SecuriTricks - cryptocurrency

Affidavit in Support of Application for Criminal Complaint

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage camp…

cryptocurrency

cyber espionage

russia-aligned

2026-06-11

denis obrezko

office 365 compromise

proxy infrastructure

session token theft

void blizzard

Published: June 11, 2026

Downloadable IOCs: 2

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX …

Published: May 28, 2026

Downloadable IOCs: 35

Infostealer Campaign Using Trading App as Lure

A sophisticated infostealer operation was discovered masquerading as a cryptocurrency trading application called Tralert FX. The malicious MSI installer achieved only 3/52 AV detections by using a valid EV code signing certificate from a likely front company, AgilusTech LLC. The campaign has been a…

Published: May 20, 2026

Downloadable IOCs: 4

Thus Spoke…The Gentlemen

On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet a…

cryptocurrency

ransomware-as-a-service

Published: May 13, 2026

Linked vulnerabilities : CVE-2024-55591 (CVSS 9.8), CVE-2025-32433 (CVSS 10.0), CVE-2025-33073 (CVSS 8.8)

Downloadable IOCs: 33

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-deve…

Published: April 23, 2026

Downloadable IOCs: 14

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including…

Published: March 18, 2026

Downloadable IOCs: 5

Fake Pudgy World site steals crypto passwords

A sophisticated phishing campaign is targeting users of the newly-launched Pudgy World browser game, exploiting the game's requirement to connect cryptocurrency wallets. The fake site mimics the official game's appearance and wallet connection process, presenting convincing forgeries of 11 differen…

Published: March 18, 2026

Downloadable IOCs: 0

GoPix banking Trojan targeting Brazilian financial institutions

GoPix is an advanced persistent threat targeting Brazilian financial institutions and cryptocurrency users. It uses memory-only implants and obfuscated PowerShell scripts, evolving from previous RAT and ATS threats. The malware employs sophisticated techniques, including malvertising via Google Ads…

Published: March 16, 2026

Downloadable IOCs: 10

BeatBanker: both banker and miner for Android

BeatBanker is a sophisticated Android malware campaign targeting Brazil. It spreads through phishing attacks using a fake Google Play Store website. The malware combines a cryptocurrency miner and a banking Trojan capable of hijacking devices and overlaying screens. It employs creative persistence …

Published: March 10, 2026

Downloadable IOCs: 5

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

A sophisticated iOS exploit kit named Coruna has been discovered, targeting iPhones running iOS 13.0 to 17.2.1. The kit contains five full iOS exploit chains and 23 exploits, using advanced techniques and mitigation bypasses. Initially used by a surveillance vendor, it was later employed in targete…

Published: March 3, 2026

Linked vulnerabilities : CVE-2023-43000 (CVSS 8.8), CVE-2023-41974, CVE-2024-23222, CVE-2023-32434, CVE-2023-32409, CVE-2024-23296, CVE-2023-38606, CVE-2020-27950, CVE-2021-30952, CVE-2020-27932, CVE-2022-48503, CVE-2024-23225

Downloadable IOCs: 77

Banners, Bots and Butchers: The AI-Driven Long Con in Asia

This intelligence report details a hybrid cryptocurrency investment scam campaign targeting users in Asia, particularly Japan. The scam combines malvertising techniques to attract victims with pig butchering tactics using AI-powered chatbots for sustained engagement. Victims are lured through socia…

Published: February 19, 2026

Downloadable IOCs: 0

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl command…

credential harvesting

Published: February 19, 2026

Linked vulnerabilities : CVE-2026-25253 (CVSS 8.8)

Downloadable IOCs: 5

Arkanix Stealer targets a variety of data, offers a MaaS referral program

Arkanix Stealer, a newly discovered malware operating under a Malware-as-a-Service model, targets a wide range of user data including cryptocurrencies, gaming, and online banking information. The stealer, available in both Python and C++ versions, offers configurable features and employs various te…

Published: February 19, 2026

Downloadable IOCs: 10

Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations

Threat actors have been observed exploiting Net Monitor for Employees Professional and SimpleHelp software in ransomware operations. These legitimate tools were used for remote access, command execution, and persistence. The attackers disguised Net Monitor as Microsoft OneDrive and configured Simpl…

Published: February 12, 2026

Downloadable IOCs: 8

Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering

North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The at…

Published: February 9, 2026

Downloadable IOCs: 15

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The at…

Published: February 9, 2026

Downloadable IOCs: 15

Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw

Almost 400 fake crypto trading add-ons in the Moltbot/OpenClaw AI assistant project have been discovered, potentially leading users to install information-stealing malware. These add-ons, known as skills, masquerade as cryptocurrency trading automation tools and target various platforms. The malici…

Published: February 4, 2026

Downloadable IOCs: 1

LABYRINTH CHOLLIMA Evolves into Three Adversaries

The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYR…

backdoor.apt.fakewinhttphelper

Published: January 30, 2026

Downloadable IOCs: 33

PurpleBravo’s Targeting of the IT Software Supply Chain

PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cry…

software supply chain

browser credential theft

it services

Published: January 21, 2026

Downloadable IOCs: 187

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based appro…

Published: January 21, 2026

Downloadable IOCs: 6

Analyzing the MonetaStealer macOS Threat

Security researchers discovered a suspicious Mach-O binary masquerading as a Windows .exe file, named MonetaStealer. This PyInstaller-compiled malware targets macOS systems and is believed to be in early development. MonetaStealer focuses on stealing Chrome browser data, cryptocurrency wallet infor…

Published: January 19, 2026

Linked vulnerabilities : CVE-2025-24277

Downloadable IOCs: 4

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

A North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware utilized three infection mechanisms: VSCode auto-execution, backend RCE via Function Constructor, and cookie payload delivery. The inf…

Published: January 15, 2026

Downloadable IOCs: 8

Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations

RedVDS, a virtual dedicated server provider, has been utilized by multiple financially motivated threat actors for business email compromise, phishing, account takeover, and financial fraud. The service offers inexpensive Windows-based RDP servers with full administrator control, attracting cybercr…

business email compromise

Published: January 14, 2026

Downloadable IOCs: 1

Malicious NPM Packages Deliver NodeCordRAT

Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for com…

Published: January 8, 2026

Downloadable IOCs: 0

EmEditor Homepage Download Button Served Malware for 4 Days

Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings…

Published: December 30, 2025

Downloadable IOCs: 1

NuGet malware targets crypto wallets, OAuth tokens

ReversingLabs discovered malicious packages on NuGet targeting the crypto ecosystem. The campaign, starting in July 2025, involved 14 packages impersonating legitimate crypto-related tools. The malware aimed to steal crypto funds by redirecting transactions or exfiltrating secrets for wallet access…

Published: December 17, 2025

Downloadable IOCs: 0

How Lazarus's IT Workers Scheme Was Caught Live on Camera

This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for corporate espionage and funding. Researchers posed as potential recruit…

it worker infiltration

sandbox analysis

Published: December 9, 2025

Downloadable IOCs: 12

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities,…

Published: December 3, 2025

Downloadable IOCs: 4

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvn…

Published: November 26, 2025

Downloadable IOCs: 2

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…

Published: November 14, 2025

Downloadable IOCs: 84

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder an…

Published: November 14, 2025

Downloadable IOCs: 5

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…

Published: November 14, 2025

Downloadable IOCs: 16

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group…

Published: November 9, 2025

Downloadable IOCs: 1

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

A new two-stage malware named LeakyInjector and LeakyStealer has been identified, targeting cryptocurrency wallets and browser history. LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine to modi…

Published: November 7, 2025

Downloadable IOCs: 5

"Sneaky" new Android malware takes over your phone, hiding in fake news and ID apps

A sophisticated Android Trojan has been discovered that masquerades as trusted apps like news readers or digital ID applications. Once installed, it quietly operates in the background, stealing sensitive information such as login credentials and financial data. The malware exploits Android's Access…

accessibility services

2025-11-05

android/trojan.spy.banker.aur9b9b491bc44

Published: November 5, 2025

Downloadable IOCs: 0

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitm…

Published: October 28, 2025

Downloadable IOCs: 90

IIS servers owned by RudePanda like it's 2003

A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP .NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for cryptocurrency scam…

remote command execution

Published: October 22, 2025

Downloadable IOCs: 36

New Stealit Campaign Abuses Node.js Single Executable Application

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed a…

single executable application

stealit

Published: October 11, 2025

Downloadable IOCs: 12

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

An analysis of robots.txt files revealed over 60 cryptocurrency phishing pages impersonating hardware wallet brands Trezor and Ledger. The actor behind these pages attempted to block phishing reporting sites by including their endpoints in the robots.txt file, demonstrating a misunderstanding of it…

Published: September 30, 2025

Downloadable IOCs: 2

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techni…

Published: September 25, 2025

Downloadable IOCs: 33

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …

Published: September 10, 2025

Downloadable IOCs: 14

The Rise of RatOn: From NFC heists to remote control and ATS

A new Android banking trojan named RatOn has emerged, combining NFC relay attacks with remote access and automated transfer capabilities. Discovered by analysts monitoring the NFSkate threat group, RatOn targets cryptocurrency wallets and banking applications, particularly in the Czech Republic and…

Published: September 9, 2025

Downloadable IOCs: 23

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverag…

infrastructure monitoring

contagiousdrop

Published: September 4, 2025

Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…

Published: September 4, 2025

Downloadable IOCs: 0

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …

Published: September 3, 2025

Downloadable IOCs: 0

Boxing Clever: Uncovering a $1M Task Scam Cluster Exploiting Major Brands

A sophisticated task scam cluster has been discovered, exploiting major brands like Delta Airlines, AMC Theatres, and Universal Studios. The scam uses API-driven templates and cryptocurrency payments, with over $1 million in attributable transactions. Victims are lured into 'earning' money by compl…

Published: August 26, 2025

Downloadable IOCs: 7

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES ru…

financial institutions

2025-08-22

harly

facestealer

Published: August 22, 2025

Downloadable IOCs: 0

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…

ai-generated websites

lovable platform

Published: August 21, 2025

Downloadable IOCs: 0

Uncovering a Web3 Interview Scam

A Ukrainian Web3 team's interview process involved cloning a GitHub repository containing malicious components. Analysis revealed the project replaced a legitimate dependency with a malicious NPM package, [email protected]. This package collected sensitive data, including cryptocurrency wallet info…

Published: August 13, 2025

Downloadable IOCs: 0

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…

Published: August 12, 2025

Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…

Published: August 8, 2025

Downloadable IOCs: 6

Efimer Trojan delivered via email and hacked WordPress websites

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-contr…

Published: August 8, 2025

Downloadable IOCs: 16

PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT

A large-scale Malware-as-a-Service operation, orchestrated by Chinese-speaking threat actors, has infected over 11,000 Android devices globally with the PlayPraetor Remote Access Trojan. The campaign primarily targets Europe, with significant presence in Portugal, Spain, and France, but also affect…

accessibility services

2025-08-07

playpraetor

Published: August 7, 2025

Downloadable IOCs: 0

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

SentinelLABS has uncovered a series of cryptocurrency scams where threat actors distribute malicious smart contracts disguised as trading bots to drain user wallets. The campaign has stolen over $900,000 US and uses aged YouTube accounts with curated comment sections to create a false sense of legi…

Published: August 7, 2025

Downloadable IOCs: 0

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…

Published: July 31, 2025

Downloadable IOCs: 268

Chinese Malware Delivery Domains: Part III

This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake applicat…

Published: July 18, 2025

Downloadable IOCs: 1159

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…

Published: July 17, 2025

Downloadable IOCs: 31

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…

Published: July 17, 2025

Downloadable IOCs: 0

The Solidity Language open-source package was used in a $500,000 crypto heist

A blockchain developer in Russia lost $500,000 in crypto assets due to a malicious Solidity Language extension for Cursor AI IDE. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one due to ranking algorithms. It installed malware that allowed remot…

heur:trojan-psw.msil.purelogs.gen

Published: July 16, 2025

Linked vulnerabilities : CVE-2024-3721

Downloadable IOCs: 0

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…

Published: July 16, 2025

Downloadable IOCs: 1

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…

Published: July 4, 2025

Downloadable IOCs: 9

The new SparkKitty Trojan spy in the App Store and Google Play

A new spyware campaign dubbed SparkKitty has been discovered targeting both iOS and Android devices. The malware, believed to be connected to the previously identified SparkCat campaign, is distributed through official app stores and unofficial sources. It primarily steals photos from infected devi…

Published: June 23, 2025

Downloadable IOCs: 20

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…

Published: June 20, 2025

Downloadable IOCs: 0

Crypto Phishing Applications On The Play Store

An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate wallets like SushiSwap and PancakeSwap. These malicious apps employ phishing techniques to steal users' mnemonic phrases, allowing access to real wallets and theft of funds…

Published: June 20, 2025

Downloadable IOCs: 36

Hiding in GitHub

An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and…

Published: June 20, 2025

Downloadable IOCs: 4

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…

Published: June 19, 2025

Downloadable IOCs: 18

Famous Chollima deploying Python version of GolangGhost RAT

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with exper…

Published: June 18, 2025

Downloadable IOCs: 67

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both variants use a multi-stage infection process, starting with a Windows shortcut (LNK) file that downloads a dropper from a content delivery network. The PE varia…

powershell

cryptocurrency

stealer

multi-stage infection

browser extensions

2025-06-17

kimjongrat

content delivery network

Published: June 17, 2025

Downloadable IOCs: 0

Crocodilus Mobile Malware: Evolving Fast, Going Global

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce a…

Published: June 3, 2025

Downloadable IOCs: 4

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…

Published: May 29, 2025

Downloadable IOCs: 27

Katz Stealer Threat Analysis

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScri…

Published: May 26, 2025

Downloadable IOCs: 34

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…

Published: May 13, 2025

Downloadable IOCs: 0

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …

Published: May 12, 2025

Downloadable IOCs: 0

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…

financial institutions

Published: May 11, 2025

Downloadable IOCs: 0

New Finance Scam Discovered Abusing Niche X/Twitter Advertising Loophole

A new financial scam has been uncovered that exploits a loophole in X/Twitter's advertising display URL feature. The scam spoofs legitimate domains like CNN while directing users to a cryptocurrency scam website impersonating Apple's brand. The fraudulent site promotes a fake 'iToken' and includes …

Published: May 9, 2025

Downloadable IOCs: 65

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking se…

redirection techniques

search engine poisoning

wallet theft

Published: May 9, 2025

Downloadable IOCs: 71

Unmasking the FreeDrain Network

A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lur…

phishing

cryptocurrency

infrastructure analysis

Published: May 8, 2025

Downloadable IOCs: 0

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

This report analyzes common techniques, tactics, and procedures (TTPs) used by several investment scam actors who lure victims with fake platforms, including crypto exchanges. Key TTPs include registering large numbers of domains algorithmically, embedding similar web forms to collect user data, hi…

registered domain generation algorithms

Published: May 6, 2025

Downloadable IOCs: 87

HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware perf…

Published: April 30, 2025

Downloadable IOCs: 4

Pentagon Stealer: Go and Python Malware Targeting Crypto

Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sens…

Published: April 30, 2025

Downloadable IOCs: 19

Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web…

Published: April 29, 2025

Downloadable IOCs: 2

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …

Published: April 25, 2025

Downloadable IOCs: 0

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…

anonymization networks

Published: April 24, 2025

Downloadable IOCs: 45

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…

Published: April 23, 2025

Downloadable IOCs: 4

Malicious PyPi Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and…

Published: April 16, 2025

Downloadable IOCs: 2

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…

Published: April 14, 2025

Downloadable IOCs: 41

Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wa…

software supply chain

Published: April 14, 2025

Downloadable IOCs: 1

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …

Published: April 8, 2025

Downloadable IOCs: 0

Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, …

Published: April 8, 2025

Downloadable IOCs: 6

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…

seed phrase poisoning

Published: April 7, 2025

Downloadable IOCs: 45

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…

Published: April 3, 2025

Downloadable IOCs: 6

Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency

Cybercriminals are exploiting a live stream featuring Elon Musk, Cathie Wood, and Jack Dorsey discussing cryptocurrency to conduct scams. They modify the original video, adding frames that advertise malicious websites claiming to double users' cryptocurrency investments. Multiple YouTube channels w…

social media exploitation

elon musk

live stream

double investment

Published: April 2, 2025

Downloadable IOCs: 10

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Wi…

Published: April 1, 2025

Downloadable IOCs: 86

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…

coinminer:mbt.26mw.in14.talos

2025-03-28

trojan.generickd.33515991

money laundering

simple_custom_detection

regulatory changes

Published: March 28, 2025

Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …

Published: March 25, 2025

Downloadable IOCs: 5

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…

Published: March 21, 2025

Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…

Published: March 21, 2025

Downloadable IOCs: 2

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …

Published: March 14, 2025

Downloadable IOCs: 28

Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims

A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platfor…

Published: March 13, 2025

Downloadable IOCs: 36

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…

russian-speaking cybercriminals

Published: March 13, 2025

Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…

Published: February 26, 2025

Downloadable IOCs: 0

DeepSeek Lure Used To Spread Malware

Cybercriminals are exploiting DeepSeek's popularity by creating fake look-alike domains to deliver the Vidar information stealer. The attack chain involves a deceptive website that prompts users to complete a fake partner registration, leading to a malicious CAPTCHA page. This page injects a PowerS…

Published: February 25, 2025

Downloadable IOCs: 40

Fake GitHub projects distribute stealers in GitVenom campaign

The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit numbers to appear genuine. The malicious code, implemented…

Published: February 24, 2025

Downloadable IOCs: 2

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…

Published: February 21, 2025

Downloadable IOCs: 0

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…

Published: February 18, 2025

Downloadable IOCs: 5

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…

Published: February 17, 2025

Downloadable IOCs: 14

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…

Published: February 15, 2025

Downloadable IOCs: 0

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…

Published: February 13, 2025

Downloadable IOCs: 43

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…

Published: February 6, 2025

Downloadable IOCs: 0

Uncovering Cyber Threat Networks: SmartApeSG & NetSupport RAT

This investigation explores the connections between SmartApeSG, a FakeUpdate threat, and NetSupport RAT. Through analysis of Internet telemetry data, the research uncovered related C2 management hosts, active NetSupport RAT servers, and cross-connections to suspicious infrastructure. Key findings i…

Published: February 4, 2025

Downloadable IOCs: 57

Analysis of Astral Stealer

Astral Stealer v1.8 is a powerful malware tool coded in Python, C#, and JavaScript, designed for data theft and crypto wallet exploitation. It targets gaming accounts, browser credentials, and cryptocurrency wallets while employing anti-debugging and VM bypass techniques. The stealer offers advance…

Published: January 31, 2025

Downloadable IOCs: 3

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…

north korea

cryptocurrency

data exfiltration

software supply chain

command-and-control

2025-01-30

phantom circuit

Published: January 30, 2025

Downloadable IOCs: 13

APT-C-26 (Lazarus) continues to upgrade its attack weapons, using Electron programs to target the cryptocurrency industry

The APT-C-26 (Lazarus) group has been observed using Electron-packaged malicious programs disguised as cryptocurrency trading tools to target individuals in the cryptocurrency industry. The attack involves a multi-stage process, including the use of poisoned open-source projects, obfuscated malicio…

Published: January 22, 2025

Downloadable IOCs: 0

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authe…

Published: January 17, 2025

Downloadable IOCs: 26

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…

Published: January 13, 2025

Downloadable IOCs: 4

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…

Published: January 9, 2025

Downloadable IOCs: 25

CoinLurker: The Stealer Powering the Next Generation of Fake Updates

CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive ent…

cryptocurrency

2024-12-17

coinlurker

Published: December 17, 2024

Downloadable IOCs: 50

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…

Published: December 16, 2024

Downloadable IOCs: 0

CURLing for Crypto on Honeypots

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The a…

Published: December 9, 2024

Downloadable IOCs: 37

Malicious PyPI crypto pay package aiocpa implants infostealer code

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…

software supply chain

2024-11-29

threat hunting

Published: November 29, 2024

Downloadable IOCs: 0

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…

vulnerability exploitation

Published: November 27, 2024

Linked vulnerabilities : CVE-2024-27348, CVE-2021-20090, CVE-2022-30525, CVE-2018-10562, CVE-2018-10561, CVE-2022-30075, CVE-2018-9995, CVE-2017-17106, CVE-2017-18368, CVE-2014-8361, CVE-2017-17215

Downloadable IOCs: 12

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…

Published: November 8, 2024

Downloadable IOCs: 0

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…

Published: November 6, 2024

Downloadable IOCs: 56

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…

transaction hijacking

sms interception

g700 rat

Published: November 4, 2024

Downloadable IOCs: 3

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…

Published: November 4, 2024

Downloadable IOCs: 2

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…

software supply chain

namesquatting

Published: October 25, 2024

Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…

Published: October 23, 2024

Linked vulnerabilities : CVE-2024-4947

Downloadable IOCs: 2

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…

Published: October 21, 2024

Downloadable IOCs: 23

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…

Published: October 21, 2024

Downloadable IOCs: 0

The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer

This analysis examines three emerging malware threats: Divulge Stealer, DedSec Stealer, and Duck Stealer. These stealers, often promoted on platforms like GitHub and Telegram, target browser data, game information, and sensitive personal details. Divulge Stealer, a successor to Umbral Stealer, feat…

Published: October 21, 2024

Downloadable IOCs: 3

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…

Published: October 18, 2024

Downloadable IOCs: 171

YUNIT STEALER

Yunit Stealer is a sophisticated malware targeting sensitive user data through credential theft and system manipulation. It employs advanced evasion techniques to bypass security measures, maintaining persistence on compromised systems. The malware performs comprehensive data extraction, including …

credential extraction

yunit stealer

Published: October 7, 2024

Downloadable IOCs: 0

VILSA STEALER

A new malware called Vilsa Stealer has emerged on GitHub, notable for its speed and efficiency in extracting sensitive data. This sophisticated tool targets browser credentials, tokens, and various application data. It supports major browsers and over 40 crypto wallets, using Python as its programm…

Published: October 7, 2024

Downloadable IOCs: 3

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…

Published: September 30, 2024

Downloadable IOCs: 12

WalletConnect Scam: A Case Study in Crypto Drainer Tactics

An investigation uncovered a malicious app on Google Play targeting mobile users to steal cryptocurrency. The app, posing as a legitimate WalletConnect tool, used advanced evasion techniques to avoid detection for nearly five months. It achieved over 10,000 downloads through fake reviews and brandi…

Published: September 26, 2024

Downloadable IOCs: 6

Russia-linked crypto threat actor involved in political spoofing tracked

A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large clus…

Published: September 20, 2024

Downloadable IOCs: 6

Deep Fake Crypto Scams

Cybercriminals exploited the U.S. presidential debate to launch a cryptocurrency scam using deep fake videos. The scam featured fake streams on hijacked YouTube channels, claiming to show Elon Musk and Donald Trump debating Kamala Harris. The videos directed viewers to invest in cryptocurrency duri…

Published: September 20, 2024

Downloadable IOCs: 24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…

Published: September 19, 2024

Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094

Downloadable IOCs: 16

A Network of Harm: Gigabud Threat and Its Associates

An investigation reveals a significant connection between Gigabud and Spynote malware families, targeting over 50 financial apps including banks and cryptocurrency platforms. The campaign utilizes sophisticated distribution methods, including 11 command and control servers and 79 phishing websites …

Published: September 17, 2024

Downloadable IOCs: 116

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…

Published: September 13, 2024

Downloadable IOCs: 4

BLX STEALER

Identified as a sophisticated dropper binary designed to deploy an information stealer dubbed BLX Stealer or XLABB Stealer, this malware has been actively promoted on Telegram and Discord platforms. It targets credentials, browser data, cryptocurrency wallets, and other sensitive personal informati…

Published: September 11, 2024

Downloadable IOCs: 5

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…

Published: September 9, 2024

Downloadable IOCs: 17

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…

Published: August 23, 2024

Downloadable IOCs: 9

TodoSwift Disguises Malware Download Behind Bitcoin PDF

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's t…

Published: August 19, 2024

Downloadable IOCs: 7

2024 Paris Olympic Games Infrastructure Attack Report

This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…

Published: August 16, 2024

Downloadable IOCs: 148

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…

Published: August 16, 2024

Downloadable IOCs: 68

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…

Published: July 10, 2024

Downloadable IOCs: 14

We're not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

While cryptocurrency and blockchain have lost mainstream attention, cybercriminals continue to exploit these technologies through various scams like memecoins, rug pulls, and unregulated social media platforms. This report also highlights the SneakyChef threat actor's ongoing campaign targeting gov…

Published: June 28, 2024

Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)

Downloadable IOCs: 4

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…

Published: June 7, 2024

Downloadable IOCs: 7

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…

Published: June 6, 2024

Linked vulnerabilities : CVE-2023-33246

Downloadable IOCs: 21

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…

Published: May 13, 2024

Downloadable IOCs: 3

Tag: cryptocurrency

Attack reports

Affidavit in Support of Application for Criminal Complaint

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

Infostealer Campaign Using Trading App as Lure

Thus Spoke…The Gentlemen

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

FakeWallet crypto stealer spreading in the App Store

Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto

GlassWorm attack installs fake browser extension for surveillance

Technical Analysis of SnappyClient

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

Fake Pudgy World site steals crypto passwords

GoPix banking Trojan targeting Brazilian financial institutions

BeatBanker: both banker and miner for Android

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

Banners, Bots and Butchers: The AI-Driven Long Con in Asia

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Arkanix Stealer targets a variety of data, offers a MaaS referral program

Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations

Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw

LABYRINTH CHOLLIMA Evolves into Three Adversaries

PurpleBravo’s Targeting of the IT Software Supply Chain

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

Analyzing the MonetaStealer macOS Threat

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations

Malicious NPM Packages Deliver NodeCordRAT

EmEditor Homepage Download Button Served Malware for 4 Days

NuGet malware targets crypto wallets, OAuth tokens

How Lazarus's IT Workers Scheme Was Caught Live on Camera

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

From primitive crypto theft to sophisticated AI-based deception

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

"Sneaky" new Android malware takes over your phone, hiding in fake news and ID apps

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

IIS servers owned by RudePanda like it's 2003

New Stealit Campaign Abuses Node.js Single Executable Application

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

The Rise of RatOn: From NFC heists to remote control and ATS

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Ethereum smart contracts used to push malicious code on npm

Three Lazarus RATs coming for your cheese

Boxing Clever: Uncovering a $1M Task Scam Cluster Exploiting Major Brands

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Cybercriminals Abuse AI Website Creation App For Phishing

Uncovering a Web3 Interview Scam

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Atomic macOS Stealer includes a backdoor for persistent access

Efimer Trojan delivered via email and hacked WordPress websites

PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

Chinese Malware Delivery Domains: Part III

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

The Solidity Language open-source package was used in a $500,000 crypto heist

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

The new SparkKitty Trojan spy in the App Store and Google Play

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Crypto Phishing Applications On The Play Store

Hiding in GitHub

Inside the BlueNoroff Web3 macOS Intrusion Analysis

Famous Chollima deploying Python version of GolangGhost RAT

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

Crocodilus Mobile Malware: Evolving Fast, Going Global

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

Katz Stealer Threat Analysis

PyPI package targets Solana developers

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

Additional Features of OtterCookie Malware Used by WaterPlum