Search results for file-extension-for-powershell-script | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data. "Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher Klimentiy Galkin said in a report. "The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent." The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma , said the malicious extension was downloaded 722 times from across Brazil, Colombia, the Czech Republic, Mexico, Russia, and Vietnam, among others. As many as 70 unique victim companies have been identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by th...

Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics. "Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol," SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News. "A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted." The cybersecurity company is tracking the malware components collectively under the name NimDoor. It's worth noting that some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin , but with differences in the payloads deployed. The attack chains involve social enginee...

Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader , which then deploys an information stealer known as Vidar Stealer . "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security researcher Ale Houspanossian said in a Monday analysis. "When unsuspecting victims extracted and executed a 'Setup.exe' binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module." The starting point is a RAR archive file that contains an executable name "Setup.exe," but in reality is a copy of Cisco Webex Meetings's ptService module. What makes the campaign noteworthy is the use of DLL side-loading techniques to stealthily launch Hijack Loader (aka DOI...

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background." The campaign stands out for a couple of reasons. First, it uses multiple public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, effectively improving resilience. Another "defining characteristic" of the campaign, per Fortinet, is the operational abuse of defendnot to d...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, facilities the deployment of two pieces of malware, a PowerShell script taken from the PSSW100AVB ("Powershell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK. "File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said. "These spreadsheets contain malicious code which, ...

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts. "An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky  said  in a report published last week. Ducktail , alongside  Duckport  and  NodeStealer , is part of a  cybercrime ecosystem  operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts. Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuatin...

In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems. Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021. Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set,  reported in April , took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines. Then in August, the malware was  observed  targeting healthcare and education sectors with the goal of gathering credentials and sensitive in...

Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension " susvsex ," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com." "Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.  According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any even...

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution. The security hole is tracked as CVE-2024-50623 (CVSS score: 9.8), with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code. The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE-2024-55956), warning of a separate "unauthenticated malicious hosts vulnerability that could lead to remote code execution." The development comes after Huntress said the pat...

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX . Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. ViperSoftX, which first  came to light  in February 2020, was characterized by  Fortinet  as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst  Colin Cowie  earlier this year. "This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher ...

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix -like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix, observed earlier this month, has been codenamed CrashFix by Huntress. KongTuke , also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery. Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware , Interlock ransomware , and TA866 (aka Asylu...

A recent malware campaign has been found to leverage  Satacom downloader  as a conduit to deploy stealthy malware capable of siphoning cryptocurrency using a rogue extension for Chromium-based browsers. "The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev  said . Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. Satacom downloader, also called  Legion Loader , first emerged in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners. Infection chains involving the malware begin when users searching for cracked software are redirected to bogus websites that host ZIP archive files containing the malware. "Various types ...

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape. How Threat Actors Abuse Microsoft Teams Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. " Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as p...

The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul . The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known as GOFFEE, is assessed to have conducted at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations. Attack chains mounted by the threat actor have also been observed incorporating a disruptive component, wherein the intrusions go beyond distributing malware for espionage purposes to also change passwords belonging to employee accounts. The attacks themselves are initiated via phishing emails that contain a macro-laced lure document, which, upon opening and enabling macros, paves the way for th...