100 links
tagged with malware
Click any tag below to further narrow down your results
Links
Released a C# version of TrollBlacklistDLL, which allows users to block and unblock DLLs from loading by patching LdrLoadDll in processes. It provides two executables, path.exe for spawning new processes and pid.exe for injecting into existing ones, with notes on their effectiveness against various antivirus and endpoint detection responses. The tool is intended for educational purposes and includes references to potential race conditions and detection evasion techniques.
Santa is a macOS binary and file access authorization system designed to monitor execution and file access, allowing users to manage binary permissions through a local database and various configuration options. It operates in MONITOR or LOCKDOWN modes, supports code signing and path-based rules, and can synchronize settings with remote servers. Santa aims to enhance security by preventing malware execution while integrating into existing defense strategies.
A new botnet named Androxgh0st is expanding its operations by exploiting vulnerabilities in university servers in the United States. The botnet is capable of executing various malicious activities, raising concerns about its potential impact on educational institutions and cybersecurity.
APT28, a Russian state-sponsored hacking group, has been using Signal chats to target Ukrainian government entities with new malware families, BeardShell and SlimAgent. These attacks involve phishing tactics to deliver malicious documents that exploit Windows vulnerabilities, allowing for data exfiltration and unauthorized access to sensitive information. CERT-UA has identified these activities, emphasizing the need for vigilance against threats linked to Signal's usage.
Malware often checks for the presence of certain hardware components, like CPU fans, to detect if it is running in a virtual machine. The article explains how to trick a virtual machine into believing it has a CPU fan by manipulating SMBIOS data, specifically using Xen or QEMU/KVM to set custom SMBIOS configurations. The process involves creating a binary file with the appropriate data structures to bypass these checks and facilitate malware analysis.
Threat actors are using a Japanese Unicode character to create deceptive phishing links that mimic legitimate Booking.com URLs, tricking users into visiting malicious sites. This technique exploits visual similarities in characters, making it difficult for users to discern the real domain. Security measures are suggested to help users identify and avoid such phishing attempts.
The article focuses on threat hunting techniques related to Cobalt Strike, a popular tool used for penetration testing and malicious cyber activities. It discusses the importance of identifying and mitigating threats posed by such tools, emphasizing proactive measures to enhance cybersecurity defenses.
The article discusses the release of the source code for Ermac v3.0, a sophisticated banking Trojan that has been used to steal sensitive information from users. It highlights the potential risks associated with this malware and urges users to be vigilant against security threats.
Malicious packages on the Python Package Index (PyPI) have been identified that deliver the SilentSync remote access Trojan (RAT) to unsuspecting users. These packages exploit the trust developers place in PyPI for downloading dependencies, highlighting the need for vigilance and security measures in the Python ecosystem.
Profero successfully decrypted DarkBit ransomware, enabling recovery of a victim's files without ransom payment. The attack, linked to Iranian state-sponsored actors, involved a unique encryption method that Profero exploited, ultimately leading to significant data recovery due to the sparse nature of the affected VMware ESXi server files. Profero is offering assistance to future victims but will not publicly release the decryptor.
The article discusses the vulnerabilities associated with TCC (Transparency, Consent, and Control) on macOS, which regulates app access to sensitive user data. It highlights the misconceptions among developers regarding TCC's importance in protecting user privacy and outlines various scenarios where malware could exploit TCC bypasses.
Hackers associated with the WinOS 4.0 malware have expanded their operations into Japan and Malaysia, deploying new variants of their malicious software. This increase in activity raises concerns about the potential impact on cybersecurity in these regions, as the malware targets specific vulnerabilities to infiltrate systems.
A developer almost fell victim to a sophisticated scam disguised as a job interview with a legitimate-looking blockchain company. By using AI to analyze the code before running it, he discovered embedded malware designed to steal sensitive information, highlighting the need for caution in tech interviews.
Malicious npm packages are utilizing the Ethereum blockchain to facilitate malware delivery, raising concerns about the security of the JavaScript package ecosystem. These packages exploit vulnerabilities to deliver harmful code, leveraging blockchain technologies to obfuscate their operations and evade detection. Developers are urged to exercise caution and implement protective measures against such threats.
ChaosBot, a new Rust-based malware, utilizes Discord for its command and control operations, showcasing a unique approach to evade traditional cybersecurity measures. By leveraging widely used platforms, it complicates detection and response efforts, raising concerns for security professionals. As the threat landscape evolves, understanding such tactics becomes crucial for effective defense strategies.
Threat actors are distributing a fraudulent PDF editing application named AppSuite PDF Editor, which delivers the TamperedChef info-stealer malware. This campaign, supported by Google ads and utilizing fraudulent certificates, has been orchestrated to maximize downloads before activating the malicious components that collect sensitive data and turn systems into residential proxies. Researchers warn that the operation involves multiple apps, some potentially yet to be weaponized, posing ongoing risks to users.
The article discusses a newly identified backdoor and persistence technique used by cyber attackers, highlighting how it is being hijacked and concealed within systems. It emphasizes the need for organizations to enhance their threat detection capabilities to combat this evolving method of attack. Insights into the implications for cybersecurity and recommendations for mitigation are also provided.
Russian malware known as Spypress is exploiting vulnerabilities in webmail services to spy on Ukrainian users, particularly targeting Gmail and Yahoo accounts. The malware facilitates unauthorized access to sensitive information, raising significant security concerns amid ongoing conflict.
Hundreds of e-commerce sites have been compromised in a supply-chain attack that allowed malware to execute malicious code in visitors' browsers, potentially stealing sensitive payment information. The attack involved at least three software providers and may have affected up to 1,000 sites, with the malware remaining dormant for six years before activation. Security firm Sansec reported limited global remediation efforts for the affected customers, including a major multinational company.
North Korean hackers have been identified as the creators of NimDoor, a new malware targeting macOS users through fake Zoom updates. This malware exploits vulnerabilities to gain unauthorized access to systems, highlighting ongoing cybersecurity threats from state-sponsored hacking groups.
An ongoing infostealer campaign is targeting Mac users through fraudulent GitHub repositories that masquerade as legitimate software downloads. The LastPass TIME team is raising awareness of this threat, which employs SEO tactics to position malicious links prominently in search results, and has already initiated takedown efforts against some of these fraudulent sites.
Threat actors are increasingly exploiting Discord webhooks to launch attacks, allowing them to send malicious payloads and automate harmful actions within servers. This trend highlights the need for heightened security awareness and protective measures against such vulnerabilities in popular communication platforms.
Hong Kong financial firms have recently been targeted by SquidLoader malware, which has been linked to a series of cyberattacks that aim to exfiltrate sensitive data. The malware utilizes various techniques to bypass security measures, raising concerns about the potential risks to the financial sector in the region. It is crucial for companies to enhance their cybersecurity protocols to mitigate such threats.
The U.S. Department of State is offering a reward of up to $10 million for information leading to the arrest of Maxim Alexandrovich Rudometov, the developer of the RedLine malware. This malware has been used by various cybercriminal groups to steal sensitive information from compromised systems worldwide.
A new rootkit leveraging the io_uring interface has been discovered, capable of bypassing traditional Linux security measures. This malicious software operates at a low level, allowing it to evade detection and maintain persistence on infected systems, raising significant concerns for system administrators and security professionals.
A new wiper malware, dubbed "PathWiper," has been used in a destructive cyberattack against critical infrastructure in Ukraine. Conducted through a legitimate endpoint administration framework, the attack showcases a sophisticated understanding of the victim's environment by the attackers, likely associated with Russian nation-state actors.
A new variant of spyware called Stealerium automates sextortion by detecting when users browse pornography, capturing screenshots and webcam images to blackmail victims. Researchers at Proofpoint revealed that this malware, available as open-source on GitHub, enhances traditional infostealer functions by adding a layer of privacy invasion and humiliation. The malware has been linked to multiple cybercriminal campaigns since May.
A threat actor known as WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions designed to steal cryptocurrency. The group uses deceptive tactics to make these extensions appear legitimate, leading to significant financial losses, including a recent incident involving a core Ethereum developer. Researchers emphasize the need for improved verification processes to protect users from such sophisticated attacks.
