Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Website Security
Cyber Security CyberCrime Cybersecurity Data Breach eCommerce Google Tag Manager Hacking Magento malware Payment security Website Security

Cybercriminals Exploit Google Tag Manager to Steal Payment Data from Magento Sites

 

Cybercriminals have been leveraging Google Tag Manager (GTM) to inject malware into Magento-powered eCommerce websites, compromising customer payment data, according to cybersecurity experts.

Security researchers at Sucuri recently detected a live attack where a Magento-based online store suffered a credit card data breach. The investigation led to a malicious script embedded within Google Tag Manager, which, while appearing to be a standard tracking tool, was designed to steal sensitive payment information.

Google Tag Manager is a widely used tag management system that enables website owners to deploy tracking codes without modifying site code directly. However, attackers obfuscate the injected script, making detection difficult. The malware captures payment details at checkout and transmits them to a remote server. Researchers also discovered a backdoor, allowing persistent access to compromised sites.

At least six websites were found infected with the same GTM ID, and one domain used in the attack, eurowebmonitortool[dot]com, has now been blacklisted by major security firms. Cybersecurity experts emphasize that this attack method is not new. Sucuri researchers had previously identified similar threats, reaffirming that this technique is "still being widely used."

Given its popularity among eCommerce businesses, Magento remains a primary target for cybercriminals. Stolen payment data can be exploited for fraudulent purchases, malvertising campaigns, and other illicit activities.

Security Measures for Protection
To mitigate risks, website administrators should:
  • Remove any suspicious GTM tags
  • Conduct a full security scan
  • Ensure Magento and all extensions are updated
  • Regularly monitor site traffic and GTM configurations for anomalies
Proactive cybersecurity measures and ongoing vulnerability monitoring are crucial to safeguarding eCommerce platforms from such sophisticated attacks.
Read more »
malware
Artificial Intelligence Hackers Identity Fraud malware

Cybercriminals Are Now Targeting Identities Instead of Malware

 



The way cybercriminals operate is changing. Instead of using malicious software to break into systems, they are now focusing on stealing and exploiting user identities. A recent cybersecurity report shows that three out of four cyberattacks involve stolen login credentials rather than traditional malware. This trend is reshaping the way security threats need to be addressed.

Why Hackers Are Relying on Stolen Credentials

The underground market for stolen account details has grown rapidly, making user identities a prime target for cybercriminals. With automated phishing scams, artificial intelligence-driven attacks, and social engineering techniques, hackers can gain access to sensitive data without relying on malicious software. 

According to cybersecurity experts, once a hacker gains access using valid credentials, they can bypass security barriers with ease. Many organizations focus on preventing external threats but struggle to detect attackers who appear to be legitimate users. This raises concerns about how companies can defend against these invisible intrusions.

Speed of Cyberattacks Is Increasing

Another alarming discovery is that hackers are moving faster than ever once they gain access. The shortest recorded time for a cybercriminal to spread through a system was just over two minutes. This rapid escalation makes it difficult for security teams to respond in time.

Traditional cybersecurity tools are designed to detect malware and viruses, but identity-based attacks leave no obvious traces. Instead, hackers manipulate system tools and access controls to remain undetected for extended periods. This technique, known as "living-off-the-land," enables them to blend in with normal network activity.

Attackers Are Infiltrating Multiple Systems

Modern cybercriminals do not confine themselves to a single system. Once they gain access, they move between cloud storage, company networks, and online services. This flexibility makes them harder to detect and stop.

Security experts warn that attackers often stay hidden in networks for months, waiting for the right moment to strike. Organizations that separate security measures—such as cloud security, endpoint protection, and identity management—often create loopholes that criminals exploit to maintain access and avoid detection.

AI’s Role in Cybercrime

Hackers are also taking advantage of artificial intelligence to refine their attacks. AI-driven tools help them crack passwords, manipulate users into revealing information, and automate large-scale cyber threats more efficiently than ever before. This makes it crucial for organizations to adopt equally advanced security measures to counteract these threats.

How to Strengthen Cybersecurity

Since identity theft is now a primary method of attack, organizations need to rethink their approach to cybersecurity. Here are some key strategies to reduce risk:

1. Enable Multi-Factor Authentication (MFA): This adds extra layers of protection beyond passwords.
2. Monitor Login Activities: Unusual login locations or patterns should be flagged and investigated.
3. Limit Access to Sensitive Data: Employees should only have access to the information they need for their work.
4. Stay Updated on Security Measures: Companies must regularly update their security protocols to stay ahead of evolving threats.


As hackers refine their techniques, businesses and individuals must prioritize identity security. By implementing strong authentication measures and continuously monitoring for suspicious activity, organizations can strengthen their defenses and reduce the risk of unauthorized access.





Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
SparkCat
Android app removal Apple Breach Cyber Security Cybersecurity Data Google iOS malware SparkCat

Apple and Google Remove 20 Apps Infected with Data-Stealing Malware


Apple and Google have removed 20 apps from their respective app stores after cybersecurity researchers discovered that they had been infected with data-stealing malware for nearly a year.

According to Kaspersky, the malware, named SparkCat, has been active since March 2024. Researchers first detected it in a food delivery app used in the United Arab Emirates and Indonesia before uncovering its presence in 19 additional apps. Collectively, these infected apps had been downloaded over 242,000 times from Google Play Store.

The malware uses optical character recognition (OCR) technology to scan text displayed on a device’s screen. Researchers found that it targeted image galleries to identify keywords associated with cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, and Korean. 

By capturing these recovery phrases, attackers could gain complete control over victims' wallets and steal their funds. Additionally, the malware could extract sensitive data from screenshots, such as messages and passwords.

Following Kaspersky’s report, Apple removed the infected apps from the App Store last week, and Google followed soon after.

Google spokesperson Ed Fernandez confirmed to TechCrunch: "All of the identified apps have been removed from Google Play, and the developers have been banned."

Google also assured that Android users were protected from known versions of this malware through its built-in Google Play Protect security system. Apple has not responded to requests for comment.

Despite the apps being taken down from official stores, Kaspersky spokesperson Rosemarie Gonzales revealed that the malware is still accessible through third-party websites and unauthorized app stores, posing a continued threat to users.
Read more »
User Privacy
Cyber Scam Malicious Campaign malware Tria Stealer User Privacy

Fake Wedding Invitation Malware Targets Android Users

 

Malicious actors are propagating a recently discovered Android malware called Tria by sending phoney wedding invitations to consumers in Brunei and Malaysia. 

According to a report published by the Russian cybersecurity firm Kaspersky, the attackers have been using private and group chats on Telegram and WhatsApp since mid-2024 to distribute the malware, inviting users to weddings and prompting them to install a mobile app in order to get the invitation.

Once the malware is installed, it can collect private information from call logs, emails (including Gmail and Outlook), SMS messages, and messaging apps (such as WhatsApp and WhatsApp Business). 

Researchers caution that accounts that depend on email and messaging app authentication could be compromised, passwords can be reset, or online banking can be accessed using the stolen data. 

The attackers' main objective seems to be taking complete control of the victims' Telegram and WhatsApp accounts so they can make phoney money requests to connections or propagate malware. To process stolen data, the hackers employ two Telegram bots: one for managing SMS data and another for gathering text from emails and instant messaging apps. 

According to Kaspersky, posts on social media sites like Facebook and X suggest that the campaign has reached a number of Android users in Malaysia, while the precise number of victims is still unknown.

The researchers have not identified a specific organisation responsible for the attack, but evidence implies that the hackers are Indonesian-speaking. 

In 2023, Kaspersky discovered a similar effort known as UdangaSteal, in which hackers stole text messages from users in Indonesia, Malaysia, and India and transmitted the data to their servers using a Telegram bot. The attackers utilised a variety of deceptive approaches to trick users into installing malicious files, such as bogus wedding invites, package delivery notifications, annual tax payment reminders, and job offers. 

Despite their similarities, experts identify major differences between the two attacks, such as distinct malware code, geographic targets, and attack techniques. While UdangaSteal has always focused on SMS theft, experts say Tria has a larger reach, attacking emails and chat apps as well as SMS conversations.
Read more »
malware
Bank Accounts Hacking links Malaysia malware

Fake Wedding Invitations Used to Hack Phones in Southeast Asia

 



Cybercriminals have found a new way to trick smartphone users, fake wedding invitations. According to cybersecurity researchers, a newly discovered malware named Tria is being used to infect Android devices, primarily in Malaysia and Brunei. The attackers are disguising malicious links as wedding invitations and sending them via WhatsApp and Telegram to unsuspecting victims.  

Once a user clicks the link and downloads the application, the malware starts working silently in the background, stealing sensitive personal information.  


How the Malware Works  

This cyberattack has been active since mid-2024. It follows a simple but effective strategy:  

1. The hackers send a fake wedding invitation through group or private chats.  

2. The invitation asks recipients to download an app to access event details.  

3. Once installed, the app secretly collects private information from the victim’s phone.  

The stolen data includes:  

  • Text messages (SMS)  
  • Emails from accounts like Gmail and Outlook 
  • Call history  
  • Messages from apps like WhatsApp and WhatsApp Business  


Cybersecurity experts warn that this stolen data can be used in several ways, including:  

1. Hijacking banking accounts  

2. Resetting passwords for email and social media  

3. Taking over messaging apps to send fraudulent messages  


Why Hackers Want Control of Your Messaging Apps  

One of the biggest concerns is that hackers aim to take control of WhatsApp and Telegram accounts. Once they gain access, they can:  

  • Send malicious links to more people, spreading the malware further.  
  • Pretend to be the victim and ask contacts for money.  
  • Steal private conversations and sensitive business information.  


To process the stolen data, cybercriminals use Telegram bots, automated systems that collect and sort the information.  

  • One bot gathers data from messaging apps and emails.  
  • Another bot handles SMS messages.  

The exact group responsible for this attack is unknown, but cybersecurity researchers suspect that the hackers speak Indonesian. They have not been linked to any specific organization yet.  


Similarities to Previous Attacks  

This type of scam is not entirely new. In 2023, cybersecurity experts discovered a malware campaign called UdangaSteal, which targeted users in Indonesia, Malaysia, and India.  

1. UdangaSteal also used fake invitations and job offers to trick victims.  

2. It mainly focused on stealing SMS messages.  

However, Tria is more advanced because it collects a wider range of data, including emails and instant messaging conversations.  


How to Protect Yourself  

Cybersecurity experts recommend taking extra precautions to avoid falling victim to such scams:  

1. Be cautious of unexpected messages, even from known contacts.  

2. Never download apps from links shared in messaging apps.  

3. Use official app stores (Google Play Store) to download apps.  

4. Enable two-factor authentication (2FA) for your accounts.  

5. Verify invitations by calling or messaging the sender directly.

As online scams grow more intricate, staying vigilant is the best way to protect your personal data. If something seems too unusual or suspicious, it’s best to ignore it.

Read more »
social media scams
cryptocurrency theft cybercrime syndicate information stealers malware social media scams

Crazy Evil Gang Strikes Crypto Sector with StealC, AMOS, and Angel Drainer Malware

 


A Russian-speaking cybercrime syndicate, Crazy Evil, has been tied to more than 10 active social media scams, employing diverse tactics to trick victims into installing malicious software such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.

"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil operates a sophisticated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing sites," stated Recorded Future's Insikt Group in their analysis.

The group's varied malware arsenal indicates that its targets include both Windows and macOS users, posing a significant threat to the decentralized finance sector.

Crazy Evil, active since at least 2021, mainly operates as a traffer team, redirecting legitimate traffic to fraudulent landing pages controlled by other criminal entities. It is allegedly managed by a figure known as @AbrahamCrazyEvil on Telegram, where the group has over 4,800 subscribers (@CrazyEvilCorp).

Unlike typical scams that create counterfeit shopping websites for fraudulent transactions, Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment card information, and online banking credentials. The group is believed to have generated over $5 million in illicit revenue, impacting thousands of devices worldwide.

The group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLove—which were previously associated with a ClickFix campaign involving fake Google Meet pages in October 2024.

