Tag

Malware

All articles tagged with #malware

GlassWorm Expands IDE Infection with Zig-Compiled Dropper
technology, 18 hours ago

Security researchers warn that the GlassWorm campaign uses a Zig-compiled native dropper embedded in an Open VSX extension masquerading as WakaTime to scan a host for multiple IDEs (including VS Code, VS Code Insiders, and forks), download a malicious VSIX, and silently install it across all IDEs. A second-stage dropper then exfiltrates data, deploys a remote-access trojan, and installs an info-stealing Chrome extension, with indicators suggesting broad compromise for affected users.

Axios supply-chain breach delivers cross-platform RAT through fake dependency
security, 11 days ago

Axios was hit by a supply-chain attack after attackers used compromised maintainer credentials to publish axios v1.14.1 and v0.30.4, which inject the fake dependency plain-crypto-js. The postinstall script in that dependency drops a cross-platform RAT on macOS, Windows, and Linux, contacting a C2 server and delivering platform-specific payloads before self-deleting. Users should downgrade to 1.14.0 or 0.30.3, rotate credentials, remove plain-crypto-js from node_modules, audit CI/CD for the affected installs, and block egress to the C2 domain sfrclak.com. Axios itself wasn’t modified; the malicious behavior resided entirely in a transitive dependency, with additional vendored packages also distributing the malware.

Perseus Android Banking Malware Expands Tactics by Monitoring Notes and Enabling Live Control
technology, 21 days ago

Security researchers warn of Perseus, a new Android banking malware evolved from Cerberus and Phoenix, distributed via phishing dropper apps and using Accessibility-based remote sessions to take over devices. It performs overlay attacks and keystroke logging, and notably monitors note apps (Google Keep, Samsung Notes, Evernote, OneNote, etc.) to exfiltrate data, while allowing operators to issue remote commands through a C2 panel (examples include scan_notes, start_vnc, click_coord) and even stream the victim’s screen. Perseus also conducts anti-analysis checks and focuses on targets in Turkey, Italy and several European markets, highlighting a trend toward more adaptable, data-focused Android threats.

Google reveals 24-hour window to bypass Android app verification for sideloaded apps
technology, 22 days ago

Google plans a phased Android app verification rollout, restricting sideloading to verified developers starting September 2026. An “advanced flow” buried in developer settings lets power users bypass verification after a 24-hour wait, while non‑Play Store apps must have identity verification, signing-key uploads, and a $25 fee. The approach aims to curb malware, with the initial rollout in Brazil, Singapore, Indonesia, and Thailand before expanding globally.

MacSync Infostealer Lures Mac Users Through ClickFix Social-Engineering Campaigns
technology, 25 days ago

Three ClickFix campaigns have been found delivering the macOS infostealer MacSync by tricking users into pasting Terminal commands to download and run a shell script that fetches the payload and exfiltrates credentials, keychains, and seed phrases. The campaigns (Nov 2025 using OpenAI Atlas bait via Google ads; Dec 2025 via ChatGPT-related pages; Feb 2026 with a new variant) rely on social-engineering lures, malvertising, and trusted platforms to disguise malicious commands and payloads, with in-memory AppleScript execution to evade detection. Defenders are urged to patch hosting platforms (e.g., WordPress), monitor for ClickFix/trojan lures, and maintain zero-trust principles as attackers adapt tactics.

FBI Probes Malware Hidden in Steam Indie Games
technology, 28 days ago

The FBI’s Seattle Division has issued a public call for information from victims of malware embedded in indie games on Steam between roughly May 2024 and January 2026. Seven games are named (BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, Tokenova); the affected titles were removed from Valve’s storefront earlier this year. The agency says a single threat actor is behind the campaign and notes that victims may be eligible for restitution and other rights under federal and state law as the investigation continues.

AI Accelerates Cyberattacks Across the Kill Chain, Microsoft Warns
cybersecurity, 1 month ago

Microsoft's Threat Intelligence report finds threat actors are using generative AI to speed up and scale cyberattacks across the entire lifecycle—drafting phishing emails, creating malware, developing infrastructure, and fabricating realistic identities for remote‑worker schemes—while defenders should strengthen identity, detect credential abuse, and secure AI systems; the trend is echoed by Google and Amazon.

OAuth Redirect Attacks Deliver Malware and Bypass MFA
security, 1 month ago

Microsoft Defender researchers warn attackers abuse OAuth 2.0 redirect flows to bypass phishing protections by registering malicious OAuth apps and directing users to attacker-controlled redirect URIs, sometimes via PDFs; victims are taken to phishing pages or intermediaries like EvilProxy that can intercept session cookies to bypass MFA. Other campaigns deliver ZIPs with LNK files that launch PowerShell and DLL side-loading to drop payloads. These are identity-based threats exploiting standard OAuth error handling; Microsoft advises tighter OAuth permissions, stronger identity protections, Conditional Access, and cross-domain detection across email, identity, and endpoints.

OAuth Redirect Abuse Targets Government Agencies With Malware Delivery
security, 1 month ago

Microsoft warns of phishing campaigns that exploit OAuth redirect flows to bypass email and browser defenses, steering government and public-sector victims to attacker-controlled landing pages. Attackers use a malicious OAuth app with a redirect URL to rogue domains; victims authenticate, triggering ZIP-delivered payloads that execute PowerShell, DLL sideloading, and in-memory malware to reach a remote C2 server. Some campaigns also employ EvilProxy for credential interception. Defenders are advised to limit user consent, review app permissions, and remove unused or overprivileged apps.

AI-assisted Arkanix Stealer: a fleeting dark-web info-stealer experiment
technology, 1 month ago

Kaspersky researchers say Arkanix Stealer, promoted on dark-web forums in Oct 2025, was likely an AI-assisted, short-lived information-stealer project with Python and native C++ versions, a Discord community, and a referral scheme. It could harvest browser data (including OAuth2 tokens), cryptocurrency wallet data, and credentials from Telegram and Discord, plus local-file exfiltration and modular plugins. The premium variant added anti-sandbox/debugging checks, RDP credential theft, and advanced post-exploitation tools like ChromElevator to bypass protections. The operation’s unclear purpose points to rapid, low-cost AI-driven malware development rather than a sustained campaign, with IoCs published by Kaspersky.

PromptSpy Uses Gemini AI to Permanently Bind Itself to Android’s Recent Apps
technology, 1 month ago

Researchers identify PromptSpy as the first Android malware to leverage Google’s Gemini AI to analyze on-screen UI and issue step-by-step instructions that pin the app to the recent apps list, making it hard to uninstall. The malware can capture lockscreen data, take screenshots, and record video, and uses a built-in VNC module and accessibility services to enable remote access and ongoing data collection, including PINs and screen content, via a hard-coded C2. It is distributed via mgardownload.com masquerading as JPMorgan Chase (MorganArg), appears aimed at Argentina, and is not on Google Play; Chinese-language strings hint at its development context.

PromptSpy: Android malware harnesses AI at runtime to harden persistence
technology, 1 month ago

Researchers from ESET describe PromptSpy, the first Android malware to run a generative AI model (Google Gemini) at runtime to adapt its persistence across devices. The malware uses Gemini to receive JSON instructions via screen data (UI elements, coordinates) and perform actions to pin itself in the Android Recent Apps list, executing via Accessibility Service. It also includes a VNC module for remote control, enabling data exfiltration, screen recording, and real-time surveillance such as intercepting PINs, recording unlock gestures, and capturing screenshots. It even overlays invisible UI elements to hinder uninstallation. It’s unclear whether PromptSpy is a proof-of-concept or in the wild, but distribution appears limited and tied to a domain used for initial drops. The case highlights how AI can enable dynamic, real-time modification of malware behavior.

AI Assistants Turned Stealthy Malware Relays for C2 Traffic
technology, 1 month ago

Researchers show that AI assistants like Grok and Microsoft Copilot can be abused as covert command-and-control relays for malware, directing the AI to fetch attacker-controlled URLs and relay results back via WebView2, potentially bypassing safeguards; Microsoft acknowledges the risk and recommends defense-in-depth to block infections and limit post-compromise activity.

AI Chat Assistants Could Serve as Stealthy Malware C2 Relays
cybersecurity, 1 month ago

Cybersecurity researchers warn that AI assistants with web-browsing capabilities (such as Microsoft Copilot and xAI Grok) can be hijacked as stealthy, bidirectional command-and-control relays. By feeding crafted prompts, attackers can issue commands to a compromised host and exfiltrate data via trusted AI services, effectively turning living-off-trusted-sites (LOTS) into C2 channels and enabling AI-assisted malware operations and real-time evasion, without requiring API keys.