Tag: malware
-
Cyberkriminelle nutzen den Iran-Krieg für Malware-infizierte Geschäftskommunikation
Die Bitdefender Labs beobachten seit 28. Februar 2026, dem Beginn der Auseinandersetzungen zwischen USA, Iran und Israel, einen deutlichen Anstieg von Malware-Kampagnen in der Golf-Region. Im Schnitt wuchs dabei das Volumen von E-Mail-Phishing um mehr als 130 Prozent im Vergleich zum Aufkommen vor dem Beginn der kriegerischen Eskalation. Die Inhalte der eher opportunistisch motivierten Mails…
-
GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data
Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.”It logs keystrokes, dumps cookies and session tokens, captures screenshots, and First seen…
-
When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com Part Five
Tags: backdoor, control, data, detection, encryption, infrastructure, leak, malicious, malware, network, resilience, software, windowsDear blog readers, Continuing the “When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Four” blog post series in this post I’ll continue analyzing the next malicious software binary which I obtained by data mining Conti Leaks with a lot of success. …
-
China-Backed Hackers Target Southeast Asian Military Systems in Ongoing Spy Campaign
China-linked threat actors have been identified targeting Southeast Asian military networks in a long-running cyber espionage campaign focused on intelligence collection and operational surveillance. The activity, tracked as CL-STA-1087, demonstrates a highly disciplined approach that combines custom malware, stealth techniques, and long-term persistence. Rather than large-scale data theft, the attackers focus on high-value intelligence such…
-
Obfuscated VBS and PNG Loaders Power New Open Directory Malware Campaign with RAT Payloads
A sophisticated, multi-stage delivery framework leveraging obfuscated Visual Basic Script (VBS) files, fileless PowerShell loaders, and payloads hidden within PNG images. The activity was initially detected by LevelBlue’s Managed Detection and Response (MDR) SOC through a SentinelOne alert involving a suspicious VBS file. The file, identified as Name_File.vbs, was located in a public downloads directory…
-
PyPI warns developers after LiteLLM malware found stealing cloud and CI/CD credentials
Tags: access, advisory, api, attack, cloud, container, credentials, data, exploit, extortion, github, group, infrastructure, malicious, malware, open-source, pypi, supply-chain, tactics, tool, vulnerabilityAn expanding supply-chain campaign: The LiteLLM incident has been confirmed to be a part of the rapidly unfolding TeamPCP supply chain campaign that first compromised Trivy.Trivy, developed by Aqua Security, is a widely used open-source vulnerability scanner designed to identify security issues in container images, file systems, and infrastructure-as-code (IaC) configurations. The ongoing attack, attributed…
-
KI-gestützte Malware ist fester Bestandteil im Werkzeugkasten von Cyberkriminellen
KI verändert aktuell nicht nur die Qualität von Malware, sondern auch ihre Verfügbarkeit: Neue Analysen von Arctic Wolf zeigen, dass sich KI-gestützte Malware von einem Experiment zu einem festen Bestandteil im Werkzeugkasten von Angreifern entwickelt hat und dass dadurch die Hürde für Cyberkriminalität deutlich sinkt. Im Fokus steht dabei ein struktureller Wandel: Angreifer nutzen KI,…
-
Mirai Botnets Evolve Into Major DDoS and Proxy Abuse Threats
Mirai-based botnets have evolved from simple IoT malware into large-scale DDoS and proxy abuse platforms that now underpin record-breaking attacks and stealthy cybercrime operations. In total, over 21,000 C2 servers were observed between July and December 2025, with a notable shift towards abusing bots as residential proxies in addition to classic DDoS use. This growth…
-
TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise
Python package LiteLLM compromised with credential-stealing malware linked to TeamPCP threat group First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/teampcp-litellm-pypi-supply-chain/
-
New Study Reveals How Infostealer Infections Lead to Dark Web Exposure in Just 48 Hours
New research is shedding light on how infostealer malware turns a single careless click into full-blown credential exposure on dark web marketplaces in less than 48 hours far faster than traditional breach detection timelines. Unlike database breaches that take weeks or months to uncover, infostealer infections move at machine speed. A typical scenario begins when…
-
AI-Driven ‘OpenClaw Trap’ Campaign Targets Developers and Gamers via Trojanized GitHub Repos
A large-scale malware operation abusing GitHub to deliver a custom LuaJIT-based trojan to developers, gamers, and everyday users through convincing but trojanized repositories. The campaign, tracked as “TroyDen’s Lure Factory,” spans more than 300 delivery packages and uses AI-assisted lures ranging from OpenClaw deployment tools to game cheats, Roblox scripts, crypto bots, VPN crackers, and…
-
Stryker says malware was involved in recent cyberattack as production lines reopen
The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices. First seen on therecord.media Jump to article: therecord.media/stryker-cyberattack-malware-iran
-
LiteLLM loses game of Trivy pursuit, gets compromised
Python interface for LLMs infected with malware via polluted CI/CD pipeline First seen on theregister.com Jump to article: www.theregister.com/2026/03/24/trivy_compromise_litellm/
-
Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR
A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique.”The campaign abuses Google Ads to serve rogue ScreenConnect ( First seen…
-
New Npm ‘Ghost Campaign’ Uses Fake Install Logs to Hide Malware
Ghost npm campaign fakes install logs to steal sudo passwords and drop RATs that loot crypto and data First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/
-
Self-propagating malware poisons open source software and wipes Iran-based machines
Development houses: It’s time to check your networks for infections. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
-
New ‘StoatWaffle’ malware auto”‘executes attacks on developers
Tags: attack, detection, group, infrastructure, jobs, korea, malicious, malware, north-korea, threatContagious Interview, revisited: StoatWaffle isn’t an isolated campaign. It’s the latest chapter in the Contagious Interview attacks, widely attributed to North Korea-linked threat actors tracked as WaterPlum.Historically, this campaign has targeted developers and job seekers through fake interview processes, luring them into running malicious code under the guise of technical assessments. Previously, the campaign weaponized…
-
GitHub-hosted malware campaign uses split payload to evade detection
A large-scale malware delivery campaign has been targeting developers, gamers, and general users through fake tools hosted on GitHub, Netskope researchers have warned. These … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/03/24/github-malware-split-payload/
-
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the Trivy supply chain attack.The workflows, both maintained by the supply chain security company Checkmarx, are listed below -checkmarx/ast-github-actioncheckmarx/kics-github-actionCloud security First seen on thehackernews.com Jump to article:…
-
Threat Actors Target MS-SQL Servers to Deploy ICE Cloud Scanner Malware
Threat actors are continuing to aggressively target Microsoft SQL (MS-SQL) servers in 2026, with new evidence showing the deployment of a scanner malware known as ICE Cloud Client. Larva-26002 has maintained a consistent focus on poorly secured MS-SQL servers exposed to the internet. These systems are typically compromised through brute-force or dictionary attacks using weak…
-
Google Forms Job Scam Spreads PureHVNC Malware
A newly observed malware campaign is leveraging trusted platforms like Google Forms to distribute the PureHVNC Remote Access Trojan (RAT), marking a shift in how attackers initiate infections. Rather than relying on traditional phishing emails or malicious websites, threat actors are using business-themed lures such as job interviews, project proposals, and financial documents to trick…
-
North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware
North Korea-linked threat actors use VS Code auto-run tasks to spread StoatWaffle malware via malicious projects that execute on folder open. North Korea-linked threat actor Team 8 behind the Contagious Interview campaign is spreading StoatWaffle malware through malicious Microsoft Visual Studio Code projects. Since late 2025, they have abused the “tasks.json” auto-run feature in Microsoft…
-
Fake ChatGPT Invites Target Android Users With Malware
Threat actors are now abusing Google’s Firebase App Distribution service to push fake Android ChatGPT and Meta advertising apps that steal Facebook credentials and enable account takeover. The operation closely mirrors a recent iOS phishing campaign that used bogus ChatGPT and Gemini apps, but this wave specifically targets Android users through invitation-style emails that appear…
-
FBI: Iranian hackers targeting opponents with Telegram malware
The campaign goes back to 2023 but is the subject of an alert amid conflict in the Middle East. First seen on cyberscoop.com Jump to article: cyberscoop.com/fbi-iranian-hackers-targeting-opponents-with-telegram-malware/
-
North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that’s distributed via malicious Microsoft Visual Studio Code (VS Code) projects.The use of VS Code “tasks.json” to distribute malware is a relatively new tactic adopted by the threat actor since December…
-
FBI says Iranian hackers are using Telegram to steal data in malware attacks
Hackers working for Iran’s government are using Telegram in hacking operations that use malware to target dissidents, opposition groups, and journalists who oppose its regime, according to the FBI. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/23/fbi-says-iranian-hackers-are-using-telegram-to-steal-data-in-malware-attacks/
-
44 Aqua Security repositories defaced after Trivy supply chain breach
Malicious Trivy images on Docker Hub spread infostealer malware, exposing developers after a supply chain attack. Researchers found malicious Trivy images on Docker Hub linked to a supply chain attack. Versions 0.69.40.69.6, now removed, contained TeamPCP infostealer code. Suspicious tags were pushed without matching GitHub releases, increasing the risk to developers using compromised container images.…
-
Russia-linked malware operation collapses after security failures, developer’s arrest
An Android malware operation that briefly gained traction in Russia appears to have collapsed within months of its launch after security flaws exposed its infrastructure and authorities arrested the suspected developer, researchers said. First seen on therecord.media Jump to article: therecord.media/russia-malware-arrest-clayrat
-
Tax Scam Google Ads Push BYOVD EDR Killer, Huntress Finds
Tax-themed Google Ads are being weaponized to deliver a BYOVD-based EDR killer, with Huntress linking a large-scale malvertising campaign to rogue ScreenConnect deployments and a vulnerable Huawei audio driver used to blind endpoint defenses before hands-on-keyboard activity. Sponsored Google Ads for queries such as “W2 tax form” and “W”‘9 Tax Forms 2026” led to realistic…
-
Tax Scam Google Ads Push BYOVD EDR Killer, Huntress Finds
Tax-themed Google Ads are being weaponized to deliver a BYOVD-based EDR killer, with Huntress linking a large-scale malvertising campaign to rogue ScreenConnect deployments and a vulnerable Huawei audio driver used to blind endpoint defenses before hands-on-keyboard activity. Sponsored Google Ads for queries such as “W2 tax form” and “W”‘9 Tax Forms 2026” led to realistic…