"Crazy Evil explicitly targets the cryptocurrency sector with custom spear-phishing lures," Recorded Future noted. "Crazy Evil traffers often spend days or even weeks scouting operations, identifying targets, and initiating engagements."

In addition to orchestrating attacks that deliveThe group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLover information stealers and wallet-draining malware, the group's leaders offer training materials and guidance for traffers, alongside an affiliate structure to delegate operations.

Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years, with its operations centered around Telegram. New recruits are guided by a Telegram bot controlled by the threat actor to various private channels, such as:

  • Payments: Announcing earnings for traffers
  • Logbar: Tracking information-stealer attacks and stolen data
  • Info: Offering regular updates on administrative and technical matters
  • Global Chat: A central space for communication, from work-related topics to casual discussions
The group operates through six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each responsible for specific scams involving the installation of malicious tools via fake websites.

"As Crazy Evil continues to thrive, other cybercriminal groups are likely to mimic its tactics, urging security teams to stay alert to avoid large-scale breaches and loss of trust within the cryptocurrency, gaming, and software sectors," said Recorded Future.

This revelation follows the discovery of a traffic distribution system (TDS) named TAG-124, which overlaps with activity clusters linked to multiple threat groups, including Rhysida ransomware, Interlock ransomware, and SocGholish. This TDS is used in initial infection chains to distribute malware, such as the Remcos RAT and CleanUpLoader, which serves as a conduit for both Rhysida and Interlock ransomware.

"TAG-124 is composed of compromised WordPress sites, actor-controlled payload servers, and additional components," explained Recorded Future. "When specific criteria are met, these sites display fake Google Chrome update landing pages, leading to malware infections."

The use of TAG-124 further links Rhysida and Interlock ransomware strains, with newer variants employing the ClickFix technique, which instructs visitors to execute a command copied to their clipboard to trigger the malware infection.

Compromised WordPress sites, totaling over 10,000, have been used to distribute AMOS and SocGholish as part of client-side attacks.

"JavaScript loaded in the user's browser generates a fake page within an iframe," said researcher Himanshu Anand. "Attackers exploit outdated WordPress versions and plugins to avoid detection by websites lacking client-side monitoring tools."

Additionally, threat actors have leveraged the trust in platforms like GitHub to distribute malicious installers leading to the deployment of Lumma Stealer and other payloads, including SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

Trend Micro highlighted that this activity shares similarities with the tactics used by the threat actor Stargazer Goblin, known for utilizing GitHub repositories for payload distribution. However, the key difference is that the infection chain begins with compromised websites that redirect to malicious GitHub release links.

"The Lumma Stealer distribution method is evolving, with the attacker now using GitHub repositories to host malware," said security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.

"The malware-as-a-service (MaaS) model makes it easier for cybercriminals to execute sophisticated cyberattacks, simplifying the spread of threats like Lumma Stealer."

In a comment to The Hacker News, Antonis Terefos, a reverse engineer at Check Point Research, noted that the Stargazer Goblin group has been observed "shifting from Atlantida Stealer to Lumma, and testing other stealers."
Read more »
Telegram
AI Development ChatGPT Cyberattacks CyberCrime CyberThreat GhostGPT malware Telegram

Cyberattackers Exploit GhostGPT for Low-Cost Malware Development

 


The landscape of cybersecurity has been greatly transformed by artificial intelligence, which has provided both transformative opportunities as well as emerging challenges. Moreover, AI-powered security tools have made it possible for organizations to detect and respond to threats much more quickly and accurately than ever before, thereby enhancing the effectiveness of their cybersecurity defenses. 

These technologies allow for the analysis of large amounts of data in real-time, the identification of anomalies, and the prediction of potential vulnerabilities, strengthening a company's overall security. Cyberattackers have also begun using artificial intelligence technologies like GhostGPT to develop low-cost malware. 

By utilizing this technology, cyberattackers can create sophisticated, evasive malware, posing a serious threat to the security of the Internet. Therefore, organizations must remain vigilant and adapt their defenses to counter these evolving tactics. However, cybercriminals also use AI technology, such as GhostGPT, to develop low-cost malware, which presents a significant threat to organizations as they evolve. By exploiting this exploitation, they can devise sophisticated attacks that can overcome traditional security measures, thus emphasizing the dual-edged nature of artificial intelligence. 

Conversely, the advent of generative artificial intelligence has brought unprecedented risks along with it. Cybercriminals and threat actors are increasingly using artificial intelligence to craft sophisticated, highly targeted attacks. AI tools that use generative algorithms can automate phishing schemes, develop deceptive content, or even build alarmingly effective malicious code. Because of its dual nature, AI plays both a shield and a weapon in cybersecurity. 

There is an increased risk associated with the use of AI tools, as bad actors can harness these technologies with a relatively low level of technical competence and financial investment, which exacerbates these risks. The current trend highlights the need for robust cybersecurity strategies, ethical AI governance, and constant vigilance to protect against misuse of AI while at the same time maximizing its defense capabilities. It is therefore apparent that the intersection between artificial intelligence and cybersecurity remains a critical concern for the industry, policymakers, and security professionals alike. 

Recently introduced AI chatbot GhostGPT has emerged as a powerful tool for cybercriminals, enabling them to develop malicious software, business email compromise scams, and other types of illegal activities through the use of this chatbot. It is GhostGPT's uniqueness that sets it apart from mainstream artificial intelligence platforms such as ChatGPT, Claude, Google Gemini, and Microsoft Copilot in that it operates in an uncensored manner, intentionally designed to circumvent standard security protocols as well as ethical requirements. 

Because of its uncensored capability, it can create malicious content easily, providing threat actors with the resources to carry out sophisticated cyberattacks with ease. It is evident from the release of GhostGPT that generative AI poses a growing threat when it is weaponized, a concern that is being heightened within the cybersecurity community. 

A tool called GhostGPT is a type of artificial intelligence that enables the development and implementation of illicit activities such as phishing, malware development, and social engineering attacks by automating these activities. A reputable AI model like ChatGPT, which integrates security protocols to prevent abuse, does not have any ethical safeguards to protect against abuse. GhostGPT operates without ethical safeguards, which allows it to generate harmful content unrestrictedly. GhostGPT is marketed as an efficient tool for carrying out many malicious activities. 

