SecureList

JUNE 23, 2025

We believe it is connected to SparkCat and also targets the cryptocurrency assets of its victims. Tapping these opened WebView, revealing an online store named TikToki Mall that accepted cryptocurrency as payment for consumer goods. Our initial search led us to a bunch of cryptocurrency apps.

Spyware 128

Spyware Malware Cryptocurrency Scams 128

SecureList

OCTOBER 21, 2024

Kral In mid-2023, we discovered the Kral downloader which, back then, downloaded the notorious Aurora stealer. This changed in February this year when we discovered a new Kral stealer, which we believe is part of the same malware family as the downloader due to certain code similarities. That file is the Kral downloader.

Passwords 123

Passwords Malware Encryption Cryptocurrency 123

SecureList

OCTOBER 29, 2024

Inside this content is an obfuscated PowerShell script that ultimately downloads the malicious payload. Payload: Lumma stealer Initially, the malicious PowerShell script downloaded and executed an archive with the Lumma stealer. One of the modules can also take screenshots.

Adware 124

Adware Malware Cryptocurrency Data collection 124

Security Affairs

JULY 18, 2025

The software can be downloaded from the police website and Europol’s NoMoreRansom site. NoMoreRansom warns users to remove the malware first with a reliable antivirus before using the decryptor, or files may be re-encrypted repeatedly. Despite false malware flags from some browsers, tests confirm it works and is safe.

Ransomware 130

Ransomware Encryption Malware Antivirus 130

SecureList

FEBRUARY 5, 2025

The infected apps in Google Play had been downloaded more than 242,000 times. When initialized, it downloads a JSON configuration file from a GitLab URL embedded in the malware body. It encrypts data with AES-256 in CBC mode before sending and decrypts server responses with AES-128 in CBC mode.

Malware 140

Malware Encryption Mobile Cryptocurrency 140

Security Boulevard

DECEMBER 16, 2024

However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. IntroductionIn October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. mi: Minor version.mj: Major version.

Malware 97

Malware Cryptocurrency Encryption Software 97

SecureList

NOVEMBER 29, 2024

This type of cyberextortion predated Trojans, which encrypt the victim’s files. New ransomware modifications, Q3 2023 — Q3 2024 ( download ) Number of users attacked by ransomware Trojans Despite the decrease in new variants, the number of users encountering ransomware has increased compared to the second quarter. 2 China 0.95

Mobile 105

Mobile Adware Ransomware Malware 105

SecureList

APRIL 25, 2025

Specifically, they can modify cryptocurrency wallet addresses during transfer attempts, replace links in browsers, send arbitrary text messages and intercept replies, and steal login credentials for messaging and social media apps. Similar to previous versions, the backdoor downloads and executes other payloads.

Cryptocurrency 76

Cryptocurrency Malware Firmware Accountability 76

SecureList

APRIL 8, 2025

Instead of the description copied from GitHub, the visitor is presented with an imposing list of office applications complete with version numbers and “Download” buttons. io/download. Page for downloading the suspicious archive Clicking that button finally downloads a roughly seven-megabyte archive named vinstaller.zip.

Passwords 82

Passwords Cryptocurrency Antivirus Software 82

SecureList

APRIL 23, 2025

Variants of Lazarus’ malicious tools, such as ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE, were discovered with new features. LPEClient LPEClient is a tool known for victim profiling and payload delivery ( T1105 ) that has previously been observed in attacks on defense contractors and the cryptocurrency industry.

Malware 140

Malware Software Encryption Internet 140

SecureList

MARCH 5, 2025

Dynamics of Windows Packet Divert detections ( download ) The growing popularity of tools using Windows Packet Divert has attracted cybercriminals. The counter at the time of posting the video showed more than 40,000 downloads. After the download, it saves the payload named t.py com , which hosted the infected archive.

Malware 109

Malware Cryptocurrency Antivirus Technology 109

SecureList

MAY 28, 2025

The threat actors behind Zanubis continue to refine its code adding features, switching between encryption algorithms, shifting targets, and tweaking social engineering techniques to accelerate infection rates. Communication with the C2 API was encrypted with RC4 using a hardcoded key and Base64-encoded.

Banking 101

Banking Malware Encryption Energy and Utilities 101

SecureList

NOVEMBER 29, 2024

The malware, which received commands via the Dropbox cloud service, was used to download additional payloads. The threat actor specializes in encrypting and then deleting its targets’ data, which suggests that the group’s primary objective is to cause as much damage as possible.

Energy and Utilities 99

Energy and Utilities Ransomware Malware Government 99

Security Affairs

FEBRUARY 5, 2025

The malicious apps were downloaded more than 242,000 times from Google Play. ” The component communicates with C2 servers and execute commands from an encrypted GitLab file. The module uses Google ML Kit OCR to extract text from images, searching for cryptocurrency wallet recovery phrases in multiple languages.

Malware 72

Malware Mobile Cryptocurrency Encryption 72

Malwarebytes

MAY 1, 2025

Whereas early phishing scams arrived almost entirely through emails, modern phishing scams can reach victims through malicious websites, text messages, social media, and even mobile app downloads. The hackers hijacked the channels to spread cryptocurrency scams, while deleting some of the groups old videos in the process.

Small Business 82

Small Business Cybersecurity Scams Passwords 82

SecureList

APRIL 21, 2025

Fake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. txt file contains aBase64-encoded PowerShell script that then downloads and runs theLumma Stealer. shop/firefire[.]png.

Malware 79

Malware Cryptocurrency Software Antivirus 79

SecureList

DECEMBER 19, 2024

Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. It is unclear exactly how the files were downloaded by the victims.

Malware 138

Malware Encryption Software Cryptocurrency 138

SecureList

OCTOBER 23, 2024

On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version. But that was just a disguise. As big computer games fans ourselves, we immediately wanted to try it.

Engineering 145

Engineering Accountability Social Engineering Cryptocurrency 145

Penetration Testing

JULY 9, 2025

The malware’s infection chains and system persistence methods echo those used in DPRK’s cryptocurrency-stealing operations—albeit now adapted and deployed globally by Russia-affiliated threat actors. That’s when the malware begins to harvest sensitive data—and lay the groundwork for persistent access.

Malware 77

Malware Surveillance InfoSec Penetration Testing 77

Security Affairs

DECEMBER 12, 2024

Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine. Storm-1919 often deploys XMRIG cryptocurrency miners via Amadey bots, used globally in 2024. dll and clip64.dll

Cybercrime 51

Cybercrime Malware Hacking Cryptocurrency 51

SecureList

FEBRUARY 21, 2025

We ended up with the original AU3 file: Restored AU3 script The script is heavily obfuscated, with all strings encrypted. However, it is also packed and encrypted. Command servers This sample contains encoded and encrypted addresses of command servers. After deobfuscating and decrypting the code, we analyzed it.

Phishing 83

Phishing Encryption Banking Malware 83

Penetration Testing

JUNE 9, 2025

Fortinet, Check Point, CrushFTP) ShadowPad samples used malicious implants like AppSov.exe, downloaded via PowerShell and curl from compromised internal infrastructure. These implants exfiltrated sensitive files such as certificates and cryptocurrency keys via a custom PowerShell exfiltration script.

Penetration Testing 93

Penetration Testing Advertising DNS Cybersecurity 93

Hacker's King

APRIL 1, 2025

Choosing the right cryptocurrency wallet is crucial for everyone involved with digital currencies. eCryptobit.com wallets are digital wallets that aid users in effectively managing their cryptocurrency. Support for Multiple Currencies You can keep several cryptocurrencies in one location with the eCryptobit.com wallets.

Cryptocurrency 52

Cryptocurrency Backups Mobile Encryption 52

Digital Shadows

NOVEMBER 26, 2024

Attackers exploiting cloud accounts pose significant risks, targeting virtual machines (VMs) for activities like cryptocurrency mining, leading to unexpected costs for organizations. Additionally, securing internal documents with encrypted storage and using safe file-sharing platforms is crucial, especially when sharing externally.

Cyber Attacks 59

Cyber Attacks Phishing Ransomware Cyber Insurance 59

Security Boulevard

JUNE 26, 2025

Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On Subscribe to our Newsletters Most Read on the Boulevard 16 Billion Leaked Records May Not Be a New Breach, But They’re a Threat Scattered Spider Targets Aflac, Other Insurance Companies WhatsApp BANNED by House Security Goons — But Why?

