data theft | Breaking Cybersecurity News | The Hacker News

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks. The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a malware loader codenamed XORIndex . The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval. "The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said . Contagious Interview is the name assigned to a long-running campaign that seeks to en...

Russian organizations have been targeted as part of an ongoing campaign that delivers a previously undocumented Windows spyware called Batavia. The activity, per cybersecurity vendor Kaspersky, has been active since July 2024. "The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract," the Russian company said . "The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents." The email messages are sent from the domain "oblast-ru[.]com," which is said to be owned by the attackers themselves. The links embedded within the digital missives lead to the download of an archive file containing a Visual Basic Encoded script (.VBE) file. When executed, the script profiles the compromised host and exfiltrates the system information to the remote server. This is followed by the retrieval of a next-stage payload from t...

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector. To that end, the agency said it's actively working with aviation and industry partners to combat the activity and help victims. "These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the FBI said in a post on X. "These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts." Scattered Spider attacks are also known to target third-party IT providers to obtain access to large organizations, putting trusted vendors and contractors at risk of potential attacks. The attacks typically pave the way for data theft, extortion, and ransomware. In a statement shared ...

Cybersecurity researchers have uncovered a fresh batch of malicious npm packages linked to the ongoing Contagious Interview operation originating from North Korea. According to Socket , the ongoing supply chain attack involves 35 malicious packages that were uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 times. The complete list of the JavaScript libraries is below - react-plaid-sdk sumsub-node-websdk vite-plugin-next-refresh vite-plugin-purify nextjs-insight vite-plugin-svgn node-loggers react-logs reactbootstraps framer-motion-ext serverlog-dispatch mongo-errorlog next-log-patcher vite-plugin-tools pixel-percent test-topdev-logger-v1 test-topdev-logger-v3 server-log-engine logbin-nodejs vite-loader-svg struct-logger flexible-loggers beautiful-plugins chalk-config jsonpacks jsonspecific jsonsecs util-buffers blur-plugins proc-watch node-orm-mongoose prior-config use-videos lucide-node, and router-parse ...

Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead. The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package Index (PyPI) repository with bogus packages that were downloaded over 75,000 times and came with information-stealing capabilities on Windows systems. The findings build on a previous report from the SANS's Internet Storm Center in November 2024 that detailed a supposed "steam-account-checker" tool hosted on GitHub, which incorporated stealthy features to download additional Python payloads that can inject malicious code into the Exodus cryptocurrency wallet app and harvest sensitive data to an external server ("dieserbenni[.]ru"). Further analysis of the repository a...

The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said . "The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts." The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan. Rare Werewolf , also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of...

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large. Stepanov has been charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin has been charged with cons...

North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry – BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co) – to spread malware via 'job interview lures," Silent Push said in a deep-dive analysis. The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret , and OtterCookie . Contagious Interview is one of the several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment. The activity is tracked by the broader cybersecu...

Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro , a paid offering that removes advertising and analytics features. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an A...

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...

Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence. The phishing campaigns , per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat. It's worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-b...

The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul . The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known as GOFFEE, is assessed to have conducted at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations. Attack chains mounted by the threat actor have also been observed incorporating a disruptive component, wherein the intrusions go beyond distributing malware for espionage purposes to also change passwords belonging to employee accounts. The attacks themselves are initiated via phishing emails that contain a macro-laced lure document, which, upon opening and enabling macros, paves the way for th...

The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview , also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023. "It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors," Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé said , attributing the effort to the infamous Lazarus Group , a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic Pe...

Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins , refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware. "This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis. In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory - "wp-content/mu-plugins/redirect.php," ...