RedHook Android RAT Weaponizes Wireless ADB for Shell Access
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
237 articles
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
Attackers hijacked the jscrambler npm package to deploy a cross-platform Rust infostealer that harvests credentials from AI coding assistants, cloud platforms, and crypto wallets.
China-based threat actor Lurking Lizard operates 230+ lookalike domains serving trojanized 7-Zip installers and the WireVPN app to recruit victims into a residential proxy botnet without consent.
Unit 42 uncovers Node.js-based RAT using Ethereum smart contracts for C2. Attackers impersonate IT staff on Teams calls to install remote access tools before deploying EtherRAT.
Symantec exposes GodDamn ransomware's BYOVD attack using Microsoft-signed PoisonX kernel driver to blind EDR tools. Here's how Hyadina's latest variant works and what defenders should watch for.
17 malicious packages masquerading as payment processor SDKs exfiltrate API keys, AWS credentials, and GitHub tokens from developer environments. Packages flagged within 6 minutes of upload.
Technical analysis reveals Everest ransomware wakes sleeping machines via ARP cache parsing before encryption. ConfuserEx obfuscation and deceptive crypto declarations complicate response.
Malicious Python PoC repositories on GitHub deliver ChocoPoC RAT to security researchers. The trojan steals credentials and provides remote access via Mapbox dead drops.
Kaspersky uncovers Umbrij, a .NET tool used by APT group ToddyCat to steal Gmail OAuth tokens through browser remote debugging—no credentials needed.
Group-IB tracks Y2K Operators distributing upgraded Millennium RAT through game cheats and cracked software. Telegram serves as C2 channel.
New infostealer campaign abuses EdgeUpdate and GoogleUpdater binaries through DLL sideloading to target Mexican businesses. Invoice-themed lures deliver credential theft malware.
New modular malware framework Avalon combines credential theft, lateral movement, and CrownX ransomware in one package. AI-assisted development suspected.
Malwarebytes documents a new loader that abuses a legitimate driver to terminate EDR processes, then uses process hollowing to inject the StealC infostealer through fake Google and Cloudflare verification pages.
Jamf Threat Labs uncovers a macOS infostealer that impersonates the Maccy clipboard manager, validates credentials through PAM, then harvests browser data, crypto wallets, and iCloud Keychain.
Check Point Research reveals InfernoGrabber, an AI-generated ransomware that encrypts files through Chrome's File System Access API without installing malware or exploiting any vulnerability.
The Blackfield ransomware gang claims a breach at Nidec Corporation, demanding $2 million to prevent data leakage. This marks Nidec's second ransomware incident in two years.
BabaDeda, Lorem Ipsum, and Potemkin loaders emerge from ClickFix social engineering attacks, deploying infostealers and linking to Rhysida ransomware operations.
18 compromised packages hide execution in VS Code folder-open tasks, fetch encrypted payloads from blockchain transactions, and deploy Python infostealers.
Microsoft Threat Intelligence tracks active campaign deploying TonRAT malware against hospitality sector in Europe and Asia via fake guest complaint emails.
SentinelOne discovers Gaslight, a Rust-based macOS backdoor embedding 38 fake system messages designed to crash or confuse AI-powered malware analysis tools.
A malicious Edge extension abuses Chrome's Native Messaging protocol to deploy a Python backdoor with full system access, linked to Payouts King ransomware operations.
Symantec links the stealthy Mistic backdoor to KongTuke, an initial access broker supplying corporate network access to major ransomware gangs.
Three malicious packages impersonating PostCSS tools deploy a multi-stage Windows RAT. The payload steals saved passwords by bypassing Chrome's app-bound encryption.
Attackers hijacked orphaned AUR packages to push malicious npm payloads. The rootkit hides processes at kernel level while the stealer exfiltrates developer credentials.
Unit 42 uncovers ClickFix campaign using hdiutil -nobrowse to silently mount disk images on macOS. Victims never see the DMG—just Atomic Stealer harvesting credentials.
Kaspersky uncovers a multi-country malware campaign using WhatsApp to distribute VBScript files that install ManageEngine remote access tools. Malaysia accounts for 80% of victims.
A previously undocumented botnet exploits 13-year-old D-Link flaws to build a distributed proxy network. South Korea and China account for 80% of infections.
Prinz Eugen ransomware prioritizes recently modified files for encryption, maximizing business disruption. Learn how this Go-based threat works and who's at risk.
ESET unmasks GentleKiller, an 8-variant EDR killer framework targeting 400+ security processes. The gang ships updates to affiliates like a software vendor.
Microsoft warns of CryptoBandits campaign spreading clipboard-hijacking malware through USB drives. The worm uses Tor C2, steals seed phrases, and replaces wallet addresses mid-transaction.
Malicious JetBrains IDE plugins disguised as AI coding assistants exfiltrated OpenAI and DeepSeek API keys from developers. All 15 plugins have been removed and publisher accounts terminated.
144 packages in the Mastra AI framework compromised via hijacked maintainer account. The malicious easy-day-js dependency deploys a crypto-stealing RAT affecting 1.1M weekly downloads.
Kaspersky uncovers malware campaign using Wallpaper Engine's Steam Workshop to distribute DarkKomet, Lumma, and Vidar. China-focused attacks stole Steam accounts and deployed cryptominers.
North Korean hackers impersonate Microsoft Account security notifications to deliver NarwhalRAT, a Python-based RAT with keylogging, screen capture, and cloud-based C2.
China-linked FishMonger APT expands its Linux-only SprySOCKS backdoor to Windows with WIN_DRV and WIN_PLUS variants featuring kernel drivers and Print Spooler abuse.
Socket researchers expose a coordinated network of 152 Chrome 'live wallpaper' extensions stealing user data and generating fake Google organic search traffic.
Cybercriminals are using TikTok and Instagram Reels videos to distribute Vidar malware through fake software tutorials. One campaign accumulated over 100,000 views promoting 'free Spotify Premium' hacks.
Qilin's affiliate network hit healthcare, manufacturing, and critical infrastructure across nine countries in early June. The gang maintains 12-month dominance.
Attackers adopted orphaned AUR packages to push credential-stealing malware with kernel-level rootkit capabilities. Here's what Arch users need to do now.
BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. Targets browsers, crypto wallets, password managers with DLL sideloading delivery that bypasses VirusTotal detection.
Attackers exploited CVE-2026-26980 SQL injection in Ghost CMS to compromise 700+ websites including Harvard and Oxford, deploying ClickFix social engineering malware through fake CAPTCHA prompts.
Self-replicating Miasma malware compromises 73 Microsoft repositories across Azure, Microsoft, and MicrosoftDocs orgs. GitHub disables access as durabletask package gets reinfected.
GoDaddy researchers uncover campaign infecting 2,000 WordPress sites with malware that extracts commands from invisible Unicode characters in Steam Community comments.
Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.
Unit 42 uncovers FlutterShell backdoor campaign targeting macOS users through Google-verified shell companies. Malware evades detection via WebView architecture and Apple notarization.
Fortinet exposes C0xmo, a modular Gafgyt variant exploiting CVE-2021-27137 in DD-WRT routers to recruit IoT devices for DDoS attacks while killing rival malware.
Sophos discovered a cryptocurrency miner bundled with Hola Browser for Windows. The malware creates a Windows service, adds Defender exclusions, and mines when idle.
New Magecart campaign stores payment card skimmer payloads in Stripe customer metadata, then exfiltrates stolen cards as fake customer records. CSP rules won't help.