#DataTheft

2025-05-28

Evolution of Zanubis, a banking Trojan for Android

Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control. The malware has undergone significant development, incorporating features like SMS hijacking, screen recording, and device credential stealing. Recent versions show improved obfuscation, encryption, and silent installation techniques. The threat actors, likely based in Peru, continue to refine the malware's capabilities and targeting strategy, focusing on high-value financial targets in the region.

Pulse ID: 68374e978eb7b411096dc0b4
Pulse Link: otx.alienvault.com/pulse/68374
Pulse Author: AlienVault
Created: 2025-05-28 17:57:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #DataTheft #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SMS #Trojan #bot #AlienVault

2025-05-28

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The malware establishes persistence via scheduled tasks, performs hardware fingerprinting, and extensively harvests data from various browsers and crypto wallet extensions. It uses encryption for data exfiltration and employs cleanup routines to evade detection. The malware's origin is unclear, but Russian influences are suggested by embedded transliterated rap lyrics. Its advanced evasion techniques and targeted data theft capabilities make it a significant threat to personal and financial information.

Pulse ID: 683651c90fd2313d5a105355
Pulse Link: otx.alienvault.com/pulse/68365
Pulse Author: AlienVault
Created: 2025-05-27 23:59:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #DataTheft #Encryption #Google #ICS #InfoSec #InfoStealer #Malware #NET #OTX #OpenThreatExchange #PowerShell #RAT #Russia #Rust #bot #cryptocurrency #AlienVault

2025-05-26

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data stealing, keylogging, and remote control. Its infrastructure included C&C servers, an administration panel, and proxy servers. Distribution methods varied from email spam to Google Ads misuse. The takedown operation involved multiple cybersecurity companies and law enforcement agencies, leading to the identification of individuals responsible for Danabot's development and operations.

Pulse ID: 683357a6f329fa7aedccd8a8
Pulse Link: otx.alienvault.com/pulse/68335
Pulse Author: AlienVault
Created: 2025-05-25 17:47:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #CandC #CyberSecurity #DanaBot #DataTheft #ESET #Email #Google #InfoSec #InfoStealer #LawEnforcement #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #RCE #Spam #Trojan #bot #AlienVault

2025-05-23

Danabot: Analyzing a fallen empire

The infostealer Danabot has been disrupted in a multinational law enforcement operation. ESET has been tracking Danabot since 2018, contributing to the effort by providing technical analyses and identifying C&C servers. Danabot operates as a malware-as-a-service, offering various features like data theft, keylogging, and remote control. It has been used to distribute additional malware, including ransomware. The malware's authors promote their toolset through underground forums, providing affiliates with an administration panel, backconnect tool, and proxy server application. Distribution methods have included email spam, other malware, and misuse of Google Ads. Danabot employs a proprietary encrypted communication protocol and offers multiple build options for affiliates.

Pulse ID: 6830d7d901805bebfd4e9d74
Pulse Link: otx.alienvault.com/pulse/6830d
Pulse Author: AlienVault
Created: 2025-05-23 20:17:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CandC #CyberSecurity #DanaBot #DataTheft #ESET #Email #Google #InfoSec #InfoStealer #LawEnforcement #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #RCE #RansomWare #Spam #bot #AlienVault

2025-05-22

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. The malware performs minimal system discovery, collects files from the desktop, and captures a screenshot. It packages stolen data into a ZIP archive and sends it to the attacker through Telegram's Bot API. PupkinStealer doesn't employ persistence mechanisms, relying on quick execution and low-profile behavior. Its primary evasion technique is leveraging legitimate Telegram infrastructure for communication.

Pulse ID: 682f21f740ee536b48e48783
Pulse Link: otx.alienvault.com/pulse/682f2
Pulse Author: AlienVault
Created: 2025-05-22 13:09:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #DataTheft #Discord #InfoSec #InfoStealer #Malware #NET #Nim #OTX #OpenThreatExchange #Password #Passwords #RAT #SMS #Telegram #Word #ZIP #bot #AlienVault

2025-05-22

Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs

A campaign targeting the Google Chrome Web Store has deployed over 100 malicious browser extensions masquerading as legitimate tools like VPNs, AI assistants, and crypto utilities. These extensions, while offering some promised functionality, secretly connect to threat actor infrastructure to steal user information and execute remote scripts. They can modify network traffic, deliver ads, perform redirections, and act as proxies. The campaign, discovered by DomainTools researchers, involves numerous fake domains promoting these tools. The extensions request permissions that enable cookie theft, DOM-based phishing, and dynamic script injection. Risks include account hijacking, data theft, and browsing activity monitoring. Some extensions remain on the Chrome Web Store despite Google's removal efforts.

