Malware Blog News (339) - 2024
Date | Name | Info | Category | Web |
2.11.24 | Attackers Target Exposed Docker Remote API Servers With perfctl Malware | We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. | Malware blog | |
2.11.24 | A Look Into Embargo Ransomware, Another Rust-based Ransomware | Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom is paid. | Malware blog | SonicWall |
2.11.24 | HORUS Protector Part 1: The New Malware Distribution Service | Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others. | Malware blog | SonicWall |
2.11.24 | Threat Spotlight: WarmCookie/BadSpace | WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. | Malware blog | Cisco Blog |
2.11.24 | Threat actor abuses Gophish to deliver new PowerRAT and DCRAT | Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. | Malware blog | Cisco Blog |
2.11.24 | Ghidra data type archive for Windows driver functions | Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types. | Malware blog | Cisco Blog |
28.9.24 | Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors | Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected software packages PondRAT. We’ve also found Linux variants of POOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka Citrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new PondRAT is a lighter version of POOLRAT. | Malware blog | Palo Alto |
28.9.24 | Inside SnipBot: The Latest RomCom Malware Variant | We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD (RomCom 4.0). | Malware blog | Palo Alto |
28.9.24 | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy | Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities. | Malware blog | Palo Alto |
21.9.24 | Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | Authored by Neil Tyagi. In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are... | Malware blog | |
21.9.24 | ESET Research Podcast: EvilVideo | ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos | Malware blog | |
14.9.24 | Earth Preta Evolves its Attacks with New Malware and Strategies | In this blog entry, we discuss our analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. | Malware blog | |
14.9.24 | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads | The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. | Malware blog | Cisco Blog |
7.9.24 | Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command | Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. | Malware blog | |
7.9.24 | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. | Malware blog | |
7.9.24 | ESET Research Podcast: HotPage | ESET researchers discuss HotPage, a recently discovered adware armed with a highest-privilege, yet vulnerable, Microsoft-signed driver | Malware blog | |
7.9.24 | In plain sight: Malicious ads hiding in search results | Sometimes there’s more than just an enticing product offer hiding behind an ad | Malware blog | |
31.8.24 | Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence | Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. | Malware blog | |
31.8.24 | | This week, the SonicWall Capture Labs threat research team observed an AutoIt-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox. | Malware blog | SonicWall |
24.8.24 | MoonPeak malware from North Korean actors unveils new details on attacker infrastructure | Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” | Malware blog | Cisco Blog |
17.8.24 | Mario movie malware might maliciously mess with your machine | There are probably few among us who, never have they ever, downloaded questionable content. Whether it was a hit song in the Napster era or a Blockbuster movie you found on a “special” site online, you can probably think of at least one occasion when you got access to something from a, shall we say, less than reputable source. | Malware blog | Avast Blog |
17.8.24 | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove | Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. Even though it only recently appeared, it has already been noticed in attacks, including those targeting our customers. | Malware blog | |
10.8.24 | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services | In the past year, there has been a marked increase in the use of legitimate cloud services by attackers, including nation-state actors. | Malware blog | Symantec |
10.8.24 | Beware of Fake WinRar Websites: Malware Hosted on GitHub | A fake website seemingly distributing WinRar, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. | Malware blog | |
3.8.24 | Detecting evolving threats: NetSupport RAT campaign | In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. | Malware blog | Cisco Blog |
3.8.24 | Phishing targeting Polish SMBs continues via ModiLoader | ESET researchers detected multiple, widespread phishing campaigns targeting SMBs in Poland during May 2024, distributing various malware families | Malware blog | |
27.7.24 | | This blog will focus on the threat actor’s background and previous actions, the attack chain, and the wiper’s internals and reused code. | Malware blog | |
27.7.24 | | ESET researchers have discovered threats abusing the success of the Hamster Kombat clicker game | Malware blog | Eset |
20.7.24 | Beware of BadPack: One Weird Trick Being Used Against Android Devices | This article discusses recent samples of BadPack Android malware and examines how this threat’s tampered headers can obstruct malware analysis. We also review the effectiveness of various freely available tools for analyzing BadPack Android Package Kit (APK) files. | Malware blog | Palo Alto |
