Tag: malicious
-
SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a “massive, multi-domain, multi-language” campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others. First seen…
-
‘Phantom Squatting’: An Emerging AI-Driven Supply Chain Threat
LLMs consistently hallucinate Web domains for legitimate brands that attackers can register for malicious activity in a difficult-to-detect attack vector. First seen on darkreading.com Jump to article: www.darkreading.com/endpoint-security/phantom-squatting-ai-driven-supply-chain-threat
-
Malicious Google Notes Extension Swaps Crypto Wallet Addresses During Transactions
Technically sophisticated campaign delivering a malicious Chromium extension that silently swaps cryptocurrency wallet addresses during transactions. Delivered via unsigned installers observed in both .NET and Golang variants access, the payload masquerades as a minimalist “Google Notes” browser extension. Once deployed, the extension acts as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, recognizes wallet addresses…
-
ToddyCat Uses Shadow Token via Remote Debug to Compromise Gmail Accounts
ToddyCat, an advanced persistent threat group long associated with targeted espionage against corporate environments, has evolved its toolkit to exploit OAuth-based authorization flows and compromise Gmail accounts without directly stealing credentials. Umbrij is deployed on Windows hosts using DLL sideloading: attackers place a malicious DLL alongside legitimately signed executables known to insecurely load libraries (examples…
-
Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
Research by: Alexey Bukhteyev. Over the past several years, large language models have reshaped software development, and malware development has followed the same path. Check Point Research has documented this trend from early experiments showing that AI systems could generate offensive components, to cases of cybercriminals using ChatGPT to create malicious tools, and…
-
Glitch SPY RAT Abuses Android Accessibility Service for Full Device Control
An emerging Android remote-access trojan platform, tracked as Glitch SPY, that leverages a fraudulent Polish apartment-rental website to trick victims into sideloading a malicious APK. The dropper, identified as the Brokewell Android Loader, presents a plausible rental-app experience while secretly installing Glitch SPY and coercing users to enable Android Accessibility Service, an abuse that gives…
-
Attackers Register AI-Hallucinated Domains to Deliver Phishing Kits and Malware
An emergent supply-chain attack vector they term “phantom squatting,” in which large language models (LLMs) routinely hallucinate plausible but nonexistent domains for legitimate brands and adversaries then preemptively register those domains to host phishing kits, malware, and other malicious infrastructure. By systematically probing two distinct LLM families across temperature settings, Unit 42 generated a 2.1…
-
Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new…
-
Microsoft dismantles StegoAd campaign using malicious Edge extensions
First seen on scworld.com Jump to article: www.scworld.com/brief/microsoft-dismantles-stegoad-campaign-using-malicious-edge-extensions
-
Malicious PyPI packages give hackers control of Telegram bot servers
A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram forks that allow attackers to read arbitrary files on compromised servers. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers/
-
Fake Perplexity extension on Chrome Web Store tracked searches
A malicious extension in the Chrome Web Store is masquerading as the Perplexity AI answer engine, intercepting search traffic and collecting browsing information. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-perplexity-extension-on-chrome-web-store-tracked-searches/
-
Boss Scam Uses DLL Sideloading to Hijack WhatsApp Web and Defraud Enterprises
The new “Boss Scam” is a sharp escalation in CEO fraud: attackers now combine impersonation, Windows DLL sideloading, and WhatsApp Web session theft to turn trusted executive channels into fraud infrastructure. The campaign was highlighted in advisories tied to India’s I4C and NCTAU, which warned that attackers pose as regulators or senior bosses, deliver malicious…
-
Mustang Panda Targets India’s Government and Energy Sectors With ZOHOMURK and MINIRECON
Two concurrent espionage campaigns by Mustang Panda targeting Indian government and energy-sector organisations, deploying a novel malware suite that includes SHARDLOADER, MINIRECON and ZOHOMURK. The intrusions, observed in June 2026, focused on hydropower entities and government offices engaged in MOUs with Taiwanese institutions, using geopolitically themed lures and weaponised archives that sideload malicious DLLs via…
-
Malicious Chromium Extension Spoofs Perplexity AI to Hijack Browser Searches
A malicious Chromium extension that impersonated the Perplexity AI brand to intercept browser searches and capture keystrokes before delivering users to legitimate search results. The extension, listed as “Search for perplexity ai” (ID flkebkiofojicogddingbdmcmkpbplcd, version 2.2), used Manifest V3 capabilities, declarativeNetRequest (DNR) rules, and a typosquatted domain perplexity-ai[.]online to create a stealthy two-hop interception pipeline…
-
Mistic Malware Blends Into Microsoft Endpoint Components Using Malicious EndpointDlp.dll
A newly identified Windows backdoor, dubbed Mistic, that has been observed in intrusions since April 2026 and appears designed for stealthy, long-term access. The malware uses DLL sideloading, in-memory execution, and self-deletion to blend into enterprise environments and minimize forensic traces. Mistic is introduced via a DLL sideloading chain that abuses a legitimate executable named…
-
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsoft says Google removed it from the store after responsible disclosure. The…
-
Amazon Q VS Extension Flaw Leads to Cloud Credential Theft
Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/amazon-q-vs-extension-flaw-leads-cloud-credential-theft
-
29th June Threat Intelligence Report
Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. Attackers tricked users into approving fraudulent […] First seen on research.checkpoint.com Jump to article: research.checkpoint.com/2026/29th-june-threat-intelligence-report-2/
-
StegoAd: How 119 Fake Browser Extensions Stole Credentials and Ran Ad Fraud for Two Years
Microsoft shut down the StegoAd campaign, which used 119 malicious Edge extensions, hit 2.6M installs, and ran undetected for two years. Microsoft just shut down one of the more technically clever malicious extension campaigns it’s ever documented. The operation, named StegoAd, ran 119 extensions on the Edge Add-ons store, racked up roughly 2.6 million installs,…
-
Mozilla warns of indirect prompt injection risk in AI coding agents
A malicious GitHub repository can silently compromise a developer’s machine without containing a single line of malicious code, security researchers at Mozilla’s … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/29/mozilla-warns-of-indirect-prompt-injection-risk-in-ai-coding-agents/
-
ClawHavoc Attack Hits ClawHub With 1,184 Malicious Skills and 247,000 Installations
The AI-agent ecosystem experienced its largest supply-chain compromise to date when ClawHavoc detonated across ClawHub, the official skill marketplace for OpenClaw. Our full AIG-powered scan of nearly 50,000 ClawHub Skills found 1,184 clearly malicious packages tied to 12 compromised publisher accounts and confirmed 247,693 installations. The campaign combined typosquatting, ranking manipulation, and multi-stage payload delivery…
-
Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat…
-
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw
A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2. libssh2…
-
Microsoft 365 Apps RCE Vulnerability Lets Attackers Execute Code via Malicious Excel Files
A newly disclosed remote code execution (RCE) vulnerability in Microsoft 365 Apps is raising concerns in enterprise environments. Attackers can exploit malicious Excel documents to execute arbitrary code on target systems. This vulnerability, tracked as CVE-2025-60727, arises from an out-of-bounds read condition (CWE-125) in Microsoft Excel’s file-parsing mechanism, allowing threat actors to trigger memory corruption…
-
Rokarolla Uses Fake Google Play Protect App to Target Banking and Cryptocurrency Users
Rokarolla, a sophisticated Android banking trojan distributed via malicious websites that masquerade as trusted applications such as TikTok, Google Chrome and even Google Play Protect. Unlike simple credential stealers, Rokarolla is a multi-functional fraud platform that targets at least 217 banking and cryptocurrency apps and combines Accessibility Service abuse, phishing overlays, SMS interception, keylogging, screenshot…
-
Clean GitHub repo tricks AI coding agents into running malware
An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/
-
Amazon Q Developer Vulnerability Allows Code Execution via Malicious Repositories
A critical security flaw discovered in the Amazon Q Developer Extension for Visual Studio Code (VS Code) left developers vulnerable to arbitrary code execution and cloud credential theft. Tracked as CVE-2026-12957 and CVE-2026-12958, these high-severity vulnerabilities highlight significant risks in how AI coding assistants manage trust boundaries. The root cause of this vulnerability lies in…
-
Polymarket customers lose $3 million in supply-chain attack
Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform’s frontend following a breach at a third-party vendor. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
-
Software, AI companies form alliance to tackle open-source security flaws
The emergence of frontier AI models has increased the speed and capabilities of malicious hackers. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/software-ai-alliance-open-source-security-flaws/823889/

