Malware | Breaking Cybersecurity News | The Hacker News

Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one so as to reroute them to the adversary instead of the intended target. "The infection chain begins at a site called pesktop[.]com," security researcher Ari Novick said in an analysis published earlier this week. "This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware." The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey , as well as two other .NET binaries, each compiled for 32- and 64-bit architect...

A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77 . The activity, condemned OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It's currently not known who is behind the campaign. The rootkit "has the ability to cloak or mask any file, registry key or task beginning with a specific prefix," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News. "It has been targeting users by either masquerading as legitimate software downloads or via fake captcha social engineering scams." The campaign is designed to mainly target English-speaking individuals, particularly the United States, Canada, Germany, and the United Kingdom. OBSCURE#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script that, in turn, executes PowerShell commands to activ...

Microsoft has shed light on an ongoing phishing campaign that has targeted the hospitality sector by impersonating online travel agency Booking.com using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware. The activity, the tech giant's threat intelligence team said, started in December 2024 and operates with the end goal of conducting financial fraud and theft. It's tracking the campaign under the moniker Storm-1865 . "This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency," Microsoft said in a report shared with The Hacker News. The ClickFix technique has become widespread in recent months, as it tricks users into executing malware under the guise of fixing a supposed...

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...

The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX Series routers from Juniper Networks as part of a campaign designed to deploy custom backdoors, highlighting their ability to focus on internal networking infrastructure. "The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device," Google-owned Mandiant said in a report shared with The Hacker News. The threat intelligence firm described the development as an evolution of the adversary's tradecraft, which has historically leveraged zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to breach networks of interest and establish persistence for remote access. First documented in September 2022, the hacking crew is assessed to be "highly adept" and capable of targeting edge devices and virtualization technologies with the ultima...

Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild. Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege escalation. The updates are in addition to 17 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of last month's Patch Tuesday update , one of which is a spoofing flaw specific to the browser ( CVE-2025-26643 , CVSS score: 5.4). The six vulnerabilities that have come under active exploitation are listed below - CVE-2025-24983 (CVSS score: 7.0) - A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally CVE-2025-24984 (CVSS score: 4.6) - A Windows NTFS information disclosu...

The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024. "The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates," Check Point said in a new analysis. "More than 1,600 victims were affected during one of these campaigns which took place around December 19, 2024. This infection rate is significant considering Blind Eagle's targeted APT approach." Blind Eagle, active since at least 2018, is also tracked as AguilaCiega, APT-C-36, and APT-Q-98. It's known for its hyper-specific targeting of entities in South America, specifically Colombia and Ecuador. Attack chains orchestrated by the threat actor entail the use of social engineering tactics, often in the form of spear-phishing emails, to gain initial access to target systems and ultimately drop readily available re...

Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. "The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet," security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with The Hacker News. CVE-2023-1389 is a high-severity security flaw impacting TP-Link Archer AX-21 routers that could lead to command injection, which could then pave the way for remote code execution. The earliest evidence of active exploitation of the flaw dates back to April 2023, with unidentified threat actors using it to drop Mirai botnet malware. Since then, it has also been abused to propagate other malware families like Condi and AndroxGh0st . Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempt was recorded on Februa...

Inside the most innocent-looking image, a breathtaking landscape, or a funny meme, something dangerous could be hiding, waiting for its moment to strike. No strange file names. No antivirus warnings. Just a harmless picture, secretly concealing a payload that can steal data, execute malware, and take over your system without a trace. This is steganography, a cybercriminal’s secret weapon for concealing malicious code inside harmless-looking files. By embedding data within images, attackers evade detection, relying on separate scripts or processes to extract and execute the hidden payload. Let’s break down how this works, why it’s so dangerous, and most importantly, how to stop it before it’s too late. What is Steganography in Cybersecurity? Steganography is the practice of concealing data within another file or medium. Unlike encryption, which scrambles data to make it unreadable, steganography disguises malicious code inside harmless-looking images, videos, or audio files, makin...

Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder. The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa, as well as telecommunication, consulting, IT service companies, real estate agencies, and hotels. In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant as the threat actor was previously suspected to be of Indian origin. "It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend per...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-57968 - An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx CVE-2025-25181 - An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands CVE-2024-13159 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information CVE-2024-13160 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information CVE-2024-13161 - An absolute path traversal vulnerability...

Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on. "The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX said in a report published last week. The harvested credentials could then be abused by the threat actors to hijack online accounts and gain unauthorized access to sensitive personal and financial information. The attack affects all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The approach banks on the fact that users commonly pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension m...