A vulnerability has been discovered in Canon printer drivers that allows hackers to execute malicious code on affected systems. Users are advised to update their drivers to mitigate potential security risks associated with this flaw. The issue highlights the importance of maintaining up-to-date software for safeguarding devices against cyber threats.
Jeffrey Bowie, CEO of Veritaco, was arrested for allegedly installing malware on hospital computers at St. Anthony Hospital in Oklahoma City. The malware was designed to take screenshots and send them to an external address, raising concerns about insider threats in healthcare cybersecurity.
The article discusses the evolution of malware, highlighting a new variant known as ClickFix that emerged from the notorious MonsterRat. It examines the techniques used by this malware to exploit vulnerabilities and the implications for cybersecurity.
Hackers are leveraging Google.com to distribute malware that evades traditional antivirus software, raising significant security concerns. Users are advised to employ various protective measures to safeguard their systems against these threats.
The article discusses the emergence of a new macOS malware known as "AppleProcessHub," which is designed to steal user credentials and sensitive data. It highlights the tactics used by the malware, including its ability to bypass security measures and target specific applications. The piece also emphasizes the importance of user awareness and security practices to mitigate risks associated with such threats.
The article discusses a ransomware attack targeting SimpleHelp, compromising its infrastructure and impacting users. This incident highlights the ongoing threats posed by ransomware and the importance of cybersecurity measures for businesses and service providers.
The article discusses the emergence of ScarCruft, a sophisticated threat actor that employs RokRat malware to conduct cyber espionage and data theft. It details the malware's capabilities and its targeted attacks against high-profile organizations. Additionally, the article emphasizes the importance of cybersecurity measures to counter such threats.
A new strain of malware named "Gayfemboy," based on the Mirai botnet, has been identified targeting vulnerabilities in devices from various vendors including DrayTek and TP-Link. The malware has shown evolved techniques for obfuscation, self-protection, and remote control, enabling attackers to gain control over infected systems and conduct DDoS attacks across multiple sectors worldwide.
Trellix's Advanced Research Center has uncovered a previously undetected infostealer malware named Myth Stealer, written in Rust and marketed on Telegram since late December 2024. This malware specifically targets video games, raising concerns about the security of the gaming community.
The article discusses the emergence of GPUGate malware, which utilizes malicious implants in GitHub Desktop to exploit hardware-specific decryption methods. It highlights the malware's targeting of Google Ads specifically in Western Europe and emphasizes the need for increased cybersecurity awareness and measures against such threats.
A set of ten malicious VSCode extensions on the Microsoft Visual Studio Code Marketplace has been found to infect users with the XMRig cryptominer for Monero. These extensions masquerade as legitimate tools and execute a PowerShell script to install the malware while also disabling critical Windows security features. Microsoft has since removed the extensions and blocked the publisher from the marketplace.
A malicious update in the npm package postmark-mcp introduced a backdoor that silently exfiltrates emails from users to an external server, highlighting severe vulnerabilities in the trust model of MCP servers used by AI assistants. With over 1,500 weekly downloads, developers unknowingly handed over complete email control to a compromised tool, raising alarms about the security of tools integrated into enterprise workflows. Immediate action is required to remove the malicious package and audit other MCP servers for similar risks.
Microsoft has identified a new malware, Lumma, which has been found on approximately 394,000 Windows PCs. The Lumma password stealer is designed to capture sensitive login information, raising significant security concerns for users. Microsoft is urging users to take precautions to protect their devices from this threat.
The article delves into the Gentlemen ransomware, exploring its modus operandi and the tactics employed by its operators. It highlights the impact of such ransomware on victims and discusses the broader implications for cybersecurity and ransomware trends.
A new type of Android malware, dubbed "Godfather," is capable of bypassing sandbox detection to steal sensitive user data from applications, including banking and cryptocurrency wallets. Researchers have noted its ability to impersonate legitimate apps and extract credentials, posing a significant threat to Android users.
Researchers from ESET have identified PromptLock, the first known AI-powered ransomware, which is currently a non-functional proof-of-concept. This prototype utilizes OpenAI's gpt-oss-20b model to generate malicious Lua scripts and operates within a controlled environment, highlighting the potential dangers of AI in cybercrime despite no active infections being reported.
The MCP server facilitates basic static triage of PE files using a large language model (LLM). Users can create markdown reports summarizing their analysis by providing sample paths and adjusting configuration settings in the triage.py script. The setup requires installing dependencies and includes features like integration with VT/AnyRun/Sandbox and hash lookups.
A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.
Nearly 270,000 websites have fallen victim to malicious JavaScript injections using a unique obfuscation technique called "JSF-ck." This method encodes JavaScript using only six ASCII characters, allowing attackers to redirect users or display harmful content through iframes. Security experts emphasize the importance of keeping web servers updated and monitoring for signs of compromise.
A new malware strain has emerged that targets WordPress sites by mimicking Cloudflare's checkout pages, potentially deceiving users into entering sensitive information. This malware exploits vulnerabilities in e-commerce platforms, posing a significant risk to both site owners and customers. Website administrators are urged to enhance their security measures to prevent such attacks.
Hacktivism is experiencing a resurgence, but many groups are increasingly linked to state-sponsored activities rather than independent activism. While some attacks are nuisance-level, others target critical infrastructure, raising concerns about their potential psychological and operational impacts. Experts warn that today's hacktivists can be sophisticated and may serve as tools for nation-states, blurring the lines between genuine activism and government-sponsored cyber operations.
Memory Integrity Enforcement (MIE) is Apple's latest advancement in memory safety, utilizing a combination of secure memory allocators and the Enhanced Memory Tagging Extension (EMTE) to provide continuous, robust protection against memory corruption vulnerabilities. By integrating hardware and software security measures, MIE aims to safeguard devices while maintaining performance, marking a significant evolution in consumer operating system security.
AgentHopper, an AI virus concept, was developed to exploit multiple coding agents through prompt injection vulnerabilities. This research highlights the ease of creating such malware and emphasizes the need for improved security measures in AI products to prevent potential exploits. The post also provides insights into the propagation mechanism of AgentHopper and offers mitigations for developers.
Kaspersky uncovered a cyber espionage campaign dubbed Operation ForumTroll, where sophisticated phishing emails led to infections via a zero-day exploit in Google Chrome. The malware identified, known as "Dante," was traced back to the Italian company Memento Labs and utilized advanced techniques to bypass browser security measures, highlighting ongoing vulnerabilities in web applications.
The latest version of the 'Crocodilus' Android malware now includes a feature that adds fake contacts to infected devices, allowing attackers to spoof trusted callers and enhance their social engineering tactics. Initially identified in Turkey, the malware has expanded its reach globally and incorporates advanced evasion techniques to avoid detection while stealing sensitive data. Android users are advised to exercise caution and download only from trusted sources to mitigate risks.
VirusTotal uncovered a phishing campaign that utilizes SVG files to create deceptive portals mimicking Colombia's judicial system, leading users to download malware. The AI Code Insight feature enabled the detection of these previously undetected SVG files, which cleverly employ JavaScript to simulate a legitimate download process. This highlights the growing use of SVGs in cyberattacks and the importance of AI in identifying such threats.
A new malware named SparkKitty has been discovered, targeting iOS and Android devices to steal sensitive images from users' photo galleries, particularly those containing cryptocurrency wallet seed phrases. It has been distributed through official app stores and malicious sites, showcasing advanced techniques to exploit app provisioning systems.
Ransomware strains, such as DarkSide, often have built-in failsafes preventing installation on computers with certain virtual keyboards, particularly those in Russian or Ukrainian languages. By installing these keyboards, users may protect themselves from specific malware, compelling cybercriminals to reconsider their targets due to potential legal repercussions in their home countries. However, this method is not a foolproof solution against all malware threats.
Slow Pisces, a North Korean state-sponsored threat group, has stolen over $1 billion from the cryptocurrency sector in 2023 by targeting developers through disguised job offers on LinkedIn. They use malware hidden within coding challenges and have been linked to significant thefts from cryptocurrency companies, prompting action from GitHub and LinkedIn to remove malicious accounts. The malware employs advanced techniques like YAML deserialization to evade detection and execute additional payloads.
