#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

Information Stealer | Breaking Cybersecurity News | The Hacker News

Category — Information Stealer
Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer

Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer

Jan 16, 2025 Malware / Ransomware
Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report for Q3 2024 shared with The Hacker News. The starting point is a phishing email that masquerades as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft Excel documents, that, when opened, exploits a known security flaw in Equation Editor ( CVE-2017-11882 ) to download a VBScript file. The script, for its part, is designed to decode and run a PowerShell script that retrieves an image hosted on archive[.]org and extracts a Base64-encoded code, which is subsequently decoded into a .NET executable and executed. The .NET executable ser...
DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages

DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages

Dec 16, 2024 Malvertising / Threat Intelligence
Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds . "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily 'ad impressions' [in the last ten days] and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News. The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and others to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information st...
Watch Out For These 8 Cloud Security Shifts in 2025

Watch Out For These 8 Cloud Security Shifts in 2025

Feb 04, 2025Threat Detection / Cloud Security
As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving realities, including the increasing reliance on cloud infrastructure for AI-driven workflows and the vast quantities of data being migrated to the cloud. But there are other developments that could impact your organizations and drive the need for an even more robust security strategy. Let's take a look… #1: Increased Threat Landscape Encourages Market Consolidation Cyberattacks targeting cloud environments are becoming more sophisticated, emphasizing the need for security solutions that go beyond detection. Organizations will need proactive defense mechanisms to prevent risks from reaching production. Because of this need, the market will favor vendors offering comprehensive, end-to-end security platforms that streamline risk mitigation and enhance operational efficiency. #2: Cloud Security Unifies with SOC Priorities Security operations centers (SOC) and cloud security functions are c...
Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Oct 15, 2024 Threat Detection / Malware
Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...
cyber security

Webinar: 5 Ways New AI Agents Can Automate Identity Attacks | Register Now

websitePush SecurityAI Agents / Identity Security
Watch how Computer-Using Agents can be used by attackers to automate account takeover and exploitation.
Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

Oct 08, 2024 Malware / Cybercrime
Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware strain is highly prevalent across North America, South America, Europe, Asia, and even Australia." Details about the campaign were first documented by OALabs in March 2024, in which users were lured into downloading a malware loader written in Lua by exploiting a quirk in GitHub to stage malicious payloads. McAfee Labs, in a subsequent analysis , detailed threat actors' use of the same technique to deliver a variant of the RedLine information stealer by hosting the malware-bearing ZIP archives within legitimate Microsoft repositories. "We disabled user accounts an...
Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Jul 16, 2024 Data Security / Vulnerability
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida . Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files. "Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said . "The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide." The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortc...
New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

Jun 20, 2024 Threat Intelligence / Cybercrime
A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer. The PowerShell script ("bypass.ps1" or "u.ps1") is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker. The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it's running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate da...
Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer

Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer

Jun 18, 2024 Malware / Cybercrime
Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader , which then deploys an information stealer known as Vidar Stealer . "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security researcher Ale Houspanossian said in a Monday analysis. "When unsuspecting victims extracted and executed a 'Setup.exe' binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module." The starting point is a RAR archive file that contains an executable name "Setup.exe," but in reality is a copy of Cisco Webex Meetings's ptService module. What makes the campaign noteworthy is the use of DLL side-loading techniques to stealthily launch Hijack Loader (aka DOI...
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

May 08, 2024 Encryption / Information Stealer
A newer version of a malware loader called  Hijack Loader  has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. "These enhancements aim to increase the malware's stealthiness, thereby remaining undetected for longer periods of time," Zscaler ThreatLabz researcher Muhammed Irfan V A  said  in a technical report. "Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing." Hijack Loader, also called IDAT Loader, is a malware loader that was  first documented  by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families. This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Racoon Stealer V2, Remcos RAT, ...
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

Apr 27, 2024 Malware / Software Security
An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name  DEV#POPPER , linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said . "The software contained a malicious Node JS payload that, once executed, compromised the developer's system." Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed  Contagious Interview  in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and Invisib...
New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.

New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.

Mar 22, 2024 Email Security / Threat Intelligence
Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as  StrelaStealer . The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today. "These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer's DLL payload," researchers Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri said . "In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns." First disclosed in November 2022, StrelaStealer is  equipped  to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server. Since then, two large-scale campaigns involving the ma...
Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Mar 18, 2024 Cryptocurrency / Malspam
Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called  AZORult  in order to facilitate information theft. "It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara  said  in a report published last week. The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for selling them in underground forums. AZORult, also called PuffStealer and Ruzalto, is an  information stealer  first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising. Once installed, it's capable of g...
Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

Mar 16, 2024 Malware / Cybercrime
Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro. The campaign, codenamed  gitgub , includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary. "The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company  said . "Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency." The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file - andreastanaj/AVAST andreastanaj...
New Python-Based Snake Info Stealer Spreading Through Facebook Messages

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Mar 07, 2024 Vulnerability / Information Stealer
Facebook messages are being used by threat actors to distribute a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino  said  in a technical report. Details about the campaign  first emerged  on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence. The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository. Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is d...
TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

Feb 28, 2024 Phishing Attack / Malware
Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called  TimbreStealer . Cisco Talos, which  discovered  the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as  Mispadu  in September 2023. Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations. Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also rece...
New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

Dec 12, 2023 Cryptocurrency / Cyber Attack
A phishing campaign has been observed delivering an information stealer malware called  MrAnon Stealer  to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin  said . "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions." There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried. Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash. Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which i...
Expert Insights / Articles Videos
Cybersecurity Resources