Social Engineering 52

Social Engineering Data privacy Security Awareness Mobile 52

Webroot

OCTOBER 31, 2024

A pivotal moment came when the FBI obtained over 7,000 decryption keys, allowing victims to unlock their encrypted data for free. Despite these setbacks, LockBit attempted to maintain its operations, quickly adapting by changing encryption methods and shifting its leak site strategy.

Malware 117

Malware Ransomware Healthcare Passwords 117

SecureList

JUNE 12, 2023

Introduction Stealing cryptocurrencies is nothing new. Since then, stealing cryptocurrencies has continued to occupy cybercriminals. One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. For example, the Mt. recovery phrases). recovery phrases).

Cryptocurrency 119

Cryptocurrency Encryption Malware Ransomware 119

The Last Watchdog

MARCH 17, 2020

Encryption is a cornerstone of digital commerce. Related: A ‘homomorphic-like’ encryption solution We know very well how to encrypt data in transit. And we’ve mastered how to encrypt — and decrypt — data at rest. PKI is the authentication and encryption framework on which the Internet is built.

Encryption 171

Encryption Authentication IoT Internet 171

SecureWorld News

APRIL 21, 2022

Treasury Department warning of a North Korean state-sponsored advanced persistent threat (APT) known as the Lazarus Group targeting cryptocurrency and blockchain companies. The threat actors use social engineering to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems.

Cryptocurrency 98

Cryptocurrency Computers and Electronics Social Engineering System Administration 98

SecureList

JANUARY 13, 2022

Also, we have previously reported on cryptocurrency-focused BlueNoroff attacks. It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Malware infection. PROCESS_ID. #. DLL_FILE_SIZE. DLL_FILE_DATA.

Cryptocurrency 145

Cryptocurrency Malware Accountability Banking 145

Security Affairs

MARCH 11, 2019

Experts observed the STOP ransomware installing the Azorult password-stealing Trojan to steal account credentials, cryptocurrency wallets, and more. Experts observed the ransomware also installing the dreaded Azorult password-stealing Trojan on victim’s machine to steal account credentials, cryptocurrency wallets, documents and more.

Encryption 109

Encryption Ransomware Cryptocurrency Passwords 109

Security Affairs

JANUARY 9, 2020

In the last 18 months, North Korea-linked Lazarus APT group has continued to target cryptocurrency exchanges evolving its TTPs. Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and cryptocurrency exchanges.

Cryptocurrency 93

Cryptocurrency Malware Advertising Encryption 93

Krebs on Security

APRIL 20, 2023

In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

Malware 344

Malware Software Technology Accountability 344

Security Affairs

JULY 7, 2020

The recent wave has been noted in Portugal and is impacting clients of several Portuguese and Brazilian banking organizations and also some cryptocurrency platforms. Here, it was distributed using fake webpages, where the victim downloaded an MSI file, which then held the remaining Lampion infection chain. dll YourGonnaPayMeToday.

Malware 134

Malware Banking Phishing Internet 134

Security Affairs

APRIL 29, 2023

xyz pic.twitter.com/VLhISark8Y — Goldwave (@OGoldwave) March 13, 2023 The variant employed in the campaign supports a more sophisticated encryption method of byte remapping and a monthly rotation of the C2 server. #ViperSoftX is back, doesn't look like much has changed. c2 arrowlchat[.]com ” continues the report.

Encryption 98

Encryption Malware Cryptocurrency Software 98

Krebs on Security

MARCH 28, 2021

Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute. But Watson said they don’t know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain.

Hacking 363

Hacking Cybercrime DNS Antivirus 363

eSecurity Planet

DECEMBER 7, 2023

Encryption uses mathematical algorithms to transform and encode data so that only authorized parties can access it. What Encryption Is and How It Relates to Cryptology The science of cryptography studies codes, how to create them, and how to solve them. How Does Encryption Process Data? How Does Encryption Process Data?

Encryption 112

Encryption Passwords IoT Firewall 112