Download, Encryption and Information Security

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

Security Affairs

NOVEMBER 15, 2024

The Glove Stealer malware exploits a new technique to bypass Chrome’s App-Bound encryption and steal browser cookies. Glove Stealer is a.NET-based information stealer that targets browser extensions and locally installed software to steal sensitive data. Gen Digital observed phishing campaigns distributing the Glove Stealer.

Encryption

Encryption Password Management Cryptocurrency Social Engineering

New MassJacker clipper targets pirated software seekers

Security Affairs

MARCH 15, 2025

The attack involves executing a cmd script followed by a PowerShell script, which downloads three executables, including the Amadey botnet and two.NET executables (32-bit and 64-bit). The malware, dubbed PackerE, downloads an encrypted DLL (PackerD1) that employs multiple anti-analysis techniques.

Software

Software Cryptocurrency Malware Encryption

The source code of Banshee Stealer leaked online

Security Affairs

NOVEMBER 26, 2024

The ZIP file is then XOR encrypted, base64 encoded, and sent via a POST request to a specified URL using the built-in cURL command. We’ve archived the leak and made it available for download on GitHub.” We've archived the leak and made it available for download on GitHub. concludes the report.

Malware

Malware Cryptocurrency Encryption Hacking

PLAYFULGHOST backdoor supports multiple information stealing features

Security Affairs

JANUARY 5, 2025

The backdoor is distributed through: Phishing emails with themes such as code of conduct to trick users into downloading the malware. Upon executing the archive, it drops a malicious Windows executable, which eventually downloads and executesthe PLAYFULGHOST payloadfrom a remote server. sys driver.

Malware

Malware Encryption Phishing Hacking

Russia-linked APT28 use Signal chats to target Ukraine official with malware

Security Affairs

JUNE 24, 2025

BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++.

Malware

Malware Encryption Phishing Government

Around 3.3 million POP3 and IMAP mail servers lack TLS encryption

Security Affairs

JANUARY 3, 2025

Over 3 million POP3 and IMAP mail servers lack TLS encryption, exposing them to network sniffing attacks. million POP3 and IMAP mail servers lack TLS encryption, exposing them to network sniffing attacks. With POP3, the e-mails are downloaded to the local device and often deleted from the server. We see around 3.3M

Encryption

Encryption Passwords Internet Internet

Russia-linked Gamaredon targets Ukraine with Remcos RAT

Security Affairs

MARCH 31, 2025

Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader. The threat actor is using troop-related lures to deploy the Remcos RAT via PowerShell downloader. Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a.

Phishing

Phishing Antivirus Encryption Hacking

Authorities released free decryptor for Phobos and 8base ransomware

Security Affairs

JULY 18, 2025

The software can be downloaded from the police website and Europol’s NoMoreRansom site. NoMoreRansom warns users to remove the malware first with a reliable antivirus before using the decryptor, or files may be re-encrypted repeatedly. Despite false malware flags from some browsers, tests confirm it works and is safe.

Ransomware

Ransomware Encryption Malware Cybercrime

DragonForce operator chained SimpleHelp flaws to target an MSP and its customers

Security Affairs

MAY 27, 2025

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. At the end of January, researchers from security firm Arctic Wolf reported a campaign targeting SimpleHelp servers.

Ransomware

Ransomware Software Retail Data breaches

CISA warns of RESURGE malware exploiting Ivanti flaw

Security Affairs

MARCH 30, 2025

It creates secure tunnels for threat actors via SSH, proxies, and encrypted keys, enabling covert system access. BusyBox enables threat actors to perform various functions such as download and execute payloads on compromised devices.” It acts as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.

Malware

Malware Authentication Encryption Cybersecurity

Experts shared up-to-date C2 domains and other artifacts related to recent MintsLoader attacks

Security Affairs

MAY 5, 2025

“The campaign leveraged fake CAPTCHA verification pages (ClickFix/KongTuke lures) to trick users into executing a copied PowerShell command, which downloaded and ran MintsLoader” The experts observed other infection chains that used fake invoice files (e.g., “Fattura####.js”)

Malware

Malware Phishing Threat Reports Encryption

Malicious npm packages target Ethereum developers

Security Affairs

JANUARY 4, 2025

The campaign is still ongoing and the malicious packages collectively totaled more than one thousand downloads. The attack has led to the identification of 20 malicious packages published by three primary authors, with the most downloaded package, @nomicsfoundation/sdk-test , accumulating 1,092 downloads.”

Encryption

Encryption Hacking Cybercrime Information Security

Report claims that Serbian authorities abused Cellebrite tool to install NoviSpy spyware

Security Affairs

DECEMBER 16, 2024

Serbian authorities also extensively and illegitimately used the Cellebrite extraction suite to download personal data from the phones of journalists and protest organizers. Evidence, including the spywares installation during BIA interviews, attributes these surveillance campaigns with high confidence to the BIA and Serbian government.

Spyware

Spyware Surveillance Technology Mobile

Russia-linked group Nebulous Mantis targets NATO-related defense organizations

Security Affairs

APRIL 30, 2025

The RAT supports advanced evasion techniques, including living-off-the-land ( LOTL ) tactics and encrypted command and control (C2) communications. ” Nebulous Mantis imitates trusted services like OneDrive to trick victims into downloading infected files, often hosted on Mediafire. . ” continues the report.

Encryption

Encryption Ransomware Malware Phishing

A new Mirai botnet variant targets DigiEver DS-2105 Pro DVRs

Security Affairs

DECEMBER 26, 2024

The experts pointed out that this Mirai variant has been modified to use improved encryption algorithms. The malware maintains persistence using a cron job that downloads a shell script from “hailcocks[.]ru.” TheMiraivariant incorporates ChaCha20 and XOR decryption algorithms. ” reads the analysis published by Akamai.

Manufacturing

Manufacturing Malware Firmware IoT

Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner

Security Affairs

MARCH 10, 2025

com to distribute an infected archive, which had over 40,000 downloads. Its configuration is Base64-encoded and encrypted with AES-CBC. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware.

Cryptocurrency

Cryptocurrency Malware Social Engineering Antivirus

Cloak ransomware group hacked the Virginia Attorney General’s Office

Security Affairs

MARCH 24, 2025

Initially, the group published screenshots of stolen data as proof of the attack, now the whole archive can be downloaded from the leak page. ” The group uses an ARCrypter ransomware variant, derived from Babuks leaked code , to encrypt files after infiltrating a network.

Ransomware

Ransomware Hacking Social Engineering Healthcare

Crooks are reviving the Grandoreiro banking trojan

Security Affairs

MARCH 28, 2025

Attackers also employ encrypted or password-protected files to evade security detection. Clicking the “Download PDF” button leads to a zip payload from MediaFire. Attackers use Contabo-hosted links to deliver obfuscated Visual Basic scripts and disguised EXE payloads for credential theft. contaboserver[.]net.

Banking

Banking Phishing Malware Passwords

Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware

Security Affairs

APRIL 21, 2025

The emails contained links that downloaded a malicious file (wine.zip). GRAPELOADER is a 64-bit DLL (ppcore.dll) used as an initial-stage downloader, triggered via its PPMain function through DLL side-loading by wine.exe. The phishing campaign used domains like bakenhof[.]com com and silry[.]com

Malware

Malware Phishing Encryption Hacking

New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

Security Affairs

MARCH 12, 2025

. “The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.” It processes encrypted data over a RAW socket, limiting further analysis.

IoT

IoT Malware Encryption DDOS

Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations

SecureList

DECEMBER 18, 2024

3:8092/sdc.exe In some reverse shell incidents, we also found traces of Revenge RAT ( 48210CA2408DC76815AD1B7C01C1A21A ) being run through the PowerShell process: powershell.exe -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::LoadFile('C:Users<username>Downloads <exe_name> exe').EntryPoint.Invoke($null,

Encryption

Encryption Passwords Accountability Ransomware

Operation SyncHole: Lazarus APT targets supply chains in South Korea

Security Affairs

APRIL 25, 2025

Kaspersky notified Korea Internet & Security Agency (KrCERT/CC), the researchers discovered that threat actor exploited a one-day vulnerability in Innorix Agent for lateral movement. The attackers used multiple hacking tools and malware, including ThreatNeedle , Agamemnon downloader, wAgent , SIGNBT, and COPPERHEDGE.

Malware

Malware Software Encryption Hacking

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

Security Affairs

JUNE 9, 2025

“The request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.” The latest DVR-focused variant is also built on Mirai’s foundation but introduces new features like RC4 string encryption, anti-virtual machine checks, and anti-emulation tactics.

IoT

IoT Firmware Malware Architecture

Enhanced capabilities sustain the rapid growth of Vo1d botnet

Security Affairs

FEBRUARY 28, 2025

The malicious code acts as a backdoor allowing attackers to download and install third-party software secretly. Users may also mistakenly believe TV boxes are more secure than smartphones and are less likely to install antivirus software, increasing their risk when downloading third-party apps or unofficial firmware.

Antivirus

Antivirus Firmware Encryption Manufacturing

The U.S. House banned WhatsApp on government devices due to security concerns

Security Affairs

JUNE 24, 2025

. “nuto has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use,” reads an email sent by Chief Administrative Officer and obtained by Axios. ” continues the email. .”

Government

Government Spyware Encryption Mobile

China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure

Security Affairs

MAY 26, 2025

Researchers observed that the attackers relied on standard Linux tools like wget and curl to download an encrypted version of the Sliver backdoor. Using tools like mysqldump and Bash scripts downloaded from paste sites, the attackers extracted LDAP configs, Office 365 credentials, and metadata on managed devices.

