Collecting Cyber-News from over 60 sources

Tag: malware

DinDoor Backdoor Exploits Deno and MSI Installers to Slip Past Detection

Apr 22, 2026 10:38 AM

Tags: backdoor, control, cyber, detection, exploit, malware, threat, windows

DinDoor is a newly documented backdoor that abuses the Deno JavaScript runtime and MSI installer files to execute attacker”‘controlled code while sidestepping traditional detection controls quietly. Hiding behind trusted runtimes and common Windows tooling gives threat actors a flexible way to deploy fileless or low”‘footprint malware into enterprise environments. Instead of shipping a conventional compiled…
Namastex npm Packages Spread TeamPCP-Style CanisterWorm Malware

Apr 22, 2026 9:39 AM

Tags: cyber, data, malware, pypi, supply-chain

Compromised Namastex npm packages are delivering a new TeamPCP-style CanisterWorm variant that targets developer secrets, browser and wallet data, and then attempts to spread across npm and PyPI ecosystems using canister-backed exfiltration infrastructure. The campaign closely mirrors the original CanisterWorm, reinforcing concerns that TeamPCP is continuing to refine its supply chain tooling against real-world development…
Hackers Tie Iranian Espionage to CastleRAT and ChainShell

Apr 22, 2026 8:39 AM

Tags: cyber, espionage, group, hacker, iran, malware, powershell, russia, service

A direct operational link between Iran’s MuddyWater espionage group and the Russian TAG-150 CastleRAT malware-as-a-service (MaaS) platform, showing how state and criminal ecosystems are now tightly intertwined. Investigators recovered 15 malware samples, including at least two CastleRAT “builds” and a PowerShell script named reset.ps1 that deploys a previously undocumented JavaScript/Node.js agent dubbed ChainShell. On this server, two native…
SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation

Apr 21, 2026 10:40 PM

Tags: botnet, control, malware, network, ransomware, threat

Threat actors associated with The Gentlemen ransomware”‘as”‘a”‘service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC.According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims.”SystemBC establishes SOCKS5 network tunnels within…
New Lotus data wiper used against Venezuelan energy, utility firms

Apr 21, 2026 9:39 PM

Tags: attack, data, malware

A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-lotus-data-wiper-used-against-venezuelan-energy-utility-firms/
Trojanized Android App Fuels New Wave of NFC Fraud

Apr 21, 2026 6:39 PM

Tags: android, data, fraud, malware, nfc

NGate malware abuses HandyPay app to steal NFC card data and PINs in Brazil First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/trojanized-android-handle-nfc/
AI-Powered NGate Malware Evades Detection Inside NFC Payment Apps

Apr 21, 2026 2:39 PM

Tags: ai, android, cyber, data, detection, malware, nfc

A new NGate malware variant that hides inside a trojanized version of HandyPay, a legitimate NFC payment relay app for Android, to steal card data and PINs for ATM cash-outs and fraudulent payments. The injected code shows clear signs of being produced with generative AI, highlighting how low”‘skill actors can now weaponize NFC payment apps…
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs

Apr 21, 2026 2:39 PM

Tags: ai, android, cybersecurity, data, malicious, malware, nfc, threat

Cybersecurity researchers have discovered a new iteration of an Android malware family calledNGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate.”The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated,” ESET security researcher LukÃ¡Å¡…
NGate NFC malware targets Android users through trojanized payment app

Apr 21, 2026 11:39 AM

Tags: android, fraud, malware, nfc

NFC-based payment fraud is expanding geographically and operationally. A campaign active since November 2025 is targeting Android users in Brazil using a new variant of the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/21/android-ngate-nfc-malware/
NGate Android malware uses HandyPay NFC app to steal card data

Apr 21, 2026 11:39 AM

Tags: android, data, malware, mobile, nfc

A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/ngate-android-malware-uses-handypay-nfc-app-to-steal-card-data/
Vercel’s security breach started with malware disguised as Roblox cheats

Apr 20, 2026 11:38 PM

Tags: attack, breach, cloud, malware, saas

The attack, which originated at Context.ai, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions. First seen on cyberscoop.com Jump to article: cyberscoop.com/vercel-security-breach-third-party-attack-context-ai-lumma-stealer/
The Gentlemen ransomware now uses SystemBC for bot-powered attacks

Apr 20, 2026 10:39 PM

Tags: attack, botnet, corporate, malware, ransomware

A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/
Over 800 Android Apps Targeted in PIN-Stealing Trojan Campaign

Apr 20, 2026 9:39 PM

Tags: android, banking, malware

Four Android banking malware campaigns are targeting more than 800 apps by abusing overlays, Accessibility permissions, and sideloaded fake apps to steal PINs. The post Over 800 Android Apps Targeted in PIN-Stealing Trojan Campaign appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-android-malware-stealing-pin-overlay-attack/
ZionSiphon Malware Targets Water Infrastructure Systems

Apr 20, 2026 6:39 PM

Tags: infrastructure, malware

ZionSiphon malware targets OT water systems with sabotage and ICS scanning capabilities First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/zionsiphon-malware-water/
Formbook Malware Campaign Uses Multiple Obfuscation Techniques to Avoid Detection

Apr 20, 2026 5:37 PM

Tags: attack, detection, malware

Formbook attacks use combination of DLL Side-Loading and Obfuscated JavaScript to stay hidden, researchers at WatchGuard have uncovered First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/formbook-malware-multiple/
Gh0st RAT, CloverPlus Hit Victims in Dual-Malware Campaign

Apr 20, 2026 4:37 PM

Tags: access, adware, control, cyber, malware, rat

A new malware campaign is bundling a powerful remote access trojan (RAT) with intrusive adware, giving attackers both long-term control of infected systems and an immediate revenue stream from fraudulent advertising activity. The loader hides two encrypted payloads in its resource section, one of which is detected as AdWare.Win32.CloverPlus. Once executed, this adware installs advertising…
Attackers abuse Microsoft Teams to impersonate the IT helpdesk in a new enterprise intrusion playbook

Apr 20, 2026 3:39 PM

Tags: access, attack, authentication, awareness, business, control, data, defense, detection, endpoint, governance, identity, malicious, malware, mfa, microsoft, risk, soc, tool, zero-trust

Cross-tenant risk grows: The attack chain uses Teams’ cross-tenant communication capability, which allows external users to initiate chats with employees, Microsoft wrote in the blog.”The cross-tenant risk is significant, and many organizations probably do underestimate it,” said Sunil Varkey, advisor at Beagle Security.”Collaboration tools were designed to reduce friction, but many organizations enabled that convenience…
Intel Utility Hijacked in AppDomain Attack to Launch Malware

Apr 20, 2026 3:39 PM

Tags: attack, cyber, finance, hacker, malicious, malware, middle-east

Hackers are abusing a trusted Intel utility to quietly launch advanced malware by hijacking the .NET AppDomain mechanism, allowing malicious code to run inside a signed executable and evade many enterprise defenses. The campaign, dubbed Operation PhantomCLR by researchers, targets financial and other organizations in the Middle East and wider EMEA region using highly targeted…
North Korea-Linked UNC1069 Hacks Crypto Pros via Fake Meetings

Apr 20, 2026 2:38 PM

Tags: access, crypto, cyber, google, korea, linux, macOS, malware, microsoft, north-korea, social-engineering, theft, threat, windows

North Korea-linked threat actor UNC1069 is running a highly targeted campaign that abuses fake Zoom, Google Meet, and Microsoft Teams meetings to compromise cryptocurrency and Web3 professionals across Windows, macOS, and Linux systems. The goal is long-term access and large-scale theft of digital assets through stealthy social engineering and multi-stage malware deployment. Attackers often hijack…
TBK DVR Vulnerability CVE-2024-3721 Exploited to Spread Nexcorium DDoS Malware

Apr 20, 2026 12:38 PM

Tags: botnet, cve, cyber, ddos, exploit, hacker, injection, iot, malware, service, threat, vulnerability

Hackers are actively exploiting a critical vulnerability in TBK digital video recorder (DVR) devices to deploy a new Mirai-based botnet called Nexcorium. The campaign leverages CVE-2024-3721, an OS command injection vulnerability, highlighting how poorly secured IoT devices continue to fuel large-scale distributed denial-of-service (DDoS) attacks. Threat actors exploit CVE-2024-3721 by manipulating the “mdb” and “mdc”…
Microsoft-Signed Malware Built With FUD Crypt Packs Persistence and C2

Apr 20, 2026 12:38 PM

Tags: cyber, hacker, malware, microsoft, service, tool

Hackers are abusing a service called FUD Crypt to generate fully undetected, Microsoft”‘signed malware that installs persistence and connects to a dedicated command”‘and”‘control (C2) platform with zero effort on the buyer’s part. This Malware”‘as”‘a”‘Service (MaaS) offering turns ordinary payloads into polymorphic, signed loaders that are extremely hard for both security tools and human analysts to…
MiningDropper Spreads Infostealers, RATs, Banking Malware on Android

Apr 20, 2026 11:39 AM

Tags: access, android, banking, credentials, crypto, cyber, framework, hacker, malware, rat

Hackers are abusing a modular Android framework called MiningDropper to mine cryptocurrency and silently install infostealers, remote access trojans (RATs), and banking malware on infected devices. MiningDropper is a multi-stage Android dropper that combines crypto-mining with the delivery of additional malware payloads, including banking trojans, RATs such as BTMOB, and credential-stealing spyware. A recent variant is built…
Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems

Apr 20, 2026 11:39 AM

Tags: cybersecurity, malware, service, technology

Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems.The malware has been codenamed ZionSiphon by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet. First seen…
JanaWare Ransomware Hits Turkish Users via Tailored Adwind RAT

Apr 20, 2026 9:39 AM

Tags: access, cyber, detection, malware, ransomware, rat

A newly analyzed ransomware campaign dubbed “JanaWare” is targeting users in Turkey by leveraging a customized version of the Adwind Remote Access Trojan (RAT). The campaign combines stealthy delivery techniques, geographic restrictions, and polymorphic malware to evade detection while maintaining long-term activity. Researchers identified that JanaWare is specifically designed to infect systems located in Turkey.…
ZionSiphon Hits Israeli Water Systems With OT Sabotage Malware

Apr 20, 2026 9:39 AM

Tags: cyber, malware, network, technology

ZionSiphon is a newly analyzed Operational Technology (OT) malware strain designed to target Israeli water treatment and desalination facilities, with a clear emphasis on sabotage rather than simple IT disruption. Darktrace’s investigation found that ZionSiphon restricts itself to hardcoded IPv4 ranges that map to Israeli network space, such as 2.52.0.02.55.255.255, 79.176.0.079.191.255.255, and 212.150.0.0212.150.255.255. The malware…
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93

Apr 19, 2026 4:38 PM

Tags: access, attack, computer, finance, infection, international, malware, threat

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape CPU-Z / HWMonitor watering hole infection a copy-pasted attack Fake Claude site installs malware that gives attackers access to your computer Malware Analysis Static SKILL for Codex JanelaRAT: a financial threat targeting users in Latin […]…
Security Affairs newsletter Round 573 by Pierluigi Paganini INTERNATIONAL EDITION

Apr 19, 2026 12:38 PM

Tags: data, email, hacker, international, malware, WeeklyReview

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant…
Security Affairs newsletter Round 573 by Pierluigi Paganini INTERNATIONAL EDITION

Apr 19, 2026 12:38 PM

Tags: data, email, hacker, international, malware, WeeklyReview

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant…
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware

Apr 18, 2026 6:38 PM

Tags: control, data, detection, endpoint, hacker, malicious, malware, open-source, ransomware, sophos

Attackers abuse QEMU to hide malware in virtual machines, bypass detection, steal data, and deploy ransomware without leaving any trace. Sophos researchers report a rise in attackers abusing QEMU, an open-source emulator, to hide malicious activity inside virtual machines. By running malware in a VM, attackers avoid endpoint security controls and leave minimal traces on…
Nexcorium Mirai Variant Weaponises TBK DVR Vulnerability in Fresh IoT Botnet Push

Apr 18, 2026 11:37 AM

Tags: botnet, cve, cyber, exploit, Internet, iot, malware, service, threat, vulnerability

A newly discovered Mirai malware variant named Nexcorium is actively targeting unpatched Internet of Things (IoT) devices. According to recent threat research from FortiGuard Labs, attackers are exploiting a severe vulnerability in TBK DVR systems to build a massive botnet capable of launching destructive distributed denial-of-service (DDoS) attacks. The campaign primarily focuses on CVE-2024-3721, a…