A malware development kit helps developers generate foundational code, identify and exploit software vulnerabilities, and create polymorphic malware that can bypass detection mechanisms. In addition to enhancing the sophistication and scale of email-based attacks, GhostGPT also provides the ability to create highly customized phishing emails, business email compromise templates, and fraudulent website designs that are designed to fool users. 

By utilizing advanced natural language processing, it allows you to craft persuasive malicious messages that are resistant to traditional detection mechanisms. GhostGPT offers a highly reliable and efficient method for executing sophisticated social engineering attacks that raise significant concerns regarding security and privacy. GhostGPT uses an effective jailbreak or open-source configuration to execute such attacks. ASeveralkey features are included, such as the ability to produce malicious outputs instantly by cybercriminals, as well as a no-logging policy, which prevents the storage of interaction data and ensures user anonymity. 

The fact that GhostGPT is distributed through Telegram lowers entry barriers so that even people who do not possess the necessary technical skills can use it. Consequently, this raises serious concerns about its ability to escalate cybercrime. According to Abnormal Security, a screenshot of an advertisement for GhostGPT was revealed, highlighting GhostGPT's speed, ease of use, uncensored responses, strict no-log policy, and a commitment to protecting user privacy. 

According to the advertisement, the AI chatbot can be used for tasks such as coding, malware creation, and exploit creation, while also being referred to as a scam involving business email compromise (BEC). Furthermore, GhostGPT is referred to in the advertisement as a valuable cybersecurity tool and has been used for a wide range of other purposes. However, Abnormal has criticized these claims, pointing out that GhostGPT can be found on cybercrime forums and focuses on BEC scams, which undermines its supposed cybersecurity capabilities. 

It was discovered during the testing of the chatbot by abnormal researchers that the bot had the capability of generating malicious or maliciously deceptive emails, as well as phishing emails that would fool victims into believing that the emails were genuine. They claimed that the promotional disclaimer was a superficial attempt to deflect legal accountability, which is a tactic common within the cybercrime ecosystem. In light of GhostGPT's misuse, there is a growing concern that uncensored AI tools are becoming more and more dangerous. 

The threat of rogue AI chatbots such as GhostGPT is becoming increasingly severe for security organizations because they drastically lower the entry barrier for cybercriminals. Through simple prompts, anyone, regardless of whether they possess any coding skills or not, can quickly create malicious code. Aside from this, GhostGPT improves the capabilities of individuals with existing coding experience so that they can improve malware or exploits and optimize their development. 

GhostGPT eliminates the need for time-consuming efforts to jailbreak generative AI models by providing a straightforward and efficient method of creating harmful outcomes from them. Because of this accessibility and ease of use, the potential for malicious activities increases significantly, and this has led to a growing number of cybersecurity concerns. After the disappearance of ChatGPT in July 2023, WormGPT emerged as the first one of the first AI model that was specifically built for malicious purposes. 

It was developed just a few months after ChatGPT's rise and became one of the most feared AI models. There have been several similar models available on cybercrime marketplaces since then, like WolfGPT, EscapeGPT, and FraudGPT. However, many have not gained much traction due to unmet promises or simply being jailbroken versions of ChatGPT that have been wrapped up. According to security researchers, GhostGPT may also busea wrapper to connect to jailbroken versions of ChatGPT or other open-source language models. 

While GhostGPT has some similarities with models like WormGPT and EscapeGPT, researchers from Abnormal have yet to pinpoint its exact nature. As opposed to EscapeGPT, whose design is entirely based on jailbreak prompts, or WormGPT, which is entirely customized, GhostGPT's transparent origins complicate direct comparison, leaving a lot of uncertainty about whether it is a custom large language model or a modification of an existing model.
Read more »
VPN
CyberCrime Cybersecurity CyberThreat Fake VPN Google malware SEO VPN

Malware Infections Surge from Fake VPN Downloads

 


An attacker is reportedly injecting malware into infected devices using popular VPN applications to gain remote control of the devices they are attacking. Google's Managed Defense team reported this disturbing finding, which sheds light on how malicious actors use SEO poisoning tactics to spread what is known as Playfulghost.

It has become increasingly important for individuals who prioritize the protection of their personal data and online privacy to use virtual private networks (VPNs). VPNs establish a secure, encrypted connection between users' devices and the internet, protecting their IP addresses and online activity against prying eyes. 

However, it should be noted that not all VPN applications are trustworthy. The number of fake VPN apps being distributed under the guise of legitimate services is increasing, stealing the sensitive information of unsuspecting users. Researchers have discovered that during the third quarter of 2024, fake VPN applications have become increasingly widespread globally, which is a worrying trend. In comparison to the second quarter, security analysts have reported a 2.5-fold increase in user encounters with fraudulent VPN apps.

These apps were either infected with malware or were built in such a way that they could be exploited by malicious actors. As a result of this alarming development, it is critical to be vigilant when choosing VPN services. Users should take precautionary measures when choosing VPN services and ensure that the apps they download are legitimate before downloading to safeguard their data and devices. 

As more and more home users turn to virtual private networks (VPNs) as a means to safeguard their privacy, to ensure their internet activity is secure, and to circumvent regional content blocks, these VPNs are becoming increasingly popular. Scammers and hackers are aware that the popularity of VPNs is growing, and so they intend to take advantage of that trend as much as possible. 

As an example, recently it has been found that some VPNs have been found to have security vulnerabilities that do not make them as secure as they should be. Playfulghost is a backdoor similar to Gh0st RAT, a remote administration tool that is well-known in the security community. According to Google's expert, Playfulghost is "a backdoor that shares functionality with Gh0st RAT." The latter has been around since 2008, and it is considered one of the best. 