Mobile

Mobile Telecommunications Authentication Healthcare

Fog and Akira ransomware attacks exploit SonicWall VPN flaw CVE-2024-40766

Security Affairs

OCTOBER 29, 2024

The latest patch builds are available for download on mysonicwall.com “ In September, SonicWall warned that the flaw CVE-2024-40766 in SonicOS is now potentially exploited in attacks. The latest patch builds are available for download on mysonicwall.com ,” warns the updated SonicWall advisory.

VPN

VPN Ransomware Firewall Internet

CoffeeLoader uses a GPU-based packer to evade detection

Security Affairs

MARCH 31, 2025

CoffeeLoader is a sophisticated malware that uses numerous techniques to bypass security solutions, Zscaler ThreatLabz warns. Zscaler ThreatLabz discovered CoffeeLoader, a malware family active since September 2024, that uses multiple techniques to evade endpoint security while downloading second-stage payloads.

Malware

Malware Encryption Antivirus Marketing

News Flodrix botnet targets vulnerable Langflow servers

Security Affairs

JUNE 18, 2025

Attackers exploit CVE-2025-3248 in Langflow servers to deliver Flodrix botnet via downloader scripts, Trend Research reports. Attackers exploit the flaw to run scripts on Langflow servers, downloading and installing Flodrix malware. Once satisfied, they download and execute the Flodrix botnet malware from a remote server.

DDOS

DDOS Malware Encryption Hacking

Web Skimmer found on at least 17 websites, including Casio UK

Security Affairs

FEBRUARY 3, 2025

The software skimmer encrypts stolen data using AES-256-CBC, generating a unique key and IV for each request. The encrypted data, along with the key and IV, is sent to a server controlled by attackers. The stolen information includes billing addresses, credit card details, phone numbers, and email addresses. .”

Encryption

Encryption Software Hacking Cybercrime

Attackers exploit SimpleHelp RMM Software flaws for initial access

Security Affairs

JANUARY 28, 2025

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. Researchers from security firm Arctic Wolf now report that an ongoing campaign is targeting SimpleHelp servers.

Software

Software Passwords Accountability Encryption

U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

FEBRUARY 14, 2025

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. Researchers from security firm Arctic Wolf now report that an ongoing campaign is targeting SimpleHelp servers. 6, 2025: Horizon3.I

Passwords

Passwords Software Accountability Risk

SparkCat campaign target crypto wallets using OCR to steal recovery phrases

Security Affairs

FEBRUARY 5, 2025

The malicious apps were downloaded more than 242,000 times from Google Play. ” The component communicates with C2 servers and execute commands from an encrypted GitLab file. The experts noted that the malware-laced apps were also distributed through official stores.

Malware

Malware Cryptocurrency Mobile Encryption

Port of Seattle ‘s August data breach impacted 90,000 people

Security Affairs

APRIL 5, 2025

The Port confirmed that an unauthorized actor accessed and encrypted parts of their computer systems, disrupting key services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking. The Port holds very little information about airport or maritime passengers, and systems processing payments were not affected.”

Data breaches

Data breaches Ransomware Cyber Attacks Healthcare

DoNot APT is expanding scope targeting European foreign ministries

Security Affairs

JULY 9, 2025

Once opened, the disguised executable established persistence using a scheduled task and connected to a C2 server to send system information, receive commands, download additional payloads. The archive contained a disguised executable (notflog.exe) with a PDF icon to trick users into running malware.

Malware

Malware Phishing Passwords Encryption

New Batavia spyware targets Russian industrial enterprises

Security Affairs

JULY 7, 2025

” Clicking the link included in the phishing messages downloads a VBE script that collects system info and retrieves a malware file (WebView.exe) from the attacker’s domain. It also downloads a new malware stage ( javav.exe ) and sets a startup shortcut to launch it on reboot, continuing the infection cycle.

Spyware

Spyware Malware Phishing Encryption

WhatsApp introduces Advanced Chat Privacy to protect sensitive communications

Security Affairs

APRIL 24, 2025

The feature blocks chat exports, auto-media downloads, and the use of messages in AI features, ensuring conversations stay private and within the app. “When the setting is on, you can block others from exporting chats, auto-downloading media to their phone, and using messages for AI features. .”

Media

Media Encryption Hacking Accountability

The Role of Enterprise Browsers in Securing Remote Work and Hybrid Teams

IT Security Guru

DECEMBER 26, 2024

Here are some of the ways enterprise browsers help safeguard remote work: Data Security and Protection Remote work demands robust data protection. Enterprise browsers deliver, offering end-to-end encryption for online information. These secure tools shield against phishing, malware, and other digital threats.

Phishing

Phishing Authentication Technology Malware

North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy

Security Affairs

MARCH 13, 2025

Upon execution, the spyware retrieves an encrypted configuration from Firebase Firestore, controlling activation and the C2 server address. KoSpy communicates with its C2 servers through two request types: one for downloading plugins and another for retrieving surveillance configurations.

Spyware

Spyware Surveillance Encryption Malware

New Batavia spyware targets Russian industrial enterprises

Security Affairs

JULY 7, 2025

” Clicking the link included in the phishing messages downloads a VBE script that collects system info and retrieves a malware file (WebView.exe) from the attacker’s domain. It also downloads a new malware stage ( javav.exe ) and sets a startup shortcut to launch it on reboot, continuing the infection cycle.

Spyware

Spyware Malware Phishing Encryption

Storm-1977 targets education sector with password spraying, Microsoft warns

Security Affairs

APRIL 27, 2025

vip to download AES-encrypted data, which, once decrypted, revealed password spray targets. Over the past year, Microsoft Threat Intelligence researchers observed a threat actor, tracked as Storm-1977, using AzureChecker.exe to launch password spray attacks against cloud tenants in the education sector. nodefunction[.]vip

Education

Education Passwords Accountability Encryption

Russia’s Secret Blizzard APT targets Ukraine with Kazuar backdoor

Security Affairs

DECEMBER 12, 2024

Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine. Amadey bots encoded system data to communicate with the C2 at [link] , attempting to download two plugins, cred64.dll dll and clip64.dll

Cybercrime

Cybercrime Malware Hacking Cryptocurrency

Sophos fixed critical vulnerabilities in its Firewall product

Security Affairs

DECEMBER 20, 2024

Tianfeng worked at Sichuan Silence Information Technology Co., The malware stole data and encrypted files to block remediation attempts. It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

Firewall

Firewall Authentication Passwords Accountability

Chinese national charged for hacking thousands of Sophos firewalls

Security Affairs

DECEMBER 11, 2024

Tianfeng worked at Sichuan Silence Information Technology Co., The malware stole data and encrypted files to block remediation attempts. “Guan and his co-conspirators worked at the offices of Sichuan Silence Information Technology Co. It was designed to download payloads intended to exfiltrate XG Firewall-resident data.

Firewall

Firewall Hacking Malware Encryption

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

New MassJacker clipper targets pirated software seekers

Trending Sources

The source code of Banshee Stealer leaked online

PLAYFULGHOST backdoor supports multiple information stealing features

Russia-linked APT28 use Signal chats to target Ukraine official with malware

Around 3.3 million POP3 and IMAP mail servers lack TLS encryption

Russia-linked Gamaredon targets Ukraine with Remcos RAT

Authorities released free decryptor for Phobos and 8base ransomware

DragonForce operator chained SimpleHelp flaws to target an MSP and its customers

CISA warns of RESURGE malware exploiting Ivanti flaw

Experts shared up-to-date C2 domains and other artifacts related to recent MintsLoader attacks

Malicious npm packages target Ethereum developers

Report claims that Serbian authorities abused Cellebrite tool to install NoviSpy spyware

Russia-linked group Nebulous Mantis targets NATO-related defense organizations

A new Mirai botnet variant targets DigiEver DS-2105 Pro DVRs

Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner

Cloak ransomware group hacked the Virginia Attorney General’s Office

Crooks are reviving the Grandoreiro banking trojan

Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware

New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations

Operation SyncHole: Lazarus APT targets supply chains in South Korea

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

Enhanced capabilities sustain the rapid growth of Vo1d botnet

The U.S. House banned WhatsApp on government devices due to security concerns

China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure

Fog and Akira ransomware attacks exploit SonicWall VPN flaw CVE-2024-40766

CoffeeLoader uses a GPU-based packer to evade detection

News Flodrix botnet targets vulnerable Langflow servers

Web Skimmer found on at least 17 websites, including Casio UK

Attackers exploit SimpleHelp RMM Software flaws for initial access

U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

SparkCat campaign target crypto wallets using OCR to steal recovery phrases

Port of Seattle ‘s August data breach impacted 90,000 people

DoNot APT is expanding scope targeting European foreign ministries

New Batavia spyware targets Russian industrial enterprises

WhatsApp introduces Advanced Chat Privacy to protect sensitive communications

The Role of Enterprise Browsers in Securing Remote Work and Hybrid Teams

North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy

New Batavia spyware targets Russian industrial enterprises

Storm-1977 targets education sector with password spraying, Microsoft warns

Russia’s Secret Blizzard APT targets Ukraine with Kazuar backdoor

Sophos fixed critical vulnerabilities in its Firewall product

Chinese national charged for hacking thousands of Sophos firewalls

Stay Connected