<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CyberMaterial: Alerts]]></title><description><![CDATA[Find the latest cybersecurity alerts from patches, and updates to newest threat actors.]]></description><link>https://www.cybermaterial.com/s/alerts</link><image><url>https://substackcdn.com/image/fetch/$s_!nNgF!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c57d21-5644-4f88-bf07-ea44d2603e80_482x482.png</url><title>CyberMaterial: Alerts</title><link>https://www.cybermaterial.com/s/alerts</link></image><generator>Substack</generator><lastBuildDate>Mon, 04 May 2026 13:29:14 GMT</lastBuildDate><atom:link href="https://www.cybermaterial.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[CyberMaterial]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cybermaterial@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cybermaterial@substack.com]]></itunes:email><itunes:name><![CDATA[CyberMaterial]]></itunes:name></itunes:owner><itunes:author><![CDATA[CyberMaterial]]></itunes:author><googleplay:owner><![CDATA[cybermaterial@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cybermaterial@substack.com]]></googleplay:email><googleplay:author><![CDATA[CyberMaterial]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Cybercrime Syndicates Exploit Vishing and SSO Vulnerabilities for High-Speed Cloud Extortion ]]></title><description><![CDATA[The evolution of these tactics marks a significant shift in the cybercrime landscape, as threat actors move away from slow, malware-heavy infections toward agile, 
identity-based intrusions.]]></description><link>https://www.cybermaterial.com/p/cybercrime-syndicates-exploit-vishing</link><guid isPermaLink="false">https://www.cybermaterial.com/p/cybercrime-syndicates-exploit-vishing</guid><pubDate>Mon, 04 May 2026 12:27:44 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!R-G_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!R-G_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!R-G_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!R-G_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f638de62-e912-4520-996a-e05869af4cb7_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:446144,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/196414582?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!R-G_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!R-G_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff638de62-e912-4520-996a-e05869af4cb7_800x512.png 1456w" sizes="100vw" 
fetchpriority="high"></picture></div></a></figure></div><p>The evolution of these tactics marks a significant shift in the cybercrime landscape, as threat actors move away from slow, malware-heavy infections toward agile, identity-based intrusions. By targeting administrative accounts within Single Sign-On platforms, attackers can gain broad access to sensitive data stored across various cloud services, often completing their data theft and extortion demands within hours of the initial breach.<br><br>The initial phase of these attacks typically begins with a high-pressure voice phishing call, often referred to as vishing. 
In these scenarios, a threat actor poses as a member of the corporate IT help desk or security team, contacting a specific employee to report a fabricated technical issue. The goal is to convince the target to share their login credentials or to accept a push notification on their authentication app. Because these calls rely on social engineering and psychological manipulation rather than malicious software, they frequently bypass automated security filters that look for suspicious code or links.<br><br>Once the attackers gain entry into the corporate environment, they immediately target the Single Sign-On or SSO provider. SSO is designed to streamline user access by allowing one set of credentials to unlock multiple applications, but in the hands of a criminal, it becomes a master key. By abusing SSO configurations, the intruders can grant themselves persistent access to a wide array of Software-as-a-Service platforms, such as document storage, customer databases, and communication tools like Slack or Microsoft Teams. This centralized control allows them to navigate the network with the same privileges as a legitimate administrator.<br><br>After securing access to the various SaaS platforms, the group focuses on rapid data exfiltration rather than deploying ransomware to encrypt files. They identify the most sensitive corporate data&#8212;financial records, legal documents, or customer personal information&#8212;and transfer it to their own servers. The speed of this process is a defining characteristic of modern extortion groups; they aim to steal as much information as possible before the internal security team can detect the anomaly. 
By the time an alert is triggered, the data has often already left the company's control.</p><p>The extortion phase begins shortly after the data has been stolen. Instead of leaving a digital ransom note on a server, the attackers often contact company executives directly via email or even phone calls to demand payment. They threaten to leak the stolen data on public forums or sell it to competitors if their demands are not met. 
Because the attackers have already demonstrated their ability to move through the cloud environment at will, the pressure on the victim organization to pay is immense, as the threat of a massive data breach becomes an immediate reality.<br><br>Defending against these rapid-fire attacks requires a move beyond traditional antivirus software toward robust identity security and employee awareness. Organizations are being urged to implement more secure forms of multi-factor authentication, such as hardware keys, which are much harder to compromise through vishing. Additionally, monitoring for unusual behavior within SSO logs, such as logins from unexpected locations or at odd hours, is essential for catching these intruders before they can complete their mission. As cybercrime groups continue to refine their social engineering and cloud exploitation techniques, the speed of response has become the most critical factor in modern digital defense.</p><p><strong>Source</strong>: https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/ </p>]]></content:encoded></item><item><title><![CDATA[CISA Adds Major Linux Kernel Vulnerability to Known Exploited Vulnerabilities Catalog]]></title><description><![CDATA[The Cybersecurity and Infrastructure Security Agency recently expanded its Known Exploited Vulnerabilities catalog to include CVE-2026-31431, a logic flaw in the Linux kernel&#8217;s cryptographic template.]]></description><link>https://www.cybermaterial.com/p/cisa-adds-major-linux-kernel-vulnerability</link><guid 
isPermaLink="false">https://www.cybermaterial.com/p/cisa-adds-major-linux-kernel-vulnerability</guid><pubDate>Mon, 04 May 2026 12:25:31 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!v2kH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!v2kH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!v2kH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!v2kH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:530219,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/196414267?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!v2kH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!v2kH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1653392-b8ef-4bf2-be59-6f021cf3f87b_800x512.png 1456w" sizes="100vw" 
fetchpriority="high"></picture></div></a></figure></div><p>The Cybersecurity and Infrastructure Security Agency recently expanded its Known Exploited Vulnerabilities catalog to include CVE-2026-31431, a logic flaw in the Linux kernel&#8217;s cryptographic template. This vulnerability, discovered by researchers at Xint Code, affects a wide range of popular distributions including Ubuntu, Red Hat Enterprise Linux, SUSE, and Amazon Linux. The flaw is particularly dangerous because it allows a local user to execute a deterministic 4-byte write into the page cache of any readable file, which can lead to a full system takeover. 
Because the exploit targets memory rather than the physical disk, the changes are silent and difficult for traditional security tools to detect.<br><br>The technical root of the issue lies in the interaction between the kernel's crypto subsystem and the splice system call. By using an unprivileged AF_ALG socket, an attacker can map sensitive file pages into a cryptographic operation. A specific error in the authencesn algorithm causes the kernel to use the output buffer as a scratch space, inadvertently writing controlled data past the intended boundary. This extra write lands directly in the page cache of a chosen file, such as a setuid-root binary. Because the kernel does not mark these corrupted pages as dirty, the file on the disk remains original while the version running in memory is compromised.<br><br>To carry out the attack, an operator uses a small script to target a common binary like the su utility. After binding to the vulnerable cryptographic mode and setting the parameters, the attacker uses the recv system call to trigger the decryption process. This process repeats until enough shellcode has been injected into the cached version of the binary. When the attacker subsequently executes the utility, the kernel loads the corrupted code from the cache. 
Since the utility naturally runs with root privileges, the injected code provides the attacker with total control over the operating system.</p><p>Research shows that this vulnerability has been present in the Linux kernel since an optimization made in 2017. It is highly portable and effective across different architectures, making it a more reliable threat than previous kernel exploits like Dirty Cow. The simplicity of the exploit is a major concern, as a script under one kilobyte in size can consistently achieve root access on modern systems such as Ubuntu 24.04 or RHEL 10.1. 
Furthermore, because it exploits the shared page cache, the vulnerability can be used to escape Kubernetes containers and move laterally within cloud environments.<br><br>In response to the active exploitation of this flaw, CISA has issued a directive requiring federal agencies to remediate the vulnerability by May 15, 2026. While the mandate specifically applies to Federal Civilian Executive Branch agencies, cybersecurity experts strongly advise private organizations to prioritize patching their Linux infrastructure. Most major distributions have released updates to address the logic bug in the cryptographic subsystem, and administrators are encouraged to apply these kernel patches immediately to prevent unauthorized privilege escalation.</p><p><strong>Source</strong>: https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog </p>]]></content:encoded></item><item><title><![CDATA[PayPal Emails Hijacked for Tech Support Scams]]></title><description><![CDATA[Scammers have discovered a new method to exploit PayPal's email system, sending fraudulent messages that appear to be legitimate notifications from PayPal.]]></description><link>https://www.cybermaterial.com/p/paypal-emails-hijacked-for-tech-support</link><guid isPermaLink="false">https://www.cybermaterial.com/p/paypal-emails-hijacked-for-tech-support</guid><pubDate>Fri, 01 May 2026 12:10:40 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!7X1p!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8dde3228-694d-4a42-923c-ef82eb7c1a10_800x512.png" 
length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Scammers have discovered a new method to exploit PayPal's email system, sending fraudulent messages that appear to be legitimate notifications from PayPal. These emails, which are not spoofed and pass standard security checks, are designed to deceive recipients into believing there is an unauthorized charge on their account. The scam involves altering the subject line of PayPal payment notifications to include a fake tech support number, urging recipients to call and resolve the supposed issue.<br><br>The scam works by sending emails from PayPal's genuine address, service@paypal.com, with a misleading subject line that suggests a pending charge of $987.90. The body of the email, however, shows a trivial transaction amount, creating confusion and urgency for the recipient. 
The scammers include personalized details such as the recipient's name and a real transaction ID to enhance the email's authenticity. The phone number provided in the subject line is fake, while the legitimate PayPal contact number is buried within the email body.<br><br>The technical mechanism behind the altered subject line remains unclear. It is suspected that scammers may be exploiting PayPal's note or remittance field, which can appear in certain payout templates, including the email's subject line. This manipulation allows the scam email to pass security checks like DKIM, SPF, and DMARC, making it appear as a genuine PayPal communication.<br><br>The impact of this scam is significant, as it can lead to victims inadvertently providing sensitive information to scammers. Once contacted, these scammers may attempt to collect banking details, convince victims to install remote access tools, or gain control over their accounts and devices. This can result in financial loss and unauthorized access to personal information.<br><br></p><p>To protect against such scams, it is essential to stay informed about common phishing tactics and recognize red flags in suspicious emails. Always use verified contact methods to reach companies and avoid calling numbers listed in dubious emails. Report any suspicious PayPal emails to phishing@paypal.com and monitor your accounts for unusual activity. If you suspect you have been scammed, take immediate action by contacting your bank, changing compromised passwords, and running security scans on your devices. Utilizing tools like Malwarebytes Scam Guard can also help identify and prevent potential scams.</p><p><strong>Source</strong>: https://www.malwarebytes.com/blog/news/2026/04/more-paypal-emails-hijacked-to-deliver-tech-support-scams</p>]]></content:encoded></item><item><title><![CDATA[High-Risk AI Browser Extensions Exposed]]></title><description><![CDATA[Unit 42 has recently uncovered a significant threat posed by certain AI browser extensions.]]></description><link>https://www.cybermaterial.com/p/high-risk-ai-browser-extensions-exposed</link><guid isPermaLink="false">https://www.cybermaterial.com/p/high-risk-ai-browser-extensions-exposed</guid><pubDate>Fri, 
01 May 2026 12:09:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Y6GT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21d1fa4e-c2b0-4ca5-8dae-184a96b6634c_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Unit 42 has recently uncovered a significant threat posed by certain AI browser extensions. These extensions, which are often marketed as productivity tools, have been found to engage in malicious activities such as data theft, prompt interception, and password exfiltration. This discovery highlights the growing risks associated with seemingly benign software that users integrate into their daily digital routines.<br><br>The extensions in question are cleverly disguised, making them appear as useful tools for enhancing productivity. However, beneath this facade, they are designed to capture sensitive information from users. 
This includes intercepting prompts and exfiltrating passwords, which can lead to severe privacy breaches and potential financial loss for unsuspecting users.<br><br>Technically, these extensions operate by embedding themselves within the browser environment, where they gain access to a wide range of user data. Once installed, they can monitor user activity, capture keystrokes, and transmit collected information to external servers. This level of access allows them to bypass traditional security measures, making detection and prevention more challenging.<br><br>The impact of these malicious extensions is far-reaching, affecting both individual users and organizations. Personal data, including login credentials and sensitive communications, can be compromised, leading to identity theft and unauthorized access to accounts. For businesses, the risk extends to corporate data breaches and potential regulatory violations.<br></p><p>To mitigate these risks, users are advised to exercise caution when installing browser extensions. It is essential to verify the legitimacy of extensions by checking reviews and permissions before installation. Regularly reviewing and updating browser settings can also help in identifying and removing any suspicious extensions. Additionally, employing robust security software can provide an extra layer of protection against such threats.</p><p><strong>Source</strong>:  https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/</p>]]></content:encoded></item><item><title><![CDATA[PromptMink Malware Targets Crypto Trading Agents]]></title><description><![CDATA[A sophisticated malware campaign known as PromptMink has emerged, targeting the software development community, particularly those involved with autonomous crypto trading projects.]]></description><link>https://www.cybermaterial.com/p/promptmink-malware-targets-crypto</link><guid isPermaLink="false">https://www.cybermaterial.com/p/promptmink-malware-targets-crypto</guid><pubDate>Thu, 30 Apr 2026 12:26:18 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!EiPN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2e2f3-36bf-42a1-b99c-fb83aa49c5e8_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A sophisticated malware campaign known as PromptMink has emerged, targeting the software development community, particularly those involved with autonomous crypto trading projects. This campaign exploits AI coding assistants to introduce malicious code into legitimate projects, marking a new tactic in cybercriminal activities. The attack was first identified when a malicious npm package was introduced into a crypto trading agent project through a code commit co-authored by an AI model from Anthropic.<br><br>The attack began on February 28, 2026, with a commit to the open-source project openpaw-graveyard. This commit added a seemingly benign package, @solana-launchpad/sdk, which in turn imported a malicious package, @validate-sdk/v2. 
The latter masquerades as a data validation tool while secretly collecting sensitive credentials and sending them to a remote server controlled by attackers. This method of using AI tools to plant harmful code represents a significant shift in cybercriminal strategies.<br><br>ReversingLabs researchers were the first to uncover this campaign, which they named PromptMink. Their investigation revealed that the campaign is linked to the North Korean threat group Famous Chollima, known for previous attacks on software developers. The campaign uses a two-layer structure to evade detection, with the first layer appearing legitimate and the second containing the harmful code. Over 60 unique malicious packages have been identified, with no signs of the campaign ceasing.<br><br><br></p>
<p>The malware&#8217;s payload is designed to scan for sensitive files related to cryptocurrency transactions and exfiltrate them to an attacker-controlled server. On Linux systems, it also creates a persistent backdoor by adding the attacker&#8217;s SSH key to the victim&#8217;s machine. The campaign has evolved to include versions written in Rust, capable of stealing entire project directories, indicating a focus on intellectual property theft.<br><br>To mitigate the risk of such attacks, developers and security teams should thoroughly review AI-generated code commits and verify all new dependencies through trusted sources. Monitoring for unusual network activity and auditing SSH authorized keys files are also recommended practices to detect and prevent unauthorized access. 
These measures are essential to safeguarding development environments from sophisticated supply chain attacks like PromptMink.</p><p><strong>Source</strong>:  https://cybersecuritynews.com/claude-generated-commit-adds-promptmink-malware/ </p>]]></content:encoded></item><item><title><![CDATA[Vidar Rises to Top of Chaotic Infostealer Market]]></title><description><![CDATA[Vidar, a credential-stealing malware that has been active since 2018, has recently ascended to the top of the infostealer market.]]></description><link>https://www.cybermaterial.com/p/vidar-rises-to-top-of-chaotic-infostealer</link><guid isPermaLink="false">https://www.cybermaterial.com/p/vidar-rises-to-top-of-chaotic-infostealer</guid><pubDate>Thu, 30 Apr 2026 12:22:16 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!s6Vh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!s6Vh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!s6Vh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!s6Vh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/597e51cf-4467-41b4-8f97-623e06235263_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:373228,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195988310?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!s6Vh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!s6Vh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F597e51cf-4467-41b4-8f97-623e06235263_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Vidar, a credential-stealing malware that has been active since 2018, has recently ascended to the top of the infostealer market. This rise follows the takedown of its two major competitors, Lumma and Rhadamanthys, by law enforcement last year. Vidar's author capitalized on this disruption by releasing a significant upgrade and expanding its distribution network, making it a favored choice among cybercriminals, according to a report by Intrinsec.<br><br>The report from Intrinsec highlights Vidar's dominance on the Russian Market, a prominent cybercrime marketplace, since late 2025. The malware has become a go-to tool for various threat actors, including high-profile groups like Scattered Spider. Vidar's broad-spectrum capabilities allow it to harvest a wide range of sensitive data, such as passwords, cookies, and session tokens from major web browsers, as well as cryptocurrency wallet information. 
This data is often sold on underground marketplaces, enabling further malicious activities like account takeovers and ransomware deployment.<br><br></p>
<p>Vidar&#8217;s distribution methods are diverse, with attackers employing phishing emails, social engineering tactics on platforms like YouTube, and Trojanized software packages to spread the malware. A notable strategy involves collaboration with &#8216;Cloud&#8217; channels on Telegram, where cybercriminals share stolen credential logs. 
These channels, with names like Kata Cloud and Omega Cloud, have significantly contributed to Vidar&#8217;s popularity by advertising its capabilities to potential clients.<br><br>The malware&#8217;s infrastructure is designed to withstand takedown attempts. Vidar uses &#8216;dead drop resolvers&#8217; to conceal its command-and-control (C2) systems, embedding C2 addresses within legitimate public platforms like Telegram. This method allows the malware to dynamically retrieve C2 details, making it difficult for defenders to detect and block its communications.<br><br>To defend against Vidar, Intrinsec recommends several measures. Organizations should enable multifactor authentication for accounts related to web browsers to reduce the risk of credential theft. Additionally, deploying DNS filtering and secure web gateways can help block access to known malicious domains and IP addresses. Using sandbox solutions to analyze email attachments and URLs can further enhance protection against this pervasive threat.</p><p><strong>Source</strong>:  https://www.darkreading.com/vulnerabilities-threats/vidar-top-chaotic-infostealer-market </p>]]></content:encoded></item><item><title><![CDATA[GitHub fixes critical remote code execution flaw]]></title><description><![CDATA[GitHub swiftly addressed a critical security vulnerability in their internal git infrastructure that could have led to remote code execution.]]></description><link>https://www.cybermaterial.com/p/github-fixes-critical-remote-code</link><guid isPermaLink="false">https://www.cybermaterial.com/p/github-fixes-critical-remote-code</guid><pubDate>Wed, 29 Apr 2026 12:13:29 
GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Hait!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Hait!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Hait!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!Hait!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!Hait!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!Hait!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Hait!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:185596,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195862550?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Hait!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!Hait!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!Hait!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!Hait!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01cbcf6b-2979-4da0-938a-b4869460d482_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>GitHub swiftly addressed a critical security vulnerability in their internal git infrastructure that could have led to remote code execution. The flaw was discovered by Wiz Research, who utilized AI models to identify the potential threat. This vulnerability posed a significant risk as it could have allowed attackers to access millions of public and private code repositories hosted on GitHub's platform.<br><br>Upon receiving the bug bounty report, GitHub's security team acted promptly to validate the findings. Within 40 minutes, they managed to reproduce the vulnerability internally and confirmed its severity. 
This rapid response was crucial in mitigating the risk associated with the vulnerability.<br><br>The technical details of the vulnerability have not been disclosed, but it was significant enough to warrant immediate attention from GitHub's engineering team. They worked diligently to develop and deploy a fix in less than six hours, showcasing their commitment to maintaining the security of their platform.<br><br></p>
<p>The impact of this vulnerability could have been severe, potentially exposing millions of code repositories to unauthorized access. 
Such access could have led to data breaches or manipulation of code, affecting both individual developers and organizations relying on GitHub for their software development needs.<br><br>To ensure continued security, users are encouraged to stay informed about updates from GitHub and apply any recommended security measures. GitHub&#8217;s quick response highlights the importance of having robust security protocols and a responsive team to address vulnerabilities as they arise.</p><p><strong>Source</strong>:  https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854</p>]]></content:encoded></item><item><title><![CDATA[Critical Flaw in Vect Ransomware]]></title><description><![CDATA[A significant flaw has been discovered in the Vect 2.0 ransomware, which causes it to wipe large files instead of encrypting them, rendering recovery impossible.]]></description><link>https://www.cybermaterial.com/p/critical-flaw-in-vect-ransomware</link><guid isPermaLink="false">https://www.cybermaterial.com/p/critical-flaw-in-vect-ransomware</guid><pubDate>Wed, 29 Apr 2026 12:11:48 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!zeTA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!zeTA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zeTA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zeTA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:287017,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195862322?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zeTA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!zeTA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe361e0c0-4568-4f18-8036-77c92a0125ca_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A significant flaw has been discovered in the Vect 2.0 ransomware, which causes it to wipe large files instead of encrypting them, rendering recovery impossible. This flaw was identified by Check Point Research during an investigation into the latest version of the ransomware. Vect is a ransomware-as-a-service (RaaS) program that has been active since December 2025 and has gained notoriety through partnerships with other cybercriminal groups.<br><br>Vect 2.0 was launched in February 2026 and is written in C++, supporting Windows, Linux, and VMware ESXi systems. The ransomware was allegedly built from scratch and includes features such as cloud lockers targeting various cloud storage services. 
However, the encryption implementation contains a critical flaw that discards three out of four decryption nonces, leading to the permanent destruction of files larger than 128 KB.<br><br>The encryption system uses raw ChaCha20-IETF without authentication, contrary to the advertised ChaCha20-Poly1305 AEAD. This lack of integrity protection effectively turns Vect into a wiper for files containing important data, including virtual machine disks, databases, and backups. The flaw is present across all publicly available versions of Vect and affects all targeted platforms.</p><p>Check Point Research also identified several additional bugs and design failures in Vect 2.0, such as ineffective string obfuscation and a thread scheduler that degrades performance. 
Despite its ambitious threat profile and multi-platform coverage, the technical implementation of Vect 2.0 falls short of its claims.<br><br>Organizations using Windows, Linux, or VMware ESXi systems should ensure their security measures are up to date to protect against ransomware threats. It is advisable to implement additional protective measures and regularly back up critical data to mitigate the impact of potential ransomware attacks.</p><p><strong>Source</strong>:  https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/ </p>]]></content:encoded></item><item><title><![CDATA[Sandworm Uses SSH-over-Tor Tunnel]]></title><description><![CDATA[Sandworm, a state-sponsored threat group also known as FROZENBARENTS, has adopted a new technique involving SSH-over-Tor tunneling to maintain long-term, covert access to targeted networks.]]></description><link>https://www.cybermaterial.com/p/sandworm-uses-ssh-over-tor-tunnel</link><guid isPermaLink="false">https://www.cybermaterial.com/p/sandworm-uses-ssh-over-tor-tunnel</guid><pubDate>Tue, 28 Apr 2026 12:29:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!c874!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!c874!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!c874!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!c874!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!c874!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!c874!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!c874!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a1f49a64-d253-4853-b761-3a274fa6125c_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:553886,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195743124?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!c874!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!c874!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!c874!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!c874!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f49a64-d253-4853-b761-3a274fa6125c_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Sandworm, a state-sponsored threat group also known as FROZENBARENTS, has adopted a new technique involving SSH-over-Tor tunneling to maintain long-term, covert access to targeted networks. This development marks a significant evolution in their tradecraft, allowing them to remain undetected for extended periods. Sandworm has been active since 2014 and is known for targeting government bodies, energy firms, and research institutions, primarily for intelligence collection purposes.<br><br>The attack typically begins with spear-phishing, a common tactic used by threat actors to gain initial access to a network. Once inside, Sandworm employs SSH-over-Tor tunneling to establish a secure and anonymous communication channel. 
This method enables them to bypass traditional security measures and maintain persistence within the network without raising alarms.</p><p>SSH-over-Tor tunneling combines the secure shell (SSH) protocol with the anonymity network Tor. This combination provides a double layer of security and anonymity, making it challenging for defenders to detect and trace the malicious activity back to its source. 
By using this technique, Sandworm can effectively hide their presence and activities from network monitoring tools.<br><br>The impact of this new tactic is significant, as it allows Sandworm to conduct prolonged espionage operations without detection. Organizations in the targeted sectors face increased risks of data breaches and intelligence theft, which can have severe consequences for national security and business operations.<br><br>To counter this threat, organizations should enhance their network monitoring capabilities and implement advanced security measures. This includes deploying intrusion detection systems, conducting regular security audits, and training employees to recognize spear-phishing attempts. By taking these steps, organizations can better protect themselves against sophisticated threats like those posed by Sandworm.</p><p><strong>Source</strong>:  https://gbhackers.com/ssh-over-tor-tunnel/</p>]]></content:encoded></item><item><title><![CDATA[Fake CAPTCHA scam leads to costly phone bills]]></title><description><![CDATA[A recent investigation by researchers has revealed a deceptive campaign that exploits fake CAPTCHA pages to trick mobile users into incurring hefty international SMS charges.]]></description><link>https://www.cybermaterial.com/p/fake-captcha-scam-leads-to-costly</link><guid isPermaLink="false">https://www.cybermaterial.com/p/fake-captcha-scam-leads-to-costly</guid><pubDate>Tue, 28 Apr 2026 12:27:59 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!wuem!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wuem!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wuem!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!wuem!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!wuem!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!wuem!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wuem!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:344944,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195741674?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wuem!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!wuem!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!wuem!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!wuem!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9eca8c35-60ea-4d48-a0e3-f5e48252c204_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A recent investigation by researchers has revealed a deceptive campaign that exploits fake CAPTCHA pages to trick mobile users into incurring hefty international SMS charges. 
This scam, known as International Revenue Share Fraud (IRSF), takes advantage of the complex pricing structures of international calls and SMS traffic to generate revenue for cybercriminals without the need to install malware on the victim's device.</p><p>The scam operates by luring victims through malvertising or redirects from typosquatted telecom domains to a page mimicking a CAPTCHA. Instead of verifying the user as human, the page prompts them to send prefilled SMS messages to multiple international numbers. 
These numbers are strategically chosen from countries with high termination fees, such as Azerbaijan, Myanmar, and Egypt, resulting in significant charges on the victim&#8217;s phone bill.<br><br>To ensure victims remain trapped, the scam employs back-button hijacking techniques using JavaScript, which prevents users from easily leaving the page. The campaign is further supported by a Click2SMS-style affiliate network that promotes the scam as a monetization strategy for dubious publishers, defrauding both individuals and telecom carriers.<br><br>The impact on victims includes unexpected premium SMS charges and difficulties in tracing the source of these charges. Telecom carriers also suffer financial losses due to revenue-sharing agreements with the perpetrators and potential chargebacks from customer disputes.<br><br>To protect against such scams, users should never send SMS messages to verify CAPTCHAs, as legitimate CAPTCHAs do not require such actions. Regularly reviewing mobile bills for unfamiliar charges and disputing them promptly is advised. 
Additionally, users can enhance their security by using mobile protection apps that block known malicious sites associated with these scams.</p><p><strong>Source</strong>:  https://www.malwarebytes.com/blog/news/2026/04/fake-captcha-scam-turns-a-quick-click-into-a-costly-phone-bill</p>]]></content:encoded></item><item><title><![CDATA[Phishing Campaign Targeting Robinhood Users]]></title><description><![CDATA[A new phishing campaign has been identified targeting users of the financial services platform Robinhood.]]></description><link>https://www.cybermaterial.com/p/phishing-campaign-targeting-robinhood</link><guid isPermaLink="false">https://www.cybermaterial.com/p/phishing-campaign-targeting-robinhood</guid><pubDate>Mon, 27 Apr 2026 12:40:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!k6fE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9b99e1-0a2c-47cf-be9e-ad44f4fd39a0_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A new phishing campaign has been identified targeting users of the financial services platform Robinhood. Ripple's former Chief Technology Officer, David Schwartz, has issued a warning about this threat, which is exploiting users through emails that mimic official Robinhood communications. This campaign is particularly concerning as it coincides with the period leading up to Robinhood's earnings report, a time when users may be more susceptible to such scams due to increased communication from the company.<br><br>The phishing emails are crafted to appear as though they are legitimate messages from Robinhood, making it challenging for users to distinguish them from genuine communications. These emails may include links or attachments that, when interacted with, could lead to the compromise of sensitive personal information. 
The attackers are leveraging the timing of Robinhood's earnings report to increase the likelihood of users engaging with these fraudulent emails.</p><p>Technically, the phishing emails are designed to bypass common email security filters by closely mimicking the appearance and language of official Robinhood correspondence. This includes using similar email addresses, logos, and formatting to deceive recipients. 
Such tactics are a common method used by cybercriminals to gain trust and prompt users to take actions that could compromise their accounts.<br><br>The impact of this phishing campaign could be significant, potentially leading to unauthorized access to users&#8217; financial accounts and personal data. If successful, attackers could exploit this information for financial gain or further identity theft. Robinhood users are at risk of losing funds or having their personal information exposed if they fall victim to this scam.<br><br>To protect themselves, Robinhood users should remain vigilant and skeptical of any unsolicited emails claiming to be from the company. It is advisable to verify the authenticity of any communication by contacting Robinhood directly through official channels. Users should avoid clicking on links or downloading attachments from suspicious emails and ensure their email security settings are up to date to help filter out potential phishing attempts.</p><p><strong>Source</strong>:  </p><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://x.com/JoelKatz/status/2048623679316406371&quot;,&quot;full_text&quot;:&quot;WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts.\n\nExample: &quot;,&quot;username&quot;:&quot;JoelKatz&quot;,&quot;name&quot;:&quot;David 'JoelKatz' 
Schwartz&quot;,&quot;profile_image_url&quot;:&quot;https://pbs.substack.com/profile_images/1972758602919428096/tFRw7C7s_normal.jpg&quot;,&quot;date&quot;:&quot;2026-04-27T04:42:01.000Z&quot;,&quot;photos&quot;:[{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/HG4sVjnakAE8xmd.png&quot;,&quot;link_url&quot;:&quot;https://t.co/oJilpQqJdp&quot;}],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:81,&quot;retweet_count&quot;:235,&quot;like_count&quot;:1091,&quot;impression_count&quot;:48048,&quot;expanded_url&quot;:null,&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div>]]></content:encoded></item><item><title><![CDATA[Pack2TheRoot Linux Vulnerability]]></title><description><![CDATA[A newly discovered vulnerability, dubbed 'Pack2TheRoot', has been found in PackageKit, a widely used package management system in Linux environments.]]></description><link>https://www.cybermaterial.com/p/pack2theroot-linux-vulnerability</link><guid isPermaLink="false">https://www.cybermaterial.com/p/pack2theroot-linux-vulnerability</guid><pubDate>Mon, 27 Apr 2026 12:39:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!uPfi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa98f9a63-7a43-45d3-81f4-54cc8e11bcc6_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A newly discovered vulnerability, dubbed 'Pack2TheRoot', has been found in PackageKit, a widely used package management system in Linux environments. This security flaw is particularly concerning as it allows unprivileged users to escalate their privileges to root level, posing a significant risk to system integrity and security.</p><p>The vulnerability arises from a race condition within PackageKit. Race conditions occur when a system&#8217;s behavior is dependent on the sequence or timing of uncontrollable events, leading to unpredictable outcomes. In this case, the flaw allows attackers to manipulate the package installation process, gaining unauthorized root access.<br><br>Technical details reveal that the issue is easily exploitable, making it a high-priority concern for systems running PackageKit. The vulnerability affects systems that rely on PackageKit for managing software packages, which includes a wide range of Linux distributions. The exploitability of this flaw means that attackers with minimal privileges can potentially gain full control over affected systems.<br><br>The impact of this vulnerability is significant, as gaining root access allows attackers to execute any command, modify system settings, and access sensitive data. This could lead to data breaches, system disruptions, and unauthorized access to critical infrastructure.<br><br>To protect against this vulnerability, users and administrators are advised to update their systems to the latest version of PackageKit, where the issue has been addressed. 
Regularly applying security patches and updates is essential to maintaining system security and protecting against potential exploits.</p><p><strong>Source</strong>:  https://www.securityweek.com/easily-exploitable-pack2theroot-linux-vulnerability-leads-to-root-access/</p>]]></content:encoded></item><item><title><![CDATA[Vidar Infostealer Spreads via Fake CAPTCHAs]]></title><description><![CDATA[A new variant of the Vidar infostealer malware is making rounds, employing deceptive tactics to infiltrate systems.]]></description><link>https://www.cybermaterial.com/p/vidar-infostealer-spreads-via-fake</link><guid isPermaLink="false">https://www.cybermaterial.com/p/vidar-infostealer-spreads-via-fake</guid><pubDate>Mon, 27 Apr 2026 12:36:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!xJq4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xJq4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!xJq4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xJq4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:239656,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195621616?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!xJq4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!xJq4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45fa8f48-3e2d-4db3-89e1-d525c50fe2ed_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A new variant of the Vidar infostealer malware is making rounds, employing deceptive tactics to infiltrate systems. This version is distributed through fake CAPTCHA challenges, a method designed to trick users into downloading malicious files. Once the user interacts with these fake CAPTCHAs, the malware is delivered, often concealed within JPEG and TXT files.<br><br>Vidar infostealer is known for its ability to extract sensitive information from infected systems. This includes data from web browsers and cryptocurrency wallets, making it particularly dangerous for individuals who store financial information online. The malware's use of fileless attack techniques allows it to execute without leaving a trace on the hard drive, making detection more challenging.<br><br></p><div><hr></div><p>The technical sophistication of Vidar&#8217;s latest iteration lies in its ability to hide within seemingly innocuous file types. By embedding itself in JPEG and TXT files, it bypasses traditional security measures that might not scrutinize these file types as rigorously. This method of delivery is part of a broader trend where cybercriminals use everyday file formats to mask their malicious activities.<br><br>The impact of this malware can be severe, especially for users who are unaware of the threat. Compromised browser data can lead to unauthorized access to online accounts, while stolen cryptocurrency wallet information can result in financial loss. The stealthy nature of fileless attacks further exacerbates the risk, as users may not realize their systems have been compromised until it&#8217;s too late.<br><br>To protect against this threat, users should be vigilant when encountering CAPTCHA prompts, especially those that appear unexpectedly. It&#8217;s advisable to keep security software updated to detect and block such malware. 
Additionally, users should regularly back up important data and consider using multi-factor authentication to secure online accounts.</p><p><strong>Source</strong>: https://hackread.com/vidar-infostealer-fake-captchas-jpeg-txt-files/</p>]]></content:encoded></item><item><title><![CDATA[Fake CAPTCHA Scam Triggers SMS Fraud]]></title><description><![CDATA[Cybercriminals have devised a new method to exploit fake CAPTCHA pages, turning these routine security checks into a tool for international SMS fraud.]]></description><link>https://www.cybermaterial.com/p/fake-captcha-scam-triggers-sms-fraud</link><guid isPermaLink="false">https://www.cybermaterial.com/p/fake-captcha-scam-triggers-sms-fraud</guid><pubDate>Fri, 24 Apr 2026 12:44:52 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Z1vA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Z1vA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!Z1vA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Z1vA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a2b080f8-5bec-4e10-85d2-472598e91754_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:120552,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195343952?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!Z1vA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!Z1vA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2b080f8-5bec-4e10-85d2-472598e91754_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Cybercriminals have devised a new method to exploit fake CAPTCHA pages, turning these routine security checks into a tool for international SMS fraud. This scheme involves tricking users into participating in international revenue share fraud, a type of scam where attackers profit from inflated phone charges. The fraudulent activity is masked behind seemingly legitimate CAPTCHA requests, which users encounter during their online activities.<br><br>The attackers set up lookalike and scam domains that mimic legitimate websites. These domains are part of a traffic distribution system (TDS) that eventually leads victims to a fake CAPTCHA page. Once users interact with these pages, they unknowingly become part of the fraud scheme. The process is designed to be seamless, making it difficult for users to detect the scam until they notice unusual charges on their phone bills.<br><br></p><div><hr></div><p>Technically, the scam operates by redirecting users through a series of web pages that culminate in the fake CAPTCHA. This redirection is orchestrated by the TDS, which is a network of compromised or malicious websites designed to funnel traffic to the scam pages. 
The fake CAPTCHA pages are crafted to look convincing, often indistinguishable from legitimate ones, which increases the likelihood of users falling victim to the scam.<br><br>The impact of this scam is significant, as it can lead to unexpected charges on victims&#8217; phone bills due to the international revenue share fraud mechanism. This type of fraud not only affects individual users but can also have broader implications for telecom companies and service providers, who may face increased customer complaints and potential financial losses.<br><br>To mitigate the risk of falling victim to this scam, users should exercise caution when encountering CAPTCHA requests, especially on unfamiliar websites. It is advisable to verify the legitimacy of a website before entering any personal information. Additionally, users should regularly monitor their phone bills for any unusual charges and report suspicious activity to their service providers immediately.</p><p><strong>Source</strong>: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/</p>]]></content:encoded></item><item><title><![CDATA[Hackers Exploit PowerShell Script for Telegram Hijack]]></title><description><![CDATA[Cybercriminals are employing a novel method to hijack Telegram sessions by utilizing a PowerShell script hosted on Pastebin.]]></description><link>https://www.cybermaterial.com/p/hackers-exploit-powershell-script</link><guid isPermaLink="false">https://www.cybermaterial.com/p/hackers-exploit-powershell-script</guid><pubDate>Fri, 24 Apr 2026 12:42:42 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!j4Hp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!j4Hp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!j4Hp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!j4Hp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:550645,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195343632?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!j4Hp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!j4Hp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc98f425-fff5-40f8-bc4c-5daf13fa0d97_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Cybercriminals are employing a novel method to hijack Telegram sessions by utilizing a PowerShell script hosted on Pastebin. This script is disguised as a Windows telemetry update, providing a unique opportunity for cybersecurity professionals to observe the construction and testing of such malicious tools.<br><br>Unlike traditional malware that often seeks to extract passwords or browser credentials, this particular script is designed specifically to target Telegram's desktop client data. 
By focusing solely on session data, the attackers can potentially gain unauthorized access to Telegram accounts without needing to compromise other sensitive information.<br></p><p>The script&#8217;s presence on Pastebin, a popular text storage site, allows it to be easily distributed and accessed by potential attackers. 
This method of delivery also helps the script evade detection by traditional security measures, which may not flag it as suspicious due to its appearance as a legitimate Windows update.<br><br>The impact of this attack vector is significant for users of Telegram&#8217;s desktop client, as it could lead to unauthorized access to private communications and data. This highlights the ongoing need for vigilance and robust security practices among users of messaging platforms.<br><br>To mitigate the risk of such attacks, users should be cautious of unexpected updates and verify the authenticity of any scripts before executing them. Employing comprehensive security solutions and staying informed about emerging threats can also help protect against session hijacking attempts.</p><p><strong>Source</strong>:  https://flare.io/learn/resources/blog/telegram-session-stealerpastebin-hosted-powershell-script-targets-desktop-web-sessions </p>]]></content:encoded></item><item><title><![CDATA[Trigona Ransomware Uses Custom Exfiltration Tool]]></title><description><![CDATA[The Trigona ransomware group has adopted a new strategy by employing a custom-developed tool for data exfiltration in their recent attacks.]]></description><link>https://www.cybermaterial.com/p/trigona-ransomware-uses-custom-exfiltration</link><guid isPermaLink="false">https://www.cybermaterial.com/p/trigona-ransomware-uses-custom-exfiltration</guid><pubDate>Thu, 23 Apr 2026 12:51:12 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!onxa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!onxa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!onxa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!onxa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!onxa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!onxa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!onxa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png" width="800" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ebcc795e-82dc-4114-b339-079aab84f11f_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:699272,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195234807?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!onxa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!onxa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!onxa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!onxa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Febcc795e-82dc-4114-b339-079aab84f11f_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>The Trigona ransomware group has adopted a new strategy by employing a custom-developed tool for data exfiltration in their recent attacks. This marks a departure from the typical use of off-the-shelf utilities like Rclone or MegaSync, which are commonly used by ransomware groups. The attacks, which took place in March 2026, indicate a significant evolution in the tactics of Trigona affiliates, although the exact reasons for this shift remain unclear. It is speculated that the move towards proprietary tools is an attempt to avoid detection by security solutions that are adept at identifying known utilities.<br><br>The custom tool, named uploader_client.exe, is a command-line utility that connects to a hardcoded server controlled by the attackers. 
It features several advanced capabilities, including the ability to use multiple parallel connections for rapid data transfer and the ability to rotate TCP connections to evade network monitoring. Additionally, the tool allows attackers to filter out low-value files and uses an authentication key to secure access to the stolen data. This tool was observed targeting high-value documents such as invoices and PDFs stored on networked drives.<br><br></p><p>Before deploying the custom uploader, attackers attempted to disable security measures using a variety of tools. 
They installed the Huorong Network Security Suite tool HRSword as a kernel driver service and used other security-disabling tools like PCHunter and Gmer. These tools exploited vulnerable kernel drivers to terminate endpoint protection processes, allowing the attackers to operate with elevated privileges. Remote access was gained through AnyDesk, and credential theft was conducted using tools like Mimikatz.<br><br>The creation of a custom exfiltration tool suggests a higher level of technical sophistication among the attackers. While developing such tools requires significant resources, they offer a level of stealth that generic tools cannot achieve until they are discovered by security researchers. This approach reflects a growing trend among ransomware groups to develop proprietary tools to maintain an advantage over security defenses.<br><br>Organizations should take proactive measures to protect against such sophisticated attacks. This includes monitoring for unusual network activity, especially connections to unknown IP addresses, and ensuring that security solutions are updated to detect custom malware tools. 
Additionally, organizations should regularly review and update their security protocols to address vulnerabilities that could be exploited by attackers using advanced techniques.</p><p><strong>Source</strong>:  https://symantec-enterprise-blogs.security.com/threat-intelligence/trigona-exfiltration-custom</p>]]></content:encoded></item><item><title><![CDATA[New Attacks on AI Assistants]]></title><description><![CDATA[Cybersecurity researchers at Forcepoint have identified a new type of attack targeting AI assistants, specifically focusing on GitHub Copilot.]]></description><link>https://www.cybermaterial.com/p/new-attacks-on-ai-assistants</link><guid isPermaLink="false">https://www.cybermaterial.com/p/new-attacks-on-ai-assistants</guid><pubDate>Thu, 23 Apr 2026 12:50:03 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qKu4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qKu4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!qKu4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qKu4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:572479,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195234383?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!qKu4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!qKu4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff31c16a1-381a-4bfc-b12a-4cb7b5325a97_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Cybersecurity researchers at Forcepoint have identified a new type of attack targeting AI assistants, specifically focusing on GitHub Copilot. These attacks involve indirect prompt injection, a method that uses hidden code within websites to manipulate the AI's responses and actions.<br><br>The discovery highlights a significant vulnerability in AI systems that rely on external inputs to generate responses. By embedding malicious code within a website, attackers can indirectly influence the AI assistant's behavior without direct interaction. This method poses a risk as it can be executed without the user's knowledge, making it a stealthy and effective attack vector.<br></p><p>Technically, the attack works by embedding specific commands or prompts within the HTML or JavaScript of a webpage. When an AI assistant like GitHub Copilot accesses this page, it inadvertently processes these hidden commands, potentially leading to unintended actions or data exposure. This type of attack exploits the AI&#8217;s reliance on external data sources, which are often assumed to be benign.<br><br>The impact of such attacks can be significant, especially for developers and organizations that rely on AI assistants for coding and automation tasks. If an AI assistant is compromised, it could lead to the introduction of vulnerabilities in software projects or unauthorized data access. This raises concerns about the security of AI-driven development environments.<br><br>To mitigate these risks, users and developers should be cautious about the websites they visit and the data they allow AI systems to access. Implementing security measures such as input validation and monitoring AI interactions with external sources can help protect against these indirect prompt injection attacks. 
Additionally, staying informed about emerging threats and regularly updating security protocols is essential for safeguarding AI systems.</p><p><strong>Source</strong>:  https://hackread.com/hackers-hidden-site-instruction-attack-ai-assistants/</p>]]></content:encoded></item><item><title><![CDATA[Namastex npm Packages Deliver CanisterWorm Malware]]></title><description><![CDATA[A new supply chain threat has emerged within the npm ecosystem, involving malicious versions of packages from Namastex.ai that deliver the CanisterWorm malware.]]></description><link>https://www.cybermaterial.com/p/namastex-npm-packages-deliver-canisterworm</link><guid isPermaLink="false">https://www.cybermaterial.com/p/namastex-npm-packages-deliver-canisterworm</guid><pubDate>Wed, 22 Apr 2026 12:48:52 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DgGe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DgGe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!DgGe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DgGe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a1415c58-1bea-4a64-9388-514e9ca72752_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:317078,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195029139?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!DgGe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!DgGe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1415c58-1bea-4a64-9388-514e9ca72752_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A new supply chain threat has emerged within the npm ecosystem, involving malicious versions of packages from Namastex.ai that deliver the CanisterWorm malware. This malware acts as a self-propagating backdoor, mirroring the tactics of the threat actor known as TeamPCP. The attack involves replacing legitimate package contents with infected code, which then spreads across namespaces accessible via stolen credentials.<br><br>The threat actor gained access to npm publishing tokens, likely through a compromised CI/CD pipeline, allowing them to strip original functionality from legitimate packages and replace it with malicious code. These packages were then republished under the same trusted names, making detection challenging for developers and automated security tools. 
The campaign, identified by researchers at Socket.dev, expanded to over 135 malicious package artifacts across more than 64 unique packages by March 2026.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5d1O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" width="1323" height="595" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:595,&quot;width&quot;:1323,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:926153,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/188897965?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"></picture></div></a></figure></div><p>The CanisterWorm malware communicates with its operators using an Internet Computer Protocol (ICP) canister, acting as a command and control channel. This design allows attackers to rotate payloads without altering the implant on infected systems, making it resistant to standard takedown efforts. 
The malware&#8217;s worm-like behavior is triggered by a hidden postinstall hook that steals npm authentication tokens and uses them to propagate the infection across the npm registry.<br><br>Once installed, the malware collects a wide range of sensitive data, including environment variables, SSH keys, cloud credentials, and browser login storage. This data is exfiltrated using RSA public key encryption over HTTPS to the ICP canister endpoint. If no RSA key is available, the malware defaults to plaintext delivery.<br><br>Teams using Namastex.ai npm packages should treat all recent versions as potentially compromised. It is advised to immediately rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys from affected systems. Additionally, auditing package publish histories for unexplained version changes and enabling install-time script analysis can help detect and prevent further infections. Python environments sharing the same credentials should also be reviewed due to observed cross-ecosystem propagation logic targeting PyPI.</p><p><strong>Source</strong>: https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm </p>]]></content:encoded></item><item><title><![CDATA[Harvester Expands Toolset with GoGra Backdoor]]></title><description><![CDATA[The Harvester APT group has introduced a new Linux variant of its GoGra backdoor, which is designed to evade detection by using legitimate Microsoft services for its command-and-control (C2) operations.]]></description><link>https://www.cybermaterial.com/p/harvester-expands-toolset-with-gogra</link><guid 
isPermaLink="false">https://www.cybermaterial.com/p/harvester-expands-toolset-with-gogra</guid><pubDate>Wed, 22 Apr 2026 12:47:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!BxyR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BxyR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BxyR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BxyR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png" 
width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:614186,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195029027?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BxyR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!BxyR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecb2006c-f1ca-45a5-835c-dcf4532953fa_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>The Harvester APT group has introduced a new Linux variant of its GoGra backdoor, which is designed to evade detection by using legitimate Microsoft services for its command-and-control (C2) operations. This development marks an expansion of Harvester's capabilities, as the group has previously been associated with Windows-based espionage campaigns. The new Linux malware has been linked to these past activities through code similarities, indicating a strategic move towards cross-platform operations by the threat actor.<br><br>The GoGra backdoor leverages the Microsoft Graph API and Outlook mailboxes to establish a covert C2 channel, effectively bypassing traditional perimeter network defenses. This tactic allows the malware to communicate with its operators without raising suspicion. 
The Symantec and Carbon Black Threat Hunter Team have identified this new Linux malware as part of Harvester's ongoing efforts to enhance its espionage capabilities. Initial submissions to VirusTotal suggest that the primary targets of this campaign are located in India and Afghanistan, with localized decoy documents being used to tailor attacks to specific regional demographics.<br><br>Technically, the attackers use social engineering to gain initial access to victim networks, relying on decoy documents that appear to be legitimate files. The files are made to look like standard documents by appending an extension such as ".pdf" with a subtle space, while they still execute as Linux binaries. The malware then uses a Go dropper that embeds and executes a 5.9 MB i386 executable, which writes its payload to a specific directory and persists across system reboots by setting up a systemd user unit and an XDG autostart entry.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5d1O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, 
https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" width="1323" height="595" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:595,&quot;width&quot;:1323,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:926153,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/188897965?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, 
https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"></picture></div></a></figure></div><p>One of the most significant features of this backdoor is its use of hardcoded Azure AD application credentials to request OAuth2 tokens from Microsoft. This allows the malware to poll a specific mailbox folder at regular intervals, filtering for emails with specific subject lines. Upon receiving a command, the malware decrypts the message, executes the payload, and sends the results back to the operator, all while deleting the original tasking message to cover its tracks. This sophisticated use of Microsoft infrastructure highlights the advanced nature of Harvester&#8217;s operations.<br><br>Security professionals should be vigilant in monitoring for indicators of compromise associated with the GoGra backdoor and ensure that their defenses are updated to detect and mitigate this threat. Organizations in the targeted regions, particularly in South Asia, should be especially cautious and consider implementing additional security measures to protect against potential espionage activities by the Harvester group. 
For the latest protection updates, consulting resources such as the Symantec Protection Bulletin is recommended.</p><p><strong>Source</strong>: https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra </p>]]></content:encoded></item><item><title><![CDATA[North Korean Hackers Target Financial Organizations]]></title><description><![CDATA[North Korean hackers have launched new campaigns targeting financial organizations, specifically those involved in cryptocurrency, venture capital, and blockchain.]]></description><link>https://www.cybermaterial.com/p/north-korean-hackers-target-financial</link><guid isPermaLink="false">https://www.cybermaterial.com/p/north-korean-hackers-target-financial</guid><pubDate>Wed, 22 Apr 2026 12:46:51 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cSTH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cSTH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!cSTH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cSTH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png" width="800" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:553906,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/195026555?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" 
alt="" srcset="https://substackcdn.com/image/fetch/$s_!cSTH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 424w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 848w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 1272w, https://substackcdn.com/image/fetch/$s_!cSTH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb8f04-72c5-4670-a9a3-959c3acb84b6_800x512.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>North Korean hackers have launched new campaigns targeting financial organizations, specifically those involved in cryptocurrency, venture capital, and blockchain. These attacks are part of a broader strategy to infiltrate and exploit financial systems for potential gain.<br><br>The attackers are utilizing AppleScript and ClickFix to carry out their operations on macOS systems. AppleScript is a scripting language used to automate tasks on macOS, and ClickFix is a tool that can be used to bypass security measures. By leveraging these tools, the hackers aim to gain unauthorized access to sensitive financial data.<br><br>The technical approach involves using AppleScript to automate malicious activities and ClickFix to circumvent security protocols. This combination allows the attackers to execute their campaigns with a higher degree of stealth and effectiveness. 
The focus on macOS systems indicates a strategic shift, as these systems are often perceived as more secure.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5d1O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png" width="1323" height="595" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:595,&quot;width&quot;:1323,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:926153,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybermaterial.com/i/188897965?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5d1O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 424w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 848w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1272w, https://substackcdn.com/image/fetch/$s_!5d1O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cb40420-7ed4-4b76-8223-3670c3bd3ec9_1323x595.png 1456w" sizes="100vw"></picture></div></a></figure></div><div><hr></div><p>The impact of these attacks could be significant, potentially leading to financial losses and compromised data integrity for the targeted organizations. The focus on cryptocurrency and blockchain entities suggests an interest in exploiting emerging financial technologies, which are often less regulated and more vulnerable to sophisticated cyber threats.<br><br>Organizations in the affected sectors should prioritize enhancing their cybersecurity frameworks.
This includes implementing robust security protocols, conducting regular system audits, and ensuring that all software is up-to-date. Additionally, staff should be trained to recognize and respond to potential phishing attempts and other social engineering tactics that may be used in conjunction with these technical attacks.</p><p><strong>Source</strong>:  https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/ </p>]]></content:encoded></item></channel></rss>