-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Malware | Breaking Cybersecurity News | The Hacker News

Category — Malware
New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Jul 16, 2026 Cybercrime / Endpoint Security
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026. "The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril François said in a technical report. "While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth." The disclosure makes it the second new threat actor after SCMBANKER to be propagated via ClickFix , a pervasive social engineering attack that tricks users into manually running malicious commands by disguising them as innocent fixes for fake browser errors, software updates, or CAPTCHA verifications. Underpinning the technique is an approach called clipboard hijacking. Because web pages using ClickFix inject malicious script or commands into...
New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

Jul 16, 2026 Malware / Cryptocurrency
ClickLock Stealer , a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and the major browsers start dying every 210 milliseconds, for up to 83 hours, leaving one password box on a dead desktop. Type it, and the machine gives up the Keychain, the browser credentials, and the crypto wallets. Group-IB's telemetry counts at least 100 targets across 33 countries since May, over half of them in Europe. Its analysts assume from the code structure that the malware is still under development. Uploaded to VirusTotal on June 9, the orchestrator script had  zero detections  there when Group-IB analyzed it. And the analysts never found the front door. They have the ...
20+ Hijacked Government Websites Became
an Attack Channel

20+ Hijacked Government Websites Became
an Attack Channel

Jul 16, 2026 Malware / Endpoint Security
More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN , a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden. For the complete technical analysis, infrastructure details, indicators, and detection guidance, read the full PhantomEnigma investigation report Trusted Government Infrastructure Became the Lure The attack began with fake police-themed documents presented as official “Ofício Polícia Civil” or “Procuração Digital” notices. Some ...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

Jul 16, 2026 Cyber Espionage / Malware
An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig . Daxin ("srt64.sys"), as the kernel-mode rootkit is referred to, was first documented by Broadcom-owned Symantec in March 2022, with evidence indicating its use in targeted attacks aimed at governments and other critical infrastructure targets since 2013. The latest findings from the Symantec and Carbon Black Threat Hunter Team show that Daxin is still operational, after it was found running on a compromised host in Taiwan in 2026. The same machine, belonging to a Taiwan-based subsidiary of a multinational high-tech manufacturer, is also said to have been infected with Stupig ("a.dll" or "kbdus1.dll"). The file name is an attempt to masquerade as "kbdus.dll," a legitimate Microsoft DLL associated with the U.S. English keyboard layout...
TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

Jul 15, 2026 IoT Security / Network Security
Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," Palo Alto Networks Unit 42 said . "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly." The cybersecurity company said a manual code review would have resolved these errors and that it's possible more polished iterations of the malware exist out there in the wild. The botnet framework consists of multiple components: a C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources