Chrome 146 Ships Device-Bound Sessions to Kill Cookie Theft
Google's DBSC ties authentication cookies to hardware TPM chips, making stolen sessions worthless. Chrome 146 for Windows now protects against infostealer attacks.
Track the latest ransomware attacks, malware campaigns, and threat actor activity. Analysis of ransomware gangs, decryption tools, and defense strategies.
ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.
Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.
Attackers compromised CPUID's website API for six hours, redirecting CPU-Z and HWMonitor downloads to trojanized installers that steal browser credentials using advanced evasion techniques.
Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.
Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.
Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.
Over 1,000 exposed ComfyUI instances targeted by cryptomining campaign. Attackers exploit custom nodes for RCE, deploy XMRig and Hysteria V2 botnet with persistence.
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.
Brazilian threat actor Augmented Marauder targets Latin America and Europe with Casbaneiro banking trojan, using dynamically generated court summons PDFs and Horabot for worm-like propagation.
Microsoft Defender Experts identify multi-stage malware campaign using WhatsApp messages to deliver VBS scripts that bypass UAC and establish persistent Windows backdoors.
Security researchers expose KadNap malware targeting ASUS routers to build a criminal proxy network. 60% of infected devices located in the US, linked to Doppelganger service.
Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.
Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.
Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.
Die Linke confirms Qilin stole internal data and employee info from party headquarters. Officials suggest attack may be politically motivated hybrid warfare.
McAfee discovered NoVoice malware hiding in 50+ Google Play apps, using 22 exploits to root devices and clone WhatsApp sessions. Factory reset won't remove it.
New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.
Kaspersky exposes CrystalX RAT, a new malware-as-a-service combining stealer, RAT, and prankware. It rotates screens, swaps mouse buttons, and drains crypto via clipboard hijacking.
New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.
Toy giant Hasbro filed an SEC 8-K disclosing unauthorized network access discovered March 28. Systems remain offline with recovery expected to take weeks.
New DeepLoad malware combines ClickFix delivery with AI-generated obfuscation to bypass security scanners. WMI persistence survives remediation for days.
Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.
Attackers compromised the Axios npm package to deploy a cross-platform RAT targeting Windows, macOS, and Linux. Here's what happened and what you need to do.
Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.
TeamPCP compromised the popular telnyx Python SDK on PyPI, hiding credential-stealing malware inside WAV audio files. Versions 4.87.1 and 4.87.2 affected—downgrade immediately.
Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.
Attackers are posting thousands of fake Visual Studio Code vulnerability alerts in GitHub Discussions, using fabricated CVEs and urgent language to trick developers into downloading malware.
A new macOS infostealer combines ClickFix social engineering with Nuitka-compiled Python to evade detection. First documented campaign pairing these techniques.
Armenian national Hambardzum Minasyan extradited to face charges for developing RedLine malware infrastructure. Follows 2024 international takedown operation.
A new payment skimmer uses WebRTC data channels instead of HTTP to exfiltrate stolen card data, bypassing Content Security Policy controls on Magento stores.
Aleksei Volkov sentenced to nearly 7 years for selling network access to ransomware gangs. Facilitated dozens of attacks causing over $9 million in losses to US organizations.
Fake copyright infringement notices target healthcare and government organizations in Germany and Canada with fileless PureLog Stealer malware. Campaign uses language-matched lures.
New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.
Stolen CI credentials from the Trivy breach enabled TeamPCP to compromise Checkmarx KICS GitHub Actions, poisoning all 35 version tags with credential-stealing malware in a four-hour window.
Malicious LiteLLM versions 1.82.7 and 1.82.8 deployed credential harvester, Kubernetes lateral movement tools, and persistent backdoor. Package sees 3 million daily downloads.
Hackers infected a contractor's device to steal Okta credentials, then pivoted to Crunchyroll's Zendesk. Support ticket data for 6.8 million subscribers extracted.
TeamPCP's supply chain attack expands with a Kubernetes wiper that detects Iranian systems via timezone and locale, wiping clusters while backdooring everyone else.
Unit 42 uncovers phishing campaign distributing trojanized Israeli civil defense app. Malicious APK harvests location data, contacts, and messages from Android devices amid regional tensions.
VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.
TeamPCP threat actors hijacked Aqua Security's Trivy vulnerability scanner, compromising 75 GitHub Action tags and spreading credential-stealing malware to 47 npm packages via blockchain C2.
New infostealer parasitizes legitimate document security software, exfiltrating data through trusted server infrastructure. Targets include Dongfeng-27 ballistic missile documents.
GlassWorm campaign expands across Open VSX, npm, and GitHub with invisible Unicode payloads and Solana-based C2. Developers urged to audit dependencies immediately.
Pakistan-linked APT36 uses LLM coding tools to mass-produce malware variants in Nim, Zig, and Crystal, targeting Indian government and embassies.
Multiple threat actors deploy DarkSword, a six-CVE iOS exploit chain stealing crypto wallets, credentials, and messages from millions of vulnerable iPhones.
Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.
LeakNet ransomware now uses ClickFix social engineering via hacked websites and a Deno-based in-memory loader to evade detection. Here's how the attack chain works.
GTA 6 developer Rockstar Games confirms third-party breach after ShinyHunters stole Snowflake credentials through Anodot. Ransom deadline set for April 14.
AI startup Mercor confirms breach via LiteLLM supply chain attack. Lapsus$ claims 4TB stolen including candidate data, source code, and API keys. Meta pauses contracts.
ShinyHunters compromised SaaS analytics provider Anodot, using stolen authentication tokens to access and exfiltrate data from dozens of Snowflake customers.
Ransomware remains one of the most damaging cyber threats facing organizations today. Our coverage tracks active ransomware gangs, new malware variants, attack campaigns, and the evolving tactics used by threat actors.
We analyze ransomware-as-a-service (RaaS) operations, infostealer malware, banking trojans, and nation-state malware campaigns. Each article includes indicators of compromise (IOCs), MITRE ATT&CK mappings, and practical defense recommendations.
New to ransomware? Read our comprehensive guide: What is Ransomware? For broader malware education, see What is Malware?