Search results for Redline threat detection | Breaking Cybersecurity News | The Hacker News

Threat actors are increasingly abusing legitimate and commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers. "The majority of the attributed malicious samples targeted financial institutions and government industries," Check Point security researcher Jiri Vinopal said in an analysis. The volume of samples packed with BoxedApp and submitted to the Google-owned VirusTotal malware scanning platform witnessed a spike around May 2023, the Israeli cybersecurity firm added, with the artifact submissions mainly originating from Turkey, the U.S., Germany, France, and Russia. Among the malware families distributed in this manner are Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell. Packers are self-extracting archives that are often used to bundle software and make them smaller. But over the year...

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly. ⚡ Threat of the Week Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashio...

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today. The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors. The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities.

A new study conducted by Uptycs has uncovered a stark increase in the distribution of information stealing (a.k.a. infostealer or stealer) malware. Incidents have more than doubled in Q1 2023, indicating an alarming trend that threatens global organizations. According to the new Uptycs' whitepaper,  Stealers are Organization Killers , a variety of new info stealers have emerged this year, preying on Windows, Linux, and macOS systems. Telegram has notably been used extensively by these malware authors for command, control, and data exfiltration. What is a Stealer? A stealer is a type of malware that targets its victim by stealing sensitive information that can include passwords, login credentials, and other personal data. After collecting such data, the stealer sends it to the threat actor's command and control (C2) system. RedLine and Vidar, two well-known stealers, took advantage of log-providing services to infiltrate private systems. RedLine primarily targets credenti...

A .NET-based evasive crypter named  DarkTortilla  has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely  since 2015 . "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks  said  in a Wednesday report. "It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging." Malware delivered by the crypter includes information steakers and remote access trojans (RATs) such as Agent Tesla, AsyncRat, NanoCore, and RedLine Stealer. "DarkTortilla has versatility that similar malware does not," the researchers noted. Crypters are  software tools  that use a  combination  of encryption, obfuscation, and code manipulation of malware so as to  bypass detection  by security solutions. The delive...

A new campaign leveraging an exploit kit has been observed abusing an Internet Explorer flaw patched by Microsoft last year to deliver the RedLine Stealer trojan. "When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server," Bitdefender  said  in a new report shared with The Hacker News. Most of the infections are located in Brazil and Germany, followed by the U.S., Egypt, Canada, China, and Poland, among others. Exploit kits or exploit packs are comprehensive tools that contain a collection of exploits designed to take advantage of vulnerabilities in commonly-used software by scanning infected systems for different kinds of flaws and deploying additional malware. The primary infection method used by attackers to distribute exploit kits, in this case the...

Behind every security alert is a bigger story. Sometimes it’s a system being tested. Sometimes it’s trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control. This week, we’re looking beyond the surface to spot what really matters. Whether it’s poor design, hidden access, or silent misuse, knowing where to look can make all the difference. If you're responsible for protecting systems, data, or people—these updates aren’t optional. They’re essential. These stories reveal how attackers think—and where we’re still leaving doors open. ⚡ Threat of the Week Google Releases Patches for Actively Exploited Chrome 0-Day — Google has released Google Chrome versions 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to address a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine that it said has been exploited in the wild. Google credited Clement Lecigne and Benoît Sevens of Google T...

Threat hunters have unmasked the latest tricks adopted by a malware strain called  GuLoader  in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic  said  in a report published this week. First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions. A  steady stream  of  open-source reporting  into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside oth...

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself. BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years. "Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. "However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself." Broadcom's ...

Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don’t start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that’s all it takes. Staying safe isn’t just about reacting fast. It’s about catching these early signs before they blow up into real problems. That’s why this week’s updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in. ⚡ Threat of the Week U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered the North Korean IT staff working at over 100 U.S. companies using fictitious or stolen identities and not only drawing salaries, but also stealing secret data and plundering virtual currency more than $900,000 in one incident targeting an unnamed blockchain company in ...

A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin  said . Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information. The loader, written in .NET, employs a technique called binary padding by adding null bytes to increase the file's size to 400 MB in an attempt to evade detection by security software. The activation of the loader triggers a multi-stage process to ...

Cybersecurity experts have discovered yet another malware-as-a-service ( MaaS ) threat called  BunnyLoader  that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh  said  in an analysis published last week. Among its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim's clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasio...

Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as  StrelaStealer . The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today. "These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload," researchers Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri said . "In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns." First disclosed in November 2022, StrelaStealer is  equipped  to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server. Since then, two large-scale campaigns involving the ma...

A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal." It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails. The newest addition is Godot Engine , a game development platform that allows users to design 2D and 3D games across platforms , including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. The multi-platform support also makes it an attract...

Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization ( SEO ) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader). The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals searching for these programs into installing them instead. "Upon execution, a backdoor known as Oyster/Broomstick is installed," the company said in a brief published last week. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism." The names of some of the bogus websites are listed below - updaterputty[.]com zephyrhype[.]com putty[.]run putty[.]bet, and puttyy[.]org...

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats. AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge. Let’s dive into the threats making noise behind the scenes. ⚡ Threat of the Week Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise...

A joint international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms. Coinciding with the infrastructure seizure, the major crackdown, which involved authorities from 17 countries, culminated in 119 arrests and 208 property searches in 13 nations. However, the  .onion mirror of the market  appears to be still up and running . The "unprecedented"  law   enforcement   exercise  has been codenamed  Operation Cookie Monster . Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials. A majority of infections associated with Genesis Market related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy,...

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions. Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.  This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar " The Rise of the Rookie Hacker - a new trend to reckon with " on January 11th. Leaked credentials will continue to be the main attack vect...