Pulse ID: 682f07b89e80683352ba4d5a
Pulse Link: otx.alienvault.com/pulse/682f0
Pulse Author: AlienVault
Created: 2025-05-22 11:17:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #ChromeExtension #CyberSecurity #DataTheft #Google #InfoSec #OTX #OpenThreatExchange #Phishing #VPN #YouTube #bot #AlienVault

2025-05-21

#Cybercrime #Hacking #Crime #Criminals #MarksandSpencer #ransomware #fraud #Shopping #UK #DataTheft #CyberFraud
In an ideal world, the public will become sick of personal data theft, and companies will tire of profit losses due to cyber crime. A pipe dream I know… but it might inspire people to use the high street again.

bbc.co.uk/news/articles/c93llk

Ars Technica News (arstechnica@c.im)
2025-05-15

Telegram bans $35B black markets used to sell stolen data, launder crypto arstechni.ca/3uWp #moneylaundering #pigbutchering #blackmarket #onlinescams #datatheft #SilkRoad #telegram #Policy

2025-05-07

Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcare, technology, financial services, and telecommunications sectors across multiple countries. NETXLOADER employs sophisticated methods such as JIT hooking, API obfuscation, and memory manipulation to deploy payloads like Agenda ransomware and SmokeLoader. The attack chain involves multiple stages of evasion, discovery, and command and control communications. This evolution in tactics poses increased risks of data theft and device compromise for potential targets.

Pulse ID: 681bc89f39996f610a89a741
Pulse Link: otx.alienvault.com/pulse/681bc
Pulse Author: AlienVault
Created: 2025-05-07 20:54:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #Healthcare #ICS #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RansomWare #Telecom #Telecommunication #XLoader #bot #AlienVault

2025-05-04

StealC v2 is rewriting the rules of cyberattack—with stealth upgrades, multi-method payloads, and even real-time alerts via Telegram. Are your defenses ready for a subscription-based cyber weapon that's as adaptable as it is dangerous?

thedefendopsdiaries.com/stealc

#stealc
#malware
#cybersecurity
#infosec
#datatheft

2025-05-01

Fake Social Security Statement emails trick users into installing remote tool

A phishing campaign is targeting users with fake emails purportedly from the US Social Security Administration. These emails aim to trick recipients into installing ScreenConnect, a legitimate remote access tool that can be misused by cybercriminals. The campaign, attributed to a group called Molatori, sends emails with links to download the ScreenConnect client under misleading names. Once installed, attackers can remotely access the victim's computer, potentially leading to data theft and financial fraud. The campaign is difficult to detect due to the use of compromised WordPress sites for sending emails, image-based content to evade filters, and the legitimacy of the ScreenConnect application itself.

Pulse ID: 68133275aea46cd7781eec41
Pulse Link: otx.alienvault.com/pulse/68133
Pulse Author: AlienVault
Created: 2025-05-01 08:36:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #ELF #Email #FinancialFraud #InfoSec #Mac #OTX #OpenThreatExchange #Phishing #RAT #RDP #ScreenConnect #Word #Wordpress #bot #AlienVault

2025-04-30

HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware performs system profiling, captures screenshots, and exfiltrates targeted files. It includes a crypto clipper module and is controlled via a dedicated C2 user panel. Advertised on various forums, it employs geofencing, domain-matching, and comprehensive data theft techniques. The stealer is likely a rebranded version of earlier SHARP and TX Stealers, with minimal innovation beyond updated communication methods.

Pulse ID: 6811dd434197b551215abaf3
Pulse Link: otx.alienvault.com/pulse/6811d
Pulse Author: AlienVault
Created: 2025-04-30 08:20:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #CyberSecurity #DataTheft #InfoSec #Malware #NET #Nim #OTX #OpenThreatExchange #RAT #Troll #VPN #bot #cryptocurrency #AlienVault

2025-04-18

DPP Law, a firm in the United Kingdom, didn't think a data theft was worth reporting to the authorities.

#law #cyberattack #cybersecurity #datatheft #datasecurity

cnews.link/law-firm-data-breac

2025-04-14

Ouch, that Hertz

"Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks."

bleepingcomputer.com/news/secu

#datatheft #breach #cybersecurity

2025-04-09

A company producing goods for #consumer and/or #enterprises, putting them #Online and #stealing their #data, has no respect towards the customers and should be blown off the market. Furthermore, if they steal without info they should be fined really hard!

This affects #car manufacturers in the same way as the ones of mobiles, computers and so-called smart devices.

We definitely should fight hard against people stealing our data!

#MassSurveilance #datatheft #privacy #security #selfhosing #foss

2025-04-08

@bignose @ebay Yet more #Enshitification from #ThievingFucks This time it's #Ebay merrily engaging in #DataTheft with a sneaky BS account feature release.

#OptOut of #garbage #AI training using your account data Now!

Oshawa, Ont., man charged after allegedly stealing, leaking Texas Republican Party data
An Ontario man is facing charges in an alleged theft and leak of Texas Republican Party data in 2021. The accused gained unauthorized access to a third-party hosting company's computer system to "deface and download a backup of Texas Republican Party's...
#Politics #Crime #DataTheft #Oshawa #Texas #Ontario
cbc.ca/news/canada/toronto/osh

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst