Dutch Paint Giant AkzoNobel Hit by Anubis Ransomware
Anubis gang claims 170GB of data including passport scans and client agreements from AkzoNobel's US operations. Company says breach contained.
Track the latest ransomware attacks, malware campaigns, and threat actor activity. Analysis of ransomware gangs, decryption tools, and defense strategies.
Malicious GitHub repositories exploiting Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.
Attacker leverages infostealer-compromised credentials to extort restaurant POS provider HungerRush, sending threatening emails directly to customers demanding response.
Supply chain attack targets PHP developers via fake Laravel utilities containing encrypted RAT payload. The malware gains full access to database credentials and API keys.
Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.
Security researchers uncover 26 malicious npm packages using steganography to hide command infrastructure in computer science essays. Famous Chollima cluster targets developers with RAT.
Ryan Goldberg and Kevin Martin pleaded guilty to deploying ALPHV BlackCat ransomware while working in incident response and negotiation roles. Sentencing set for March 12.
Updated CISA analysis reveals RESURGE implant uses advanced evasion techniques and can persist undetected on Ivanti Connect Secure devices until remote activation.
Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.
Trend Micro finds 2,200+ malicious skills weaponizing AI agents to deploy AMOS. The campaign marks a shift from prompt injection to using AI as a trusted intermediary for malware delivery.
New botnet loader stores encrypted commands in smart contracts on Polygon, making traditional infrastructure takedowns ineffective. Operating costs are under $1 for 100+ commands.
ReversingLabs caught StripeApi.Net typosquatting the official Stripe library. The package processed payments normally while exfiltrating API keys in the background.
North Korean APT37 deploys six new malware tools to breach air-gapped systems using USB drives and cloud C2. Zscaler reveals RESTLEAF, THUMBSBD, and FOOTWINE surveillance capabilities.
Cisco Talos uncovers UAT-10027 deploying Dohdoor malware against American hospitals and schools. The backdoor uses DNS-over-HTTPS to evade detection.
Microsoft uncovers developer-targeting campaign using fake coding assessments to deliver JavaScript backdoors through VS Code automation triggers and Vercel-hosted payloads.
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
Japanese semiconductor test equipment maker Advantest hit by ransomware on Feb 15. Investigation ongoing as company assesses potential data exposure.
Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.
ShinyHunters claims 800,000+ Wynn Resorts employee records including SSNs, salaries, and personal details. The group, which exploited Oracle PeopleSoft, demands 22 Bitcoin by February 23.
Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.
Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.
Banking trojan disguised as IPTV streaming apps targets users in Portugal and Greece, enabling device takeover and credential theft through overlay attacks.
University of Mississippi Medical Center shuts 35 clinics statewide after ransomware attack disables Epic EHR access. FBI investigating as doctors resort to pen and paper for patient care.
ESET discovers PromptSpy, the first Android malware weaponizing Google's Gemini AI to maintain persistence by analyzing UI and generating real-time tap instructions to stay pinned in recent apps.
Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.
SANS ISC analyzes DynoWiper's internals revealing Mersenne Twister seeding, 16-byte overwrite buffers, and directory exclusions. Technical breakdown of Sandworm's latest wiper.
Microsoft warns of ClickFix variant using nslookup commands to stage malware via DNS traffic. Delivers ModeloRAT through fileless attack chain.
Microsoft Defender Experts track expanding infostealer campaigns hitting macOS via ClickFix prompts, malicious DMG installers, and Python-based stealers. DigitStealer, MacSync, and AMOS lead the wave.
Cloud-native worm campaign by TeamPCP has compromised 60,000+ servers by exploiting Docker APIs, Kubernetes, and React2Shell. Flare researchers detail the industrialized operation.
Xavier Mertens discovers 846 images reusing the same Base64 steganography technique to deliver .NET malware via Equation Editor exploits. Here's how defenders can hunt for copycats.
Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.
CTM360 exposes 4,000+ malicious Google Groups delivering Lumma Stealer and Ninja Browser malware. Attackers pose as tech support in forums to bypass network detection.
Microsoft warns of ClickFix variant that deliberately crashes Chrome, then social-engineers victims into running PowerShell. Only domain-joined hosts targeted.
Researchers expose three Chrome extension campaigns stealing Meta Business Suite exports, VK accounts, and AI chatbot conversations from over 760,000 users.
Google's threat intelligence reveals APT groups from China, Iran, North Korea, and Russia using Gemini for recon, malware development, and phishing. Two AI-powered malware families discovered.
Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.
New Linux botnet SSHStalker infected 7,000 cloud servers using brute-force SSH attacks and 2009-era kernel exploits. Uses IRC for command-and-control while apparently staging for future operations.
New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.
Commercial mobile spyware on Telegram offers live surveillance, OTP interception, and crypto theft across Android 5-16 and iOS up to version 26.
BridgePay confirms ransomware attack crippled its payment processing platform, forcing merchants nationwide to cash-only. FBI and Secret Service are investigating.
Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.
The January 2025 ransomware attack on govtech giant Conduent keeps growing: 15.4M people affected in Texas, 10.5M in Oregon, with more states still counting.
Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.
Rapid7 attributes the six-month Notepad++ supply chain compromise to Chinese APT Lotus Blossom, revealing a custom Chrysalis backdoor and three distinct infection chains.
CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.
CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.
Over 1,000 IPs exploit CVE-2025-55182 to inject malicious NGINX configs that redirect web traffic through attacker infrastructure, targeting Asian government and education sites.
Securonix uncovers multi-stage fileless campaign using IPFS-hosted VHD files and process injection into signed Windows binaries to deploy AsyncRAT.
FulcrumSec threat actor exploits React2Shell vulnerability to breach LexisNexis AWS infrastructure, leaking 2GB of customer data including .gov email addresses and federal employee records.
Ransomware remains one of the most damaging cyber threats facing organizations today. Our coverage tracks active ransomware gangs, new malware variants, attack campaigns, and the evolving tactics used by threat actors.
We analyze ransomware-as-a-service (RaaS) operations, infostealer malware, banking trojans, and nation-state malware campaigns. Each article includes indicators of compromise (IOCs), MITRE ATT&CK mappings, and practical defense recommendations.
New to ransomware? Read our comprehensive guide: What is Ransomware? For broader malware education, see What is Malware?