The traffic patterns of Playfulghost can be distinguished from those of other known threats, especially in terms of encryption and traffic patterns. There are several ways hackers use phishing and SEO poisoning to trick their victims into downloading malicious software onto their computers, and according to a Google expert, one victim was tricked into opening a malicious image file for Playfulghost to run remotely from a remote location, which results in the malware being downloaded onto his computer. In the same vein, SEO poisoning techniques employed trojanized virtual private network (VPN) apps to download Playfulghost components from a remote server on the victims' devices (see GIF below). 

Infected with Payfulghost, an attacker can remotely execute a wide range of tasks on the device once it has been infected. It is particularly dangerous as a virus. Data mining is capable of capturing keystrokes, screenshots, and audio, as well as capturing screenshots. In addition to this, attackers can also perform file management activities, including opening, deleting, and writing new files. Security experts from Google have warned that a new malware threat has been detected that is very dangerous. It is known as Playfulghost and is distributed worldwide via fraudulent VPN apps. Researchers have warned that this scam uses sophisticated techniques to trick users into downloading infected VPN software, including what is called "SEO poisoning". 

There is something especially cruel about this latest cyberattack because signing up for one of the best VPN deals is usually an easy way to improve users' level of privacy and security online. Unfortunately, those who installed the fake VPN applications laced with malware in the last few days have now found themselves in the worst possible position due to the malware they have installed. As people know, the purpose of Playfulghost is to allow hackers to monitor every letter users type on their keyboard, a practice known as keylogging. 

It can also record audio from the built-in microphone on users' computers, laptops, tablets, or desktops, and it can also be used as a tool to record what they are seeing on the screen, which is often used for blackmail. The dangerous malware also enables attackers to remotely execute various file management activities, including opening, deleting, and writing new files, This can enable hackers to download and install other types of malware on machines infected with Playfulghost. Playfulghost also makes it possible for attackers to perform various file management activities remotely, such as opening, deleting, and creating files, allowing hackers to download and install other kinds of malware on computers infected with this dangerous malware. 

As it turns out, Playfulghost's functionality is quite similar to Gh0st RAT, which has wreaked havoc on PCs since 2001 and is now a public open-source tool, whose source code was released in 2008. Since this code is widely available, there have been several copies and clones created, including the latest variant. In addition to utilizing distinct traffic patterns and encryption, Google security researchers have pinpointed two methods by which the malware is being spread by hackers, according to their study. The first is using the infected computers' network cables and the second is via the Internet. 

 The first thing to know is that cybercriminals are utilizing phishing emails — unsolicited messages that entice people to download malicious software. One of the earliest examples that was spotted by Google's team involved emails with themes such as "Code of Conduct" which trick users into downloading the attached file, which turned out to be Playfulghost, a nasty infection. 

Another documented case has also been found in which a victim was tricked into opening a malicious image file and when they opened it in the background Playfulghost was automatically installed and activated on their computer from a remote server. Secondly, the malware may also be spread by bundling it with popular VPN apps in a process known as SEO poisoning. This method has been gaining popularity recently among virus creators. Search engine poisoning is the act of manipulating or hacking a search engine to make malicious downloads appear as an official import.
Read more »
malware
fake ads Google Ads Infostealer Malicious Campaign malware

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

 

Hackers are once more exploiting Google advertisements to disseminate malware, using a fake Homebrew website to compromise Macs and Linux systems with an infostealer that harvests credentials, browsing data, and cryptocurrency wallets. 

Ryan Chenkie discovered the fraudulent Google ad campaign and warned on X regarding the potential of malware infection. The malware employed in this operation is AmosStealer (aka 'Atomic'), an infostealer intended for macOS devices and sold to malicious actors on a monthly subscription basis for $1,000. 

The malware recently appeared in various malvertising campaigns promoting bogus Google Meet conferencing pages, and it is now the preferred stealer for fraudsters targeting Apple customers. 

Targeting Homebrew customers 

Homebrew is a popular open-source package manager for macOS and Linux that lets you install, update, and manage software using the command line. 

A fraudulent Google advertising featured the correct Homebrew URL, "brew.sh," misleading even seasoned users into clicking it. However, the ad redirected users to a bogus Homebrew website hosted at "brewe.sh". Malvertisers have extensively exploited this URL strategy to trick users into visiting what appears to be a legitimate website for a project or organisation.

When the visitor arrives at the site, he or she is requested to install Homebrew by copying and pasting a command from the macOS Terminal or Linux shell prompt. The official Homebrew website provides a similar command for installing legitimate software. However, running the command displayed on the bogus website will download and execute malware on the device. 

Cybersecurity expert JAMESWT discovered that the malware injected in this case [VirusTotal] is Amos, a potent infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and online browser data. Mike McQuaid, Homebrew's project leader, indicated that the project is aware of the situation but that it is beyond its control, criticising Google's lack of oversight. 

"Mac Homebrew Project Leader here. This seems taken down now," McQuaid stated on X. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been removed, but the campaign could still run through other redirection domains, therefore Homebrew users should be aware of sponsored project adverts.

To mitigate the risk of malware infection, while clicking on a link in Google, make sure you are directed to the authentic site for a project or company before entering sensitive information or installing software. Another safe option is to bookmark official project websites that you need to visit frequently when sourcing software and utilise them instead of searching online every time.
Read more »
Sophos
Cyberbreaches CyberCrime Fake IT Support malware Micrpsoft Teams ransomware attacks Sophos

Fake IT Support Used by Ransomware Gangs in Microsoft Teams Breaches

 


The Sophos security team has identified two ransomware campaigns that are utilizing Microsoft Teams to steal data from organizations, and the crooks may be allied with Black Basta and FIN7. In the X-Ops Managed Detection and Response (MDR) service, Sophos X-Ops responds to incidents related to two different groups of threat actors. In each case, the attackers gained access to targeted organizations by using the Microsoft Office 365 platform to steal data and deploy ransomware to steal data. 

This pair of separate clusters of activity were investigated by Sophos MDR in November and December 2024 as a result of customer reports, and the threat is tracked as STAC5143 and STAC5777, respectively. The two groups are utilizing Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations, according to Sophos, who has observed over 15 incidents in just the past two weeks, the majority of which took place between November and December 2024. 

