A naukri.com initiative
Malware News
Arstechnica
1d
353
Image Credit: Arstechnica
Ransomware kingpin “Stern” apparently IDed by German law enforcement
- German law enforcement has identified the leader of the Russian cybercrime cartel Trickbot known as 'Stern'.
- The leader, using the name 'Stern', orchestrated attacks on thousands of victims including hospitals and schools over roughly six years.
- The real-world name of the cybercriminal leader 'Stern' is identified as Vitaly Nikolaevich Kovalev, a 36-year-old Russian man.
- Germany has issued an Interpol red notice for Kovalev, who is believed to be in Russia, for allegedly leading a criminal organization.
Read Full Article
21 Likes
Dynamicbusiness
3d
23
Image Credit: Dynamicbusiness
Ransomware reporting rules begin in June: 5 CEO questions answered
- Australia's new Ransomware Payment Reporting Rules will become effective from May 30, 2025, requiring businesses to report ransom payments within 72 hours of a cyberattack.
- CEOs are advised to be prepared for ransomware attacks by understanding reporting requirements, considering the implications of paying a ransom, and establishing communication plans and protocols.
- Preparedness for ransomware attacks is crucial, including clear identification of responsible parties, backup protocols, and a proactive approach to cybersecurity strategy.
- CEO questions regarding ransomware reporting rules include considerations about the necessity of reporting, implications of paying a ransom, response strategies during an attack, and the balance between transparency and potential consequences of reporting.
Read Full Article
1 Like
Securelist
5d
93
Image Credit: Securelist
Zanubis in motion: Tracing the active evolution of the Android banking malware
- Zanubis is a banking Trojan for Android that targeted banks, virtual cards, and crypto wallets in Peru, utilizing the accessibility permissions to steal banking data and credentials.
- The malware evolved in functionality and obfuscation methods, continuously refining its code, encryption algorithms, and social engineering tactics for a broader impact.
- Initially targeting financial institutions in Peru, Zanubis expanded its reach and capabilities over time, including overlay-based attacks and data exfiltration.
- New versions of Zanubis introduced significant obfuscation techniques, such as Obfuscapk, and integrated features like keylogging, screen recording, SMS interception, and fake system update blocks.
- In 2024, newer variants of Zanubis focused on reinforcing encryption, stealing device credentials, and expanding its target list to include virtual card providers and cryptocurrency wallets.
- 2025 saw further updates with new distribution tactics, deceptive strategies, silent installations, and a refined focus on targeting banks and financial institutions exclusively.
- Attributed to threat actors possibly based in Peru, Zanubis continues to pose a significant threat, emphasizing the importance of vigilance and awareness in combating evolving malware.
- The malware's continuous evolution and adaptability highlight the need for proactive measures to mitigate risks and safeguard against sophisticated cyber threats.
- Users and organizations are urged to stay informed, implement robust security measures, and remain vigilant in the face of evolving malware threats like Zanubis.
Read Full Article
5 Likes
Securityaffairs
5d
4
Image Credit: Securityaffairs
DragonForce operator chained SimpleHelp flaws to target an MSP and its customers
- Sophos reports that a DragonForce ransomware operator exploited three vulnerabilities in SimpleHelp software to target a managed service provider.
- The vulnerabilities in SimpleHelp software (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) allowed attackers to gain initial access and carry out various malicious activities.
- These vulnerabilities enabled unauthorized downloading and uploading of files, remote code execution, and privilege escalation, posing a serious security risk to customer machines.
- Arctic Wolf observed a campaign targeting SimpleHelp servers utilizing the disclosed vulnerabilities. Sophos identified an attacker using a legitimate SimpleHelp tool from an MSP to access client networks and extract sensitive information.
Read Full Article
Like
TechJuice
6d
168
Image Credit: TechJuice
Katz Stealer Malware Targets Major Web Browsers, Crypto Wallets
- Katz Stealer malware is targeting popular web browsers like Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox to steal sensitive data including login credentials and cryptocurrency wallet information.
- The malware uses a multi-stage infection method involving obfuscated JavaScript code, PowerShell scripts, and a .NET-based loader payload to evade detection and inject itself into legitimate processes.
- Katz Stealer employs evasion tactics like geofencing, virtual machine detection, and sandbox evasion to avoid detection, while also exploiting Windows tools to elevate its capabilities without user intervention.
- The malware can exfiltrate data from various applications and platforms such as cryptocurrency wallets, communication platforms, email clients, gaming platforms, VPN setups, and FTP clients, showcasing its versatility and extensive threat scope.
Read Full Article
10 Likes
Securityaffairs
6d
210
Image Credit: Securityaffairs
Marlboro-Chesterfield Pathology data breach impacted 235,911 individuals
- SafePay ransomware attacked Marlboro-Chesterfield Pathology, compromising personal data of 235,000 individuals.
- The breach occurred on January 16, 2025, leading to the unauthorized access of internal systems.
- Stolen information included names, addresses, birth dates, medical treatment details, and health insurance data.
- Marlboro-Chesterfield Pathology notified the US Department of Health and Human Services about the breach affecting 235,911 people.
Read Full Article
12 Likes
Silicon
7d
53
Image Credit: Silicon
UK, US Police Target Ransomware Gangs In Latest Action
- Law enforcement authorities in the UK, the US, and five other countries collaborated in a Europol-coordinated action targeting ransomware gangs.
- The action resulted in the takedown of 300 servers, seizure of 650 internet domains, and 3.5 million euros in cryptocurrency.
- Notorious malware strains like Trickbot and Danabot were neutralized, along with other malware such as Bumblebee, Lactrodectus, Qakbot, Hijackloader, and Warmcookie.
- Authorities issued international arrest warrants against 20 key actors providing or operating initial access services to ransomware gangs, with many suspects being Russian citizens or Russian-language speakers.
Read Full Article
3 Likes
Silicon
4h
34
Image Credit: Silicon
Victoria’s Secret, Adidas Hit By Cyber-Attacks
- Victoria's Secret and Adidas were hit by cyber-attacks, affecting their online and in-store services.
- Victoria's Secret paused online orders and some in-store services after a security incident, while Adidas reported stolen customer contact information from a third-party provider.
- Recent incidents of cyber-attacks also impacted British retailers like Marks & Spencer and the Co-op Group in late April.
- UK authorities are investigating potential connections to a hacking group called Scattered Spider, which has a history of targeting companies in various sectors using social engineering techniques.
Read Full Article
2 Likes
Securityaffairs
4d
270
Image Credit: Securityaffairs
China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware
- China-linked group APT41 used Google Calendar as a command-and-control (C2) channel to control its TOUGHPROGRESS malware, targeting government entities through a compromised website.
- APT41 used spear phishing emails with a ZIP file hosted on a hacked government site to distribute the TOUGHPROGRESS malware, which operates in three stealthy stages with advanced evasion tactics.
- TOUGHPROGRESS decrypts and runs stages in memory, uses process hollowing for injection, and communicates with operators through Google Calendar to exfiltrate data and receive commands.
- Google has developed custom fingerprints to disrupt APT41 and TOUGHPROGRESS malware, terminated attacker-controlled projects, updated file detections, and shared threat intel with affected organizations.
Read Full Article
16 Likes
Securityaffairs
4d
60
Image Credit: Securityaffairs
New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
- GreyNoise researchers discovered the AyySSHush botnet compromising over 9,000 ASUS routers by adding a persistent SSH backdoor.
- The attackers used stealthy tactics like auth bypasses and abusing legit settings to avoid detection, gaining durable control over the routers.
- GreyNoise identified an ongoing exploitation campaign targeting specific ASUS router models, ensuring persistent backdoor access through firmware updates.
- Nearly 9,000 ASUS routers have been compromised, with only 30 related requests observed over three months, indicating the stealthiness of the campaign.
Read Full Article
3 Likes
Dev
4d
330
Image Credit: Dev
The Trojan Horse Job Offer - How a Hacked LinkedIn Profile & Stolen Project Delivered Malware
- A hacked LinkedIn account led to a job offer for a Web3 role, with malware delivered through a GitHub repo with Node.js backend.
- The malware aimed to scan for sensitive data, steal clipboard content, and install a remote shell backdoor.
- The recruiter claimed their account was hacked later, emphasizing the need to verify all sources.
- The LinkedIn profile appeared legitimate, gradually building trust before sharing the malicious GitHub repository.
- The repository contained a React frontend and a Node.js backend with obfuscated malware in bootstrap.js.
- The malware fetched and executed code from a remote server, with capabilities like file scanning, data theft, and installing backdoors.
- The attackers used stolen concepts to add credibility to the scam, promoting a fake project akin to a real one.
- The experience highlights the importance of isolating unknown code, scrutinizing dynamic code execution, and trusting instincts.
- Developers are advised to use virtual machines, verify sources thoroughly, and have emergency protocols in case of suspected compromise.
- This incident serves as a reminder to stay cautious in the face of sophisticated malware attempts leveraging seemingly trustworthy platforms.
Read Full Article
19 Likes
Siliconangle
4d
114
Image Credit: Siliconangle
Delinea report finds 69% of firms hit by ransomware last year
- 69% of organizations faced ransomware breaches last year with recovery time stretching to two weeks, according to a report by Delinea Inc.
- U.S. breach rates climbed from 53% in 2023 to 71% in 2024, with over a quarter of firms targeted multiple times by ransomware.
- Fewer U.S. firms paid ransoms in 2024 (57%) compared to 2023 (76%), but payment does not guarantee success in retrieving all data.
- Only 18% of victims fully restored operations within 24 hours, while three-quarters took up to two weeks to recover fully, indicating the operational disruptions post-ransomware attacks.
Read Full Article
6 Likes
Securityaffairs
5d
48
Image Credit: Securityaffairs
Crooks use a fake antivirus site to spread Venom RAT and a mix of malware
- A fake Bitdefender website has been discovered spreading the Venom RAT by deceiving users into downloading it as antivirus software.
- Researchers found a malicious campaign using the fake website to distribute Venom RAT, a Remote Access Trojan (RAT) designed for password theft and stealthy access.
- Upon clicking the fake download button, users are redirected to an Amazon S3 link to download a ZIP file containing the VenomRAT malware.
- VenomRAT, a fork of the Quasar RAT, supports remote control, credential theft, keylogging, and data exfiltration, with attackers aiming for financial gain and persistent system control.
Read Full Article
2 Likes
Securityaffairs
5d
110
Image Credit: Securityaffairs
Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks
- Iranian national Sina Gholinejad pleaded guilty to his role in a Robbinhood ransomware scheme that caused over $19 million in damages to Baltimore.
- The ransomware attack disrupted key services like billing and citations in cities like Baltimore and Greenville.
- Gholinejad and his co-conspirators utilized sophisticated methods like using VPNs and crypto mixers to demand Bitcoin ransoms and launder payments.
- Gholinejad faces up to 30 years in prison for computer and wire fraud conspiracy, with sentencing scheduled for August.
Read Full Article
6 Likes
Securityaffairs
7d
274
Image Credit: Securityaffairs
China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
- China-linked APT group exploits two Ivanti EPMM flaws, CVE-2025-4427 and CVE-2025-4428, to target organizations in Europe, North America, and Asia-Pacific.
- The flaws include an authentication bypass and a remote code execution vulnerability, allowing attackers to access protected resources and execute arbitrary code.
- Ivanti has released updates addressing the vulnerabilities after threat actors actively exploited them to achieve remote code execution without authentication.
- The attacks are linked to China-linked group UNC5221, which targeted critical sectors and used techniques like Java Reflection and KrustyLoader malware for espionage campaigns.
Read Full Article
16 Likes
For uninterrupted reading, download the app