-
Graham Cluley
-
One in eight UK workers has sold their company passwords, and bosses think it’s fine
One in eight UK workers admits to selling their company login credentials - or knowing someone who has - in the past 12 months. The really alarming bit? Their bosses are even more relaxed about it. Read more in my article on the Fortra blog.
-
Cyber Security News

-
New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials
A new backdoor called PamDOORa has emerged as a serious and growing threat to Linux systems, targeting one of the most trusted components of the operating system to silently steal SSH credentials.
The malware was advertised for sale on a Russian-speaking cybercrime forum called Rehub, with its complete source code initially listed at $1,600 before the seller slashed the price to $900. That sudden drop raised red flags among researchers, suggesting either limited buyer interest or a deliberate rush to offload the tool quickly.
PamDOORa works by hooking the Pluggable Authentication Modules (PAM) framework that Linux systems use to authenticate logins.
Unlike malware that runs as a separate, visible process, this backdoor inserts a malicious module into the authentication stack itself, where it sits in the login path and reads credentials as they are presented, before any log entry is written. That is what makes it dangerous: it operates at a layer most monitoring tools do not watch closely.
Researchers from Group-IB identified the technique and noted that it abuses pam_exec, a standard PAM module designed to run an external command during authentication events.

The Group-IB DFIR team noted that this specific pam_exec abuse had not yet been described in the MITRE ATT&CK framework, so many security teams may not be actively defending against it. (Malicious PAM modules in general fall under T1556.003, Modify Authentication Process: Pluggable Authentication Modules, so detections written for that sub-technique are the natural starting point.)
How PamDOORa Operates on Linux Systems
The threat actor behind PamDOORa operates under the alias “darkworm” on the Rehub forum and demonstrates notable technical knowledge of Linux internals. Analysis of code snippets shared in the advertisement showed realistic and credible techniques that align with known PAM exploitation methods. The seller was assessed as more technically capable and serious compared to other individuals reusing the same alias on lower-tier forums.
What makes PamDOORa especially concerning is not just what it does, but how well it hides. The backdoor is built to manipulate authentication log files including lastlog, btmp, utmp, and wtmp, wiping away any trace that an attacker connected to the server. This means incident response teams called in to investigate a breach may unknowingly have their own credentials stolen the moment they SSH into the compromised machine.

PamDOORa is a post-exploitation tool: the attacker must already have root before deploying it. Once installed, it drops a malicious PAM shared object named pam_linux.so and adds it to the authentication stack alongside the legitimate system modules.
Because it adds a module rather than replacing an existing one, package-integrity checks on the stock modules do not catch it, and the file blends in with the rest of the PAM module directory.
The backdoor provides persistent SSH access keyed to a specific TCP port and a secret "magic password" that only the attacker knows. A routine inspects incoming connections and, when both conditions match, lets the attacker in silently; normal users see nothing unusual.
Credentials submitted by legitimate users during login are intercepted inside the PAM stack, obfuscated with a single XOR key generated at runtime (which hides them from a plain string search but is trivial to reverse once the key is recovered), and written to /tmp under random file names and timestamps.
Anti-Forensics and the Challenge of Detection
What sets PamDOORa apart from simpler backdoors is its built-in anti-forensic capability. The tool actively erases attacker login traces from system logs, leaving behind only failed login entries that investigators are likely to dismiss as noise.
Since credential theft happens inside the PAM layer, application-level logging tools never capture the stolen data, and detection methods focused on user-space processes will miss it entirely.
Security teams are advised to treat any compromised Linux server as having fully exposed credentials, regardless of how limited the breach appears.
Researchers recommend enforcing a mandatory access control policy (SELinux or AppArmor, whichever the distribution ships; they are not normally stacked) for stronger process confinement, running auditd with the DISA STIG rule set so that changes to PAM configuration and module files are recorded, and deploying rkhunter to detect rootkits and unauthorized software. Disabling root login over SSH, locking the root account, and restricting sudo to authorized users shrink the attack surface PamDOORa relies on, since installing it requires root in the first place.
Indicators of Compromise (IoCs):-
Based on information disclosed in the source material, the following indicators were identified from the malicious script executed during SSH authentication:-
| Type | Indicator | Description |
|---|---|---|
| File Name | pam_linux.so | Malicious PAM shared object injected into the authentication stack |
| File Name | tn.sh | Script executed via pam_exec during SSH authentication attempts |
| Directory | /tmp/ | Location where captured credential files are written with dynamic names |
| Network Port | 1234 | Remote port used by netcat (nc) to exfiltrate stolen credential data |
| PAM Config Path | /etc/pam.d/sshd | SSH PAM configuration file modified to load the malicious module |
| PAM Module | pam_exec.so | Legitimate PAM module abused to execute the malicious script silently |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
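The pam_exec abuse and the pam_linux.so module listed in the table above can be checked for with a small audit of the PAM service files. The script below is an added example, not code from the article or from Group-IB; the sample /etc/pam.d/sshd content is constructed, and the module allowlist is an abbreviated stand-in for one built from the distribution's PAM packages.

```python
"""Audit a PAM service file for PamDOORa-style tampering.

Added example, not code from the article or from Group-IB. It parses the
/etc/pam.d syntax and flags two things the IoC table describes: pam_exec.so
entries (with the command they run and whether expose_authtok is set) and
modules missing from a known-good allowlist (pam_linux.so).
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample of /etc/pam.d/sshd with two injected lines (4 and 12).
SAMPLE_SSHD = """\
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_exec.so quiet expose_authtok /tmp/tn.sh
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    optional     pam_linux.so
session    include      postlogin
"""

# Abbreviated allowlist. On a real host build it from the PAM packages,
# e.g. `rpm -ql pam` or `dpkg -L libpam-modules`, not by hand.
KNOWN_MODULES = {
    "pam_deny.so", "pam_env.so", "pam_exec.so", "pam_faildelay.so",
    "pam_keyinit.so", "pam_lastlog.so", "pam_limits.so", "pam_loginuid.so",
    "pam_motd.so", "pam_nologin.so", "pam_permit.so", "pam_selinux.so",
    "pam_sepermit.so", "pam_succeed_if.so", "pam_systemd.so", "pam_unix.so",
}

# type  control  module-path  [args]; control may be the bracketed long form.
PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)
# Flags pam_exec(8) accepts; anything else on the line is the command.
PAM_EXEC_FLAGS = {"debug", "expose_authtok", "quiet", "seteuid", "stdout"}
PAM_EXEC_KV = ("log=", "type=")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    line_no: int
    module: str
    reason: str
    raw: str


def parse_pam(text: str) -> Iterator[Tuple[int, str, str, List[str], str]]:
    """Yield (line_no, control, module, args, raw) for each directive."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if m is None:
            continue  # not a directive we understand; a real tool should flag it
        args = (m.group("args") or "").split()
        yield n, m.group("control"), m.group("module"), args, raw


def pam_exec_command(args: List[str]) -> str:
    """Return the program a pam_exec.so line runs (first non-flag token)."""
    for a in args:
        if a in PAM_EXEC_FLAGS or a.startswith(PAM_EXEC_KV):
            continue
        return a
    return "<none>"


def audit_pam(text: str, known=KNOWN_MODULES) -> List[Finding]:
    findings: List[Finding] = []
    for n, control, module, args, raw in parse_pam(text):
        if control in ("include", "substack"):
            continue  # third field names another config file, not a module
        if module == "pam_exec.so":
            cmd = pam_exec_command(args)
            reason = f"pam_exec runs {cmd}"
            if cmd.startswith(WORLD_WRITABLE):
                reason += " from a world-writable directory"
            if "expose_authtok" in args:
                reason += "; expose_authtok feeds it the cleartext password on stdin"
            findings.append(Finding(n, module, reason, raw))
        elif module not in known:
            findings.append(Finding(n, module, "module not in distro allowlist", raw))
    return findings


if __name__ == "__main__":
    for f in audit_pam(SAMPLE_SSHD):
        print(f"line {f.line_no}: {f.module}: {f.reason}")
```

Run it over every file in /etc/pam.d and the shared files they include, and pair it with a package verification of the PAM module directory (rpm -V pam, or dpkg -V libpam-modules), since a planted .so that is referenced from a file you did not scan will not show up here.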
The post New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials appeared first on Cyber Security News.

-
Cyber Security News

-
Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities
A newly identified malware campaign is targeting senior executives and government investigators across Southeast Asia, using a modular Remote Access Trojan capable of stealing credentials, capturing screenshots, and maintaining deep persistence on infected systems.
The operation, dubbed Operation GriefLure, is running two simultaneous campaigns hitting Vietnam’s military-linked telecom sector and the Philippine healthcare industry.
What makes this threat especially alarming is how it reaches victims. Attackers are not guessing or fabricating stories. In one case, they harvested real legal documents from an ongoing data breach lawsuit, including signed police reports, corporate admission letters, and personal medical records.
Victims who opened the archive received a completely authentic document on screen, with no sign that anything had gone wrong behind the scenes.
Researchers at Seqrite Labs identified and named the campaign, noting that the entire system compromise completes in under 10 seconds with zero visible indicators to the victim. The malware arrives inside a nested compressed archive delivered through a targeted spear phishing email, and its infection chain is engineered to bypass most conventional security tools.
The operation targets two groups simultaneously. The first campaign focuses on senior executives at Viettel Group, Vietnam’s largest telecom operator running under the Ministry of National Defence, as well as cybercrime investigators from Thanh Hoa Provincial Police.
The second targets compliance and audit staff at St. Luke’s Medical Center in the Philippines, using a fabricated whistleblower complaint that invokes alleged financial fraud and accreditation violations worth over PHP 1.5 million.
Both campaigns use the same underlying infrastructure and payload, confirming a single threat actor running a coordinated, modular attack operation across two countries at the same time.
Modular RAT With Credential Theft and Screenshot Capture
At the technical core of this campaign sits a sophisticated modular RAT acting as a multi-purpose implant. Once loaded into memory through a layered execution chain, it harvests credentials from web browsers including Chrome’s stored login data, cookies, and history. It also targets FTP client configurations, remote access tools like Sunlogin and ToDesk, and SSH session files from Xshell, making it a serious threat to anyone who manages privileged system access.
The screenshot capture module retrieves full screen dimensions, accounts for multi-monitor setups, and dynamically adjusts image resolution based on network conditions before transmitting a reconstructed BMP image to the attacker’s command-and-control server. The malware also scans all running processes to build a profile of installed security products, then adjusts its behavior accordingly to reduce detection.

The payload is never stored as a complete file inside the archive. Binary chunks disguised as ordinary document files are concatenated at runtime with the built-in Windows copy command, and a time-based mechanism changes the payload's hash on every execution to defeat signature-based scanning. The assembled executable is then injected into a trusted Windows process, so its activity looks like normal system behaviour to most forensic tools.
Infrastructure, Attribution, and Defensive Measures
The malware communicates with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on IP address 38[.]54[.]122[.]188. This server sits within KAOPU-HK, a Hong Kong-based network with a documented history of providing abuse-resistant hosting to threat actors across Asia-Pacific. Passive intelligence tags the host as bulletproof infrastructure, a strong indicator of deliberate operational security.
Seqrite researchers assess with moderate-to-high confidence that this campaign is linked to a China-nexus threat cluster. Supporting indicators include the use of bulletproof Chinese hosting, an embedded security detection list that enumerates vendors such as 360Safe, Qianxin, and Sangfor, direct targeting of WeChat data within the credential harvesting module, and a broader Southeast Asian footprint spanning military telecom and healthcare.
Organizations in telecom, government, and healthcare across Southeast Asia should treat this as an active and evolving threat. Security teams are advised to block the known C2 domain and IP, monitor for LNK file executions that invoke ftp.exe, flag any process dropping chunked doc files into the Public directory, and audit systems for signs of explorer.exe being respawned under a restricted security context. Because this attack weaponizes genuine legal documents and trusted system binaries, standard user awareness training alone will not stop it.
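The three behaviours the guidance lists can be turned into rules over process-creation telemetry. The following is an added example, not Seqrite's detection content: the event structure mirrors Sysmon event 1 fields, the sample events are constructed (file names borrowed from the IoC table), and two details are assumptions because the article does not specify them: that the LNK-driven ftp.exe launch shows explorer.exe or cmd.exe as its parent (or passes a command script with -s:), and that a respawned explorer.exe is suspect when its parent is not userinit.exe, winlogon.exe or explorer.exe, or when its integrity level is Low.

```python
"""Evaluate process-creation events against the three behaviours the
guidance names. Added example, not Seqrite's detection content."""
import ntpath
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    image: str            # full path of the new process (Sysmon event 1 Image)
    command_line: str
    parent_image: str
    integrity_level: str = "Medium"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


PUBLIC_DIR = r"c:\users\public"
# Assumption: explorer.exe is normally started by userinit.exe at logon,
# relaunches itself, or is restarted by winlogon.exe. Any other parent is
# the 'respawn' the guidance describes, as is a Low/Untrusted integrity level.
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}
# Assumption: the LNK-driven launch appears as ftp.exe under explorer.exe or
# cmd.exe, typically with a command script passed via -s:.
LNK_HOSTS = {"explorer.exe", "cmd.exe"}


def rule_lnk_invokes_ftp(e: ProcEvent) -> bool:
    if _name(e.image) != "ftp.exe":
        return False
    return _name(e.parent_image) in LNK_HOSTS or "-s:" in e.command_line.lower()


def rule_chunk_assembly_in_public(e: ProcEvent) -> bool:
    """copy /b a+b+c dest: binary concatenation of chunk files into Public."""
    cl = e.command_line.lower()
    return "copy" in cl and "/b" in cl and "+" in cl and PUBLIC_DIR in cl


def rule_explorer_respawn(e: ProcEvent) -> bool:
    if _name(e.image) != "explorer.exe":
        return False
    return (_name(e.parent_image) not in EXPLORER_PARENTS
            or e.integrity_level.lower() in {"low", "untrusted"})


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("lnk_invokes_ftp", rule_lnk_invokes_ftp),
    ("chunk_assembly_in_public", rule_chunk_assembly_in_public),
    ("explorer_respawn_restricted", rule_explorer_respawn),
]


def detect(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    return [(name, e) for e in events for name, rule in RULES if rule(e)]


# Constructed sample events; file names are taken from the IoC table.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\ftp.exe",
              r'ftp.exe -s:"C:\Users\Public\ftp.txt"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c copy /b C:\Users\Public\p1.doc+C:\Users\Public\p2.doc "
              r"C:\Users\Public\360.8.dll",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Users\Public\th5znehec.exe", integrity_level="Low"),
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --type=renderer",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        print(f"{name}: {e.command_line}")
```

The explorer.exe rule is the noisiest of the three (users relaunch Explorer from Task Manager), so in production it belongs behind a correlation with the other two rather than as a stand-alone alert.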
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| File Hash (SHA256) | 35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43 | LNK dropper — Viettel-themed lure (Campaign 1) |
| File Hash (SHA256) | bc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b | LNK dropper — Whistleblowing_Report_SLMC lure (Campaign 2) |
| File Hash (SHA256) | 197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6 | LNK — Philippine National ID decoy file |
| File Hash (SHA256) | f34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416 | LNK — iPad_Pro_Display_Spec_Final_CONFIDENTIAL.docx decoy |
| File Hash (SHA256) | bc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b | 360.8.dll — multi-stage shellcode loader |
| File Hash (SHA256) | 61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f | th5znehec.exe — malicious executable |
| File Hash (SHA256) | ee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387 | a.dll — malicious DLL component |
| File Hash (SHA256) | 91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067 | SlULIRDJOiq — unnamed payload artifact |
| File Hash (SHA256) | a49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b | Batch script — payload assembly (variant 1) |
| File Hash (SHA256) | 7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d | Batch script — payload assembly (variant 2) |
| Domain | whatsappcenter[.]com | C2 domain masquerading as legitimate service |
| IP Address | 38[.]54[.]122[.]188 | C2 server hosted on KAOPU-HK bulletproof infrastructure |
The post Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities appeared first on Cyber Security News.

-
Cyber Security News

-
Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials
A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after 250 browser extensions tied to crypto wallets and password managers. The campaign has been active since at least February 2026.
The attack begins at a convincing fake website, openclaw-installer.com, registered on March 9, 2026, which leads visitors to a file called OpenClaw_x64[.]7z. That archive contains a 130MB Rust-based executable padded with fake documentation to pass security scans. The size was deliberate. It clears antivirus file-size thresholds and breaks automated sandbox upload limits in a single move.
Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.
The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”
Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.
Hackers Use Fake OpenClaw Installer
If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.
The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.
That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.
Because the list lives in a remote Git repository rather than hardcoded in any binary, the attacker can update targets without rewriting the malware. The list of apps being targeted can quietly grow without triggering new detections. Separately, the malware also accesses Ledger Live data on the filesystem, giving the attacker two independent theft paths.
The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.
A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, which Netskope says it had not previously seen documented in a crimeware campaign. Persistence is layered across registry autoruns, a Winlogon Userinit hijack, a scheduled task, and Telegram-bot droppers that can re-deliver the implant even after the main component is removed.
A Rapidly Evolving Threat With Rotating Infrastructure
What makes this campaign so hard to shut down is how the attacker handles their infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. During active analysis, the attacker rotated every layer before findings were published.

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.
Security teams should watch for behavioral signals that survive domain rotation. These include unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from non-development processes, and firewall rules being opened programmatically on ports 56001 through 57002. Blocking individual domains alone is not enough. Application-level inspection and behavioral detection are necessary to catch what this campaign is doing inside trusted services.
Indicators of Compromise (IoCs):-
File Hashes
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a | OpenClaw_x64[.]exe — Hologram dropper v1.7.16 (Rust, 130MB padded) |
| SHA256 | f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2 | OpenClaw_x64[.]7z — Hologram dropper container archive |
| SHA256 | f554b6f34fd2710929d74af550ddb50633d36eaf0533f2d0cbbde75670676486 | OpenClaw_x64[.]exe — Pathfinder dropper v3.7.16 (Rust, 118MB padded) |
| SHA256 | 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 | svc_service[.]exe — Stealth Packer C2 beacon / CLR loader (Hologram) |
| SHA256 | 4fcfcb83145223cca6db85e7c840876ec8a56d78efba856ab70287b0e5c8a696 | svc_service[.]exe — Stealth Packer C2 beacon wave 2, beacons to 193.202.84.14:56001 (Pathfinder) |
| SHA256 | 605096b9729bd8eedab460dbd4baf702029fb59842020a27fc0f99fd2ef63040 | virtnetwork[.]exe — Stealth Packer HTTPS C2 tunnel (Hologram) |
| SHA256 | 6ae9f9cfa8e638e933ad8b06de7434c395ec68ee9cc4e735069bfb64646bb180 | onedrive_sync[.]exe — Reflective PE loader via memexec (Hologram) |
| SHA256 | 0c4a9d3579485eaf8801e5ac479cd322ee1e7161b54cc24689b891fa82ba0f1e | audioeq[.]exe — System fingerprinter / recon (Hologram) |
| SHA256 | fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 | WinHealhCare[.]exe — Telegram-bot dropper v2.0 (Hologram) |
| SHA256 | d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 | OneSync[.]exe — Telegram-bot dropper v1.6 (Hologram) |
| SHA256 | 787a28aff72f2ecd2f5e75baf284e61bda9ab8dd3905822c6f620cce809952e8 | vicloud[.]exe — Vidar infostealer (Pathfinder) |
| SHA256 | 1478ccc61b69cee462ea98621ba53adf2de0ce28355c5c4eafaed6d779c8acda | dbau[.]exe — Unknown role (Pathfinder) |
Domains
| Type | Indicator | Description |
|---|---|---|
| Domain | openclaw-installer.com | All waves — Delivery / typosquat site |
| Domain | hkdk.events | All waves — C2 Hookdeck relay |
| Domain | dev.azure.com | All waves — Payload staging (org: sagonbretzpr) |
| Domain | api.telegram.org | All waves — C2 / victim telemetry |
| Domain | frr.rubensbruno.adv.br | Hologram — Primary C2 (hijacked Brazilian law firm domain) |
| Domain | mikolirentryifosttry.info | Hologram — Secondary C2 |
| Domain | transcloud.cc | Hologram — C2 for svc_service[.]exe |
| Domain | steamhostserver.cc | Hologram — C2 rotation |
| Domain | serverconect.cc | Hologram — C2 rotation and loader staging |
| Domain | jollymccalister.lol | Hologram — Dead C2 |
| Domain | t.me/b8bz11 | Hologram — Telegram dead-drop |
| Domain | snippet.host | Hologram — Dead-drop |
| Domain | loclx.io | Hologram — C2 tunnel |
| Domain | hwd.hidayahnetwork.com | Pathfinder — Primary C2 |
| Domain | zkevopenanu.cfd | Pathfinder — Secondary C2 |
| Domain | Rr3Ueff.pw | Pathfinder — Candidate C2 / dead-drop (unconfirmed) |
| Domain | t.me/hgo9tx | Pathfinder — Telegram dead-drop |
| Domain | pastebin.com | Pathfinder — Dead-drop |
IP Addresses
| Type | Indicator | Description |
|---|---|---|
| IP | 188.114.97.3 | Hologram — Proxy for frr.rubensbruno.adv.br primary C2 |
| IP | 45.55.35.48 | Hologram — svc_service[.]exe C2 beacon (port 57001); steamhostserver[.]cc / serverconect[.]cc |
| IP | 193.202.84.14 | Pathfinder — svc_service[.]exe wave-2 C2 beacon (port 56001) |
| IP | 185.196.9.98 | Hologram — transcloud[.]cc resolution (svc_service[.]exe) |
| IP | 91.92.242.30 | Hologram — Infrastructure |
| IP | 147.45.197.92 | Hologram — Encrypted beacon from nested payload |
| IP | 94.228.161.88 | Hologram — Encrypted beacon from nested payload |
| IP | 86.54.42.72 | Hologram — jollymccalister.lol historical resolution; dead C2 |
Dead-drop and Staging URLs
| Type | Indicator | Description |
|---|---|---|
| URL | https://snippet.host/efguhk/raw | Hologram |
| URL | https://snippet.host/iqqmib/raw | Hologram |
| URL | https://snippet.host/wtbtew/raw | Hologram |
| URL | https://snippet.host/uikosx/raw | Hologram and Pathfinder |
| URL | https://pastebin.com/raw/M6KthA5Z | Hologram |
| URL | https://pastebin.com/raw/csi5UqpEw | Hologram |
| URL | https://pastebin.com/raw/fTxiyhbL | Hologram |
| URL | https://pastebin.com/raw/mcwWi1Ue | Hologram |
| URL | https://pastebin.com/raw/w6BVFFWQ | Pathfinder |
| URL | https://dev.azure.com/sagonbretzpr/ | All waves |
Mutexes
| Type | Indicator | Description |
|---|---|---|
| Mutex | Global\StealthPackerMutex_9A8B7C | svc_service[.]exe, virtnetwork[.]exe |
| Mutex | Global{CoreTask1461}_ | onedrive_sync[.]exe |
| String | –johnpidar | Developer string in svc_service[.]exe |
Registry Keys
| Type | Indicator | Description |
|---|---|---|
| Registry | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | WinLogon Userinit hijack via svc_service[.]exe |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run{NetworkManager} | Autorun persistence via onedrive_sync[.]exe |
| Registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderHelper | Autorun persistence via svc_service[.]exe |
Files and Paths
| Type | Indicator | Description |
|---|---|---|
| Path | C:\Users\Public\ | Stage-2 binary drop location |
| Path | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync[.]lnk | Startup persistence LNK |
| Path | %APPDATA%\Roaming\Data\Config\manager[.]exe | Dropped secondary executable via onedrive_sync[.]exe |
| Path | %APPDATA%\Ledger Live | Ledger hardware wallet theft target |
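The guidance above says domain blocking is insufficient and that the signals that survive rotation are process-to-service pairs and the 56001-57002 port range. The following added example (not Netskope's code) refangs entries from the IoC tables on this page and then classifies connection events by three rules: known C2 host, legitimate service contacted by a process not expected to use it, and beacon-port range. The NetEvent structure, the per-service process allowlists, the non-IoC IP addresses (RFC 5737 documentation ranges) and the sample events are constructed.

```python
"""Classify outbound connections using the OpenClaw IoCs plus process context.

Added example, not Netskope's code. Refangs the '[.]' notation used in the
IoC tables, then applies three rules that survive infrastructure rotation.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def refang(ioc: str) -> str:
    """Turn the tables' defanged form back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def defang(ioc: str) -> str:
    """Inverse of refang, for writing indicators back into reports."""
    return ioc.replace(".", "[.]")


# Subset of the published C2 hosts, kept defanged in source and refanged here.
KNOWN_C2: Set[str] = {refang(x) for x in (
    "openclaw-installer[.]com", "frr[.]rubensbruno[.]adv[.]br", "transcloud[.]cc",
    "steamhostserver[.]cc", "serverconect[.]cc", "hwd[.]hidayahnetwork[.]com",
    "45[.]55[.]35[.]48", "193[.]202[.]84[.]14", "185[.]196[.]9[.]98",
)}

# Legitimate services the campaign rides on. Blocking them outright is not
# realistic, so alert on the process instead. Allowlists are assumptions;
# tune them to what actually runs in your fleet.
ABUSED_SERVICES = {
    "hkdk.events": set(),  # no endpoint process has a reason to hit a webhook relay
    "dev.azure.com": {"git.exe", "code.exe", "devenv.exe", "msedge.exe", "chrome.exe"},
    "api.telegram.org": {"telegram.exe", "msedge.exe", "chrome.exe"},
}

BEACON_PORTS = range(56001, 57003)  # 56001..57002 inclusive, per the guidance


@dataclass
class NetEvent:
    process: str    # image name of the initiating process
    dest_host: str  # resolved name when known, otherwise the IP
    dest_ip: str
    dest_port: int


def classify(e: NetEvent) -> Optional[str]:
    """Return a rule label for a suspicious event, or None."""
    host, proc = e.dest_host.lower(), e.process.lower()
    if host in KNOWN_C2 or e.dest_ip in KNOWN_C2:
        return "known_c2"
    if host in ABUSED_SERVICES and proc not in ABUSED_SERVICES[host]:
        return f"unexpected_process_to_{host}"
    if e.dest_port in BEACON_PORTS:
        return "beacon_port_range"
    return None


def ports_in_beacon_range(spec: str) -> List[int]:
    """Parse a firewall-rule port spec such as '80,56001-56003' and return the
    ports inside the beacon range. Feed it the local-port field of rule-added
    events to catch the programmatic firewall openings the guidance mentions."""
    hits: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        hits.extend(p for p in range(lo_i, hi_i + 1) if p in BEACON_PORTS)
    return hits


def scan(events: List[NetEvent]) -> List[Tuple[str, NetEvent]]:
    return [(label, e) for e in events if (label := classify(e))]


# Constructed sample telemetry; 203.0.113.x / 198.51.100.x are documentation
# addresses standing in for whatever the legitimate services resolve to.
SAMPLE_EVENTS = [
    NetEvent("svc_service.exe", "45.55.35.48", "45.55.35.48", 57001),
    NetEvent("svc_service.exe", "hkdk.events", "203.0.113.10", 443),
    NetEvent("code.exe", "dev.azure.com", "203.0.113.11", 443),
    NetEvent("OpenClaw_x64.exe", "dev.azure.com", "203.0.113.11", 443),
    NetEvent("chrome.exe", "api.telegram.org", "203.0.113.12", 443),
    NetEvent("audioeq.exe", "frr.rubensbruno.adv.br", "188.114.97.3", 443),
    NetEvent("virtnetwork.exe", "198.51.100.7", "198.51.100.7", 56001),
]

if __name__ == "__main__":
    for label, e in scan(SAMPLE_EVENTS):
        print(f"{label:40} {e.process} -> {defang(e.dest_host)}:{e.dest_port}")
```

The refang step matters because every table on this page ships its hosts defanged; keep indicators defanged at rest and refang only inside the matching job, as the note above advises. The same loader and allowlist approach applies to the ZiChatBot table's helper.zulipchat.com entry further down.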
The post Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials appeared first on Cyber Security News.

-
Cyber Security News

-
New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server
A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.
This approach is unusual because the malware never communicates with a private server that security tools could flag or block, making it harder to detect through standard network monitoring.
The threat was uncovered after a series of malicious Python packages were found on PyPI, the widely used Python Package Index, starting in July 2025. The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.
Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.
Kaspersky analysts, writing on Securelist, identified and named the malware after analyzing samples through their threat analysis pipeline. Their research confirmed ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.
The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group.

OceanLotus, also known as APT32, is a well-established threat group that has historically focused on targets in the Asia-Pacific region. However, recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now a global supply chain attack through PyPI. This shift reflects a clear effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily.
ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel
The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been officially deactivated. Still, researchers warn that already-infected systems may still attempt to contact the deactivated Zulip endpoint, meaning cleanup on compromised machines remains critical.
ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service, letting its traffic blend in with normal developer communication. Authentication is handled through an API token embedded within each HTTP request header.
The malware operates through two separate channel-topic pairs within the Zulip platform. One pair sends basic system information about the infected machine back to the attacker. The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread. Once a command runs, the malware replies with a heart emoji in the chat to signal completion, showing how carefully attackers disguised operations as routine activity.
The Windows version of ZiChatBot is a DLL file named libcef.dll, loaded through a legitimate executable called vcpktsvr.exe. It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in. On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.
PyPI Supply Chain Attack Used to Deliver the Payload
The attack started with three fake Python libraries uploaded to PyPI, each named to closely resemble tools that developers use in everyday projects. The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions. In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain. This layered method made the attack far less visible to automated tools that only scan surface-level code.
The dropper used AES in CBC mode to hide sensitive strings and embedded payloads. After deploying ZiChatBot, it used shellcode to delete itself, wiping traces of the initial infection. Researchers advise blocking helper.zulipchat.com and alerting on any attempt to reach it, which will surface machines still trying to contact the now-deactivated attacker organization.
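The termncolor -> colorinal chain is the part worth automating: a package that looks clean can still pull a denylisted one in through Requires-Dist. The following added example (not Kaspersky's tooling) walks wheel METADATA transitively against a denylist; the METADATA texts, version numbers and the requests/urllib3 entries are constructed to mirror the chain described above.

```python
"""Walk wheel METADATA dependencies transitively against a denylist.

Added example, not Kaspersky's tooling. The METADATA texts, versions and
the requests/urllib3 entries are constructed to mirror the chain above.
"""
import re
from typing import Dict, List, Tuple

# Core-metadata text as read out of a wheel, e.g.
#   unzip -p termncolor-3.1.0-py3-none-any.whl '*/METADATA'
# Keys are PEP 503 normalized project names.
METADATA: Dict[str, str] = {
    "termncolor": (
        "Metadata-Version: 2.1\nName: termncolor\nVersion: 3.1.0\n"
        "Summary: Terminal colour helpers\n"
        "Requires-Dist: colorinal (>=0.1.7)\n"
    ),
    "colorinal": (
        "Metadata-Version: 2.1\nName: colorinal\nVersion: 0.1.7\n"
        "Requires-Dist: requests\n"
    ),
    "requests": (
        "Metadata-Version: 2.1\nName: requests\nVersion: 2.32.3\n"
        "Requires-Dist: urllib3 (<3,>=1.21.1)\n"
        "Requires-Dist: PySocks (>=1.5.6) ; extra == 'socks'\n"
    ),
    "urllib3": "Metadata-Version: 2.1\nName: urllib3\nVersion: 2.2.2\n",
}

DENYLIST = {"uuid32-utils", "colorinal", "termncolor"}
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 normalization: uuid32_utils, UUID32.utils -> uuid32-utils."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requires_dist(metadata: str) -> List[str]:
    """Direct, non-optional dependency names declared in Requires-Dist."""
    deps: List[str] = []
    for line in metadata.splitlines():
        if not line.startswith("Requires-Dist:"):
            continue
        req = line.split(":", 1)[1].strip()
        spec, _, marker = req.partition(";")
        if "extra ==" in marker:
            continue  # only installed when that extra is requested
        m = _NAME.match(spec.strip())
        if m:
            deps.append(normalize(m.group(0)))
    return deps


def walk(root: str, metadata: Dict[str, str], denylist) -> List[Tuple[str, List[str]]]:
    """Depth-first over the dependency graph; returns (package, path) for
    every denylisted package reachable from root, root included."""
    hits: List[Tuple[str, List[str]]] = []
    seen = set()
    denied = {normalize(d) for d in denylist}

    def visit(pkg: str, path: List[str]) -> None:
        if pkg in seen:
            return
        seen.add(pkg)
        if pkg in denied:
            hits.append((pkg, path))
        for dep in requires_dist(metadata.get(pkg, "")):
            visit(dep, path + [dep])

    start = normalize(root)
    visit(start, [start])
    return hits


if __name__ == "__main__":
    for pkg, path in walk("termncolor", METADATA, DENYLIST):
        print(f"{pkg}: pulled in via {' -> '.join(path)}")
```

For packages you have not installed, fetch wheels with pip download --no-deps and feed their METADATA in. Requires-Dist only covers declared dependencies; an sdist with a setup.py can run arbitrary code at install time that no metadata walk will reveal, so treat this as one check among several, not the check.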
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| File Name | termncolor-3.1.0-py3-none-any.whl | Malicious PyPI wheel package (termncolor) |
| File Name | uuid32_utils-1.x.x-py3-none-xxxx.whl | Malicious PyPI wheel package (uuid32-utils) |
| File Name | colorinal-0.1.7-py3-none-xxxx.whl | Malicious PyPI wheel package (colorinal) |
| File Name | terminate.dll | ZiChatBot dropper (Windows) |
| File Name | terminate.so | ZiChatBot dropper (Linux) |
| File Name | Backward.dll | Alternate dropper name (Windows) |
| File Name | Backward.so | Alternate dropper name (Linux) |
| File Name | libcef.dll | ZiChatBot DLL payload (Windows) |
| File Name | vcpktsvr.exe | Legitimate loader executable used by ZiChatBot |
| Domain | helper.zulipchat.com | Zulip C2 organization used by attackers (now deactivated) |
| Hash (SHA-1) | 5152410aeef667ffaf42d40746af4d840a5a06fa | Malicious file hash |
| Hash (SHA-1) | 2e74a57fd5ed8e85f04a483ae4a0ad38fd18a0e1 | Malicious file hash |
| Hash (SHA-1) | 1199d1c52751908b5598baa59c716590d8841c63 | Malicious file hash |
| Hash (SHA-1) | 12d8349e968782b4feb4236858e3253f77ecf4b0 | Malicious file hash |
| Hash (SHA-1) | b55b6e364be44f27e3fecdce5ad69eca02f47015 | Malicious file hash |
| Hash (SHA-1) | 59fc40067e69bb426776a54fe200f2f6a2120286 | Malicious file hash |
| Hash (SHA-1) | f9056743bc94a49d22538214a3c917ff3b13a9e2 | Malicious file hash |
| Hash (malformed as published: 41 hex chars) | 035ca521ba2f1868f2af9e191ebf47a5fab5cbabc | Malicious file hash; length matches neither SHA-1 nor SHA-256, verify against the source before use |
| Hash (SHA-1) | 33782c94c29dd268a42cbe03542bca5454b85dc3 | Malicious file hash |
| Hash (SHA-1) | 2dc8023cd2be04e4501f16afce65c540d8186d95 | Malicious file hash |
| Hash (SHA-1) | 06e2f84c38a57c4652f4da6c467838957de19eed | Malicious file hash |
| Hash (malformed as published: 65 hex chars) | 40d39da1995682d600e329b7833003a0160925238b75af6cbdb60127decd59140 | Malicious file hash; one character too long for SHA-256, verify against the source before use |
| Hash (malformed as published: 38 hex chars) | d10640a26019b68ef060e593b8651262cbd0f6 | Malicious file hash; two characters short of SHA-1, verify against the source before use |
| Hash (MD5) | 48be833b0b0ca1ad3cf99c66dc89c3f4 | vcpktsvr.exe (legitimate loader) |
| Auth Token | TW9yaWFuLWJvdEBoZWxwZXIuenVsaXBjaGF0LmNvbTpVOFJFWGxJNktmOHFYQjlyUXpPUEJpSUE0YnJKNThxRw== | Zulip API auth token (Base64-encoded, C2 authentication) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server appeared first on Cyber Security News.

-
SpiderLabs Blog

-
Threat Analysis: Backdoored Electron Apps Evading Defenses
This Threat Analysis report is part of the “Purple Team Series” in which the LevelBlue Global Security Operations Center (GSOC) provides a technical overview of some of the methods that threat actors are using to compromise their victims.
-
Cyber Security News

-
Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan
A new banking trojan known as TCLBANKER has been quietly making rounds, and its delivery method is as clever as it is concerning. Attackers are using a trojanized version of a legitimate, digitally signed installer to slip malware onto victims’ machines without raising immediate suspicion.
The campaign, tracked as REF3076, bundles a malicious MSI installer inside a ZIP file and exploits the trust people place in recognizable software names.
The infection begins when a victim runs what appears to be a legitimate Logitech application installer. Inside the package, threat actors have weaponized the Logi AI Prompt Builder, abusing a technique called DLL sideloading to sneak a malicious file into the process. Once the application starts, it automatically loads the harmful DLL without the user ever knowing anything went wrong.
Analysts at Elastic Security Labs identified this new Brazilian banking trojan, assessing it to be a significant evolution of an older malware family known as MAVERICK and SORVEPOTEL. The campaign appears to be in its early stages, with developer artifacts and an incomplete phishing page suggesting the attackers are still actively building out their infrastructure.

TCLBANKER primarily targets users in Brazil, specifically those who visit banking, fintech, and cryptocurrency websites. The trojan monitors the victim’s browser in real time, watching for visits to any of 59 targeted financial domains.
When a match is found, it opens a live connection to the attacker’s command server and puts the operator in full control.
The scope of potential damage goes well beyond simple credential theft. The malware can display fake full-screen overlays that look like real banking interfaces, freeze what the victim sees on the desktop to cause confusion, and kill the Task Manager so users cannot end the malicious process. It is a coordinated operation designed to make the fraud look seamless from the attacker’s side.

The attackers took care to make the infection chain look as normal as possible. The malicious ZIP file contains an MSI installer that mimics the legitimate Logi AI Prompt Builder, a real Flutter-based application.
When installed, the trojanized package drops a fake DLL called screen_retriever_plugin.dll, which masquerades as a genuine Flutter plugin and gets loaded automatically at startup.
The loader inside this DLL is packed with tricks to avoid detection. It checks whether the system is running inside a sandbox or virtual machine, verifies that the user’s default language is Brazilian Portuguese, and even measures timing to catch emulation frameworks that speed up sleep calls.

If anything seems off, the malware simply stops running without leaving obvious traces. This environment-gating approach means the payload only decrypts itself on real, qualifying machines.
Self-Spreading Worm Modules Amplify the Threat
What makes TCLBANKER particularly dangerous is not just what it does on a single machine, but how far it can spread from there. The malware comes with two worm modules designed to send itself to the victim’s contacts using channels those contacts already trust.
The first hijacks the victim’s active WhatsApp Web session in the browser, silently messaging Brazilian contacts with a link to download the malware. The second abuses Microsoft Outlook through automation, sending phishing emails directly from the victim’s own email account.
Because these messages come from real, known senders, they are far harder for security filters to catch. The Outlook bot first harvests the victim’s contact list, then sends targeted emails that look completely authentic.
Elastic researchers noted that all command and file-serving infrastructure runs on Cloudflare Workers under a single account, making it easy for operators to rotate infrastructure quickly when needed.
Organizations and individuals can take several steps to reduce exposure. Keeping security software updated ensures the latest detection signatures are in place.
Being cautious about ZIP files or MSI installers received through messaging apps or email, even from known contacts, is critical given this trojan’s self-spreading behavior. Monitoring for unusual scheduled tasks, unexpected DLL loads alongside legitimate software, and suspicious outbound connections can also help flag infections early.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan appeared first on Cyber Security News.

-
Cyber Security News

-
New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft
A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.
The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.
PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.
One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.
Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”
The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.
The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.

It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.
PCPJack’s Worm-Like Propagation and CVE Exploitation
PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.
This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.
The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.
Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.
Sliver Backdoor and Enterprise-Wide Credential Targeting
SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.
The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.

Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.

To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.
Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft appeared first on Cyber Security News.

-
Cyber Security News

-
New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2
A new and evolving threat has caught the attention of cybersecurity researchers worldwide. A Windows-based information stealer known as NWHStealer has resurfaced with a more sophisticated delivery chain, now using the Bun JavaScript runtime as part of its infection process.
This shift makes it clear that the attackers behind this campaign are actively experimenting with lesser-known tools to stay ahead of security defenses.
NWHStealer is a Rust-based malware capable of stealing sensitive data from infected Windows systems. It spreads through Node.js scripts, MSI installers, and fake software downloads hosted on trusted platforms such as GitHub, GitLab, SourceForge, and Itch.io. Since it blends into legitimate-looking software packages, many users unknowingly download and run it without any suspicion.
Analysts at Malwarebytes identified the new delivery method during routine threat hunting activities.
Researcher Gabriele Orini noted that attackers have now incorporated Bun, a modern JavaScript toolkit built as a high-performance alternative to Node.js, into the malware’s delivery chain. Its relative newness in security circles makes it particularly appealing to attackers trying to slip past detection.
Once inside a system, NWHStealer is highly capable. It collects system information, steals saved browser data and passwords, drains cryptocurrency wallets, and targets applications like Discord, Steam, and FTP clients such as FileZilla.
It can also inject malicious code into browser processes, bypass Windows User Account Control, persist through scheduled tasks, and pull new command-and-control addresses from Telegram to keep the operation alive after partial takedowns.
The scale of this campaign is notable. Attackers continue to create fresh profiles on legitimate platforms to push new lures, making it difficult for moderators to respond quickly. The combination of data theft, persistence, and self-updating infrastructure makes NWHStealer a serious threat to both everyday users and organizations.
Bun Loader, Anti-VM Checks, and Encrypted C2
The infection begins with a ZIP archive disguised as a game trainer, software crack, or utility tool. Detected archive names include MOUSE_PI_Trainer_v1.0.zip, FiveM Mod.zip, TradingView-Activation-Script-0.9.zip, and AutoTune 2026.zip.

Inside sits Installer.exe, which carries JavaScript code bundled with the Bun runtime hidden within its .bun section.
The malicious JavaScript is divided into two key files. The first, sysreq.js, runs PowerShell and WMI commands to check whether the system is a real machine or a virtual one. It inspects CPU count, disk space, screen resolution, hardware manufacturers, and even the username, using a scoring system to decide whether to proceed with infection or stop entirely. This anti-VM layer is designed to avoid detection in automated security analysis environments.
The second file, memload.js, handles communication with the attacker’s command-and-control server. Strings and configurations are encrypted using XOR combined with base64 encoding, making static analysis much harder. The loader sends a report containing the victim’s public IP, system details, and a screenshot to the C2, then fetches an AES-encrypted payload and deploys NWHStealer directly into memory with minimal traces on disk.

Some analyzed ZIP files also include a secondary loader called dw.exe inside a folder labeled “DW.” A Readme.txt inside the archive tells users to run dw.exe manually if the main installer fails, giving attackers a fallback option if the primary C2 server goes offline. This dual-loader setup reflects a deliberate backup plan to ensure delivery regardless of temporary disruptions.
Staying Safe From NWHStealer
Given how widely this stealer is distributed, users should take practical steps to protect themselves. Only download software from official, verified sources and avoid file-sharing platforms unless the publisher’s identity and reputation are clearly established.
Always check a file’s digital signature before running it, as legitimate software will carry consistent, verifiable signing details.
It is also worth inspecting any downloaded archive before opening it. Malicious archives often have unusual file structures, mismatched content, or naming patterns that do not match what was advertised.
Staying cautious with downloads that seem too good to be true, whether a game cheat, a software activator, or a free tool, remains one of the most effective defenses against threats like NWHStealer.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2 appeared first on Cyber Security News.

-
SpiderLabs Blog

-
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
LevelBlue’s Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
-
Unit 42

-
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.
The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.

-
Cyber Security News

-
Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems
Hackers are using convincing fake pages for Claude AI to trick users into running malware on their own systems. The campaign, known as “InstallFix” or the Fake Claude Installer threat, marks a sharp shift in how cybercriminals exploit the trust people place in artificial intelligence tools.
Instead of targeting software vulnerabilities, these attackers are targeting human behavior, knowing that users will follow installation steps without question.
The method is simple and effective. Attackers set up fake Claude AI installation pages and use paid Google Ads to push those pages to the top of search results.

When someone searches for “Claude Code” or “Claude Code install,” a sponsored link appears first, looking exactly like a trusted result. One click leads to a fraudulent site that provides step-by-step instructions with commands tailored to the user’s operating system, either Windows or macOS.

Researchers at Trend Micro identified and documented the campaign, noting that the malware is not a simple infection. It is a multi-stage attack chain that collects system information, disables security features, creates scheduled tasks to survive reboots, and connects to attacker-controlled servers for further instructions.
Confirmed attacks span the United States, Malaysia, the Netherlands, and Thailand, hitting industries from government and education to electronics and food and beverage.
How the Fake Installer Attack Works
What makes this campaign especially dangerous is that it targets both technical and non-technical users. Developers who work with command-line tools are often comfortable copying setup commands from documentation pages, and non-technical users are equally likely to follow on-screen steps that look official. The attackers crafted these fake pages to closely resemble a real Claude installation guide, making the deception very hard to spot.

The threat goes beyond a single download. After the user runs the malicious command, the infection unfolds across multiple stages, each designed to evade detection and remain hidden. Trend Micro’s telemetry confirmed outbound network connections to attacker-controlled servers, and the indicators found align closely with those tied to RedLine Stealer campaigns from 2023.
The attack begins with a Google Ads placement that intercepts users searching for Claude Code. The fake landing page uses a technique called ClickFix, presenting an OS-specific command framed as a required installation step. On Windows, running the command triggers a hidden chain beginning with mshta.exe, a legitimate Windows tool that attackers commonly abuse to execute remote payloads.
The downloaded file, named claude.msixbundle, appears to be a genuine Microsoft package with valid Marketplace signatures, allowing it to pass basic security checks. Embedded inside is an HTA payload that silently executes a VBScript, with the window resized to zero pixels so nothing appears on screen.
That script launches obfuscated PowerShell commands through the SysWOW64 subsystem, bypassing detection by reconstructing the word “powershell” at runtime using split variables.
The stager generates a unique ID for the victim machine by hashing the computer name and username together. It uses this hash to build a custom command-and-control URL for each victim, fetching the final payload from a subdomain on oakenfjrod[.]ru. This per-victim URL approach makes bulk network-level blocking extremely difficult to execute.
Persistence, Data Theft, and RedLine Stealer Connections
Once the shellcode runs in memory, the malware establishes persistence by creating scheduled tasks, allowing it to survive reboots and keep running silently. Dynamic analysis showed the malware reaching out to external IP addresses, collecting browser data, and targeting e-wallet applications installed on the infected machine.
The indicators tied to this campaign match techniques and infrastructure previously linked to RedLine Stealer.
To reduce risk, organizations should block known malicious domains and IP addresses at the firewall and use DNS filtering to prevent users from reaching suspicious or newly registered domains. Legacy scripting tools like mshta.exe should be restricted wherever possible.
Users should also be trained to avoid running commands from sites reached through sponsored search results, to verify download pages against official vendor websites, and to rely on trusted package managers like npm, pip, brew, or winget rather than manual scripts from unknown sources.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems appeared first on Cyber Security News.

-
Cyber Security News

-
Scammers Use Short-Lived VoIP Numbers and Reuse Windows to Defeat Reputation-Based Blocking
Phone-based scams are evolving faster than most security filters can keep up with. Attackers are now leaning heavily on Voice over Internet Protocol (VoIP) numbers that disappear before detection systems can flag them, leaving users exposed and defenders scrambling.
These scam campaigns arrive through email, where attackers embed phone numbers directly into message bodies, subject lines, and file attachments.
The goal is simple: get the recipient to call a fraudulent number and hand over sensitive personal or financial details. By keeping victims on a live call, scammers can manipulate targets far more effectively than a link or attachment alone ever could.
Researchers at Cisco Talos identified this shift toward telephone-oriented attack delivery (TOAD) as one of the leading tactics in modern email threats.
Their analysis, covering a study window from late February to late March 2025, found that the largest scam campaigns all relied on VoIP infrastructure to operate at scale with minimal cost.
Scammers Game the System With VoIP Numbers
What makes VoIP so appealing to scammers is how easily numbers can be obtained and discarded in bulk. With API-driven provisioning available from a small number of providers, threat actors spin up hundreds of numbers quickly, use them briefly, and abandon them before reputation systems catch on. The median phone number lifespan observed during the study was roughly 14 days.

The impact goes well beyond individual users. Organized scam call centers are running campaigns that impersonate major brands like PayPal, Geek Squad, McAfee, and Norton LifeLock, all while directing victims to the same centralized fraudulent operation.
This infrastructure is deliberately built to resist tracing, blending seamlessly into legitimate telecom networks worldwide.
Scammers are not randomly picking phone numbers. They deliberately acquire large sequential blocks of numbers, often by purchasing Direct Inward Dialing (DID) blocks from providers.
When one number gets flagged, they simply rotate to the next in the sequence, a tactic known as sequential number grouping that keeps operations running without interruption.
Cisco Talos found that six of the ten largest campaigns detected during the study period relied entirely on VoIP infrastructure. Sinch, a communications-platform-as-a-service (CPaaS) provider offering programmable APIs for voice and messaging, was identified as the most commonly abused provider. CPaaS platforms are built for automation and high call volumes, which is exactly what large-scale scam operations need.
The reuse patterns are equally calculated. Of 1,962 unique phone numbers analyzed, 68 were reused across multiple consecutive days. Scammers often apply a cool-down period, pausing a number for several days before bringing it back into a new campaign. This timing is designed to outlast update cycles of third-party reputation services, which can take days to distribute fresh intelligence.
Recycling Lures to Stay Under the Radar
One of the most telling tactics Cisco Talos documented is the recycling of the same phone number across completely unrelated lures. A single number might appear in emails posing as an order confirmation, a subscription renewal, and a financial alert all within a short span. This deliberate variation in lure type helps attackers avoid patterns that automated filters would otherwise quickly detect.

In one campaign, the same number was embedded in both HEIC and PDF attachment formats, showing how attackers avoid relying on a single delivery method. HEIC files, commonly associated with iPhone photos, were used to bypass traditional file-type detection while maintaining high image quality. Talos confirmed seeing campaigns with even broader attachment variety, underscoring just how adaptable these threat actors have become.
Security and telecom teams are advised to move beyond email sender filtering, which grows less effective as senders cycle rapidly through disposable domains. Talos recommends treating phone numbers as primary indicators of compromise and applying clustering techniques to connect seemingly unrelated campaigns that share the same phone infrastructure. Real-time reputation monitoring across communication channels and active collaboration between telecom providers are among the most effective steps toward stopping these organized scam networks.
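The clustering Talos recommends can be prototyped from nothing more than the phone numbers embedded in mail. The script below is an added example written for this page, not Talos tooling: it normalises North American numbers found in subjects and bodies (other regions need their own pattern), groups them into sequential DID-style blocks, flags numbers that come back after a cool-down, and flags numbers shared across unrelated lure themes. The six messages are constructed; the 555-01xx numbers are a reserved fictional range.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample messages (not real campaign data). "lure" is the theme the mail impersonates.
SAMPLE_EMAILS = [
    {"date": "2025-03-01", "lure": "order_confirmation",
     "subject": "Your PayPal order #48213", "body": "Not you? Call +1 (888) 555-0142 now."},
    {"date": "2025-03-01", "lure": "subscription_renewal",
     "subject": "Geek Squad renewal", "body": "To cancel call 1-888-555-0143."},
    {"date": "2025-03-02", "lure": "financial_alert",
     "subject": "Card charged $399.99 - ref 888.555.0144", "body": "See attached invoice."},
    {"date": "2025-03-02", "lure": "subscription_renewal",
     "subject": "Norton auto-renew", "body": "Support line +1 888 555 0142"},
    {"date": "2025-03-09", "lure": "order_confirmation",
     "subject": "McAfee invoice", "body": "Questions? +1-888-555-0142"},
    {"date": "2025-03-10", "lure": "financial_alert",
     "subject": "Payment reminder", "body": "Call (206) 555-0199 to confirm."},
]

# NANP-style numbers only (assumption for the sample): optional +1, separators, optional parentheses.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")


def extract_numbers(text):
    """Return the set of phone numbers in text, normalised to +1NXXNXXXXXX."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}


def index_numbers(emails):
    """Map each number to the sorted list of (date, lure) sightings across subject and body."""
    idx = defaultdict(list)
    for m in emails:
        for num in extract_numbers(m["subject"] + " " + m["body"]):
            idx[num].append((date.fromisoformat(m["date"]), m["lure"]))
    return {n: sorted(s) for n, s in idx.items()}


def sequential_blocks(numbers, max_gap=1):
    """Group numbers whose numeric values differ by at most max_gap (sequential DID block detection)."""
    blocks, current = [], []
    for n in sorted(numbers, key=lambda s: int(s[1:])):
        if current and int(n[1:]) - int(current[-1][1:]) > max_gap:
            blocks.append(current)
            current = []
        current.append(n)
    if current:
        blocks.append(current)
    return [b for b in blocks if len(b) > 1]


def reuse_gaps(index, min_gap_days=3):
    """Numbers that reappear after a pause of at least min_gap_days (cool-down reuse)."""
    out = {}
    for num, sightings in index.items():
        days = sorted({d for d, _ in sightings})
        gaps = [(b - a).days for a, b in zip(days, days[1:]) if (b - a).days >= min_gap_days]
        if gaps:
            out[num] = gaps
    return out


def cross_lure(index):
    """Numbers shared by more than one lure theme: the same call centre behind unrelated mails."""
    out = {}
    for num, sightings in index.items():
        lures = sorted({lure for _, lure in sightings})
        if len(lures) > 1:
            out[num] = lures
    return out


def analyze(emails):
    idx = index_numbers(emails)
    return {"blocks": sequential_blocks(idx), "reused": reuse_gaps(idx), "cross_lure": cross_lure(idx)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_EMAILS))
```

On the sample the three 888-555-014x numbers collapse into one block, 0142 comes back after a seven-day pause, and the same 0142 is shared by an order-confirmation and a subscription-renewal lure, so sender-domain filtering would have treated three campaigns as unrelated while the phone key links them.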

-
Cyber Security News

-
UAT-8302 Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies
A sophisticated China-linked hacker group known as UAT-8302 has been quietly targeting government agencies across South America and southeastern Europe, using a mix of custom malware and widely available open-source tools to steal sensitive data.
The group has been active since at least late 2024 and stepped up its operations against government bodies in southeastern Europe through 2025. Their goal is clear: get in, stay hidden, and walk out with as much information as possible.
What makes UAT-8302 particularly dangerous is its ability to blend in. By pairing legitimate cloud services and open-source tools with custom-built malware, the group makes it harder for defenders to separate genuine network activity from a hostile intrusion.
The attackers display a high level of patience, conducting deep and methodical reconnaissance on every endpoint they can reach before pushing further into the target environment. This careful, deliberate approach is widely recognized as a hallmark of state-sponsored threat operations targeting high-value government infrastructure.
Researchers at Cisco Talos identified UAT-8302 as a China-nexus advanced persistent threat group tasked primarily with gaining and maintaining long-term access to government and related entities around the world.
Talos analysts assessed with high confidence that the group shares tooling with several previously disclosed China-nexus clusters, including a threat cluster they track as LongNosedGoblin. The overlap in tools and techniques points to a close operational relationship between these groups.
UAT-8302’s Custom Malware Arsenal
The post-compromise activity follows a familiar and thorough playbook. Once inside a network, the group collects credentials, gathers Active Directory information, and maps out the entire environment before deploying additional malware.
Tools like Impacket, custom PowerShell scripts, and open-source scanning engines are used to discover every reachable endpoint. This approach ensures that attackers fully understand the scope of the environment they now control before deciding on their next move.

The variety of malware families deployed by UAT-8302 shows the group has access to a well-stocked toolkit. The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant. In one documented intrusion, the group also deployed SNAPPYBEE and ZingDoor together, a tactic independently highlighted by Trend Micro in 2024 reporting on similar China-linked activity.
NetDraft is one of the most notable tools in UAT-8302’s arsenal. It is delivered through a DLL side-loading technique where a benign executable loads a malicious DLL-based loader, which then decodes and runs NetDraft within an existing process on the compromised system.
The malware uses the Microsoft Graph API to communicate with its OneDrive-based command-and-control server, allowing it to blend into normal cloud traffic and avoid detection. Talos tracks the embedded helper library used by NetDraft as “FringePorch.”
CloudSorcerer version 3 behaves differently depending on which process it runs inside. If injected into “dnapimg.exe,” it collects system details and pivots into explorer.exe to receive commands through a named pipe channel.
If running inside “spoolsv.exe,” it contacts a GitHub repository to pull down command-and-control information. This shape-shifting behavior makes detection harder for conventional security tools. Talos also noted the use of SNOWRUST, a Rust-based variant of the SNOWLIGHT stager seen in intrusions attributed to other China-nexus clusters.
Open-Source Tools and Lateral Movement
UAT-8302 relies heavily on open-source tools when moving through compromised networks. After gaining initial access, the group runs scanning tools including gogo, naabu, httpx, and PortQry to map services across internal networks and discover new systems to pivot toward.
Credentials are harvested from MobaXterm sessions and Active Directory using tools like adconnectdump.py and SharpGetUserLoginRDP.

To maintain persistent backdoor access, the group deploys Stowaway, an open-source multi-hop proxy tool whose documentation is written in Simplified Chinese, to route attacker traffic into infected hosts inside the enterprise. SoftEther VPN clients were also observed in use.
Government agencies should keep endpoint detection tools updated for these families, monitor outbound connections to Microsoft Graph/OneDrive and GitHub from processes that have no legitimate reason to reach them (NetDraft and CloudSorcerer both use those services for command and control), and regularly audit scheduled tasks and DLL side-loading behaviour across all managed endpoints.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca | NetDraft / FringePorch |
| SHA256 | e56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b | NetDraft / FringePorch |
| SHA256 | 51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2 | NetDraft / FringePorch |
| SHA256 | 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b | VSHELL |
| SHA256 | 199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab | VSHELL |
| SHA256 | 071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6 | ZingDoor |
| SHA256 | 74098b17d5d95e0014cf9c7f41f2a4e4be8baefc2b0eb42d39ae05a95b08ea5 | gogo |
| SHA256 | 2b627f6afe1364a7d0d832ccba87ef33a8a39f30a70a5f395e2a3cb0e2161cb3 | gogo |
| SHA256 | 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001 | Stowaway |
| SHA256 | f859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea | Stowaway |
| SHA256 | 7d9c70fc36143eb33583c30430dcb40cf9d306067594cc30ffd113063acd6292 | anypoxy |
| SHA256 | 57GER1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38 | PortQry scan tool |
| SHA256 | 843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c | DracuLoader |
| SHA256 | 4109f15056414f25140c7027092953264944664480dd53f086acb8e07d9fccab7 | SoftEther VPN |
| SHA256 | 3dec6703b2cbc6157eb67e80061d27f9190c8301c9dd60eb0be1e8b096482d7e7 | SoftEther VPN |
| SHA256 | 9f115e9b32111e4dc29343a2671ab10a2b38448657b24107766dc14ce528fceb | SharpGetUserLoginRDP |
| SHA256 | b19bfca2fc3fdabf0d0551c2e66be895e49f92aedac56654b1b0f51ec66e74042 | SharpGetUserLoginRDP |
| SHA256 | 45cd169bf9cd7298d972425ad0d4e98512f29de4560a155101ab7427e4f4123f4 | PortQry |
| SHA256 | fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00 | PortQry |
| Domain | www[.]drivelivelime[.]com | NetDraft C2 domain |
| URL | hxxps[://]www[.]drivelivelime[.]com/x | NetDraft C2 URL |
| URL | hxxps[://]www[.]drivelivelime[.]com/p | NetDraft C2 URL |
| Domain | msiidentity[.]com | C2 domain |
| URL | hxxps[://]msiidentity[.]com/pw | C2 URL |
| Domain | trafficmanagerupdate[.]com | C2 domain |
| URL | hxxp[://]trafficmanagerupdate[.]com/index[.]php | C2 URL |
| Domain | update-kaspersky[.]workers[.]dev | C2 domain (Cloudflare Worker) |
| IP Address | 85[.]209[.]156[.]3 | Stowaway proxy / C2 server |
| URL | hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe | Malware download URL |
| URL | hxxp[://]85[.]209[.]156[.]3:8082/wagent[.]exe | Malware download URL |
| IP Address | 185[.]238[.]189[.]41 | C2 server |
| IP Address | 103[.]27[.]108[.]55 | C2 server |
| IP Address | 38[.]54[.]32[.]244 | Malware staging server |
| URL | hxxp[://]38[.]54[.]32[.]244/Rar[.]exe | RAR archive download |
| IP Address | 45[.]140[.]168[.]62 | C2 server |
| IP Address | 88[.]151[.]195[.]133 | C2 server |
| IP Address | 156[.]238[.]224[.]82 | C2 server |
| IP Address | 45[.]135[.]135[.]100 | C2 server (anypoxy) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Several hashes in this table do not parse as SHA-256 values as printed (a SHA-256 digest is exactly 64 hexadecimal characters; the second NetDraft entry is one character short and the "PortQry scan tool" entry contains non-hexadecimal characters), so validate every hash against Cisco Talos's original report before loading it into a blocklist.

-
Cyber Security News

-
Hackers Abuse Google Ads to Steal Users GoDaddy ManageWP login Credentials
Hackers are using fake Google ads to steal login credentials from ManageWP users, GoDaddy’s popular platform for managing WordPress websites from a single dashboard. The campaign, which researchers have dubbed “WrongPress,” plants a fraudulent sponsored search result directly above the real ManageWP listing, trapping users before they even realize something is wrong.
ManageWP is widely used by web developers, digital agencies, and enterprises who need to oversee dozens or even hundreds of client websites at once. Because a single account can control that many sites, stealing one set of credentials gives an attacker a massive foothold into an entire web portfolio.
According to WordPress.org, the ManageWP Worker plugin is active on more than one million websites, making the stakes extraordinarily high.
The attack begins the moment a user types “managewp” into Google. The malicious sponsored result appears at the very top of the page, sitting right above the legitimate one.
Researchers at Guardio Labs were the first to identify this campaign and raise the alarm, warning that even cautious users could fall for the trap simply because the fake result appears so convincingly placed.
Still Google for your account login? Beware not to "WrongPress"!
We found yet another Google Ads phish, this time abusing search results for ManageWP, GoDaddy's WordPress admin platform. The fake result sits right on top of the real one, and one click later you're in an AiTM… pic.twitter.com/RtBTN0L5PE
— Guardio Labs (@GuardioLabs) May 6, 2026
What makes this campaign especially difficult to spot is that the fake login page is a near-perfect copy of the real ManageWP screen. There are no obvious red flags for the average user. By the time a victim types their username and password, those credentials have already been silently sent to an attacker-controlled Telegram channel.
Hackers Abuse Google Ads
Guardio Labs confirmed at least 200 unique victims at the time of writing and has been actively reaching out to alert those affected. The research team also managed to infiltrate the attacker’s command-and-control infrastructure, giving them a rare look at the full scale of how this operation runs in real time.
The infection chain is built to dodge Google's ad review systems and the suspicion of real users alike. When a victim clicks the malicious ad, they first pass through a cloaker, a filtering layer that serves a harmless page to automated inspectors and ad-review crawlers while passing genuine users on to the phishing site. Because reviewers never see the malicious landing page, the sponsored result survives Google's ad inspection.
Once the cloaker approves a genuine visitor, they are redirected to a fake ManageWP login page where the adversary-in-the-middle, or AiTM, technique takes over. The attacker’s server acts as a live go-between, forwarding stolen credentials to the real ManageWP platform in real time.
The victim is then shown a fake prompt asking for their two-factor authentication code, which the attacker uses simultaneously to complete the actual login, rendering 2FA completely useless.
The operation is managed through a command-and-control server that gives the attacker a live dashboard for steering ongoing phishing sessions. Guardio Labs noted the kit appears to be a private framework rather than a commodity tool sold on underground forums. Embedded in the code was also a Russian-language disclaimer in which the author denies responsibility for illegal activity and prohibits targeting systems based in Russia.
The Broader Risk to WordPress Site Owners
The danger here extends far beyond a single stolen password. Because ManageWP is a centralized hub, one compromised account can hand an attacker control over hundreds of websites simultaneously. Guardio Labs head researcher Nati Tal confirmed that each account typically hosts hundreds of sites, meaning attackers could inject malware, redirect traffic, or harvest visitor data at a sweeping scale.
Security experts advise avoiding sponsored search results when navigating to login pages for services you use regularly. Bookmarking the official URL or typing it directly into the browser address bar is a far safer habit. Users should also monitor their accounts for unexpected logins and consider adopting phishing-resistant authentication methods, such as hardware security keys, where supported.
The WrongPress campaign is a reminder that even routine actions like Googling a login page can carry serious risk. As attackers grow more creative with search advertising abuse, verifying where a link actually leads before clicking has never mattered more.
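Why a hardware security key survives the WrongPress flow while a 2FA code does not comes down to what the second factor is bound to. The simulation below is an added example, not Guardio's code or the phishing kit: a relying party accepts password plus RFC 6238 TOTP on one path and an origin-bound assertion on the other, and an in-line proxy relays the victim's input on both. The origins are hypothetical .example names, and an HMAC keyed per credential stands in for the FIDO2 private-key signature; that simplification does not change the point, which is that the authenticator signs the origin the browser is actually on and the relying party rejects any origin but its own.

```python
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://managewp.example"         # hypothetical stand-in for the real service origin
PHISH_ORIGIN = "https://managewp-login.example"  # hypothetical attacker origin (RFC 2606 .example)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: a code is valid for anyone who holds it during the step."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Service:
    """Stand-in relying party with two login paths: password+TOTP and an origin-bound assertion."""

    def __init__(self):
        self.users, self.challenges = {}, {}

    def enroll(self, user, password, totp_secret, cred_key):
        self.users[user] = {"pw": password, "totp": totp_secret, "cred": cred_key}

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["pw"], password):
            return None
        # Accept one step of clock drift either way, as real deployments do.
        if not any(hmac.compare_digest(code, totp(u["totp"], now + d)) for d in (-30, 0, 30)):
            return None
        return "session-" + secrets.token_hex(8)

    def begin_assertion(self, user):
        ch = secrets.token_bytes(16)
        self.challenges[user] = ch
        return ch

    def finish_assertion(self, user, origin_claimed, sig):
        u = self.users.get(user)
        ch = self.challenges.pop(user, None)       # single-use challenge
        if not u or ch is None:
            return None
        # Verify the signature over (challenge || origin) AND that the signed origin is ours.
        expected = hmac.new(u["cred"], ch + origin_claimed.encode(), hashlib.sha256).digest()
        if origin_claimed != REAL_ORIGIN or not hmac.compare_digest(expected, sig):
            return None
        return "session-" + secrets.token_hex(8)


class Authenticator:
    """The browser, not the user, supplies the origin, so the key signs the page the user is really on.
    HMAC stands in for the private-key signature of a FIDO2/WebAuthn credential."""

    def __init__(self, cred_key):
        self.cred_key = cred_key

    def sign(self, challenge, browser_origin):
        return hmac.new(self.cred_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def aitm_totp_relay(service, user, password, totp_secret, now):
    """Victim types password and a fresh TOTP into the phishing page; the proxy replays both at once."""
    captured_code = totp(totp_secret, now)          # the victim's app produced this; the proxy just reads it
    return service.login_totp(user, password, captured_code, now)


def aitm_webauthn_relay(service, authenticator, user):
    """Proxy fetches a real challenge, has the victim's browser (on the phishing origin) sign it,
    and forwards the assertion. Returns (honest_origin_attempt, forged_origin_attempt)."""
    challenge = service.begin_assertion(user)
    assertion = authenticator.sign(challenge, PHISH_ORIGIN)
    honest = service.finish_assertion(user, PHISH_ORIGIN, assertion)   # origin check fails
    challenge2 = service.begin_assertion(user)
    assertion2 = authenticator.sign(challenge2, PHISH_ORIGIN)
    forged = service.finish_assertion(user, REAL_ORIGIN, assertion2)    # signature check fails
    return honest, forged


def demo(now=None):
    now = int(time.time()) if now is None else now
    svc = Service()
    totp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    svc.enroll("agency-admin", "correct horse", totp_secret, cred_key)
    auth = Authenticator(cred_key)
    honest, forged = aitm_webauthn_relay(svc, auth, "agency-admin")
    ch = svc.begin_assertion("agency-admin")
    legit = svc.finish_assertion("agency-admin", REAL_ORIGIN, auth.sign(ch, REAL_ORIGIN))
    return {
        "totp_relayed": aitm_totp_relay(svc, "agency-admin", "correct horse", totp_secret, now) is not None,
        "webauthn_relayed": honest is not None,
        "webauthn_relayed_forged_origin": forged is not None,
        "webauthn_legit": legit is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The TOTP path yields a session because the code says nothing about where it was typed; the assertion path fails whether the proxy reports the phishing origin truthfully or lies about it, because the lie breaks the signature. That is the property the "phishing-resistant authentication" advice above relies on.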

-
Cyber Security News

-
28 Fake Call History Apps on Google Play with 7.3M+ Downloads Trick Users to Steal Payments
A new wave of fraudulent Android apps quietly racked up millions of downloads on Google Play before being taken down. These apps, now tracked under the name CallPhantom, promised users something irresistible: the ability to look up the call history of any phone number. What they actually delivered was nothing more than fake data and a very real financial loss.
The scheme worked by exploiting a simple but powerful hook. People are naturally curious about who has called a specific number, and these apps claimed to deliver that information instantly.
Users were shown what looked like partial results and then prompted to pay to unlock the full call history. That history was entirely fabricated right from the start.
Researchers at ESET, publishing on WeLiveSecurity, identified and reported 28 such fraudulent applications on the Google Play Store.
Their analysis found the apps had been cumulatively downloaded over 7.3 million times before Google removed them following ESET's disclosure in December 2025.
The apps primarily targeted Android users in India and the broader Asia-Pacific region. Many came with India’s country code pre-selected and supported UPI, a payment system widely used across India. A screenshot of the fabricated call history data was even included in the app’s Play Store listing, presented as proof the app actually worked.
Fake Call History Apps on Google Play
Despite looking different on the surface, all 28 apps shared the same core purpose: generate fake communication data and charge victims for access. Subscription packages ranged from weekly to yearly, with the highest price reaching up to $80.
The CallPhantom apps fell into two main clusters. The first group had hardcoded names, country codes, and call log templates embedded directly in their code. These were combined with randomly generated phone numbers and shown to users as partial results, pushing them to pay to see more.
The second cluster asked users to enter an email address, claiming the retrieved call history would be delivered there. No data was generated until after payment, and even then, nothing real was ever sent. The apps had no actual capability to access call logs, SMS records, or WhatsApp data from any device.

This shows how deeply the deception was built into the code, with fixed names and timestamps baked in before the app ever reached a user’s phone.
Three payment methods appeared across the apps. Some used Google Play’s official billing system. Others redirected users to third-party UPI apps, with payment details either hardcoded or fetched dynamically from a Firebase real-time database, letting operators swap receiving accounts at will.
A third method embedded payment card checkout forms directly inside the app, violating Google Play’s payments policy and making refunds significantly harder.
Bypassing Refunds and Staying Under the Radar
One of the most deliberate tactics used by CallPhantom was steering users toward payment channels Google could not reverse. When payments went through third-party UPI apps or direct card entry inside the app, Google had no ability to cancel transactions or issue refunds. Victims were left fully dependent on external payment providers or the scam developers themselves.

In at least one case, the app sent deceptive notifications styled as email alerts, falsely claiming call history results had arrived. Tapping the notification led straight to a subscription screen, keeping the pressure on even after users had exited without paying.
Anyone who subscribed through Google Play’s official billing system may be eligible for a refund, as existing subscriptions were canceled when the apps were removed. Requests must fall within Google’s allowed refund window. For purchases made outside Google Play, contacting the payment provider or card issuer directly to dispute the charge is the recommended step.
The most practical protection is verification before downloading. Checking developer credibility, reading user reviews carefully, and staying skeptical of apps claiming to access private data belonging to other people are all steps that help avoid traps like these.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-1 Hash | 799AA5127CA54239D3D4A14367DB3B712012CF14 | all.callhistory.detail.apk — Android/CallPhantom |
| SHA-1 Hash | 56A4FD71D1E4BBA2C5C240BE0D794DCFF709D9EB | calldetaila.ndcallhisto.rytogetan.ynumber.apk — Android/CallPhantom |
| SHA-1 Hash | EC5E470753E76614CD28ECF6A3591F08770B7215 | callhistoryeditor.callhistory.numberdetails.calleridlocator.apk — Android/CallPhantom |
| SHA-1 Hash | 77C8B7BEC79E7D9AE0D0C02DEC4E9AC510429AD8 | com.all_historydownload.anynumber.callhistorybackup.apk — Android/CallPhantom |
| SHA-1 Hash | 9484EFD4C19969F57AFB0C21E6E1A4249C209305 | com.any.numbers.calls.history.apk — Android/CallPhantom |
| SHA-1 Hash | CE97CA7FEECDCAFC6B8E9BD83A370DFA5C336C0A | com.anycallinformation.datadetailswho.callinfo.numberfinder.xapk — Android/CallPhantom |
| SHA-1 Hash | FC3BA2EDAC0BB9801F8535E36F0BCC49ADA5FA5A | com.app.call.detail.history.apk — Android/CallPhantom |
| SHA-1 Hash | B7B80FA34A41E3259E377C0D843643FF736803B8 | com.basehistory.historydownloading.xapk — Android/CallPhantom |
| SHA-1 Hash | F0A8EBD7C4179636BE752ECCFC6BD9E4CD5C7F2C | com.call.detail.caller.history.xapk — Android/CallPhantom |
| SHA-1 Hash | D021E7A0CF45EECC7EE8F57149138725DC77DC9A | com.call.of.any.number.apk — Android/CallPhantom |
| SHA-1 Hash | 04D2221967FFC4312AFDC9B06A0B923BF3579E93 | com.callapp.historyero.apk — Android/CallPhantom |
| SHA-1 Hash | CB31ED027FADBFA3BFFDBC8A84EE1A48A0B7C11D | com.calldetails.smshistory.callhistoryofanynumber.apk — Android/CallPhantom |
| SHA-1 Hash | C840A85B5FBAF1ED3E0F18A10A6520B337A94D4C | com.callhistory.anynumber.chapfvor.history.xapk — Android/CallPhantom |
| SHA-1 Hash | BB6260CA856C37885BF9E952CA3D7E95398DDABF | com.callhistory.calldetails.callerids…callhistorymanager.apk — Android/CallPhantom |
| SHA-1 Hash | 55D46813047E98879901FD2416A23ACF8D8828F5 | com.callhistory.callhistoryany.call.apk — Android/CallPhantom |
| SHA-1 Hash | E23D3905443CDBF4F1B9CA84A6FF250B6D89E093 | com.callhistory.callhistoryyourgf.apk — Android/CallPhantom |
| SHA-1 Hash | 89ECEC01CCB15FCDD2F64E07D0E876A9E79DD3CE | com.callinformative.instantcallhistory…callinfo.xapk — Android/CallPhantom |
| SHA-1 Hash | 8EC557302145B40FE0898105752FFF5E357D7AC9 | com.cddhaduk.callerid.block.contact.xapk — Android/CallPhantom |
| SHA-1 Hash | 6F72FF58A67EF7AAA79CE2342012326C7B46429D | com.easyranktools.callhistoryforanynumber.apk — Android/CallPhantom |
| SHA-1 Hash | 28D3F36BD43D48F02C5058EDD1509E4488112154 | com.getanynumberofcallhistory…findcalldetailsofanynumber.xapk — Android/CallPhantom |
| SHA-1 Hash | 47CEE9DED41B953A84FC9F6ED556EC3AF5BD9345 | com.chdev.callhistory.xapk — Android/CallPhantom |
| SHA-1 Hash | 9199A376B433F888AFE962C9BBD991622E8D39F9 | com.name.factor.apk — Android/CallPhantom |
| SHA-1 Hash | 053A6A723FA2BFDA8A1B113E8A98DD04C6EEF72A | com.pdf.maker.pdfreader.pdfscanner.apk — Android/CallPhantom |
| SHA-1 Hash | 4B537A7152179BBA19D63C9EF287F1AC366AB5CB | com.phone.call.history.tracker.apk — Android/CallPhantom |
| SHA-1 Hash | 87F6B2DB155192692BAD1F26F6AEBB04DBF23AAD | com.pixelxinnovation.manager.apk — Android/CallPhantom |
| SHA-1 Hash | 583D0E7113795C7D68686D37CE7A41535CF56960 | com.rajni.callhistory.apk — Android/CallPhantom |
| SHA-1 Hash | 45D04E06D8B329A01E680539D798DD3AE68904DA | com.sbpinfotech.findlocationofanynumber.xapk — Android/CallPhantom |
| SHA-1 Hash | 34393950A950F5651F3F7811B815B5A21F84A84B | sc.call.ofany.mobiledetail.apk — Android/CallPhantom |
| IP Address | 34.120.160[.]131 | Firebase-hosted C2 IP, Google LLC, first seen 2025 |
| IP Address | 34.120.206[.]254 | Firebase-hosted C2 IP, Google LLC, first seen 2025 |
| Domain | call-history-7cda4-default-rtdb.firebaseio[.]com | Firebase real-time database used for C2 communication |
| Domain | call-history-ecc1e-default-rtdb.firebaseio[.]com | Firebase real-time database used for C2 communication |
| Domain | ch-ap-4-default-rtdb.firebaseio[.]com | Firebase real-time database used for payment URL delivery |
| Domain | chh1-ac0a3-default-rtdb.firebaseio[.]com | Firebase real-time database used for payment URL delivery |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
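Before any of the indicator tables on this page go into a blocklist they should be refanged and validated mechanically; as noted under the UAT-8302 table, several entries there do not even parse. The following is an added example, not part of the article or of any vendor's tooling: it reads rows in the table format used on this page, reverses the [.], [://] and hxxp conventions, checks hashes for the exact length and character set their type implies, and separates loadable indicators from ones that need manual verification. The sample rows are copied from the UAT-8302 and CallPhantom tables above, including two hashes that fail validation.

```python
import re

# Rows copied from the IoC tables on this page; two of the SHA-256 entries are malformed as printed.
SAMPLE_ROWS = """\
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b | VSHELL |
| SHA256 | e56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b | NetDraft / FringePorch |
| SHA256 | 57GER1bb59491f7289b94ab0130d7065d74d2459a802a7550ebf8cd0828f0a09c4d38 | PortQry scan tool |
| SHA-1 Hash | 799AA5127CA54239D3D4A14367DB3B712012CF14 | all.callhistory.detail.apk |
| Domain | www[.]drivelivelime[.]com | NetDraft C2 domain |
| URL | hxxps[://]www[.]drivelivelime[.]com/x | NetDraft C2 URL |
| IP Address | 85[.]209[.]156[.]3 | Stowaway proxy / C2 server |
| Domain | call-history-7cda4-default-rtdb.firebaseio[.]com | Firebase RTDB |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}   # hex characters per digest type


def norm_type(t):
    """Fold the table's type labels ("SHA-1 Hash", "IP Address", ...) onto short keys."""
    t = t.lower().replace("-", "").replace(" hash", "").strip()
    return {"ip address": "ip"}.get(t, t)


def refang(value):
    """Reverse the common defanging conventions: [.], [://], hxxp(s)."""
    v = value.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def parse_rows(table):
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] in ("Type", "---"):
            continue                                   # header, separator or stray line
        rows.append({"type": norm_type(cells[0]), "raw": cells[1], "desc": cells[2]})
    return rows


def validate(row):
    """Return the row with a refanged/normalised value and a validity flag."""
    t, raw = row["type"], row["raw"]
    if t in HASH_LEN:
        ok = re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[t], raw) is not None
        return {**row, "value": raw.lower(), "valid": ok}
    v = refang(raw)
    if t == "ip":
        ok = re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v) is not None and all(int(o) < 256 for o in v.split("."))
    elif t == "domain":
        ok = re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v, re.IGNORECASE) is not None
    elif t == "url":
        ok = re.match(r"https?://[^\s/]+", v) is not None
    else:
        ok = False                                     # unknown type: never load silently
    return {**row, "value": v, "valid": ok}


def triage(table):
    """Split a table into (loadable, rejected); rejected rows need checking against the primary source."""
    checked = [validate(r) for r in parse_rows(table)]
    return [r for r in checked if r["valid"]], [r for r in checked if not r["valid"]]


if __name__ == "__main__":
    loadable, rejected = triage(SAMPLE_ROWS)
    for r in rejected:
        print("REJECT", r["type"], r["raw"], "->", r["desc"])
    print(len(loadable), "indicators ready to load")
```

Rejected rows are the ones to look up in the original Talos or ESET report rather than silently drop or, worse, load as-is, where a 63-character string will simply never match anything.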

-
Cyber Security News

-
Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets
A fresh wave of malicious packages has been quietly spreading through the NuGet ecosystem, one of the most widely used registries in the .NET developer world. Five rogue packages have been discovered posing as legitimate Chinese software libraries, secretly stealing browser credentials, SSH private keys, and cryptocurrency wallet data.
The attack takes a clever approach. Instead of creating obviously suspicious packages, the threat actor built each malicious library on top of real, functional code that developers in Chinese enterprise environments would recognize.
By mimicking trusted tools like AntdUI, a popular WinForms component library, the packages appear legitimate enough to pass casual inspection.
Researchers at Socket.dev identified all five packages, published under a single NuGet account named bmrxntfj. The packages accumulated approximately 64,784 downloads across all versions, placing tens of thousands of developer machines and CI/CD build systems at risk. The campaign traces back to at least September 2025, with all five packages still live at the time of writing.
What makes this campaign persistent is the version rotation technique the operator used. Out of 224 total versions published, 219 were deliberately hidden from public search. By keeping only one version visible while regularly swapping in fresh ones, the attacker invalidated hash-based detection and forced security teams to constantly update their blocklists.
Any developer workstation or build server that ran a package restore referencing these five IDs has potentially been exposed since late 2025. That long lifespan and high download count make this one of the more quietly damaging supply chain threats discovered this year.
Malicious NuGet Packages
The payload fires through a .NET module initializer, which the runtime calls automatically when a matching assembly loads. No user interaction is needed beyond a routine package restore. Once triggered, the malware uses JIT hooking to replace the compiler’s dispatch pointer, gaining control over every method compiled afterward.
A second-stage infostealer named we4ftg.exe then executes. It targets saved credentials across a dozen browsers, including the Chromium-based Chrome, Edge, Brave and Opera as well as Firefox, collecting passwords, autofill data, session cookies, and payment cards. It handles both the legacy and the newer App-Bound Encryption formats Chrome uses to protect its credential stores, confirming the payload has been recently maintained.

Cryptocurrency assets are a major focus. Browser extension wallets including MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet are targeted, along with desktop applications like Exodus, Electrum, Atomic, Guarda, Ledger, and Binance. SSH private keys, Outlook profiles, Steam credentials, and files from Documents, Desktop, and Downloads are also collected.
All harvested data is staged under a folder named to look like a legitimate Microsoft OneDrive directory. Legitimate OneDrive never creates a file by that name at that location, which makes its presence a clear detection signal. Data is then sent to a command-and-control domain registered 33 days before the NuGet publishing burst began.
C2 Infrastructure and Attribution
The primary C2 domain resolves to a server in Amsterdam operated through a virtual hosting provider. Its nameservers run through Njalla, a privacy registrar frequently used by threat actors to obstruct takedown requests. The domain was engineered to resemble a legitimate DNS provider so it would blend into routine firewall logs.
A secondary domain linked to an Alibaba Cloud server in Shanghai appears to host the attacker’s development environment. It produced no hits in public malware databases and was not observed receiving stolen data.
Attribution was confirmed through a unique RSA-1024 key embedded in every .NET Reactor-protected package. That same key appeared in four other malicious files on VirusTotal, including memory dumps predating the NuGet campaign by weeks. Labels on those files point to known malware families including Lumma, Quantum, AgentRacoon, and ArrowRAT.
Developers should immediately check project and lock files for any reference to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI. Any machine that restored these packages should be treated as compromised, with all credentials, API keys, SSH keys, and wallet seeds rotated. Security teams should configure alerts for connections to the known C2 domain and watch for unexpected file creation at the OneDrive staging path.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| NuGet Package | IR.DantUI | Malicious package impersonating AntdUI |
| NuGet Package | IR.Infrastructure.Core | Malicious package impersonating Chinese enterprise library |
| NuGet Package | IR.Infrastructure.DataService.Core | Malicious package impersonating Chinese enterprise library |
| NuGet Package | IR.iplus32 | Malicious package impersonating iplus32 library |
| NuGet Package | IR.OscarUI | Malicious package impersonating Chinese UI library |
| NuGet Account | bmrxntfj | Threat actor publisher account |
| Domain | dns-providersa2[.]com | Primary C2 domain (registered 2026-03-12) |
| URL | https://dns-providersa2[.]com/check | C2 beacon and operator validation endpoint |
| URL | https://dns-providersa2[.]com/upload | Exfiltration upload endpoint |
| IP Address | 62[.]84[.]102[.]85 | VDSINA VPS, ASN 216071, Amsterdam |
| Domain | git[.]justdotrip[.]com | Operator development infrastructure (Alibaba Cloud Shanghai) |
| IP Address | 47[.]100[.]60[.]237 | Alibaba Cloud Shanghai, operator dev server |
| Nameserver | 1-you.njalla[.]no | Njalla nameserver for C2 domain |
| Nameserver | 2-can.njalla[.]in | Njalla nameserver for C2 domain |
| Nameserver | 3-get.njalla[.]fo | Njalla nameserver for C2 domain |
| File Path | C:\ProgramData\Microsoft OneDrive\keys.dat | Malware staging path for harvested data |
| File Name | we4ftg.exe | Second-stage infostealer binary |
| File Name | s4.exe | Rip-scraper memory dump (live stealer capture) |
| SHA-256 | e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e | s4.exe hash |
| SHA-256 | 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf | we4ftg.exe hash |
| SHA-256 | 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c | IR.DantUI v2.1.55 encrypted stage-2 resource |
| SHA-256 | b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9 | IR.Infrastructure.Core v2.1.55 encrypted stage-2 resource |
| SHA-256 | b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa | IR.Infrastructure.DataService.Core v2.1.55 encrypted stage-2 resource |
| SHA-256 | 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824 | IR.iplus32 v2.1.55 encrypted stage-2 resource |
| SHA-256 | 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1 | IR.OscarUI v2.1.55 encrypted stage-2 resource |
| Chrome Extension ID | nkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask wallet extension |
| Chrome Extension ID | ibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink wallet extension |
| Chrome Extension ID | bfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom wallet extension |
| Chrome Extension ID | egjidjbpglichdcondbcbdnbeeppgdph | Trust Wallet extension |
| Chrome Extension ID | hnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase Wallet extension |
| Git Commit Hash | efb675de4b3af3dac3c9cae91075fd7cc2f4f98e | Shared commit hash across campaign packages |
| NuGet Tag | Iplusus | Shared package tag used across campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
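A defender-side implementation of the project-file sweep recommended above, added here as an example and not part of the article or any vendor tooling: it walks a .NET source tree and flags every .csproj, Directory.Packages.props, packages.config or packages.lock.json that references one of the five package IDs in the IoC table. The sample file contents at the bottom are constructed.

```python
"""Scan .NET project and lock files for the malicious NuGet package IDs from the
article's IoC table. Added example, not the article's or any vendor's code;
the sample file contents at the bottom are constructed."""
import json
import re
import sys
from pathlib import Path

# IDs from the IoC table. NuGet IDs are case-insensitive, so everything is lower-cased.
MALICIOUS_PACKAGES = {"ir.dantui", "ir.infrastructure.core",
                      "ir.infrastructure.dataservice.core", "ir.iplus32", "ir.oscarui"}
# Files that declare or pin package IDs in a .NET tree.
PROJECT_FILES = ("*.csproj", "Directory.Packages.props", "packages.config", "packages.lock.json")
# <PackageReference Include=".."/>, <PackageVersion Include=".."/> or legacy <package id=".."/>
_XML_REF = re.compile(r'<(?:PackageReference|PackageVersion)\b[^>]*?\bInclude="([^"]+)"'
                      r'|<package\b[^>]*?\bid="([^"]+)"', re.I)

def package_ids_in(filename: str, text: str) -> set[str]:
    """Lower-cased package IDs declared in one file's contents."""
    if filename.lower() == "packages.lock.json":
        # Lock file layout: {"dependencies": {"<tfm>": {"<PackageId>": {...}}}}
        frameworks = json.loads(text).get("dependencies", {}).values()
        return {pkg.lower() for tfm in frameworks for pkg in tfm}
    return {(m.group(1) or m.group(2)).lower() for m in _XML_REF.finditer(text)}

def malicious_ids_in(filename: str, text: str) -> list[str]:
    """Sorted IoC package IDs referenced by this file; an empty list means clean."""
    return sorted(package_ids_in(filename, text) & MALICIOUS_PACKAGES)

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each affected file under root to the IoC IDs it references."""
    hits = {}
    for pattern in PROJECT_FILES:
        for path in root.rglob(pattern):
            found = malicious_ids_in(path.name, path.read_text("utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples (not from the article) covering both file formats.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="ir.DantUI" Version="2.1.55" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "IR.Infrastructure.Core": {"type": "Direct", "requested": "[2.1.55, )"},
    "Serilog": {"type": "Transitive", "resolved": "3.1.1"}}}})

if __name__ == "__main__":  # usage: python scan_nuget.py <source-tree>
    for path, ids in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(f"{path}: references {', '.join(ids)} -- treat this machine as compromised")
```

A hit means the package was restored on that machine, so the article's rotation advice (credentials, API keys, SSH keys, wallet seeds) applies to it, not just to the repository.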
The post Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets appeared first on Cyber Security News.

-
Firewall Daily – The Cyber Express

-
Global Instructure Breach Hits Queensland Schools Through QLearn Platform
A major QLearn cybersecurity incident has affected thousands of educational institutions globally, including Queensland state schools and universities, after a cyber breach involving third-party education technology provider Instructure exposed personal information linked to students and staff. Queensland Education Minister John-Paul Langbroek confirmed the incident in an official statement, saying the Queensland Department of Education was briefed about the international cybersecurity breach
Global Instructure Breach Hits Queensland Schools Through QLearn Platform
QLearn Cybersecurity Incident Impacts Queensland Schools
The Department of Education said students and staff who have worked or studied at Education Queensland schools since 2020 may have been affected by the QLearn cybersecurity incident. Authorities stated that compromised information currently appears limited to names, email addresses, and school locations. Officials added there is currently no evidence that passwords, dates of birth, or financial information were accessed during the breach.
The online learning platform QLearn was introduced in Queensland schools in 2020 under the previous government and has since become a widely used digital education system across the state. Minister Langbroek said school principals have already begun contacting affected families and teachers to notify them about the breach and provide further guidance.
“This morning I have been briefed by the Department of Education about an international cybersecurity breach involving a third-party provider, Instructure, which delivers the Department’s online learning platform, QLearn,” Langbroek said in the statement.
Instructure Data Breach Raises Concerns Across Education Sector
The QLearn cybersecurity incident has once again highlighted the growing cybersecurity risks facing the global education sector, particularly as schools and universities continue relying heavily on third-party digital learning platforms. Because the breach involves Instructure, a provider serving institutions across multiple countries, the incident extends far beyond Queensland. Authorities indicated that educational institutions across Australia and overseas are also impacted.
While officials stressed that no sensitive financial or authentication data has been identified as compromised so far, cybersecurity experts often warn that exposed personal information such as names and email addresses can still be valuable to cybercriminals. Threat actors frequently use this type of information in phishing campaigns, identity-based scams, and social engineering attacks targeting students, parents, and school employees.
The Department of Education has not publicly disclosed how the cybersecurity breach occurred or whether any ransomware or unauthorized network access was involved. Investigations into the incident are ongoing.
Queensland Department Prioritizes Support for Vulnerable Families
In response to the QLearn cybersecurity incident, the Queensland Department of Education said it is prioritizing support for vulnerable individuals and families potentially affected by the breach. According to the Minister’s statement, the Department is providing priority assistance to families and teachers with known family and domestic violence concerns, as well as individuals connected to Child Safety services.
The additional support measures appear aimed at reducing potential risks associated with the exposure of school-related location information and contact details. Government agencies increasingly recognize that cybersecurity incidents affecting education systems can carry broader safety implications, especially for vulnerable groups whose personal or location-related information may require additional protection.
Global Education Sector Continues Facing Cybersecurity Threats
The QLearn cybersecurity incident adds to a growing list of cyberattacks and data breaches targeting educational institutions worldwide. Schools, universities, and online learning providers have become frequent targets due to the large amount of personal information they manage and the widespread use of interconnected digital platforms. Education systems often rely on multiple third-party vendors for online learning, communications, and student management services, increasing the potential attack surface for cybercriminals.
The Queensland Department of Education said it will continue updating the public as more information becomes available from the ongoing investigation into the breach. At this stage, authorities have not advised affected individuals to reset passwords or take additional security measures, though officials are continuing to assess the full scope and impact of the incident. The investigation into the Instructure-related breach remains active as educational institutions worldwide work to determine the extent of the exposure and any potential long-term cybersecurity implications.
-
Unit 42

-
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years appeared first on Unit 42.
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis.
The post Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years appeared first on Unit 42.

-
Cyber Security News

-
Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass
A dangerous new piece of malware called Remus has surfaced, quietly picking up where one of the most feared information stealers left off. Designed to steal browser passwords, cookies, and cryptocurrency wallets, Remus carries the DNA of Lumma Stealer, one of the most technically advanced stealers-as-a-service seen in recent history. Remus first appeared in the wild around January and February 2026, arriving shortly after Lumma Stealer suffered a major disruption. Between late August and
Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass
A dangerous new piece of malware called Remus has surfaced, quietly picking up where one of the most feared information stealers left off.
Designed to steal browser passwords, cookies, and cryptocurrency wallets, Remus carries the DNA of Lumma Stealer, one of the most technically advanced stealers-as-a-service seen in recent history.
Remus first appeared in the wild around January and February 2026, arriving shortly after Lumma Stealer suffered a major disruption. Between late August and October 2025, alleged core members behind Lumma were exposed through a doxxing campaign that rattled the group’s operations.
Researchers believe some of Lumma’s authors split off or chose to rebuild under a new name, and Remus appears to be the result.
Analysts at Gen Threat Labs identified this new threat, tracing its roots to test builds labeled as Tenzor. Dated September 16, 2025, those builds served as a bridge between Lumma and what would become Remus.
Researchers Vojtech Krejsa and Jan Rubin identified Remus as a new 64-bit variant of the Lumma family, noting that Lumma was originally a 32-bit operation.
What makes Remus especially concerning is how closely it mirrors Lumma in design and behavior. The two share the same string obfuscation method, anti-virtual machine checks, nearly identical code structure, and a browser encryption bypass that researchers had only ever seen Lumma use. This level of overlap points strongly to a shared origin.
While Lumma campaigns continue globally, Remus is not a direct replacement. It is more of a natural evolution, upgrading the architecture to 64-bit and adding newer evasion techniques. Both threats represent a widening footprint for an actor that has already proven very hard to stop.
Lumma-Style Browser Key Theft
One of Remus’s most alarming inherited capabilities is its method for breaking into browser-protected data. It targets Application-Bound Encryption, a security layer Chromium browsers use to protect sensitive keys stored on disk.
Rather than reading the key off disk, Remus injects a small shellcode into the live browser process to locate and decrypt the master key from inside the browser’s own memory.

This technique had previously only been observed in Lumma Stealer. Remus searches for a specific byte pattern inside the browser’s code, locates the encrypted key in memory, and uses the browser’s own decryption functions to unlock it.
The shellcode Remus injects is more compact at 51 bytes versus Lumma’s 62, suggesting active refinement.
If injection into an existing browser process fails, Remus launches a hidden browser on a separate desktop, invisible to the user.
Unlike Lumma, which used a hardcoded desktop name, Remus generates a random 16-character string each time. This makes detection harder for tools that rely on fixed naming patterns.
EtherHiding and Anti-Analysis Evasion
Beyond encryption bypass, Remus introduces a key upgrade in how it contacts its command-and-control servers. Lumma relied on platforms like Steam and Telegram to store server addresses.
Remus replaces this with EtherHiding, embedding the server address inside an Ethereum blockchain smart contract, making its infrastructure far harder to disrupt.

Because blockchain data is decentralized and cannot be removed by any platform operator, there is no single point of failure for defenders to target.
Remus queries the smart contract at runtime over a public endpoint and pulls the current server address, removing a defensive lever that had worked against Lumma.
Remus also adds checks to detect analysis tools and sandbox environments before executing. It scans for DLLs linked to known analysis platforms and checks for a specific honeypot file on disk.
If either check triggers, the malware exits silently. These capabilities make Remus a stealthier and more sophisticated threat that security teams need to address without delay.
The post Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass appeared first on Cyber Security News.