According to Sophos, the attackers took advantage of a Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users, thereby taking advantage of a default configuration, he warned. As a result of threat actors exploiting Microsoft Teams to pose as tech support personnel, attackers gain initial access to victim organizations by using the platform, and their goal is to steal data and deploy ransomware, according to a report released on Tuesday by Sophos, which examined ongoing threat campaigns related to these two threats. 

A customer who received over 3,000 spam emails in 45 minutes in November of last year first brought STAC5143 to the attention of the Sophos team. Shortly thereafter, a Microsoft Teams call from outside the organization, coming from a bogus "Help Desk Manager" account, reached out to the customer, and he was instructed to allow a remote screen control session through Microsoft Teams to resolve the issue. 

As it turned out, the attacker was exploiting this vulnerability to inject malicious files into the victim's computer as well as infect the computer with malware by opening a command shell and dropping some files on it. The attacker had downloaded a Java archive (JAR) file (MailQueue-Handler.jar), as well as Python scripts (RPivot backdoor). As soon as the attackers have established a command-and-control channel with their target, they utilize the target's credentials to disable multifactor authentication and antivirus protections. 

They then connect to other computers in the network and move laterally to compromise additional computers and systems. Java code performed some reconnaissance work as well, mostly scoping out the user's account name and local network, before extracting and running from the snow.zip archive the payload contained a Python-based backdoor that could be used to remote control the Windows computer remotely. 

Python code included a lambda function to obfuscate the malware, which matched Python malware loaders previously spotted as part of the FIN7 malware campaign.  Two other Python pieces were extracted as part of the malware, including copies of the publicly available reverse SOCKS proxy RPivot, which FIN7 had previously used in its earlier attacks. 

As with the STAC5777 attacks, the malware started with large amounts of spam emails being sent to targeted organizations, followed by team messages claiming to be from the organization's IT department and requesting that they be contacted to stop the spam. CyberScoop spoke to Sean Gallagher, Sophos's principal threat researcher, and the study's lead author. 

Gallagher explained that his team had observed multiple individuals and at least 15 organizations using these tactics, and most of them were blocked before they were able to compromise the device they were attempting to compromise. Using the social engineering technique of posing as a technical support representative is a well-known social engineering method used by malicious hackers to compromise large, multinational companies.

Cybercriminal groups such as Lapsus$ have used this scheme for several years to compromise large, multinational corporations. It is, however, mainly smaller organizations that have been targeted by Office 365 and Teams, and it illustrates how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to adopt cloud computing and digitization, especially after the COVID-19 virus pandemic. 

A significant portion of these small organizations were left vulnerable by the fact that, for the first time, they were using unfamiliar software like Microsoft Office 365, Teams, and Azure. It is a piece of malware, winhttp.dll, that is sideloaded into a legitimate oneDriveStandaloneUpdater.exe process, which is then relaunched by a PowerShell command when Windows starts up. Through the Windows API, the malicious DLL logs the user's keystrokes, gathers credential information from files and the registry, and scans the network for potential pivot points via SMB, RDP, and WinRM. 

Once a C2 connection has been established, the OneDriveStandaloneUpdater.exe process is started and a check is performed to see if there are any Remote Desktop Protocol hosts or Windows Remote Management hosts that can be accessed with stolen credentials. It appears that the attackers then attempted to move laterally to other hosts to continue their attack. 

One instance of this was when the attackers used the backdoor to uninstall local multifactor authentication integration on a compromised device, and Sophos has also found that the attackers have been hoovering up local files whose names contained the word "password". In one instance, STAC5777 was trying to infect the machine with the Black Basta ransomware - even though Sophos assured that its security protections blocked it from infecting the machine. 

According to the researchers, the threat actor has access to Notepad and Word files that have the word "password" in them. Moreover, the attackers also accessed two Remote Desktop Protocol files, likely searching for credentials. To prevent external domains from initiating messages and calls on Microsoft Teams and disabling Quick Assist in critical environments, organizations should consider implementing these tactics in the ransomware space as they become more prevalent.
Read more »
Trend Micro SafeBreach Vulnerability Attack Security
Cybersecurity Exploit FTP server Infostealer malware PowerShell Trend Micro SafeBreach Vulnerability Attack Security

Malicious GitHub PoC Exploit Spreads Infostealer Malware

 

A malicious GitHub repository disguises a proof-of-concept (PoC) exploit for CVE-2024-49113, also known as "LDAPNightmare," delivering infostealer malware that sends sensitive data to an external FTP server. Disguised as a legitimate PoC, the exploit tricks users into executing malware.

While using fake PoC exploits is not a new tactic, Trend Micro's discovery shows that cybercriminals continue to deceive unsuspecting users. This malicious repository appears to be a fork of SafeBreach Labs' original PoC for CVE-2024-49113, which was released on January 1, 2025.

CVE-2024-49113 is one of two vulnerabilities affecting the Windows Lightweight Directory Access Protocol (LDAP), which was patched by Microsoft during December 2024's Patch Tuesday. The other vulnerability, CVE-2024-49112, is a critical remote code execution (RCE) flaw.

SafeBreach's blog post initially mislabeled the vulnerability as CVE-2024-49112, which sparked interest in LDAPNightmare, potentially attracting threat actors looking to exploit this buzz.

The PoC from the malicious repository contains a UPX-packed executable, 'poc.exe,' which drops a PowerShell script in the victim's %Temp% folder upon execution. The script sets up a scheduled job that runs an encoded script, which fetches another script from Pastebin.

This final payload gathers information such as computer details, process lists, network data, and installed updates, which it then compresses into a ZIP file and uploads to an external FTP server using hardcoded credentials.

Users downloading PoCs from GitHub should exercise caution, trusting only reputable cybersecurity firms and researchers. Verifying repository authenticity and reviewing code before execution is essential. For added security, consider uploading binaries to VirusTotal and avoid anything that appears obfuscated.
Read more »
malware
Data Theft Hacking Ivanti VPN Exploitation malware

Hackers Exploit Ivanti VPN Flaw to Install New Malware

 



A newly discovered vulnerability in Ivanti Connect Secure VPN systems, called CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti’s VPN appliances, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has clarified that the attacks are currently limited to a small number of users.

The problem was a stack-based buffer overflow that could be exploited by hackers using specially crafted requests to breach systems. The breaches were reported to have started in December 2024 by Mandiant, a leading cybersecurity firm. Hackers accessed the compromised devices using this flaw, disabled all important security settings, and installed malicious software.

New Malware Families Identified

During the course of the investigation, two other malware variants, Dryhook and Phasejam, were discovered on infected systems. There is no established connection between these malware families and any known hacking groups. In addition, hackers utilized a toolkit named Spawn, which is also used by suspected Chinese espionage groups. 

Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.

Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.  

How the Attack Works  

The attack process involves several steps:  

1. Identifying Targets: Hackers scan devices using specialized HTTP requests to identify vulnerable systems.  

2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.

3. Malware Deployment: They disable protections, modify system files, and install tools such as backdoors and tunneling utilities once inside.  

4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.  

5. Maintaining Access: Hackers alter upgrade processes, making their changes persist even after system updates.

When the vulnerability was discovered, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch, most systems are still exposed to this threat.

What Can Be Done? 

To defend against this threat, Ivanti advises doing the following:

  • Update Software: Install the latest version of Ivanti Connect Secure, version 22.7R2.5 or newer.
  • Factory Reset: That would erase the entire malware infection by resetting the device.  
  • Monitor for Signs of Attack: That would use Mandiant's shared IoCs and detection rules to identify malicious activity.  

Why it Matters

This makes it strongly essential for organizations to pay much heed to their cybersecurity. Hackers have become really intricate in operation, where they steal the most sensitive data from widely used systems such as VPNs. Businesses need to be alert and update their system with frequent revisions in the security policies to curb these threats.




Read more »
User Security
Banshee Stealer Infostealer macOS malware User Security

New Version of Banshee Malware Targets macOS Users

 

According to the latest study published this week, a new variant of the info-stealing malware known as "Banshee" has been targeting macOS users' passwords, cryptocurrency wallets, browser credentials, and other data for at least the past four months.

Check Point researchers discovered that the latest version targets anyone using a Mac and can be downloaded mostly through malicious GitHub uploads, but also through other websites (GitHub's policies prohibit malware, but this does not mean there is no malware on GitHub). 

This latest Banshee malware often disguises itself as the Telegram messaging app or the Google Chrome browser, two popular apps that other malware attackers use to trick users. This version first surfaced in September last year and attempts to evade detection by using Apple's proprietary string encryption algorithm, XProtect.

This malware targets your browsing activities in Chrome, Brave, Edge, or Vivaldi. It also attempts to steal your cryptocurrency if you have any crypto wallet browser extensions installed, and it may show macOS victims fake login pages in an attempt to steal their usernames and passwords, which it then uses to steal accounts and funds. It will target your Coinbase, Ronin, Slope, TONNE, MetaMask, and other cryptocurrency wallet extensions if you have them. 

The source code for Banshee was leaked online in November. This could have helped antivirus companies ensure their software catches the sneakier version in the months since. Prior versions of this malware were marketed as "stealer-as-a-service" malware on cybercriminal channels, including attacker-controlled Telegram channels, for $3,000 per "license.” 

To stay protected from info-stealer malware, it's a good idea to consider getting a crypto hardware wallet like one from Ledger or Trezor if you have over $1,000 in crypto. In general, it's also a good practice to avoid storing more than $1,000 in any browser extension-based crypto wallet (you can also store funds with an exchange like Coinbase, Robinhood, or Kraken). 

Additionally, passwords should never be kept in an unsecured digital document on your computer (no Google Docs). Instead, think about keeping your crypto seed phrases on paper in a closed box or safe at home.
Read more »
Software
Apple MacOS Banshee Stealer MaaS malware Software

New Variant of Banshee Stealer Targets macOS with Enhanced Evasion Tactics

 




Cybersecurity researchers have identified a dangerous new version of Banshee Stealer, a sophisticated malware specifically targeting macOS users. This updated strain is designed to bypass antivirus defenses and steal sensitive data from millions of macOS devices.

Originally detected in August 2024, Banshee Stealer was offered as malware-as-a-service (MaaS) to cybercriminals for $3,000 per month. Its capabilities included:
  • Data Theft: Stealing browser data, cryptocurrency wallet credentials, and specific file types.
The malware's source code was leaked in late 2024, briefly halting its spread. However, security experts have now discovered ongoing campaigns distributing an updated and more powerful version.

The latest version of Banshee Stealer, uncovered in September 2024, is being spread through:
  • Phishing Websites: Fake websites impersonating legitimate services to trick users into downloading the malware.
  • Fake GitHub Repositories: Malicious repositories posing as popular software like Google Chrome, Telegram, and TradingView.
Additionally, cybercriminals are simultaneously deploying another malware called Lumma Stealer to target Windows systems, signaling a broader, cross-platform attack strategy.

Key Enhancements in the Updated Version

The new variant of Banshee Stealer features several dangerous improvements:
  1. Advanced Encryption: Incorporates sophisticated encryption methods inspired by Apple's XProtect to evade detection by security tools.
  2. Expanded Targeting: Previously restricted from targeting Russian-language systems, this limitation has been removed, broadening the malware's victim pool.
  3. Social Engineering Tactics: The malware disguises itself as software updates or legitimate applications, increasing its chances of tricking users into installing it.

Related Threats on Other Platforms

Beyond Banshee Stealer, other malware families like Nova Stealer and Hexon Stealer are exploiting social engineering techniques on platforms such as Discord. Attackers lure users with fake promises of the latest video game versions, aiming to steal Discord credentials and access linked accounts for further exploitation.

To mitigate the risk of infection, users should adopt the following cybersecurity practices:
  • Download from Trusted Sources: Always install software from official and reputable platforms.
  • Exercise Caution with Links: Avoid clicking on suspicious links or accepting unsolicited invitations, particularly on social platforms like Discord.
  • Keep Security Software Updated: Regularly update antivirus and security tools to guard against the latest threats.
The resurgence of Banshee Stealer underscores the need for continuous vigilance in cybersecurity. Cybercriminals are constantly evolving their methods, blending technical exploits with social engineering to target both human and system vulnerabilities. Staying informed and cautious remains the most effective defense against such sophisticated attacks.
Read more »
Telegram
Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

  • Request specific data from the infected device
  • Install additional payloads
  • Modify surveillance parameters
  • Initiate immediate data uploads

Furthermore, the malware can:

  • Monitor screen activity and app usage
  • Track changes in screen on/off states
  • Log keystrokes, clipboard data, and credentials stored in password managers
  • Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

  • Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
  • Exercise caution when opening links from unknown sources.
  • Regularly review and restrict app permissions to prevent unauthorized data access.
  • Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.


Read more »
VPN malware threats
antivirus software cybersecurity tips malware Phishing Attacks PLAYFULGHOST malware SEO Poisoning VPN malware threats

This New Malware Exploits VPN Apps to Hijack Devices

 

A newly discovered malware, named PLAYFULGHOST, is causing concern among cybersecurity experts due to its versatile capabilities for data theft and system compromise. According to researchers, this malware employs techniques such as screen and audio capture, keylogging, remote shell access, and file transfer, enabling threat actors to launch further attacks.

PLAYFULGHOST is primarily delivered through phishing emails or SEO poisoning techniques, which distribute trojanized VPN applications. Once executed, it establishes persistence using four methods: the run registry key, scheduled tasks, Windows startup folder, and Windows services. This persistence allows the malware to collect a vast array of data, including keystrokes, screenshots, system metadata, clipboard content, and QQ account details, as well as information on installed security products.

The malware also exhibits advanced functionalities such as deploying additional payloads, blocking mouse or keyboard inputs, clearing event logs, deleting cache and browser profiles, and wiping messaging app data. Notably, it can use Mimikatz, a tool for extracting passwords, and a rootkit to conceal registry entries, files, and processes. PLAYFULGHOST further utilizes Terminator, an open-source utility, to disable security processes via a BYOVD (Bring Your Own Vulnerable Driver) attack.

The initial infection often begins with phishing emails containing lures such as warnings about code-of-conduct violations. Alternatively, it leverages SEO poisoning to distribute malicious versions of legitimate VPN apps like LetsVPN. For instance, one victim unknowingly launched a malicious executable disguised as an image file, which subsequently downloaded and executed PLAYFULGHOST. Google’s Managed Defense team notes that this backdoor shares features with the Gh0st RAT, whose source code was leaked in 2008.

PLAYFULGHOST infections employ DLL search order hijacking and sideloading to launch malicious DLLs, decrypting and loading the malware directly into memory. It also uses combined Windows shortcuts and rogue DLL construction for stealthy execution.

How to Protect Yourself

To avoid falling victim to PLAYFULGHOST, adopt the following security practices:
  • Be cautious with phishing emails: Verify the sender and context before clicking links or downloading attachments. If unsure, confirm directly with the sender or relevant departments.
  • Download only from trusted sources: Always access applications from official websites rather than links in emails or messages.
  • Avoid urgency traps: If contacted about urgent matters like account issues, manually visit the company’s website by typing its URL into your browser.
  • Strengthen account security: Use unique passwords, a password manager, two-factor authentication, and robust antivirus software across devices.
For additional protection, consider antivirus programs with integrated VPNs or hardened browsers for enhanced security. Stay informed about phishing techniques and remain vigilant online. As Google’s Managed Defense team warns, “PLAYFULGHOST’s sophistication highlights the need for constant vigilance against evolving cyber threats.”
Read more »
Social Media Scam
cyberattack news FireScam malware News Online Scam Social Media Scam

FireScam Malware Disguised as Telegram Premium Spreads via Phishing Sites

A new Android malware called FireScam is being distributed through phishing websites hosted on GitHub, masquerading as a premium version of the Telegram app. These fraudulent sites mimic RuStore, Russia’s official mobile app marketplace, tricking users into downloading the malware. This incident highlights how cybercriminals exploit trusted platforms to deploy sophisticated threats.

RuStore was launched in May 2022 by Russian tech company VK (VKontakte) with support from the Ministry of Digital Development as an alternative to Google Play and Apple’s App Store. It was designed to provide Russian users access to mobile applications despite Western sanctions. Cybercriminals have taken advantage of RuStore’s credibility by creating phishing pages that distribute malware under the guise of legitimate applications. According to security researchers at CYFIRMA, attackers have set up a GitHub-hosted phishing page impersonating RuStore, delivering an initial malware payload named GetAppsRu.apk.

Once installed, the dropper module requests multiple permissions, allowing it to identify installed applications, access device storage, and install additional software. It then downloads and installs the primary malware payload, disguised as Telegram Premium.apk. This second-stage malware requests extensive permissions, enabling it to monitor notifications, read clipboard data, access SMS and call information, and track user activity.

FireScam displays a fake Telegram login page via WebView to steal user credentials. The malware then communicates with Firebase Realtime Database, where stolen data is uploaded in real time. Each infected device is assigned a unique identifier, allowing attackers to track it. According to CYFIRMA, the stolen data is temporarily stored in Firebase before being filtered and transferred to another location. FireScam maintains a persistent WebSocket connection with a Firebase-based command-and-control (C2) endpoint, allowing attackers to execute real-time commands, download and install additional payloads, modify surveillance settings, and trigger immediate data uploads.

FireScam continuously tracks various device activities, including screen on/off events, active app usage, and user interactions lasting over 1,000 milliseconds. One of its most concerning features is its focus on e-commerce transactions. The malware attempts to intercept sensitive financial data by logging keystrokes, tracking clipboard content, and extracting auto-filled credentials from password managers.

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers describe it as a sophisticated and multifaceted threat that employs advanced evasion techniques. To minimize the risk of infection, users should avoid downloading apps from unverified sources, be cautious when clicking on unfamiliar links, download applications only from official platforms like Google Play or verified stores, and regularly review and restrict app permissions to prevent unauthorized data access. The rise of malware like FireScam underscores the growing need for cybersecurity awareness. Staying vigilant and adopting secure online practices is essential to protecting personal and financial data from evolving cyber threats.

Read more »
Subscribe to: Posts (Atom)