Security Affairs

NOVEMBER 7, 2024

SentinelLabs observed North Korea-linked threat actor BlueNoroff targeting businesses in the crypto industry with a new multi-stage malware. SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign tracked as “Hidden Risk.”

Malware 124

Malware Risk Architecture Cryptocurrency 124

Security Affairs

APRIL 21, 2025

Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER. The phishing emails either led to malware delivery via GRAPELOADER or redirected to the Ministry’s real website to appear legitimate. The emails contained links that downloaded a malicious file (wine.zip).

Malware 107

Malware Phishing Encryption Hacking 107

Security Affairs

FEBRUARY 13, 2025

Valve removed a game from Steam because it contained malware, the company also warned affected users to reformat their operating systems. PCMag cited the case of a gamer who downloaded the game and reported that his accounts were hijacked using stolen cookies. SteamDB estimates that over 800 users may have downloaded the game.

Malware 111

Malware Antivirus Accountability Software 111

Security Affairs

DECEMBER 27, 2024

North Korea-linked threat actors were spotted using new malware called OtterCookie as part of the Contagious Interview campaign that targets software developer community with fake job offers. Since November 2024, threat actors employed the malware OtterCookie, alongside BeaverTail and InvisibleFerret, in the campaign.

Malware 89

Malware Cryptocurrency Software Hacking 89

Security Affairs

NOVEMBER 26, 2024

Banshee Stealer, a MacOS Malware-as-a-Service, shut down after its source code leaked online. In August 2024, Russian hackers promoted BANSHEE Stealer, a macOS malware targeting x86_64 and ARM64, capable of stealing browser data, crypto wallets, and more. We’ve archived the leak and made it available for download on GitHub.”

Malware 144

Malware Cryptocurrency Encryption Passwords 144

Security Affairs

APRIL 25, 2025

Researchers identified a new malware, named DslogdRAT, deployed after exploiting a now-patched flaw in Ivanti Connect Secure (ICS). JPCERT/CC researchers reported that a new malware, dubbed DslogdRAT, and a web shell were deployed by exploiting a zero-day vulnerability during attacks on Japanese organizations in December 2024.

Malware 94

Malware Hacking Authentication Cybersecurity 94

Security Affairs

JUNE 15, 2025

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Supply chain attack hits Gluestack NPM packages with 960K weekly downloads Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 Destructive npm Packages Disguised as Utilities Enable Remote (..)

Malware 75

Malware Spyware Ransomware Hacking 75

Security Affairs

JANUARY 5, 2025

PLAYFULGHOST is a new malware family with capabilities including keylogging, screen and audio capture, remote shell access, and file transfer/execution. The backdoor is distributed through: Phishing emails with themes such as code of conduct to trick users into downloading the malware. sys driver.

Malware 132

Malware Encryption Phishing Hacking 132

Security Affairs

OCTOBER 17, 2024

The threat actors also employed two new downloaders, called RustClaw and MeltingClaw, plus two backdoors, DustyHammock (Rust-based) and C++-based ShadyHammock. Polish entities were likely targeted as well, based on malware language checks. ” reads the report published by Talos.

Government 123

Government Malware Cyber Attacks Ransomware 123

Security Affairs

MARCH 15, 2025

Pirated software seekers are targeted by the new MassJacker clipper malware, according to CyberArk researchers. A new malware campaign spreading a new clipper malware dubbed MassJacker targets users searching for pirated software, Cyberark users warn. com) distributing pirated software that also spreads malware.

Software 118

Software Cryptocurrency Malware Encryption 118

Security Affairs

DECEMBER 21, 2024

” Recently, The Federal Office for Information Security (BSI) announced it had blocked communication between the 30,000 devices infected with the BadBox malware and the C2. Sinkholing isolates the malware and prevents it from executing commands or stealing data. ” concludes the report.

Firmware 143

Firmware Malware Internet Internet 143

Security Affairs

JUNE 9, 2025

malware has infected millions of IoT devices globally, creating a botnet used for cyber criminal activities, the FBI warns. The FBI published a Public Service Announcement (PSA) to warn that cybercriminals are using the BADBOX 2.0 3 ” reads the alert published by the FBI. ” BADBOX 2.0 Indicators of BADBOX 2.0

IoT 145

IoT Internet Internet Advertising 145

Security Affairs

SEPTEMBER 14, 2023

Researchers discovered a free download manager site that has been compromised to serve Linux malware to users for more than three years. Researchers from Kaspersky discovered a free download manager site that has been compromised to serve Linux malware. org domain and they were not containing any malware.

Malware 135

Malware Software Cryptocurrency Hacking 135

Security Affairs

JANUARY 10, 2025

CrowdStrike warns of a phishing campaign that uses its recruitment branding to trick recipients into downloading a fake application, which finally installs the XMRig cryptominer. “Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominerXMRig.”

Phishing 114

Phishing Scams Malware Authentication 114

Security Affairs

MAY 5, 2025

MintsLoader is a malware loader delivering the GhostWeaver RAT via a multi-stage chain using obfuscated JavaScript and PowerShell. The malware supports sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.

Malware 128

Malware Phishing Threat Reports Encryption 128

Security Affairs

MARCH 26, 2025

New ReaderUpdate malware variants, now written in Crystal, Nim, Rust, and Go, targets macOS users, SentinelOne warns. SentinelOne researchers warn that multiple versions of the ReaderUpdate malware written in Crystal, Nim, Rust, and Go programming languages, are targeting macOS users. The malware maintains persistence via a.plist file.

Malware 73

Malware Adware Antivirus Marketing 73

Security Affairs

MAY 12, 2025

Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn. Morphisec researchers observed attackers exploiting AI hype to spread malware via fake AI tools promoted in viral posts and Facebook groups.

Malware 112

Malware Media Cybercrime Scams 112

Security Affairs

JUNE 9, 2025

“The request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.” The malware also includes anti-VM and anti-emulation checks by scanning running processes for signs of VMware or QEMU. ” reads the analysis.

IoT 138

IoT Firmware Malware Architecture 138

Security Affairs

JUNE 19, 2025

Java-based malware targets Minecraft users via fake cheat tools, utilizing the Stargazers Ghost Network distribution-as-a-service (DaaS). Check Point researchers found a multi-stage malware on GitHub targeting Minecraft users via Stargazers DaaS , using Java/.NET NET stealers disguised as cheat tools.

64

64

Security Affairs

NOVEMBER 15, 2024

The Glove Stealer malware exploits a new technique to bypass Chrome’s App-Bound encryption and steal browser cookies. Glove Stealer is a.NET-based information stealer that targets browser extensions and locally installed software to steal sensitive data. Gen Digital observed phishing campaigns distributing the Glove Stealer.

Encryption 118

Encryption Password Management Cryptocurrency Social Engineering 118

Krebs on Security

APRIL 20, 2023

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file. Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file. Image: Mandiant.

Malware 331

Malware Software Technology Accountability 331

Security Affairs

APRIL 17, 2025

to deliver info-stealing malware via fake crypto trading sites like Binance and TradingView. increasingly used in malware campaigns since October 2024, including an ongoing crypto-themed malvertising attack as of April 2025. to deploy malware, shifting from traditional scripts like Python or PHP. .” components.

Social Engineering 117

Social Engineering Malware Cryptocurrency Engineering 117

Security Affairs

APRIL 23, 2025

is the recommended library for integrating a JavaScript/TypeScript app with the XRP, it has more than 140.000 weekly downloads. Hundreds of thousands of applications and websites use this package, the package has been downloaded over 2.9 It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads.”

Cryptocurrency 109

Cryptocurrency Malware Hacking Risk 109

Security Affairs

MARCH 20, 2025

The archive contains a fake PDF report and DarkTortilla malware, which acts as a launcher for the Dark Crystal RAT ( DCRat ). The modular architecture of the malware allows to extend its functionalities for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

Computers and Electronics 109

Computers and Electronics Telecommunications Malware Surveillance 109

Security Affairs

MARCH 27, 2025

Cybercriminals are exploiting the popularity of DeepSeek by using fake sponsored Google ads to distribute malware. While DeepSeek is rising in popularity, threat actors are attempting to exploit it by using fake sponsored Google ads to distribute malware, Malwarebytes researchers warn. ” reads the alert published by Malwarebytes.

Malware 69

Malware Data collection Advertising Media 69

Security Affairs

OCTOBER 19, 2024

This led to a zero-click attack, requiring no user interaction, as the ad program automatically downloaded and rendered the malicious content. APT37 exploited this flaw to trick victims into downloading malware on their desktops with the toast ad program installed. dll), allowing type confusion to occur.

Internet 143

Internet Internet Engineering Malware 143

Security Affairs

FEBRUARY 4, 2025

Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous websites. The script retrieved from the remote server contains encoded data segments, which are decoded and executed to advance the malware’s operation.

Banking 119

Banking Malware Antivirus Cyber threats 119

Security Affairs

DECEMBER 26, 2024

In November 2024, the Akamai Security Intelligence Research Team (SIRT) observed increased activity targeting the URI /cgi-bin/cgi_main.cgi , linked to a Mirai-based malware campaign exploiting an unassigned RCE vulnerability in DVR devices, including DigiEver DS-2105 Pro. ” reads the analysis published by Akamai.

Manufacturing 90

Manufacturing Malware Firmware IoT 90

Security Affairs

MARCH 10, 2025

Kaspersky researchers discovered a mass malware campaign spreading SilentCryptoMiner by disguising it as a tool to bypass internet restrictions. While investigating the increased use of Windows Packet Divert ( WPD ) tools by crooks to distribute malware under this pretense, the researchers spotted the campaign.

Cryptocurrency 92

Cryptocurrency Malware Social Engineering Antivirus 92

Security Affairs

FEBRUARY 12, 2025

Upon running the code as an administrator, it downloads and installs a browser-based remote desktop tool and downloads a certificate file with a hardcoded PIN from a remote server. When opened, they execute PowerShell or Mshta to download malware like PebbleDash and RDP Wrapper, to control the infected systems.

Phishing 90

Phishing Malware Security Intelligence Hacking 90

Security Affairs

JULY 22, 2024

The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver the AsyncRAT and the legitimate open-source project BOINC. SocGholish attack chain involves a malicious JavaScript file that downloads further stages. top, with BOINC accessed directly by IP.

Malware 141

Malware Cryptocurrency Hacking Software 141

Security Affairs

JULY 30, 2024

A new version of the Mandrake Android spyware has been found in five apps on Google Play, which have been downloaded over 32,000 times since 2022. Researchers from Kaspersky discovered a new version of the Mandrake Android spyware in five app on Google Play, totaling over 32,000 downloads between 2022 and 2024.

Spyware 128

Spyware Malware Mobile Marketing 128

Security Affairs

JULY 14, 2024

A Dark Gate malware campaign from March-April 2024 demonstrates how attackers exploit legitimate tools and services to distribute malware. Palo Alto Networks Unit 42 researchers shared details about a DarkGate malware campaign from March-April 2024. The malware is considered a sophisticated threat and is continuously improved.

Malware 135

Malware Cybercrime Software Phishing 135

Security Affairs

MARCH 28, 2025

Clicking the “Download PDF” button leads to a zip payload from MediaFire. Clicking the “Download PDF” button triggers a JavaScript function that checks the browser and platform, then retrieves a Mediafire URL from a PHP file to download a.zip file. contaboserver[.]net. net to evade detection.”

Banking 90

Banking Phishing Malware Passwords 90

Security Affairs

NOVEMBER 21, 2024

. “In January, someone leaked the personal information of 263 journalists who had signed up to cover presidential activities.” “In that case, officials at the president’s press office later said the information appeared to have been downloaded using the password of a former employee.”

Government 144

Government Hacking Ransomware Insurance 144

Security Affairs

JANUARY 22, 2025

It extracts Python backdoors from ZIP files downloaded via remote SharePoint links and employs techniques associated with the FIN7 threat actor. STAC5777 was spotted using Microsoft Quick Assist and manual configuration changes to deploy malware.

Ransomware 98

Ransomware Malware Social Engineering Phishing 98

Security Affairs

SEPTEMBER 13, 2024

A new Linux malware called Hadooken targets Oracle WebLogic servers, it has been linked to several ransomware families. Aqua Security Nautilus researchers discovered a new Linux malware, called Hadooken, targeting Weblogic servers. Upon execution, the malware drops a Tsunami malware and deploys a cryptominer.

Malware 127

Malware Internet Internet Ransomware 127