A new banking trojan known as TCLBANKER has been quietly making rounds, and its delivery method is as clever as it is concerning. Attackers are using a trojanized version of a legitimate, digitally signed installer to slip malware onto victims’ machines without raising immediate suspicion.

The campaign, tracked as REF3076, bundles a malicious MSI installer inside a ZIP file and exploits the trust people place in recognizable software names.

The infection begins when a victim runs what appears to be a legitimate Logitech application installer. Inside the package, threat actors have weaponized the Logi AI Prompt Builder, abusing a technique called DLL sideloading to sneak a malicious file into the process. Once the application starts, it automatically loads the harmful DLL without the user ever knowing anything went wrong.

Analysts at Elastic Security Labs identified this new Brazilian banking trojan, assessing it to be a significant evolution of an older malware family known as MAVERICK and SORVEPOTEL. The campaign appears to be in its early stages, with developer artifacts and an incomplete phishing page suggesting the attackers are still actively building out their infrastructure.

TCLBANKER primarily targets users in Brazil, specifically those who visit banking, fintech, and cryptocurrency websites. The trojan monitors the victim’s browser in real time, watching for visits to any of 59 targeted financial domains.

Hackers Abuse Signed Logitech Installer

When a match is found, it opens a live connection to the attacker’s command server and puts the operator in full control.

The scope of potential damage goes well beyond simple credential theft. The malware can display fake full-screen overlays that look like real banking interfaces, freeze the apparent desktop to confuse victims, and kill the Task Manager to prevent users from ending the malicious process. It is a coordinated operation designed to make fraud feel seamless from the attacker’s side.

The attackers took care to make the infection chain look as normal as possible. The malicious ZIP file contains an MSI installer that mimics the legitimate Logi AI Prompt Builder, a real Flutter-based application.

When installed, the trojanized package drops a fake DLL called screen_retriever_plugin.dll, which masquerades as a genuine Flutter plugin and gets loaded automatically at startup.

The loader inside this DLL is packed with tricks to avoid detection. It checks whether the system is running inside a sandbox or virtual machine, verifies that the user’s default language is Brazilian Portuguese, and even measures timing to catch emulation frameworks that speed up sleep calls.

If anything seems off, the malware simply stops running without leaving obvious traces. This environment-gating approach means the payload only decrypts itself on real, qualifying machines.

Self-Spreading Worm Modules Amplify the Threat

What makes TCLBANKER particularly dangerous is not just what it does on a single machine, but how far it can spread from there. The malware comes with two worm modules designed to send itself to the victim’s contacts using channels those contacts already trust.

The first hijacks the victim’s active WhatsApp Web session in the browser, silently messaging Brazilian contacts with a link to download the malware. The second abuses Microsoft Outlook through automation, sending phishing emails directly from the victim’s own email account.

Because these messages come from real, known senders, they are far harder for security filters to catch. The Outlook bot first harvests the victim’s contact list, then sends targeted emails that look completely authentic.

Elastic researchers noted that all command and file-serving infrastructure runs on Cloudflare Workers under a single account, making it easy for operators to rotate infrastructure quickly when needed.

Organizations and individuals can take several steps to reduce exposure. Keeping security software updated ensures the latest detection signatures are in place.

Being cautious about ZIP files or MSI installers received through messaging apps or email, even from known contacts, is critical given this trojan’s self-spreading behavior. Monitoring for unusual scheduled tasks, unexpected DLL loads alongside legitimate software, and suspicious outbound connections can also help flag infections early.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan appeared first on Cyber Security News.

A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.

The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.

PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.

One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.

Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”

The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.

The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.

It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.

PCPJack’s Worm-Like Propagation and CVE Exploitation

PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.

This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.

The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.

Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.

Sliver Backdoor and Enterprise-Wide Credential Targeting

SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.

The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.

Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.

To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.

Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft appeared first on Cyber Security News.

A new and evolving threat has caught the attention of cybersecurity researchers worldwide. A Windows-based information stealer known as NWHStealer has resurfaced with a more sophisticated delivery chain, now using the Bun JavaScript runtime as part of its infection process.

This shift makes it clear that the attackers behind this campaign are actively experimenting with lesser-known tools to stay ahead of security defenses.

NWHStealer is a Rust-based malware capable of stealing sensitive data from infected Windows systems. It spreads through Node.js scripts, MSI installers, and fake software downloads hosted on trusted platforms such as GitHub, GitLab, SourceForge, and Itch.io. Since it blends into legitimate-looking software packages, many users unknowingly download and run it without any suspicion.

Analysts at Malwarebytes identified the new delivery method during routine threat hunting activities.

Researcher Gabriele Orini noted that attackers have now incorporated Bun, a modern JavaScript toolkit built as a high-performance alternative to Node.js, into the malware’s delivery chain. Its relative newness in security circles makes it particularly appealing to attackers trying to slip past detection.

Once inside a system, NWHStealer is highly capable. It collects system information, steals saved browser data and passwords, drains cryptocurrency wallets, and targets applications like Discord, Steam, and FTP clients such as FileZilla.

It can also inject malicious code into browser processes, bypass Windows User Account Control, persist through scheduled tasks, and pull new command-and-control addresses from Telegram to keep the operation alive after partial takedowns.

The scale of this campaign is notable. Attackers continue to create fresh profiles on legitimate platforms to push new lures, making it difficult for moderators to respond quickly. The combination of data theft, persistence, and self-updating infrastructure makes NWHStealer a serious threat to both everyday users and organizations.

Bun Loader, Anti-VM Checks, and Encrypted C2

The infection begins with a ZIP archive disguised as a game trainer, software crack, or utility tool. Detected archive names include MOUSE_PI_Trainer_v1.0.zip, FiveM Mod.zip, TradingView-Activation-Script-0.9.zip, and AutoTune 2026.zip.

Inside sits Installer.exe, which carries JavaScript code bundled with the Bun runtime hidden within its .bun section.

The malicious JavaScript is divided into two key files. The first, sysreq.js, runs PowerShell and WMI commands to check whether the system is a real machine or a virtual one. It inspects CPU count, disk space, screen resolution, hardware manufacturers, and even the username, using a scoring system to decide whether to proceed with infection or stop entirely. This anti-VM layer is designed to avoid detection in automated security analysis environments.

The second file, memload.js, handles communication with the attacker’s command-and-control server. Strings and configurations are encrypted using XOR combined with base64 encoding, making static analysis much harder. The loader sends a report containing the victim’s public IP, system details, and a screenshot to the C2, then fetches an AES-encrypted payload and deploys NWHStealer directly into memory with minimal traces on disk.

Some analyzed ZIP files also include a secondary loader called dw.exe inside a folder labeled “DW.” A Readme.txt inside the archive tells users to run dw.exe manually if the main installer fails, giving attackers a fallback option if the primary C2 server goes offline. This dual-loader setup reflects a deliberate backup plan to ensure delivery regardless of temporary disruptions.

Staying Safe From NWHStealer

Given how widely this stealer is distributed, users should take practical steps to protect themselves. Only download software from official, verified sources and avoid file-sharing platforms unless the publisher’s identity and reputation are clearly established.

Always check a file’s digital signature before running it, as legitimate software will carry consistent, verifiable signing details.

It is also worth inspecting any downloaded archive before opening it. Malicious archives often have unusual file structures, mismatched content, or naming patterns that do not match what was advertised.

Staying cautious with downloads that seem too good to be true, whether a game cheat, a software activator, or a free tool, remains one of the most effective defenses against threats like NWHStealer.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2 appeared first on Cyber Security News.

Hackers are using convincing fake pages for Claude AI to trick users into running malware on their own systems. The campaign, known as “InstallFix” or the Fake Claude Installer threat, marks a sharp shift in how cybercriminals exploit the trust people place in artificial intelligence tools.

Instead of targeting software vulnerabilities, these attackers are targeting human behavior, knowing that users will follow installation steps without question.

The method is simple and effective. Attackers set up fake Claude AI installation pages and use paid Google Ads to push those pages to the top of search results.

When someone searches for “Claude Code” or “Claude Code install,” a sponsored link appears first, looking exactly like a trusted result. One click leads to a fraudulent site that provides step-by-step instructions with commands tailored to the user’s operating system, either Windows or macOS.

Researchers at Trend Micro identified and documented the campaign, noting that the malware is not a simple infection. It is a multi-stage attack chain that collects system information, disables security features, creates scheduled tasks to survive reboots, and connects to attacker-controlled servers for further instructions.

Confirmed attacks span the United States, Malaysia, the Netherlands, and Thailand, hitting industries from government and education to electronics and food and beverage.

How the Fake Installer Attack Works

What makes this campaign especially dangerous is that it targets both technical and non-technical users. Developers who work with command-line tools are often comfortable copying setup commands from documentation pages, and non-technical users are equally likely to follow on-screen steps that look official. The attackers crafted these fake pages to closely resemble a real Claude installation guide, making the deception very hard to spot.

The threat goes beyond a single download. After the user runs the malicious command, the infection unfolds across multiple stages, each designed to evade detection and remain hidden. Trend Micro’s telemetry confirmed outbound network connections to attacker-controlled servers, and the indicators found align closely with those tied to RedLine Stealer campaigns from 2023.

The attack begins with a Google Ads placement that intercepts users searching for Claude Code. The fake landing page uses a technique called ClickFix, presenting an OS-specific command framed as a required installation step. On Windows, running the command triggers a hidden chain beginning with mshta.exe, a legitimate Windows tool that attackers commonly abuse to execute remote payloads.

The downloaded file, named claude.msixbundle, appears to be a genuine Microsoft package with valid Marketplace signatures, allowing it to pass basic security checks. Embedded inside is an HTA payload that silently executes a VBScript, with the window resized to zero pixels so nothing appears on screen.

That script launches obfuscated PowerShell commands through the SysWOW64 subsystem, bypassing detection by reconstructing the word “powershell” at runtime using split variables.

The stager generates a unique ID for the victim machine by hashing the computer name and username together. It uses this hash to build a custom command-and-control URL for each victim, fetching the final payload from a subdomain on oakenfjrod[.]ru. This per-victim URL approach makes bulk network-level blocking extremely difficult to execute.

Persistence, Data Theft, and RedLine Stealer Connections

Once the shellcode runs in memory, the malware establishes persistence by creating scheduled tasks, allowing it to survive reboots and keep running silently. Dynamic analysis showed the malware reaching out to external IP addresses, collecting browser data, and targeting e-wallet applications installed on the infected machine.

The indicators tied to this campaign match techniques and infrastructure previously linked to RedLine Stealer.

To reduce risk, organizations should block known malicious domains and IP addresses at the firewall and use DNS filtering to prevent users from reaching suspicious or newly registered domains. Legacy scripting tools like mshta.exe should be restricted wherever possible.

Users should also be trained to avoid running commands from sites reached through sponsored search results, to verify download pages against official vendor websites, and to rely on trusted package managers like npm, pip, brew, or winget rather than manual scripts from unknown sources.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems appeared first on Cyber Security News.

Phone-based scams are evolving faster than most security filters can keep up with. Attackers are now leaning heavily on Voice over Internet Protocol (VoIP) numbers that disappear before detection systems can flag them, leaving users exposed and defenders scrambling.

These scam campaigns arrive through email, where attackers embed phone numbers directly into message bodies, subject lines, and file attachments.

The goal is simple: get the recipient to call a fraudulent number and hand over sensitive personal or financial details. By keeping victims on a live call, scammers can manipulate targets far more effectively than a link or attachment alone ever could.

Researchers at Cisco Talos identified that this shift toward phone-oriented attack delivery, known as telephone-oriented attack delivery (TOAD), has become one of the leading tactics in modern email threats.

Their analysis, covering a study window from late February to late March 2025, found that the largest scam campaigns all relied on VoIP infrastructure to operate at scale with minimal cost.

Scammers Game the System With VoIP Numbers

What makes VoIP so appealing to scammers is how easily numbers can be obtained and discarded in bulk. With API-driven provisioning available from a small number of providers, threat actors spin up hundreds of numbers quickly, use them briefly, and abandon them before reputation systems catch on. The median phone number lifespan observed during the study was roughly 14 days.

The impact goes well beyond individual users. Organized scam call centers are running campaigns that impersonate major brands like PayPal, Geek Squad, McAfee, and Norton LifeLock, all while directing victims to the same centralized fraudulent operation.

This infrastructure is deliberately built to resist tracing, blending seamlessly into legitimate telecom networks worldwide.

Scammers are not randomly picking phone numbers. They deliberately acquire large sequential blocks of numbers, often by purchasing Direct Inward Dialing (DID) blocks from providers.

When one number gets flagged, they simply rotate to the next in the sequence, a tactic known as sequential number grouping that keeps operations running without interruption.

Cisco Talos found that six of the ten largest campaigns detected during the study period relied entirely on VoIP infrastructure. Sinch was identified as the most commonly abused CPaaS provider, referring to communications-platform-as-a-service companies offering programmable APIs for voice and messaging. These platforms are built for automation and high call volumes, which makes them attractive and widely exploited tools for large-scale scam operations.

The reuse patterns are equally calculated. Of 1,962 unique phone numbers analyzed, 68 were reused across multiple consecutive days. Scammers often apply a cool-down period, pausing a number for several days before bringing it back into a new campaign. This timing is designed to outlast update cycles of third-party reputation services, which can take days to distribute fresh intelligence.

Recycling Lures to Stay Under the Radar

One of the most telling tactics Cisco Talos documented is the recycling of the same phone number across completely unrelated lures. A single number might appear in emails posing as an order confirmation, a subscription renewal, and a financial alert all within a short span. This deliberate variation in lure type helps attackers avoid patterns that automated filters would otherwise quickly detect.

In one campaign, the same number was embedded in both HEIC and PDF attachment formats, showing how attackers avoid relying on a single delivery method. HEIC files, commonly associated with iPhone photos, were used to bypass traditional file-type detection while maintaining high image quality. Talos confirmed seeing campaigns with even broader attachment variety, underscoring just how adaptable these threat actors have become.

Security and telecom teams are advised to move beyond email sender filtering, which grows less effective as senders cycle rapidly through disposable domains. Talos recommends treating phone numbers as primary indicators of compromise and applying clustering techniques to connect seemingly unrelated campaigns that share the same phone infrastructure. Real-time reputation monitoring across communication channels and active collaboration between telecom providers are among the most effective steps toward stopping these organized scam networks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Scammers Use Short-Lived VoIP Numbers and Reuse Windows to Defeat Reputation-Based Blocking appeared first on Cyber Security News.

A sophisticated China-linked hacker group known as UAT-8302 has been quietly targeting government agencies across South America and southeastern Europe, using a mix of custom malware and widely available open-source tools to steal sensitive data.

The group has been active since at least late 2024 and stepped up its operations against government bodies in southeastern Europe through 2025. Their goal is clear: get in, stay hidden, and walk out with as much information as possible.

What makes UAT-8302 particularly dangerous is its ability to blend in. By pairing legitimate cloud services and open-source tools with custom-built malware, the group makes it harder for defenders to separate genuine network activity from a hostile intrusion.

The attackers display a high level of patience, conducting deep and methodical reconnaissance on every endpoint they can reach before pushing further into the target environment. This careful, deliberate approach is widely recognized as a hallmark of state-sponsored threat operations targeting high-value government infrastructure.

Researchers at Cisco Talos identified UAT-8302 as a China-nexus advanced persistent threat group tasked primarily with gaining and maintaining long-term access to government and related entities around the world.

Talos analysts assessed with high confidence that the group shares tooling with several previously disclosed China-nexus clusters, including a threat cluster they track as LongNosedGoblin. The overlap in tools and techniques points to a close operational relationship between these groups.

UAT-8302’s Custom Malware Arsenal

The post-compromise activity follows a familiar and thorough playbook. Once inside a network, the group collects credentials, gathers Active Directory information, and maps out the entire environment before deploying additional malware.

Tools like Impacket, custom PowerShell scripts, and open-source scanning engines are used to discover every reachable endpoint. This approach ensures that attackers fully understand the scope of the environment they now control before deciding on their next move.

The variety of malware families deployed by UAT-8302 shows the group has access to a well-stocked toolkit. The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant. In one documented intrusion, the group also deployed SNAPPYBEE and ZingDoor together, a tactic independently highlighted by Trend Micro in 2024 reporting on similar China-linked activity.

NetDraft is one of the most notable tools in UAT-8302’s arsenal. It is delivered through a DLL side-loading technique where a benign executable loads a malicious DLL-based loader, which then decodes and runs NetDraft within an existing process on the compromised system.

The malware uses the Microsoft Graph API to communicate with its OneDrive-based command-and-control server, allowing it to blend into normal cloud traffic and avoid detection. Talos tracks the embedded helper library used by NetDraft as “FringePorch.”

CloudSorcerer version 3 behaves differently depending on which process it runs inside. If injected into “dnapimg.exe,” it collects system details and pivots into explorer.exe to receive commands through a named pipe channel.

If running inside “spoolsv.exe,” it contacts a GitHub repository to pull down command-and-control information. This shape-shifting behavior makes detection harder for conventional security tools. Talos also noted the use of SNOWRUST, a Rust-based variant of the SNOWLIGHT stager seen in intrusions attributed to other China-nexus clusters.

Open-Source Tools and Lateral Movement

UAT-8302 relies heavily on open-source tools when moving through compromised networks. After gaining initial access, the group runs scanning tools including gogo, naabu, httpx, and PortQry to map services across internal networks and discover new systems to pivot toward.

Credentials are harvested from MobaXterm sessions and Active Directory using tools like adconnectdump.py and SharpGetUserLoginRDP.

To maintain persistent backdoor access, the group deploys Stowaway, a proxy tunneling tool written in Simplified Chinese, routing outside traffic into infected hosts within the enterprise. SoftEther VPN clients were also observed in use.

Government agencies should keep endpoint detection tools updated to flag these threat signatures, monitor outbound traffic to cloud platforms like OneDrive and GitHub for unusual patterns, and regularly audit scheduled tasks and DLL side-loading behavior across all managed endpoints.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post UAT-8302 Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies appeared first on Cyber Security News.

Hackers are using fake Google ads to steal login credentials from ManageWP users, GoDaddy’s popular platform for managing WordPress websites from a single dashboard. The campaign, which researchers have dubbed “WrongPress,” plants a fraudulent sponsored search result directly above the real ManageWP listing, trapping users before they even realize something is wrong.

ManageWP is widely used by web developers, digital agencies, and enterprises who need to oversee dozens or even hundreds of client websites at once. Because a single account can control that many sites, stealing one set of credentials gives an attacker a massive foothold into an entire web portfolio.

According to WordPress.org, the ManageWP Worker plugin is active on more than one million websites, making the stakes extraordinarily high.

The attack begins the moment a user types “managewp” into Google. The malicious sponsored result appears at the very top of the page, sitting right above the legitimate one.

Researchers at Guardio Labs were the first to identify this campaign and raise the alarm, warning that even cautious users could fall for the trap simply because the fake result appears so convincingly placed.

What makes this campaign especially difficult to spot is that the fake login page is a near-perfect copy of the real ManageWP screen. There are no obvious red flags for the average user. By the time a victim types their username and password, those credentials have already been silently sent to an attacker-controlled Telegram channel.

Hackers Abuse Google Ads

Guardio Labs confirmed at least 200 unique victims at the time of writing and has been actively reaching out to alert those affected. The research team also managed to infiltrate the attacker’s command-and-control infrastructure, giving them a rare look at the full scale of how this operation runs in real time.

The infection chain is built to dodge Google’s ad review systems and the suspicion of real users alike. When a victim clicks the malicious ad, they first pass through a cloaker, a tool that filters out automated inspectors while letting genuine users through. This step helps the attackers conceal who actually authorized the sponsored result and avoid triggering Google’s ad inspection mechanisms.

Once the cloaker approves a genuine visitor, they are redirected to a fake ManageWP login page where the adversary-in-the-middle, or AiTM, technique takes over. The attacker’s server acts as a live go-between, forwarding stolen credentials to the real ManageWP platform in real time.

The victim is then shown a fake prompt asking for their two-factor authentication code, which the attacker uses simultaneously to complete the actual login, rendering 2FA completely useless.

The operation is managed through a command-and-control server that gives the attacker a live dashboard for steering ongoing phishing sessions. Guardio Labs noted the kit appears to be a private framework rather than a commodity tool sold on underground forums. Embedded in the code was also a Russian-language disclaimer in which the author denies responsibility for illegal activity and prohibits targeting systems based in Russia.

The Broader Risk to WordPress Site Owners

The danger here extends far beyond a single stolen password. Because ManageWP is a centralized hub, one compromised account can hand an attacker control over hundreds of websites simultaneously. Guardio Labs head researcher Nati Tal confirmed that each account typically hosts hundreds of sites, meaning attackers could inject malware, redirect traffic, or harvest visitor data at a sweeping scale.

Security experts advise avoiding sponsored search results when navigating to login pages for services you use regularly. Bookmarking the official URL or typing it directly into the browser address bar is a far safer habit. Users should also monitor their accounts for unexpected logins and consider adopting phishing-resistant authentication methods, such as hardware security keys, where supported.

The WrongPress campaign is a reminder that even routine actions like Googling a login page can carry serious risk. As attackers grow more creative with search advertising abuse, verifying where a link actually leads before clicking has never mattered more.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Google Ads to Steal Users GoDaddy ManageWP login Credentials appeared first on Cyber Security News.

A new wave of fraudulent Android apps quietly racked up millions of downloads on Google Play before being taken down. These apps, now tracked under the name CallPhantom, promised users something irresistible: the ability to look up the call history of any phone number. What they actually delivered was nothing more than fake data and a very real financial loss.

The scheme worked by exploiting a simple but powerful hook. People are naturally curious about who has called a specific number, and these apps claimed to deliver that information instantly.

Users were shown what looked like partial results and then prompted to pay to unlock the full call history. That history was entirely fabricated right from the start.

Researchers at WeLiveSecurity identified and reported 28 such fraudulent applications on the Google Play Store.

Their analysis found the apps had been cumulatively downloaded over 7.3 million times before Google removed them following ESET’s disclosure in December 2025.

The apps primarily targeted Android users in India and the broader Asia-Pacific region. Many came with India’s country code pre-selected and supported UPI, a payment system widely used across India. A screenshot of the fabricated call history data was even included in the app’s Play Store listing, presented as proof the app actually worked.

Fake Call History Apps on Google Play

Despite looking different on the surface, all 28 apps shared the same core purpose: generate fake communication data and charge victims for access. Subscription packages ranged from weekly to yearly, with the highest price reaching up to $80.

The CallPhantom apps fell into two main clusters. The first group had hardcoded names, country codes, and call log templates embedded directly in their code. These were combined with randomly generated phone numbers and shown to users as partial results, pushing them to pay to see more.

The second cluster asked users to enter an email address, claiming the retrieved call history would be delivered there. No data was generated until after payment, and even then, nothing real was ever sent. The apps had no actual capability to access call logs, SMS records, or WhatsApp data from any device.

This shows how deeply the deception was built into the code, with fixed names and timestamps baked in before the app ever reached a user’s phone.

Three payment methods appeared across the apps. Some used Google Play’s official billing system. Others redirected users to third-party UPI apps, with payment details either hardcoded or fetched dynamically from a Firebase real-time database, letting operators swap receiving accounts at will.

A third method embedded payment card checkout forms directly inside the app, violating Google Play’s payments policy and making refunds significantly harder.

Bypassing Refunds and Staying Under the Radar

One of the most deliberate tactics used by CallPhantom was steering users toward payment channels Google could not reverse. When payments went through third-party UPI apps or direct card entry inside the app, Google had no ability to cancel transactions or issue refunds. Victims were left fully dependent on external payment providers or the scam developers themselves.

In at least one case, the app sent deceptive notifications styled as email alerts, falsely claiming call history results had arrived. Tapping the notification led straight to a subscription screen, keeping the pressure on even after users had exited without paying.

Anyone who subscribed through Google Play’s official billing system may be eligible for a refund, as existing subscriptions were canceled when the apps were removed. Requests must fall within Google’s allowed refund window. For purchases made outside Google Play, contacting the payment provider or card issuer directly to dispute the charge is the recommended step.

The most practical protection is verification before downloading. Checking developer credibility, reading user reviews carefully, and staying skeptical of apps claiming to access private data belonging to other people are all steps that help avoid traps like these.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post 28 Fake Call History Apps on Google Play with 7.3M+ Downloads Trick Users to Steal Payments appeared first on Cyber Security News.

A fresh wave of malicious packages has been quietly spreading through the NuGet ecosystem, one of the most widely used registries in the .NET developer world. Five rogue packages have been discovered posing as legitimate Chinese software libraries, secretly stealing browser credentials, SSH private keys, and cryptocurrency wallet data.

The attack takes a clever approach. Instead of creating obviously suspicious packages, the threat actor built each malicious library on top of real, functional code that developers in Chinese enterprise environments would recognize.

By mimicking trusted tools like AntdUI, a popular WinForms component library, the packages appear legitimate enough to pass casual inspection.

Researchers at Socket.dev identified all five packages, published under a single NuGet account named bmrxntfj. The packages accumulated approximately 64,784 downloads across all versions, placing tens of thousands of developer machines and CI/CD build systems at risk. The campaign traces back to at least September 2025, with all five packages still live at the time of writing.

What makes this campaign persistent is the version rotation technique the operator used. Out of 224 total versions published, 219 were deliberately hidden from public search. By keeping only one version visible while regularly swapping in fresh ones, the attacker invalidated hash-based detection and forced security teams to constantly update their blocklists.

Any developer workstation or build server that ran a package restore referencing these five IDs has potentially been exposed since late 2025. That long lifespan and high download count make this one of the more quietly damaging supply chain threats discovered this year.

Malicious NuGet Packages

The payload fires through a .NET module initializer, which the runtime calls automatically when a matching assembly loads. No user interaction is needed beyond a routine package restore. Once triggered, the malware uses JIT hooking to replace the compiler’s dispatch pointer, gaining control over every method compiled afterward.

A second-stage infostealer named we4ftg.exe then executes. It targets saved credentials across 12 Chromium-based browsers including Chrome, Edge, Brave, Firefox, and Opera, collecting passwords, autofill data, session cookies, and payment cards. It handles both legacy and AppBound Chrome encryption formats, confirming the payload has been recently maintained.

Cryptocurrency assets are a major focus. Browser extension wallets including MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet are targeted, along with desktop applications like Exodus, Electrum, Atomic, Guarda, Ledger, and Binance. SSH private keys, Outlook profiles, Steam credentials, and files from Documents, Desktop, and Downloads are also collected.

All harvested data is staged under a folder path mimicking a legitimate Microsoft OneDrive directory. Legitimate OneDrive never creates a file by that specific name, making its presence a clear detection signal. Data is then sent to a command-and-control server registered 33 days before the NuGet publishing burst began.

C2 Infrastructure and Attribution

The primary C2 domain resolves to a server in Amsterdam operated through a virtual hosting provider. Its nameservers run through Njalla, a privacy registrar frequently used by threat actors to obstruct takedown requests. The domain was engineered to resemble a legitimate DNS provider so it would blend into routine firewall logs.

A secondary domain linked to an Alibaba Cloud server in Shanghai appears to host the attacker’s development environment. It produced no hits in public malware databases and was not observed receiving stolen data.

Attribution was confirmed through a unique RSA-1024 key embedded in every .NET Reactor-protected package. That same key appeared in four other malicious files on VirusTotal, including memory dumps predating the NuGet campaign by weeks. Labels on those files point to known malware families including Lumma, Quantum, AgentRacoon, and ArrowRAT.

Developers should immediately check project and lock files for any reference to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI. Any machine that restored these packages should be treated as compromised, with all credentials, API keys, SSH keys, and wallet seeds rotated. Security teams should configure alerts for connections to the known C2 domain and watch for unexpected file creation at the OneDrive staging path.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets appeared first on Cyber Security News.

A dangerous new piece of malware called Remus has surfaced, quietly picking up where one of the most feared information stealers left off.

Designed to steal browser passwords, cookies, and cryptocurrency wallets, Remus carries the DNA of Lumma Stealer, one of the most technically advanced stealers-as-a-service seen in recent history.

Remus first appeared in the wild around January and February 2026, arriving shortly after Lumma Stealer suffered a major disruption. Between late August and October 2025, alleged core members behind Lumma were exposed through a doxxing campaign that rattled the group’s operations.

Researchers believe some of Lumma’s authors split off or chose to rebuild under a new name, and Remus appears to be the result.

Analysts at Gen Threat Labs identified this new threat, tracing its roots to test builds labeled as Tenzor. Dated September 16, 2025, those builds served as a bridge between Lumma and what would become Remus.

Researchers Vojtech Krejsa and Jan Rubin attributed Remus as a new 64-bit variant of the Lumma family, noting that Lumma was originally a 32-bit operation.

What makes Remus especially concerning is how closely it mirrors Lumma in design and behavior. The two share the same string obfuscation method, anti-virtual machine checks, nearly identical code structure, and a browser encryption bypass that researchers had only ever seen Lumma use. This level of overlap points strongly to a shared origin.

While Lumma campaigns continue globally, Remus is not a direct replacement. It is more of a natural evolution, upgrading the architecture to 64-bit and adding newer evasion techniques. Both threats represent a widening footprint for an actor that has already proven very hard to stop.

Lumma-Style Browser Key Theft

One of Remus’s most alarming inherited capabilities is its method for breaking into browser-protected data. It targets Application-Bound Encryption, a security layer Chromium browsers use to protect sensitive keys stored on disk.

Rather than reading the key off disk, Remus injects a small shellcode into the live browser process to locate and decrypt the master key from inside the browser’s own memory.

This technique had previously only been observed in Lumma Stealer. Remus searches for a specific byte pattern inside the browser’s code, locates the encrypted key in memory, and uses the browser’s own decryption functions to unlock it.

The shellcode Remus injects is more compact at 51 bytes versus Lumma’s 62, suggesting active refinement.

If injection into an existing browser process fails, Remus launches a hidden browser on a separate desktop, invisible to the user.

Unlike Lumma, which used a hardcoded desktop name, Remus generates a random 16-character string each time. This makes detection harder for tools that rely on fixed naming patterns.

EtherHiding and Anti-Analysis Evasion

Beyond encryption bypass, Remus introduces a key upgrade in how it contacts its command-and-control servers. Lumma relied on platforms like Steam and Telegram to store server addresses.

Remus replaces this with EtherHiding, embedding the server address inside an Ethereum blockchain smart contract, making its infrastructure far harder to disrupt.

Because blockchain data is decentralized and cannot be removed by any platform operator, there is no single point of failure for defenders to target.

Remus queries the smart contract at runtime over a public endpoint and pulls the current server address, removing a defensive lever that had worked against Lumma.

Remus also adds checks to detect analysis tools and sandbox environments before executing. It scans for DLLs linked to known analysis platforms and checks for a specific honeypot file on disk.

If either check triggers, the malware exits silently. These capabilities make Remus a stealthier and more sophisticated threat that security teams need to address without delay.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass appeared first on Cyber Security News.

The aviation and aerospace sector has become one of the most actively targeted industries by ransomware operators and data extortion groups in 2025 and 2026.

From passenger-processing platforms to satellite-dependent navigation systems, attackers are finding that disrupting even a single vendor in the tightly connected aviation ecosystem can produce cascading effects across airlines, airports, and ground operations worldwide.

The risk profile of the aviation sector makes it a particularly attractive target for cybercriminals. Airlines, airports, aerospace manufacturers, ground handlers, reservation platforms, and maintenance providers all operate as an interconnected ecosystem.

An attack on any one node within this system can cause disruption far beyond the entity that was initially compromised, often resulting in delays, manual operations, and cascading impacts on passengers.

The September 2025 cyberattack on Collins Aerospace’s MUSE passenger-processing platform demonstrated this risk clearly, with confirmed disruptions at major European hubs including Heathrow, Brussels, Berlin, and Dublin.

It was later disclosed that the incident involved ransomware, requiring manual recovery operations at multiple airports.

Ransomware Attacks Targeting Aviation

The threat landscape has not slowed in 2026. In April 2026, travel-sector sources reported a separate wave of cyber-related IT disruptions affecting European airports between April 4 and April 6, with impacts to check-in, boarding, baggage handling, and flight schedules.

While technical attribution in the public record remains limited for this event, the reported disruptions highlight that aviation IT environments continue to be under active pressure.

Earlier in January 2026, Tulsa Airports Improvement Trust confirmed that an unauthorized third party accessed and acquired files from its systems between January 17 and January 20.

Ransomware tracking and media reporting later linked this incident to the Qilin ransomware group, which allegedly posted stolen documents on its leak site.

PolySwarm analysts identified multiple malware families and threat actor groups that are actively targeting the aviation and aerospace sector.

These include ransomware families such as Qilin, LockBit, and Cl0p, as well as threat actor groups including Scattered Spider, Refined Kitten, Wicked Panda, and Fancy Bear, each presenting distinct risk profiles and attack motivations.

The analysts noted that shared IT platforms, identity-based intrusion, and supply chain dependencies are among the most concerning attack vectors across this sector in 2026.

Beyond ransomware, the sector also faces growing exposure from satellite-dependent systems and GNSS spoofing. Aerospace and aviation rely on satellite-enabled navigation, communications, weather data, and tracking systems.

Interference with ground stations, satellite communications links, or signal reliability can create upstream disruption, particularly for military aviation, remote routes, and regions affected by geopolitical conflict.

Scattered Spider and Identity-Based Intrusion

One of the most concerning attack vectors currently affecting the aviation sector is identity-based intrusion, largely associated with the threat actor known as Scattered Spider.

The FBI warned in 2025 that Scattered Spider had expanded its targeting to include the airline sector.

The group operates through help-desk social engineering, MFA manipulation, SIM swapping, and impersonation of employees or contractors, which are particularly effective in aviation environments because airlines and airports rely on distributed workforces, third-party IT providers, and shared identity workflows.

What makes Scattered Spider especially dangerous in this context is the scale of potential damage from a single identity compromise.

If an attacker gains access to a shared service provider or identity layer, the compromise can cascade across multiple organizations simultaneously.

For aviation environments, this means that a single successful social engineering attempt targeting a help desk contractor could potentially grant access to systems spanning multiple airlines or airport operators.

Organizations in aviation and aerospace should take several protective steps to reduce their exposure. Shared airport IT platforms must be treated as high-priority single points of failure, and contingency planning for manual operations should be regularly tested and updated.

Identity verification processes, particularly those involving help desks and contractors, need to go beyond standard MFA to resist social engineering and SIM-swapping tactics.

Aviation supply chain partners and third-party vendors should be assessed regularly for security maturity, especially smaller regional providers that may lack dedicated internal security teams.

GNSS interference and satellite dependency risks should be incorporated into operational resilience planning, particularly for routes and operations in geopolitically sensitive regions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Ransomware and Data Extortion Groups Intensify Targeting of Aviation and Aerospace Sector appeared first on Cyber Security News.

A large-scale phishing campaign has been caught using fake “code of conduct” emails to trick employees into giving up their account credentials.

The attackers did not just steal passwords. They went a step further by hijacking active authentication sessions through an adversary-in-the-middle (AiTM) technique, making standard multi-factor authentication (MFA) protection largely ineffective.

The campaign ran between April 14 and 16, 2026, hitting more than 35,000 users across over 13,000 organizations in 26 countries.

The United States was the primary target, accounting for 92% of all affected users. Industries such as healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) were among the most impacted.

The emails were sent in multiple distinct waves, starting at 06:51 UTC on April 14 and concluding at 03:54 UTC on April 16.

The phishing emails were crafted to look like internal compliance or regulatory notices. Display names used in the messages included “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.”

Subject lines such as “Internal case log issued under conduct policy” warned recipients that a code of conduct review had been opened against them.

Each message instructed users to open a personalized PDF attachment to review their case materials. A green banner at the bottom of the emails falsely stated that the contents had been encrypted using Paubox, a legitimate HIPAA-compliant service, to give the campaign a professional and trustworthy appearance.

Microsoft Defender Research analysts identified and tracked this campaign across multiple organizations, noting that the messages were distributed through a legitimate email delivery service and likely originated from a cloud-hosted Windows virtual machine.

The team noted that attacker-controlled sending domains were used, including addresses such as cocpostmaster@cocinternal.com and nationalintegrity@harteprn.com.

Researchers also noted that the email templates used polished, enterprise-style HTML layouts with preemptive authenticity statements, making them far more convincing than typical phishing messages.

Once a recipient opened the attached PDF, which carried filenames like “Awareness Case Log File – Tuesday 14th, April 2026.pdf” and “Disciplinary Action – Employee Device Handling Case.pdf”, they were directed to click a “Review Case Materials” link.

This link led to attacker-controlled landing pages hosted on domains such as compliance-protectionoutlook[.]de, where a Cloudflare CAPTCHA was presented to filter out automated security tools and sandboxes.

Inside the Multi-Stage Attack Chain

After passing the first CAPTCHA, users landed on an intermediate page that claimed the requested documentation was encrypted and required account verification.

This page prompted users to click a “Review and Sign” button and then enter their email address, followed by a second CAPTCHA involving image selection.

Once these steps were completed, users saw a confirmation message stating that their “case” was being prepared.

The final stage varied depending on whether the user was on a mobile device or a desktop. In both cases, users were told their case materials had been “securely logged” and “time-stamped,” and they were asked to sign in to schedule a discussion.

Clicking “Sign in with Microsoft” launched a real Microsoft authentication page, but the entire session was being proxied in real time by the attacker.

This is the core of an AiTM attack as the attacker sits between the user and the legitimate service, capturing authentication tokens the moment they are issued.

These tokens give direct account access without needing the user’s password again, bypassing standard MFA entirely.

Organizations and users should take the following steps to reduce risk from this type of attack. Reviewing recommended settings for Exchange Online Protection and enabling Zero-hour auto purge (ZAP) in Defender for Office 365 helps quarantine malicious messages after delivery.

Turning on Safe Links and Safe Attachments adds another detection layer for PDF-embedded phishing links. Enabling network protection in Microsoft Defender for Endpoint and encouraging use of browsers that support SmartScreen help block access to attacker-controlled domains.

Organizations should also enable phishing-resistant MFA methods such as FIDO keys, Windows Hello, or the Microsoft Authenticator app, and apply Conditional Access policies to strengthen privileged accounts.

Running user awareness training and phishing simulation exercises helps staff recognize social engineering tactics like this campaign.

Finally, configuring automatic attack disruption in Microsoft Defender XDR can limit the impact of active intrusions while security teams work to contain the threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Code of Conduct Phishing Emails Target 35,000 Users in Multi-Stage AiTM Attack appeared first on Cyber Security News.

Threat actors are increasingly turning to Amazon’s own cloud email infrastructure to deliver phishing messages that look completely genuine, passing every standard security check along the way.

Phishing has always been about deception. Attackers craft emails designed to look real, hoping recipients will trust what they see and hand over their credentials or money.

For years, security tools have gotten better at spotting suspicious senders, unknown domains, and failed email authentication checks.

So attackers adapted. Instead of building fake infrastructure, they are now hijacking real, trusted services to do the dirty work.

The latest target of this strategy is Amazon Simple Email Service, widely known as Amazon SES, a cloud-based platform used by businesses around the world to send transactional and marketing emails reliably.

Amazon SES is deeply embedded in the AWS ecosystem, which makes it a trusted name for both users and security filters alike.

Emails sent through this service carry valid SPF, DKIM, and DMARC authentication headers, meaning they pass every technical check that most email security systems run.

The Message-ID headers in these messages almost always include “.amazonses.com,” further reinforcing the appearance of legitimacy.

From a purely technical standpoint, a phishing email sent through Amazon SES looks no different from a legitimate business communication. This is precisely what makes the abuse of this platform so dangerous.

Securelist researchers identified a clear and growing uptick in phishing campaigns abusing Amazon SES in early 2026.

The team noted that attackers are exploiting this platform not because it is vulnerable in the traditional sense, but because it is legitimate.

By routing phishing emails through trusted infrastructure, threat actors effectively sidestep reputation-based blocklists.

Blocking the sender’s IP address is not a viable solution either, because doing so would cut off all legitimate emails sent through Amazon SES for any organization, generating an unmanageable volume of false positives.

The most common lure observed in early 2026 involved fake notifications from electronic signature services, such as emails impersonating Docusign.

Victims received messages asking them to click a link to review and sign a document. The link appeared to point to amazonaws.com, which most users would consider safe.

Clicking it redirected victims to a credential-harvesting form hosted on AWS infrastructure, making the deception even harder to detect.

Beyond credential theft, attackers have also been using Amazon SES to conduct Business Email Compromise (BEC) campaigns, where they impersonate employees and send fabricated invoice threads to finance departments, requesting urgent wire transfers.

The PDF attachments in these BEC emails contained no malicious URLs or QR codes, only forged payment details and supporting documents designed to appear as a legitimate business exchange.

How Attackers Gain Access

The entry point for these campaigns is almost always leaked IAM (AWS Identity and Access Management) access keys.

Developers routinely expose these keys by leaving them in public GitHub repositories, ENV configuration files, Docker images, or unsecured S3 buckets.

Attackers use automated scanning tools, including bots built on the open-source utility TruffleHog, specifically designed to hunt for exposed secrets across public code repositories.

Once a key is found, the attacker verifies its sending permissions and email limits, then begins blasting out phishing messages at scale.

The entire operation takes advantage of someone else’s legitimate account, meaning the sending IP carries a clean reputation and the emails arrive with full authentication stamps intact.

This makes detection at the gateway level extremely difficult, because the email is technically doing everything right.

Securelist researchers recommend that organizations treat IAM access key security as a top priority. Applying the principle of least privilege ensures that keys carry only the permissions required for specific tasks, reducing the damage potential if a key is exposed.

Transitioning from static IAM access keys to AWS IAM roles is a stronger approach, as roles provide scoped, temporary permissions.

Enabling multi-factor authentication, configuring IP-based access restrictions, setting up automated key rotation, and running regular security audits all help reduce exposure.

Using the AWS Key Management Service to manage encryption keys centrally also adds an important layer of control.

On the user side, emails should never be trusted based solely on the sender name or domain.

Unexpected documents should be verified through a separate communication channel before any action is taken, and every link in an email body should be inspected carefully before clicking.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Abuse Amazon SES to Send Authenticated Phishing Emails That Bypass Security appeared first on Cyber Security News.

Tracking Advanced Persistent Threat (APT) groups has never been a simple task. For years, security organizations have relied on identifying consistent behaviors, tools, and infrastructure to pin activity to a known threat actor.

But that approach is showing serious cracks, as APT groups are not the rigid, predictable entities they were once assumed to be.

The old method of following Tactics, Techniques, and Procedures (TTPs) was practical when threat actors stayed consistent.

The problem today is that adversaries change operators, swap tools, rebuild infrastructure, and reshape objectives, sometimes within a single campaign cycle.

This leaves analysts working with fragmented signals and no reliable thread to connect the dots. The growing gap between how defenders track threats and how those threats actually behave has pushed researchers toward a fundamentally different way of thinking about attribution.

DarkAtlas analysts identified this structural gap and introduced a campaign-based attribution framework designed to address the limitations of traditional group-centric models.

Rather than treating APT groups as fixed identities, the framework focuses on discrete, time-bound clusters of activity called campaigns, where each cluster is defined by its objectives, infrastructure patterns, and operational behavior.

The key insight is that continuity between campaigns does not require identical TTPs. Instead, it is inferred through partial overlaps across multiple independent evidence layers.

The framework draws on what researchers describe as the “Ship of Theseus” problem in attribution. If an adversary group replaces every component of its operation, from personnel to tools to infrastructure, is it still the same group? Traditional attribution models would struggle to answer that question confidently.

The new campaign-linkage approach sidesteps this paradox by measuring relationships between campaigns rather than assuming a stable group identity.

This framework does not eliminate uncertainty. Instead, it introduces a confidence-based attribution model where conclusions are expressed as high, medium, or low confidence depending on how many independent evidence layers converge.

High-confidence attribution requires strong, multi-layered overlap across strategic, operational, technical, infrastructure, and human dimensions.

Medium confidence reflects partial alignment, and low confidence applies when only a single dimension shows similarity or when data is limited.

How the Overlap Model Works in Practice

At the core of the framework is what DarkAtlas researchers call the Overlap Model, a multi-dimensional correlation approach that replaces single-indicator attribution with layered analysis.

No single artifact, whether a reused IP address, a shared tool, or a matching technique, is treated as sufficient evidence of continuity. Attribution confidence builds only when multiple dimensions align independently.

The model examines six analytical layers. The strategic layer looks at geopolitical alignment and targeting intent, which tends to remain stable even as tactics evolve.

The operational layer tracks targeting patterns, campaign timing, and victim sequencing. The tactical layer maps procedural execution against frameworks like MITRE ATT&CK, while the technical layer examines custom malware characteristics, encryption routines, and build artifacts.

The infrastructure layer studies domain naming conventions, TLS certificate reuse, and DNS behavior, and the human layer captures operator-specific traits like coding style, language artifacts, and OPSEC habits.

Together, these layers feed into a Campaign Linkage Graph, a structured network where each node represents a distinct campaign and each edge represents a weighted relationship between campaigns.

Strong links indicate substantial overlap across multiple layers, medium links reflect partial alignment, and weak links flag tentative connections that require further validation.

This graph-based approach handles adversary evolution naturally, absorbing tooling changes as new nodes, treating infrastructure rotation as weaker but traceable connections, and capturing group fragmentation as branching paths within the network.

Security teams and threat intelligence practitioners should consider the following based on the framework’s findings:-

• Move away from single-indicator attribution and require multi-layer evidence before drawing conclusions about campaign origin or group identity.
• Treat TTPs as behavioral signals rather than fingerprints, since adversaries routinely modify or share techniques across groups to create false attribution trails.
• Adopt a campaign-centric tracking model where each operation is logged as a discrete unit, making it easier to build relationship graphs over time without depending on group labels.
• Assign confidence tiers to all attribution assessments and revisit earlier conclusions as new campaign data emerges, particularly when infrastructure or tooling patterns resurface.
• Focus additional monitoring resources on stable indicators such as victimology and geopolitical timing, which persist longer than tools or infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Attribution Framework Connects APT Campaigns Through Strategic, Operational, and Technical Layers appeared first on Cyber Security News.

A fake website claiming to offer an official macOS version of the popular text editor Notepad++ has been making rounds online, raising serious cybersecurity concerns across the tech community.

The site, operating under the domain notepad-plus-plus-mac.org, falsely presents itself as the official release of Notepad++ for Apple devices, misleading thousands of users who simply want a trusted code editor on their Mac.

What makes this situation more dangerous is that the website has already managed to fool reputable tech media outlets, including MacRumors and AlternativeTo, into reporting it as a legitimate product launch.

Notepad++ has been a Windows-exclusive text editor for over two decades, and its creator Don Ho has never released any version for macOS.

The fake site, however, boldly claimed that “Notepad++ is now natively available for macOS” with “no Wine, no emulation” and marketed itself as “a full native port for Apple Silicon and Intel Macs.”

To make things worse, the site even used Don Ho’s name and biography on its author page without any permission, creating a false sense of official endorsement.

Ho personally reached out to the site owner to address the trademark violation, but as of May 5, 2026, he has received no reply.

Analysts at International Cyber Digest were among the first to publicly flag the threat, pointing out that the website uses the Notepad++ trademark and the founder’s identity without authorization.

Their warning reached nearly 40,000 views within hours of being posted, signaling just how widespread the confusion had become.

Readers on X’s community notes also added context, clarifying that the site represents an unofficial community port and is not affiliated with the original Notepad++ development team in any capacity.

The developer behind the site, Andrey Letov, a software engineer from New York, built his application based on the open-source Notepad++ code.

While forking open-source software is generally acceptable, branding an independent fork with the original product’s name, logo, and founder’s identity crosses a clear legal and ethical line.

Don Ho acknowledged in a public statement that he has nothing against open-source forking itself, but the issue is the deliberate use of his name and trademark, which creates direct confusion among end users and the press alike.

In the worst case, as Ho himself warned, a product carrying the Notepad++ name could be used to distribute malware or a backdoor to unsuspecting users.

This incident also arrives against a backdrop of Notepad++ already having faced a serious supply chain attack between June and December 2025, where state-sponsored Chinese hackers from the Lotus Blossom group compromised the official Notepad++ update infrastructure and delivered a malicious backdoor called Chrysalis to targeted users.

That prior incident makes the community especially sensitive to anything mimicking the Notepad++ brand.

How the Fake Site Could Harm You

The core risk with any unofficial software build marketed under a trusted name is that users have no way to verify what is actually packaged inside the installer.

Threat actors routinely use this technique, known as brand impersonation or typosquatting, to serve malware, infostealers, or remote access trojans under the cover of a well-known application.

In past campaigns, security researchers have documented fake Notepad++ sites delivering payloads through DLL sideloading methods, where a malicious library file is placed alongside a legitimate binary to silently execute malicious code on the victim’s machine.

When a user downloads an installer from an unverified source, the machine can become compromised without any visible signs, making detection difficult until significant damage is done.

Users should only download Notepad++ or any software from its official website at notepad-plus-plus.org.

Avoid installing applications from third-party domains, even if they appear professional or receive media coverage. Always verify the publisher and check for digital signatures before running any installer.

If you have already downloaded the Mac version from notepad-plus-plus-mac.org, scan your device with a trusted security tool immediately.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Fake ‘Notepad++ for Mac’ Website, Possibly Could Harm your Machine appeared first on Cyber Security News.

The npm ecosystem has long been a target for supply chain attacks, where threat actors exploit the open nature of public package registries to push malicious code into developer environments.

With pnpm 11, the package manager takes a direct step to address this growing risk by enabling key security protections out of the box, making it harder for freshly published malicious packages to silently reach production systems.

For years, every major package manager shipped with an implicit assumption: install whatever is published, no questions asked.

That default behavior has repeatedly allowed attackers to publish a poisoned version of a popular package and watch automated pipelines pull it in within minutes.

Recent supply chain campaigns across the Node.js, Python, and PHP ecosystems have relied on installer-time hooks to download platform-specific payloads, steal credentials, and exfiltrate secrets targeting developers and CI/CD systems.

The attacks used preinstall or postinstall hook mechanisms to download and execute an obfuscated runtime payload, eventually targeting developer and CI/CD secrets.

Researchers at Socket.dev identified and documented how these campaigns move across npm, PyPI, and Packagist registries, noting that most malicious package versions get detected within hours of publication but the damage is done when tools install them the moment they appear.

This pattern, where newly published malicious versions exploit a short window before detection, is exactly what pnpm 11’s new defaults are designed to close.

pnpm 11 arrives as the Go, Rust, and PHP ecosystems were registering responses to a fresh-package supply chain campaign that compromised packages across npm, PyPI, and Packagist.

For GoSvelte target teams, this release showed how much the role of package managers has changed. They are no longer just tools for resolving and installing dependencies, but are increasingly where supply chain security decisions get enforced.

The update introduces three hardened defaults: a Minimum Release Age of 1,440 minutes (24 hours), blocking of exotic subdependencies by default, and a new Allow Builds model for controlling which packages can execute build scripts during installation.

Teams can override these settings when needed, but the default posture now favors security over immediacy.

Supply Chain Protection On by Default

The most impactful change in pnpm 11 is the Minimum Release Age setting, which now defaults to 1,440 minutes.

Newly published package versions are not resolved until they are at least one day old, reducing exposure during the highest-risk window immediately after publication.

Teams can adjust this value using minimumReleaseAge in their configuration, and specific packages can bypass the wait period using minimumReleaseAgeExclude for cases such as critical hotfixes or security patches.

pnpm 11 also turns on Block Exotic Subdeps by default through the blockExoticSubdeps setting. Exotic subdependencies are transitive packages that resolve from non-standard sources, such as Git repositories or direct tarball URLs, rather than the normal registry.

Blocking them reduces the chance that packages can quickly introduce less critical dependency sources into the install graph, narrowing one of the paths attackers use to hide unexpected code in a dependency tree.

Recent supply chain campaigns rarely rely on just one technique, and defaults that reduce unexpected sources make those chains harder to complete.

The new allowBuilds model gives teams a cleaner way to govern which packages are allowed to execute build scripts during installation.

Instead of scattering a build-script allowlist policy across multiple settings, teams now define it from a package name pattern that maps to booleans.

This change is especially timely because lifecycle scripts remain one of the most used execution paths in npm attacks.

The new Allow Builds model does not remove the need for any dependency review, but it gives teams a clearer way to govern which packages are allowed to execute build scripts during installation.

Teams running pnpm 11 with the new defaults should audit their existing pnpm-workspace.yaml for any onlyBuiltDependencies or ignoredBuiltDependencies entries and migrate them to the new allowBuilds map.

Organizations trying to reduce install-time execution risk should treat minimumReleaseAge as a baseline control, keeping an escape path open for emergency updates via minimumReleaseAgeExclude.

For monorepos or environments relying on git-sourced direct dependencies, the blockExoticSubdeps default should be reviewed carefully to avoid breaking resolution for intentional exotic sources in top-level package.json files, since the setting only restricts transitive dependencies from using such sources.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk appeared first on Cyber Security News.

A new supply chain attack is targeting the SAP developer ecosystem through poisoned npm packages.

The campaign uses a malicious worm called “Mini Shai-Hulud,” which runs silently before any npm install completes and steals credentials from developer machines, cloud platforms, and AI coding tools.

The attack hit four official SAP-published packages: mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service.

When a developer or CI pipeline runs npm install on a compromised version, a hidden preinstall script called setup.mjs fires before installation finishes.

That script downloads the Bun JavaScript runtime and executes an 11.7 MB obfuscated payload named execution.js, which carries out credential theft without touching Node.js at all.

Endor Labs analysts identified the malware as a direct descendant of the original Shai-Hulud worm documented in April 2025.

The researchers noted that Mini Shai-Hulud shares the same Bun v1.3.13 runtime bootstrap, the same custom cipher family (ctf-scramble-v2), and the same PBKDF2 key (5012caa5847ae…) as the earlier campaign.

These shared markers confirm the same threat actor is running a fresh campaign against SAP’s CAP and MTA developer ecosystem with a narrower credential surface and a different propagation keyword.

The four packages sit in the dependency trees of CAP-based applications used broadly across SAP BTP. Any developer who installed a compromised version on a machine holding cloud credentials or GitHub tokens should treat every secret on that host as fully exposed.

How the Worm Collects and Exfiltrates Credentials

The payload runs five credential harvesters in parallel. The first targets npm tokens by scanning npmrc files in the user home, project root, and CI environment variables.

Collected tokens are validated against the npm registry API to confirm publish rights, since only publish-capable tokens allow worm replication.

The second and third collectors sweep GitHub and cloud credentials. On Linux hosts, the payload reads /proc/{pid}/mem to pull GitHub Actions in-memory secrets.

It also scans AWS credential files, queries GetCallerIdentity for IAM context, sweeps Google Cloud Secret Manager, reads Kubernetes service account JSON files, and collects Azure Key Vault credentials.

The fourth collector targets AI coding tools. The payload checks 136 hardcoded paths for Claude Code settings (project/.claude/settings.json) and VS Code task files (project/.vscode/tasks.json), along with Cursor IDE state, shell history, .env files, and SSH private keys.

In CI environments, it sweeps across more than 25 platforms including Jenkins, Travis, and Azure Pipelines.

All collected data is encrypted with AES-256-GCM and the key is wrapped with the attacker’s RSA-4096 public key before uploading to a GitHub dead-drop repository created from the victim’s own stolen account.

If any compromised version was installed, treat the event as a full credential compromise. Uninstall each affected package and reinstall the clean version using the –ignore-scripts flag.

Search all projects on the affected machine for execution.js files over 5 MB, .claude/settings.json files with a SessionStart hook, and any format-check.yml workflow your team did not author.

Revoke all secrets from the affected host, including npm publish tokens, GitHub PATs, AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and all .env file contents.

For long-term defense, scope npm OIDC trusted publishing to a specific workflow file on a specific branch, not the entire repository.

Enforce –ignore-scripts in CI installs and review lifecycle hooks during dependency audits. The detection window was roughly two hours, meaning reactive takedowns are not a reliable protection on their own.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets appeared first on Cyber Security News.

The way cyberattacks are launched has fundamentally changed. Threat actors are no longer spending months hunting for software flaws by hand.

With artificial intelligence in their toolkit, they can now discover and exploit zero-day vulnerabilities in minutes, placing organizations across every sector at serious risk.

For years, finding a zero-day required deep technical skill, long research cycles, and heavy resources.

Only well-funded nation-state groups or elite crews could do it consistently. That barrier no longer holds.

AI has made zero-day discovery faster, cheaper, and accessible to a wider range of attackers, including those without coding knowledge.

An attacker today gives an AI model a target, and the model independently scans the network, hunts for weaknesses, attempts exploits, and switches paths when one fails.

Through standards like the Model Context Protocol, AI agents connect to real environments and execute full attack chains with minimal human input.

Actor activities monitored at Cyberthint indicate that discovering zero-days is no longer a specialized task taking months, but has become a process that can be automated in minutes.

Cyberthint analysts and researchers identified this structural shift in late 2024, noting that AI is now operating not just as an assistant but as an active attacker. Tasks once requiring a ten-person red team for weeks now take just hours.

In February 2025, MITRE expanded its ATT&CK framework to cover AI-orchestrated operations, confirming that this threat category has matured into a serious industry-wide concern.

AI-Driven Espionage and the GAMECHANGE Campaign

The most striking case study in this space is GAMECHANGE, the first documented instance of AI-orchestrated espionage.

Identified in mid-September 2024 and assessed with high confidence as a Chinese state-backed operation, GAMECHANGE targeted roughly 70 global entities including technology companies, financial institutions, and government agencies, with four organizations successfully compromised.

The malware was written in Python, compiled into a Windows PE file using PyInstaller, and delivered from compromised email accounts impersonating Ukrainian ministry representatives.

What set GAMECHANGE apart was that its instructions were not hardcoded into the binary. Instead, it sent queries to Alibaba’s Qwen-Coder model via the Hugging Face API, generating commands to execute in real time.

It embedded unique API tokens to resist blacklisting, collected hardware, process, network, and Active Directory data, and recursively copied Office documents and PDFs.

MITRE’s Black Hat analysis described GAMECHANGE as a pilot program testing LLM capabilities before broader deployment.

Two other experimental AI-powered malware families were also documented. MalTerminal, the earliest known malware that generates malicious payloads at runtime, was presented by SentinelLABS at LABScon 2024.

When run, it offered a choice between ransomware or a reverse shell, sent requests to a GPT-4 endpoint, and generated encryption and exfiltration code in memory without writing to disk.

JSOUTFMUT, discovered by GTID in June 2024, was a VBScript dropper that received its mutations from an external LLM.

Its Thinking Robot module queried the Gemini Flash API for new obfuscation techniques, generating a fresh variant every hour and copying itself to removable drives and network shares.

Security teams must assume attackers now move at machine speed. Mean Time to Contain is more critical than Mean Time to Detect, since reactive strategies fail when attack speed outpaces patching.

LotL surveillance should shift to the network layer, as classic IOCs are quickly becoming outdated. Anomaly-based signals like unexpected SMB admin share usage and high-entropy DNS queries offer more persistent detection.

AI API traffic should be added to monitoring lists, and YARA-based API key scanning alongside inspecting binaries for embedded JSON prompt structures are among the most effective ways to catch LLM-embedded malware.

Placing artificial signals inside deception environments can also trigger false positives in attacker AI models.

Ultimately, it is not the speed of patching but the speed of containing the breach that will decide the outcome.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Use AI to Automate 0-Day Discovery and Exploitation at Machine Speed appeared first on Cyber Security News.

A new wave of cyberattacks is targeting employees through a combination of inbox flooding and fake IT support contacts on Microsoft Teams, tricking users into handing over remote access to their own devices.

These attacks have been growing steadily since the start of 2026, and security researchers warn they are far from slowing down.

The attack usually begins with the victim receiving hundreds or even thousands of unwanted emails within a short time.

This technique, known as email bombing, creates panic and confusion, making the target feel like something has gone seriously wrong with their account.

When the victim is at their most anxious, a so-called “IT support specialist” reaches out via Microsoft Teams, offering to help fix the problem.

The contact looks legitimate, uses a professional-sounding name and IT-themed display details, and seems to know exactly what is happening. That is by design.

eSentire analysts identified multiple real-world intrusion cases where this exact pattern played out, leading to confirmed data exfiltration from compromised endpoints.

Researchers noted that in each case, threat actors impersonated internal IT support teams through Microsoft Teams, contacting users from external accounts with display names like “IT Protection Department” or “Windows Security Help Desk.”

These freshly created tenant names were designed to look as official as possible, while the accounts themselves were built using realistic full-name personas such as michaelturner@ or danielfoster@ rather than generic labels like helpdesk@ or admin@.

What makes this campaign especially concerning is how it blends social pressure with a trusted platform. Most employees use Microsoft Teams daily and are conditioned to expect IT messages there.

The attackers exploit that trust directly. Once a victim accepts help, they are asked to grant remote access through tools like Quick Assist or AnyDesk. From that point, the attacker has full control of the device.

According to eSentire’s 2026 Annual Cyber Threat Report, these attacks carried a 72% success rate, with activity increasing sharply between 2024 and 2025.

Groups including Scattered Spider, Payouts King, and UNC6692 have all been linked to variations of this technique.

The infrastructure behind these attacks is not improvised. Most malicious Teams messages originate from bulletproof hosting providers, including NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD.

Single IP addresses have been observed targeting multiple organizations at the same time, pointing to organized, infrastructure-backed operations.

How the Attack Unfolds After Access Is Granted

Once remote access is established, the real damage begins. In several observed cases, attackers downloaded portable versions of WinSCP directly from its official website and used the tool to quietly move files off the compromised system.

WinSCP is a legitimate file transfer application, which makes it harder to flag through standard security controls. By using real, trusted software for malicious purposes, attackers reduce the chance of triggering immediate alerts.

In a separate incident, threat actors used Quick Assist to deliver a malicious ZIP file named Email-Deployment-Process-System.zip onto the target machine.

The archive contained a Java binary that executed a malicious Java application, followed by data theft. This approach shows how attackers layer techniques to bypass defenses.

They use trusted remote access tools for entry and legitimate-looking file names to avoid raising suspicion during delivery.

Security teams and employees can take several steps to reduce the risk from these attacks.

Microsoft Teams should be configured to restrict messages and calls from external organizations unless required for business operations, and any allowed external contacts should be limited to verified, trusted partners.

External collaboration policies should include sender notifications so users know when they are speaking with someone outside the organization.

Remote access tools such as Quick Assist, AnyDesk, and ConnectWise should be blocked by policy unless operationally needed. File transfer utilities like WinSCP, RClone, FileZilla, and MegaSync should also be restricted.

Employees must be trained to recognize these tactics and to verify any unexpected IT request through a secondary channel, such as calling the official helpdesk number, sending a direct email, or logging a ticket through an internal system.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Email Bombing and Fake IT Support Calls Fuel New Microsoft Teams Phishing Attacks appeared first on Cyber Security News.

A new and well-planned malware campaign has been actively targeting enterprise administrators, DevOps engineers, and security analysts by hijacking their everyday search habits.

Rather than using mass phishing or broad spam waves, threat actors behind this operation have carefully crafted a delivery chain that puts dangerous software directly in front of high-privilege IT professionals when they search for routine administrative tools online.

The campaign works by poisoning search engine results across multiple major platforms, including Bing, Yahoo, DuckDuckGo, and Yandex.

When IT staff search for tools like PsExec, AzCopy, Sysmon, LAPS, or KustoExplorer, the search results surface fake, professional-looking GitHub repositories at the top of the page.

These repositories appear clean and legitimate, containing no malicious code on their surface.

They act purely as a gateway, quietly redirecting unsuspecting users to a secondary, hidden GitHub account where the actual malware is hosted and distributed.

Atos analysts identified this sophisticated, high-resilience malicious campaign in March.

Researchers confirmed that the campaign remains highly active and has undergone significant technical maturation since its inception, with several distinct variants and additional command-and-control (C2) infrastructure identified over time.

The malware at the center of this campaign is a multi-stage, fileless-style Remote Access Trojan (RAT) written in JavaScript.

Atos researchers confirmed it to be EtherRAT, a recently emerging threat that uses the Ethereum blockchain to store its live C2 server address, effectively preventing traditional domain takedown or IP-blocking efforts.

The malware is distributed through malicious MSI installers disguised as tools like PsExec, AzCopy, Sysmon, LAPS, and KustoExplorer, which are almost exclusively used by personnel with elevated network and system permissions.

A successful infection on an administrator’s workstation can provide threat actors with the keys to an entire enterprise environment.

The psychological element of this campaign is particularly aggressive. Many of the impersonated tools are the same ones security professionals use to investigate and respond to malicious activity.

This creates an ironic situation where a defender, trying to diagnose a perceived issue using a tool like Process Explorer or TCPView, inadvertently introduces the very threat they were trying to find.

Dual-Stage GitHub Delivery Chain

The campaign uses a carefully separated, two-stage delivery architecture designed to stay alive even when parts of it are taken down.

The first GitHub repository serves only as a clean-looking facade. It is SEO-optimized and contains a professional README file with no malicious code, building initial trust with both users and security tools.

Embedded within that README is a link pointing to a second, hidden GitHub account. This secondary repository hosts the actual malicious MSI payload.

By separating the SEO-visible storefront from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched.

Between early December 2024 and April 2026, the threat actors deployed 17 separate GitHub facades, each spoofing a different administrative or developer tool, indicating a sustained effort to maximize search engine visibility and capture a diverse range of high-privilege victims.

When a victim downloads and runs the MSI, four files are extracted and a CMD batch script is launched via a Custom Action at SYSTEM privilege immediately after file extraction.

The entry point is a heavily obfuscated Windows batch script launched at SYSTEM privilege by the MSI Custom Action immediately after file extraction.

Its primary obfuscation mechanism splits all sensitive command names, including curl, tar, copy, start, and cmd, across multiple SET variable assignments that are silently concatenated at runtime, ensuring no recognizable keywords appear in the raw file and defeating simple string-based static analysis.

Stage 2 is a minimal Node.js script, unobfuscated and fully readable, that is never saved to disk.

Its main goal is to read a file containing a second-stage encrypted payload, decrypt it using a hardcoded key and initialization vector (IV), and execute it in memory. It also creates persistence via a registry Run key.

Stage 3 is the malware’s main payload, a JavaScript file that runs silently in the background on every system boot inside conhost.exe, a legitimate Windows process, so it does not stand out in Task Manager.

Organizations can take the following steps to reduce the risk posed by this campaign:

• Block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, listed in the Appendices section of the Atos TRC GitHub repository.
• Review historical network logs to identify any outbound communications with the listed RPC ETH endpoints and identified historical C2 domains.
• Increase awareness among IT personnel regarding the risks of sourcing critical utilities from search engine results; require use of verified internal software centers or direct, authenticated vendor portals for all administrative tools.
• Look for behavioral patterns in telemetry: repeated, high-frequency beacons (every ~500ms) to suspicious external domains, periodic outbound requests (every ~5 minutes) to public ETH RPC endpoints, and suspicious process trees involving node.exe processes executing shell commands.
• Treat any usage of conhost.exe with the headless argument as a potential indicator of the secondary stages of the EtherRAT payload.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post EtherRAT Campaign Uses SEO Poisoning and GitHub Facades to Target Enterprise Admins appeared first on Cyber Security News.