Tag: infostealer

111 Attack Reports | 0 Vulnerabilities

Attack reports

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…
phishing
social engineering
infostealer
credential theft
reconnaissance
microsoft teams
2025-12-03
quick assist
Published: December 3, 2025
Downloadable IOCs: 1

Arkanix Stealer: Newly discovered short term profit malware

A new information stealer named Arkanix has emerged, likely designed for short-term financial gains. Advertised on Discord, it has rapidly evolved from a Python-based to a C++ version. The malware steals data from various browsers, crypto wallets, VPN accounts, and system information. It employs so…
python
infostealer
discord
c++
vmprotect
crypto wallets
browser data
2025-12-01
arkanix stealer
chrome elevator
arkanix
Published: December 1, 2025
Downloadable IOCs: 3

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…
phishing
windows
infostealer
credential theft
autoit
nsis
lumma
maas
process hollowing
2025-11-27
Published: November 27, 2025
Downloadable IOCs: 7

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a stand…
social engineering
lummac2
rhadamanthys
infostealer
steganography
clickfix
multi-stage
2025-11-24
windows update
Published: November 24, 2025
Downloadable IOCs: 32

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…
rat
social engineering
north korea
infostealer
cryptocurrency
beavertail
web3
invisibleferret
ottercookie
trojanized code
2025-11-14
json storage
tsunami payload
Published: November 14, 2025
Downloadable IOCs: 84

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT.
python
infostealer
purecrypter
service
purelogs
telegram
winrar
zip archive
purerat
pxa stealer
2025-10-10
lonenone
cryptoloader
netloader
pythonloader
Published: October 10, 2025
Downloadable IOCs: 7

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …
rat
phishing
infostealer
macos
remote access
clickfix
deerstealer
captcha
odyssey
2025-10-10
clipboard
iuam
clickfix generator
Published: October 10, 2025
Downloadable IOCs: 59

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…
evasion
powershell
infostealer
persistence
data exfiltration
system reconnaissance
telegram bot
browser targeting
2025-10-08
shuyal stealer
Published: October 8, 2025
Downloadable IOCs: 1

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…
obfuscation
phishing
social engineering
infostealer
steganography
stealc
filefix
2025-09-16
multistage payload
Published: September 16, 2025
Downloadable IOCs: 17

August 2025 Infostealer Trend Report

This analysis examines Infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable varian…
lummac2
rhadamanthys
infostealer
seo poisoning
dll-sideloading
acrstealer
slack
2025-09-16
domain masquerading
Published: September 16, 2025
Downloadable IOCs: 0

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…
obfuscation
phishing
powershell
infostealer
hijackloader
lumma
deerstealer
anti-vm
multi-stage
castleloader
2025-09-12
castlebot
nekostealer
Published: September 12, 2025
Downloadable IOCs: 14

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …
evasion
windows
infostealer
cryptocurrency
persistence
malware-as-a-service
maas
russian-speaking
browser credentials
2025-09-06
salat stealer
web_rat
go-based
2025-09-10
Published: September 10, 2025
Downloadable IOCs: 14

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers

Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeti…
infostealer
anti-analysis
cybercrime
data exfiltration
snake keylogger
stealerium
2025-09-04
warp stealer
phantom stealer
Published: September 4, 2025
Downloadable IOCs: 8

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

New Variant of ACRStealer Actively Distributed with Modifications

A modified version of the ACRStealer infostealer is being actively distributed, featuring enhanced detection evasion and analysis obstruction techniques. The malware uses the Heaven's Gate technique for executing x64 code in WoW64 processes and implements low-level NT functions for C2 communication…
infostealer
anti-analysis
c2 communication
heaven's gate
acrstealer
2025-08-21
data encryption
detection evasion
amaterastealer
Published: August 21, 2025
Downloadable IOCs: 0

Behind the Curtain: How Lumma Affiliates Operate

This analysis reveals the complex operations of Lumma affiliates within a vast information-stealing ecosystem. Affiliates utilize various tools and services, including proxy networks, VPNs, anti-detect browsers, and crypting services. The investigation uncovered previously undocumented tools and sh…
infostealer
cybercrime
vidar
proxy
vpn
stealc
lumma
meduza stealer
affiliate
craxsrat
underground forums
2025-08-20
crypting
anti-detect browser
Published: August 20, 2025
Downloadable IOCs: 0

Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project

A massive distribution of SmartLoader malware has been discovered through GitHub repositories masquerading as legitimate projects. These repositories focus on topics like game cheats, software cracks, and automation tools to attract users. The malware is distributed via compressed files containing …
obfuscation
rhadamanthys
infostealer
persistence
lumma stealer
redline
c2
github
smartloader
2025-08-13
game-cheats
software-cracks
luascript
Published: August 13, 2025
Downloadable IOCs: 11

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, runnin…
powershell
windows
infostealer
exfiltration
discord
vbs
browser-data
2025-08-13
wmi
screenshot
cmimai stealer
Published: August 13, 2025
Downloadable IOCs: 0

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an arch…
obfuscation
infostealer
anti-analysis
infection chain
process hollowing
confuserex
darkcloud stealer
2025-08-07
visual basic 6
runpe
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 10

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 uniq…
python
infostealer
data theft
credential harvesting
telegram
2025-08-04
pxa stealer
Published: August 4, 2025
Downloadable IOCs: 5

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan ca…
windows
infostealer
lumma stealer
credential theft
drive-by download
brand impersonation
2025-08-03
telegram premium
Published: August 3, 2025
Downloadable IOCs: 0

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

Raven Stealer is a modern information-stealing malware developed in Delphi and C++, designed to extract sensitive data from victim machines. It targets Chromium-based browsers, extracting passwords, cookies, payment details, and autofill information. The malware uses a modular architecture and a bu…
infostealer
credential theft
information-stealing
data exfiltration
github
telegram
c++
browser data
delphi
octalyn stealer
2025-07-26
raven stealer
upx packing
2025-08-01
Published: August 1, 2025
Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…
backdoor
infostealer
cryptocurrency
persistence
macos
amos
2025-07-17
code-signing
notarization
odyssey
odyssey stealer
Published: July 17, 2025
Downloadable IOCs: 0

June 2025 Infostealer Trend Report

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar,…
lummac2
rhadamanthys
infostealer
seo poisoning
vidar
stealc
dll-sideloading
2025-07-16
acrstealer
anti-analysis techniques
Published: July 16, 2025
Downloadable IOCs: 0

NordDragonScan: Quiet Data-Harvester on Windows

A sophisticated infostealer dubbed NordDragonScan has been discovered, targeting Windows systems through weaponized HTA scripts. The malware is distributed via shortened links leading to RAR archives containing malicious LNK shortcuts. Once installed, NordDragonScan performs extensive reconnaissanc…
infostealer
browser data theft
2025-07-14
norddragonscan
Published: July 14, 2025
Downloadable IOCs: 11

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…
rat
social engineering
typosquatting
powershell
infostealer
lumma stealer
latrodectus
autoit
clickfix
netsupport rat
clipboard hijacking
2025-07-10
Published: July 10, 2025
Downloadable IOCs: 65

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…
phishing
spearphishing
infostealer
russia
malware-as-a-service
keylogger
maas
snake keylogger
credential stealer
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 34

Part 2: Tracking LummaC2 Infrastructure

An investigation into domains associated with the LummaC2 infostealing-malware campaign revealed a broader network of nearly 500 domains with highly malicious risk scores. These domains share similar registration patterns, including the use of Eastern European names and the inbox[.]eu email domain.…
lummac2
infostealer
malicious domains
2025-06-19
acreed
domain infrastructure
technical education lure
eastern european names
Published: June 19, 2025
Downloadable IOCs: 504

May 2025 Infostealer Trend Report

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts …
lummac2
rhadamanthys
infostealer
seo poisoning
amadey
bat script
vidar
stealc
dll-sideloading
2025-06-18
keygens
wormhole
unicode passwords
cracks
Published: June 18, 2025
Downloadable IOCs: 3

Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data

A multistage malware campaign targeting Minecraft users has been discovered, distributed through the Stargazers Ghost Network on GitHub. The malware impersonates popular Minecraft mods and cheats, using a Java-based downloader that evades detection. The infection chain includes multiple stages: a J…
infostealer
minecraft
stargazers ghost network
2025-06-18
java malware
minecraft mods
Published: June 18, 2025
Downloadable IOCs: 17

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…
social engineering
infostealer
lumma
clickfix
multi-stage attack
remote access trojan
ghostpulse
arechclient2
eddiestealer
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 47

The strange tale of ischhfd83: When cybercriminals eat their own

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leadin…
backdoor
obfuscation
rat
infostealer
remcos
lumma stealer
asyncrat
github
telegram
2025-06-04
Published: June 4, 2025
Downloadable IOCs: 52

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…
powershell
infostealer
cryptocurrency
rust
data exfiltration
captcha
2025-05-29
eddiestealer
Published: May 29, 2025
Downloadable IOCs: 27

Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video Generators

A hacking group with alleged ties to Vietnam has been exploiting social media ads promoting AI video generators to distribute malware since mid-2024. The campaign, discovered by Mandiant, uses fake websites mimicking legitimate AI tools to deploy payloads including Python-based infostealers and bac…
backdoor
xworm
infostealer
vietnam
2025-05-28
noodlophile stealer
frostrift
grimpull
social media ads
starkveil
ai video generators
Published: May 28, 2025
Downloadable IOCs: 1

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The ma…
obfuscation
powershell
infostealer
persistence
data-exfiltration
2025-05-27
crypto-wallet-theft
chihuahua infostealer
browser-data-theft
.net-malware
Published: May 27, 2025
Downloadable IOCs: 10

Malicious attack method on hosted ML models now targets PyPI

A new malicious campaign has been discovered targeting the Python Package Index (PyPI) by exploiting the Pickle file format in machine learning models. Three malicious packages posing as an Alibaba AI Labs SDK were detected, containing infostealer payloads hidden inside PyTorch models. The packages…
infostealer
ai
pypi
machine learning
supply chain attack
pytorch
2025-05-26
pickle format
Published: May 26, 2025
Downloadable IOCs: 2

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…
infostealer
lumma stealer
credential theft
malware-as-a-service
disruption
2025-05-26
c&c infrastructure
Published: May 26, 2025
Downloadable IOCs: 113

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

Inside DanaBot's Infrastructure: In Support of Operation Endgame II

DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to it…
infostealer
danabot
malware-as-a-service
banking trojan
c2 infrastructure
2025-05-23
stealth tactics
Published: May 23, 2025
Downloadable IOCs: 65

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …
rat
social engineering
powershell
infostealer
lumma
netsupport rat
sectoprat
captcha
clipboard injection
2025-05-22
Published: May 22, 2025
Downloadable IOCs: 10

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. Th…
infostealer
credential theft
2025-05-22
session hijacking
pupkinstealer
Published: May 22, 2025
Downloadable IOCs: 1

The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website

A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious fi…
malvertising
infostealer
purehvnc
facebook ads
2025-05-21
crypto theft
Published: May 21, 2025
Downloadable IOCs: 42

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware employs a multi-stage PowerShell script infection process, utilizing Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It t…
powershell
infostealer
.net
multi-stage infection
crypto wallets
browser data
2025-05-14
chihuahua stealer
aes-gcm
Published: May 14, 2025
Downloadable IOCs: 2

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…
infostealer
cryptocurrency
exfiltration
open-source
pypi
blockchain
supply-chain-attack
2025-05-13
solana
solana-token
Published: May 13, 2025
Downloadable IOCs: 0

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…
powershell
infostealer
exfiltration
persistence
encryption
.net
multi-stage
2025-05-13
browser-data
chihuahua stealer
crypto-wallets
Published: May 13, 2025
Downloadable IOCs: 8

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promi…
xworm
python
infostealer
worm
credential theft
remote access
ai
morphisec
facebook
2025-05-12
word document
noodlophile
capcutloader
video dream
Published: May 12, 2025
Downloadable IOCs: 32

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…
obfuscation
social engineering
powershell
infostealer
vbscript
clickfix
2025-05-06
lampion
Published: May 6, 2025
Downloadable IOCs: 10

Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web…
infostealer
cryptocurrency
vpn
data exfiltration
telegram
browser
2025-04-29
c#
ftp
gremlin stealer
Published: April 29, 2025
Downloadable IOCs: 2

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor
Published: April 22, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 7

Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution p…
infostealer
shellcode
autoit
agent tesla
snake keylogger
remcos rat
xloader
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 0

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…
social engineering
north korea
python
infostealer
cryptocurrency
2025-04-14
rn stealer
rn loader
dpkr
slow pisces
yaml deserialization
Published: April 14, 2025
Downloadable IOCs: 41

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germa…
obfuscation
phishing
infostealer
2025-03-11
stellar loader
strela stealer
2025-04-13
locale-verification
Published: April 13, 2025
Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.
powershell
infostealer
ukraine
c server
gamaredon
shuckworm
2025-04-10
gammasteel
desktop folder
armageddon
Published: April 10, 2025
Downloadable IOCs: 56

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

PJobRAT makes a comeback, takes another crack at chat apps

In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.
android
infostealer
c2 server
github
2025-03-27
code issues
pull
breadcrumbs
history
pjobrat package
pjobrat domain
pjobrat
eio4
domain hosting
Published: March 27, 2025
Downloadable IOCs: 12

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).
backdoor
windows
infostealer
zero-day
github
trojanspy
sha256
detection
CVE-2025-26633
2025-03-25
disease vector
msc eviltwin
filename
water gamayun
files
related
domain
description
encrypthub
Published: March 25, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 58

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

Infostealer Campaign against ISPs

A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained thr…
infostealer
persistence
cryptomining
brute force
2025-03-11
scripting
Published: March 11, 2025
Downloadable IOCs: 0

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…
north korea
spearphishing
infostealer
cryptocurrency
beavertail
invisibleferret
2025-02-21
job scams
freelancers
Published: February 21, 2025
Downloadable IOCs: 0

Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors

A malicious campaign is targeting Chinese-speaking users by distributing backdoored executables through fake download pages for popular apps like Signal, Line, and Gmail. The attackers use seemingly unrelated domain names and rely on search engine manipulation to lure victims. The malware follows a…
backdoor
infostealer
search engine manipulation
2025-02-18
signal
line
chinese-speaking
microclip
gmail
fake download
Published: February 18, 2025
Downloadable IOCs: 0

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

Fileless Python InfoStealer Targeting Exodus

A new Python-based info stealer targeting the Exodus crypto wallet has been discovered. This malware employs fileless techniques, clipboard monitoring, and keylogging to capture wallet passwords and sensitive data. It checks for the existence of 'passphrase.json' and, if not found, uses a keylogger…
python
infostealer
keylogger
2025-01-28
exodus
crypto-wallet
Published: January 28, 2025
Downloadable IOCs: 1

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…
obfuscation
phishing
powershell
lummac2
infostealer
cryptocurrency
captcha
2025-01-13
clipbanker
Published: January 13, 2025
Downloadable IOCs: 4

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…
phishing
infostealer
remcosrat
redline
autoit
agenttesla
2025-01-10
xloader
snakekeylogger
Published: January 10, 2025
Downloadable IOCs: 3

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

VIPKeyLogger Infostealer in the Wild

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIP…
infostealer
CVE-2017-11882
keylogger
snake keylogger
2024-12-16
vipkeylogger
Published: December 16, 2024
Downloadable IOCs: 0

Malicious PyPI crypto pay package aiocpa implants infostealer code

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…
obfuscation
infostealer
cryptocurrency
pypi
machine learning
software supply chain
2024-11-29
threat hunting
Published: November 29, 2024
Downloadable IOCs: 0

RobotDropper Automates the Delivery of Multiple Infostealers

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through …
phishing
infostealer
dll sideloading
2024-11-26
legionloader
robotdropper
Published: November 26, 2024
Downloadable IOCs: 5

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…
supply-chain
typosquatting
infostealer
npm
pypi
2024-11-26
roblox
Published: November 26, 2024
Downloadable IOCs: 11

Life on a crooked RedLine: Analyzing the infamous infostealer's backend

This article provides an in-depth analysis of RedLine Stealer, a notorious information-stealing malware. The research focuses on previously undocumented backend modules and the control panel used by affiliates. Key findings include the identification of over 1,000 unique IP addresses hosting RedLin…
infostealer
data theft
meta stealer
cybercrime
malware-as-a-service
redline stealer
2024-11-17
control panel
windows communication framework
backend analysis
Published: November 17, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research provides a comprehensive analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year, targeting organizations in multiple countries. WezRat's capabilities include executing commands, taking…
backdoor
espionage
phishing
infostealer
iran
modular
2024-11-14
wezrat
c&c
Published: November 14, 2024
Downloadable IOCs: 0

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…
malvertising
powershell
infostealer
persistence
electron
credential theft
sys01
meta
social media
2024-11-04
Published: November 4, 2024
Downloadable IOCs: 26

Threat actors use copyright infringement phishing lure to deploy infostealers

An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot dom…
obfuscation
phishing
evasion
lummac2
rhadamanthys
infostealer
taiwan
2024-10-31
facebook
copyright
Published: October 31, 2024
Downloadable IOCs: 0

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…
phishing
powershell
infostealer
dll file
webdav
2024-10-30
javascript code
zip file
webdav server
strela
Published: October 30, 2024
Downloadable IOCs: 103

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1

The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer

This analysis examines three emerging malware threats: Divulge Stealer, DedSec Stealer, and Duck Stealer. These stealers, often promoted on platforms like GitHub and Telegram, target browser data, game information, and sensitive personal details. Divulge Stealer, a successor to Umbral Stealer, feat…
infostealer
cryptocurrency
browser data theft
2024-10-21
anti-vm
doenerium
divulge stealer
umbral stealer
duck stealer
azstealer
dedsec stealer
Published: October 21, 2024
Downloadable IOCs: 3

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

Beware of phishing emails impersonating major domestic entertainment agencies

ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
python
infostealer
pdf
2024-10-16
Published: October 16, 2024
Downloadable IOCs: 0

Observes Targeted Attacks Amid FBI Warnings

The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
malware
backdoor
infostealer
northkorea
2024-09-17
socialengineering
rustdoor
thiefbucket
cryptoindustry
Published: September 17, 2024
Downloadable IOCs: 8

A SOC Team’s Guide to Detecting macOS Atomic Stealers

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …
malware
obfuscation
infostealer
macos
crimeware
poseidon
2024-09-13
rodrigostealer
cthulu
amos atomic
banshee
Published: September 13, 2024
Downloadable IOCs: 3

There's Something About CryptBot: Yet Another Silly Stealer

This report provides an in-depth technical analysis of a new variant of the CryptBot infostealer, dubbed Yet Another Silly Stealer (YASS). It details the delivery chain, involving the MustardSandwich downloader, and dissects the YASS payload's functionalities, including its data gathering, encrypti…
malware
infostealer
cryptbot
stealer
exfiltration
netsupport
downloader
2024-09-11
yass
mustardsandwich
Published: September 11, 2024
Downloadable IOCs: 13

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

Emansrepo Stealer: Multi-Vector Attack Chains

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…
phishing
infostealer
remcos
2024-09-04
emansrepo
Published: September 4, 2024
Downloadable IOCs: 42

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
phishing
powershell
infostealer
asyncrat
vbscript
2024-09-02
process hollowing
cryptocurrency wallets
browser data theft
Published: September 2, 2024
Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986
Downloadable IOCs: 8

A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise

CYFIRMA's research team recently identified a sophisticated dropper binary designed to deploy an information stealer, dubbed 'Angry Stealer,' actively advertised on Telegram and other online platforms. The stealer targets sensitive data from browsers, cryptocurrency wallets, VPN credentials, and sy…
infostealer
exfiltration
dropper
rebranded
telegram
2024-08-28
rage stealer
angry stealer
stepasha.exe
motherrussia.exe
Published: August 28, 2024
Downloadable IOCs: 2

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
malware
obfuscation
powershell
infostealer
cryptbot
javascript
2024-08-23
lummac.v2
shadowladder
Published: August 23, 2024
Downloadable IOCs: 23

Ailurophile: G DATA has sighted a new info stealer in the wild

G DATA has detected a novel information-stealing malware, dubbed 'Ailurophile Stealer'. It is a PHP-based stealer offered through a subscription model on its dedicated website. Customers utilize a web panel to generate customized malware variants, specifying features such as the malware name, icon,…
infostealer
stealer
exfiltration
credential theft
2024-08-19
cryptocurrency theft
ailurophile stealer
Published: August 19, 2024
Downloadable IOCs: 2

Beyond the wail: deconstructing the BANSHEE infostealer

This analysis details the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets. Developed by Russian threat actors, it operates across macOS x86_64 and ARM64 architectures. The malware is designed to evade detection through anti-debugg…
infostealer
macos
2024-08-16
c++
banshee stealer
sysctl api
Published: August 16, 2024
Downloadable IOCs: 2

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…
phishing
evasion
infostealer
cryptocurrency
injection
danabot
stealc
russian
2024-08-16
clipper
Published: August 16, 2024
Downloadable IOCs: 68

InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes APIs to evade detection and carries out malicious operations in distinct stages, first executing a Swift-based dropper that displays a…
infostealer
macos
dropper
2024-08-09
swiftui
cryptotrade
Published: August 9, 2024
Downloadable IOCs: 1

LummaC2 Malware Abusing the Game Platform 'Steam'

The report investigates LummaC2, an infostealer malware actively distributed under the guise of illegal software. It highlights LummaC2's tactics of utilizing encrypted strings and abusing legitimate websites like Steam to acquire command-and-control (C2) domains. The malware steals sensitive user …
lummac2
infostealer
data theft
vidar
2024-07-26
Published: July 26, 2024
Downloadable IOCs: 21

RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS

Check Point Research has identified multiple threat actors utilizing Rafel, an open-source remote administration tool (RAT). The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profi…
ransomware
android
infostealer
discord
2024-06-20
google play
rafel rat
data wipe
smartphone
2fa bypass
Published: June 20, 2024
Downloadable IOCs: 6

Fickle Stealer Distributed via Multiple Attack Chain

In May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target.
vba
infostealer
rust
2024-06-20
docx
fickle stealer
pdf viewer
Published: June 20, 2024
Downloadable IOCs: 53

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…
malware
obfuscation
phishing
infostealer
2024-06-10
CVE-2017-0199
CVE-2017-11882
agent tesla
spain
Published: June 10, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 6

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

An analysis by McAfee's Mobile Research Team uncovered an Android InfoStealer malware masquerading as a government service app in Bahrain. The malicious app, promoted through deceitful Facebook pages and SMS messages, tricks users into providing personal information like CPR numbers, phone numbers,…
phishing
android
infostealer
fraud
malicious
2024-06-03
android/infostealer
Published: June 3, 2024
Downloadable IOCs: 14

Analysis of APT Attack Cases Using Dora RAT Against Companies

This analysis discusses an APT campaign by the Andariel threat group targeting Korean companies and educational institutions. The campaign employed various malware strains, including Nestdoor backdoor, Dora RAT, keyloggers, infostealers, and proxy tools. The attackers exploited vulnerabilities, suc…
infostealer
dora rat
nestdoor
2024-05-30
Published: May 30, 2024
Linked vulnerabilities : CVE-2021-44228
Downloadable IOCs: 7

Unmasking AsukaStealer: The $80 Malware Threatening Digital Security

AsukaStealer, a malware offered for $80 on a Russian cybercrime forum, is designed to infiltrate popular browsers and extract sensitive data like credentials, cookies, and extension data. It also targets cryptocurrency wallets, messaging platforms, and gaming software. The malware employs customiza…
infostealer
2024-05-30
asukastealer
Published: May 30, 2024
Downloadable IOCs: 4

Threat actors ride the hype for newly released Arc browser

The release of the Arc browser for Windows sparked interest among cyber criminals who quickly launched a malvertising campaign impersonating the new software. The scheme uses Google search ads to lure potential victims with fake Arc installers. These installers employ various techniques, including …
malvertising
infostealer
2024-05-28
arc browser
Published: May 28, 2024
Downloadable IOCs: 9

Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies, construction firms, and educational institutions. The attackers employed backdoors, keyl…
apt
infostealer
2024-05-20
dora rat
nestdoor
openvpn attack
Published: May 20, 2024
Downloadable IOCs: 10

Profiling Trafficers: Cerberus

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
malware
infostealer
russia
2024-05-05
2024-05-06
2024-05-07
lumma stealer
2024-05-08
aurora stealer
redline
hacking
cybercrime
rhadamanthys stealer
casbaneiro
metamorfo
dracula stealer (samurai)
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 24

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…
obfuscation
infostealer
persistence
macos
spyware
2024-05-05
2024-05-06
2024-05-07
2024-05-08
cuckoo stealer
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 4

Malware: Behaves Like Cross Between Infostealer and Spyware

On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.
infostealer
2024-05-03
spyware
cuckoo
Published: May 3, 2024
Downloadable IOCs: 18

Scaly Wolf’s new loader: the right tool for the wrong job

The report analyzes a recent campaign by the Scaly Wolf threat group targeting organizations in Russia and Belarus. The group employs phishing emails disguised as communications from government agencies, containing legitimate documents and password-protected archives with malicious executables. The…
phishing
infostealer
white snake
winapi
Published: May 2, 2024
Downloadable IOCs: 23

Eight Arms to Hold You: The Cuttlefish Malware

The Black Lotus Labs team at Lumen Technologies is tracking a malware platform named Cuttlefish, targeting enterprise-grade small office/home office (SOHO) routers. This modular malware primarily steals authentication material from web requests transiting the router. It can also perform DNS and HTT…
infostealer
bash
hiatusrat
hijacking
cuttlefish
Published: May 2, 2024
Downloadable IOCs: 40

Distribution of Infostealer Made With Electron

AhnLab Security Intelligence Center (ASEC) has discovered an Infostealer malware strain developed using the Electron framework, which allows the creation of applications using JavaScript, HTML, and CSS. The malware is distributed through Nullsoft Scriptable Install System (NSIS) installer format. O…
infostealer
javascript
node.js
electron
Published: April 30, 2024
Downloadable IOCs: 1
Click here to see more Attack Reports