Collecting Cyber-News from over 60 sources

Tag: malware

New macOS stealer campaign uses Script Editor in ClickFix attack

Apr 8, 2026 9:52 PM

Tags: attack, macOS, malware

A new campaign delivering the Atomic Stealer malware to macOS users abuses the Script Editor in a variation of the ClickFix attack that tricked users into executing commands in Terminal. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-macos-stealer-campaign-uses-script-editor-in-clickfix-attack/
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

Apr 8, 2026 9:52 PM

Tags: botnet, cloud, cybersecurity, malware, router

Cybersecurity researchers have flagged a new variant ofmalware called Chaosthat’scapable of hitting misconfigured cloud deployments, marking an expansion of the botnet’s targeting infrastructure.”Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices,” Darktrace said in a new report. First seen on thehackernews.com Jump to article: thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

Apr 8, 2026 5:53 PM

Tags: blizzard, cloud, control, malware, phishing, russia, service, spear-phishing, threat, ukraine

The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.”PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” Trend Micro First seen on…
The Growing Abuse of GitHub and GitLab in Phishing Campaigns

Apr 8, 2026 3:52 PM

Tags: attack, credentials, email, github, gitlab, malicious, malware, phishing, theft, threat

Threat actors are increasingly abusing trusted platforms like GitHub and GitLab to host malware and credential phishing pages, allowing malicious links to bypass email security because these domains are widely trusted and cannot easily be blocked. The volume of these campaigns has grown significantly since 2021, with 2025 accounting for nearly half of all activity,…
Forest Blizzard leverages router compromises to launch AiTM attacks, target Outlook sessions

Apr 8, 2026 1:52 PM

Tags: access, attack, backdoor, blizzard, breach, ceo, ciso, cloud, control, corporate, credentials, data, dns, finance, Hardware, login, malicious, malware, mobile, network, office, password, phishing, ransomware, risk, router, theft, threat, vpn, vulnerability

Invisible path to enterprise systems: This attack poses a serious risk to enterprises because, instead of beginning at the corporate perimeter, it starts from employee environments that are often less secure. Threat actors target vulnerable home or small office routers, which often have weak default passwords or unpatched software.The shift to remote work has dramatically…
New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Apr 8, 2026 12:52 PM

Tags: attack, cisco, malware, phishing, spear-phishing

Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/new-lua-based-malware-lucidrook/
Chaos malware expands from routers to Linux cloud servers

Apr 8, 2026 12:52 PM

Tags: cloud, linux, malware, router

Chaos, Go-based malware first documented by Lumen’s Black Lotus Labs, has historically targeted routers and edge devices. A new variant observed in March 2026 shows the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/08/chaos-malware-cloud-misconfigured-servers/
New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

Apr 8, 2026 11:50 AM

Tags: attack, captcha, crypto, malware, threat

Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows. First seen on hackread.com Jump to article: hackread.com/clickfix-attack-node-js-malware-tor-steal-crypto/
Top 10 Best Multi-Factor Authentication (MFA) Providers in 2026

Apr 8, 2026 11:50 AM

Tags: authentication, breach, credentials, cyber, cybersecurity, data, malware, mfa, password, phishing

In the digital realm of 2026, the traditional password stands as a flimsy barrier against an onslaught of sophisticated cyber threats. From phishing campaigns and credential stuffing to ever-evolving malware, attackers are relentlessly targeting the weakest link in cybersecurity: single-factor authentication. A staggering percentage of data breaches continue to stem from compromised credentials, underscoring the…
N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

Apr 8, 2026 10:51 AM

Tags: hacker, korea, malicious, malware, north-korea, pypi, rust, threat

The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.”The threat actor’s packages were designed to impersonate legitimate developer tooling […], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated First seen on thehackernews.com Jump to…
Claude Code Leak Exploited to Spread Vidar and GhostSocks via GitHub Releases

Apr 8, 2026 9:51 AM

Tags: ai, cyber, exploit, github, governance, hacker, leak, malware, risk

Hackers are turning the Claude Code source leak into an active malware-delivery channel, using GitHub Releases to push the Vidar stealer and GhostSocks under the guise of “leaked” Anthropic tooling. The incident shows how human and governance failures around AI development can rapidly cascade into both traditional compromise and new agentic-risk exposure. The 59.8 MB…
Cybercriminals Use Fake Zoom, Teams Calls to Deliver Malware

Apr 8, 2026 9:51 AM

Tags: crypto, cyber, cybercrime, hacker, malicious, malware, microsoft, open-source, phishing, tactics

Hackers are increasingly using fake Zoom and Microsoft Teams meetings to trick victims into infecting their own systems with malware. SEAL says it has blocked 164 malicious domains tied to this operation using MetaMask’s eth-phishing-detect system. The campaign primarily targets cryptocurrency professionals, Web3 developers, and investors, but its tactics are now expanding toward open-source communities.…
SparkCat meldet sich zurück: Neue Malware-Variante im App Store und in Google Play aufgetaucht

Apr 8, 2026 12:51 AM

Tags: google, malware

First seen on datensicherheit.de Jump to article: www.datensicherheit.de/sparkcat-malware-variante-app-store-google-play
Emulating the Multi-Stage RoningLoader Malware

Apr 7, 2026 9:54 PM

Tags: detection, malware

AttackIQ has released a new assessment template that emulates the behaviors of RoningLoader, a multi-stage loader observed in recent intrusion campaigns. RoningLoader operates through a layered execution chain, enabling stealthy delivery and execution of follow-on payloads while evading traditional detection mechanisms. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/emulating-the-multi-stage-roningloader-malware/
Hackers Pose as Non-Profit Developers to Deploy Monero Mining Malware

Apr 7, 2026 8:52 PM

Tags: detection, hacker, malware, tactics

REF1695 hackers spread Monero mining malware via fake non-profit installers, using stealth tactics to evade detection and hijack systems for profit. First seen on hackread.com Jump to article: hackread.com/hackers-non-profit-developers-monero-mining-malware/
Storm Infostealer umgeht 2FA: Malware übernimmt Accounts ohne Passwort

Apr 7, 2026 7:51 PM

Tags: 2fa, malware, password

Der neue Storm Infostealer umgeht 2FA, kapert Accounts per Session-Hijacking und entschlüsselt Daten serverseitig. First seen on tarnkappe.info Jump to article: tarnkappe.info/artikel/szene/dark-commerce/storm-infostealer-umgeht-2fa-malware-uebernimmt-accounts-ohne-passwort-328010.html
Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows

Apr 7, 2026 12:51 PM

Tags: access, captcha, cyber, hacker, malicious, malware, rat, windows

Hackers are using a deceptive technique known as “ClickFix” to deliver a sophisticated Node. js-based remote access Trojan (RAT) targeting Windows users. ClickFix, which gained popularity in early 2025, tricks users into interacting with fake CAPTCHA or verification prompts. In this latest campaign, attackers lure victims into executing malicious commands that silently install malware disguised…
Fake Installers Spread RATs, Monero Miners in Ongoing Malware Campaign

Apr 7, 2026 10:51 AM

Tags: access, cyber, malware, rat, software

Fake software installers are being used in a long-running malware operation to drop remote access trojans (RATs), Monero cryptominers, and a new .NET implant across multiple campaigns dating back to late 2023. REF1695 relies on ISO-based fake installers that mimic legitimate software setup packages but never deliver real applications. Instead, users are guided via a…
New Microsoft Defender Update Issued for Windows 11, Windows 10, and Server Images

Apr 7, 2026 8:51 AM

Tags: ai, antivirus, cloud, cyber, detection, endpoint, intelligence, malware, microsoft, threat, update, windows

Microsoft has rolled out a fresh security intelligence update for Microsoft Defender Antivirus to help secure Windows 11, Windows 10, and Windows Server images. Released on April 7, 2026, this update equips endpoints with the latest threat detection logic and AI-enhanced cloud protection to defend against emerging malware campaigns. Keeping antimalware solutions up to date…
Fake TradingView Premium Reddit Posts Spread Vidar and AMOS Stealers

Apr 7, 2026 7:52 AM

Tags: crypto, cyber, macOS, malware, threat, windows

A new malware campaign is abusing Reddit to distribute fake “cracked” builds of TradingView Premium that secretly install Vidar and AMOS information”‘stealing malware on Windows and macOS systems. The campaign targets users searching for free or pirated versions of TradingView Premium, a popular browser”‘based charting and social platform for stock, crypto, and forex traders. Threat…
Best of the Worst: The Week Your Security Tools Became the Disguise

Apr 6, 2026 9:52 PM

Tags: ai, antivirus, attack, authentication, cisco, control, credentials, crime, detection, dkim, dmarc, email, finance, fraud, google, infrastructure, intelligence, Internet, malicious, malware, microsoft, phishing, phone, risk, social-engineering, software, technology, threat, tool, training

<div cla TL;DR This week’s Attack of the Day posts revealed a clear pattern: attackers are deliberately routing attacks through legitimate security and platform infrastructure so the tools themselves become trust signals. TitanHQ and Cisco URL wrappers hid a malware payload. Microsoft Safe Links rewrote a phishing URL to look protected. Microsoft Bookings sent a…
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign

Apr 6, 2026 2:52 PM

Tags: api, attack, detection, github, hacker, Internet, malware, network, north-korea, powershell

GitHub as C2: Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.”The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and…
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign

Apr 6, 2026 2:52 PM

Tags: api, attack, detection, github, hacker, Internet, malware, network, north-korea, powershell

GitHub as C2: Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.”The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and…
GitHub-Backed Malware Spread via LNK Files in South Korea

Apr 6, 2026 2:52 PM

Tags: api, cyber, github, hacker, korea, malware, powershell, tool, windows

Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi”‘stage malware campaign against organizations in South Korea. The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic.The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts. These older…
North Korea’s Modular Malware Strategy Hides Attribution, Defies Takedowns

Apr 6, 2026 1:51 PM

Tags: cyber, korea, law, malware, north-korea, strategy, tool

North Korea’s cyber program is shifting from monolithic “families” to a modular, portfolio-style malware ecosystem designed to survive exposure, frustrate attribution, and keep operations running under constant pressure. Years of sanctions, coordinated law-enforcement pressure, and rapid public disclosure of campaigns have forced Pyongyang to treat every tool as disposable. Once-static implants are now built with…
6 ways attackers abuse AI services to hack your business

Apr 6, 2026 11:51 AM

Tags: ai, api, attack, backdoor, breach, business, ceo, china, control, cve, cyber, cybercrime, cybersecurity, data, email, espionage, exploit, framework, group, hacking, injection, leak, LLM, malicious, malware, marketplace, microsoft, monitoring, open-source, openai, service, skills, software, startup, supply-chain, threat, tool, vulnerability

Abusing AI platforms as covert C2 channels: Cybercriminals are also abusing AI platforms as covert command-and-control (C2) channels by turning AI services into proxies that hide malicious traffic inside the flow of legitimate content.Instead of running a dedicated C2 server, malware is programmed to fetch commands and exfiltrate data through AI services, circumventing traditional security…
Hackers Breach ILSpy WordPress Domain to Deliver Malware

Apr 6, 2026 10:51 AM

Tags: attack, breach, cyber, cybersecurity, group, hacker, malware, open-source, software, tool, wordpress

The official WordPress website for ILSpy, a highly popular open-source tool used by software developers to examine .NET code, has been compromised. Hackers successfully breached the site to redirect visitors and deliver malware, turning a trusted developer resource into a dangerous trap. The Redirection Attack Cybersecurity research group vx-underground confirmed the breach after receiving video…
Poisoned Axios Package Spreads Cross-Platform Malware via Phantom Dependency

Apr 6, 2026 10:51 AM

Tags: access, cyber, hacker, linux, macOS, malicious, malware, windows

Hackers hijacked the npm account of Axios’s lead maintainer. They used it to push two malicious releases that silently installed a cross”‘platform remote access trojan (RAT) on macOS, Windows, and Linux systems. Axios is one of the JavaScript ecosystem’s most widely used HTTP clients, with over 100 million weekly downloads on npm, making it deeply…
ResokerRAT Hijacks Telegram API to Command Infected Windows PCs

Apr 6, 2026 8:51 AM

Tags: api, control, cyber, defense, malware, network, windows

A newly identified Windows malware dubbed ResokerRAT abuses Telegram’s Bot API as its main command-and-control (C2) channel to remotely monitor and control infected systems without relying on a traditional attacker”‘owned server. By blending in with legitimate encrypted Telegram traffic, it becomes harder for network defenses to distinguish its C2 communication from normal user activity. When ResokerRAT runs,…
36 Malicious Strapi npm Packages Deliver Redis RCE, Persistent C2 Malware

Apr 6, 2026 7:52 AM

Tags: attack, control, credentials, cyber, malicious, malware, rce, remote-code-execution, spam, supply-chain

A coordinated supply chain attack has been uncovered involving 36 malicious npm packages masquerading as Strapi CMS plugins, delivering a range of payloads including Redis remote code execution (RCE), credential harvesting, and persistent command-and-control (C2) malware. The campaign was carried out using four sock-puppet npm accounts umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1. Unlike typical npm spam…