The post Let’s Encrypt Slashes Certificate Lifespans and Sunsets mTLS on May 13 appeared first on Daily CyberSecurity.

The post Trust Hijacked: Official JDownloader Website Breached to Distribute Malicious Installers appeared first on Daily CyberSecurity.

The post Exploited in the Wild: “Dirty Frag” Linux Vulnerability Grants Instant Root Access appeared first on Daily CyberSecurity.

The post New “ClickFix” Campaign Bypasses Gatekeeper to Hijack macOS Devices appeared first on Daily CyberSecurity.

Braintrust warned customers to rotate API keys after hackers breached an AWS account, exposing secrets tied to cloud-based AI models.

AI observability startup Braintrust warned customers to rotate API keys after attackers gained unauthorized access to one of the company’s AWS accounts, potentially exposing secrets used to connect to cloud-based AI models.

The company said it discovered suspicious activity on May 4 and immediately locked down the affected account, restricted access to related systems, and rotated internal credentials. The firm launched an investigation into the security incident.

“We’ve identified a security incident that involved unauthorized access to one of our AWS accounts. We are actively investigating, and we have engaged incident response experts.” reads the security breach notice published by the company. “We have contained the incident by locking down the compromised account, auditing and restricting access across related systems, rotating internal secrets, and engaging incident response experts to support our investigation. As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust.”

Braintrust notified customers the following day and shared indicators of compromise and remediation guidance.

Although Braintrust says the impact appears limited, experts warn the breach highlights growing AI supply chain risks, as AI platforms increasingly store valuable API credentials targeted by attackers.

The potential exposure could affect organizations relying on Braintrust to manage AI provider keys across services and applications.

Researchers note that once threat actors obtain valid API keys, they can abuse AI services while appearing as legitimate users, often bypassing traditional security controls.

“To date, we’ve confirmed the issue affected one customer. Three additional customers reported suspicious spikes in AI provider usage, and we’re investigating those alongside them.” continues the notice. “We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing.”

The incident also reflects a broader trend of attackers targeting cloud accounts and SaaS providers to gain indirect access to downstream customers and interconnected AI infrastructure.

The company plans to add new safeguards, including timestamps and user attribution for API key changes, while the investigation into the incident remains ongoing.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

RansomHouse claimed responsibility for the Trellix breach, adding the security firm to its Tor data leak site and sharing screenshots of internal systems.

The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.

In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.

“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”

The company did not disclose who carried out the attack and how he did it. It is unclear how long attackers had gained access to the repository.

Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.

The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.

RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.

The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Poland’s ABW confirmed hackers breached ICS at five water plants, gaining ability to alter equipment settings. Russia-linked APT groups suspected.

Poland’s Internal Security Agency (ABW) has published a detailed account of a sustained campaign targeting the country’s water plants, documenting security breaches at five water treatment facilities in 2025. The incidents mark one of the clearest documented cases in Europe of state-linked hackers gaining direct access to industrial control systems managing public water supplies.

The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In several cases, attackers didn’t just observe, they obtained the ability to modify operational parameters of equipment in real time, creating a direct and concrete risk to the continuity of public water services. A breach of this kind isn’t a data theft. It is the digital equivalent of sabotage.

“In some cases, the attackers gained access to industrial control systems and obtained the capability to modify device operating parameters.” reads the report published by ABW. “This created a direct threat to the continuity of water supply processes and the proper functioning of municipal infrastructure.”

The attack vectors ABW identified are as unglamorous as they are alarming: weak password policies and systems left directly exposed to the internet. These are not sophisticated zero-day exploits. They are basic security failures that the OT and ICS security community has been warning about for years.

“The incidents were made possible by inadequate security measures, including weak password policies and the exposure of management interfaces directly to the public internet.” continues the report. “In several cases, systems responsible for operational technology were accessible without sufficient protection mechanisms.”

The attribution points firmly eastward. ABW identified Russian APT groups APT28 and APT29, the same actors linked to election interference across Europe and the SolarWinds supply chain attack, as well as UNC1151, a Belarusian-aligned group previously connected to the Ghostwriter operation targeting NATO countries.

“APT28, APT29 and UNC1151 are among the most active state-linked cyber espionage groups operating against European targets.” concludes the report. “Their activities combine intelligence collection, disruptive cyber operations and coordinated information warfare campaigns.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Water Plants)

Nearly 200,000 Zara customers were exposed in a third-party breach linked to ShinyHunters, revealing emails, purchase history, and support data.

Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.

The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.

“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” reads a statement by Inditex.

“Operations and systems haven’t been affected and customers can continue to access and use its services safely,”

What was exposed, however, tells a different story about the scale of the incident.

The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.

“In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their “pay or leak” campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records.” reads the alert by HIBP. “The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara’s parent company Inditex advised that the incident didn’t affect passwords or payment information.”

The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.

“Your Bigquery instances data was compromised thanks to Anodot.com.” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances”

ShinyHunters has previously claimed breaches at Google, Cisco, Vimeo, Rockstar Games, Instructure, and the European Commission.

The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.

Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.

Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.

Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A highly sophisticated Brazilian banking trojan named TCLBANKER, tracked under the campaign REF3076, this malware represents a major update to the older Maverick and SORVEPOTEL families.

It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via WhatsApp and Microsoft Outlook.

The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.

By using a technique known as DLL side-loading, the hackers trick the legitimate Logitech application into loading a malicious file instead of its normal system components. Once activated, this hidden loader takes control of the system to prepare the next stages of the attack.

TCLBANKER is carefully built to hide from security researchers. Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt, keeping the malware completely hidden from automated security scanners.

TCLBANKER Malware Targets Users

Once the malware confirms it is on a real victim’s machine, it launches the main banking trojan.

This tool continuously monitors the user’s web browser to detect whether the user visits one of 59 targeted banks, financial technology platforms, or cryptocurrency websites. When a match is found, the malware connects to a remote server.

To steal passwords, the trojan uses full-screen overlays built with Microsoft’s Windows Presentation Foundation. These overlays cover the entire screen and look exactly like real banking prompts or official Windows Update screens.

They freeze the desktop, block keyboard shortcuts such as the Windows key or Escape, and turn off screen-capture tools so the victim cannot record the fraud. The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

What makes TCLBANKER incredibly dangerous is its ability to spread automatically. The first worm module targets WhatsApp Web. The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts.

Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data. It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim’s contacts. Because the messages come from a trusted friend, new victims are highly likely to download the file.

Elastic Security Labs has uncovered that the second worm module focuses on email. It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim’s email account.

The bot searches the address book and inbox to harvest contacts. It then drafts completely new phishing emails and sends them from the infected user’s actual email address. This technique easily bypasses standard email security filters because the emails originate from a legitimate, trusted source.

All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses.

The hackers also host their malicious files on Cloudflare, making the download links look safe to the average user. Researchers note that this campaign is still in its early stages, suggesting that the threat actors are likely preparing to expand their targets.

To protect against TCLBANKER, organizations should look for unusual background processes spawned by Logitech applications.

Security teams must monitor for unauthorized browser profile cloning and watch for unusual spikes in outbound emails from Microsoft Outlook. Using advanced endpoint protection that detects unauthorized full-screen overlays is also essential to keeping systems safe from this evolving threat.

IoC

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules appeared first on Cyber Security News.

A data breach at GFN.AM, an authorized NVIDIA GeForce NOW cloud gaming service provider operating under “GFN CLOUD INTERNET SERVICES” LLC, has exposed personal information belonging to registered users.

The company disclosed the incident on May 5, 2026, revealing that unauthorized access to its database occurred as far back as March 9, 2026, nearly two months before discovery.

The breach was first detected on May 2, 2026, leaving a roughly 54-day window during which threat actors may have had access to user records.

GFN.AM confirmed that the unauthorized party gained access to its backend database, allowing sensitive user data to be exfiltrated or viewed by third parties.

Critically, only users registered on or before March 9, 2026, are affected. The incident did not impact accounts created after that date.

NVIDIA Data Breach

According to the official disclosure, the following categories of personal data may have been compromised:

• Email addresses
• Phone numbers, for users who registered via a mobile operator
• Date of birth
• Full name (first and last), for users who authenticated through Google Sign-In
• GFN.AM platform username

The company emphasized that account passwords were not compromised in this incident, reducing the immediate risk of account takeover.

However, the exposed combination of email addresses, phone numbers, and full names poses a significant risk of phishing, SIM swapping, and social engineering targeting affected users.

Following the discovery of the breach, GFN.AM stated it took immediate steps to eliminate the root cause of the unauthorized access. The company has also implemented additional organizational and technical security controls to harden its information systems and reduce the likelihood of a similar incident.

No further technical specifics, such as whether the access involved a compromised credential, an unpatched vulnerability, or a misconfigured database, were disclosed in the public notice.

Security professionals warn that even without password exposure, the leaked data is highly valuable to cybercriminals. Personal identifiers such as full names, phone numbers, and email addresses are routinely used in targeted phishing and credential-stuffing campaigns.

Users who authenticated via Google should review their account activity, as their full names were among the exposed fields.

Users registered on or before March 9, 2026, should take the following precautions:

• Monitor email accounts for unusual login attempts or phishing messages.
• Be cautious of unsolicited calls or SMS messages referencing GFN.AM.
• Enable multi-factor authentication on linked Google and email accounts.
• Consider placing a fraud alert with relevant financial institutions if additional personal data is suspected to be involved.

GFN.AM has not publicly indicated whether affected users will be notified individually or whether regulatory authorities have been informed of the breach.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users appeared first on Cyber Security News.

Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026, after engineers identified a critical issue involving a cross-signed certificate linking the organization’s Generation X root to its upcoming Generation Y root infrastructure.

The incident triggered a complete shutdown of issuance across both production and staging environments before services were restored within hours.

At 18:37 UTC on May 8, Let’s Encrypt engineers became aware of a potential incident and immediately halted all certificate issuance as a precautionary measure.

The affected components included the production and staging ACME API endpoints (acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org), as well as the production and staging portal environments hosted across two high-assurance datacenters.

By 21:03 UTC, roughly two and a half hours later, the organization confirmed that issuance had resumed. However, as a direct result of the cross-signed certificate issue, all certificate generation was rolled back to the Generation X root.

This rollback specifically impacts two ACME certificate profiles: tlsserver and shortlived.

The timing of the incident is notable given that Let’s Encrypt had already announced three significant platform changes scheduled to go live on May 13, 2026, just five days away. Those changes include:

The tlsserver ACME profile will begin issuing 45-day certificates as part of Let’s Encrypt’s phased roadmap to reduce certificate lifetimes from 90 days down to 45 days over the next two years.

The tlsclient profile, used for TLS client authentication certificates, will be restricted exclusively to ACME accounts that have previously requested certificates from that profile. Full support for tlsclient certificates will end on July 8, 2026.

The classic ACME profile was also scheduled to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots a change designed to maintain broad compatibility across client environments.

All three changes are currently live in Let’s Encrypt’s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.

Let’s Encrypt has not disclosed details about whether any incorrectly issued certificates were distributed before issuance was halted.

Administrators relying on automated ACME-based renewal workflows, particularly those using the tlsserver or shortlived profiles should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support remain available at community.letsencrypt.org.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident appeared first on Cyber Security News.

Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.

Microsoft’s Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency in its cloud services.

All three vulnerabilities carry a Critical severity rating and fall under the Information Disclosure impact category.

Microsoft has already fully mitigated all three flaws on its end, consistent with its cloud CVE transparency initiative outlined in the “Toward Greater Transparency: Unveiling Cloud Service CVEs” program.

Microsoft 365 Copilot Vulnerabilities

CVE-2026-26129 affects Microsoft 365 Copilot’s Business Chat. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, potentially allowing an unauthorized attacker to disclose sensitive information over a network.

Although full CVSS metrics were not published for this CVE, the critical severity label reflects the high confidentiality risk inherent in Copilot’s enterprise data access model.

CVE-2026-26164 also targets M365 Copilot and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component — Injection).

The attack vector is network-based, requires no privileges or user interaction, and has a high confidentiality impact. The exploitability assessment is rated “Exploitation Less Likely,” and exploit code maturity is listed as unproven.

CVE-2026-33111 affects Copilot Chat embedded in Microsoft Edge and is classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command — Command Injection).

It shares the same CVSS score of 7.5 / 6.5 (temporal) as CVE-2026-26164, with an identical attack profile: network-accessible, no privileges required, no user interaction, and high confidentiality impact.

This is particularly concerning given the widespread deployment of Edge across enterprise environments.

All three vulnerabilities highlight a growing attack surface unique to AI-powered productivity tools.

Because M365 Copilot aggregates and processes vast amounts of organizational data, including emails, documents, and Teams conversations, weaknesses in how it handles special elements or injected commands can allow sensitive information to leak across trust boundaries.

In environments where Copilot has broad access to corporate data sources, the impact could include exposure of intellectual property, confidential communications, or restricted internal records.

Microsoft credited Estevam Arantes of Microsoft for discovering both CVE-2026-26129 and CVE-2026-26164, with additional credit to independent researcher 0xSombra for CVE-2026-26164.

No acknowledgment was listed for CVE-2026-33111. Microsoft confirmed that none of the three vulnerabilities were publicly disclosed or actively exploited prior to publication.

Since all three are cloud-side vulnerabilities, Microsoft has already deployed mitigations at the service layer. Enterprises do not need to install patches or apply configuration changes.

However, security teams are advised to review Copilot’s data access permissions and enforce least-privilege principles to reduce exposure from any future similar flaws.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information appeared first on Cyber Security News.

A new backdoor called PamDOORa has emerged as a serious and growing threat to Linux systems, targeting one of the most trusted components of the operating system to silently steal SSH credentials.

The malware was advertised for sale on a Russian-speaking cybercrime forum called Rehub, with its complete source code initially listed at $1,600 before the seller slashed the price to $900. That sudden drop raised red flags among researchers, suggesting either limited buyer interest or a deliberate rush to offload the tool quickly.

PamDOORa works by hijacking the Pluggable Authentication Module, or PAM, framework that Linux systems use to handle user logins and identity verification.

Unlike traditional malware that plants itself as a visible running process, this backdoor injects a malicious module directly into the authentication layer, where it waits silently for login attempts and harvests credentials before they can be logged. This makes it especially dangerous because the attack happens at a level most monitoring tools do not watch closely.

Researchers from Group-IB identified the technique being used in this backdoor and noted that it exploits pam_exec, a standard PAM module designed to run external commands during authentication events.

The Group-IB DFIR team found that this specific abuse method had not yet been included in the MITRE ATT&CK framework, making it a novel technique that many security teams may not be actively defending against.

How PamDOORa Operates on Linux Systems

The threat actor behind PamDOORa operates under the alias “darkworm” on the Rehub forum and demonstrates notable technical knowledge of Linux internals. Analysis of code snippets shared in the advertisement showed realistic and credible techniques that align with known PAM exploitation methods. The seller was assessed as more technically capable and serious compared to other individuals reusing the same alias on lower-tier forums.

What makes PamDOORa especially concerning is not just what it does, but how well it hides. The backdoor is built to manipulate authentication log files including lastlog, btmp, utmp, and wtmp, wiping away any trace that an attacker connected to the server. This means incident response teams called in to investigate a breach may unknowingly have their own credentials stolen the moment they SSH into the compromised machine.

PamDOORa is designed as a post-exploitation tool, meaning the attacker must already have root access before deploying it. Once installed, the backdoor injects a malicious PAM module that produces a file called pam_linux.so, loaded into the authentication stack alongside legitimate system modules.

This design allows it to blend in with normal system files rather than replacing them, making detection significantly harder.

The backdoor grants persistent SSH access through a combination of a specific TCP port and a secret “magic password” that only the attacker knows. A special routine scans open connections and applies conditional logic to identify when the attacker is connecting, granting silent access while normal users see nothing unusual.

Credentials submitted by legitimate users during login are intercepted within the PAM stack, encrypted using XOR with a runtime-generated key, and written to /tmp with randomly generated filenames and timestamps.

Anti-Forensics and the Challenge of Detection

What sets PamDOORa apart from simpler backdoors is its built-in anti-forensic capability. The tool actively erases attacker login traces from system logs, leaving behind only failed login entries that investigators are likely to dismiss as noise.

Since credential theft happens inside the PAM layer, application-level logging tools never capture the stolen data, and detection methods focused on user-space processes will miss it entirely.

Security teams are advised to treat any compromised Linux server as having fully exposed credentials, regardless of how limited the breach appears.

Researchers recommend enabling SELinux and AppArmor for stronger process isolation, installing Auditd with DISA-STIG recommended rules to monitor changes to system files, and deploying rkhunter to detect rootkits and unauthorized software. Disabling root login over SSH, locking the root account, and restricting sudo access to authorized users only are essential steps in reducing the attack surface that PamDOORa relies on.

Indicators of Compromise (IoCs):-

Based on information disclosed in the source material, the following indicators were identified from the malicious script executed during SSH authentication:-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials appeared first on Cyber Security News.

A newly identified malware campaign is targeting senior executives and government investigators across Southeast Asia, using a modular Remote Access Trojan capable of stealing credentials, capturing screenshots, and maintaining deep persistence on infected systems.

The operation, dubbed Operation GriefLure, is running two simultaneous campaigns hitting Vietnam’s military-linked telecom sector and the Philippine healthcare industry.

What makes this threat especially alarming is how it reaches victims. Attackers are not guessing or fabricating stories. In one case, they harvested real legal documents from an ongoing data breach lawsuit, including signed police reports, corporate admission letters, and personal medical records.

Victims who opened the archive received a completely authentic document on screen, with no sign that anything had gone wrong behind the scenes.

Researchers at Seqrite Labs identified and named the campaign, noting that the entire system compromise completes in under 10 seconds with zero visible indicators to the victim. The malware arrives inside a nested compressed archive delivered through a targeted spear phishing email, and its infection chain is engineered to bypass most conventional security tools.

The operation targets two groups simultaneously. The first campaign focuses on senior executives at Viettel Group, Vietnam’s largest telecom operator running under the Ministry of National Defence, as well as cybercrime investigators from Thanh Hoa Provincial Police.

The second targets compliance and audit staff at St. Luke’s Medical Center in the Philippines, using a fabricated whistleblower complaint that invokes alleged financial fraud and accreditation violations worth over PHP 1.5 million.

Both campaigns use the same underlying infrastructure and payload, confirming a single threat actor running a coordinated, modular attack operation across two countries at the same time.

Modular RAT With Credential Theft and Screenshot Capture

At the technical core of this campaign sits a sophisticated modular RAT acting as a multi-purpose implant. Once loaded into memory through a layered execution chain, it harvests credentials from web browsers including Chrome’s stored login data, cookies, and history. It also targets FTP client configurations, remote access tools like Sunlogin and ToDesk, and SSH session files from Xshell, making it a serious threat to anyone who manages privileged system access.

The screenshot capture module retrieves full screen dimensions, accounts for multi-monitor setups, and dynamically adjusts image resolution based on network conditions before transmitting a reconstructed BMP image to the attacker’s command-and-control server. The malware also scans all running processes to build a profile of installed security products, then adjusts its behavior accordingly to reduce detection.

The payload is never stored as a complete file inside the archive. Binary chunks disguised as ordinary document files are assembled at runtime using Windows’ native copy command, and a time-based mechanism randomizes the payload hash on every execution to defeat signature-based scanning. The final executable is then injected into a trusted Windows process, making it appear as normal system activity to most forensic tools.

Infrastructure, Attribution, and Defensive Measures

The malware communicates with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on IP address 38[.]54[.]122[.]188. This server sits within KAOPU-HK, a Hong Kong-based network with a documented history of providing abuse-resistant hosting to threat actors across Asia-Pacific. Passive intelligence tags the host as bulletproof infrastructure, a strong indicator of deliberate operational security.

Seqrite researchers assess with moderate-to-high confidence that this campaign is linked to a China-nexus threat cluster. Supporting indicators include the use of bulletproof Chinese hosting, an embedded security detection list that enumerates vendors such as 360Safe, Qianxin, and Sangfor, direct targeting of WeChat data within the credential harvesting module, and a broader Southeast Asian footprint spanning military telecom and healthcare.

Organizations in telecom, government, and healthcare across Southeast Asia should treat this as an active and evolving threat. Security teams are advised to block the known C2 domain and IP, monitor for LNK file executions that invoke ftp.exe, flag any process dropping chunked doc files into the Public directory, and audit systems for signs of explorer.exe being respawned under a restricted security context. Because this attack weaponizes genuine legal documents and trusted system binaries, standard user awareness training alone will not stop it.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities appeared first on Cyber Security News.

Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data.

During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software to infiltrate the system.

Upon discovery, Škoda immediately activated containment measures and took the online shop offline as a precautionary step.

The vulnerability has since been fully remediated, and an external IT forensics firm has been commissioned to conduct a thorough technical post-incident analysis.

The breach was also formally reported to the relevant data protection supervisory authority in compliance with regulatory obligations.

Škoda Security Incident

The Škoda online shop stores a range of personal customer data, including full names, postal addresses, email addresses, phone numbers, order history, and account login credentials.

Passwords were stored using cryptographic hashing rather than plaintext, which provides a meaningful layer of protection.

Critically, credit card details are not retained in the shop system; payment data is handled exclusively by third-party payment service providers, ruling out direct financial data exposure based on current forensic findings.

Forensic analysis confirmed that access to stored data was theoretically possible during the intrusion window. However, due to limitations in existing server-side logging protocols, investigators cannot definitively confirm whether data was actively exfiltrated or merely accessed.

Škoda states that no concrete evidence of customer data misuse has been identified so far, but is notifying affected customers as a precautionary measure, given that unauthorized access cannot be entirely excluded.

Customers whose data may have been exposed face two primary threat scenarios. First, phishing attacks where threat actors use known order details or personal information to craft convincing fraudulent emails or messages designed to harvest additional credentials or prompt victims to click malicious links.

Second, credential stuffing attacks, in which adversaries attempt to use compromised email-and-password combinations to gain unauthorized access to other online accounts, particularly when users reuse the same password across multiple services.

This incident underscores the persistent risk of e-commerce platform vulnerabilities, particularly when standard third-party shop software is deployed without sufficient hardening and continuous security monitoring.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Škoda Security Incident Exposes Customers Data From Online Shop appeared first on Cyber Security News.

A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after over 250 browser extensions tied to crypto wallets and password managers. The campaign has been active since at least February 2026.

The attack begins at a convincing fake website, openclaw-installer.com, registered on March 9, 2026, which leads visitors to a file called OpenClaw_x64[.]7z. That archive contains a 130MB Rust-based executable padded with fake documentation to pass security scans. The size was deliberate. It clears antivirus file-size thresholds and breaks automated sandbox upload limits in a single move.

Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.

The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”

Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.

Hackers Use Fake OpenClaw Installer

If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.

The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.

That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.

Because the list lives in a remote Git repository rather than hardcoded in any binary, the attacker can update targets without rewriting the malware. The list of apps being targeted can quietly grow without triggering new detections. Separately, the malware also accesses Ledger Live data on the filesystem, giving the attacker two independent theft paths.

The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.

A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, a technique never before documented in a crimeware campaign. Persistence is layered across registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers that survive even if the main implant is removed.

A Rapidly Evolving Threat With Rotating Infrastructure

What makes this campaign so hard to shut down is how the attacker handles their infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. During active analysis, the attacker rotated every layer before findings were published.

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.

Security teams should watch for behavioral signals that survive domain rotation. These include unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from non-development processes, and firewall rules being opened programmatically on ports 56001 through 57002. Blocking individual domains alone is not enough. Application-level inspection and behavioral detection are necessary to catch what this campaign is doing inside trusted services.

Indicators of Compromise (IoCs):-

File Hashes

Domains

IP Addresses

Dead-drop and Staging URLs

Mutexes

Registry Keys

Files and Paths

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials appeared first on Cyber Security News.

A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.

This approach is unusual because the malware never communicates with a private server that security tools could flag or block, making it harder to detect through standard network monitoring.

The threat was uncovered after a series of malicious Python packages were found on PyPI, the widely used Python Package Index, starting in July 2025. The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.

Analysts at Securelist identified and named the malware after analyzing samples through their threat analysis pipeline. Their research confirmed ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.

The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group.

OceanLotus, also known as APT32, is a well-established threat group that has historically focused on targets in the Asia-Pacific region. However, recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now a global supply chain attack through PyPI. This shift reflects a clear effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily.

ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel

The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been officially deactivated. Still, researchers warn that already-infected systems may still attempt to contact the deactivated Zulip endpoint, meaning cleanup on compromised machines remains critical.

ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service, letting its traffic blend in with normal developer communication. Authentication is handled through an API token embedded within each HTTP request header.

The malware operates through two separate channel-topic pairs within the Zulip platform. One pair sends basic system information about the infected machine back to the attacker. The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread. Once a command runs, the malware replies with a heart emoji in the chat to signal completion, showing how carefully attackers disguised operations as routine activity.

The Windows version of ZiChatBot is a DLL file named libcef.dll, loaded through a legitimate executable called vcpktsvr.exe. It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in. On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

PyPI Supply Chain Attack Used to Deliver the Payload

The attack started with three fake Python libraries uploaded to PyPI, each named to closely resemble tools that developers use in everyday projects. The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions. In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain. This layered method made the attack far less visible to automated tools that only scan surface-level code.

The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads. After deploying ZiChatBot, it used shellcode to self-delete, wiping traces of the initial infection. Researchers advise adding helper.zulipchat.com to network denylists to identify any machines still reaching out to the now-deactivated attacker infrastructure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server appeared first on Cyber Security News.

An active malware distribution campaign abusing two prominent AI platforms, Hugging Face and ClawHub, to deliver trojans, cryptominers, and infostealers disguised as legitimate AI tools and agent extensions.

The campaign marks a significant evolution in supply chain attacks, shifting from traditional software repositories to trusted AI ecosystems.

Within the OpenClaw ecosystem distributed through ClawHub, Acronis TRU identified 575 malicious skills published across 13 developer accounts.

The campaign appears to be primarily driven by two threat actors: “hightower6eu,” responsible for 334 malicious skills (58%), and “sakaen736jih,” responsible for 199 skills (34.6%), with the remaining 11 accounts contributing smaller volumes.

These trojanized skills masquerade as useful tools such as a YouTube transcript summarizer while secretly instructing users to download password-protected archives or execute encoded commands.

Hugging Face and ClawHub Leveraged

For Windows targets, payloads were detected as trojans packed with VMProtect. For macOS, a base64-encoded command connects to an external IP (91.92.242[.]30) and silently downloads and executes AMOS Stealer, a macOS-focused infostealer commonly sold as malware-as-a-service (MaaS) through Telegram and underground forums.

A second Windows payload used a 30-byte XOR key to decrypt strings at runtime, dynamically resolved NT APIs, and performed in-memory process injection into explorer.exe.

The injected code established AES-encrypted C2 communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence via scheduled tasks and Windows Defender exclusion paths.

A critical technique observed across ClawHub campaigns is indirect prompt injection, which embeds hidden, malicious instructions within skill files that AI agents read and execute on behalf of users.

Because OpenClaw agents are designed to act autonomously based on instructions in skill definitions, attackers can effectively turn these agents into unwitting intermediaries, expanding attack impact far beyond the initial victim.

On Hugging Face, which hosts over one million machine learning models, Acronis TRU identified repositories serving as multi-stage infection chain staging points, hosting payloads across Windows, Linux, and Android. Two tracked campaigns illustrate this abuse in practice.

The ITHKRPAW campaign, targeting Vietnamese financial sector organizations in January, used a malicious LNK file to invoke Cloudflare Workers, which served a PowerShell dropper that fetched a payload from a Hugging Face dataset repository while opening a decoy cat image to mask activity.

Researchers assess with moderate confidence that the PowerShell script was LLM-generated, based on embedded Vietnamese-language comments.

The FAKESECURITY campaign used a batch script (CDC1.bat) containing an encoded PowerShell blob that downloaded a heavily obfuscated secondary batch script from a Hugging Face repository.

After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and dropped a file masquerading as Windows Security.

Organizations and developers should treat AI models, datasets, and agent extensions as untrusted inputs requiring the same validation applied to any third-party code.

Specific steps include auditing installed OpenClaw skills for encoded commands or external download instructions, monitoring for unexpected process injection into explorer.exe, blocking known malicious indicators (91.92.242[.]30, velvet-parrot[.]com), and restricting Windows Defender exclusion path modifications via Group Policy.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware appeared first on Cyber Security News.