Tag: malware
-
Torg Grabber Malware Shifts from Telegram Exfiltration to Encrypted REST API for C2
A fast-evolving information-stealing malware dubbed “Torg Grabber” has shifted from simple Telegram-based exfiltration to a hardened, encrypted REST API command-and-control (C2) channel fronted by Cloudflare. The operation surfaced when a 747 KB 64-bit sample initially tagged as Vidar was found to be fundamentally different from known Vidar builds, exposing an internal debug string “grabber…
-
Fake Screenshot Lures Target Web3 Support Staff with Multi-Stage Malware Attack
Fake screenshot links are being used to quietly deploy a multi-stage backdoor against Web3 customer support teams, in a campaign assessed to be linked to the Chinese financially motivated group APT-Q-27 (GoldenEyeDog). The operation abuses live chat workflows, signed .NET loaders, AWS S3 dead drops, and DLL sideloading to land a memory-resident Farfli backdoor that…
-
Kiss Loader Malware Targets with Early Bird APC Injection in New Attack Campaign
A newly identified malware loader dubbed “Kiss Loader” is emerging as a potential threat, leveraging advanced process injection techniques and dynamic delivery infrastructure. The loader, still under active development at the time of discovery, demonstrates a blend of stealth, modular staging, and experimental implementation, suggesting it may evolve into a more mature attack tool. When…
-
Preventing Account Takeovers: A Practical Guide to Detection and Response
Yesterday’s password leak can become tomorrow’s identity crisis. According to research firm Gitnux, account-takeover attacks jumped 354 percent in 2023, driven by bots that replay stolen credentials and infostealer malware that sidesteps multi-factor prompts. The fallout, billions in fraud losses, shaken customer trust, and security teams scrambling, demands a clear plan. In this article, we:…
-
WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls. “Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data,” Sansec said in a report published…
-
Microsoft Unveils New Guidance to Detect and Defend Against Trivy Supply Chain Attack
Tags: attack, credentials, cve, cyber, malware, microsoft, supply-chain, threat, tool, vulnerability
Aqua Security’s vulnerability scanner, Trivy, suffered a sophisticated CI/CD supply chain compromise. The threat actor, identified as TeamPCP, leveraged prior incomplete remediation to inject credential-stealing malware into official releases. This incident, tracked as CVE-2026-33634, successfully weaponized a trusted security tool against the organizations relying on it to stay safe. This visualizes the attack propagation timeline…
-
Fake VS Code Security Alerts on GitHub Spread Malware in Massive Phishing Attack
A large-scale phishing campaign is actively targeting developers on GitHub by abusing the platform’s Discussions feature to distribute fake Visual Studio Code (VS Code) security alerts. The campaign appears highly coordinated, with thousands of near-identical posts discovered across multiple repositories, indicating automated mass exploitation rather than isolated abuse. Attackers are creating GitHub Discussions with alarming…
-
Delve did the security compliance on LiteLLM, an AI project hit by malware
LiteLLM is an open source AI project used by millions that was infected by credential-harvesting malware. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/25/delve-did-the-security-compliance-on-litellm-an-ai-project-hit-by-malware/
-
Alleged RedLine infostealer conspirator extradited to US
Tags: malware
The Armenian man faces three counts for his role in allegedly administering “one of the most prevalent infostealing malware variants in the world.” First seen on cyberscoop.com Jump to article: cyberscoop.com/alleged-redline-infostealer-conspirator-extradited-to-us/
-
An Evolving GlassWorm Malware is Making the Rounds of Code Repositories
Threat researchers at various vendors have for the past year been tracking the efforts of a bad actor dubbed GlassWorm, known for dropping malicious extensions in code registries like npm, Open VSX, PyPI, and Microsoft’s Visual Studio Marketplace with the aim of stealing secrets and cryptocurrency. This month, threat researchers wrote about a resurgence in…
-
Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth
Mirai malware evolves into hundreds of variants, driving botnet growth, including Aisuru and KimWolf, powering large-scale attacks, and increasing risks to vulnerable IoT devices worldwide. First seen on hackread.com Jump to article: hackread.com/mirai-malware-variants-botnet-growth/
-
New Torg Grabber infostealer malware targets 728 crypto wallets
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-torg-grabber-infostealer-malware-targets-728-crypto-wallets/
-
Cybercriminals Exploit the Iran War for Malware-Infected Business Communication
Bitdefender Labs have observed a marked increase in malware campaigns in the Gulf region since 28 February 2026, the start of the hostilities between the USA, Iran and Israel. On average, the volume of email phishing grew by more than 130 percent compared to the level seen before the military escalation began. The contents of the rather opportunistically motivated emails…
-
GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data
Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. “It logs keystrokes, dumps cookies and session tokens, captures screenshots, and… First seen…
-
When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com Part Five
Tags: backdoor, control, data, detection, encryption, infrastructure, leak, malicious, malware, network, resilience, software, windows
Dear blog readers, continuing the “When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Four” blog post series, in this post I’ll continue analyzing the next malicious software binary, which I obtained by data mining Conti Leaks with a lot of success. …
-
China-Backed Hackers Target Southeast Asian Military Systems in Ongoing Spy Campaign
China-linked threat actors have been identified targeting Southeast Asian military networks in a long-running cyber espionage campaign focused on intelligence collection and operational surveillance. The activity, tracked as CL-STA-1087, demonstrates a highly disciplined approach that combines custom malware, stealth techniques, and long-term persistence. Rather than large-scale data theft, the attackers focus on high-value intelligence such…
-
Obfuscated VBS and PNG Loaders Power New Open Directory Malware Campaign with RAT Payloads
A sophisticated, multi-stage delivery framework has been observed leveraging obfuscated Visual Basic Script (VBS) files, fileless PowerShell loaders, and payloads hidden within PNG images. The activity was initially detected by LevelBlue’s Managed Detection and Response (MDR) SOC through a SentinelOne alert involving a suspicious VBS file. The file, identified as Name_File.vbs, was located in a public downloads directory…
-
PyPI warns developers after LiteLLM malware found stealing cloud and CI/CD credentials
Tags: access, advisory, api, attack, cloud, container, credentials, data, exploit, extortion, github, group, infrastructure, malicious, malware, open-source, pypi, supply-chain, tactics, tool, vulnerability
An expanding supply-chain campaign: The LiteLLM incident has been confirmed to be a part of the rapidly unfolding TeamPCP supply chain campaign that first compromised Trivy. Trivy, developed by Aqua Security, is a widely used open-source vulnerability scanner designed to identify security issues in container images, file systems, and infrastructure-as-code (IaC) configurations. The ongoing attack, attributed…
-
AI-Powered Malware Is Now an Established Part of the Cybercriminal Toolkit
AI is currently changing not only the quality of malware but also its availability: new analyses from Arctic Wolf show that AI-powered malware has evolved from an experiment into an established part of attackers’ toolkits, and that this significantly lowers the barrier to entry for cybercrime. The focus is on a structural shift: attackers use AI…
-
Mirai Botnets Evolve Into Major DDoS and Proxy Abuse Threats
Mirai-based botnets have evolved from simple IoT malware into large-scale DDoS and proxy abuse platforms that now underpin record-breaking attacks and stealthy cybercrime operations. In total, over 21,000 C2 servers were observed between July and December 2025, with a notable shift towards abusing bots as residential proxies in addition to classic DDoS use. This growth…
-
TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise
Python package LiteLLM compromised with credential-stealing malware linked to TeamPCP threat group First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/teampcp-litellm-pypi-supply-chain/
-
New Study Reveals How Infostealer Infections Lead to Dark Web Exposure in Just 48 Hours
New research is shedding light on how infostealer malware turns a single careless click into full-blown credential exposure on dark web marketplaces in less than 48 hours, far faster than traditional breach detection timelines. Unlike database breaches that take weeks or months to uncover, infostealer infections move at machine speed. A typical scenario begins when…
-
AI-Driven ‘OpenClaw Trap’ Campaign Targets Developers and Gamers via Trojanized GitHub Repos
A large-scale malware operation is abusing GitHub to deliver a custom LuaJIT-based trojan to developers, gamers, and everyday users through convincing but trojanized repositories. The campaign, tracked as “TroyDen’s Lure Factory,” spans more than 300 delivery packages and uses AI-assisted lures ranging from OpenClaw deployment tools to game cheats, Roblox scripts, crypto bots, VPN crackers, and…
-
Stryker says malware was involved in recent cyberattack as production lines reopen
The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices. First seen on therecord.media Jump to article: therecord.media/stryker-cyberattack-malware-iran
-
LiteLLM loses game of Trivy pursuit, gets compromised
Python interface for LLMs infected with malware via polluted CI/CD pipeline First seen on theregister.com Jump to article: www.theregister.com/2026/03/24/trivy_compromise_litellm/
-
Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR
A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique. “The campaign abuses Google Ads to serve rogue ScreenConnect (… First seen…
-
New Npm ‘Ghost Campaign’ Uses Fake Install Logs to Hide Malware
Ghost npm campaign fakes install logs to steal sudo passwords and drop RATs that loot crypto and data First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/
-
Self-propagating malware poisons open source software and wipes Iran-based machines
Development houses: It’s time to check your networks for infections. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/

