ALERTS VIRUS




Columns: DATE, NAME, CATEGORY, SUBCATEGORY, INFO

1.11.24

New variant of FakeCall Android malware

ALERTS VIRUS

A new variant of the Android malware called FakeCall has been observed in the wild. The attackers behind this malware employ voice phishing (vishing) techniques to trick victims into disclosing sensitive information such as credentials or banking details. By abusing the Android Accessibility Service, FakeCall grants the attackers considerable remote control over infected devices, allowing them to simulate user actions, intercept incoming or outgoing calls, manipulate the device camera, and more. FakeCall also collects user contacts, call logs and SMS messages from compromised devices. The collected data is then forwarded to C2 servers controlled by the attackers.

1.11.24

A possible Bumblebee Loader resurgence

ALERTS VIRUS

A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a highly sophisticated downloader variant first discovered in 2022. The malware has been spread across a multitude of malicious campaigns and used for the delivery and execution of miscellaneous payloads such as Cobalt Strike, ransomware and others. Since the botnet disruption campaign called Operation Endgame, conducted by Europol in May 2024, Bumblebee had not been observed until now. The new Bumblebee infection chain incorporates malicious .zip archives, PowerShell commands, .lnk and .msi files, all leading to payloads deployed in the form of .dll binaries.

1.11.24

Malicious "Lounge Pass" app targets air travelers in India

ALERTS VIRUS

A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts and forwards SMS messages from victims' devices to cybercriminals, leading to significant financial losses. The scammers exploited an exposed Firebase endpoint to store the stolen SMS messages. To prevent data theft, it is recommended to download apps only from official stores and to refrain from granting SMS access to travel or lounge apps.

1.11.24

Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware

ALERTS VIRUS

Threat actors are increasingly using fake CAPTCHA pages as an initial attack vector. A recent adware campaign targets online users by presenting them with fake CAPTCHA or update prompts. Attackers leverage ad networks to redirect victims to compromised sites that host these social engineering lures. Once lured, victims trigger PowerShell commands that deploy credential-stealing malware such as Lumma, which harvests cryptocurrency wallets, passwords and browser data, or Amadey, which gathers credentials and can deploy Remcos RAT.

1.11.24

Rekoobe malware found potentially targeting TradingView users

ALERTS VIRUS

An open directory has been discovered hosting Rekoobe malware, potentially aimed at TradingView users along with other cyber espionage campaigns. Rekoobe is a versatile backdoor previously deployed by APT31 and other adversaries engaged in cyber espionage and data theft. Based partially on the publicly available Tiny SHell, the malware has evolved to incorporate enhanced encryption techniques and unique command-and-control configurations, making analysis and detection more difficult.

1.11.24

Daggerfly targets Taiwanese entities with new CloudScout Toolset

ALERTS VIRUS

Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF and, if that fails, direct them to a Dropbox link that downloads a ZIP file containing a URL that connects to the attacker's servers and downloads additional malicious scripts, enabling control over the victim's machine.

27.10.24

Parano Stealer

ALERTS VIRUS

Parano Stealer is another "run-of-the-mill" infostealer variant recently observed in the wild. This Python-based malware has functionality to collect and exfiltrate various information from compromised endpoints, including credentials, cookies, miscellaneous data stored in web browsers, cryptocurrency wallets, system information and data from various third-party applications like Steam, Telegram or Discord.

27.10.24

Liberium RAT malware

ALERTS VIRUS

Liberium RAT (also known as ShadowRoot) is a malware variant recently advertised for sale on hacking forums. The malware gives attackers remote access to vulnerable endpoints and supports file management operations, registry manipulation, and theft of system-related information and other confidential data.

27.10.24

DarkComet Backdoor

ALERTS VIRUS

DarkComet is a powerful Remote Access Trojan (RAT) that remains a significant threat because of its stealthy operations and comprehensive functionality. It enables attackers to remotely control infected devices, exfiltrate sensitive data, and deploy further malware. It can evade detection by altering file attributes, manipulating registry keys and escalating privileges. Additionally, it communicates with a command-and-control (C2) server to carry out various commands, including capturing keystrokes and controlling display devices.

27.10.24

Threat actors distribute WarmCookie malware via various campaigns

ALERTS VIRUS

WarmCookie is malware that has been observed being distributed through various campaigns, including malicious emails. This malware provides initial access to a compromised victim and is used to establish persistence. Additional functionality associated with WarmCookie includes remote command execution, file system manipulation, and payload delivery, among others. A recent report by Cisco Talos provides a technical analysis as well as data to support attribution of the malware to the threat actor group TA866.

27.10.24

Phemedrone Stealer

ALERTS VIRUS

Phemedrone is an open-source infostealer variant observed being distributed in the wild this year. The malware is written in C# and has the functionality to collect and exfiltrate various sensitive information such as login credentials, data stored in browsers, cookies, credit card information, cryptocurrency wallets, files stored in "My Documents" folders and data from other third-party apps such as Steam, Discord or Telegram.

27.10.24

Phemedrone Stealer

ALERTS VIRUS

Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration.

27.10.24

Ghostpulse Malware: Shifting tactics from PNGs to Pixel values

ALERTS VIRUS

According to recent reports, Ghostpulse malware has evolved its tactics, shifting from hiding its encrypted configuration and payload in the IDAT chunk of PNG files to embedding it directly within the pixel values themselves to evade detection. In recent campaigns, attackers have employed social engineering techniques such as fake CAPTCHA validations to deceive users, which ultimately triggers malicious commands via Windows keyboard shortcuts.

27.10.24

Threat actors abusing open-source phishing framework to deliver RATs

ALERTS VIRUS

A recent report by CTA member Cisco Talos discloses a new phishing campaign abusing the open-source phishing readiness assessment framework 'Gophish' to deploy one of two attack chains. The first uses Pidief-infected Office documents to deploy a newly discovered PowerShell RAT dubbed 'PowerRAT', while the second employs malicious HTML files and GOLoader to deploy DCRAT.

27.10.24

Lumma Stealer delivered via Fake CAPTCHA

ALERTS VIRUS

Researchers are monitoring an ongoing phishing campaign in which attackers appear to have upgraded their tactics from traditional phishing to the use of fake CAPTCHA pages and the abuse of legitimate software. The intention is to lure users into executing a payload called Lumma Stealer. This infostealing malware is a MaaS (Malware-as-a-Service) variant that steals sensitive data such as passwords and cryptocurrency information.

27.10.24

Emerging Stealer Variants: Divulge, DedSec, and Duck Stealers

ALERTS VIRUS

Multiple stealers have been observed being advertised on hacker forums, GitHub, and Telegram, all developed and promoted by the same entity. Notable variants include Divulge Stealer (a copy of Umbral), DedSec Stealer (based on Doenerium), and Duck Stealer (a derivative of AZStealer). These variants primarily target Discord data, browser information and cryptocurrency wallets, and employ anti-analysis techniques to evade detection and operate effectively in the background.

27.10.24

TrickMo targeting Android users with fake lock-screen

ALERTS VIRUS

Security researchers have recently disclosed a new variant of TrickMo, a mobile banking trojan that targets Android and iOS users. This new variant adds new functionality to the existing capabilities, such as screen recording, remote control, and permissions granting: TrickMo now includes the ability to steal screen lock codes and unique device identifiers from infected devices. When the malicious app is run it displays a full-screen webpage designed to mimic the standard lock-screen, and if the user enters their lock-screen code it is exfiltrated via PHP to the attackers for later use.

27.10.24

Meduza Stealer

ALERTS VIRUS

Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings.

27.10.24

New Linux variant of FASTCash malware discovered

ALERTS VIRUS

A new Linux variant of the FASTCash malware (a tool which CISA has attributed to North Korea) has been discovered. FASTCash is malware that is implanted within compromised networks and leveraged to perform unauthorized banking transactions. It does this by intercepting transaction messages and generating fraudulent responses in return, thereby defrauding the ATM/PoS card user.

27.10.24

ThunderKitty malware

ALERTS VIRUS

ThunderKitty is a Go-based open-source infostealer variant seen in the wild. The malware has the functionality to collect miscellaneous information from infected machines including banking details, Discord session tokens, cookies, browser history and other data stored in browsers. ThunderKitty implements several evasion and anti-analysis techniques, including VM environment and debugger presence detection, as well as persistence mechanisms.

27.10.24

MiyaRat: The latest tool from the Bitter APT group

ALERTS VIRUS

The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been observed deploying a new malware known as MiyaRat. This malware is capable of collecting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions.

27.10.24

Abuse of Code-Signing Certificates in Lumma Stealer deployment via HijackLoader

ALERTS VIRUS

A malware campaign has been observed deploying Lumma Stealer using HijackLoader. The attack vector employs a "fake CAPTCHA" to lure users into executing a PowerShell payload that downloads a ZIP archive containing either a DLL or a signed HijackLoader binary. This binary is then loaded via DLL sideloading, ultimately installing Lumma Stealer. Multiple code-signing certificates were abused to sign the malware, obtained from various issuing certificate authorities that are largely automated, requiring only a valid company registration number and a contact person.

27.10.24

CoreWarrior Malware

ALERTS VIRUS

Researchers investigated a malware named CoreWarrior and found that this variant aggressively spreads by creating numerous copies, connecting to various IP addresses, opening multiple backdoor access points, and intercepting Windows UI elements for surveillance purposes.

27.10.24

Core Werewolf utilizes AutoIt loader and Telegram for Cyber attacks

ALERTS VIRUS

The Core Werewolf threat actor group, which primarily targets Russia's defense industry and critical infrastructure, has been observed using new tools including an AutoIt loader and delivering malicious files via Telegram in addition to email. As part of their attack chain, they utilize RAR archives containing SFX executables that deploy obfuscated AutoIt scripts, legitimate AutoIt interpreters, and decoy PDF documents. The loader collects system information, encrypts and transfers files, and communicates with a command-and-control server for data exfiltration. To evade detection, the attackers employ deceptive file names that correspond to the content of the decoy documents.

27.10.24

ErrorFather Android Trojan

ALERTS VIRUS

ErrorFather is a variant of the Cerberus Android banking trojan, which came to light in 2019. The variant utilizes a multi-stage dropper to deploy its payload and can execute financial fraud through remote attacks, keylogging, and overlay tactics. The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered.

27.10.24

Demodex targeting American telecommunications

ALERTS VIRUS

APT group 'Squash' has been reported to be utilizing Demodex to target American telecommunications providers. Demodex, a rootkit, is used to establish persistence; files with fake file headers (PNG, JPEG and WAV have been observed) are then used to help evade detection and to establish C2 communications.

27.10.24

New Pronsis Loader malware leveraged for Lumma Stealer and Latrodectus delivery

ALERTS VIRUS

Pronsis Loader is a new malware variant leveraged recently in campaigns delivering Lumma Stealer and Latrodectus payloads. The malware utilizes executables compiled in the JPHP programming language, which is a Java implementation of PHP. Pronsis also uses the Nullsoft Scriptable Install System (NSIS) for the deployments in the observed campaigns. The malware implements certain detection evasion techniques, such as excluding the user's profile directory path from Windows Defender scanning.

27.10.24

LemonDuck: The evolving Multi-Platform cryptomining malware

ALERTS VIRUS

LemonDuck, a well-known cryptomining malware, has evolved into a multi-platform threat and has been observed exploiting SMB vulnerabilities, particularly EternalBlue, as part of its attack vector to gain network access. The malware employs techniques such as brute-force attacks, creating hidden administrative shares, and executing malicious actions via batch files and PowerShell scripts. LemonDuck has the capability to create scheduled tasks, disable Windows Defender, and utilize anti-detection mechanisms for persistence. It disguises itself as legitimate system services and manipulates firewall settings, in addition to using Mimikatz for credential theft.

27.10.24

Havoc Framework

ALERTS VIRUS

Researchers have found that cybercriminals are increasingly leveraging pen testing tools like the Havoc framework to evade security systems. This tool is less recognized than others, such as Cobalt Strike or Metasploit, which makes it harder to spot. The Mysterious Werewolf group is using strategies similar to the Mythic framework, and phishing emails that mimic legitimate organizations remain a common tactic for gaining unauthorized access.

27.10.24

CleanUpLoader Leveraged By Rhysida

ALERTS VIRUS

A recent report shed light on a loader/backdoor known as "CleanUpLoader," used by the double-extortion ransomware actor "Rhysida" as an initial vector of infection. It is typically disguised as a software installer for products like Microsoft Teams or Google Chrome. The loader facilitates communication with multiple command-and-control (C2) servers, allowing Rhysida to establish persistence and perform data exfiltration.

27.10.24

Lua-based malware variants target the educational sector

ALERTS VIRUS

There has been a recent surge in Lua-based malware targeting students, specifically attacks that capitalize on popular games within the student gamer community and target users searching for gaming cheats. Threat actors leverage fake game cheats to trick users into downloading this malware. The Lua-based malware is capable of establishing persistence on infected systems, exfiltrating harvested credentials, and delivering additional payloads.

27.10.24

Horus Protector

ALERTS VIRUS

A new malware distribution service called Horus Protector has been uncovered. It claims to be a Fully Undetectable (FUD) crypter and distributes various malware families, including AgentTesla, Remcos, Snake, and NjRat. The service distributes malware using a .zip file that contains a VBE script and gathers information from users' machines to transmit to its server.

27.10.24

A Recent PhantomLoader Campaign

ALERTS VIRUS

PhantomLoader is a malware that disguises itself as a legitimate 32-bit DLL of a certain antivirus product and was recently found posing as "PatchUp.exe," a genuine component of that software. The malicious loader was observed using binary patching and self-modifying techniques to load Rust-based malware dubbed SSLoad into memory.

27.10.24

Malvertising campaign leads to malicious Windows and Mac payloads

ALERTS VIRUS

A recently published report identified a campaign in which advertisers push ads for utility software, such as Slack or Notion, that lead to downloads of malicious payloads. The advertisers registered under existing businesses and distributed ads that target both Windows and Mac users. After multiple redirects, users are served downloads of stealer-type malware masquerading as the advertised software.

27.10.24

Yunit Stealer - an infostealing malware with geofencing capabilities

ALERTS VIRUS

Yunit Stealer is a malware variant recently distributed in the wild. Yunit has extensive infostealing capabilities including theft and exfiltration of credentials, credit card data, cryptocurrency wallets, cookies, auto-fill data and others. The collected information is exfiltrated via Discord or Telegram webhooks back to the attackers. Yunit employs various persistence techniques, obfuscation and defense evasion, as well as geofencing techniques ensuring only victims from targeted geographic locations get infected with the malware.

27.10.24

Vilsa Stealer

ALERTS VIRUS

Vilsa Stealer is a new infostealer malware variant identified in the wild. The malware has the functionality to exfiltrate miscellaneous confidential data from the infected machine, including browser data, credentials, autofill data, cookies, banking information, cryptocurrency wallets, Discord tokens and Telegram data, among others. The extracted information is uploaded back to the remote attackers by leveraging the GoFile API. Vilsa Stealer also employs some anti-analysis and anti-VM capabilities meant to make detection of and protection against this infostealer more difficult.

27.10.24

Falcon Keylogger

ALERTS VIRUS

Falcon is a keylogger variant recently active in the wild. Older samples of this malware date back to 2019, while the latest observed are from just last month. Falcon has the functionality to record keystrokes on the infected machine, collect system information, capture screenshots, and more. The collected data is subsequently exfiltrated to C2 servers controlled by the attackers. Keyloggers such as Falcon can be used by threat actors to gain access to confidential information including credentials, banking data and others.

27.10.24

Nunu Stealer malware

ALERTS VIRUS

Nunu Stealer is a recently discovered Python-based infostealing malware variant which is based on an older Akira Stealer strain. Its functionality includes exfiltration of various confidential information such as banking details, credit card data, credentials, autofill data stored in browsers, cookies, third-party app session data, Discord tokens, cryptocurrency wallets and more. Nunu can potentially be used by attackers to compromise various user accounts and leverage those for further intrusions.

27.10.24

SmartLoader Delivering Lumma Stealer

ALERTS VIRUS

SmartLoader has been traced back to July 2024, involving a private GitHub account called "user-attachments." The chain starts with a zip archive containing four files: compiler.exe, conf.txt, Launcher.bat, and lua51.dll. The user runs Launcher.bat, which executes compiler.exe with conf.txt, triggering SmartLoader and deploying Lumma Stealer. This infostealer, written in C, is known to steal data stored in the system browsers as well as any cryptocurrency wallets present.

27.10.24

Silver Oryx Blade - a new banking malware targeting Brazil

ALERTS VIRUS

Silver Oryx Blade is a new banking trojan discovered by researchers from Scitum. The malware predominantly targets victims in Brazil and attempts to steal banking information from compromised machines. The infection chain is initiated via phishing emails leveraging financial or tax-related lures. In further attack stages the threat actors use malicious .zip archives, .msi droppers and .dll loaders. Silver Oryx Blade monitors for data related to over 50 banking and financial institutions, and the extracted information is forwarded to C2 servers controlled by the attackers.

27.10.24

Advanced Rhadamanthys Infostealer: AI-Driven threats to Cryptocurrency security

ALERTS VIRUS

A new version of Rhadamanthys Infostealer with advanced features, including the use of artificial intelligence (AI) for optical character recognition (OCR), has been reported.

27.10.24

DCRat (aka Dark Crystal RAT) Trojan Malware

ALERTS VIRUS

DCRat (aka Dark Crystal RAT) is a modular remote access Trojan available as malware-as-a-service since 2018. It can execute commands, log keystrokes, and exfiltrate data. Recently, it was delivered using HTML smuggling, which embeds and obfuscates the payload within HTML to evade security measures.

28.9.24

Vidar malware spreads via PEC Mail and Telegram profiles

ALERTS VIRUS

CERT-AGID has identified a new campaign distributing Vidar through PEC mailboxes. The attackers are still leveraging Steam community profiles, but a significant new tactic involves exploiting Telegram profiles. In particular, the bios of these profiles are being used to reveal the IP addresses of their command and control (C2) servers.

27.9.24

New KLogExe and FPSpy

ALERTS VIRUS

New keylogger malware KLogExe and backdoor variant FPSpy have been used by the Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) threat group. This APT group is known for its sophisticated cyber-espionage operations and advanced spear phishing attacks. Sparkling Pisces lures victims into downloading and executing malicious payloads, including new and undocumented malware.

25.9.24

PDiddySploit Trojan Malware

ALERTS VIRUS

A recent research study has revealed that the scandal surrounding Sean 'Diddy' Combs, also known as P. Diddy, has been exploited. Attackers often capitalize on public interest in high-profile scandals to spread malware, taking advantage of the topic to trick unsuspecting users into downloading malicious files. The trojan dubbed PDiddySploit involved in this campaign is a variant of the open-source PySilon RAT, known for stealing sensitive information and executing remote commands.

25.9.24

Turkey and Bulgaria Targeted in Remcos RAT Attacks

ALERTS VIRUS

Symantec has recently observed two ongoing Remcos RAT campaigns from the same actor, targeting companies in Bulgaria and Turkey. In the Bulgarian campaign, they are using a classic invoice scheme (email subject: Плащане на фактура) to lure users, while in the Turkish campaign, they are using SWIFT transfer social engineering (email subject: Gelen Swift Mesaj). Although the social engineering tactics differ, the modus operandi is the same: they leverage a malicious .docx file that exploits an old vulnerability (CVE-2017-0199) to drop the Remote Access Trojan.

25.9.24

Nanocore RAT Spreads Through Fake XLS Invoice

ALERTS VIRUS

Nanocore RAT was highly prevalent many years ago and its use has since drastically dwindled, but some groups and individuals continue to leverage this remote access trojan in their campaigns. One recent example is a fake invoice malspam campaign in which the authors attached a malicious XLS (invoice.xls) that, when executed, grabs the Nanocore binary from a Discord server.

25.9.24

SnipBot - a new variant of the RomCom malware

ALERTS VIRUS

Researchers from Palo Alto reported on a new variant of the RomCom malware dubbed SnipBot. The malware allows the attackers to execute command-line commands on the infected endpoints as well as to download additional arbitrary modules.

25.9.24

New Octo2 mobile malware variant observed in the wild

ALERTS VIRUS

A new variant of the Octo Android malware dubbed Octo2 has been identified in the wild. The malware has been spread via malicious campaigns targeting mobile users in European countries.

24.9.24

SectopRAT malware masqueraded as Notion installer in a recent distribution campaign

ALERTS VIRUS

A new campaign spreading SectopRAT malware has been identified in the wild. The campaign disguises the malware binaries as installer files for the well-known productivity software Notion. The fake installers are distributed from malicious websites that also masquerade as Notion software download portals.

24.9.24

Android Malware: Necro Trojan

ALERTS VIRUS

The latest version of the Necro Trojan has infected various popular applications, including game mods available on Google Play, affecting over 11 million Android devices. This version employs obfuscation to evade detection and uses steganography to conceal its payloads.

24.9.24

SambaSpy malware targeting Italian users

ALERTS VIRUS

SambaSpy RAT has been distributed in a new malicious campaign targeting users in Italy. The campaign has several stages within its infection chain and leverages either malware downloaders or droppers depending on the observed run.

24.9.24

Go Injector Campaign Deploys Lumma Stealer

ALERTS VIRUS

Researchers have identified a campaign using Go Injector to deploy Lumma Stealer, a malware designed to steal sensitive information. The attack begins when users visit a harmful website displaying a fake captcha, which tricks them into copying and running a command. This command downloads a zip file containing legitimate-looking files and the Go Injector. The injector then installs Lumma Stealer, which decrypts stolen data and sends it to the attackers.

17.9.24

Ajina mobile banking trojan

ALERTS VIRUS

Ajina is a recently identified mobile banking trojan variant heavily targeting the Central Asia region. The malware focuses on theft of confidential user data, including banking details, and attempts to intercept 2FA information.

17.9.24

Stealthy malware targets US-Taiwan Defense Industry conference attendees

ALERTS VIRUS

A malware campaign targeting entities linked to the upcoming US-Taiwan Defense Industry Conference has been reported. Victims are lured with documents containing a ZIP archive and an LNK file disguised as a legitimate PDF registration form.

13.9.24

Mekotio and Mispadu malware distributed during Gecko Assault campaign

ALERTS VIRUS

A new malicious campaign dubbed Gecko Assault has been reported by researchers from SCILabs. The threat actors have been distributing two different payloads belonging to the URSA/Mispadu and Mekotio malware families.

13.9.24

AutoIt-based credential flusher leveraged alongside StealC infostealer

ALERTS VIRUS

A new campaign delivering the StealC infostealer malware has been observed in the wild. The initial stages of the attack use Amadey malware to load the infostealer onto the targeted endpoints. In conjunction with the delivered StealC payload, the attackers are leveraging an AutoIt-based credential flusher malware.

13.9.24

Hadooken - Linux malware targeting Weblogic servers

ALERTS VIRUS

Hadooken is a new Linux malware variant targeting Oracle WebLogic servers. In the initial attack stages the threat actors exploit known vulnerabilities or server misconfigurations, or use weak or otherwise compromised credentials, to gain access to the targeted environments. Upon execution on the vulnerable server instances, Hadooken drops two distinct payloads: Tsunami malware and another binary used for mining cryptocurrency.

13.9.24

Veaty and Spearal: Emerging malware in recent campaign against Iraqi Government

ALERTS VIRUS

A new malware family, Veaty and Spearal, has been reported by Check Point, a CTA member, as being used in a campaign targeting Iraqi government infrastructure. The malware employs several techniques, including a passive IIS backdoor, DNS tunneling, and command-and-control (C2) communication through compromised email accounts.

13.9.24

Yet Another Silly Stealer (YASS) Infostealer

ALERTS VIRUS

A new infostealer, referred to as 'Yet Another Silly Stealer' (YASS), has been observed. While it shares some features with CryptBot, YASS also has distinct characteristics. The research compares YASS to CryptBot, emphasizing YASS's unique code and its delivery via a multi-stage downloader called MustardSandwich. This downloader, executed through a Windows LNK file, involves two JScript stages and two PowerShell stages, with the first PowerShell script run via an ActiveXObject.

13.9.24

BLX (aka XLABB) Stealer activity

ALERTS VIRUS

BLX Stealer, also known as XLABB Stealer, is a malware variant first discovered last year. New activity attributed to this infostealer has been observed in the wild. BLX is an open-source malware actively distributed via Telegram and other platforms. Functionality-wise, the malware is capable of stealing confidential data from compromised endpoints. The exfiltration efforts focus on data such as credentials, information stored in browsers, third-party application accounts, Discord tokens, cryptocurrency wallets and others.

13.9.24

SEO manipulation leveraged for PlugX and BadIIS malware delivery

ALERTS VIRUS

A new malicious campaign attributed to the DragonRank threat group has been discovered by researchers from Cisco Talos. The attackers have been reported to leverage search engine optimization (SEO) manipulation techniques to deploy malicious webshells, collect information from the infected systems, and deliver PlugX and BadIIS malware payloads.

13.9.24

Linux SSH servers targeted by new SuperShell malware variant

ALERTS VIRUS

A SuperShell malware variant has been observed in a recent campaign targeting vulnerable or otherwise misconfigured Linux SSH servers. The malware is Go-based and functions as a reverse shell, effectively allowing the attackers remote control and remote code execution on the infected machine. Servers compromised with SuperShell are likely to be used later by the attackers for cryptomining or DDoS attacks.

13.9.24

Mekotio and BBTok malware remain active among the banking trojans targeting LATAM

ALERTS VIRUS

Mekotio and BBTok malware variants remain active among the banking trojan families distributed lately across the Latin America region. The malware is usually spread via phishing campaigns utilizing business- or judicial-themed lures. The spam emails leverage either links leading to malicious archive downloads or malicious attachments directly within the emails. While Mekotio is an older malware variant, BBTok was first discovered in 2020. Both variants target similar geographical locations and attempt to exfiltrate credentials and sensitive information in order to carry out unauthorized banking operations.

13.9.24

SpyAgent: Mobile malware stealing cryptocurrency wallets through image scanning

ALERTS

VIRUS

A new mobile malware called SpyAgent has been identified targeting mnemonic keys by scanning images on the infected device that might contain them. A mnemonic key is a 12-word phrase used to recover cryptocurrency wallets. These secret phrases are highly valuable to threat actors because access to them allows the attackers to restore the wallet on their own devices and steal all the funds stored within.

13.9.24

Emerging Loki Backdoor variant employs Mythic Framework and Havoc Techniques

ALERTS

VIRUS

A new version of the Loki backdoor has been discovered targeting Russian organizations. This variant is compatible with the Mythic framework and utilizes various techniques from the Havoc framework, which complicates analysis. The updated variant is divided into a loader and a DLL. The loader gathers system information from the compromised machine, uploads it to the attacker's C2 server, and retrieves the DLL in response. The DLL is then loaded into memory to download additional payloads and carry out further attacks.

11.9.24

Babylon open-source RAT targets Malaysia

ALERTS

VIRUS

Babylon RAT is an open-source malware variant recently distributed to users in Malaysia. The attack chain involves crafted .iso files mimicking PDF documents. The delivered ISO image contains a hidden PowerShell script, a decoy PDF document and a malicious executable leading to infection with the Babylon RAT.

11.9.24

ToneShell Backdoor Targets IISS Summit

ALERTS

VIRUS

A cyber espionage campaign involving the ToneShell backdoor, attributed to Mustang Panda, has been reported targeting attendees of the 2024 IISS Defence Summit in Prague. The attack leverages a malicious PIF file disguised as summit documents to gain access to sensitive defense discussions. The malware achieves persistence via registry run keys and scheduled tasks and communicates with a C2 server in Hong Kong using raw TCP that mimics TLS.

11.9.24

BlindEagle strikes Colombia's Insurance sector with Quasar RAT variant

ALERTS

VIRUS

BlindEagle, an advanced persistent threat actor, has been observed targeting Colombia's insurance sector with the BlotchyQuasar Remote Access Trojan (RAT). The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts.

6.9.24

Formbook Targets Global Sectors with Fake RFQ from Chemical-Oil Joint Venture

ALERTS

VIRUS

Symantec has recently observed a Formbook actor impersonating a major joint venture between a global chemical company based in Germany and a national oil and gas company from Malaysia. In this malicious email campaign, the actor is targeting companies across multiple countries and various industry sectors, including:

6.9.24

Acab Infostealer

ALERTS

VIRUS

Acab is a Python-based infostealer recently observed in the wild. The malware shows some code similarities to another variant known as 1312 Stealer. Acab has the functionality to extract various confidential information from infected endpoints, including credentials, banking information, crypto-wallet data, application data/tokens, various information stored in web browsers and others.

6.9.24

KTLVdoor backdoor leveraged by the Funnelweb APT

ALERTS

VIRUS

A new Golang-based backdoor dubbed KTLVdoor has been discovered by researchers from Trend Micro. The malware has been attributed to the Funnelweb APT (also known as Earth Lusca). KTLVdoor is highly obfuscated and comes in variants supporting both Windows and Linux platforms. Functionality-wise, the malware is capable of running commands and shellcode received from the C2 servers and of performing various file and directory operations on the infected machine, including file download/upload, among others.

6.9.24

Latrodectus 1.4: New version unveiled with advanced capabilities

ALERTS

VIRUS

A newer version of the Latrodectus downloader has been observed, featuring enhancements like a new string deobfuscation method, a revised C2 endpoint, and two additional backdoor commands. The infection chain begins with a heavily obfuscated JavaScript file, which uses numerous comments to inflate file size and complexity, complicating analysis. The malware then extracts and executes hidden code, subsequently downloading and installing an MSI file from a remote server. This MSI file loads an obfuscated DLL to perform its malicious tasks.
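
The comment-inflation trick described above is cheap to triage in bulk: strip the comments, and see how much script is left. The following is an added example written for this page, not code from Latrodectus or from any vendor report; the two sample scripts are constructed (the padded one is built in a loop), and the 50 KB / 80 % thresholds are assumptions to tune against your own telemetry. String literals are skipped so that a `//` inside a URL is not mistaken for a comment; regex literals are not handled, which is acceptable for a size heuristic.

```python
# Heuristic for comment-padded droppers: how much of a script is comment,
# and how little code is left once the comments are removed.


def strip_js_comments(src: str):
    """Return (code with comments removed, number of characters that were comments).

    '...', "..." and `...` literals are copied through untouched so that a '//'
    inside a URL string is not treated as a comment. Regex literals are not
    handled; for a bulk-size heuristic that imprecision is acceptable."""
    out = []
    comment_chars = 0
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in "'\"`":
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1   # skip escaped characters
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j == -1 else j
            comment_chars += j - i
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            comment_chars += j - i
            i = j
        else:
            out.append(c)
            i += 1
    return "".join(out), comment_chars


def comment_bloat_score(src: str, min_size: int = 50_000, min_ratio: float = 0.8) -> dict:
    """Flag scripts that are large mostly because of comments (thresholds are assumptions)."""
    code, comment_chars = strip_js_comments(src)
    total = len(src)
    ratio = comment_chars / total if total else 0.0
    code_lines = [ln for ln in code.splitlines() if ln.strip()]
    return {
        "size": total,
        "comment_ratio": round(ratio, 3),
        "code_lines": len(code_lines),
        "suspicious": total >= min_size and ratio >= min_ratio,
    }


# Constructed samples (not real droppers): a short honest script, and a script
# padded with thousands of filler comment lines around two real statements.
CLEAN_JS = "function next(x) {\n  // add one\n  return x + 1;\n}\n"
BLOATED_JS = (
    "var u = 'http://example.invalid//path';\n"
    + "".join(f"// {'filler ' * 9}{i}\n" for i in range(3000))
    + "eval(u);\n"
)

if __name__ == "__main__":
    for name, js in (("clean", CLEAN_JS), ("bloated", BLOATED_JS)):
        print(name, comment_bloat_score(js))
```

Run it over the `.js` attachments in your mail quarantine; a file of several hundred kilobytes that reduces to a handful of statements is worth a closer look regardless of what the statements do.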

5.9.24

Emansrepo infostealer

ALERTS

VIRUS

Researchers from Fortinet reported on a new Python-based infostealer dubbed Emansrepo. The malware has been distributed via phishing campaigns whose emails masquerade as purchase invoices or orders. The initial attack chain stage varies by campaign and may leverage different attachments such as .html or .7z files. The dropped Emansrepo payload collects miscellaneous confidential data from the compromised endpoints, including credentials, banking information, crypto-wallets, browser and download history and autofill data, and also exfiltrates text/document files from various on-disk locations.

5.9.24

Zharkbot malware

ALERTS

VIRUS

Zharkbot is a C++-based malware loader being dropped by the Amadey trojan in some recently observed campaigns. Zharkbot employs various anti-analysis, anti-VM and sandbox detection/evasion techniques. Once on the compromised machine, the malware attempts to set up persistence by copying itself to the temp folder and creating a scheduled task for execution. Zharkbot has the functionality to download and execute arbitrary payloads on the infected endpoints.

5.9.24

WailingCrab: A WikiLoader variant exploiting VPN Spoofs

ALERTS

VIRUS

A recent report from Palo Alto reveals that WailingCrab, a variant of WikiLoader, is being distributed through SEO poisoning and spoofed GlobalProtect VPN software. This campaign primarily targets the U.S. higher education and transportation sectors. The attack vector involves multiple stages like DLL sideloading, shellcode injection, and using MQTT for command and control. Attackers employ various evasion techniques such as fake error messages, process checks, and encryption. The loader's advanced tactics also leverage compromised WordPress sites and cloud-based Git repositories for infrastructure.

5.9.24

Luxy Infostealer

ALERTS

VIRUS

Luxy is a recently discovered malware variant with both infostealing and ransomware capabilities. Luxy collects various confidential information from the compromised machines, including credentials, browser data, cookies, cryptocurrency wallets, etc. The ransomware module encrypts files on the infected endpoint using the AES-256 algorithm. The ransom note dropped after encryption completes demands a ransom payment and instructs the victims to contact the attackers via Discord.

5.9.24

Cybercriminals Target Malaysia’s Digital Lifestyle with SpyNote

ALERTS

VIRUS

Around the world, e-commerce (shopping), service-oriented (food delivery, ride-hailing and on-demand services), digital payment and deal aggregator Android applications are highly popular. They have become integral to the digital lifestyle, meeting the growing demand for convenient, cost-effective services across various markets. These apps cater to consumers' needs for efficiency, accessibility and savings, making them essential tools in everyday life.

31.8.24

LummaC2 Stealer variant spread via PowerShell execution

ALERTS

VIRUS

LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealer often sold under the Malware-as-a-Service (MaaS) model. The malware's primary functionality is to steal confidential data from the infected endpoints and exfiltrate it to C2 servers controlled by the attackers.

31.8.24

Middle East targeted by malware using fake Palo Alto VPN

ALERTS

VIRUS

A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. It can execute PowerShell commands, manage processes, and encrypt data. Additionally, it incorporates sophisticated evasion techniques to bypass sandboxing and avoid detection.

31.8.24

X-FILES Stealer

ALERTS

VIRUS

X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details. The malware includes features such as a customizable logging system, Telegram notifications, and automated updates, along with security measures like GEO-blocking for CIS countries and regular stub cleaning to evade detection. Additionally, upcoming features like VNC configuration collection and automated password decryption suggest continuous development, making X-FILES a significant threat to organizations.

31.8.24

Iranian threat actor Elfin deploys 'Tickler' backdoor

ALERTS

VIRUS

Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE). The actor has conducted password spray attacks against thousands of organizations and utilized Microsoft Azure infrastructure for command-and-control (C&C), operating through fraudulent, attacker-controlled Azure subscriptions.

29.8.24

A new Snake Keylogger variant

ALERTS

VIRUS

A new Snake Keylogger malware variant has been reported by researchers from Fortinet. The malware is spread via phishing in the form of malicious .xls attachments. The distributed Excel files contain an exploit for the old Microsoft Office/WordPad RTF vulnerability CVE-2017-0199. The attackers also leverage .hta files, VBScript and PowerShell code within the attack chain of this campaign. Snake Keylogger is a .NET-based infostealer capable of stealing various confidential data including system information, credentials, keystrokes, clipboard contents and more. The collected data is sent back to the attackers via the SMTP protocol.

29.8.24

Advanced dropper distributes 'Angry Stealer' infostealer via Telegram

ALERTS

VIRUS

An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer', which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram. Angry Stealer appears to be based on 'Rage Stealer', sharing identical code and functionality. The dropper executes two payloads: the primary, 'Stepasha.exe', for data theft, and the secondary, 'MotherRussia.exe', which may serve as a builder tool for creating malicious executables.

29.8.24

Czech Republic officials hit by malware campaign using NATO-themed lures

ALERTS

VIRUS

A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and relied heavily on open-source offensive tools. To lure victims, they used NATO-themed decoy documents and executed a multistage attack chain that included a malicious batch script, a Rust-based loader, and post-exploitation C2 frameworks such as Havoc, Sliver, and Freeze. To evade detection and maintain persistence on compromised systems, advanced techniques including ETW patching, process injection, and encrypted payloads were utilized.

29.8.24

Rocinante mobile malware

ALERTS

VIRUS

Rocinante is a malware variant observed predominantly in campaigns targeting mobile users in Brazil. Functionality-wise, Rocinante can steal information via keylogging, initiate remote access sessions, and simulate swipe movements or touch events on the infected device. The malware may also be leveraged for phishing by displaying bogus login pages, targeting the theft of banking credentials. Rocinante communicates with the attackers' infrastructure over either HTTP or WebSockets and exfiltrates the collected data.

29.8.24

Emerging loader Emmental spreads malware via disguised binaries

ALERTS

VIRUS

A loader called Emmental has been detected in use, distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. It has been part of several campaigns globally using the Bunny.net CDN provider and WebDAV servers to distribute various malware payloads, such as CryptBot, AsyncRAT, Lumma, Meduza stealer, Xworm, and SectopRAT. The functionality of this tool matches the capabilities advertised in underground markets.

29.8.24

New macOS variant of the HZ RAT backdoor emerges

ALERTS

VIRUS

A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat. The malware has some basic functionality to collect information about the infected machines, user information from the WeChat and DingTalk applications, and user data stored in Google Password Manager, among others. The collected information is sent back to the C2 servers controlled by the attackers and possibly used in future attacks.

27.8.24

Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools

ALERTS

VIRUS

Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as SectopRAT, LummaC2, and Redline, primarily through drive-by downloads.

27.8.24

Attackers Spreading Malware via Infected Websites

ALERTS

VIRUS

Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server.

27.8.24

SpyNote Variant Lurks In South Africa Impersonating Two Major Banks

ALERTS

VIRUS

Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information.

27.8.24

Cthulhu Stealer

ALERTS

VIRUS

Researchers have recently observed another malware-as-a-service (MaaS) targeting Mac users, dubbed Cthulhu. The malware is written in Go and delivered as a disk image (DMG) with platform-specific binaries. It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access.

24.8.24

Peaklight downloader malware activity reported

ALERTS

VIRUS

Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain.

24.8.24

Sedexp Linux malware uses udev rules for persistence

ALERTS

VIRUS

Sedexp is a recently identified threat affecting Linux environments. Sedexp has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. udev is the Linux device manager that handles device nodes in the /dev directory; a rule in its rules.d directories can run an arbitrary program (via RUN+=) every time a matching device event occurs, which is what makes it usable as a persistence mechanism.
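
Because legitimate udev rules almost never launch shell interpreters or programs from writable directories, the persistence technique above is easy to audit for. The scanner below is an added example for this page, not Sedexp analysis code or any vendor's tool; the two rule files in `SAMPLE_RULES` are constructed, and the `/tmp/.cache/runner` path is a hypothetical placeholder rather than an indicator from the report. `scan_system()` reads the live rule directories on a Linux host and returns nothing elsewhere.

```python
import re
from pathlib import Path

# Constructed sample rule files (not from the page). The first is an ordinary
# persistent-network rule; the second has the shape a udev-based persistence rule
# takes: keyed on a device's major/minor numbers, with a RUN+= that starts a shell
# and a program from a writable location on every matching device event.
SAMPLE_RULES = {
    "/etc/udev/rules.d/70-persistent-net.rules":
        'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"\n',
    "/etc/udev/rules.d/99-dev.rules":
        "# constructed: the path below is a hypothetical placeholder, not a real indicator\n"
        'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c \'/tmp/.cache/runner\'"\n',
}

# Where udev helpers normally live, and where they should never live.
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/sbin/", "/sbin/", "/usr/bin/", "/bin/")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = ("sh", "bash", "dash", "python", "python3", "perl")

RUN_RE = re.compile(r'RUN(?:\{\w+\})?\+?="([^"]*)"')      # RUN+="...", RUN{program}+="..."
DEVNUM_RE = re.compile(r"ENV\{(?:MAJOR|MINOR)\}==")


def classify_run(cmd: str) -> list:
    """Reasons a RUN+= command looks like persistence rather than a device helper."""
    reasons = []
    words = cmd.split()
    first = words[0] if words else ""
    if Path(first).name in INTERPRETERS:
        reasons.append("RUN invokes a shell/script interpreter")
    if any(p in cmd for p in WRITABLE_PREFIXES):
        reasons.append("RUN references a world- or user-writable directory")
    if first and not first.startswith(TRUSTED_PREFIXES):
        reasons.append("RUN target outside standard udev helper directories")
    return reasons


def scan_rules(files: dict) -> list:
    """files maps rule-file path -> file text. Returns one finding per suspicious RUN."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            rule = line.strip()
            if not rule or rule.startswith("#"):
                continue
            for cmd in RUN_RE.findall(rule):
                reasons = classify_run(cmd)
                if DEVNUM_RE.search(rule):
                    # Matching on raw device numbers instead of SUBSYSTEM/ATTR is unusual
                    # for real hardware rules and is a convenient trigger for malware.
                    reasons.append("rule triggered by raw major/minor device numbers")
                if reasons:
                    findings.append({"file": path, "line": lineno, "run": cmd, "reasons": reasons})
    return findings


def scan_system() -> list:
    """Read the live rule directories; returns [] on hosts without them."""
    files = {}
    for d in ("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/lib/udev/rules.d", "/run/udev/rules.d"):
        for p in Path(d).glob("*.rules"):
            try:
                files[str(p)] = p.read_text(errors="replace")
            except OSError:
                pass
    return scan_rules(files)


if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULES) or scan_system():
        print(f"{f['file']}:{f['line']}  RUN={f['run']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real host, pair the output with `udevadm info --query=all` for the matched device and with the file's mtime: a rule file newer than the last package update in `/var/log/dpkg.log` or `/var/log/dnf.log` deserves the same scrutiny as a new cron entry.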

24.8.24

PG_MEM - malware targeting PostgreSQL servers for cryptomining

ALERTS

VIRUS

PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute force attacks against vulnerable PostgreSQL database servers. Once the attackers obtain access to the server, they attempt to establish persistence by creating a new privileged account. Later on, the threat actors perform system discovery and deliver the PG_MEM dropper payload, which ultimately installs an XMRig cryptominer on the infected machine.
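
The two early steps of the intrusion described above, a burst of failed password authentications followed by a new superuser role from the same client, both land in the PostgreSQL server log when `log_connections` and `log_statement = 'ddl'` (or broader) are enabled. The detector below is an added example written for this page, not part of the PG_MEM report or of PostgreSQL; the log lines are constructed in the shape produced by `log_line_prefix = '%m [%p] %u@%d %h '`, the `svc_backup` role name and the addresses are placeholders, and the threshold of five failures within two minutes is an assumption to tune.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not from the page or any incident): 203.0.113.7 fails
# eight times in under a minute, then logs in and creates a superuser role;
# 10.0.0.4 is a single mistyped password from an application host.
SAMPLE_LOG = [
    f"2024-08-20 10:00:{s:02d}.000 UTC [44{s:02d}] postgres@postgres 203.0.113.7 FATAL:  "
    'password authentication failed for user "postgres"'
    for s in range(0, 56, 7)
] + [
    "2024-08-20 10:01:10.000 UTC [4499] postgres@postgres 203.0.113.7 LOG:  "
    "connection authorized: user=postgres database=postgres",
    "2024-08-20 10:01:12.000 UTC [4499] postgres@postgres 203.0.113.7 LOG:  "
    "statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN PASSWORD 'x'",
    "2024-08-20 10:05:00.000 UTC [4600] app@inventory 10.0.0.4 FATAL:  "
    'password authentication failed for user "app"',
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r'^password authentication failed for user "([^"]+)"')
# Role statements that confer more than ordinary login rights.
PRIV_ROLE_RE = re.compile(
    r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\b(SUPERUSER|CREATEROLE|BYPASSRLS)\b", re.IGNORECASE
)


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return d


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Flag hosts with >= threshold failed logins inside `window`, and list any
    privileged-role statements the same host issued from the burst onwards."""
    events = [e for e in (parse(ln) for ln in lines) if e]
    failures = {}
    for e in events:
        if e["level"] == "FATAL" and FAILED_RE.match(e["msg"]):
            failures.setdefault(e["host"], []).append(e["ts"])

    findings = []
    for host, times in failures.items():
        times.sort()
        burst_start = None
        for i in range(len(times) - threshold + 1):        # sliding window over failures
            if times[i + threshold - 1] - times[i] <= window:
                burst_start = times[i]
                break
        if burst_start is None:
            continue
        followup = [
            e["msg"] for e in events
            if e["host"] == host and e["ts"] >= burst_start and PRIV_ROLE_RE.search(e["msg"])
        ]
        findings.append({
            "host": host,
            "failures": len(times),
            "burst_start": burst_start,
            "privileged_role_statements": followup,
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f"{f['host']}: {f['failures']} failed logins from {f['burst_start']:%H:%M:%S}")
        for stmt in f["privileged_role_statements"]:
            print("   followed by:", stmt)
```

The role-creation check only works if DDL is logged; `SELECT rolname FROM pg_roles WHERE rolsuper` run periodically and diffed is the fallback when it is not, and is also how you find the account after the fact.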

23.8.24

CMoon: A .NET-based malware worm in Russian gas sector

ALERTS

VIRUS

CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables.

23.8.24

NGate - a novel Android malware able to relay NFC data to the attackers

ALERTS

VIRUS

A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones over to the attackers' devices.

23.8.24

North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT

ALERTS

VIRUS

A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker's server, which subsequently fetch the final payload, the Lilith RAT. Lilith RAT, written in C++, is open-source remote control software that facilitates additional remote operations.

23.8.24

TodoSwift: New macOS threat masquerading as a PDF

ALERTS

VIRUS

A new macOS malware dubbed TodoSwift has been identified disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing.

23.8.24

North Korean-based threat actor develops MoonPeak RAT

ALERTS

VIRUS

MoonPeak is a recently discovered remote access Trojan (RAT) attributed to North Korean threat actors. This RAT is a variant of the open-source XenoRAT malware and has gone through multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure.

21.8.24

Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks

ALERTS

VIRUS

Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks.

21.8.24

QWERTY Stealer: New infostealer variant

ALERTS

VIRUS

QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads. QWERTY targets the extraction of system information and data stored in various web browsers, and subsequently exfiltrates the collected information to the C2 servers controlled by the attackers.

21.8.24

Styx Stealer malware

ALERTS

VIRUS

Styx Stealer is a new infostealing malware variant discovered by researchers from Check Point. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, Telegram and Discord sessions, among others. Styx Stealer is believed to be based on an older infostealer known as Phemedrone Stealer. The malware is advertised online and sold via a subscription model. Styx employs several sandbox evasion and anti-analysis techniques, including checks for running debugging tools or for processes associated with virtual environments.

21.8.24

New Msupedge backdoor employs communication via DNS traffic

ALERTS

VIRUS

A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen.
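
DNS-based C2 of the kind described above has to carry its data inside query names, so it shows up in resolver logs as one client asking for many distinct, long, high-entropy subdomains of a single zone. The detector below is an added example written for this page, not Msupedge analysis code or any vendor's tool; the resolver log lines are constructed (the tunnel labels are generated from SHA-256 so they are guaranteed 32 characters long), `c2.example` is a placeholder zone, and the thresholds of five unique subdomains with a mean label length of 20 are assumptions. Registered domains are approximated as the last two labels; a real deployment would use a public-suffix list.

```python
import hashlib
import math
from collections import defaultdict

# Constructed resolver log lines (not from any report): "<time> <client> <qtype> <qname>".
# Ordinary traffic first; then six TXT queries whose leftmost label carries 32 hex
# characters of encoded data, the shape DNS-tunnelling C2 traffic takes on the wire.
SAMPLE_LOG = [
    "2024-08-20T10:00:01 10.0.0.5 A www.example.org",
    "2024-08-20T10:00:02 10.0.0.5 A mail.example.org",
    "2024-08-20T10:00:03 10.0.0.5 AAAA www.example.org",
    "2024-08-20T10:00:04 10.0.0.7 A cdn1.static.example.net",
    "2024-08-20T10:00:05 10.0.0.7 A cdn2.static.example.net",
] + [
    f"2024-08-20T10:01:{i:02d} 10.0.0.9 TXT "
    f"{hashlib.sha256(b'chunk%d' % i).hexdigest()[:32]}.c2.example"
    for i in range(6)
]

MIN_UNIQUE_SUBDOMAINS = 5     # assumption: tune against your own baseline
MIN_MEAN_SUBDOMAIN_LEN = 20   # assumption: ordinary hostnames are far shorter


def shannon_entropy(s: str) -> float:
    """Bits per character; reported for context, not used as a threshold here."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Naive split into (subdomain, registered domain): last two labels are the zone."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunnels(lines) -> list:
    subs = defaultdict(set)   # (client, zone) -> distinct subdomain strings
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, qname = parts
        sub, zone = split_qname(qname)
        if sub is not None:
            subs[(client, zone)].add(sub)

    findings = []
    for (client, zone), names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        if len(names) >= MIN_UNIQUE_SUBDOMAINS and mean_len >= MIN_MEAN_SUBDOMAIN_LEN:
            findings.append({
                "client": client,
                "zone": zone,
                "unique_subdomains": len(names),
                "mean_subdomain_len": round(mean_len, 1),
                "entropy": round(shannon_entropy("".join(sorted(names))), 2),
            })
    return sorted(findings, key=lambda f: (f["client"], f["zone"]))


if __name__ == "__main__":
    for f in detect_dns_tunnels(SAMPLE_LOG):
        print(f"{f['client']} -> {f['zone']}: {f['unique_subdomains']} unique subdomains, "
              f"mean length {f['mean_subdomain_len']}, entropy {f['entropy']} bits/char")
```

Expect false positives from CDNs, anti-virus update checks and some telemetry SDKs that legitimately use long random labels; allow-list those zones rather than raising the thresholds, and watch for the TXT and NULL query types that carry the most data per response.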

21.8.24

A new and emerging malware dubbed UULoader

ALERTS

VIRUS

Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are a known method of malware distribution. The new malware strain identified is 'UULoader', used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean- and Chinese-speaking users.

20.8.24

RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam

ALERTS

VIRUS

Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors, including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries, are being targeted.

20.8.24

Ailurophile Infostealer

ALERTS

VIRUS

Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophile's capabilities include theft of data stored in browsers, including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from the compromised machines according to predefined search criteria such as keywords in filenames or specific extensions.

20.8.24

Fake Apps target Indian government's PM Kisan Yojana beneficiaries

ALERTS

VIRUS

The PM Kisan Yojana is a historic initiative by the Indian government that currently benefits around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, distributed in three equal installments of INR 2,000 each. To receive the benefits, one needs to register online via the official PMKSNY website. After registering for the PM Kisan Yojana, many farmers need assistance with updating their information on the registration form, including their Aadhaar number (a 12-digit individual identification number which serves as proof of identity and proof of address for residents of India), bank account details, and mobile number.

20.8.24

BANSHEE Infostealer

ALERTS

VIRUS

Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets.

20.8.24

New ValleyRAT malware distribution campaign

ALERTS

VIRUS

A new ValleyRAT malware distribution campaign targeting Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components, including shellcode executed for reflective DLL loading and a beaconing module used to fetch additional components. The payload of the campaign, ValleyRAT, is a multi-staged malware variant with capabilities including monitoring of user activities, screenshot grabbing, plugin execution, arbitrary file download and others.

16.8.24

Cyclops Go-based malware

ALERTS

VIRUS

Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as a "Microsoft SqlServer.exe" executable in an attempt to impersonate an SQL Server update file and possibly to be deployed on otherwise vulnerable server instances. Cyclops allows the attackers to exfiltrate files from the infected machines as well as run arbitrary files on them. Once deployed, Cyclops starts an HTTP service reachable via an SSH tunnel, which allows the operators to issue commands to the targeted system.

16.8.24

Pupy RAT distributed in recent UTG-Q-010 APT campaign

ALERTS

VIRUS

Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masquerading as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending in Pupy RAT payload deployment. Pupy is a Python-based Remote Access Trojan (RAT) with functionality for reflective DLL loading and in-memory execution, among others.

16.8.24

Malspam attacks target AnyDesk and Microsoft Teams

ALERTS

VIRUS

Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system.

16.8.24

New macOS malware uses SwiftUI and OpenDirectory API for credential theft

ALERTS

VIRUS
A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following:

16.8.24

Gigabud mobile malware shows links to the Golddigger trojan

ALERTS

VIRUS

A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, distribution of the new variant has expanded and now targets various countries across the world. The malware is often spread via phishing websites masquerading as the Google Play Store or impersonating various banks or governmental entities. The malware has various capabilities such as the collection of data about the infected device, exfiltration of banking credentials, collection of screen recordings, etc. The latest Gigabud variant shows certain similarities in code and techniques with another mobile family known as Golddigger.

16.8.24

Grayfly evolves its attack vectors with new loaders and tactics

ALERTS

VIRUS

Grayfly (also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control. The group has introduced new loaders, including StealthVector and StealthReacher, to stealthily launch backdoor components, and added SneakCross as its latest modular backdoor.

9.8.24

RHADAMANTHYS Stealer Targeting Users in Israel

ALERTS

VIRUS

RHADAMANTHYS stealer, active since 2022 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako" (two prominent Israeli news outlets), extracts three components: a malicious executable, a DLL file, and a support file. Upon execution, RHADAMANTHYS employs anti-analysis techniques to avoid detection and initiates a multi-staged infection process to establish a presence on the compromised system.

8.8.24

Chameleon trojan targets hospitality Industry

ALERTS

VIRUS

A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application.

8.8.24

Mispadu (aka URSA) Trojan Malware

ALERTS

VIRUS

Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese language settings. As in previous campaigns, a spam email themed as an overdue invoice serves as the initial vector and lures users into downloading a malicious ZIP file.

7.8.24

OSX and Windows malware spread under the disguise of meeting or productivity software

ALERTS

VIRUS

Ongoing campaigns spreading malware under the disguise of meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading as the productivity app called Wasper or the Clusee meeting application.

7.8.24

HeadLace backdoor distributed by the Swallowtail APT

ALERTS

VIRUS

The latest research from Palo Alto reports on a recent HeadLace backdoor distribution campaign attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in their efforts to distribute the malicious payloads.

7.8.24

Lumma Stealer via Social Media and AI-Related Lure

ALERTS

VIRUS

There have been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma.

7.8.24

BITSLOTH Backdoor

ALERTS

VIRUS

BITSLOTH is a Windows backdoor that researchers have uncovered in Latin America. It abuses the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years and can log keystrokes, capture screens, and gather extensive data.

3.8.24

BlankBot Mobile banking trojan targeting Turkish users

ALERTS

VIRUS

BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over the infected device and collect information from it.

3.8.24

NetSupport RAT Campaign

ALERTS

VIRUS

NetSupport Manager has been weaponized by threat actors to perform malicious activities and executes as a Remote Access Trojan (RAT). Over time various campaigns have been identified, each building on the previous in an attempt to evolve evasion techniques through multiple obfuscation updates.

3.8.24

AutoIT scripts leveraged by the latest Konni RAT malware

ALERTS

VIRUS

Konni RAT malware observed in a recent distribution campaign has been leveraging AutoIt scripts for detection evasion. The attack chain includes the use of .lnk files contained within .zip archives. The .lnk shortcut files are often disguised as documents and carry double extensions, for example ".hwp.lnk".
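
Shortcut files that pose as documents or videos recur in this feed: the Peaklight .lnk files disguised as videos, the puNK LNK downloaders and the ".hwp.lnk" double extensions above. Because every Windows shortcut begins with a fixed 20-byte header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), an archive scanner can catch them by content as well as by name. The code below is an added example for this page, not part of any of the reports cited; the archive it inspects is constructed in memory, and the member names in it are placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath

# The bytes every Windows shortcut starts with: HeaderSize 0x4C, then the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Extensions an attacker uses to make a shortcut look like a document or media file.
DOC_MEDIA_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".txt",
                  ".mp4", ".avi", ".mkv", ".jpg", ".png"}


def inspect_member(name: str, head: bytes) -> list:
    """Reasons an archive member is a suspicious shortcut; [] if it is not one."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    is_lnk_name = bool(suffixes) and suffixes[-1] == ".lnk"
    is_lnk_data = head.startswith(LNK_MAGIC)
    if is_lnk_name and len(suffixes) >= 2 and suffixes[-2] in DOC_MEDIA_EXTS:
        reasons.append(f"shortcut with document/media double extension ({''.join(suffixes[-2:])})")
    if is_lnk_data and not is_lnk_name:
        reasons.append("file content is a Windows shortcut but name does not end in .lnk")
    if is_lnk_name and not is_lnk_data:
        reasons.append("name ends in .lnk but content is not a shortcut")
    if (is_lnk_name or is_lnk_data) and not reasons:
        reasons.append("archive contains a Windows shortcut")
    return reasons


def scan_archive(data: bytes) -> dict:
    """Map member name -> reasons, reading only the first 20 bytes of each member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: a benign PDF, a shortcut with a .hwp.lnk double
    extension, a shortcut posing as a video, and a shortcut whose name hides that it is one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.7\n% constructed placeholder\n")
        zf.writestr("meeting_notes.hwp.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("trailer.mp4.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The same `inspect_member` check applies to ISO images such as the Babylon RAT lures and to the VHD-borne shortcut in the fake browser-update campaign once their file lists are enumerated; the header bytes are the stable part, the names are whatever the lure needs.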

3.8.24

Spike of activity observed for the Neshuta malware ALERTS VIRUS During the last month Symantec observed a spike of activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector variant that has been observed in the threat landscape as early as 2005. Its main function is to prepend virus code to executable files and collect basic system information.

3.8.24

Bloody Wolf delivers STRRAT malware ALERTS VIRUS A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies.

3.8.24

Mandrake mobile spyware ALERTS VIRUS A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps, called AirFS, was first uploaded to the store back in 2022 and remained available for download up until March this year.

3.8.24

TgRAT malware returns with a Linux variant ALERTS VIRUS TgRAT is a malware variant discovered back in 2022 and initially targeting Windows systems. Earlier this month a Linux version of this RAT was observed being distributed in the wild. Upon infection of the targeted machine the malware is used to execute arbitrary commands/scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot.

2.8.24

DeerStealer malware spread via fake Google Authenticator websites ALERTS VIRUS A new malicious campaign distributing an infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread under the disguise of a fake Google Authenticator app, and the malicious binary is hosted on a GitHub repository.

2.8.24

SMS Stealer - extensive Android malware distribution campaign ALERTS VIRUS An ongoing large-scale operation distributing an Android malware variant called SMS Stealer has been reported to infect mobile devices across the world. The campaign has been active since at least 2022 and targets victims in 113 countries.

2.8.24

ModiLoader malware campaign targeting Small and Medium-Sized Businesses (SMBs) in Poland ALERTS VIRUS Modiloader (aka DBatLoader) malware has been deployed in recent campaigns targeting Small and Medium-Sized Businesses (SMBs) in Poland, Italy and Romania. Modiloader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. Modiloader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload usually varies, and the reported campaigns have been executing malware from the Agent Tesla, Remcos or Formbook families.

2.8.24

Exela Stealer continues to be distributed in the wild ALERTS VIRUS Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks.

2.8.24

Flame Stealer malware ALERTS VIRUS Flame Stealer is a new C/C++-based infostealing malware variant advertised for sale on Discord and Telegram. The malware has the functionality to collect and exfiltrate various information about the infected machine, Discord tokens, clipboard data, credentials, banking information and browser cookies, among others.

27.7.24

Threat Actor uses MSHTML flaw to distribute Atlantida InfoStealer ALERTS VIRUS A malware campaign conducted by the threat actor known as Void Banshee, which distributes the Atlantida InfoStealer, has been reported. The attack exploits CVE-2024-38112, an MSHTML vulnerability, by abusing .URL files to execute through the disabled Internet Explorer.

27.7.24

Russian-linked malware campaign targeting Indian political entities ALERTS VIRUS A malware campaign believed to be orchestrated by a Russian-linked threat actor is reportedly targeting entities interested in Indian political affairs. Victims are lured with .LNK files disguised as genuine office documents.

26.7.24

Atlantida Stealer among the malware variants spread by Stargazer Goblin threat group ALERTS VIRUS Atlantida Stealer has been identified as one of several malware payloads spread recently in a malware distribution campaign attributed to the threat actor known as Stargazer Goblin. Other payloads spread via this malware delivery service, dubbed the Stargazers Ghost Network, included RedLine, Lumma Stealer, Rhadamanthys and RisePro. As reported by researchers from Check Point, the attackers responsible for this operation have been leveraging compromised GitHub repositories and WordPress sites to distribute archives containing the malicious binaries.

26.7.24

PicassoLoader Malware ALERTS VIRUS There was a recent surge in activity from the group called UAC-0057 (aka GhostWriter). In this campaign, attackers are distributing macro-enabled Word documents with the intention of launching a malware loader known as PicassoLoader. This malicious loader is capable of deploying a Cobalt Strike Beacon onto the victim's machine.

25.7.24

LummaC2 variant exploiting Steam for dynamic C2 domains ALERTS VIRUS A new variant of LummaC2 has been observed exploiting the 'Steam' gaming platform. This variant now obtains dynamic C2 domains on demand, a departure from its previous technique of embedding C2 details within the sample itself. The malware stores a Steam URL, specifically a Steam account profile page, as executable code. Upon accessing this page, it parses a specific <tag> to extract a string, which is then decrypted to reveal the C2 domain.

25.7.24

New variant of the Jellyfish Loader observed in the wild ALERTS VIRUS A new variant of the .NET-based Jellyfish Loader malware has been found in the wild. The malware has been reported as being distributed via a malicious .LNK file execution.

24.7.24

Malware-laden Word Document Delivering Daolpu Stealer ALERTS VIRUS Following the recent outage which affected computers running Microsoft operating systems across the globe, attackers are continuously exploiting the incident to lure users into accessing malicious links or launching malware-laden files. A new attack linked to this incident has been discovered involving a Word document containing macros that execute and download an unidentified stealer dubbed Daolpu.

24.7.24

Braodo: A new Python-based Infostealer in the cyber threat landscape ALERTS VIRUS A new infostealer, named Braodo, has been observed circulating in the ever-evolving threat landscape. It is distributed through an archive file that includes a BAT file. When executed, this BAT file connects to GitHub to download a secondary BAT file and a ZIP archive containing the final Braodo infostealer payload.

24.7.24

Copybara Android malware ALERTS VIRUS Copybara is a banking Trojan affecting Android mobile devices and has been observed targeting users in Italy. Threat actors use previously obtained contact details and portray themselves as bank employees to socially engineer victims into downloading the malicious application by way of SMS phishing and voice phishing, also known as smishing and vishing respectively.

24.7.24

Health Insurance Fund (NEAK) Targeted with Lokibot Malware ALERTS VIRUS A recent report has revealed that the National Health Insurance Fund (NEAK) based in Hungary was targeted by attackers who aimed to deploy Lokibot malware.

19.7.24

New variant of BeaverTail malware targets job seekers ALERTS VIRUS A new variant of the BeaverTail malware has been reported, distributed via a macOS DMG file that mimics the legitimate video call service MiroTalk. This campaign is linked to North Korean hackers targeting job seekers. The updated malware is a native Mach-O executable capable of stealing sensitive data from web browsers and cryptocurrency wallets.

18.7.24

Killer Ultra Malware ALERTS VIRUS A tool used in Qilin ransomware attacks known as "Killer Ultra" was recently uncovered by researchers. It disables endpoint detection and response (EDR) and antivirus (AV) tools, using a Zemana driver to terminate their processes.

18.7.24

Noxious Stealer ALERTS VIRUS A new stealer malware dubbed Noxious Stealer was recently identified by researchers. This Python-based open-source tool, currently hosted on GitHub, possesses several capabilities such as collecting sensitive user data including billing details, emails, phone numbers, tokens, as well as system information such as cookies, browsing history, and WiFi passwords.

18.7.24

Malware disguised as cracked versions of MS Office ALERTS VIRUS Threat researchers discovered malware disguised as cracked versions of MS Office. It spreads through downloads and torrents, enabling attackers to control infected systems via updates. The malware adapts installation methods based on the presence of V3 security software. It uses the task scheduler for persistence, ensuring it remains active even if detected.

18.7.24

BadPack method used in Android malware ALERTS VIRUS BadPack is a method observed in malware which targets Android mobile devices. The authors of BadPack manipulate header information of the APK file format, which effectively breaks the file and prevents manual analysis.

16.7.24

Quasar RAT delivered via Home Trading System ALERTS VIRUS Threat researchers have identified Quasar RAT malware being distributed via a private Home Trading System (HTS), a tool that allows investors to trade from their own PCs. However, the HTS (aka HPlus) used in these attacks is unsearchable and its provider remains unknown.

16.7.24

Malicious Word Document Spreading Stealer Malware ALERTS VIRUS An ongoing campaign has revealed a stealer malware initially distributed through Word documents. This malware infects computers, retrieves the device's IP address, and subsequently sends the user's browser information to a dedicated command-and-control (C2) server operated by the attackers, with the data customized for different countries.

15.7.24

Poco RAT phishing campaign targeting Spanish speakers ALERTS VIRUS Since early 2024, an ongoing phishing campaign has been targeting Spanish speakers, distributing a new remote access trojan (RAT) known as Poco RAT.

12.7.24

DodgeBox Loader Loading MoonWalk Backdoor ALERTS VIRUS Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku.

12.7.24

Tax-Themed Android Malware Targeting Uzbekistan Mobile Users ALERTS VIRUS Taxes have been and continue to be prevalently used in social engineering tactics around the world to trick users (both consumers and enterprises) into deploying malware on their machines, entangling themselves in BEC scams, inputting sensitive data into phishing websites, and more.

11.7.24

ViperSoftX: Evolving tactics from Torrent software lures to eBook disguises ALERTS VIRUS ViperSoftX is an infostealer that continues to evolve and enhance its tactics and techniques. Initially, attackers leveraged pirated versions of popular software to lure users, often distributed through torrent sites.

11.7.24

GuardZoo: Android spyware targeting Middle Eastern defense entities ALERTS VIRUS An Android spyware dubbed GuardZoo has been observed targeting defense entities in the Middle East. It is believed to be associated with the Houthi rebel faction in Yemen.

9.7.24

Popular sticky-note installers trojanized to push malware ALERTS VIRUS A recent report by CTA member Rapid7 disclosed that installers of the popular sticky-note app 'Notezilla' have been trojanized in order to deliver malware.

8.7.24

Beware of Orcinius trojan's multi-stage attack via Dropbox and Google docs ALERTS VIRUS Beware of the Orcinius trojan malware! It's a multi-stage trojan reported to utilize Dropbox and Google Docs as part of its attack vector for downloading secondary payloads.

8.7.24

Neptune Stealer ALERTS VIRUS A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection.

5.7.24

Mekotio malware targets banking users in Latin America ALERTS VIRUS Mekotio is a banking trojan active in the threat landscape since at least 2015 and targeting predominantly the Latin America region.

5.7.24

Religion as Bait: AndroRAT Targets Nigerian Mobile Users ALERTS VIRUS Nigeria features a vibrant religious landscape with multiple different faiths shaping the country.

5.7.24

Fake Sex Tapes of Turkish Celebrities Fuel SpyNote Spread ALERTS VIRUS Fake sex tapes remain a common social engineering lure used by malware actors due to their ability to evoke strong emotions potentially resulting in impulsive actions.

4.7.24

Disguised e-book delivering AsyncRAT ALERTS VIRUS Former reports detailed how AsyncRAT malware is usually distributed via file extensions such as .chm, .wsf, and .lnk. Attackers disguise malware as 'survey' content in document files and more recently as e-books. Deceptive e-book archives have contained a malicious LNK file posing as a compressed icon, triggering a PowerShell script (RM.TXT), alongside a disguised video file and a legitimate e-book. These tactics highlight sophisticated methods to exploit users' trust with seemingly harmless files.

2.7.24

Poseidon infostealer targeting macOS ALERTS VIRUS Poseidon is a new infostealer variant targeting the macOS platform. The malware is an evolution of the older variant known as RodStealer. The code base and functionalities of Poseidon are very similar to another popular macOS malware variant, AMOS Stealer. The infostealer provides the attackers with capabilities such as file extraction, cryptocurrency wallet theft, and collection of data stored in web browsers as well as in password managers on the compromised endpoints. Poseidon infostealer has been observed being distributed via malicious Google Ads, with the malware masquerading as an installer for the Arc web browser for macOS.

2.7.24

MerkSpy malware payload delivered through exploitation of CVE-2021-40444 vulnerability ALERTS VIRUS Researchers from Fortinet have reported on a new campaign delivering the MerkSpy malware. The threat actors behind this campaign have been leveraging an older Microsoft MSHTML RCE vulnerability, CVE-2021-40444, for payload distribution. MerkSpy is a spyware variant able to monitor user activities, capture screenshots, log keystrokes, and collect and exfiltrate confidential data back to the attacker, among other functions. The observed malware delivery campaign has been reported to target mostly North America and India.

2.7.24

Kematian Stealer ALERTS VIRUS Researchers have reported a new stealer-type malware dubbed Kematian. This PowerShell-based tool is used for covertly accessing and transferring data from Windows systems. The tool gathers various sensitive information such as seed phrases, session files, passwords, application data, and Discord tokens. This data is securely transmitted over TCP to a dedicated C2 server for decryption and further exploitation.

2.7.24

Fake ZainCash App Steals Mobile User Data ALERTS VIRUS ZainCash, a comprehensive mobile wallet service licensed under the Central Bank of Iraq, designed to provide a variety of digital financial services, has become one of the latest Fintech brands abused by cybercriminals. An actor has been seen luring mobile users in various countries with a fake ZainCash Android app (ZainCash.apk).

28.6.24

Unfurling Hemlock: Deploying malware cluster bomb for multi-malware infections ALERTS VIRUS The threat actor known as Unfurling Hemlock has been identified employing a method called "malware cluster bomb" to infect target systems with multiple malware families simultaneously. This approach enables the threat actor to distribute additional malware, primarily comprising stealers like Redline, RisePro, and Mystic Stealer, along with loaders such as Amadey and SmokeLoader. These malicious tools are used to steal sensitive information and facilitate further illicit activities once they have been installed on targeted systems.

28.6.24

Threat Actor UAC-0184 using XWorm RAT ALERTS VIRUS Threat Actor group UAC-0184 has targeted Ukraine using a malware campaign to deliver a RAT known as XWorm. The XWorm malware compromises systems using evasive techniques and Python-related files. This malware possesses an extensive offering of functionalities such as data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems.

28.6.24

0bj3ctivity infostealer targeting Italy ALERTS VIRUS 0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID. The malware is spread via malspam disguised as purchase inquiries. The attackers leverage malicious JavaScript and PowerShell code as well as image files using steganography. The dropped infostealer has the functionality to collect machine information, credentials from various applications, banking and clipboard data as well as data stored in system browsers, etc. The stolen data is exfiltrated to the attackers via email or Telegram APIs.

28.6.24

Latest P2Pinfect malware variant spreads ransomware and coinminers ALERTS VIRUS A new P2Pinfect variant has been reported to spread both ransomware and Monero coinminer payloads in recent campaigns. P2Pinfect is a Rust-based botnet leveraging peer-to-peer (P2P) communication as its C&C mechanism. The malware is known to spread to vulnerable Redis instances. The dropped ransomware payload targets specific files related to databases, documents or media files and appends either the .encrypted or the .lockedfiles extension to the encrypted files. The new P2Pinfect str

28.6.24

Threat actor Boolka compromising websites with BMANAGER malware ALERTS VIRUS Threat actor Boolka has been carrying out opportunistic SQL injection attacks against websites. When unsuspecting visitors land on the infected site(s), the JS inserted into the site(s) collects and exfiltrates the users' inputs and interactions (such as credentials and other personal information). The site(s) also redirect users to a fake loading page to download and install a browser extension, but it really drops the BMANAGER trojan. This malware serves as a conduit to deploy additional modules like the below:

26.6.24

New Medusa Android malware variant ALERTS VIRUS Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including the United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey. The new Medusa variant has some enhanced capabilities including screenshot grabbing, the ability for full-screen overlays as well as remote application uninstall. While this malware strain requires fewer permissions than previous iterations, its full functionality depends on the abuse of Accessibility Services on the targeted device.

26.6.24

Unstable and Condi botnets abusing cloud services for malicious activities ALERTS VIRUS As recently reported by researchers from Fortinet, the Unstable and Condi botnets have been abusing various cloud services for storage and distribution of malware binaries as well as for C2 communication purposes. Both botnet variants leverage multiple older vulnerabilities targeting webservers, routers or other devices. The deployed payloads have capabilities to control the compromised devices, conduct miscellaneous types of DDoS attacks or execute additional arbitrary commands received from C&C servers.

26.6.24

ClickFix: Exploiting social engineering via PowerShell for malware deployment ALERTS VIRUS There is a growing cybersecurity trend where users are deceived into copying and pasting malicious PowerShell scripts into an administrative PowerShell terminal window, leading to malware installation. This technique was observed in a recent campaign dubbed ClickFix. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal. Upon execution, the PowerShell script retrieves and activates a malicious payload known as Lumma Stealer.

26.6.24

Stego-Campaign exploiting documents to deploy Remcos RAT ALERTS VIRUS A phishing email campaign utilizing a URL shortener in a Microsoft Word file attachment, exploiting the CVE-2017-0199 vulnerability, has been reported in the wild. The URL redirect enticed users to download a variant of Equation Editor malware in RTF format. Exploiting the Equation Editor vulnerability CVE-2017-11882, the malware attempts to download an obfuscated VB script containing PowerShell code, which in turn downloads the final malicious payload, Remcos RAT, using a steganographic image.

26.6.24

SpiceRAT malware ALERTS VIRUS SpiceRAT is a new malware variant identified by Cisco Talos. The malware has been attributed to a threat actor known as SneakyChef that has been conducting malicious campaigns against governmental entities in EMEA. The attackers leverage a multi-staged distribution chain involving either .hta or .lnk files. SpiceRAT utilizes a DLL sideloading technique, abusing a legitimate signed executable to load a malicious DLL loader binary. The delivered payload has the functionality to run arbitrary commands as well as to download and execute additional payloads.

26.6.24

SpyMax mobile malware targets Telegram users ALERTS VIRUS A new variant of the Android malware SpyMax has been observed in recent campaigns targeting Telegram users. The malicious .apk binaries are spread via a website masquerading as a legitimate Telegram app download portal. Upon executing the .apk package, the malware is installed on the device under the disguise of the legitimate Telegram app. SpyMax has typical RAT functionality including keylogging and exfiltration of confidential information from the compromised devices.

26.6.24

Red Mongoose Daemon malware ALERTS VIRUS Red Mongoose Daemon is a new banking malware variant identified by researchers from Scitum. The malware has been observed in campaigns targeting banking users and organizations in Brazil. The attack chain in the observed campaigns includes the use of malicious .msi droppers as well as DLL side-loading techniques. With the help of window overlay techniques, Red Mongoose Daemon focuses on banking information exfiltration by spoofing PIX payment system transactions. The malware additionally features capabilities such as command execution, remote control, clipboard hijacking, and theft of various credentials and cryptocurrency wallets.

26.6.24

Rafel RAT mobile malware ALERTS VIRUS Rafel RAT is an open-source mobile malware observed in some recent campaigns targeting Android users. As reported by Check Point, the malware is a versatile tool that allows the attackers both data exfiltration and remote control over the infected device. Rafel's infostealing capabilities include theft of device information, SMS messages and call logs, among others. The malware can also initiate file deletion, encryption or upload to the C2 servers controlled by the attackers. Rafel mainly leverages http(s) protocols for C2 communication but it can also utilize Discord APIs to contact the threat actors.

26.6.24

Satanstealer Infostealer ALERTS VIRUS Satanstealer is a new open source infostealing malware shared on GitHub. The malware collects and exfiltrates various types of information such as browser cookies, passwords, registered phone numbers, and email client details. Additionally, it can steal sensitive information including cryptocurrency wallets, Discord tokens, Discord injections, and information from Steam and Riot Games. This malware includes AntiDebug and AntiVM features to detect sandboxed and virtual environments.

26.6.24

SquidLoader - new loader in the threat landscape ALERTS VIRUS A new loader malware dubbed SquidLoader has been reported as being actively distributed via phishing campaigns targeting Chinese-speaking users. The malware employs various evasion and decoy techniques in order to stay under the radar and avoid detection. The loader has been found to deliver a Cobalt Strike beacon in the most recent campaigns. Upon initiating C2 communication the delivered payload will send information about the compromised machine back to the attackers and await further commands.

26.6.24

Fickle Stealer ALERTS VIRUS Fickle Stealer is a recently observed malware written in Rust. Attackers leverage multiple delivery methods in a multi-stage attack chain to distribute the payload. Attacks may initiate with a Word document, link file, or executable that either drops or downloads PowerShell scripts to continue the compromise. The stealer has numerous targets including crypto wallets, browsers and browser plugins, document file types, communication applications, and more. A more technical report about this malware campaign has been published by Fortinet.

19.6.24

New strain of Diamorphine Linux rootkit ALERTS VIRUS A new variant of an open-source LKM (Loadable Kernel Module) rootkit dubbed Diamorphine has been found in the wild. The rootkit is used by threat actors to hide malicious processes or elevate privileges on the compromised machines. Diamorphine leverages magic packets allowing it to run arbitrary commands on the infected endpoint. This latest variant also has a new exit function that allows for unloading the rootkit kernel module from memory.

19.6.24

Malvertising Campaign Targets Users With Fake Software Installers ALERTS VIRUS A malvertising campaign has been observed, enticing users to download masqueraded installers disguised as popular software such as Google Chrome and Microsoft Teams. Users are directed to typo-squatted websites after searching for these software titles on search engines. These installers are designed to deploy a backdoor known as Oyster, also referred to as Broomstick. Oyster facilitates gathering information about the compromised system, manages communication with command-and-control (C2) servers, and enables remote code execution.

19.6.24

Hijack Loader and Vidar Stealer targeting Cisco Webex users ALERTS VIRUS Malware campaigns affecting users in Latin America and the Asia Pacific regions have recently been reported. These campaigns target users of popular commercial software such as the Cisco Webex Meetings App, enticing them to download password-protected archive files containing trojanized software copies. Upon extraction and execution, a stealthy malware loader named Hijack Loader is activated. Hijack Loader then acts as a gateway to deploy Vidar Stealer using an AutoIt script. Vidar Stealer is designed to gather credentials and sensitive data, which it exfiltrates to the attacker's command-and-control (C2) servers. Additionally, the stealer can download payloads such as Amadey Loader, used to initiate the XMRig miner, and a clipper malware that redirects cryptocurrency transactions to wallets controlled by the attackers.

19.6.24

Rogue Raticate Malspam Campaign: Malicious PDFs Lead to NetSupport RAT ALERTS VIRUS The cybercriminal group known as Rogue Raticate (aka RATicate) has been active for a few years now and is well-known for targeting enterprises using malicious emails and remote access trojans. This week another one of their campaigns was observed. Attached to the malicious emails is a PDF file (e.g., unpaid-7985652547.pdf, Paper-2445311685.pdf) containing a malicious URL. The attackers are using two social engineering templates as lures, OneDrive and Adobe. If a user is successfully tricked into clicking on the URL, they will be led via a Traffic Distribution System (TDS) into the rest of the chain and in the end have the NetSupport Remote Access Tool deployed on their machine.

18.6.24

Vortax: MacOS Malware Campaign Unveiled ALERTS VIRUS A recent malware campaign targeting macOS vulnerabilities to distribute infostealers has surfaced. The threat actor, identified as markopolo, is actively aiming at cryptocurrency users. They utilize a compromised binary of a virtual meeting software called Vortax, which, once downloaded and installed, leads to the deployment of infostealers such as Rhadamanthys, Stealc, and Atomic macOS Stealer.

17.6.24

DISGOMOJI: Discord-based malware campaign targeting government organizations ALERTS VIRUS A new innovative malware campaign has emerged, utilizing Discord for Command and Control (C2) operations and employing an emoji-based protocol where the threat actor communicates commands to the malware through emojis in the command channel. Dubbed DISGOMOJI, the malware is a UPX-packed ELF2 written in Golang. It contains hardcoded authentication tokens and server IDs within the ELF, enabling access to the Discord server.

14.6.24

Malspam Campaign Delivering Koi Loader/Koi Stealer ALERTS VIRUS In a recent malspam campaign attackers appear to have altered their tactics in order to avoid detection. Instead of the typical approach of sending direct emails with malicious links, in this case they began with benign emails discussing a random scenario. If the recipient responds and engages, the attackers will follow up and send a malicious link. Clicking on it will lead to a webpage where a ZIP file containing a Windows shortcut file (LNK) will be downloaded. This shortcut will subsequently load the Koi Loader or Koi Stealer payload, capable of stealing sensitive data such as cookies, history, and login information.

13.6.24

Noodle RAT malware supports both Windows and Linux deployments ALERTS VIRUS Noodle RAT is a malware variant recently identified by researchers from Trend Micro. This RAT has been reported as being used in targeted campaigns in the Asia-Pacific region. Noodle RAT is a modular malware with relatively straightforward capabilities and displays several code overlaps with the Gh0st RAT and Rekoobe malware families. It allows the attackers to download/upload arbitrary files, execute modules in memory and proxy TCP traffic. The threat actors behind Noodle RAT have also been leveraging the MultiDrop and MicroLoad malware families prior to final payload deployment. Next to the Windows variant of this malware, a Linux strain has also been identified. It features capabilities to download/upload arbitrary files, execute a reverse shell and perform SOCKS tunneling.

13.6.24

Adwind (aka jRAT) distributed in recent campaigns targeting users in Italy ALERTS VIRUS Adwind malware (also known as jRAT or njRAT) has been observed in recent campaigns targeting users in Italy. The attack chain includes malspam emails containing .zip attachments. Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files. The final dropped payload is the Adwind Remote Access Trojan (RAT), which allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration.

13.6.24

WarmCookie backdoor ALERTS VIRUS WarmCookie is a new backdoor variant distributed in phishing campaigns advertising fake job offers. The attack chain leverages malicious JS scripts executing PowerShell commands that in turn lead to the download of WarmCookie DLL payloads. The attackers abuse the Background Intelligent Transfer Service (BITS) to download the malicious payloads. The WarmCookie backdoor has extensive capabilities including endpoint fingerprinting, screenshot capture, arbitrary command execution, file content read/exfiltration and deployment of additional payloads, among others.

13.6.24

Black Basta attackers leveraging CVE-2024-26169 vulnerability as a Zero-day ALERTS VIRUS In a newly released report, Symantec's Threat Hunter Team reviewed evidence that suggests that attackers linked to Black Basta ransomware compiled a CVE-2024-26169 exploit prior to patching. The vulnerability CVE-2024-26169 is a Windows Error Reporting Service vulnerability that can permit an attacker to elevate their privileges. Analysis indicates that an exploit tool deployed in recent attacks linked to Black Basta has been exploiting this vulnerability as a zero-day.

13.6.24

Malware campaign unveils new ValleyRAT variant ALERTS VIRUS A malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack vector involves a downloader with an injected shellcode that dynamically resolves APIs and establishes a connection with the C2 server to download the next-stage malware. This provides remote attackers with unauthorized access and control over infected machines. The new variant of ValleyRAT is equipped with capabilities such as capturing screenshots, process filtering, forced shutdowns, and clearing Windows event logs.

12.6.24

Remcos RAT delivered via UUEncoding (UUE) File ALERTS VIRUS A recent phishing campaign spreading Remcos RAT employs themed documents related to shipping or quotations. The attack commences with a UUE-encoded VBS script, leading to another obfuscated VBS script upon decoding. This script facilitates the saving and execution of a PowerShell script, which in turn connects to a link to download an additional obfuscated PowerShell script. The purpose of this obfuscation chain is to evade detection.

12.6.24

AZStealer - a Python-based infostealer ALERTS VIRUS AZStealer is a recently discovered Python-based infostealer variant. It has the functionality to steal a wide variety of information from the compromised endpoints including: data stored in browsers (cookies, history, bookmarks, passwords, saved credit card info and autofill data), Discord tokens, and login sessions from miscellaneous applications including Steam, Uplay, Tiktok, Telegram, Twitch, Spotify, Reddit or Roblox.

12.6.24

Beware of malicious Python packages on PyPI repository ALERTS VIRUS Numerous malicious Python packages have been observed on the Python Package Index (PyPI) repository, using typosquatting to target users of legitimate packages. For instance, one such package, 'crytic-compilers', masquerades as the legitimate library 'crytic-compile' and is designed to distribute the Lumma stealer. Similarly, another malicious PyPI package, 'pytoileur', is capable of downloading and installing trojanized Windows binaries for purposes such as surveillance, persistence, and crypto theft.
11.6.24SSLoader malware using PhantomLoaderALERTSVIRUSSSLoader malware uses PhantomLoader (an effective tool for deploying malware) to enhance its elusive and stealthy behavior. This malware infiltrates via phishing mail campaigns, performs reconnaissance while evading detection, and exfiltrates data back to threat actors while delivering payloads through various techniques. 
11.6.24Yet another JScript RAT spreads via phishing campaignALERTSVIRUSIt is generally known that JScript-based RATs are often spread via phishing campaigns, and a recent attack was spotted using the same technique as former runs where an initial loader script connects to a C&C server triggering the transmission of a new malicious script, known as the second stage loader. This loader then fetches a JScript RAT component from the server, enabling persistent operation and execution of commands received from the server.
11.6.24Abusing Google Ads to distribute backdoor malware masquerading as Advanced IP ScannerALERTSVIRUSA malicious backdoor malware, masquerading as an Advanced IP Scanner, has been observed in the wild. Advanced IP Scanner is a free network scanner for Windows, primarily used by IT administrators to analyze local area networks (LANs) and gather information about connected devices. However, over the past year, this tool has become the target of a watering hole attack. Threat actors have been mimicking the legitimate website and abusing Google Ads to ensure their malicious site ranks highly in search results. As part of the attack vector, the masqueraded installer is used to deploy and load a CobaltStrike beacon.
11.6.24New Grandoreiro banking trojan campaign masquerading as government entities through spear-phishingALERTSVIRUSA new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors are leveraging spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading ZIP files infected with malware. Grandoreiro is a highly sophisticated and adaptive Windows-based banking trojan first observed in 2016. It has the capability to hijack browser sessions, discover email accounts, steal credentials from web browsers, collect operating system and installed software details, and exfiltrate the collected data to its C2 server.
11.6.24Agent Tesla sending malicious XLA filesALERTSVIRUSAgent Tesla, an infostealing .Net based RAT, has recently been observed sending Spanish language malspam with attached XLA files. These files are crafted to take advantage of multiple old vulnerabilities in Office documents (CVE-2017-11882 and CVE-2017-0199) which causes Excel to automatically download and open remotely stored malicious RTF and JS files, which eventually leads to an Agent Tesla infection.
8.6.24Seidr StealerALERTSVIRUSSeidr is another recent infostealer variant found in the wild and sold via illicit marketplaces. The malware is C++ based with modular architecture. Functionality-wise Seidr steals various information from the compromised endpoints including, OS-related information, data collected from system browsers via keylogging, cryptocurrency wallets etc. Seidr leverages Telegram for data exfiltration and command and control (C2) purposes.
8.6.24Enhanced version of Vidar Stealer emergesALERTSVIRUSAn updated version of the Vidar Stealer has been observed in the wild. This customizable malware is being sold on the dark web and Telegram channels as malware-as-a-service, leveraging social media platforms as part of its command-and-control infrastructure, and collaborating with other malware strains such as STOP/Djvu ransomware and SmokeLoader backdoor. Developed in C++, the malware targets compromised victims' personal information, web browser data, cryptocurrency wallets, financial information, communication applications, and more. It evades detection and exfiltrates sensitive data from compromised systems to its C2 servers.

6.6.24

Rising trend of exploiting Packer apps in targeted attacks ALERTS VIRUS An increasing trend of abusing Packer apps as a technique to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily related to RATs and stealers, have been exploiting commercial Packer apps, targeting financial institutions and government organizations. BoxedApp packer is one such utility that offers features like virtual storage, virtual processes, and a virtual registry, making it harder for endpoint protection systems to detect or analyze malware.

6.6.24

The rise of Kiteshield packer in the ever-evolving landscape of Linux malware ALERTS VIRUS Threat actors are constantly seeking out new tactics and platforms to evade detection and carry out their espionage activities. Most recently, an increasing trend in targeting the Linux platform has been observed, resulting in a surge of Linux malware. Threat actors are leveraging the Kiteshield packer to evade detection on Linux platforms.

6.6.24

Updated Cuckoo malware variant spotted in the wild ALERTS VIRUS Cuckoo is an infostealing macOS malware initially discovered earlier this year. A new variant of it has just recently been observed in the wild. This variant has been distributed via a fake Homebrew macOS package manager website. The malware has the usual infostealing features allowing it to steal confidential information, credentials, browser cookies, cryptocurrency wallets and exfiltrate the collected data to C2 servers controlled by the attackers. The new Cuckoo variant has also added some VM environment detection capabilities.

6.6.24

DarkCrystal RAT Delivered via Signal Messenger ALERTS VIRUS The messaging application 'Signal' is famous among the military and is currently being exploited to deliver DarkCrystal RAT malware to government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins when the victim receives a message with an archive, password, and instructions to open it. Inside the archive is an executable file (".pif" or ".exe"), which is a RARSFX archive containing a VBE file, a BAT file, and an EXE file. Running these files infects the computer with DarkCrystal RAT malware, granting attackers unauthorized access.

6.6.24

Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade ALERTS VIRUS Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil. An actor has fabricated malicious Android applications (Nubank.apk) to appear related to Nubank. These applications are likely being distributed via malicious SMS or other social platforms. If a user is successfully lured and installs the fake Nubank app on their mobile device, they will end up with a well-known remote access trojan known as SpyNote.

6.6.24

Botnet malware campaign distributing NiceRAT malware ALERTS VIRUS A botnet malware campaign has been reported distributing the NiceRAT malware, disguising itself as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. NiceRAT is a Python-based open-source program with anti-debugging and anti-virtual machine capabilities. It collects system information, browser information, and cryptocurrency data from compromised systems and exfiltrates the collected data to threat actors' Discord channel, used as a Command and Control (C&C) server.

6.6.24

LummaC2 Infostealer Delivered via a Recent ClearFake Campaign ALERTS VIRUS ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. Recently, researchers uncovered a new strategy by ClearFake, where users are deceived into manually executing malicious code in PowerShell. This differs from previous tactics where users were typically lured into unwittingly downloading a malicious payload. The change aims to evade security measures and eventually install LummaC2 infostealer malware.

6.6.24

Brazilian banking trojan CarnavalHeist ALERTS VIRUS A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a finance-themed email through which the recipient is lured into downloading an invoice (named "Nota Fiscal", which is Portuguese for invoice). The actual download is a malicious LNK file which leads to further downloads and executions of script components that are responsible for delivering the final malicious payload. Details regarding the campaign and suspected attacker information were made available in a newly published report by Cisco Talos.

30.5.24

BitRAT and Lumma Stealer spread as fake browser updates ALERTS VIRUS A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. The attack chain is initiated by users visiting compromised websites and triggering malicious JavaScript code redirecting them to fake update websites. Further down the chain, malicious PowerShell scripts lead to the retrieval of malware loaders and final payload execution. The attackers can leverage the delivered payloads to gain control over the compromised endpoints, execute commands remotely and steal information.

30.5.24

Metamorfo Banking Trojan ALERTS VIRUS Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. The HTML attachment contains malicious code that kicks off processes with the main focus on exfiltrating victims' financial information including banking credentials.

30.5.24

NSIS-based packer usage observed in many common malware families ALERTS VIRUS The Nullsoft Scriptable Install System (NSIS) is open source software commonly used by cybercriminals for generating malware. This system is used to generate self-extracting custom installers which have been observed delivering many different malware families. A recent report by Check Point Research provides details on a group of packers using this system.

30.5.24

Mexican Telecom Continuously Impersonated by SpyNote Actor ALERTS VIRUS Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers in countries such as Argentina, Brazil, Chile, Colombia, and many more.

30.5.24

AllaSenha - new AllaKore malware variant ALERTS VIRUS AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. The multi-staged infection chain leverages malicious .lnk files possibly delivered through phishing, BPyCode launcher binaries and a DLL loader dubbed ExecutorLoader that leads to the final AllaSenha payload. The malware functionality focuses on theft of user credentials associated with Brazil's most popular banks. The targeted data includes passwords, QR codes and 2FA tokens. The malware abuses Azure Cloud infrastructure for the purpose of C2 communication and data exfiltration.

30.5.24

Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event ALERTS VIRUS Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia.

30.5.24

Red Akodon threat group recent activities ALERTS VIRUS According to a recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities predominantly in Colombia since at least April 2024. The threat actors have been observed to target various public organizations and other businesses with a variety of commodity malware variants such as Remcos, QuasarRAT, Neshta, XWorm or AsyncRAT. The attack chain often relies on phishing emails coming from compromised accounts. The attackers have been leveraging malicious .svg files either directly attached in malspam or hosted on public file hosting repositories. The attacks conducted by this threat group aim at information exfiltration and gaining control over the compromised endpoints.

30.5.24

TXZ file extension: Evolution of malware distribution in email campaigns ALERTS VIRUS Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers such as archives that include the malicious files. In a recent campaign, multiple emails carrying files with the TXZ extension as attachments were observed. Late last year, Microsoft added native support to Windows 11 for the TXZ file type. This means recipients of the malicious messages would have been able to open the TXZ attachment using Windows File Explorer if they are using the Windows 11 operating system. This shows that TXZ campaigns are actively used in some regionally targeted campaigns and can grow in the future with the adoption of Windows 11 or higher.

30.5.24

Gipy malware distributed under the disguise of AI voice generator tools ALERTS VIRUS A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. The malware binaries are masqueraded as an AI voice generator tool and distributed via phishing websites. Some examples of the package names observed for this malware are as follows: VoiceAIbeta-x64.exe, VoiceAIAdvancedPro.exe, VoiceAiPro-x64.exe, VoiceAIChanger.exe, etc. Next to typical infostealing features, the malware has capabilities to download and execute additional arbitrary payloads. Various malware families have been observed among the malware payloads downloaded by Gipy, including: Lumma Stealer, Redline Stealer, DCRat, RadxRAT, RisePro, TrueClient and more.

28.5.24

Iluria Stealer ALERTS VIRUS There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. The malware is currently being advertised, and for now, consumers appear to be the focus via drive-by-download attacks. In addition, multiple test samples are also being observed.

28.5.24

Rise of Fake AV websites hosting advanced malware ALERTS VIRUS Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. These deceptive sites have been found hosting advanced malicious files, such as APKs, EXEs, and Inno Setup installers, which can deliver spyware like the SpyNote Trojan and data-stealing malware such as Lumma and StealC. These malicious programs are adept at harvesting victim information, including browser data, and sending it to remote servers under the control of attackers.

28.5.24

Android Bankbot impersonates Uzbekistan banks ALERTS VIRUS In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk), impersonating two Uzbekistan banks: Xalq Banki and Ipak Yuli. If a user is successfully lured into installing these on their mobile phone, BankBot will monitor for when the user launches any banking apps it is coded to target. It will then leverage the classic overlay technique, overlaying a fake page on top of the legitimate one in order to steal the user's inputs, such as credentials. At this time, the vector of infection remains unknown but it's very likely that these are being spread via malicious SMS messages or redirections.

25.5.24

RustDoor malware exploits JAVS Viewer vulnerability in courtroom software ALERTS VIRUS A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. This backdoor enables attackers to gain full control of affected systems and transmit data about the host system to a command-and-control (C2) server. The malware exploits a deserialization vulnerability in JAVS Viewer software, tracked as CVE-2024-4978. JAVS technologies are utilized in courtrooms, jails, prisons, councils, hearings, and lecture halls nationwide, with more than 10,000 installations worldwide.

23.5.24

GuLoader Impersonates an Italian Seafood Distributor ALERTS VIRUS GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. One campaign was recently identified where actors are posing as a known Italian company that specializes in the wholesale and retail distribution of seafood, sourcing and importing its products from various countries.

23.5.24

Acrid infostealer leverages "Heaven's Gate" technique ALERTS VIRUS Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants present currently in the threat landscape. Its main functionality relies on collecting various user data from the compromised endpoints and exfiltration to the C&C servers controlled by the attackers. Acrid focuses on the theft of data such as browser cookies, passwords stored in browsers, banking information, cryptocurrency wallets, and credentials stored in various applications. Acrid has been reported to leverage a "Heaven's Gate" technique that effectively enables 64-bit code to be executed within a 32-bit process, potentially allowing the malware to evade security controls monitoring only 32-bit processes.

23.5.24

GhostEngine malware terminates EDR agents and deploys coin miner ALERTS VIRUS A multi-module malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner.

22.5.24

XWorm v5.6 malware ALERTS VIRUS A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. XWorm has miscellaneous capabilities including keylogging, data theft, download of additional arbitrary payloads, RAT functionalities and others.

22.5.24

Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor ALERTS VIRUS A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. This payload is believed to be the TinyTurla backdoor, based on its first-stage backdoor functionalities and utilization of a specific C2 infrastructure.

22.5.24

Keyplug backdoor distributed against organizations in Italy ALERTS VIRUS A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. Keyplug has the capability to initiate C2 communication with attacker servers either via abuse of Cloudflare's CDN (Content Delivery Network) or via the WSS protocol.

21.5.24

Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign ALERTS VIRUS A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. The RAT exhibits advanced capabilities, such as anti-analysis techniques, avoiding handshakes during RAT operation, anti-memory scanning, and using HTTPS for command-and-control (C&C) communication. The Deuterbear infection chain involves two stages: the first stage functions as a plugin downloader, while the second stage acts as a backdoor, harvesting sensitive information from the compromised host.

21.5.24

SamsStealer malware ALERTS VIRUS Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. This malware covertly infiltrates victims' systems, exfiltrating various forms of personal data, including login credentials, cryptocurrency wallets, session data, and browsing history. The stolen data is transmitted to file-sharing services and messaging platforms like Telegram, which are used as command-and-control (C2) servers by the attackers.

21.5.24

Vultur Malware Poses as Antivirus ALERTS VIRUS Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). This Android banking malware leverages the overlay technique, displaying fake overlay windows in the hope of tricking users into entering their banking credentials. It targets hundreds of banks and cryptocurrency exchange platforms.

21.5.24

HiJackLoader gets new modules to lay low ALERTS VIRUS HijackLoader is a multi-stage loader that has recently seen some updates. The first stage allows the loader to decrypt and decompress additional modules and execute a second stage. The second-stage process lives in memory and reads an embedded or remotely hosted image in order to fully initiate the second stage and load additional modules. Some of the newly discovered modules, like User Account Control bypass, are designed to allow for additional persistence in the target environment.

21.5.24

Antidot mobile malware ALERTS VIRUS Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credential theft, device control and execution of commands received from the attackers. The malware can establish HTTP or WebSocket connections to the C2 servers.

16.5.24

New malware Cuttlefish ALERTS VIRUS A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise-grade routers with the intent to monitor passing data traffic and discreetly exfiltrate only authentication-related information such as usernames, passwords and tokens. It also has the capability of introducing more payloads.

16.5.24

Remcos RAT expands functionality with PrivateLoader module ALERTS VIRUS Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. By employing VB scripts, registry modification, and establishing services to restart the malware at varying intervals, this malware can thoroughly infiltrate a system, evade detection, and report statistics to its C2 server.

16.5.24

Malicious Minecraft mod harvests data from Windows system ALERTS VIRUS Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording.

16.5.24

Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation ALERTS VIRUS A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. The distributed malware variants include Atomic Stealer (AMOS), Vidar Stealer, Lumma and the Octo banking trojan. The attackers have been leveraging fake profiles and repositories hosted on GitHub that offer software binaries masqueraded as various popular applications. Threat actors behind this campaign have also been utilizing web-based infrastructure including FileZilla FTP servers for malware delivery.

16.5.24

PureCrypter malware used in Mallox ransomware distribution campaign ALERTS VIRUS The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. The attackers have been reported to employ brute-force attacks against vulnerable or otherwise misconfigured MS-SQL servers in the initial attack stages. PureCrypter is a Malware-as-a-Service (MaaS) offering, potentially leveraged by various affiliates. The delivered payloads might also exfiltrate user data before encryption, as the Mallox ransomware operators have been known to employ double extortion techniques in past attacks.

16.5.24

Malicious Word Document Dropping DanaBot Malware ALERTS VIRUS A recent DanaBot malspam campaign was observed being delivered via a Word document containing a malicious external link which, if clicked, launches a series of events in which additional executable files are downloaded, including command prompt and PowerShell components. This process eventually leads to the dropping of payloads such as iu4t4.exe (DanaBot) and rundll32.exe, which are responsible for collecting sensitive user and system information.

15.5.24

Dracula (Samurai) Stealer ALERTS VIRUS Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). This threat actor is known for using various other infostealer variants including Aurora, Lumma, Redline and Rhadamanthys, among others. Dracula Stealer is leveraged by the attackers to exfiltrate a wide range of confidential information from victim machines including credentials, banking information and others.

15.5.24

WaveStealer: New malware distributed on messaging platforms ALERTS VIRUS WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. This malware is disguised as video game installers and designed to extract various types of sensitive data from compromised systems. It targets web browsers, cryptocurrency wallets, credit card numbers, as well as data associated with messaging platforms like Telegram and Discord. Additionally, WaveStealer has the capability to capture screenshots, enhancing its data exfiltration capabilities.

15.5.24

FIN7 malware campaign exploiting Google Ads ALERTS VIRUS A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. The attackers utilized deceptive websites masquerading as well-known brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, and Google Meet. Visitors to these sites, often directed through sponsored Google Ads, encountered fake pop-ups urging them to download what seemed to be a browser extension. However, the downloaded payload was actually an MSIX file, a packaging format for Windows apps, which delivered NetSupport RAT and DiceLoader for subsequent stages in the infection chain.

15.5.24

Malspam campaign delivers ASyncRAT by way of multiple scripts ALERTS VIRUS In a recently observed campaign, multiple scripts were used to deliver the ASyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files to deliver and establish persistence of ASyncRAT. The attack downloads a Windows Script File (WSF) that in turn launches a VBS file that's responsible for further execution. Latter parts of the attack are carried out by JS, PowerShell, and batch script components.

15.5.24

A Mining Trojan called Hidden Shovel ALERTS VIRUS Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. This Trojan was initially spotted back in November 2023 and has been undergoing multiple upgrades, currently at version 3.0. Hidden Shovel's key features are strong concealment, anti-analysis measures, DLL hijacking backdoor and shellcode injection capabilities.

10.5.24

Malware campaign targeting Windows and MS Office users via software cracks ALERTS VIRUS A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal.

10.5.24

Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic ALERTS VIRUS Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new, having been in use for some time now. The attack chain's initial step remains uncertain, but recently observed Coper samples have been hosted on a content delivery network (CDN) used by LiveChat, a customer service platform.

10.5.24

Malicious Minecraft Mods: zEus stealer targets gamers ALERTS VIRUS A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor.
9.5.24

Continuous Distribution of RokRAT Malware ALERTS VIRUS APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, will execute PowerShell commands after activation. Subsequently, these commands will execute additional files, enabling attackers to gather user information and transmit that data back to their C2 servers.

7.5.24

Counterfeit Revenue Agency page distributing VBlogger malware ALERTS VIRUS A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. Upon accessing the site, users unwittingly download an archive containing a malware downloader, which in turn fetches the final payload via FTP from Altervista. The malware, dubbed "vblogger," is developed in VB6 and possesses keylogging and clipboard capture functionalities. The harvested information is stored in a text file and then sent to the command-and-control (C2) server on Altervista.

7.5.24

Cuckoo: A new macOS malware targeting music ripping applications ALERTS VIRUS A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. Cuckoo boasts extensive functionality, including the collection of browser-stored information such as passwords, cookies, and other credentials. Additionally, it gathers system information and data related to installed cryptocurrency wallets and extensions.

7.5.24

Android malware used in targeted attack against Indian defense forces ALERTS VIRUS A socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware presenting itself as a defense-related application. Upon successful delivery, the application would install itself under the guise of a Contacts application. Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view.

3.5.24

TesseractStealer malware leverages OCR engine for information extraction ALERTS VIRUS TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. The malware focuses on specific data related to credentials and cryptocurrency wallet information. Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the QuasarRAT malware family.

3.5.24

Latest macOS Adload variant focuses on detection evasion ALERTS VIRUS A recent report by SentinelOne outlines changes observed in the macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures. Adload malware has been present in the macOS landscape for several years now, known to be distributed via drive-by downloads and often used in attempts to hijack browser search results, inject ads into webpages or deliver various payloads to the victims.

3.5.24

Old dogs teaching new tricks to ZLoader ALERTS VIRUS ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. This 'new' ability allows ZLoader to block installation on machines other than where the initial infection occurred, stopping further stages from deploying, in the hopes of hindering in-depth analysis.

3.5.24

BirdyClient malware leverages Microsoft Graph API for C&C communication ALERTS VIRUS An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware called BirdyClient used the Graph API to leverage Microsoft OneDrive for C&C purposes.

3.5.24

DarkGate loader continues to be actively distributed ALERTS VIRUS DarkGate loader malware has been very actively distributed within the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. Emails have been observed containing direct download links, while others use attachments (PDF, ZIP, etc.) to initiate the delivery.

3.5.24

Dwphon mobile malware ALERTS VIRUS Dwphon is a recently identified malware variant targeting the Android platform. The malware has the functionality to collect information about the infected device, information about applications installed on the device, as well as some confidential personal information. Dwphon might consist of several distinct modules, each with its own functions and C2 instructions.

3.5.24

SpyNote using Central Bank of Kazakhstan as a lure ALERTS VIRUS No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow. Symantec has recently observed an actor actively targeting users in Kazakhstan with the SpyNote RAT.
30.4.24

Security vendor applications impersonated in recent malware campaign ALERTS VIRUS Impersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. In a recent report, Sophos identified activity in which attackers are modifying legitimate binaries of security vendors to launch newly embedded malicious payloads. It should be noted that modifying such files will break their digital signatures and thereby de-legitimize the applications.

30.4.24

Ziraat Stealer disguised as data recovery tool ALERTS VIRUS The Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a data recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, and various email applications. Moreover, it can conduct screenshot and keylogging activities. Classified as a specialized Remote Access Trojan (RAT), this malicious software has the ability to extract sensitive information from compromised systems.

30.4.24

Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertising ALERTS VIRUS Many campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. This involves exploiting online advertising platforms, including Google Ads, to spread the malware. What makes FakeBat unique is that the threat actor uses MSIX installers packaged with heavily obfuscated PowerShell code.

27.4.24

Brokewell mobile malware ALERTS VIRUS Brokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. The malware features extensive infostealing functionalities including hardware information collection, credential exfiltration, call log retrieval, audio capture, screen streaming, capture of taps, swipes and text inputs, as well as various other remote access and device takeover capabilities.

27.4.24

Amadey malware family remains an active threat in the landscape ALERTS VIRUS Amadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. While this malware family has been known for a relatively long time, new Amadey samples are found in the wild almost every day. Modular architecture combined with both infostealing and payload loading capabilities allows this malware to be used in miscellaneous campaigns by different threat groups. Amadey is known to be distributed in a wide variety of ways, including malicious attachments, drive-by downloads masqueraded as cracked software, malvertising or exploit kits.

25.4.24

CryptBot among the infostealer variants distributed in latest CoralRaider campaign ALERTS VIRUS According to a recent report, three distinct infostealer variants, CryptBot, LummaC2 and Rhadamanthys, have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. The threat actors have been leveraging Content Delivery Network (CDN) cache as a malware delivery mechanism. The new variant of CryptBot malware has the functionality to steal a wide variety of data from the compromised machines. It targets data exfiltration from web browsers, cryptocurrency wallets, authenticator apps and password managers.
25.4.24

More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets ALERTS VIRUS More fake MetaMask Android applications have been observed targeting mobile users' wallets via phishing tactics, all of which are being hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. It's most likely that these apps are being spread via malicious SMS.

25.4.24

GooseEgg, a post-exploitation malware ALERTS VIRUS Researchers at Microsoft have reported on ongoing activities of the Russian-based threat actor Forest Blizzard, identified by Symantec as Swallowtail (aka STRONTIUM), utilizing a custom tool dubbed GooseEgg. This activity has been taking place since at least 2020 and possibly as early as 2019. The tool exploits a vulnerability in the Windows Print Spooler service (CVE-2022-38028) to gain SYSTEM-level privileges and steal credentials from compromised networks. The recently observed campaign targets government, non-governmental, education, and transportation sector organizations primarily in Ukraine, Western Europe, and North America.

23.4.24

Kapeka backdoor ALERTS VIRUS Kapeka is a recently identified backdoor variant leveraged in malicious campaigns targeted at various entities in Eastern Europe since at least 2022. It is believed that this backdoor has been distributed by the threat group known as Sandworm. The Kapeka backdoor is coded in C++ and contains capabilities for fingerprinting the victim's machine, shell command execution, read/write file operations or launching arbitrary payloads, among others. Kapeka also has functionality to upgrade the backdoor binaries or to completely remove itself from the infected endpoint.

23.4.24

Sharpil RAT malware - possible precursor to Sharp Stealer ALERTS VIRUS Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality including system info collection and data gathering from various web browsers. Once on the infected machine, Sharpil initiates a connection to the attackers via a Telegram bot. Sharpil exhibits some code similarities with another recently identified malware variant called Sharp Stealer. This variant has been reported as being advertised for sale on Telegram, and it possesses some enhanced capabilities when compared to Sharpil RAT.

22.4.24

OfflRouter observed infecting Ukrainian DOC files ALERTS VIRUS Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. These documents contain VBA code that, once opened, downloads an executable file which begins to look for other DOC files on the machine to infect, as well as searching for additional plugins on removable drives.

20.4.24

XAgent spyware targeting iOS devices ALERTS VIRUS An XAgent spyware targeting iOS devices has been identified, linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe, XAgent possesses capabilities for remote control and data exfiltration. It can gather information on users' contacts, messages, device details, installed applications, screenshots, and call records.
19.4.24

CR4T malware implant distributed in the DuneQuixote campaign ALERTS VIRUS A malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. CR4T malware comes in two different strains, one written in C/C++ and the other in the Golang programming language. The malware functionality focuses on granting the attackers access to the infected endpoints, enabling remote command execution and arbitrary file upload/download capabilities.

19.4.24

Mamont Android banking trojan ALERTS VIRUS Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. Mamont has the functionality to collect information about the infected device. It can exfiltrate selected messages and intercept new messages, sending them back to an attacker-controlled Telegram channel. The malware has the capability to examine the content of the messages, as it is focused on those related to financial or monetary transactions.

17.4.24

SoumniBot - Android banking malware ALERTS VIRUS SoumniBot is a new banking malware variant for Android. This malware has been reported to target mobile users from Korea. SoumniBot leverages several techniques to evade detection, such as an invalid compression method value, an invalid manifest size or long XML namespace names. Functionality-wise, this Android malware can collect information about the infected device, contact data, SMS/MMS messages, and exfiltrate digital certificates issued by Korean banks that are stored on the device.

17.4.24

Tax-Themed phishing campaign deploys XWorm RAT ALERTS VIRUS An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. The attack begins with an HTML tax document attachment. Upon opening, it triggers the download of a JavaScript file which then executes a PowerShell script. This script is equipped with features to terminate running processes, manage decoy PDF files, disable User Account Control (UAC), and ultimately deliver the XWorm payload.

16.4.24

SolarMarker malware campaign adapts with PyInstaller for obfuscation ALERTS VIRUS A SolarMarker malware campaign has been observed utilizing PyInstaller to obfuscate first-stage PowerShell scripts instead of Inno Setup and PS2EXE, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. SolarMarker is typically spread through attacks involving Search Engine Optimization Poisoning (SEO poisoning). In this observed campaign, users were tempted to download a disguised PDF document from a website impersonating a reputed Southern Californian medical university.

16.4.24

Hive0051c malware campaign distributing GammaLoad in Ukraine ALERTS VIRUS Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. The attack vector employed phishing emails containing Ukrainian-language lure documents targeting military and government entities. The GammaLoad backdoor presents the risk of various follow-on payloads, facilitated by independent C2 fallback channels. Hive0051c utilized synchronized DNS fluxing across multiple channels to rotate infrastructure and maintained several active C2 clusters.
16.4.24

FatalRAT Distributed Through Fake Cryptocurrency App Website ALERTS VIRUS A new malicious campaign has been identified where the attackers attempt to distribute FatalRAT malware via a webpage masqueraded as a legitimate cryptocurrency application download website specifically designed for Chinese users. Once the RAT payload is installed, it can steal personal information from victims and perform keylogging activities.

16.4.24

Fake Anti Radar App SpyNote RAT Targets French Drivers ALERTS VIRUS Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. They are deployed in various locations, including highways, urban areas, and rural roads, to monitor and enforce speed limits. These cameras are often placed strategically in areas prone to speeding or high accident rates, such as near schools, construction zones, and dangerous curves.

16.4.24

XploitSPY Android malware ALERTS VIRUS An active malicious campaign dubbed "eXotic Visit" has been recently spreading a customized variant of the XploitSPY Android malware. The campaign, which reportedly started back in 2021, has been delivering malicious apps hosted on either dedicated websites or the Google Play store. The most recent variants of this malware incorporate code updates regarding obfuscation, emulator detection and the use of native libraries to hide attacker information, among others. XploitSPY has the functionality to extract call logs, contacts and text messages from the infected device. It can also take pictures, record audio or send SMS messages, etc.

13.4.24

Signed backdoor found in screen mirroring software ALERTS VIRUS A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. The malware contains an embedded freeware proxy server, likely intended to watch and potentially manipulate network traffic.

12.4.24

LightSpy malware implant ALERTS VIRUS LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. This malware implant has functionality to exfiltrate private user information, GPS location data, SMS messages, messenger app data, phone call history and more. LightSpy also has capabilities allowing it to comprehensively track browser history on the infected device, remotely execute shell commands and record voice over IP (VoIP) call sessions.

12.4.24

Rhadamanthys malware deployments attributed to TA547 ALERTS VIRUS A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. In their attacks, the attackers leverage .zip archives containing malicious .lnk files that, once executed, trigger PowerShell scripts leading to a Rhadamanthys infection on the compromised endpoint. The deployed malware payload has various capabilities including collection and exfiltration of confidential user data such as credentials, cookies, etc.
11.4.24

Pupy RAT continues to be used in attacks against Linux systems ALERTS VIRUS Pupy RAT continues to be leveraged in attacks conducted by miscellaneous threat operators. The malware has various functionalities including upload/download of files, remote command execution, information theft, keylogging and screenshot capture, among others. While Pupy RAT is known to target both Windows and Linux systems, recently reported campaigns have seen usage of the Linux variant of this malware against targets in Asia.

9.4.24

SpyNote mobile malware spread under the disguise of INPS Mobile application ALERTS VIRUS A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. INPS (National Institute for Social Security) is the main social security organisation in Italy, and the INPS Mobile app gives INPS users access to various consultation and documentation services. The malicious app disguised as INPS Mobile is distributed via a phishing page that resembles the official INPS website. The SpyNote malware payload has various capabilities including keylogging, SMS theft, screenshot grabbing, call recording or installation of additional arbitrary payloads.

9.4.24

Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services ALERTS VIRUS A new infostealer distribution campaign has been reported in the wild, with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. The advertisements lead victims to download malicious software disguised as desktop versions of the mentioned AI programs. Nova Stealer, Rilide Stealer V4, Vidar and IceRAT were among the infostealing payloads distributed in this campaign, which have been known to target users from various European countries.

8.4.24

Xamalicious Android malware ALERTS VIRUS Xamalicious is a backdoor malware targeting the Android platform. The malware is built using the Xamarin framework, an open source platform for creating apps with .NET and C#. The malware has previously been distributed by various apps hosted on Google Play and some other third-party platforms. Xamalicious has the functionality to collect information about the infected device, including hardware info, a list of installed applications, geolocation info and network provider data, among others. A second-stage payload might allow the attackers to take full control of the infected device and to perform additional fraudulent tasks.
8.4.24

Bandook malware - an older threat remains active in the wild ALERTS VIRUS Bandook is a remote access trojan discovered back in 2007. While it is quite an old malware family, new variants of Bandook re-emerge in the wild with new distribution campaigns to this day. In one recent such run, Bandook has been spread with the help of malicious PDF files leading to the download of password-protected 7z archives that, once extracted, deliver the Bandook payload. Upon infection, the malware executes commands received from the attacker-controlled C2 servers. The payload also has capabilities allowing it to download additional arbitrary modules and executables.
8.4.24

Malicious SMS Targets BDO Unibank users ALERTS VIRUS Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, Symantec has observed recurrent malicious SMS in which actors are attempting to lure the bank's mobile users into providing sensitive information that will eventually lead to financial theft. This campaign, while it mostly affects consumers, has also been observed targeting corporate users.

8.4.24

No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign ALERTS VIRUS Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive-by downloads, vulnerabilities, etc.) keep on going. In a recent example, an Agent Tesla malspam campaign caught Symantec's attention, with the actor impersonating Riyad Bank – a major financial institution in Saudi Arabia and one of the largest banks in the country by assets.

8.4.24

MetaStealer distributed via malvertising ALERTS VIRUS MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. Recently the malware has also been seen being delivered via malvertising. Upon clicking on the ads, the victim gets redirected to malware landing pages masqueraded as download portals for AnyDesk or Notepad++ software. MetaStealer has the functionality to collect various information from local browsers, steal credentials and cryptowallets, extract data from miscellaneous third-party applications and more.

8.4.24

New variant of Chameleon Android malware allows for biometric authentication bypass ALERTS VIRUS Chameleon is an Android banking malware that first emerged at the beginning of 2023. The malware has been used in earlier campaigns targeting Android users in Australia and in Poland and has been distributed under the disguise of banking or cryptocurrency apps. Chameleon's capabilities include keylogging, SMS harvesting, credential theft and cookie stealing, among others. The most recently discovered variant of this malware allows the attackers to bypass the biometric authentication on the infected device, forcing it to fall back to standard authentication means such as PIN entry, and unlock the device.

8.4.24

Fictitious OnlyFans premium mobile app revealed as SpyNote ALERTS VIRUS OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. Yet, the intriguing dichotomy lies in its content, which ventures into the NSFW (Not Safe For Work) territory. Many users, while capitalizing on the platform's income potential, inadvertently tread a fine line that might lead them onto Santa's naughty list.

8.4.24

GuLoader campaign: From Seoul to Brussels ALERTS VIRUS GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. In fact, this actor has been orchestrating a substantial campaign in South Korea over the past three weeks in three waves, recently shifting focus to Belgium.
8.4.24

TA544 activities involving IDAT Loader ALERTS VIRUS A new set of malicious activities attributed to the TA544 (aka Narwhal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. In their latest campaigns, the attackers have been leveraging new variants of the IDAT Loader malware to deliver various payloads such as Remcos RAT or SystemBC malware.

8.4.24

JaskaGO infostealer for Windows and macOS ALERTS VIRUS JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, cryptowallets and others. Collected data is compressed into a .zip archive and forwarded to the attackers' C2 servers. Besides the info-stealing functionality, JaskaGO can also execute shell commands received from attackers as well as download and run additional payloads.

8.4.24

Fake NordVPN Installer Delivering SecTopRAT ALERTS VIRUS While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. This malware is pretty much the same as many stealers that abuse both Discord and Telegram to report to the actors and exfiltrate stolen information.

5.4.24

New JsOutProx malware variant observed in campaigns targeted at financial sector ALERTS VIRUS A new JsOutProx malware variant has been observed in recent campaigns targeted at the financial sector in Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. While in the past the group has been using GitHub repositories to host the malicious payloads, the latest attacks leverage repositories on the GitLab platform instead.

5.4.24

Byakugan malware ALERTS VIRUS Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of an Adobe Reader installer. The malware receives commands from a remote C2 server that also acts as the attacker's control panel. Byakugan's functionality includes keylogging, screen capture, coin mining, theft of information stored in web browsers and arbitrary file download, among others.

5.4.24

Phorpiex malware campaign targets finance sector in Europe and North America ALERTS VIRUS A malware campaign distributing the Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. As part of the attack, shortcut files with embedded malicious macros are used to infect user systems and download additional malware payloads. Phorpiex can work without an active C2 server and is mainly used to steal cryptocurrency using the crypto-clipping technique.

5.4.24

Latrodectus malware ALERTS VIRUS Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. The loader is mostly used in the initial stages of the attacks to execute remote commands and to download additional payloads. Notably, its distribution campaigns exhibit similarities with previous IcedID operations in techniques and infrastructure usage.
5.4.24

Backdoor code found in XZ Utils library ALERTS VIRUS On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. The malicious code, tracked as CVE-2024-3094, is embedded in XZ Utils versions 5.6.0 and 5.6.1 and could allow remote, malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.

5.4.24

macOS Users targeted with Infostealers ALERTS VIRUS macOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. This website installs an infostealer capable of extracting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

3.4.24

Emergence of new Vultur banking trojan variant in mobile threat landscape ALERTS VIRUS A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. In the recent campaign, victims are lured into installing a trojanized version of a security app via a link sent through SMS, along with instructions provided via a phone call.

3.4.24

Indonesian Businesses Targeted in an Agent Tesla Campaign ALERTS VIRUS Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries.

30.3.24

Sync-Scheduler Infostealer ALERTS VIRUS An infostealer dubbed Sync-Scheduler, written in C++, has been reported as being distributed concealed within Office document files. The malware employs file-nesting techniques to conceal its presence and is equipped with anti-analysis and defense evasion techniques. Upon compromising systems, it searches through users' personal directories for Office documents such as Word, PowerPoint, and Excel files.

30.3.24

WarzoneRAT malware re-emerges with new samples ALERTS VIRUS WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan variant used by various threat groups in recent years. The malware functionality allows for remote control, remote shell and file operations, credential theft, keylogging, UAC bypass and more. Back in February 2024 the FBI dismantled the Warzone RAT malware operation and seized the infrastructure associated with this threat.
30.3.24

TheMoon malware targets thousands of insecure routers ALERTS VIRUS A new malicious campaign featuring an updated version of TheMoon, a notorious malware family, has been reported. This latest variant of TheMoon appears to target insecure, outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware utilizes them to route traffic through a proxy service known as Faceless.

30.3.24

Beware of FlightNight ALERTS VIRUS A new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight", it is likely the work of the same threat actor.

28.3.24

Dropper disguised as legitimate PuTTY Software ALERTS VIRUS A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, although it has since been removed. It appeared just before the official PuTTY website. This ad raised suspicion due to the domain name, which was unrelated to PuTTY. The PuTTY file advertised in the ad was actually malware, serving as a dropper written in the Go language. Upon execution, the dropper delivered the final payload, known as Rhadamanthys.

28.3.24

Mispadu Stealer extends its reach ALERTS VIRUS Mispadu Stealer (also known as Ursa) has shown increased activity in recent distribution campaigns. While originally this malware has mostly targeted LATAM countries, the recently observed activity shows European countries being targeted this time around as well. The malware delivery chain leverages .pdf documents containing URL links to .zip archives with malicious MSI installers or HTA scripts. Later stages include deployment of malicious VB Scripts and the Mispadu malware payloads.

28.3.24

SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities ALERTS VIRUS Recent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux, used by the threat actors to download and execute secondary payloads on the infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns.

27.3.24

VCURMS and STRRAT being delivered via links in spam messages ALERTS VIRUS A Java downloader has been discovered delivering the VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration.
26.3.24

New backdoor WineLoader ALERTS VIRUS Phishing attacks impersonating political parties, using an invitation to a wine-tasting event as a lure for diplomats, have been used to deploy the WineLoader malware. WineLoader is a new backdoor variant that shares features with BurntBatter, BeatDrop, and MuskyBeat, which are associated with APT29. Once deployed, WineLoader collects information from the infected machine (victim's username, process name, device name, etc.) and exfiltrates it to the C2. The C2 can then instruct it to execute additional modules to perform further tasks such as establishing persistence.

26.3.24

New remote control backdoor leveraging malicious drivers emerges in China ALERTS VIRUS In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors behind the campaign used malicious kernel-mode drivers to carry out their exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard input, and downloading additional malware files such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to use rootkits to conceal malicious code from security tools, thereby weakening defenses and evading detection for extended periods of time.