20.7.24 | NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS | MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels with activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal. | Malware blog | Checkpoint |
20.7.24 | HotPage: Story of a signed, vulnerable, ad-injecting driver | A study of a sophisticated Chinese browser injector that leaves more doors open! | Malware blog | Eset |
13.7.24 | The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution | ViperSoftX uses CLR to embed and execute PowerShell commands within AutoIt, seamlessly integrating malicious functions while evading detection with an AMSI bypass. | Malware blog | Trellix |
13.7.24 | Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant | The SonicWall RTDMI™ engine has recently protected users against the distribution of the “6.6” variant of DarkGate malware by a phishing email campaign containing PDF files as an attachment. DarkGate is an advanced Remote Access Trojan that has been widely active since 2018. The RAT has been marketed as Malware-as-a-Service in underground forums, and threat actors are actively updating its code. The malware supports a wide range of features, including anti-VM, anti-AV, delayed execution, multi-variant support and process hollowing, which are controlled by flags in the configuration data. | Malware blog | SonicWall |
13.7.24 | DarkGate: Dancing the Samba With Alluring Excel Files | This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware. | Malware blog | Palo Alto |
13.7.24 | Dissecting GootLoader With Node.js | This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware. | Malware blog | Palo Alto |
6.7.24 | Mekotio Banking Trojan Threatens Financial Systems in Latin America | We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we'll provide an overview of the trojan and what it does. | Malware blog | Trend Micro |
6.7.24 | The Hidden Danger of PDF Files with Embedded QR Codes | The SonicWall Capture Labs threat research team has long been observing PDF files with QR codes being abused by malware authors to deceive users. | Malware blog | SonicWall |
6.7.24 | Hijacked: How hacked YouTube channels spread scams and malware | Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform | Malware blog | Eset |
29.6.24 | StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe | The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited to Poland, Spain, Italy and Germany. | Malware blog | SonicWall |
29.6.24 | New Orcinius Trojan Uses VBA Stomping to Mask Infection | This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys. | Malware blog | SonicWall |
29.6.24 | Attackers Exploiting Public Cobalt Strike Profiles | In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository. | Malware blog | Palo Alto |
29.6.24 | RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS | Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. Known for its open-source nature and flexibility, Android offers users a wide array of features, customization options, and access to a vast ecosystem of applications through the Google Play Store and other sources. | Malware blog | Checkpoint |
29.6.24 | SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques | Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. | Malware blog | Cisco Blog |
29.6.24 | Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia | The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. | Malware blog | Cisco Blog |
29.6.24 | Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more | As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: discussing the I/O system and IRPs. | Malware blog | Cisco Blog |
15.6.24 | Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups | This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. | Malware blog | Trend Micro |
15.6.24 | DarkGate again but... Improved? | DarkGate is back, if it ever left, with the latest version, number 6, which includes new distribution methods, anti-analysis techniques and features. | Malware blog | Trellix |
15.6.24 | Operation Celestial Force employs mobile and desktop malware to target Indian entities | Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” | Malware blog | Cisco Blog |
15.6.24 | How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe | The spyware, called AridSpy by ESET, is distributed through websites that pose as various messaging apps, a job search app, and a Palestinian Civil Registry app | Malware blog | Eset |
1.6.24 | STATIC UNPACKING FOR THE WIDESPREAD NSIS-BASED MALICIOUS PACKER FAMILY | Packers or crypters are widely used to protect malicious software from detection and static analysis. | Malware blog | Checkpoint |
25.5.24 | Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries | Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings | Malware blog | Eset |
18.5.24 | Payload Trends in Malicious OneNote Samples | In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. | Malware blog | Palo Alto |
11.5.24 | The hacker’s toolkit: 4 gadgets that could spell security trouble | Their innocuous looks and endearing names mask their true power. These gadgets are designed to help identify and prevent security woes, but what if they fall into the wrong hands? | Malware blog | Eset |
4.5.24 | It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise | Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans. | Malware blog | Palo Alto |
28.4.24 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. | Malware blog | Cisco Blog |
28.4.24 | Suspected CoralRaider continues to expand victimology using three information stealers | Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload onto the victims’ hosts. | Malware blog | Cisco Blog |
20.4.24 | Redline Stealer: A Novel Approach | Authored by Mohansundaram M and Neil Tyagi. A new packed variant of the Redline Stealer trojan was... | Malware blog | McAfee |
20.4.24 | OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal | The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. | Malware blog | Cisco Blog |
13.4.24 | Starry Addax targets human rights defenders in North Africa with new malware | Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” that mostly targets human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause, using a novel mobile malware. | Malware blog | Cisco Blog |
13.4.24 | eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe | Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit | Malware blog | Eset |
6.4.24 | AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES | When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted. Is it worth an investigation to begin with? As it turns out, there are new discoveries with previously hidden information of valuable significance that can be built into the already-painted picture. | Malware blog | Checkpoint |
6.4.24 | MALWARE SPOTLIGHT: LINODAS AKA DINODASRAT FOR LINUX | In recent months, Check Point Research (CPR) has been closely monitoring the activity of a Chinese-nexus cyber espionage threat actor who is focusing on Southeast Asia, Africa, and South America. | Malware blog | Checkpoint |
6.4.24 | Adversaries are leveraging remote access tools now more than ever — here’s how to stop them | While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. | Malware blog | Cisco Blog |
6.4.24 | Malware hiding in pictures? More likely than you think | There is more to some images than meets the eye – their seemingly innocent façade can mask a sinister threat. | Malware blog | Eset |
23.3.24 | Large-Scale StrelaStealer Campaign in Early 2024 | StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim's email login information, which they can then use to perform further attacks. | Malware blog | Palo Alto |
23.3.24 | Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention | This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. | Malware blog | Palo Alto |
23.3.24 | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor | This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). | Malware blog | Palo Alto |
23.3.24 | AceCryptor attacks surge in Europe – Week in security with Tony Anscombe | The second half of 2023 saw massive growth in AceCryptor-packed malware spreading in the wild, including courtesy of multiple spam campaigns where AceCryptor packed the Rescoms RAT | Malware blog | Eset |
23.3.24 | Rescoms rides waves of AceCryptor spam | Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries | Malware blog | Eset |
23.3.24 | A prescription for privacy protection: Exercise caution when using a mobile health app | Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data | Malware blog | Eset |
17.3.24 | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled | This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. BunnyLoader is a dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims. | Malware blog | Palo Alto |
2.3.24 | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users | First identified in 2004, Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. In this article, along with exploring Bifrost, we’ll also showcase a notable spike in Bifrost’s Linux variants during the past few months. | Malware blog | Palo Alto |
2.3.24 | TimbreStealer campaign targets Mexican users with financial lures | Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. | Malware blog | Cisco Blog |
25.2.24 | Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns | Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. | Malware blog | Cisco Blog |
10.2.24 | RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS | Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time. | Malware blog | Checkpoint |
10.2.24 | New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization | Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” | Malware blog | Cisco Blog |
4.2.24 | Exploring the Latest Mispadu Stealer Variant | Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this activity as part of the Unit 42 Managed Threat Hunting offering. We discovered this threat activity while hunting for the SmartScreen CVE-2023-36025 vulnerability. | Malware blog | Palo Alto |
4.2.24 | Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers | Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. | Malware blog | Cisco Blog |
4.2.24 | Grandoreiro banking malware disrupted – Week in security with Tony Anscombe | The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows | Malware blog | Eset |
4.2.24 | ESET takes part in global operation to disrupt the Grandoreiro banking trojan | ESET provided technical analysis, statistical information, known C&C servers and was able to get a glimpse of the victimology | Malware blog | Eset |
20.1.24 | Parrot TDS: A Persistent and Evolving Malware Campaign | This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders. It specifically focuses on more than 100 highly popular projects, aiming its attacks at token holders. | Malware blog | Palo Alto |
14.1.24 | Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer | Malware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. | Malware blog | Palo Alto |
14.1.24 | .NET HOOKING – HARMONIZING MANAGED TERRITORY | For a malware researcher, analyst, or reverse engineer, the ability to alter the functionality of certain parts of code is a crucial step, often necessary to reach a meaningful result during the analysis process. | Malware blog | Checkpoint |