebrity's smartphone had been exposed as a result of spyware exposure, including sensitive photos, financial records, and private conversations, further illustrating the degree of personal data risks associated with commercial surveillance tools.

A significant amount of industry attention was also drawn to Forbes' publication of its eighth annual AI 50 ranking in partnership with Mayfield, highlighting some of the leading private AI firms, including Harvey and ElevenLabs, along with emerging startups, including Gamma, Chai Discovery, and Rogo. In addition, the AI 50 Brink list highlighted early-stage companies that were expected to compete effectively with more established companies. 

During the investigation, law enforcement agencies also recorded a notable operational success after cooperating with Meta and international authorities to dismantle nine cryptocurrency scam centers and arrest more than 275 individuals allegedly involved in fraudulent schemes targeting Americans. This marks a rare instance of coordinated action between the Department of Justice and China's Ministry of Public Security. 

A report alleging that workers employed by contractor Sama encountered explicit and sensitive footage while annotating video captured through Ray-Ban smart glasses prompted Meta to be subjected to renewed scrutiny for its privacy oversight. As a result of these allegations, Meta terminated its relationship with Sama shortly before terminating its agreement due to an unmet standard, a claim Sama denied publicly. 

Following the latest developments, the company issued a series of critical software updates to resolve vulnerabilities affecting Siri, the company's voice-based digital assistant, resulting in the potential for unauthorized access to sensitive user information on locked mobile devices. These updates further renewed attention to mobile device security. It was found that the assistant was capable of processing certain voice interactions even while the device was locked, allowing attackers who possessed iPhones or other Apple hardware to access contact information and additional private data without complete authentication if they had physical possession of the devices. 

As a result, Apple introduced security enhancements as a means of limiting Siri's functionality when devices are immobilized. By doing so, Apple reduces the likelihood that unauthorized commands may be executed while the device is immobilized as well as strengthening protections against physical access attacks. Several products within Apple's ecosystem, including iPhone, Apple Watch, iPadOS, and macOS Ventura systems, have been patched as part of broader platform security updates to mitigate the vulnerabilities.

Several software updates have been recommended to ensure that vulnerabilities are fully mitigated across all supported devices, including iOS 17.6 and iPadOS 17.6, by using the standard settings, general, and software update process. 

Collectively, these incidents reflect a rapidly evolving threat environment in which cybercrime, artificial intelligence, connected consumer technologies, and digital surveillance are becoming increasingly interconnected. This collection of cases illustrates how both attackers and law enforcement are leveraging the expanding data footprint created by modern devices and online services in order to infiltrate trusted app ecosystems with malicious cryptocurrency wallet campaigns as well as investigators using Bluetooth telemetry and cloud account records to investigate violent crimes. 

Furthermore, growing concerns surrounding the discovery of vulnerabilities using artificial intelligence, spyware-linked data exposure, biometric analysis, and voice assistant security continue to increase pressure for technology companies to strengthen platform security measures while maintaining a balance between privacy, accessibility, and operational transparency. 

Increasing sophistication and technical integration of cyber-enabled financial crime underscores the importance of proactive security updates, stricter application vetting, and enhanced awareness of consumers in increasingly interconnected digital ecosystems as cyber-enabled financial crime becomes more sophisticated and technologically integrated.
Read more »
Subscribe to: Posts (Atom)