#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

data theft | Breaking Cybersecurity News | The Hacker News

Category — data theft
Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

Dec 07, 2024 Malware / Web3 Security
Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings. "The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said . "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer." The activity has been codenamed Meeten by the security company, owing to the use of names such as Clusee, Cuesee, Meeten, Meetone, and Meetio for the bogus sites. The attacks entail approaching prospective targets on Telegram to discuss a potential investment opportunity, urging them to join a video call hosted on one of the dubious platforms. Users who end up on the site are prompted to download a Windows or macOS version dep...
SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

Dec 02, 2024 Malware / Cryptocurrency
Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server." SmokeLoader , a malware downloader first advertised in cybercrime forums in 2011, is chiefly designed to execute secondary payloads. Additionally, it possesses the capability to download more modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency. "SmokeLoader detects analysis environments, generates fake network t...
Unlocking Google Workspace Security: Are You Doing Enough to Protect Your Data?

Crowdstrike Named A Leader In Endpoint Protection Platforms

Nov 22, 2024Endpoint Security / Threat Detection
CrowdStrike is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time, positioned highest on Ability to Execute and furthest to the right on Completeness of Vision.
New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

Nov 18, 2024 Threat Intelligence / Ransomware
Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza . BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday. Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software. Loaders have become an increasingly prevalent method to deliver malware, like stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a be...
cyber security

Breaking Barriers: Strategies to Unite AppSec and R&D for Success

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

Nov 18, 2024 Data Theft / Cybercrime
A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said . The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfare. The phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organi...
SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

Nov 07, 2024 Cryptocurrency / Malware
An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024. Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys . Targeted regions include the United States, Europe, East Asia, and South America. "The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity," the company said in a technical analysis. "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors." The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition ...
Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Nov 06, 2024 Malware / Online Security
Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. "Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "Rebuilt from Gh0st RAT , it includes several modular components, each handling distinct functions." Campaigns distributing Winos 4.0 were documented back in June by Trend Micro and the KnownSec 404 Team. The cybersecurity companies are tracking the activity cluster under the names Void Arachne and Silver Fox. These attacks have been observed targeting Chinese-speaking users, leveraging black hat Search Engine Optimization (SEO) tactics, social media, and messaging platforms like Te...
Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Oct 30, 2024 Cybercrim / Cryptocurrency
Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets. The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300 times before being taken down from PyPI. "The malware activated automatically upon installation, targeting both Windows and macOS operating systems," Checkmarx said in a new report shared with The Hacker News. "A deceptive graphical user interface (GUI) was used to distract vic4ms while the malware performed its malicious ac4vi4es in the background." The package is designed to unleash its malicious behavior immediately after installation through code injected into its "__init__.py" file that first determines if the target system is Windows or macOS ...
Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services

Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services

Oct 28, 2024 Cloud Security / Cyber Attack
A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as Evasive Panda that infected them with a previously undocumented post-compromise toolset codenamed CloudScout. "The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies," ESET security researcher Anh Ho said . "Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework." The use of the .NET-based malware tool, per the Slovak cybersecurity company, was detected between May 2022 and February 2023. It incorporates 10 different modules, written in C#, out of which three are meant for stealing data from Google Drive, Gmail, and Outlook. The purpose of the remaining modules remains unknown. Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has a track record of striking various entitie...
Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

Oct 22, 2024 Malware / Threat Intelligence
Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns. Bumblebee and Latrodectus , which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts. Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578. In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot. "Although Latrodectus was not mentioned in the operation, it was also affected and its ...
Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

Sep 09, 2024 Financial Security / Malware
The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) referred to as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week. The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly related to the government and finance sectors in Colombia and Ecuador. The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process. The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted on ...
FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals

FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals

Sep 07, 2024 Cybercrime / Dark Web
Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information. Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud. Khodyrev and Kublitskii, between 2014 and 2024, acted as the main administrators of WWH Club (wwh-club[.]ws) and various other sister sites – wwh-club[.]net, center-club[.]pw, opencard[.]pw, skynetzone[.]org – that functioned as dark web marketplaces, forums, and training centers to enable cybercrime. The indictment follows an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020 after determining that WWH Club's primary domain (www-club[.]ws]) resolved to an IP address belonging to DigitalOcean, allowing them to issue a federal search warrant to t...
Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32

Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32

Aug 29, 2024 Cyber Espionage / Malware
A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts. Cybersecurity company Huntress attributed the activity to a threat cluster tracked as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is believed to have been ongoing for at least four years. "This intrusion has a number of overlaps with known techniques used by the threat actor APT32/OceanLotus, and a known target demographic which aligns with APT32/OceanLotus targets," security researchers Jai Minton and Craig Sweeney said . OceanLotus , active since at least 2012, has a history of targeting company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos, and Cambodia with the end goal of cyber espionage and intellectual property theft. Attack chains typically make use of...
macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

Aug 27, 2024 Cyber Espionage / Malware
Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT . The artifacts "almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers' server," Kaspersky researcher Sergey Puzan said . HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed via self-extracting zip archives or malicious RTF documents presumably built using the Royal Road RTF weaponizer . The attack chains involving RTF documents are engineered to deploy the Windows version of the malware that's executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor ( CVE-2017-11882 ). The second distribution method, on the other hand, masquerades as an installer for legitimate software such as OpenVPN, PuTTYgen, or E...
New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards

New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards

Aug 26, 2024 Financial Fraud / Mobile Security
Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations. The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia. The malware "has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone," researchers Lukáš Štefanko and Jakub Osmani said in an analysis. The activity is part of a broader campaign that has been found to target financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024. The end goal of the attacks is to clone near-field communication (NFC) data from victims' physical payment ca...
Latvian Hacker Extradited to U.S. for Role in Karakurt Cybercrime Group

Latvian Hacker Extradited to U.S. for Role in Karakurt Cybercrime Group

Aug 23, 2024 Cyber Crime / Ransomware
A 33-year-old Latvian national living in Moscow, Russia, has been charged in the U.S. for allegedly stealing data, extorting victims, and laundering ransom payments since August 2021. Deniss Zolotarjovs (aka Sforza_cesarini) has been charged with conspiring to commit money laundering, wire fraud and Hobbs Act extortion. He was arrested in Georgia in December 2023 and has since been extradited to the U.S. as of this month. "Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world," the U.S. Department of Justice (DoJ) said in a press release this week. "Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download." Zolotarjovs is believed to have been an active member of the e-crime group, engaging with ot...
Styx Stealer Creator's OPSEC Fail Leaks Client List and Profit Details

Styx Stealer Creator's OPSEC Fail Leaks Client List and Profit Details

Aug 21, 2024 Cyber Espionage / Threat Intelligence
In what's a case of an operational security (OPSEC) lapse, the operator behind a new information stealer called Styx Stealer leaked data from their own computer, including details related to the clients, profit information, nicknames, phone numbers, and email addresses. Styx Stealer, a derivative of the Phemedrone Stealer , is capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency wallet information, cybersecurity company Check Point said in an analysis. It first emerged in April 2024. "Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features found in newer versions such as sending reports to Telegram, report encryption, and more," the company noted . "However, the creator of Styx Stealer added some new features: auto-start, clipboard monitor and crypto-clipper, additional sandbox evasion, and anti-analysis techniques, and re-implemented sending dat...
CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait

CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait

Aug 21, 2024 Cyber Warfare / Threat Intelligence
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks that aim to infect devices with malware. The activity has been attributed to a threat cluster it tracks as UAC-0020, which is also known as Vermin . The exact scale and scope of the attacks are presently unknown. The attack chains commence with phishing messages with photos of alleged prisoners of war (PoWs) from the Kursk region, urging recipients to click on a link pointing to a ZIP archive. The ZIP file contains a Microsoft Compiled HTML Help (CHM) file that embeds JavaScript code responsible for launching an obfuscated PowerShell script. "Opening the file installs components of known spyware SPECTR, as well as the new malware called FIRMACHAGENT," CERT-UA said. "The purpose of FIRMACHAGENT is to retrive the data stolen by SPECTR and send it to a remote management server." SPECTR is a known malware linked to Vermin as far back as 2019. The group is assessed to be ...
Czech Mobile Users Targeted in New Banking Credential Theft Scheme

Czech Mobile Users Targeted in New Banking Credential Theft Scheme

Aug 20, 2024 Mobile Security / Banking Fraud
Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to sidestep security protections and steal their banking account credentials. The attacks have targeted the Czech-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and a Georgian Bank, according to Slovak cybersecurity company ESET. "The phishing websites targeting iOS instruct victims to add a Progressive Web Application ( PWA ) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser," security researcher Jakub Osmani said . "At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic." What's notable about this tactic is that users are deceived into installing a PWA, or even WebAPKs in some cases on Android, from a third-party site without having to specificall...
Expert Insights / Articles Videos
Cybersecurity Resources