-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Search results for loader.t | Breaking Cybersecurity News | The Hacker News

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

Jun 16, 2026 Malware / Endpoint Security
Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader , Lorem Ipsum Loader , and Potemkin , per independent reports from Morphisec , BlueVoyant , and Huntress , respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. "Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages," Morphisec researcher Shmuel Uzan said. "This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility." The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader, which is then used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, i...
YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader

YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader

Apr 18, 2023 Threat Intelligence / Cyber Risk
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named " in2al5d p3in4er " (read: invalid printer) that's used to deliver the Aurora information stealer malware. "The in2al5d p3in4er loader is compiled with  Embarcadero RAD Studio  and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec  said  in a report shared with The Hacker News. Aurora  is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through  YouTube videos  and SEO-poised fake cracked software download websites. Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility. The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card i...
Claude Code Security and Magecart: Getting the Threat Model Right

Claude Code Security and Magecart: Getting the Threat Model Right

Mar 18, 2026 Supply Chain Attack / Web Security
When a Magecart payload hides inside the EXIF data of a dynamically loaded third-party favicon, no repository scanner will catch it – because the malicious code never actually touches your repo. As teams adopt Claude Code Security for static analysis, this is the exact technical boundary where AI code scanning stops and client-side runtime execution begins. A detailed analysis of where Claude Code Security stops — and what runtime monitoring covers — is available here . A Magecart skimmer recently found in the wild used a three-stage loader chain to hide its payload inside a favicon's EXIF metadata — never touching the merchant's source code, never appearing in a repository, and executing entirely in the shopper's browser at checkout. The attack raises a question that’s worth getting precise about: which category of tool is actually supposed to catch this? Magecart Lives Outside Your Codebase Magecart‑style attacks are rarely about classic vulnerabilities in your own ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

Mar 30, 2026 Threat Intelligence / Browser Security
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad . "It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked," ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News. The starting point of the attack chain is a ClickFix lure that tricks users into running PowerShell commands by pasting the command into the Windows Run dialog under the pretext of addressing a non-existent issue. This, in turn, uses "mshta.exe," a legitimate Windows utility to download and run an obfuscated PowerShell loader. The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It's ass...
Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

Dec 08, 2025 Malware / Enterprise Security
Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT . The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware. "NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said . There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes ...
SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools

SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools

Jul 07, 2025 Malware / Malvertising
Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization ( SEO ) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader). The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals searching for these programs into installing them instead. "Upon execution, a backdoor known as Oyster/Broomstick is installed," the company said in a brief published last week. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism." The names of some of the bogus websites are listed below - updaterputty[.]com zephyrhype[.]com putty[.]run putty[.]bet, and puttyy[.]org...
DarkComet-RAT v5.1 Released - Remote Administration Tool

DarkComet-RAT v5.1 Released - Remote Administration Tool

Mar 18, 2012
DarkComet-RAT v5.1 Released - Remote Administration Tool This new version of the famous darkcomet RAT , a remote management tool created by DarkCoderSc . DarkComet is also considered as the most stable RAT around and it is even regarded more stable than some professional ones. Change Log: - [GUI ] Control center GUI change a little bit - [FUNC] New functions added in control center >> Network category, called WIFI Access points, now you can see near wifi networks and hardware wifi card(s) - [GUI ] Now in layout settings you can change the main windows GUI if you don't like the default one. - [FIX ] Fix the ftp upload keylogger problem - [SYS ] Edit server settings system was revised and optimized - [FIX ] DNS/IP backups issue fixed - [SYS ] DNS/IP backups algorythm revised and more reliable - [SYS ] Big problem fixed in client / server system - [SYS ] Loader environement is more lite, unused function / variables been track and clean also few important functions been ...
Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Aug 25, 2025 Malware / Cloud Security
Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said . "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others. UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromi...
ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

Jan 27, 2026 Malware / Enterprise Security
Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix -style fake CAPTCHAs with a signed Microsoft Application Virtualization ( App-V ) script to distribute an information stealer called Amatera . "Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths," Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week. In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity. The starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command on the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks. The supplied command, rather than invokin...
10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

Jul 15, 2024 Cyber Crime / Data Protection
Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we slowly learning its full destructive potential. In this article, we will describe how the entire cybercriminal ecosystem operates, the ways various threat actors exploit data originating from it, and most importantly, what you can do about it. Let’s start with what infostealer malware actually is. As the name suggests, it’s malware that... steals data. Depending on the specific type, the information it extracts might differ slightly, but most will try to extract the following: Cryptocurrency wallets Bank account information and saved credit card details Saved passwords from various apps Bro...
ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

Dec 25, 2025 Cybersecurity / Hacking News
It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion. The newest campaigns don’t shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn’t just in what’s being exploited, but in how ordinary it all looks. ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It’s a reminder that the future of cybersecurity won’t hinge on bigger walls, but on sharper awareness. Open-source tool exploited Abuse of Nezha for Post-Exploitation Bad actors are le...
Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

Aug 16, 2024 Cyber Attack / Malware
Chinese-speaking users are the target of an ongoing campaign that distributes a malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said . "Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim's system." Details about the campaign first emerged in June 2024, when Zscaler ThreatLabz detailed attacks involving an updated version of the malware. Exactly how the latest iteration of ValleyRAT is distributed is currently not known, although previous campaigns have leveraged email messages containing URLs pointing to compressed executables. "Based on the filenames of the executables we found, they're likely using phis...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources