Malware

Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.

Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.

Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.

Over 1,000 exposed ComfyUI instances targeted by cryptomining campaign. Attackers exploit custom nodes for RCE, deploy XMRig and Hysteria V2 botnet with persistence.

Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.

Brazilian threat actor Augmented Marauder targets Latin America and Europe with Casbaneiro banking trojan, using dynamically generated court summons PDFs and Horabot for worm-like propagation.

Microsoft Defender Experts identify multi-stage malware campaign using WhatsApp messages to deliver VBS scripts that bypass UAC and establish persistent Windows backdoors.

Security researchers expose KadNap malware targeting ASUS routers to build a criminal proxy network. 60% of infected devices located in the US, linked to Doppelganger service.

Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.

Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.

Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.

McAfee discovered NoVoice malware hiding in 50+ Google Play apps, using 22 exploits to root devices and clone WhatsApp sessions. Factory reset won't remove it.

New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.

Kaspersky exposes CrystalX RAT, a new malware-as-a-service combining stealer, RAT, and prankware. It rotates screens, swaps mouse buttons, and drains crypto via clipboard hijacking.

New DeepLoad malware combines ClickFix delivery with AI-generated obfuscation to bypass security scanners. WMI persistence survives remediation for days.

Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.

Attackers compromised the Axios npm package to deploy a cross-platform RAT targeting Windows, macOS, and Linux. Here's what happened and what you need to do.

TeamPCP compromised the popular telnyx Python SDK on PyPI, hiding credential-stealing malware inside WAV audio files. Versions 4.87.1 and 4.87.2 affected—downgrade immediately.

Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.

Attackers are posting thousands of fake Visual Studio Code vulnerability alerts in GitHub Discussions, using fabricated CVEs and urgent language to trick developers into downloading malware.

A new macOS infostealer combines ClickFix social engineering with Nuitka-compiled Python to evade detection. First documented campaign pairing these techniques.

A new payment skimmer uses WebRTC data channels instead of HTTP to exfiltrate stolen card data, bypassing Content Security Policy controls on Magento stores.

Fake copyright infringement notices target healthcare and government organizations in Germany and Canada with fileless PureLog Stealer malware. Campaign uses language-matched lures.

New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.

Stolen CI credentials from Trivy breach enabled TeamPCP to compromise Checkmarx KICS GitHub Actions, poisoning all 35 version tags with credential-stealing malware in four-hour window.

Malicious LiteLLM versions 1.82.7 and 1.82.8 deployed credential harvester, Kubernetes lateral movement tools, and persistent backdoor. Package sees 3 million daily downloads.

TeamPCP's supply chain attack expands with a Kubernetes wiper that detects Iranian systems via timezone and locale, wiping clusters while backdooring everyone else.

VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.

TeamPCP threat actors hijacked Aqua Security's Trivy vulnerability scanner, compromising 75 GitHub Action tags and spreading credential-stealing malware to 47 npm packages via blockchain C2.

New infostealer parasitizes legitimate document security software, exfiltrating data through trusted server infrastructure. Targets include Dongfeng-27 ballistic missile documents.

GlassWorm campaign expands across Open VSX, npm, and GitHub with invisible Unicode payloads and Solana-based C2. Developers urged to audit dependencies immediately.

Multiple threat actors deploy DarkSword, a six-CVE iOS exploit chain stealing crypto wallets, credentials, and messages from millions of vulnerable iPhones.

Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.

LeakNet ransomware now uses ClickFix social engineering via hacked websites and a Deno-based in-memory loader to evade detection. Here's how the attack chain works.

Iran-linked hackers wiped tens of thousands of Stryker devices using Microsoft Intune's remote wipe feature. Here's what security teams should learn.

Three ClickFix campaigns target macOS users with MacSync infostealer disguised as ChatGPT and AI coding tools. Latest variant adds in-memory execution to evade detection.

Global campaign hijacks WordPress sites in 12 countries to serve fake Cloudflare CAPTCHAs that deploy Vidar, VodkaStealer, and other credential theft malware.

Russian-linked AuraStealer infostealer uses TikTok videos and 48 C2 domains to steal credentials. ABE bypass defeats Chrome's cookie encryption.

Storm-1811 actors flood inboxes with spam, then call via Microsoft Teams posing as IT support. Quick Assist grants access for A0Backdoor deployment.

GlassWorm supply chain attack spreads via 72 Open VSX extensions using invisible Unicode obfuscation. Targets crypto wallets, API tokens, and CI/CD pipelines.

Attackers compromised AppsFlyer's domain registrar to inject crypto-stealing JavaScript into their Web SDK. The malware swaps wallet addresses for Bitcoin, Ethereum, Solana, and more.

IBM X-Force discovers Hive0163 using LLM-generated Slopoly malware in Interlock ransomware attacks, marking a shift in how threat actors weaponize AI to accelerate malware development.

New Android trojan BeatBanker mines Monero while stealing banking credentials. Spreads via fake Starlink and government apps in Brazil.

New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.

Researchers discovered five packages on crates.io masquerading as time utilities while exfiltrating developer credentials and API keys to attacker infrastructure.