Google’s AppBound Cookie Encryption was introduced in July 2024 to enhance cookie security in Chrome, requiring malware to operate with elevated privileges for cookie theft. However, research revealed vulnerabilities that allow low-privileged malware to exploit the system, including COM hijacking and the development of a tool called C4 (Chrome Cookie Cipher Cracker) to bypass these protections. The findings emphasize the ongoing battle between security advancements and malware adaptation.
The article appears to be corrupted or improperly formatted, making it difficult to extract coherent information or insights regarding its content. As a result, the intended analysis or briefing on the "scattered spider threat" is not accessible.
An artist recounts a phishing experience where a seemingly legitimate journalist's email led to the installation of malware on his Mac. After realizing his mistake, he took immediate action to secure his accounts and reported the incident to authorities, while also analyzing the malware to better understand the threat it posed.
A Python proof-of-concept script allows users to dump sensitive files such as SAM, SYSTEM, and NTDS.dit from a physical disk without triggering security alerts by bypassing standard Windows file APIs. It operates by directly reading NTFS filesystem structures, obfuscating the output with XOR encryption to avoid detection by EDR/AV systems. This tool is intended for educational purposes only and should be used in a controlled test environment.
A new cyber espionage campaign named "Blind Eagle" has been linked to the Russian group known as Proton66, targeting organizations in Latin America. The attacks primarily focus on stealing sensitive information using sophisticated malware and phishing techniques to compromise victim systems. Experts warn that this campaign illustrates the increasing threat posed by state-sponsored actors in the region.
A newly discovered WinRAR vulnerability, tracked as CVE-2025-8088, has been exploited in phishing attacks to deploy RomCom malware. The flaw allows attackers to create malicious archives that can extract executables into paths that enable remote code execution when a user logs in. Users are urged to update to WinRAR 7.13 to mitigate this risk.
A malicious desktop application posing as a ChatGPT client, named PipeMagic, has been found to contain a backdoor that compromises users' security. The fraudulent app can potentially allow attackers to execute harmful commands on infected systems, raising concerns about software authenticity and cybersecurity practices. Users are advised to avoid downloading unverified applications and ensure software comes from trusted sources.
A new attack method called 'SmartAttack' exploits smartwatches to covertly exfiltrate data from air-gapped systems by using ultrasonic signals emitted from a compromised computer's speaker. Researchers highlight the attack's reliance on malware to gather sensitive information, which is then transmitted to nearby smartwatches that can decode the signals. To mitigate this threat, it is recommended to prohibit smartwatches in secure environments and consider hardware modifications to air-gapped systems.
Sketchy is a cross-platform security scanner designed to identify potential risks in GitHub repositories, packages, or scripts before installation. It highlights various security concerns, including code execution patterns and credential theft, helping users avoid malicious software. The tool is open-source and encourages users to audit its code and report any malware findings.
Over 4,000 victims in 62 countries have been targeted by the PXA Stealer malware, which has stolen hundreds of credit card numbers, 200,000 passwords, and over 4 million browser cookies. This Python-based infostealer uses sophisticated phishing techniques and has evolved to evade detection, exfiltrating sensitive data through Telegram-based marketplaces.
Nimhawk is an actively developed command and control (C2) framework that builds on the NimPlant project, offering enhanced modularity, security, and a user-friendly web interface for managing implants. Currently, it supports Windows x64 platforms, with plans for a Linux agent in the future. The project encourages community contributions and provides detailed documentation for developers.
Researchers at Mandiant have discovered a new malware strain dubbed "UNC6032," which utilizes AI-generated video content to deceive victims. The malware operates primarily through phishing campaigns, leveraging convincing videos to trick users into downloading malicious software. This highlights a growing trend in cyber threats where AI technology is exploited for malicious purposes.
A sophisticated npm attack employs over seven layers of obfuscation to distribute the Pulsar Remote Administration Tool (RAT). The obfuscation techniques include the use of Japanese Unicode characters, hexadecimal encoding, array shuffling, binary array encoding, and even image steganography to conceal malicious code within a PNG image. The malicious npm package remains publicly available, highlighting ongoing cybersecurity risks.
A browser hijacking campaign has infected 2.3 million users of Chrome and Edge through malicious extensions that started as legitimate tools. These extensions, which include features like color pickers and emoji keyboards, were later updated to include malware that tracks user activity and redirects browser sessions. Microsoft has removed the extensions from its store, but Google has not yet responded to the incident.
LastPass has alerted macOS users about a malicious campaign using fake password managers and other software, which deliver the Atomic info-stealing malware through deceptive GitHub repositories. The campaign employs search engine optimization tactics to promote these fraudulent applications, urging users to execute potentially harmful commands that install malware on their systems. Users are advised to only download software from official sources to avoid such threats.
A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.
A recent threat research report highlights three malicious Go modules that use obfuscation techniques to deliver destructive payloads capable of wiping entire disks. These modules exploit the open nature of the Go ecosystem, allowing attackers to masquerade as legitimate libraries, leading to irreversible data loss for unsuspecting developers.
A new FileFix social engineering attack mimics Meta account suspension alerts to deceive users into installing the StealC infostealer malware. It utilizes a multi-language phishing page that instructs victims to copy a disguised PowerShell command into the File Explorer address bar, ultimately leading to the execution of malicious code hidden within a JPG image. Acronis highlights the evolution of this attack method and emphasizes the need for heightened awareness against such sophisticated phishing tactics.
Over 300 entities have been affected by a new variant of the Atomic MacOS Stealer malware in a recent campaign. This malicious software targets MacOS systems to extract sensitive information, raising concerns about the security of Apple devices. Cybersecurity experts are advising users to remain vigilant and implement protective measures.
A North Korean hacking group, dubbed Elusive Comet, has been caught using Zoom's remote control feature to hijack victims' computers during seemingly legitimate business calls. By employing social engineering tactics, they trick individuals into granting remote access, allowing malware installation and data exfiltration.
CISA has released an analysis detailing malware used in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), specifically an authentication bypass and a code injection issue. The vulnerabilities, already being exploited by a China-nexus espionage group, allow for arbitrary code execution and data exfiltration. CISA recommends immediate patching of affected systems and treating mobile device management solutions as high-value assets.
A hacker is exploiting GitHub by distributing backdoored source code, specifically targeting hackers, gamers, and researchers. The malicious repositories, linked to the publisher "ischhfd83," deploy hidden backdoors through various means, leading to the installation of remote access trojans and info-stealers, which pose significant risks to users who compile the code. Sophos researchers warn of the sophisticated multi-step infection process that follows the download of these trojanized files.
The article discusses a new malware identified as "Sparrow," attributed to a Chinese cyber espionage group known as FamousSparrow. This malware poses a significant threat to organizations in the Americas by exploiting vulnerabilities in various systems to conduct surveillance and data theft.
A new variant of the Coyote Trojan has been identified, which exploits Microsoft UI Automation to carry out banking attacks. This malware is capable of intercepting user inputs and manipulating user interfaces to steal sensitive information from victims. Cybersecurity experts warn that users should be vigilant and take necessary precautions to protect their banking credentials.
iClicker's website was compromised in a ClickFix attack that used a fake CAPTCHA to trick users into executing a PowerShell script that potentially installed malware on their devices. The attack, targeting college students and instructors, aimed to steal sensitive data, but the malware's specific nature varied based on the visitor type. Users who interacted with the fake CAPTCHA between April 12 and April 16, 2025, are advised to change their passwords and run security checks on their devices.
A security warning has been issued regarding a major printer vendor's software that was found to contain malware, potentially compromising user data and system integrity. Users are advised to uninstall the affected software immediately and check for any unusual activity on their devices.
Microsoft has discovered a new variant of the XCSSET malware targeting macOS systems, which is being used in targeted attacks against specific individuals. This malware exploits vulnerabilities to gain unauthorized access and control over compromised devices, highlighting ongoing threats to macOS users.
Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io and designed to steal cryptocurrency private keys by scanning developers' systems for sensitive information. Discovered by security researchers at Socket, the packages were removed and their publishers banned, urging affected developers to clean their systems and secure their digital assets.
The article explores advanced techniques in Cyberchef to deobfuscate a .vbs loader for Nanocore malware, detailing steps such as identifying and manipulating ASCII character codes, alternating decimal and hex values, and applying mathematical operations. It provides a comprehensive guide on using regular expressions and Cyberchef operations to transform the obfuscated code into a readable format, ultimately revealing the underlying payload.
Samsung has addressed a critical remote code execution vulnerability (CVE-2025-21043) affecting Android devices running version 13 or later, which was exploited in zero-day attacks. Discovered in a closed-source image parsing library, the flaw allows attackers to execute malicious code remotely. Meta and WhatsApp reported the vulnerability, highlighting the importance of keeping devices updated to mitigate such risks.
A malicious post-install command executed during the installation of the nx build kit created unauthorized GitHub repositories in users' accounts, stealing sensitive information like wallets and API keys. Organizations are urged to review their GitHub activity and rotate credentials to mitigate exposure, while ongoing investigations continue into the incident.
Hellcat ransomware has been found targeting firms by stealing Jira credentials, leading to significant data breaches. The malware is designed to extract sensitive information and poses a serious threat to organizations that rely on Jira for project management and collaboration. Cybersecurity experts are urging companies to enhance their defenses against such sophisticated attacks.
Researchers have introduced a new malware technique named "Shade BIOS," which operates directly within a computer's BIOS, circumventing all traditional security measures. By requiring minimal interaction with an operating system, this method allows attackers to execute malicious actions undetected, presenting significant challenges for conventional cybersecurity defenses.
A new version of the Atomic macOS info-stealer malware has been discovered, featuring a persistent backdoor that allows attackers to maintain indefinite access to compromised systems. Analyzed by Moonlock, the malware targets macOS files and user data, exploiting phishing tactics and advanced evasion techniques to execute remote commands and survive system reboots.
A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.
The article discusses the exploitation of Microsoft Teams for delivering malware through direct messages, highlighting the tactics employed by cybercriminals to bypass security measures. It emphasizes the need for organizations to enhance their cybersecurity protocols to mitigate such threats.
VMDragonSlayer is an advanced framework designed for the automated analysis of binaries protected by various Virtual Machine (VM) protectors, utilizing multiple analysis engines such as Dynamic Taint Tracking and Symbolic Execution. Its goal is to streamline and enhance the reverse engineering process, transforming what typically takes weeks or months into efficient, structured analysis. The framework supports integration with popular reverse engineering tools and features a modular architecture for extensibility and custom workflows.
A new Linux malware called "Plague" has been discovered, allowing attackers persistent SSH access while evading traditional detection methods for over a year. It employs advanced obfuscation techniques and environment tampering to eliminate traces of malicious activity, making it particularly difficult to identify and analyze. Researchers emphasize its sophisticated nature and the ongoing threat it poses to Linux systems.
Spanish authorities have arrested a 25-year-old Brazilian national known as GoogleXcoder, who is accused of leading the GXC Team crime-as-a-service operation that sold phishing kits and Android malware. The GXC Team targeted banks and other organizations, contributing to significant financial losses through their phishing campaigns.
Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware through a method called authenticode stuffing, which alters hidden settings in the software's digital signature. This has led to infections reported via phishing attacks that trick users into downloading malicious executables disguised as legitimate software. ConnectWise has since revoked the certificate used for these binaries, but the campaign highlights the risks of using modified enterprise tools.
A malicious campaign is targeting macOS developers through fake Homebrew, LogMeIn, and TradingView platforms that distribute infostealing malware such as AMOS and Odyssey. The campaign uses deceptive tactics to trick users into executing harmful commands in Terminal, leading to the theft of sensitive information from their systems. Researchers identified over 85 domains involved in this scheme, which are promoted via Google Ads to appear in search results.
The article explores techniques for making virtual machines mimic real hardware to deceive malware. By presenting a more authentic environment, it aims to hinder malware's ability to detect its surroundings and improve security measures against malicious software.
The DetectRaptor repository provides a collection of Velociraptor detection artifacts for easy public access and use. Users can import the VQL zip file into Velociraptor through the artifact exchange feature, which includes various detection methods for Windows, Linux, and macOS systems. Current artifacts cover a range of detection scenarios, including malware and system behavior analysis.