Information Stealers | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors. "The threat actor leverages fear-based lures delivered via phishing emails, designed to pressure recipients into clicking a malicious link," Morphisec Labs researcher Nadav Lorber said in a report shared with The Hacker News. "Once accessed, the link directs the user to download and open a file that triggers the ResolverRAT execution chain." The activity, observed as recently as March 10, 2025, shares infrastructure and delivery mechanism overlap with phishing campaigns that have distributed information stealer malware such as Lumma and Rhadamanthys, as documented by Cisco Talos and Check Point last year. A notable aspect of the campaign is the use of localized phishing lures, with the emails crafted in the languages predominantly spoken in the targeted countries. This includ...

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions , customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a statement. Superstar is alleged to have run a pay-per-install service that enabled its customers to gain unauthorized access to victim machines, using the loader as a conduit to deploy next-stage payloads of their choice. According to the European law enforcement agency, the access afforded by the botnet was used for various purposes such as keylogging, webcam access, ransomware deployment, and cryptocurrency mining. The latest action, part of an ongoing coordinated exercise called Operation Endgame , which led to the dismantling of online infrastructure associated with...

A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting ( BPH ) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it identified an operational security (OPSEC) failure in the domain that left its malicious infrastructure exposed, thereby revealing the malicious payloads staged on the server.  "This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte – an amateur cybercriminal leveraging Proton66's bulletproof hosting to distribute malware and engage in other illicit activities," it said in a report shared with The Hacker News. Proton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distribut...

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Trend Micro researcher Aliakbar Zahravi said in an analysis. The vulnerability in question is CVE-2025-26633 (CVSS score: 7.0), described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console ( MMC ) that could allow an attacker to bypass a security feature locally. It was fixed by the company earlier this month as part of its Patch Tuesday update. Trend Micro has given the exploit the moniker MSC EvilTwin, tracking the suspected Russian activity cluster under the name Water...

Cybersecurity researchers are alerting to a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer . The activity has been attributed to a previously undocumented threat actor known as TA2727, with the information stealers for other platforms such as Windows ( Lumma Stealer or DeerStealer ) and Android ( Marcher ). TA2727 is a "threat actor that uses fake update themed lures to distribute a variety of malware payloads," the Proofpoint Threat Research Team said in a report shared with The Hacker News.  It's one of the newly identified threat activity clusters alongside TA2726, which is assessed to be a malicious traffic distribution system (TDS) operator that facilitates traffic distribution for other threat actors to deliver malware. The financially motivated threat actor is believed to be active since at least September 2022. TA2726, per the enterprise security firm, acts as a TDS for TA2727 and another threat actor ca...

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders. "This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said . "This PowerShell-based downloader is being tracked as PEAKLIGHT." Some of the malware strains distributed using this technique are Lumma Stealer , Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot , all of which are advertised under the malware-as-a-service (SaaS) model. The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques -- e.g., when users look up a movie on search engines. It's worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies. The LNK file connects to a content delivery network...