Search results for powershell-logging-script | Breaking Cybersecurity News | The Hacker News

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. "The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box," Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads - UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads UNC4108, a threat act...

Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL. "GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said . "This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner." It all starts with an executable file ("Tiworker.exe"), which is used to run a PowerShell script that retrieves an obfuscated Power...

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT . The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware. "NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said . There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes ...

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge , a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project," Kaspersky said in a report published today. "The description and contents of officepackage provided below were also taken from GitHub." While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian. On top of that, hovering over the download button reveals a seemi...

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163 . "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take," IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News. Hive0163's operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In one ransomware attack observed by the company in early 2026, the threat actor was observed deploying Slopoly during the post-exploitation phase so as to maintain persistent access to the compromised server for more than a week. Slo...

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, a malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure. How USB drive attacks propagate Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.  Drop attacks : Infected USB drives are deliberatel...

Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT). "The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic," Elastic Security Labs said in a Friday report. According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities. The campaign was discovered earlier this month. It's also assessed to share tactic...

A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain. Fortinet FortiGuard Labs said the new version of the malware has been behind over 280 million blocked infection attempts worldwide since the start of the year. "Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard," security researcher Kevin Su said . Its other features allow it to exfiltrate the stolen information to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP) and Telegram bots, allowing the threat actors to access stolen credentials and other sensitive data." What's notable about the latest set of attacks is that it makes use of the AutoIt scripting language ...

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. It's assessed that the batch script is distributed via traditional approaches like phishing. It's currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful. "Based on our current a...

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. "PROMPTFLUX is written in VB Script and interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques to facilitate 'just-in-time' self-modification, likely to evade static signature-based detection," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. The novel feature is part of its "Thinking Robot" component, which periodically queries the large language model (LLM), Gemini 1.5 Flash or later in this case, to obtain new code so as to sidestep detection. This, in turn, is accomplished by using a hard-coded API key to send the query to the Gemini API endpoint. The prompt sent to the model is both highly speci...

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site. The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using game-related lures. It's possible that users searching for pirated versions of these games are the target. Regardless of the method used, the fake MSI installer is designed to install Node...