Tag: cryptocurrency

70 Attack Reports | 0 Vulnerabilities

Attack reports

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …
android
cryptocurrency
trojan
credential theft
triada
sms interception
firmware
reverse proxy
2025-04-25
Published: April 25, 2025
Downloadable IOCs: 0

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…
social engineering
cryptocurrency
beavertail
frostyferret
2025-04-24
blocknovas
invisible ferret
anonymization networks
Published: April 24, 2025
Downloadable IOCs: 45

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

Malicious PyPi Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and…
cryptocurrency
pypi
supply-chain-attack
2025-04-16
api-hijacking
ccxt
mexc
Published: April 16, 2025
Downloadable IOCs: 2

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…
social engineering
north korea
python
infostealer
cryptocurrency
2025-04-14
rn stealer
rn loader
dpkr
slow pisces
yaml deserialization
Published: April 14, 2025
Downloadable IOCs: 41

Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wa…
cryptocurrency
persistence
npm
atomic
software supply chain
exodus
patching
2025-04-10
wallet
2025-04-14
trojanized code
atomic wallet
Published: April 14, 2025
Downloadable IOCs: 1

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …
powershell
cryptocurrency
persistence
autoit
clipbanker
2025-04-08
miner
sourceforge
Published: April 8, 2025
Downloadable IOCs: 0

Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, …
north korea
cryptocurrency
beavertail
invisibleferret
2025-04-08
Published: April 8, 2025
Downloadable IOCs: 6

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…
phishing
cryptocurrency
supply chain
2025-04-04
2025-04-07
crm
coinbase
bulk email
ledger
seed phrase poisoning
Published: April 7, 2025
Downloadable IOCs: 45

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency

Cybercriminals are exploiting a live stream featuring Elon Musk, Cathie Wood, and Jack Dorsey discussing cryptocurrency to conduct scams. They modify the original video, adding frames that advertise malicious websites claiming to double users' cryptocurrency investments. Multiple YouTube channels w…
cryptocurrency
youtube
scam
fake websites
2025-04-02
social media exploitation
elon musk
live stream
double investment
Published: April 2, 2025
Downloadable IOCs: 10

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Wi…
backdoor
north korea
cryptocurrency
clickfix
2025-04-01
golangghost
frostyferret
job interviews
cefi
Published: April 1, 2025
Downloadable IOCs: 86

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…
malware
ransomware
cryptocurrency
spam
cybercrime
email security
w32.file.malparent
coinminer:mbt.26mw.in14.talos
2025-03-28
trojan.generickd.33515991
money laundering
simple_custom_detection
regulatory changes
Published: March 28, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information
Published: March 21, 2025
Downloadable IOCs: 2

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …
phishing
social engineering
cryptocurrency
scams
e-commerce fraud
2025-03-14
charitable fraud
wallet draining
fake giveaways
ramadan
Published: March 14, 2025
Downloadable IOCs: 28

Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims

A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platfor…
impersonation
cryptocurrency
telegram
2025-03-13
mobile applications
investment scam
pyramid scheme
Published: March 13, 2025
Downloadable IOCs: 36

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

DeepSeek Lure Used To Spread Malware

Cybercriminals are exploiting DeepSeek's popularity by creating fake look-alike domains to deliver the Vidar information stealer. The attack chain involves a deceptive website that prompts users to complete a fake partner registration, leading to a malicious CAPTCHA page. This page injects a PowerS…
cryptocurrency
vidar
captcha
brand impersonation
deepseek
2025-02-25
clipboard injection
Published: February 25, 2025
Downloadable IOCs: 40

Fake GitHub projects distribute stealers in GitVenom campaign

The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit numbers to appear genuine. The malicious code, implemented…
cryptocurrency
stealer
asyncrat
open-source
github
quasar
2025-02-24
gitvenom
clipboard-hijacker
fake-projects
Published: February 24, 2025
Downloadable IOCs: 2

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…
north korea
spearphishing
infostealer
cryptocurrency
beavertail
invisibleferret
2025-02-21
job scams
freelancers
Published: February 21, 2025
Downloadable IOCs: 0

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…
backdoor
powershell
cryptocurrency
socgholish
credential theft
boinc
fakeupdates
netsupport rat
mintsloader
2025-02-17
web injection
ghostweaver
juniper stealer
Published: February 17, 2025
Downloadable IOCs: 14

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…
phishing
social engineering
cryptocurrency
financial fraud
social media
e-commerce
brand impersonation
oauth
2025-02-15
valentine's day
Published: February 15, 2025
Downloadable IOCs: 0

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…
malware
espionage
north korea
cryptocurrency
beavertail
invisibleferret
remote work
2025-02-13
ottercookie
front companies
it workers
Published: February 13, 2025
Downloadable IOCs: 43

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…
phishing
cryptocurrency
credential theft
scams
2025-02-06
deepseek
qr code scams
wallet drainers
fake websites
Published: February 6, 2025
Downloadable IOCs: 0

Uncovering Cyber Threat Networks: SmartApeSG & NetSupport RAT

This investigation explores the connections between SmartApeSG, a FakeUpdate threat, and NetSupport RAT. Through analysis of Internet telemetry data, the research uncovered related C2 management hosts, active NetSupport RAT servers, and cross-connections to suspicious infrastructure. Key findings i…
cryptocurrency
socgholish
quasar rat
netsupport rat
clearfake
c2 infrastructure
2025-02-04
moldovan ips
pivoting analysis
fakeupdate
landupdate808
ispmanager
smartapesg
lycantrox
Published: February 4, 2025
Downloadable IOCs: 57

Analysis of Astral Stealer

Astral Stealer v1.8 is a powerful malware tool coded in Python, C#, and JavaScript, designed for data theft and crypto wallet exploitation. It targets gaming accounts, browser credentials, and cryptocurrency wallets while employing anti-debugging and VM bypass techniques. The stealer offers advance…
cryptocurrency
stealer
data exfiltration
information theft
2025-01-31
browser injection
discord injection
astral stealer
Published: January 31, 2025
Downloadable IOCs: 3

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…
north korea
cryptocurrency
data exfiltration
software supply chain
command-and-control
2025-01-30
phantom circuit
Published: January 30, 2025
Downloadable IOCs: 13

APT-C-26 (Lazarus) continues to upgrade its attack weapons, using Electron programs to target the cryptocurrency industry

The APT-C-26 (Lazarus) group has been observed using Electron-packaged malicious programs disguised as cryptocurrency trading tools to target individuals in the cryptocurrency industry. The attack involves a multi-stage process, including the use of poisoned open-source projects, obfuscated malicio…
cryptocurrency
data theft
electron
2025-01-22
uniswapsniperbot
Published: January 22, 2025
Downloadable IOCs: 0

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authe…
obfuscation
phishing
aitm
cryptocurrency
telegram
2025-01-17
Published: January 17, 2025
Downloadable IOCs: 26

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…
obfuscation
phishing
powershell
lummac2
infostealer
cryptocurrency
captcha
2025-01-13
clipbanker
Published: January 13, 2025
Downloadable IOCs: 4

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

CoinLurker: The Stealer Powering the Next Generation of Fake Updates

CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive ent…
cryptocurrency
2024-12-17
coinlurker
Published: December 17, 2024
Downloadable IOCs: 50

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…
xmrig
cryptocurrency
lumma stealer
malware loader
vidar
risepro
socks5systemz
2024-12-16
riseloader
Published: December 16, 2024
Downloadable IOCs: 0

CURLing for Crypto on Honeypots

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The a…
cryptocurrency
ddos
botnet
mining
telegram
siem
2024-12-09
curl
honeypot
cowrie
Published: December 9, 2024
Downloadable IOCs: 37

Malicious PyPI crypto pay package aiocpa implants infostealer code

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…
obfuscation
infostealer
cryptocurrency
pypi
machine learning
software supply chain
2024-11-29
threat hunting
Published: November 29, 2024
Downloadable IOCs: 0

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…
cryptocurrency
ddos
iot
botnet
mirai
discord
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
CVE-2017-17215
telegram
2024-11-27
CVE-2014-8361
brute-force
CVE-2017-18368
script kiddie
CVE-2018-9995
pybot
CVE-2024-27348
CVE-2017-17106
discordgo
CVE-2022-30525
CVE-2022-30075
Published: November 27, 2024
Linked vulnerabilities : CVE-2024-27348, CVE-2021-20090, CVE-2022-30525, CVE-2018-10562, CVE-2018-10561, CVE-2022-30075, CVE-2018-9995, CVE-2017-17106, CVE-2017-18368, CVE-2014-8361, CVE-2017-17215
Downloadable IOCs: 12

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…
social engineering
cryptocurrency
data theft
beavertail
contagious interview
invisibleferret
2024-11-06
wagemole
sanctions evasion
remote work
job fraud
Published: November 6, 2024
Downloadable IOCs: 56

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…
obfuscation
phishing
android
cryptocurrency
craxs rat
privilege escalation
2024-11-04
apk distribution
transaction hijacking
sms interception
g700 rat
Published: November 4, 2024
Downloadable IOCs: 3

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer

This analysis examines three emerging malware threats: Divulge Stealer, DedSec Stealer, and Duck Stealer. These stealers, often promoted on platforms like GitHub and Telegram, target browser data, game information, and sensitive personal details. Divulge Stealer, a successor to Umbral Stealer, feat…
infostealer
cryptocurrency
browser data theft
2024-10-21
anti-vm
doenerium
divulge stealer
umbral stealer
duck stealer
azstealer
dedsec stealer
Published: October 21, 2024
Downloadable IOCs: 3

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

YUNIT STEALER

Yunit Stealer is a sophisticated malware targeting sensitive user data through credential theft and system manipulation. It employs advanced evasion techniques to bypass security measures, maintaining persistence on compromised systems. The malware performs comprehensive data extraction, including …
cryptocurrency
data theft
2024-10-07
gaming
credential extraction
yunit stealer
Published: October 7, 2024
Downloadable IOCs: 0

VILSA STEALER

A new malware called Vilsa Stealer has emerged on GitHub, notable for its speed and efficiency in extracting sensitive data. This sophisticated tool targets browser credentials, tokens, and various application data. It supports major browsers and over 40 crypto wallets, using Python as its programm…
cryptocurrency
data theft
exfiltration
persistence
anti-analysis
2024-10-07
vilsa stealer
browser credentials
Published: October 7, 2024
Downloadable IOCs: 3

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12

WalletConnect Scam: A Case Study in Crypto Drainer Tactics

An investigation uncovered a malicious app on Google Play targeting mobile users to steal cryptocurrency. The app, posing as a legitimate WalletConnect tool, used advanced evasion techniques to avoid detection for nearly five months. It achieved over 10,000 downloads through fake reviews and brandi…
android
cryptocurrency
mobile malware
2024-09-26
ms drainer
Published: September 26, 2024
Downloadable IOCs: 6

Russia-linked crypto threat actor involved in political spoofing tracked

A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large clus…
phishing
cryptocurrency
2024-09-20
political spoofing
us elections
Published: September 20, 2024
Downloadable IOCs: 6

Deep Fake Crypto Scams

Cybercriminals exploited the U.S. presidential debate to launch a cryptocurrency scam using deep fake videos. The scam featured fake streams on hijacked YouTube channels, claiming to show Elon Musk and Donald Trump debating Kamala Harris. The videos directed viewers to invest in cryptocurrency duri…
cryptocurrency
2024-09-20
deep fake
presidential debate
Published: September 20, 2024
Downloadable IOCs: 24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

A Network of Harm: Gigabud Threat and Its Associates

An investigation reveals a significant connection between Gigabud and Spynote malware families, targeting over 50 financial apps including banks and cryptocurrency platforms. The campaign utilizes sophisticated distribution methods, including 11 command and control servers and 79 phishing websites …
phishing
cryptocurrency
spynote
banking trojan
2024-09-17
gigabud
android rat
Published: September 17, 2024
Downloadable IOCs: 116

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
linux
backdoor
cryptocurrency
mallox
lateral movement
tsunami
2024-09-13
weblogic
hadooken
Published: September 13, 2024
Downloadable IOCs: 4

BLX STEALER

Identified as a sophisticated dropper binary designed to deploy an information stealer dubbed BLX Stealer or XLABB Stealer, this malware has been actively promoted on Telegram and Discord platforms. It targets credentials, browser data, cryptocurrency wallets, and other sensitive personal informati…
cryptocurrency
stealer
persistence
credential
data exfiltration
2024-09-11
xlabb stealer
blx stealer
Published: September 11, 2024
Downloadable IOCs: 5

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…
cryptocurrency
stealer
macos
golang
atomic stealer
2024-08-23
maas
cthulhu stealer
Published: August 23, 2024
Downloadable IOCs: 9

TodoSwift Disguises Malware Download Behind Bitcoin PDF

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's t…
cryptocurrency
macos
dropper
2024-08-19
rustbucket
kandykorn
todoswift
Published: August 19, 2024
Downloadable IOCs: 7

2024 Paris Olympic Games Infrastructure Attack Report

This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
phishing
cryptocurrency
cybercrime
fraud
olympics
2024-08-16
Published: August 16, 2024
Downloadable IOCs: 148

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…
phishing
evasion
infostealer
cryptocurrency
injection
danabot
stealc
russian
2024-08-16
clipper
Published: August 16, 2024
Downloadable IOCs: 68

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
phishing
social engineering
cryptocurrency
financial fraud
cybercrime
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 14

We're not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

While cryptocurrency and blockchain have lost mainstream attention, cybercriminals continue to exploit these technologies through various scams like memecoins, rug pulls, and unregulated social media platforms. This report also highlights the SneakyChef threat actor's ongoing campaign targeting gov…
espionage
cryptocurrency
sugargh0st
spicerat
2024-06-28
Published: June 28, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 4

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
evasion
cryptocurrency
vulnerability
persistence
apache
2024-06-06
irc
rocketmq
lateral
muhstik
CVE-2023-33246
Published: June 6, 2024
Linked vulnerabilities : CVE-2023-33246
Downloadable IOCs: 21

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports