Malware analysis, reverse engineering findings, and detection guidance.
32 items
NFCShare Android malware variants are being distributed as fake updates for legitimate banking applications hosted on GitHub repositories. This attack exploits developer trust in source code platforms and user expectations of app updates, bypassing traditional mobile security controls.
A new Gafgyt botnet variant called C0XMO is actively targeting DD-WRT router firmware vulnerabilities to establish a botnet capable of spreading to multiple device architectures. This represents an evolution in router-targeting malware with potential for rapid propagation across heterogeneous IoT environments.
A previously unidentified threat actor is distributing NetSupport RAT, a legitimate remote access tool repurposed for malicious purposes. This represents an active malware campaign using RAT tooling for post-compromise control.
Dutch law enforcement and the NCSC successfully dismantled a botnet commanding at least 17 million infected devices across multiple platforms, with over 200 command-and-control servers operating from the Netherlands. This represents a significant disruption to a large-scale criminal infrastructure, though the source and purpose of the botnet remain unclear from available details.
Threat actors are abusing ChatGPT's legitimate content-sharing feature to host convincing fake OpenAI outage pages that redirect users to download malware masquerading as the official ChatGPT desktop client. This exploits user trust in OpenAI's infrastructure and takes advantage of the feature's legitimacy to bypass security filters.
A phishing campaign is distributing ACR Stealer through fake Claude AI pages. This represents an active social engineering threat targeting users seeking legitimate AI tools.
Canadian authorities arrested a 23-year-old suspected operator of Kimwolf, an IoT botnet that compromised millions of devices for large-scale DDoS attacks. The arrest and cross-border charges signal coordinated enforcement against botnet operators who target journalists and security researchers.
Ukrainian cyberpolice and U.S. law enforcement identified and disrupted an infostealer malware operation run by an 18-year-old from Odesa who had compromised approximately 28,000 user accounts from a California-based online retailer. The case demonstrates effective international law enforcement coordination against financially-motivated cybercriminals operating from Eastern Europe.
Symantec and Carbon Black have analysed the Lua-based Fast16 malware, a pre-Stuxnet cyber sabotage tool designed to corrupt uranium-compression simulations used in nuclear weapons design. The discovery provides historical evidence of advanced persistent threat capabilities targeting critical infrastructure simulation environments.
Russian state-sponsored group Turla has rebuilt its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent command-and-control. This represents a significant operational upgrade that complicates detection and attribution for defenders.
VECT 2.0 ransomware contains a critical implementation flaw in nonce handling that causes it to permanently destroy files above a certain size rather than encrypt them. This unintended behaviour converts the malware into a data wiper, eliminating ransom recovery options and increasing damage to victims.
Researchers discovered a Lua-based malware framework dating to 2005 that targeted engineering software for cyber sabotage, predating Stuxnet by several years and suggesting a deeper operational history of state-sponsored infrastructure attacks.
Threat actor UNC6692 is using Microsoft Teams to socially engineer targets into executing a custom malware suite called Snow, which comprises a browser extension, tunneler, and backdoor. This represents a shift toward trusted communication platforms as malware delivery vectors, complicating detection and increasing organisational risk.
Custom malware called Firestarter persists on Cisco Firepower and ASA devices even after security patches and firmware updates, indicating attackers have achieved privileged compromise that survives standard remediation procedures.
Trigona ransomware operators have developed a custom command-line exfiltration utility to speed up data theft from compromised networks. This represents a shift toward operationalised tooling that reduces dwell time and increases the volume of data stolen per attack.
26 fraudulent cryptocurrency wallet apps mimicking Metamask, Coinbase, Trust Wallet, and OneKey were distributed through Apple's App Store in China, designed to harvest seed phrases and drain user funds. This represents a significant supply chain compromise of a trusted platform targeting high-value assets.
Payouts King ransomware operators are deploying QEMU virtual machines as covert execution containers, using reverse SSH tunnels to maintain hidden command channels that bypass endpoint detection and response tools. This represents a maturation of VM-based evasion tactics in ransomware operations.
ZionSiphon is a newly discovered malware family purpose-built for operational technology environments, specifically engineered to disrupt water treatment and desalination plants. This represents a shift toward adversary-developed sabotage tools for critical infrastructure rather than repurposed IT malware.
CrystalRAT is a new malware-as-a-service offering combining remote access, data theft, keylogging, and clipboard hijacking, distributed via Telegram. The bundling of multiple attack capabilities into a single commodity service lowers the barrier to entry for financially motivated threat actors.
A new iOS exploit kit called Coruna reuses and updates kernel exploits originally deployed in Operation Triangulation three years ago, indicating that sophisticated threat actors are recycling proven attack code rather than developing entirely new exploits.
Hambardzum Minasyan, an Armenian national allegedly involved in developing and administering the RedLine infostealer, has been extradited to the United States. This arrest represents a significant enforcement action against a malware-as-a-service operation that has compromised thousands of organisations globally.
Attackers are deploying payment skimmers that abuse WebRTC data channels to receive malicious payloads and exfiltrate stolen card data, successfully circumventing Content Security Policy controls that block traditional HTTP-based exfiltration vectors.
Torg Grabber is a new infostealer malware targeting 850 browser extensions, predominantly cryptocurrency wallets, to exfiltrate private keys and sensitive account credentials. This represents a significant threat to the crypto ecosystem given the direct targeting of wallet software.
VoidStealer malware has developed a novel technique to bypass Chrome's Application-Bound Encryption (ABE) by leveraging debugger access to extract the browser's master encryption key. This enables attackers to decrypt sensitive stored data including passwords and payment information without user interaction.
Over 100 GitHub repositories are distributing BoryptGrab Stealer, a malware targeting browser and cryptocurrency wallet data, posing significant risks to users.
Ransomware operators are using a combination of legitimate Windows tools and the ClickFix technique to deploy DonutLoader malware and CastleRAT backdoors, posing a significant threat to systems.
The QuickLens Chrome extension was removed after being compromised to push malware aimed at stealing cryptocurrency from users. The attack highlights vulnerabilities in third-party browser extensions and the risks of crypto-related phishing.
North Korean hackers, APT37, are using newly discovered malware to breach air-gapped networks by leveraging removable drives and conducting covert surveillance.
UK retailer Co-op shut down parts of its IT infrastructure after detecting unauthorized access, becoming the second major British retailer hit by cyberattack in weeks following Marks & Spencer.
UK retail giant Marks & Spencer suffered a significant cyberattack that disrupted contactless payments, click-and-collect services, and online ordering, attributed to the DragonForce ransomware operation working with Scattered Spider affiliates.
FBI, CISA, and MS-ISAC warn that the Medusa ransomware-as-a-service operation has impacted over 300 organizations across critical infrastructure sectors since 2021.
A joint advisory warns that the Ghost (Cring) ransomware group, operating from China, has compromised organizations across 70 countries by exploiting known vulnerabilities in internet-facing services.