Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Stealth Attack
GoTo Resolve malware Malware PUA Threat Ransomware Stealth Attack

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks

 

Security researchers have raised alarms over a remote administration tool that can quietly turn into a stealthy entry point for cybercriminals. The program, flagged as HEURRemoteAdmin.GoToResolve.gen, is now classified as a Potentially Unwanted Application (PUA) due to the way it conceals its presence and behavior from end users. 

The warning comes from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm that analyzed how this tool can transform a routine IT utility into a serious security liability. According to their report, the application is linked to GoTo Resolve, a legitimate platform formerly known as LogMeIn, widely used by IT support teams for remote access and troubleshooting. 

What makes this case particularly concerning is the tool’s ability to install and operate “silently,” maintaining a persistent foothold on the system without any visible prompts or notifications. Researchers found it buried in a directory named C:\Program Files (x86)\GoTo Resolve Unattended\, along with a bundled file called “32000~” that contains hidden instructions for managing the application in the background. 

Because it runs unattended, this component effectively creates a new attack surface, similar to leaving a window unlocked for intruders. Threat actors who manage to hijack the tool could exploit its background capabilities to move laterally, gather intelligence, or prepare a larger compromise, all without attracting attention from the user sitting at the keyboard.

The most disturbing link is to ransomware tradecraft through the use of the Windows Restart Manager library, RstrtMgr.dll. This DLL has been abused in past campaigns by high-profile groups like Conti and Cactus ransomware, as well as the BiBi wiper, to terminate processes that might block file encryption or forensic analysis, including antivirus tools and security services. Even more deceptive is the fact that the software carries a valid digital signature from GoTo Technologies USA, LLC, giving it an appearance of full legitimacy in the eyes of both users and operating systems.

Experts stress that a trusted signature does not guarantee safe behavior and warn organizations to treat this tool as a high-risk component unless explicitly approved and monitored by their security teams, calling its stealthy execution and Restart Manager loading a form of “dangerous pre-positioning” for future, more destructive attacks.
Read more »
State Sponsored Cyber Attacks
Advanced Persistent Threats APT36 Cyber Espionage Cloud Infrastructure Abuse Defense Sector Government Network Security India Pakistan Cyber Conflict malware State Sponsored Cyber Attacks

Researchers Uncover Pakistan-Linked Cyber Activity Targeting India


 

A familiar, uneasy brink appears to be looming between India and Pakistan once again, where geopolitical tension spills over borders into less visible spheres and risks spilling over into more obscure regions. As the war intensified in May 2025, cyberspace became one of the next arenas that was contested. 

Pakistan-linked hacktivist groups began claiming widespread cyberattacks on Indian government bodies, academic institutions, and critical infrastructure elements as the result of heightened hostilities. It appeared, at first glance, that the volume of asserted attacks indicated that there was a broad cyber offensive on the part of the perpetrators. There is, however, a more nuanced story to be told when we take a closer look at the reports. 

According to findings from security firm CloudSEK, many of these alleged breaches were either overstated or entirely fabrications, based on recycled data dumps, cosmetic website defacements, and short-lived interruptions that caused little harm to operations. 

Despite the symphonic noise surrounding the Pahalgam terror attack, a more sobering development lay instead behind the curtain. It was an intrusion campaign targeting Indian defense-linked networks based on the Crimson RAT malware that was deployed by the APT36 advanced persistent threat group. 

Using a clear distinction between spectacle and substance, this study examines what transpired in India-Pakistan cyber conflict, why it matters, and where the real risks lie in the coming months in order to discern what has truly unfolded. 

In spite of the noise of hacktivist claims, researchers warn that a much more methodical and state-aligned cyber espionage effort has been quietly unfolding beneath the surface level noise. There has been a significant increase in the focus of Pakistan-linked threat actors operating under the designation APT36, also referred to by cybersecurity experts as Earth Karkaddan, Mythic Leopard, Operation C-Major, and Transparent Tribe in the past couple of years. 

It has been more than a decade since this group established itself, and it has demonstrated a track record of conducting targeted intelligence-gathering operations against Indian institutions through its work. 

Analysts observed in August 2025 a shift in tactics for a campaign known as APT36 that focused on Linux-based systems, using carefully designed malware delivery techniques, rather than targeting Windows-based systems. 

APT36 used procurement-themed phishing lures to distribute malware ZIP archives disguised as routine documents, allowing attackers to distribute malware. The malware dropper was coveredtly downloaded and installed by these files, which were then executed through Windows desktop entry configurations. 

A decoy PDF was also displayed to avoid suspicion, while the malware dropper itself retrieved a malware dropper on Google Drive. According to a further analysis, the payload was designed to avoid detection using anti-debugging and anti-sandbox measures, maintain persistence on compromised systems, and establish covert communication with command-and-control infrastructure over WebSockets, which were all hallmarks of a calculated espionage operation rather than an opportunistic intrusion. 

According to further analysis conducted by Zscaler ThreatLabz, the activity appears to be part of two coordinated campaigns, identified as Gopher Strike and Sheet Attack, both of which were carried out from September 2025 to October 2025. It is worth keeping in mind that while elements of the operations bear resemblance to techniques that have historically been associated with APT36, researchers are generally inclined to believe that the observed activity may be the work of a distinct subgroup or a separate threat actor which is linked to Pakistan. 

There are two main types of attacks known as Sheet Attacks and they are characterized by their use of trusted cloud-based platforms for command-and-control communications, including Google Sheets, Firebase, and email services, which enables your attack traffic to blend into legitimate network traffic. 

It has been reported that the Gopher Strike, on the other hand, is initiated by phishing emails that provide PDF attachments which are meant to deceive recipients into installing an Adobe Acrobat Reader DC update that is falsely advertised. A blurred image is displayed on top of a seemingly benign prompt, which instructs users to download the update before they can view the contents of this document. 

A user selecting the embedded option will initiate the download of an ISO image, but only when the request originated from an address in India and corresponds to an Indian user agent specified in a Windows registry - server-side checks to frustrate automated analysis and prevent delivery to a specific audience.

A downloader built on the Golang programming language is embedded within the ISO copy, named GOGITTER, in order for it to be able to establish persistent downloads across multiple directories of the system by creating and repeatedly executing Visual Basic scripts in several locations. 

A portion of the malware periodically retrieves commands from preconfigured command-and-control servers and can, if necessary, access additional payloads from a private GitHub repository, which was created earlier in 2025. This indicates the campaign was deliberately designed and has sustained operational intent for the above period. 

An intrusion sequence is initiated once the malicious payload has been retrieved by executing a tightly coordinated series of actions designed to establish deeper control as well as confirm compromise. The investigator notes that the infected system first sends a HTTP GET request to a domain adobe-acrobat[.]in in order to inform the operator that the target had been successfully breached.

GOGBITTER downloaders unpack and launch executable files that are then executed from previously delivered archives, called edgehost.exe. It is this component's responsibility to deploy GITSHELLPAD, a lightweight Golang backdoor which relies heavily on attackers' control of private GitHub repositories for command-and-control purposes. This backdoor keeps in close touch with the operators by periodically polling a remote server for instructions stored in a file called command.txt that is updated every few seconds.

In addition to being able to navigate directories and execute processes on a compromised system, attackers are also able to transfer files between the compromised and non-compromised system. The execution results are recorded in a separate file and sent back to GitHub, where they are then exfiltrated and stored until the forensic trace is completely removed.

Moreover, Zscaler researchers have observed that operators after initial access downloaded additional RAR archives using the cURL-based command line. As part of these packages, there were tools for system reconnaissance, as well as a custom Golang loader known as GOSHELL that was used to eventually deploy a Cobalt Strike beacon after several decoding stages were completed. 

There is no doubt about the fact that the loader was intentionally padded with extraneous data in order to increase its size to about one gigabyte, which is a tactic that was used as a way to bypass antivirus detections. 

When the auxiliary tools had fulfilled their purpose, they were systematically removed from the host, reflecting a disciplined effort to keep the campaign as stealthy as possible. 

Recently, investigations indicate that cyber tensions between India and Pakistan are intensifying. It is important to distinguish between high-impact threats and performative digital noise in order to avoid the loss of privacy. 

Even though waves of hacktivist claims created the illusion of a widespread cyberattack on Indian institutions in mid-2025, detailed analysis reveals that the majority of these disruptions were exaggerated or of inconsequential nature. Among the more consequential risks that Pakistan-linked actors, including groups such as APT36, are associated with is sustained and technically sophisticated espionage operations. 

The attacks illustrate a clear evolution in the use of tradecraft, combining targeted phishing attacks, exploitation of trusted cloud platforms, and the use of custom malware frameworks, all of which are being used to quietly penetrate both Linux and Windows environments within governments and defense organizations.

It is important to note that selective delivery mechanisms, stealthy persistence techniques, and layering of payloads-all culminating in the deployment of advanced post-exploitation tools-underline a strategic focus on long-term access rather than immediate disruption of the network. 

The findings underscore to policymakers and security teams that the importance of detecting covert, state-aligned intrusions over headline-driven hacktivist activity needs to be prioritized, and that in an increasingly contested cyber world, it is crucial that cybersecurity defenses are strengthened against phishing, cloud abuse, and endpoint monitoring.
Read more »
MFA
AI AI Browsers ChatGPT Data Theft malware MFA

Some ChatGPT Browser Extensions Are Putting User Accounts at Risk

 


Cybersecurity researchers are cautioning users against installing certain browser extensions that claim to improve ChatGPT functionality, warning that some of these tools are being used to steal sensitive data and gain unauthorized access to user accounts.

These extensions, primarily found on the Chrome Web Store, present themselves as productivity boosters designed to help users work faster with AI tools. However, recent analysis suggests that a group of these extensions was intentionally created to exploit users rather than assist them.

Researchers identified at least 16 extensions that appear to be connected to a single coordinated operation. Although listed under different names, the extensions share nearly identical technical foundations, visual designs, publishing timelines, and backend infrastructure. This consistency indicates a deliberate campaign rather than isolated security oversights.

As AI-powered browser tools become more common, attackers are increasingly leveraging their popularity. Many malicious extensions imitate legitimate services by using professional branding and familiar descriptions to appear trustworthy. Because these tools are designed to interact deeply with web-based AI platforms, they often request extensive permissions, which exponentially increases the potential impact of abuse.

Unlike conventional malware, these extensions do not install harmful software on a user’s device. Instead, they take advantage of how browser-based authentication works. To operate as advertised, the extensions require access to active ChatGPT sessions and advanced browser privileges. Once installed, they inject hidden scripts into the ChatGPT website that quietly monitor network activity.

When a logged-in user interacts with ChatGPT, the platform sends background requests that include session tokens. These tokens serve as temporary proof that a user is authenticated. The malicious extensions intercept these requests, extract the tokens, and transmit them to external servers controlled by the attackers.

Possession of a valid session token allows attackers to impersonate users without needing passwords or multi-factor authentication. This can grant access to private chat histories and any external services connected to the account, potentially exposing sensitive personal or organizational information. Some extensions were also found to collect additional data, including usage patterns and internal access credentials generated by the extension itself.

Investigators also observed synchronized publishing behavior, shared update schedules, and common server infrastructure across the extensions, reinforcing concerns that they are part of a single, organized effort.

While the total number of installations remains relatively low, estimated at fewer than 1,000 downloads, security experts warn that early-stage campaigns can scale rapidly. As AI-related extensions continue to grow in popularity, similar threats are likely to emerge.

Experts advise users to carefully evaluate browser extensions before installation, pay close attention to permission requests, and remove tools that request broad access without clear justification. Staying cautious is increasingly important as browser-based attacks become more subtle and harder to detect.

Read more »
Phishing emails
Data Theft Income Tax Department India malware Phishing emails

Fake Tax Emails Used to Target Indian Users in New Malware Campaign

 


A newly identified cyberattack campaign is actively exploiting trust in India’s tax system to infect computers with advanced malware designed for long-term surveillance and data theft. The operation relies on carefully crafted phishing emails that impersonate official tax communications and has been assessed as potentially espionage-driven, though no specific hacking group has been confirmed.

The attack begins with emails that appear to originate from the Income Tax Department of India. These messages typically warn recipients about penalties, compliance issues, or document verification, creating urgency and fear. Victims are instructed to open an attached compressed file, believing it to be an official notice.

Once opened, the attachment initiates a hidden infection process. Although the archive contains several components, only one file is visible to the user. This file is disguised as a legitimate inspection or review document. When executed, it quietly loads a concealed malicious system file that operates without the user’s awareness.

This hidden component performs checks to ensure it is not being examined by security analysts and then connects to an external server to download additional malicious code. The next stage exploits a Windows system mechanism to gain administrative privileges without triggering standard security prompts, allowing the attackers deeper control over the system.

To further avoid detection, the malware alters how it identifies itself within the operating system, making it appear as a normal Windows process. This camouflage helps it blend into everyday system activity.

The attackers then deploy another installer that adapts its behavior based on the victim’s security setup. If a widely used antivirus program is detected, the malware does not shut it down. Instead, it simulates user actions, such as mouse movements, to quietly instruct the antivirus to ignore specific malicious files. This allows the attack to proceed while the security software remains active, reducing suspicion.

At the core of the operation is a modified banking-focused malware strain known for targeting organizations across multiple countries. Alongside it, attackers install a legitimate enterprise management tool originally designed for system administration. In this campaign, the software is misused to remotely control infected machines, monitor user behavior, and manage stolen data centrally.

Supporting files are also deployed to strengthen control. These include automated scripts that change folder permissions, adjust user access rights, clean traces of activity, and enable detailed logging. A coordinating program manages these functions to ensure the attackers maintain persistent access.

Researchers note that the campaign combines deception, privilege escalation, stealth execution, and abuse of trusted software, reflecting a high level of technical sophistication and clear intent to maintain prolonged visibility into compromised systems.

Read more »
State Sponsored Hacking
Critical Infrastructure Security DynoWiper ESET Research malware Polish Energy Sector Power Grid Cybersecurity Russia Linked Cyberattack Sandworm State Sponsored Hacking

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure


 

A cyber intrusion targeting the nation's energy infrastructure occurred in late 2025, which security experts have described as one of the largest cyberattacks the nation has faced in many years. It underscores the growing vulnerability of critical national systems in light of increasing geopolitical tensions, which are at odds with one another. 

ESET, a cybersecurity company specializing in cyber security, has uncovered new data indicating that the operation was carried out by Sandworm, an advanced persistent threat group closely aligned with Russia that has been associated with disrupting energy and industrial networks for decades. 

ESET researchers found that a deeper analysis of the malware used during the incident revealed operational patterns and code similarities that are consistent with Sandworm's past campaigns, indicating that the attack follows Sandworm's established playbook for damaging cyber activity. 

According to the assailants, they were planning to use a malware strain named DynoWiper that was designed to permanently destroy files and cripple affected systems by irreversibly destroying them, a strategy which could have caused widespread disruptions across the Poland electricity industry if it had been successful. 

At the time of publication, the Russian Embassy in Washington did not respond to requests for comment. According to cyber experts, Sandworm, which is also known as UAC-0113, APT44, or Seashell Blizzard in the cybersecurity community, has been active for more than a decade and is widely regarded as an act of state-sponsored hacking, most likely aimed at Russian military intelligence agencies. 

The group's ties to Unit 74455 of the Main Intelligence Directorate (GRU) have been established by security researchers after repeated accusations that the organization has committed high-impact cyber-operations intended to disrupt and degrade critical infrastructure systems. 

Throughout its history, Sandworm has been credited with some of the most significant cyber incidents against energy networks, most notably a devastating attack on the Ukraine's power grid nearly a decade ago, which used data-wiping malware and left around 230,000 people without power for a period of nearly 10 days.

It is important to note that this episode still remains a prototypical example of the group's capabilities and intentions, and it continues to shape the assessment of the group's role in more recent attempts to undermine energy systems beyond Ukraine's borders. 

As detailed in a recent report issued by ESET, they believed that the operation bore the hallmarks of Sandworm, a threat actor widely linked to Russia's military and intelligence apparatus, evidenced by its involvement in the operation. 

A data wiping malware, DynoWiper, dubbed DynoWiper, was identified by investigators and tracked as Win32/KillFiles.NMO, which had previously been undocumented, pointing the finger at the group. The wiper campaign was similar in both technical and operational aspects to earlier Sandworm wiper campaigns, especially those that were observed following Russian invasion of Ukraine in February of that year. 

In a statement published by ESET on December 29, 2025, the company stated that the malware had been detected during an attempt to disrupt Poland's energy sector, but that there are no indications that the attackers succeeded in causing outages or permanently damage the energy sector. 

In an email sent on December 29, the Polish authorities confirmed that there was activity observed in the area of two combined heat and power plants and a system used to manage the generation of electricity from renewable sources, such as the power of wind and sun. 

In a public statement, the Prime Minister said that the attacks were directed by groups “directly linked to Russian services,” citing the government's plans to strengthen national defenses through additional safeguards and cybersecurity legislation that will require more stringent requirements on risk management, information technology and operational technology security, and preparedness for incidents. Tusk said this legislation is expected to be implemented very soon. 

Moreover, the timing of the incident attracted the attention of analysts as it coincided with the tenth anniversary of Sandworm's historic attack on Ukraine's power grid in 2015. BlackEnergy and KillDisk malware were deployed during the attack, and the attack caused hours-long blackouts for thousands of people, something that was cited as a continuation of a pattern of disruption campaigns against critical infrastructure that has been occurring for years. 

A company named ESET stated that the attempted intrusion coincided with Sandworm's tenth anniversary of the devastating attack on Ukraine's power grid in the year 2000, though it only provided limited technical information beyond the identification of the malware involved. 

Researchers are pointing out that the use of a custom-built wiper, as well as the pattern of Russian cyber operations in which data-destroying malware has been a strategic tool, aligns with a broader pattern observed in cyber operations. The use of wipers in attacks linked to Moscow has increased significantly since 2022. 

The use of AcidRain to disable roughly 270,000 satellite modems in Ukraine has been an effort to disrupt the communication of the country. A number of campaigns targeting universities, critical infrastructure, and the like have been attributed to Sandworm. This is also true in the case of the NotPetya outbreak in 2017, a destructive worm that in its early stage was targeted at Ukrainian targets, but quickly spread worldwide, causing an estimated $10 billion in damage and securing its place as one of the highest-profile case studies in the history of cybercrime. 

There are no indications yet as to why DynoWiper had failed to trigger power outages in Poland; the investigation has left open the possibility that the operation may have been strategically calibrated to avoid escalation or that strong defenses within the country’s energy grid prevented it. 

In the aftermath of the incident, governments and operators of critical infrastructure across Europe have been reminded once again that energy systems continue to be an attractive target among state-sanctioned cyber operations even when those attacks do not result in immediate disruptions. 

It is noted that security analysts have noted the attempt to deploy DynoWiper in a strategic capacity reflects a continued reliance on destructive malware as a strategy tool, and emphasize the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both the information technology as well as operational technologies. 

Although it appears that Polish officials are using the episode as a springboard in order to strengthen their defenses, experts point out that similar threats may not be bound by borders in the near future since geopolitical tensions are unlikely to ease at all. 

Despite the fact that the failure of the attack may offer some reassurance for the time being, it also emphasizes a more significant reality: adversaries continue to search energy networks for weaknesses, and it will be crucial to be prepared and cooperative if we wish to avoid future disruptions, as well as to be able to detect and neutralize malware before it becomes a major problem.
Read more »
Trojan
AD fraud AI APK Files Clickjacking malware Trojan

Android Malware Uses Artificial Intelligence to Secretly Generate Ad Clicks

 


Security researchers have identified a new category of Android malware that uses artificial intelligence to carry out advertising fraud without the user’s knowledge. The malicious software belongs to a recently observed group of click-fraud trojans that rely on machine learning rather than traditional scripted techniques.

Instead of using hard-coded JavaScript instructions to interact with web pages, this malware analyzes advertisements visually. By examining what appears on the screen, it can decide where to tap, closely imitating normal user behavior. This approach allows the malware to function even when ads frequently change layout, include video content, or are embedded inside iframes, which often disrupt older click-fraud methods.

The threat actors behind the operation are using TensorFlow.js, an open-source machine learning library developed by Google. The framework allows trained AI models to run inside web browsers or server environments through JavaScript. In this case, the models are loaded remotely and used to process screenshots taken from an embedded browser.

Researchers from mobile security firm Dr.Web reported that the malware has been distributed through GetApps, Xiaomi’s official application store. The infected apps are mainly games. In several cases, the applications were initially uploaded without harmful functionality and later received malicious components through software updates.

Once active, the malware can run in what researchers describe as a “phantom” mode. In this mode, it opens a hidden browser based on Android’s WebView component. This browser loads a webpage containing advertisements and a JavaScript file designed to automate interactions. The browser operates on a virtual screen that is not visible to the device owner. Screenshots of this screen are repeatedly captured and sent to the AI model, which identifies relevant ad elements and triggers taps that appear legitimate.

A second operational mode, referred to as “signalling,” gives attackers direct control. Using WebRTC technology, the malware streams a live video feed of the hidden browser to the threat actor. This allows them to perform actions such as tapping, scrolling, or entering text in real time.

Dr.Web identified multiple infected games hosted on Xiaomi’s platform, including titles with tens of thousands of downloads. Beyond official app stores, the malware has also been found in modified versions of popular streaming applications distributed through third-party APK websites, Telegram channels, and a Discord server with a large subscriber base. Many of these apps function as expected, which reduces user suspicion.

Although this activity does not directly target personal data, it still affects users through increased battery drain, higher mobile data usage, and faster device wear. For cybercriminals, however, covert ad fraud remains a profitable operation.

Security experts advise Android users to avoid downloading apps from unofficial sources and to be cautious of altered versions of well-known apps that promise free access to paid features.

Read more »
VS Code malware
BeaverTail malware Contagious Interview campaign malicious GitHub repository malware North Korea Hackers VS Code malware

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors

 

North Korea–linked threat actors behind the long-running Contagious Interview campaign have been seen leveraging weaponized Microsoft Visual Studio Code (VS Code) projects to trick victims into installing a backdoor on their systems.

According to Jamf Threat Labs, this activity reflects a steady refinement of a technique that first came to light in December 2025. The attackers continue to adapt their methods to blend seamlessly into legitimate developer workflows.

"This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

Initially revealed by OpenSourceMalware last month, the attack relies on social engineering job seekers. Targets are instructed to clone a repository hosted on platforms such as GitHub, GitLab, or Bitbucket and open it in VS Code as part of an alleged hiring assessment.

Once opened, the malicious repository abuses VS Code task configuration files to run harmful payloads hosted on Vercel infrastructure, with execution tailored to the victim’s operating system. By configuring tasks with the "runOn: folderOpen" option, the malware automatically runs whenever the project or any file within it is opened in VS Code. This process ultimately results in the deployment of BeaverTail and InvisibleFerret.

Later versions of the campaign have introduced more complex, multi-stage droppers concealed within task configuration files. These droppers masquerade as benign spell-check dictionaries, serving as a fallback if the malware cannot retrieve its payload from the Vercel-hosted domain.

As with earlier iterations, the obfuscated JavaScript embedded in these files executes immediately when the project is opened in the integrated development environment (IDE). It connects to a remote server ("ip-regions-check.vercel[.]app") and runs any JavaScript code sent back. The final payload stage consists of yet another heavily obfuscated JavaScript component.

Jamf also identified a newly observed infection method that had not been documented previously. While the initial lure remains the same—cloning and opening a malicious Git repository in VS Code—the execution path changes once the repository is trusted.

"When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained. "If that trust is granted, the application automatically processes the repository's tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system."
"On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output."

The JavaScript payload, delivered from Vercel, contains the core backdoor logic. It establishes persistence, gathers basic system information, and maintains communication with a command-and-control server to enable remote code execution and system profiling.

In at least one observed incident, Jamf noted additional JavaScript being executed approximately eight minutes after the initial compromise. This secondary payload beacons to the server every five seconds, executes further JavaScript instructions, and can delete traces of its activity upon command. Researchers suspect the code may have been generated with the help of artificial intelligence (AI), based on the language and inline comments found in the source.

Actors linked to the Democratic People's Republic of Korea (DPRK) are known to aggressively target software developers, especially those working in cryptocurrency, blockchain, and fintech environments. These individuals often possess elevated access to financial systems, wallets, and proprietary infrastructure.

By compromising developer accounts and machines, attackers could gain access to sensitive source code, internal platforms, intellectual property, and digital assets. The frequent tactical changes observed in this campaign suggest an effort to improve success rates and further the regime’s cyber espionage and revenue-generation objectives.

The disclosure coincides with findings from Red Asgard, which investigated a malicious repository abusing VS Code tasks to install a full-featured backdoor known as Tsunami (also called TsunamiKit), along with the XMRig cryptocurrency miner. Separately, Security Alliance reported on a similar attack where a victim was contacted on LinkedIn by actors posing as the CTO of a project named Meta2140. The attackers shared a Notion[.]so page containing a technical test and a Bitbucket link hosting the malicious code.

Notably, the attack framework includes multiple fallback mechanisms. These include installing a rogue npm package called "grayavatar" or executing JavaScript that downloads an advanced Node.js controller. This controller runs five modules designed to log keystrokes, capture screenshots, scan the home directory for sensitive data, replace clipboard wallet addresses, steal browser credentials, and maintain persistent communication with a remote server.

The malware further establishes a parallel Python environment using a stager script that supports data exfiltration, cryptocurrency mining via XMRig, keylogging, and the installation of AnyDesk for remote access. The Node.js and Python components are tracked as BeaverTail and InvisibleFerret, respectively.

Collectively, these observations show that the state-sponsored group is testing several delivery mechanisms simultaneously to maximize the chances of successful compromise.

"While monitoring, we've seen the malware that is being delivered change very quickly over a short amount of time," Jaron Bradley, director of Jamf Threat Labs, told The Hacker News. It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted. It's difficult to know exactly how quickly attackers are changing their workflows, but this particular threat actor has a reputation for adapting quickly."

To reduce exposure, developers are urged to remain cautious when handling third-party repositories—particularly those shared during hiring exercises—carefully review source code before opening it in VS Code, and limit npm installations to trusted, well-vetted packages.

"This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows," Jamf said. "The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools."
Read more »
XSS Vulnerability
CyberArk research dark web cybercrime info-stealer malware malware Malware-as-a-Service StealC malware XSS Vulnerability

StealC Malware Operators Exposed After XSS Bug Leaks Session and Hardware Data

 

A cross-site scripting (XSS) vulnerability in the web-based management panel used by StealC information-stealing malware operators enabled security researchers to monitor live activity and collect intelligence about the attackers’ systems.

First appearing in early 2023, StealC quickly gained traction on dark web forums due to aggressive promotion and its ability to evade detection while harvesting large volumes of sensitive data. Over time, the malware continued to evolve, with its developer rolling out several upgrades to expand functionality and appeal among cybercriminals.

A major update arrived in April last year with the launch of StealC version 2.0. This release introduced Telegram bot integration for real-time notifications, along with a revamped builder capable of creating customized malware samples based on templates and tailored data-exfiltration rules. Around the same period, the source code for StealC’s administrative panel was leaked, allowing researchers deeper insight into its internal workings.

CyberArk analysts later identified an XSS flaw within the panel that proved particularly revealing. By abusing this weakness, the team was able to gather browser and hardware fingerprints of StealC operators, monitor ongoing sessions, extract session cookies, and remotely take over active panel logins.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.

“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”

To avoid tipping off attackers and enabling a rapid fix, CyberArk chose not to publish technical specifics about the XSS issue.

The research also details a StealC user tracked as ‘YouTubeTA’, who reportedly took over dormant but legitimate YouTube channels—likely through stolen credentials—and used them to distribute malicious links. Throughout 2025, this actor conducted sustained malware campaigns, amassing more than 5,000 victim logs, roughly 390,000 passwords, and around 30 million cookies, the majority of which were non-sensitive.

Screenshots from the attacker’s control panel suggest that infections largely occurred when victims searched online for pirated versions of Adobe Photoshop and Adobe After Effects. Exploiting the XSS flaw further allowed researchers to profile the attacker’s setup, revealing the use of an Apple M3-based machine configured with English and Russian language settings, operating in an Eastern European time zone, and connecting from Ukraine.

The individual’s real location was exposed after they accessed the StealC panel without a VPN, revealing an IP address tied to Ukrainian internet provider TRK Cable TV.

CyberArk emphasized that while malware-as-a-service (MaaS) platforms allow threat actors to scale operations quickly, they also introduce significant risks by increasing the chances of operational exposure.

BleepingComputer reached out to CyberArk to understand the timing behind the disclosure. Researcher Ari Novick explained that the decision was driven by a recent surge in StealC activity, possibly linked to upheaval surrounding the Lumma malware ecosystem.

"By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market."
Read more »
StealC
Cybersecurity information stealer MaaS malware StealC

Researchers Exploit Flaw in StealC Malware Panel to Monitor Cybercriminals




Security researchers have identified a weakness in the web-based dashboard used by operators of the StealC information-stealing malware, allowing them to turn the malware infrastructure against its own users. The flaw made it possible to observe attacker activity and gather technical details about the systems being used by cybercriminals.

StealC first surfaced in early 2023 and was heavily promoted across underground cybercrime forums. It gained traction quickly because of its ability to bypass detection tools and extract a wide range of sensitive data from infected devices, including credentials and browser-stored information.

As adoption increased, the malware’s developer continued to expand its capabilities. By April 2024, a major update labeled version 2.0 introduced automated alerting through messaging services and a redesigned malware builder. This allowed customers to generate customized versions of StealC based on predefined templates and specific data theft requirements.

Around the same time, the source code for StealC’s administration panel was leaked online. This leak enabled researchers to study how the control system functioned and identify potential security gaps within the malware’s own ecosystem.

During this analysis, researchers discovered a cross-site scripting vulnerability within the panel. By exploiting this weakness, they were able to view live operator sessions, collect browser-level fingerprints, and extract session cookies. This access allowed them to remotely take control of active sessions from their own systems.

Using this method, the researchers gathered information such as approximate location indicators, device configurations, and hardware details of StealC users. In some cases, they were able to directly access the panel as if they were the attacker themselves.

To prevent rapid remediation by cybercriminals, the researchers chose not to publish technical specifics about the vulnerability.

The investigation also provided insight into how StealC was being actively deployed. One customer, tracked under an alias, had taken control of previously legitimate video-sharing accounts and used them to distribute malicious links. These campaigns remained active throughout 2025.

Data visible within the control panel showed that more than 5,000 victim systems were compromised during this period. The operation resulted in the theft of roughly 390,000 passwords and tens of millions of browser cookies, although most of the cookies did not contain sensitive information.

Panel screenshots further indicated that many infections occurred when users searched online for pirated versions of widely used creative software. This reinforces the continued risk associated with downloading cracked applications from untrusted sources.

The researchers were also able to identify technical details about the attacker’s setup. Evidence suggested the use of an Apple device powered by an M3 processor, with both English and Russian language configurations enabled, and activity aligned with an Eastern European time zone.

The attacker’s real network location was exposed when they accessed the panel without a privacy tool. This mistake revealed an IP address associated with a Ukrainian internet service provider.

Researchers noted that while malware-as-a-service platforms allow criminals to scale attacks efficiently, they also increase the likelihood of operational mistakes that can expose threat actors.

The decision to disclose the existence of the vulnerability was driven by a recent increase in StealC usage. By publicizing the risk, the researchers aim to disrupt ongoing operations and force attackers to reconsider relying on the malware, potentially weakening activity across the broader cybercrime market.

Read more »
Transparent Tribe
Advanced Persistent Threat APT36 Command And Control cyber espionage Indian Government Cyber Attacks malware Remote Access Trojan Spear Phishing Transparent Tribe

Transparent Tribe Targets Indian Public Sector and Academic Networks


Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe. 


According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time. 

In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.

APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio. 

To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document. 

Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks. 

To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script. 

It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved. 

Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime. 

Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data. 

As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used. This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems. 

In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception. 

The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence. 

When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position. 

Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs. 

Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected. 

According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape. It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks. 

There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack. 

The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan. 

In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods. 

In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed. 

By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs. 

This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment. 

Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage. Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine. 

As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip." The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.

This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file. 

It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive. 

In addition to this, a multi-stage design can be observed in the archive as well. An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process. 

As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application. 

It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected. 

Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible. 

A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.

Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems. 

It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach. 

Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure. 

A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025. 

Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company. 

By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval. 

Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent. 

According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves. 

Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve. Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions. 

It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques. This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.

StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets. 

Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.
Read more »
User Security
Browser Extension GhostPoster LayerX malware User Security

GhostPoster Malware Campaign Exposes Browser Extension Risks

 

A stealthy malware operation has been discovered by cybersecurity researchers, which remained undetected for a period of up to five years and accumulated more than 840,000 downloads on various platforms. The research began with a study by Koi Security of a Firefox browser extension called GhostPoster, which embedded its malicious code in a seemingly innocuous PNG image file. Such a trick allowed the malware to evade static analysis and manual reviews by browser markets. 

Based on the findings of Koi Security, the LayerX researchers decided to dig deeper into the infrastructure and discovered 17 more extensions that used the same backend infrastructure and had the same tactics, techniques, and procedures (TTPs). In total, these extensions had more than 840,000 downloads, with some of them remaining undetected on the users' devices for almost five years. LayerX researchers also discovered a more complex variant of the malware that used other evasion techniques and had 3,822 downloads on its own. 

The operation emanates from Microsoft Edge and then methodically moves to chrome and Firefox, which looks like the work of a patient, evolving threat actor that is focused on stealth and trust-building. The extensions used to mimic legitimate functionality at first, avoiding suspicion, while the infrastructure was in place after many years. This stress test mentality highlights how cybercriminals abuse browser extensions as a low-friction vector to compromise user security without raising alarms in the short term. 

Following the revelations, Mozilla and Microsoft immediately removed the offending extensions from their official stores, preventing further downloads. However, this removal does nothing to those copies already installed on users browsers, meaning millions might be left vulnerable to potential attacks unless they take action. LayerX’s blog stressed that users need to take an active role in mitigating ongoing risk by reviewing for and deleting the extensions. 

Browser extensions have become a lucrative target for cybercriminals as hackers exploit the deep access these extensions have to browsing data and permissions, raising the stakes for vigilance in the evolving threat landscape. Users are advised to regularly review the installed add-ons' permissions, disable the ones they don't use or need, and remove the ones they don't trust. This is a warning that even extensions or add-ons that have been trusted for a long time can potentially contain malicious code, and it effectively calls for those using any major browser to adopt a more proactive approach to security.
Read more »
malware
Aisuru botnet Android Malware Black Lotus Labs command and control servers cybersecurity research DDOS Attacks Kimwolf botnet Lumen security malware

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

 

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse.

Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services.

The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab.

Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures. Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts.

Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult.

Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands.

Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers.

By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies.

“The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together” reads the report published by Lumen.

In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion.

Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time.

“To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload” concludes the report.


Read more »
malware
Aisuru Android Botnets IP Address malware

Researchers Disrupt Major Botnet Network After It Infects Millions of Android Devices

 


Security researchers have dismantled a substantial portion of the infrastructure powering the Kimwolf and Aisuru botnets, cutting off communication to more than 550 command-and-control servers used to manage infected devices. The action was carried out by Black Lotus Labs, the threat intelligence division of Lumen Technologies, and began in early October 2025.

Kimwolf and Aisuru operate as large-scale botnets, networks of compromised devices that can be remotely controlled by attackers. These botnets have been used to launch distributed denial-of-service attacks and to route internet traffic through infected devices, effectively turning them into unauthorized residential proxy nodes.

Kimwolf primarily targets Android systems, with a heavy concentration on unsanctioned Android TV boxes and streaming devices. Prior technical analysis showed that the malware is delivered through a component known as ByteConnect, which may be installed directly or bundled into applications that come preloaded on certain devices. Once active, the malware establishes persistent access to the device.

Researchers estimate that more than two million Android devices have been compromised. A key factor enabling this spread is the exposure of Android Debug Bridge services to the internet. When left unsecured, this interface allows attackers to install malware remotely without user interaction, enabling rapid and large-scale infection.

Follow-up investigations revealed that operators associated with Kimwolf attempted to monetize the botnet by selling access to the infected devices’ internet connections. Proxy bandwidth linked to compromised systems was offered for sale, allowing buyers to route traffic through residential IP addresses in exchange for payment.

Black Lotus Labs traced parts of the Aisuru backend to residential SSH connections originating from Canadian IP addresses. These connections were used to access additional servers through proxy infrastructure, masking malicious activity behind ordinary household networks. One domain tied to this activity briefly appeared among Cloudflare’s most accessed domains before being removed due to abuse concerns.

In early October, researchers identified another Kimwolf command domain hosted on infrastructure linked to a U.S.-based hosting provider. Shortly after, independent reporting connected multiple proxy services to a now-defunct Discord server used to advertise residential proxy access. Individuals associated with the hosting operation were reportedly active on the server for an extended period.

During the same period, researchers observed a sharp increase in Kimwolf infections. Within days, hundreds of thousands of new devices were added to the botnet, with many of them immediately listed for sale through a single residential proxy service.

Further analysis showed that Kimwolf infrastructure actively scanned proxy services for vulnerable internal devices. By exploiting configuration flaws in these networks, the malware was able to move laterally, infect additional systems, and convert them into proxy nodes that were then resold.

Separate research uncovered a related proxy network built from hundreds of compromised home routers operating across Russian internet service providers. Identical configurations and access patterns indicated automated exploitation at scale. Because these devices appear as legitimate residential endpoints, malicious traffic routed through them is difficult to distinguish from normal consumer activity.

Researchers warn that the abuse of everyday consumer devices continues to provide attackers with resilient, low-visibility infrastructure that complicates detection and response efforts across the internet.

Read more »
VoidLink Framework
Advanced Persistent Threats Cloud Infrastructure Threats Cloud Security Container Security Cyber Threat Intelligence malware supply chain attacks VoidLink Framework

VoidLink Malware Poses Growing Risk to Enterprise Linux Cloud Deployments


 

A new cybersecurity threat has emerged beneath the surface of the modern digital infrastructure as organizations continue to increase their reliance on cloud computing. Researchers warn that a subtle but dangerous shift is occurring beneath the surface. 

According to Check Point Research, a highly sophisticated malware framework known as VoidLink, is being developed by a group of cyber criminals specifically aimed at infiltrating and persisting within cloud environments based on Linux. 

As much as the industry still concentrates on Windows-centric threats, VoidLink's appearance underscores a strategic shift by advanced threat actors towards Linux-based systems that are essential to the runtime of cloud platforms, containerized workloads, and critical enterprise services, even at a time when many of the industry's defensive focus is still on Windows-centric threats. 

Instead of representing a simple piece of malicious code, VoidLink is a complex ecosystem designed to deliver long-term, covert control over compromised servers by establishing long-term, covert controls over the servers themselves, effectively transforming cloud infrastructure into an attack vector all its own. 

There is a strong indication that the architecture and operational depth of this malware suggests it was designed by well-resourced, professional adversaries rather than opportunistic criminals, posing a serious challenge for defenders who may not know that they are being silently commandeered and used for malicious purposes.

Check Point Research has published a detailed analysis of VoidLink to conclude that it is not just a single piece of malicious code; rather, it is a cloud-native, fully developed framework that is made up of customized loaders, implants, rootkits, and a variety of modular plugins that allows operators to extend, modify, and repurpose its functionality according to their evolving operational requirements. 

Based on its original identification in December 2025, the framework was designed with a strong emphasis on dependability and adaptability within cloud and containerized environments, reflecting the deliberate emphasis on persistence and adaptability within the framework. 

There were many similarities between VoidLink and Cobalt Strike's Beacon Object Files model, as the VoidLink architecture is built around a bespoke Plugin API that draws conceptual parallels to its Plugin API. There are more than 30 modules available at the same time, which can be shifted rapidly without redeploying the core implant as needed. 

As the primary implant has been programmed in Zig, it can detect major cloud platforms - including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, and Tencent - and adjust its behavior when executed within Docker containers or Kubernetes pods, dynamically adjusting itself accordingly. 

Furthermore, the malware is capable of harvesting credentials linked to cloud services as well as extensively used source code management platforms like Git, showing an operational focus on software development environments, although the malware does not appear to be aware of the environment. 

A researcher has identified a framework that is actively maintained as the work of threat actors linked to China, which emphasizes a broader strategic shift away from Windows-centric attacks toward Linux-based attacks which form the basis for cloud infrastructures and critical digital operations, and which can result in a range of potential consequences, ranging from the theft of data to the compromise of large-scale supply chains. 

As described by its developers internally as VoidLink, the framework is built as a cloud-first implant that uses Zig, the Zig programming language to develop, and it is designed to be deployed across modern, distributed environments. 

Depending on whether or not a particular application is being executed on Docker containers or Kubernetes clusters, the application dynamically adjusts its behavior to comply with that environment by identifying major cloud platforms and determining whether it is running within them. 

Furthermore, the malware has been designed to steal credentials that are tied to cloud-based services and popular source code management systems, such as Git, in addition to environmental awareness. With this capability, software development environments seem to be a potential target for intelligence collection, or to be a place where future supply chain operations could be conducted.

Further distinguishing VoidLink from conventional Linux malware is its technical breadth, which incorporates rootkit-like techniques, loadable kernel modules, and eBPF, as well as an in-memory plugin system allowing for the addition of new functions without requiring people to reinstall the core implant, all of which is supported by LD_PRELOAD. 

In addition to adapting evasion behavior based on the presence of security tooling, the stealth mechanism also prioritizes operational concealment in closely monitored environments, which in turn alters its evasion behavior accordingly. 

Additionally, the framework provides a number of command-and-control mechanisms, such as HTTP and HTTPS, ICMP, and DNS tunneling, and enables the establishment of peer-to-peer or mesh-like communication among compromised hosts through the use of a variety of command-and-control mechanisms. There is some evidence that the most components are nearing full maturity.

A functional command-and-control server is being developed and an integrated web-based management interface is being developed that facilitates centralized control of the agents, implants, and plugins by operators. To date, no real-world infection has been confirmed. 

The final purpose of VoidLink remains unclear as well, but based on its sophistication, modularity, and apparent commercial-grade polish, it appears to be designed for wider operational deployment, either as a tailored offensive tool created for a particular client or as a productized offensive framework that is intended for broader operational deployment. 

Further, Check Point Research has noted that VoidLink is accompanied by a fully featured, web-based command-and-control dashboard that allows operators to do a centralized monitoring and analysis of compromised systems, including post-exploitation activities, to provide them with the highest level of protection. 

Its interface, which has been localized for Chinese-language users, allows operations across familiar phases, including reconnaissance, credential harvesting, persistence, lateral movement, and evidence destruction, confirming that the framework is designed to be used to engage in sustained, methodical campaigns rather than opportunistic ones.

In spite of the fact that there were no confirmed cases of real-world infections by January 2026, researchers have stated that the framework has reached an advanced state of maturity—including an integrated C2 server, a polished dashboard for managing operations, and an extensive plugin ecosystem, which indicates that its deployment could be imminent.

According to the design philosophy behind the malware, the goal is to gain long-term access to cloud environments and keep a close eye on cloud users. This marks a significant step up in the sophistication of Linux-focused malware. It was argued by the researchers in their analysis that VoidLink's modular plug-ins extend their reach beyond cloud workloads to the developer and administrator workstations which interact directly with these environments.

A compromised system is effectively transformed into a staging ground that is capable of facilitating further intrusions or potential supply chain compromises if it is not properly protected. Their conclusion was that this emergence of such an advanced framework underscores a broader shift in attackers' interest in Linux-based cloud and container platforms, away from traditional Windows-based targets. 

This has prompted organizations to step up their security efforts across the full spectrum of Linux, cloud, and containerized infrastructures, as attacks become increasingly advanced. Despite the fact that VoidLink was discovered by chance in the early days of cloud adoption, it serves as a timely reminder that security assumptions must evolve as rapidly as the infrastructure itself. 

Since attackers are increasingly investing in frameworks built to blend into Linux and containerized environments, organizations are no longer able to protect critical assets by using perimeter-based controls and Windows-focused threat models. 

There is a growing trend among security teams to adopt a cloud-aware defense posture that emphasizes continuous monitoring, least-privilege access, and rigorous monitoring of the deployment of development and administrative endpoints that are used for bridging on-premise and cloud platforms in their development and administration processes. 

An efficient identity management process, hardened container and Kubernetes configurations, and increased visibility into east-west traffic within cloud environments can have a significant impact on the prevention of long-term, covert compromises within cloud deployments.

There is also vital importance in strengthening collaboration between the security, DevOps, and engineering teams within the platform to ensure that detection and response capabilities keep pace with the ever-changing and adaptive threat landscape. 

Modern enterprises have become dependent on digital infrastructure to support the operation of their businesses, and as frameworks like VoidLink are closer to real-world deployment, investing in Linux and cloud security at this stage is important not only for mitigating emerging risks, but also for strengthening the resilience of the infrastructure that supports them.
Read more »
Subscribe to: Comments (Atom)