Cyberveillecurated by Decio
Nuage de tags
Mur d'images
Quotidien
Flux RSS
  • Flux RSS
  • Daily Feed
  • Weekly Feed
  • Monthly Feed
Filtres

Liens par page

  • 20 links
  • 50 links
  • 100 links

Filtres

Untagged links
page 1 / 16
301 résultats taggé malware  ✕
That DeepSeek installer you just clicked? It's malware https://www.theregister.com/2025/06/11/deepseek_installer_or_infostealing_malware/
12/06/2025 09:19:50
QRCode
archive.org
thumbnail

Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".

The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.

This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.

To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat.”
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.

Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.

This campaign used the URL https[:]//deepseek-platform[.]com.

The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".

theregister EN 2025 BrowserVenom malware DeepSeek fake installer
Dero miner spreads inside containerized Linux environments | Securelist https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/
01/06/2025 17:15:18
QRCode
archive.org
thumbnail

Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.

During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:

The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:

nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.

The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.

After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.

securelist EN 2025 Compromise-assessment Containers Cryptocurrencies Docker Linux Malware Malware-Descriptions Malware-Technologies Miner
SVG Phishing Malware Being Distributed with Analysis Obstruction Feature https://asec.ahnlab.com/en/87078/
26/05/2025 10:56:55
QRCode
archive.org
thumbnail

AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. SVG is an XML-based vector image file format commonly used for icons, logos, charts, and graphs, and it allows the use of CSS and JS scripts within the code. In November 2024, the ASEC Blog introduced SVG […]

asec.ahnlab.com EN 2025 ASEC SVG Phishing Malware XML-based vector image analysis
How Adversary Telegram Bots Help to Reveal Threats: Case Study  - ANY.RUN's Cybersecurity Blog https://any.run/cybersecurity-blog/adversary-telegram-bot-abuse
21/05/2025 13:17:49
QRCode
archive.org
thumbnail

Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.

While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts.

Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog.

The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.

Key outcomes of this analysis include:

Examination and technical analysis of a lesser known phishing campaign
Demonstration of Telegram API-based data interception techniques
Collection of threat intelligence (TI) indicators to help identify the actor
Recommendations for detecting this type of threat

any.run EN 2025 Telegram analysis malware indicators bots
Printer company provided infected software downloads for half a year https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads
16/05/2025 15:12:51
QRCode
archive.org

When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems.

The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hopes of finding a professional malware analyst who can figure out the truth.

All these software downloads are available on mega.nz with a different mega folder link for each product. Overall, there are 8 GB of files and archives for all six products. Most files were last updated in October 2024, which is six months ago at the time of writing.

gdatasoftware EN 2025 UVprinter printer driver malware Floxif
LockBit Ransomware v4.0 https://chuongdong.com/reverse%20engineering/2025/03/15/Lockbit4Ransomware/
30/04/2025 11:30:36
QRCode
archive.org

Malware Analysis Report - LockBit Ransomware v4.0

In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme.

This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families.

As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.

chuongdong EN 2025 Malware Analysis Report LockBit LockBit4.0 ransomware
CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/
27/04/2025 11:57:14
QRCode
archive.org
thumbnail

Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.

wired EN 2025 CyberAv3ngers iran malware Critical-Infrastructure state-sponsored
New Rust Botnet "RustoBot" is Routed via Routers https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
23/04/2025 08:30:04
QRCode
archive.org

FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Learn more about this malware targeting these devices.

fortinet EN 2025 TOTOLINK Botnet Rust Routers RustoBot malware
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation https://www.cleafy.com/cleafy-labs/supercardx-exposing-chinese-speaker-maas-for-nfc-relay-fraud-operation
21/04/2025 09:20:01
QRCode
archive.org
thumbnail

This report details a newly identified and active fraud campaign, highlighting the emergence of sophisticated mobile malware leveraging innovative techniques:

  • SuperCard X Malware: A novel Android malware offered through a Malware-as-a-Service (MaaS) model, enabling NFC relay attacks for fraudulent cash-outs.
  • Evolving Threat Landscape: Demonstrates the continuous advancement of mobile malware in the financial sector, with NFC relay representing a significant new capability.
  • Combined Attack Vectors: Employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud.
  • Low Detection Rate: SuperCard X currently exhibits a low detection rate among antivirus solutions due to its focused functionality and minimalistic permission model.‍
  • Broad Target Scope: The fraud scheme targets customers of banking institutions and card issuers, aiming to compromise payment card data.
cleafy.com EN 2025 SuperCardX Malware NFC report campaign mobile
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/?_bhlid=7cad219df2b33b89940e503424edaf8ccb6df9b1
20/04/2025 12:38:06
QRCode
archive.org
thumbnail

Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.

microsoft EN 2025 Node.js malware ClickFix exfiltration analysis campaign
Microsoft Warns of Node.js Abuse for Malware Delivery https://www.securityweek.com/microsoft-warns-of-node-js-abuse-for-malware-delivery/
16/04/2025 14:38:27
QRCode
archive.org

In the past months Microsoft has seen multiple campaigns involving Node.js to deliver malware and other malicious payloads.

Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads.

The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.

securityweek EN 2025 malware node.js Microsoft Abuse
A miner and the ClipBanker Trojan being distributed via SourceForge | Securelist https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/?ref=metacurity.com
09/04/2025 20:20:08
QRCode
archive.org
thumbnail

Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.

securelist EN 2025 officepackage ClipBanker Cryptocurrencies Malware Malware-Descriptions Malware-Technologies Microsoft-Office Miner Piracy SourceForge Trojan
Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective — Elastic Security Labs https://www.elastic.co/security-labs/outlaw-linux-malware
06/04/2025 11:21:09
QRCode
archive.org
thumbnail

OUTLAW is a persistent yet unsophisticated auto-propagating coinminer package observed across multiple versions over the past few years [1], [2], [3], [4]. Despite lacking stealth and advanced evasion techniques, it remains active and effective by leveraging simple but impactful tactics such as SSH brute-forcing, SSH key and cron-based persistence, and manually modified commodity miners and IRC channels. This persistence highlights how botnet operators can achieve widespread impact without relying on sophisticated techniques.

elastic EN 2025 OUTLOW linux malware analisys
Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/
02/04/2025 14:56:40
QRCode
archive.org
thumbnail

New malware targets Apache Tomcat servers, hijacking resources through stealthy payloads & lateral movement. What to watch for to protect your workloads

aquasec EN 2025 Tomcat Ongoing Attacks malware workloads
Hidden Malware Strikes Again: Mu-Plugins Under Attack https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html
31/03/2025 19:30:17
QRCode
archive.org
thumbnail

Hidden malware strikes WordPress mu-plugins. Our latest findings reveal how to safeguard your site against these threats.

sucuri EN 2025 Wordpress Mu-Plugins malware Hidden plugin
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
23/03/2025 10:56:48
QRCode
archive.org
thumbnail

Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]

microsoft EN 2025 microsoft Phishing campaign credential-stealing malware Booking.com ClickFix
WordPress ClickFix Malware Causes Google Warnings and Infected Computers https://blog.sucuri.net/2025/02/wordpress-clickfix-malware-causes-google-warnings-and-infected-computers.html
23/02/2025 21:00:41
QRCode
archive.org
thumbnail

Learn about the fake Google reCAPTCHA campaign infecting machines by tricking unsuspecting users into running malicious Powershell commands.

sucuri EN 2025 WordPress ClickFix Malware reCAPTCHA
Microsoft spots XCSSET macOS malware variant used for crypto theft https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos-malware-variant-used-for-crypto-theft/
18/02/2025 15:37:22
QRCode
archive.org
thumbnail

A new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app.

bleepingcomputer EN 2025 Apple Malware Supply-Chain-Attack Xcode XCSSET Security
Hidden Backdoors Uncovered in WordPress Malware Investigation https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-malware-investigation.html
16/02/2025 14:38:31
QRCode
archive.org
thumbnail

Dive into our investigation of WordPress malware and find out how mu-plugins are used to hide backdoor threats.

sucuri E*N 2025 WordPress malware backdoor plugin php mu-plugins
PirateFi game on Steam caught installing password-stealing malware https://www.bleepingcomputer.com/news/security/piratefi-game-on-steam-caught-installing-password-stealing-malware/
16/02/2025 14:28:40
QRCode
archive.org
thumbnail

A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users.

bleepingcomputer EN 2025 Games Gaming Malware Steam Valve
page 1 / 16
4395 links
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service par la communauté Shaarli - Theme by kalvn - Curated by Decio