Information Stealer | Breaking Cybersecurity News | The Hacker News

Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or TradingView. The downloaded installer comes embedded with a dynamic-link library ("CustomActions.dll") that's responsible for harvesting basic system information using Windows Management Instrumentation (WMI) and setting up persistence on the host via a scheduled task. In an attempt to keep up the ruse, the DLL launches a browser window via " msedge_proxy.exe " that displays the legitimate cryptocurrency trading website. It's worth noting that "msedge_proxy.exe" can be used to display any website as a web application. The scheduled task, in the meanwhile...

The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on February 26, 2025. "The initial infection vector used by the attackers appears to have been an infected removable drive," the Broadcom-owned threat intelligence division said in a report shared with The Hacker News. The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" using "explorer.exe" to initiate a multi-stage infection chain and launch two files. The first file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and...

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming cybercriminal, who, about 10 years ago, fled his hometown in Kharkov, Ukraine, to a new place somewhere near the Romanian coast. The vulnerabilities were credited by Microsoft to a party named "SkorikARI with SkorikARI," which has been assessed to be another username used by EncryptHub. The flaws in question, both of which were fixed by Redmond as part of its Patch Tuesday update last month, are below - CVE-2025-24061 (CVSS score: 7.8) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2025-24071 (CVSS score: 6.5) - Microsoft Windo...

The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant. Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon). "However, Angry Likho's attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors," the Russian company said . It's suspected that the threat actors are likely native Russian speakers given the use of fluent Russian in the bait files used to trigger the infection chain. Last month, cybersecurity company F6 (formerly F.A.C.C.T.) described it as a "pro-Ukrainian cyberspy group." The attackers have been found...

Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub . The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets and a crack tool to play the Valorant game," the Russian cybersecurity vendor said. "All of this alleged project functionality was fake, and cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard." The malicious activity has facilitated the theft of 5 bitcoins, approximately worth $456,600 as of writing. It's believed the campaign has been ongoing for at least two years, when some of the fake projects were published. A majority of the infection attempts...

Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report for Q3 2024 shared with The Hacker News. The starting point is a phishing email that masquerades as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft Excel documents, that, when opened, exploits a known security flaw in Equation Editor ( CVE-2017-11882 ) to download a VBScript file. The script, for its part, is designed to decode and run a PowerShell script that retrieves an image hosted on archive[.]org and extracts a Base64-encoded code, which is subsequently decoded into a .NET executable and executed. The .NET executable ser...

Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds . "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily 'ad impressions' [in the last ten days] and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News. The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and others to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information st...

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...

Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware strain is highly prevalent across North America, South America, Europe, Asia, and even Australia." Details about the campaign were first documented by OALabs in March 2024, in which users were lured into downloading a malware loader written in Lua by exploiting a quirk in GitHub to stage malicious payloads. McAfee Labs, in a subsequent analysis , detailed threat actors' use of the same technique to deliver a variant of the RedLine information stealer by hosting the malware-bearing ZIP archives within legitimate Microsoft repositories. "We disabled user accounts an...

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida . Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files. "Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said . "The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide." The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortc...

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer. The PowerShell script ("bypass.ps1" or "u.ps1") is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker. The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it's running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate da...

Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader , which then deploys an information stealer known as Vidar Stealer . "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security researcher Ale Houspanossian said in a Monday analysis. "When unsuspecting victims extracted and executed a 'Setup.exe' binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module." The starting point is a RAR archive file that contains an executable name "Setup.exe," but in reality is a copy of Cisco Webex Meetings's ptService module. What makes the campaign noteworthy is the use of DLL side-loading techniques to stealthily launch Hijack Loader (aka DOI...

A newer version of a malware loader called  Hijack Loader  has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. "These enhancements aim to increase the malware's stealthiness, thereby remaining undetected for longer periods of time," Zscaler ThreatLabz researcher Muhammed Irfan V A  said  in a technical report. "Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing." Hijack Loader, also called IDAT Loader, is a malware loader that was  first documented  by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families. This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Racoon Stealer V2, Remcos RAT, ...

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name  DEV#POPPER , linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said . "The software contained a malicious Node JS payload that, once executed, compromised the developer's system." Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed  Contagious Interview  in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and Invisib...

Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as  StrelaStealer . The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today. "These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer's DLL payload," researchers Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri said . "In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns." First disclosed in November 2022, StrelaStealer is  equipped  to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server. Since then, two large-scale campaigns involving the ma...

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called  AZORult  in order to facilitate information theft. "It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara  said  in a report published last week. The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for selling them in underground forums. AZORult, also called PuffStealer and Ruzalto, is an  information stealer  first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising. Once installed, it's capable of g...