Tag: infection

Technical Analysis of SnappyClient

Mar 18, 2026 7:10 PM

Tags: access, antivirus, api, attack, browser, chrome, cloud, communications, computer, control, credentials, crypto, data, defense, detection, encryption, endpoint, finance, framework, github, infection, injection, jobs, login, malicious, malware, network, password, software, startup, theft, threat, update, windows

IntroductionIn December 2025, Zscaler ThreatLabz identified a new command-and-control (C2) framework implant that we track as SnappyClient, which was delivered using HijackLoader. SnappyClient has an extended list of capabilities including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications. In this blog post, ThreatLabz provides a technical analysis of SnappyClient, including…
4,000+ Routers Compromised by KadNap Malware Exploiting Vulnerabilities

Mar 12, 2026 2:10 PM

Tags: botnet, cyber, exploit, infection, malware, router, russia, vulnerability

A newly uncovered malware campaign dubbed KadNap has silently conscripted more than 14,000 internet”‘exposed routers and edge devices into a stealth proxy botnet, with Asus routers the primary victims. More than 60% of known victims are located in the United States, with additional infections observed in Taiwan, Hong Kong, Russia, and other countriesHow KadNap Infects Routers The…
North Korean fake IT worker tradecraft exposed

Mar 12, 2026 11:10 AM

Tags: access, ai, banking, breach, china, crypto, data-breach, defense, detection, finance, fintech, fraud, gitlab, group, identity, infection, intelligence, jobs, malicious, malware, mobile, north-korea, programming, scam, service, skills, software, tactics, threat, tool

Opportunistic and broadly targeted: These suspect code silos were abused in a variety of illicit projects split between targeting job-seeking programmers and fake IT worker operations.”Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a…
North Korean fake IT worker tradecraft exposed

Mar 12, 2026 11:10 AM

Tags: access, ai, banking, breach, china, crypto, data-breach, defense, detection, finance, fintech, fraud, gitlab, group, identity, infection, intelligence, jobs, malicious, malware, mobile, north-korea, programming, scam, service, skills, software, tactics, threat, tool

Opportunistic and broadly targeted: These suspect code silos were abused in a variety of illicit projects split between targeting job-seeking programmers and fake IT worker operations.”Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a…
Middle East Conflict Fuels Opportunistic Cyber Attacks

Mar 6, 2026 9:47 PM

Tags: access, advisory, api, apt, attack, authentication, awareness, backdoor, best-practice, breach, browser, business, chrome, cloud, crypto, cyber, cybercrime, cybersecurity, data, defense, endpoint, exploit, fraud, google, government, identity, infection, Internet, iran, iraq, malicious, malware, mfa, middle-east, military, monitoring, network, password, phishing, PurpleTeam, radius, risk, risk-assessment, scam, service, software, technology, theft, threat, training, unauthorized, update, vulnerability, windows, zero-day

IntroductionThreat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings. ThreatLabz…
Fake Zoom and Google Meet Phishing Campaigns Deploy Teramind Surveillance Software

Feb 28, 2026 5:37 PM

Tags: attack, cyber, endpoint, google, infection, monitoring, phishing, scam, software, threat, unauthorized, windows

Threat actors are executing sophisticated phishing campaigns that impersonate Zoom and Google Meet to silently deploy Teramind onto Windows devices. While Teramind is a legitimate enterprise endpoint monitoring product, scammers are abusing its stealth features to conduct unauthorized surveillance. The Infection Chain and Delivery Mechanism The attack relies on fabricated landing pages that mimic official…
APT37 Adds New Capabilities for Air-Gapped Networks

Feb 26, 2026 5:37 PM

Tags: access, android, api, attack, authentication, backdoor, cloud, communications, computer, credentials, data, detection, endpoint, google, government, group, Hardware, infection, infrastructure, injection, Internet, malicious, malware, microsoft, monitoring, network, north-korea, powershell, service, social-engineering, threat, tool, update, windows

IntroductionIn December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK,…
APT37 Adds New Capabilities for Air-Gapped Networks

Feb 26, 2026 5:37 PM

Tags: access, android, api, attack, authentication, backdoor, cloud, communications, computer, credentials, data, detection, endpoint, google, government, group, Hardware, infection, infrastructure, injection, Internet, malicious, malware, microsoft, monitoring, network, north-korea, powershell, service, social-engineering, threat, tool, update, windows

IntroductionIn December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK,…
Steaelite RAT combines data theft and ransomware management capability in one tool

Feb 26, 2026 5:37 AM

Tags: access, android, attack, authentication, awareness, business, corporate, credentials, crypto, cybercrime, data, ddos, defense, encryption, endpoint, extortion, infection, infosec, malware, mobile, monitoring, password, phishing, ransomware, rat, remote-code-execution, theft, threat, tool, training, windows

CSO that this isn’t the most sophisticated RAT he’s seen. “The novel aspect here,” he said, “is the convergence. Steaelite bundles remote access, credential harvesting, data exfiltration, and ransomware (currently in development) in a single package.” Traditionally, he explained, these capabilities have occupied different parts of the cybercrime toolchain, but Steaelite unifies the functions, giving…
Malicious OpenClaw Tactics Deceive Users into Manual Password Entry for AMOS Infection

Feb 24, 2026 11:02 AM

Tags: ai, attack, cyber, infection, macOS, malicious, password, skills, social-engineering, software, supply-chain, tactics

Malicious OpenClaw skills are being weaponized to coerce users into manually entering their passwords, enabling a new Atomic (AMOS) Stealer infection chain that abuses AI agent workflows as a social engineering channel. TrendAI Research has tracked Atomic (AMOS) Stealer’s evolution from crude “cracked” macOS software lures to a refined supply chain attack abusing OpenClaw’s skill…
Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb

Feb 23, 2026 8:01 PM

Tags: crypto, cybersecurity, exploit, infection, software

Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts.”Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim First seen on thehackernews.com Jump…
Fake troubleshooting tip on ClawHub leads to infostealer infection

Feb 23, 2026 5:02 PM

Tags: ai, infection, malware

A new malware delivery campaign has hit ClawHub, the official online repository for >>skills<< that augment the capabilities of the popular OpenClaw AI agent. Unlike … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/02/23/clawhub-malicious-comment-infostealer/
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 85

Feb 22, 2026 5:02 PM

Tags: android, backdoor, china, data-breach, infection, international, malware

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter Ninja Browser & Lumma Infostealer Ghost Tapped: Tracking the Rise of Chinese Tap-to-pay Android Malware Hudson Rock Identifies Real-World Infostealer Infection Targeting OpenClaw Configurations Divide and conquer: how the new Keenadu backdoor exposed links…
PromptSpy: First Android AI Malware Leverages Google’s Gemini for Decision-Making

Feb 20, 2026 7:02 AM

Tags: ai, android, cyber, data, google, infection, malware

PromptSpy is a newly discovered Android malware family that abuses Google’s Gemini generative AI model to make real”‘time decisions on how to manipulate the user interface and stay active on infected devices. PromptSpy’s AI”‘assisted functionality is focused on persistence rather than initial infection or data theft. Instead of relying on hardcoded tap coordinates or fragile…
Infostealer Found Stealing OpenClaw AI Identity and Memory Files

Feb 19, 2026 12:01 PM

Tags: ai, identity, infection, malware

Researchers at Hudson Rock have identified a live infection where an infostealer exfiltrated a victim’s OpenClaw configuration. The discovery highlights a shift in malware behaviour toward harvesting personal AI identity files. First seen on hackread.com Jump to article: hackread.com/infostealer-steal-openclaw-ai-identity-memory-files/
Stealthy Crypto-Mining Malware Jumps Air-Gaps, Spreads via External Drives

Feb 19, 2026 9:01 AM

Tags: computing, crypto, cyber, infection, malware, software, threat, unauthorized

Cryptojacking, the unauthorized use of a victim’s computing resources to mine cryptocurrency, has transitioned from a browser-based nuisance (typified by Coinhive scripts) to a system-level threat utilizing advanced malware techniques. The infection chain starts with a familiar lure: cracked “premium” productivity suites distributed via pirated software bundles, where the user executes what appears to be…
Keenadu: Android malware that comes preinstalled and can’t be removed by users

Feb 18, 2026 1:58 PM

Tags: access, ai, android, backdoor, banking, browser, cctv, chrome, control, credentials, data, endpoint, firmware, governance, identity, infection, kaspersky, malware, mitigation, mobile, network, risk, software, update

Embedded in core system apps: Keenadu can control legitimate system applications on affected devices. Kaspersky observed it inside critical components such as face unlock applications, raising the possibility that attackers could access biometric data. The malware was also found operating within the home screen app that controls the device’s primary interface.The researchers warned that the…
Fake CAPTCHA Attack Chain Triggers Enterprise-Wide Malware Infection in Organizations

Feb 18, 2026 12:58 PM

Tags: attack, captcha, cyber, infection, malware, social-engineering, threat

Fake CAPTCHA (ClickFix) pages are enabling threat actors to turn a single user click into an enterprise”‘wide compromise, as seen in a recent incident affecting a major Polish organization. The campaign chained social engineering, DLL side”‘loading, and dual malware families (Latrodectus and Supper) to gain persistence, perform reconnaissance, and prepare the environment for potential follow”‘on…
Fake CAPTCHA Attack Chain Triggers Enterprise-Wide Malware Infection in Organizations

Feb 18, 2026 12:58 PM

Tags: attack, captcha, cyber, infection, malware, social-engineering, threat

Fake CAPTCHA (ClickFix) pages are enabling threat actors to turn a single user click into an enterprise”‘wide compromise, as seen in a recent incident affecting a major Polish organization. The campaign chained social engineering, DLL side”‘loading, and dual malware families (Latrodectus and Supper) to gain persistence, perform reconnaissance, and prepare the environment for potential follow”‘on…
China-linked snoops have been exploiting Dell 0-day since mid-2024, using ‘ghost NICs’ to avoid detection

Feb 18, 2026 1:58 AM

Tags: china, detection, exploit, infection, zero-day

Full scale of infections remains ‘unknown’ First seen on theregister.com Jump to article: www.theregister.com/2026/02/18/dell_0day_brickstorm_campaign/
ZeroDayRAT spyware targets Android and iOS devices via commercial toolkit

Feb 17, 2026 2:58 PM

Tags: android, control, detection, edr, email, exploit, infection, malicious, mobile, software, spyware, threat, unauthorized, vulnerability

Reliance on deception and not exploits: Despite the name, ZeroDayRAT does not depend on undisclosed operating system vulnerabilities to infect devices. Instead, the primary infection vector is social engineering. Victims are persuaded to install a malicious application or configuration profile disguised as legitimate software, often delivered through links shared via SMS, email, or messaging platforms.While…
Threat Actors Target OpenClaw Configurations to Steal Login Credentials

Feb 17, 2026 6:58 AM

Tags: ai, credentials, crypto, cyber, infection, login, malware, theft, threat

A new wave of infostealer activity targeting OpenClaw, an emerging AI assistant platform. The discovery marks a major turning point in the behavior of infostealer malware moving beyond browser and cryptocurrency theft to focus on AI configuration environments that hold deep digital identities and sensitive metadata. Hudson Rock detected a live infection where an infostealer successfully…
Washington Hotel in Japan discloses ransomware infection incident

Feb 16, 2026 10:58 PM

Tags: attack, business, infection, ransomware

The Washington Hotel brand in Japan has announced that that its servers were compromised in a ransomware attack, exposing various business data. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/washington-hotel-in-japan-discloses-ransomware-infection-incident/
Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens

Feb 16, 2026 8:58 PM

Tags: ai, credentials, cybersecurity, infection

Cybersecurity researchers disclosed they have detected a case of an information stealer infection successfully exfiltrating a victim’s OpenClaw (formerly Clawdbot and Moltbot) configuration environment.”This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the ‘souls’ and identities of personal AI [ First seen on thehackernews.com…
OysterLoader Evolves With New C2 Infrastructure and Obfuscation

Feb 16, 2026 5:58 PM

Tags: infection, infrastructure, malware

OysterLoader malware evolves into 2026, refining C2 infrastructure, obfuscation & infection stages First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/oysterloader-new-c2-infrastructure/
New ClickFix Attack Wave Targets Windows Systems to Deploy StealC Stealer

Feb 13, 2026 7:58 AM

Tags: attack, captcha, credentials, crypto, cyber, email, infection, malicious, powershell, windows

A new wave of ClickFix attacks is targeting Windows users with fake Cloudflare-style CAPTCHA verification pages that trick victims into executing malicious PowerShell commands. This campaign delivers a multi-stage, fileless infection chain that ends with StealC, a powerful information stealer capable of harvesting credentials, cryptocurrency wallets, gaming accounts, emails, and detailed system fingerprints. The operation…
Fake CAPTCHA Attacks Exploit Key Entry Point for LummaStealer Malware

Feb 12, 2026 7:58 AM

Tags: attack, captcha, credentials, crypto, cyber, data, exploit, infection, law, malware

Fake CAPTCHA attacks are now a key entry point for a new wave of LummaStealer infections, with CastleLoader loaders turning simple web clicks into full system compromise. Less than a year after a major law-enforcement takedown, the infostealer’s operators have rebuilt at scale and are again harvesting credentials, crypto wallets, and personal data worldwide. LummaStealer…
LummaStealer infections surge after CastleLoader malware campaigns

Feb 11, 2026 6:22 PM

Tags: infection, malware, social-engineering

A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/
10,000+ Active Infections Traced to SystemBC Botnet

Feb 5, 2026 11:17 PM

Tags: botnet, infection

Researchers identified over 10,000 active infections linked to the SystemBC proxy malware. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/10000-active-infections-traced-to-systembc-botnet/
New DesckVB RAT Unveiled with Multi-Stage Infection Chain and Plugin-Based Architecture

Feb 5, 2026 8:13 AM

Tags: access, cyber, infection, malware, rat

A sophisticated strain of the DeskVB Remote Access Trojan (RAT) has been identified in the wild, showcasing a highly modular architecture and a complex, multi-stage infection chain. While the malware family itself is not entirely new, this latest iteration (v2.9.0.0) stands out for its operational stability and >>plugin-based<< design, which allow attackers to deploy capabilities…