Tag: infection
-
ClickFix Attack Swaps PowerShell for Cmdkey, Remote Regsvr32 Payloads
A newly identified ClickFix attack variant is raising concerns among cybersecurity researchers after it was observed replacing traditional PowerShell-based delivery with a stealthier technique leveraging native Windows utilities. The infection begins with a familiar ClickFix tactic: a phishing page disguised as a CAPTCHA verification prompt. Victims are instructed to press Win + R, paste a…
-
Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener
IntroductionOn March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for…
-
DPRK Fake Job Scams Self-Propagate in ‘Contagious Interview’
A compromised developer’s repository serves as a worm-like infection vector to spread remote access Trojans (RATs) and other malware. First seen on darkreading.com Jump to article: www.darkreading.com/cyberattacks-data-breaches/dprk-fake-job-scams-self-propagate-contagious-interview
-
The Gentlemen Ransomware Expands With Rapid Affiliate Growth
Gentlemen RaaS expands quickly with multi-platform attacks and SystemBC-linked infections First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/gentlemen-ransomware-rapid/
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape CPU-Z / HWMonitor watering hole infection a copy-pasted attack Fake Claude site installs malware that gives attackers access to your computer Malware Analysis Static SKILL for Codex JanelaRAT: a financial threat targeting users in Latin […]…
-
Weaponized CVE-2026-39987 Pushes Blockchain Backdoor Through Hugging Face
Tags: backdoor, blockchain, credentials, cve, cyber, exploit, infection, rce, remote-code-execution, theftAttackers are rapidly exploiting CVE-2026-39987 in the marimo Python notebook platform to deploy a new NKAbuse backdoor variant hosted on Hugging Face Spaces, turning AI/ML developer environments into high”‘value infection points. The campaign combines pre-auth RCE, credential theft, lateral movement to PostgreSQL and Redis, and a blockchain-based C2 channel that is difficult to monitor or…
-
PlugX USB Worm Hits Multiple Continents via DLL Sideloading
A new PlugX USB worm variant is driving fresh infection waves across several continents, using DLL sideloading and stealthy USB-based propagation to evade detection. First observed in Papua New Guinea in August 2022, the same strain resurfaced months later not only in the Pacific Rim but also in Ghana, Mongolia, Zimbabwe, and Nigeria, underscoring a…
-
Fake Proxifier GitHub Installer Spreads ClipBanker Crypto Malware
Hackers are abusing a fake Proxifier installer hosted on GitHub to deliver a multi”‘stage ClipBanker malware that silently hijacks cryptocurrency transactions from infected systems. The campaign combines search”‘engine poisoning, trojanized installers, and fileless techniques to stay under the radar while swapping victims’ wallet addresses with those controlled by attackers. The infection typically begins when users…
-
Qilin Ransomware Deploys Malicious DLL to Disable Most EDR Defenses
The Qilin ransomware group has developed a highly sophisticated infection chain that targets and disables over 300 endpoint detection and response (EDR) solutions. As defenders improve behavioral detection capabilities, attackers are increasingly targeting the defense layer itself during the early stages of a breach. By deploying a malicious >>msimg32.dll<< file, attackers can bypass traditional antivirus…
-
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.Cisco Talos has attributed the operation to a threat cluster it tracks as First seen on…
-
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.”Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,” Elastic First seen on thehackernews.com Jump to…
-
Qilin EDR killer infection chain
This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/qilin-edr-killer/
-
48 Hours: The Window Between Infostealer Infection and Dark Web Sale
New research maps the full infostealer lifecycle. Your credentials go from an employee’s device to an underground marketplace in less time than it takes your security team to notice anything is wrong. On March 24, 2026, researchers at Whiteintel’s Intelligence Division published a detailed map of the full infostealer lifecycle, tracing the exact sequence from……
-
Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It’s currently not known what lures the threat actors use to trick…
-
Google Drive Expands AI Ransomware Detection, File Recovery to More Users
Google expands Drive ransomware detection and file recovery with its latest AI model, which detects 14 times more infections as the features move beyond beta. The post Google Drive Expands AI Ransomware Detection, File Recovery to More Users appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-google-drive-ransomware-detection-file-recovery/
-
Fake Certificate Loader Hides BlankGrabber Malware Chain
BlankGrabber’s operators are now abusing a fake “certificate” loader to hide a multi”‘stage Rust and Python infection chain, making this commodity stealer significantly harder to spot on Windows endpoints. The new technique relies on built”‘in tools such as certutil.exe, heavily obfuscated PyInstaller stubs, and stealthy exfiltration via Telegram and public web services to evade both…
-
GlassWorm attack installs fake browser extension for surveillance
It hides inside developer tools, then monitors activity and steals data, turning a single infection into a wider risk across the supply chain. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/glassworm-attack-installs-fake-browser-extension-for-surveillance/
-
SmartApeSG ClickFix Campaign Spreads Remcos, NetSupport RAT, StealC, Sectop RAT
A recent SmartApeSG campaign observed on March 24, 2026, highlights the growing sophistication of ClickFix-based attack chains, which deliver multiple remote access trojans (RATs) and information stealers through a staged infection process. The infection begins with the ClickFix technique, where victims are redirected from a compromised legitimate website to a fake CAPTCHA page. This page…
-
New Study Reveals How Infostealer Infections Lead to Dark Web Exposure in Just 48 Hours
New research is shedding light on how infostealer malware turns a single careless click into full-blown credential exposure on dark web marketplaces in less than 48 hours far faster than traditional breach detection timelines. Unlike database breaches that take weeks or months to uncover, infostealer infections move at machine speed. A typical scenario begins when…
-
We Know You Can Pay a Million by Anja Shortland review the terrifying new world of ransomware
Criminals extorting money online have created huge businesses, complete with branding and HRThe birth of ransomware was a stunt that got out of hand. In 1989, an evolutionary biologist called Joseph L Popp Jr was working part time for the World Health Organisation on the Aids epidemic. He was a difficult man. When he was…
-
Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge
Apple warns that outdated iPhones are vulnerable to Coruna and DarkSword exploit kits and urges users to update iOS. Apple has warned that iPhones running outdated iOS versions are at risk from exploit kits like Coruna and DarkSword. These attacks use malicious web content to trigger infection chains that can steal sensitive data. Users are…
-
Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks
Apple is urging users who are still running an outdated version of iOS to update their iPhones to secure against web-based attacks carried out via powerful exploit kits like Coruna and DarkSword.These attacks employ malicious web content to target out-of-date versions of iOS, triggering an infection chain that leads to the theft of sensitive data.”For…
-
Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks
Apple is urging users who are still running an outdated version of iOS to update their iPhones to secure against web-based attacks carried out via powerful exploit kits like Coruna and DarkSword.These attacks employ malicious web content to target out-of-date versions of iOS, triggering an infection chain that leads to the theft of sensitive data.”For…
-
Technical Analysis of SnappyClient
Tags: access, antivirus, api, attack, browser, chrome, cloud, communications, computer, control, credentials, crypto, data, defense, detection, encryption, endpoint, finance, framework, github, infection, injection, jobs, login, malicious, malware, network, password, software, startup, theft, threat, update, windowsIntroductionIn December 2025, Zscaler ThreatLabz identified a new command-and-control (C2) framework implant that we track as SnappyClient, which was delivered using HijackLoader. SnappyClient has an extended list of capabilities including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications. In this blog post, ThreatLabz provides a technical analysis of SnappyClient, including…
-
4,000+ Routers Compromised by KadNap Malware Exploiting Vulnerabilities
A newly uncovered malware campaign dubbed KadNap has silently conscripted more than 14,000 internet”‘exposed routers and edge devices into a stealth proxy botnet, with Asus routers the primary victims. More than 60% of known victims are located in the United States, with additional infections observed in Taiwan, Hong Kong, Russia, and other countriesHow KadNap Infects Routers The…
-
North Korean fake IT worker tradecraft exposed
Opportunistic and broadly targeted: These suspect code silos were abused in a variety of illicit projects split between targeting job-seeking programmers and fake IT worker operations.”Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a…
-
North Korean fake IT worker tradecraft exposed
Opportunistic and broadly targeted: These suspect code silos were abused in a variety of illicit projects split between targeting job-seeking programmers and fake IT worker operations.”Based on our visibility, malware operations targeting individual developers seeking employment are most common,” Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. “Threat actors appear to have a…