The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

The attack begins with a convincing trap: a website made to look like the official 7-Zip page. The domain closely resembles the real one, so users trust it and download what seems like a normal installer. The software appears to function properly, which helps the infection remain hidden.

The campaign surfaced after a user shared their experience online. While building a new PC and following a tutorial, they downloaded 7-Zip from the fake site. The system showed some strange errors, but nothing serious enough to stop usage. Nearly two weeks later, Microsoft Defender finally detected a generic trojan, revealing the compromise.

How the Fake Installer Hides the Malware

Security analysis revealed that the installer includes a legitimate copy of 7-Zip along with hidden malicious files. These components are placed in system folders that most users never check, helping them stay unnoticed. The installer was digitally signed, which made it appear trustworthy during installation — although that certificate has since been revoked.

After installation, the malware establishes strong persistence. It creates Windows services that launch automatically with high privileges every time the system starts. It also modifies firewall settings to ensure its traffic can move freely without being blocked.

Turning Infected PCs into Proxy Nodes

The malware collects system details such as hardware information and network configuration, then communicates with remote servers for instructions. Its main role is to convert infected devices into residential proxy nodes.

◆ Connects to attacker-controlled servers for commands
◆ Routes third-party internet traffic through the victim’s IP address
◆ Uses encryption and obfuscation to hide communications
◆ Operates over unusual network ports to avoid detection

This setup is typical of residential proxy services, where real home IP addresses are valuable. Criminals can rent this access for fraud, scraping websites, ad abuse, and other illicit activities — all traced back to the victim’s internet connection.

Anyone who downloaded 7-Zip from the fake site should assume their system is compromised. Security tools may remove known variants, but some users may prefer a full operating system reinstall for complete safety.

To reduce risk

Always download software from official sources, double-check domain names, and watch for unexpected system changes like unknown services or firewall rule modifications.

Organizations should also block known malicious domains and monitor outbound traffic to stop infected machines from contacting attacker infrastructure.

The post Malicious 7-Zip Files Converting PCs into Proxy Nodes appeared first on First Hackers News.

The extensions captured conversations from tools like ChatGPT and DeepSeek, along with users’ complete browsing histories, and sent the data to external servers controlled by attackers.

The issue was uncovered by researchers at OX Security, who found that the extensions were designed to closely resemble the popular AITOPIA AI sidebar. One of the fake extensions even gained extra visibility by appearing as a recommended option in the Chrome Web Store.

Both tools offered AI chat features powered by models such as GPT and Claude, making them appear legitimate to users. To avoid suspicion, they asked for permission under the label of “anonymous analytics,” while secretly harvesting data.

Further investigation showed that the attackers used third-party hosting services to publish privacy policies and linked the two extensions together so that removing one would lead users to the other.

How the Malware Works

Once installed, the malicious extensions quietly watch what users do in their browser. They track open tabs and assign a unique ID to each victim.

When a user opens ChatGPT or DeepSeek, the extensions jump into action. They read the page content and copy chat messages, questions, replies, and session details directly from the browser window. This information is temporarily saved on the device.

Every 30 minutes, the collected data is packaged, encoded, and sent to attacker-controlled servers. This allows the attackers to harvest sensitive content that users may never expect to leave their browser.

The stolen data can include:

• Proprietary code and internal discussions
• Business plans and strategy conversations
• Personal information and search activity
• Internal links and system references

Beyond chat data, the extensions also record browsing activity. This gives attackers insight into user behavior, company structures, and online habits—information that can later be used for targeted phishing, fraud, or identity theft.

As of early January 2026, both extensions were still available for download. Although one lost its featured status after being reported, it continued to receive updates, helping it appear legitimate.

Users are strongly advised to review installed extensions, remove any unknown or suspicious ones, and avoid relying on store badges alone. Only install extensions from trusted developers and limit permissions whenever possible.

IoCs

Network and C2 IoCs

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Chrome Extension Used to Steal AI Chat Data appeared first on First Hackers News.

The extension looked and worked like a normal icon theme, so users didn’t suspect anything. But inside, it carried two Rust-based implants that could run native code on both operating systems and connect to a remote command server.

Nextron Systems discovered these implants in version 5.29.1, tied to a loader script called extension.js in the dist/extension/desktop folder.

The malicious payloads — os.node for Windows and darwin.node for macOS — were placed inside a structure that copied the real extension’s layout, making the backdoor harder to spot.

After activation, extension.js runs the matching Rust implant and hands control to the attackers, turning the extension into a loader for further remote payloads.

Inside the Attack Chain

This part explains how the malicious implants communicate with their command server and pull additional payloads.

The Rust binaries don’t use a fixed URL. Instead, they get their instructions from data stored in a Solana blockchain wallet, making the control channel difficult to block.

A simplified version of the loader logic in extension.js looks like this:

function activate() { const bin = process.platform === "win32" ? "os.node" : "darwin.node"; const native = require(__dirname + "/desktop/" + bin); native.run(); }

Once loaded, the native code reads the data from the wallet, decodes it from Base64, and then connects to a command server. It downloads a large Base64 blob, which is actually an AES-256-CBC encrypted JavaScript file.

The attackers also use a hidden Google Calendar event—with an invisible Unicode URL—as a fallback source for the next payload, adding another layer to the C2 chain.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Malicious VS Code Icon Theme Targets Windows & macOS appeared first on First Hackers News.

The Chrome Web Store listing never mentions any fees or hidden transfers — a key sign of the extension’s malicious intent.

Behind its clean interface, the extension runs advanced code to quietly steal SOL from users.

After creating the normal Raydium swap instructions, it calculates a “platform fee” using hardcoded values and adds a secret SystemProgram.transfer that sends SOL to the attacker’s wallet: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7.

The fee is the higher of 0.0013 SOL or 0.05% of the swap.
Small trades pay the fixed fee, while larger trades pay the percentage.
Example: a 100 SOL swap sends 0.05 SOL to the attacker.

The malicious code is heavily minified and renamed to hide how the fee works.

The hidden transfer is bundled inside the same transaction as the real swap, and most wallet pop-ups don’t show each instruction clearly.

As a result, users think they are approving one simple swap — but both instructions run together on-chain.

Fake Setup

The extension connects to a backend (crypto-coplilot-dashboard[.]vercel[.]app) and main site (cryptocopilot[.]app) that don’t work.

The backend shows a blank page, the main site is parked, and the typo “coplilot” signals disposable, malicious infrastructure.

On-chain activity shows only a few fee transfers so far, but the risk remains.

The fees grow with transaction size and volume, meaning active traders could lose significant amounts over time, turning the extension into a steady profit source for the attacker.

Recommendations for Users

Crypto Copilot is still on the Chrome Web Store, though Socket has asked Google to remove it.

• Avoid closed-source trading extensions that request signing permissions.
• Install wallet extensions only from verified publisher pages, not search results.
• If you used Crypto Copilot, move your assets to a clean wallet and revoke all connected sites.
• Always check each transaction instruction before signing, especially on Solana, and watch for unexpected SystemProgram.transfer actions.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Malware in Chrome Extension Found Stealing SOL via Hidden Swap Fees appeared first on First Hackers News.

The attackers have improved their methods by using smarter social engineering techniques that are harder to detect.

Lampion banking trojan

In this latest campaign, they are using a tactic called ClickFix, which tricks users into thinking they need to “fix” a fake technical issue. When users follow the instructions, the malware is unknowingly executed.

The attack starts with phishing emails that look like legitimate bank transfer notifications. These emails are sent from compromised email accounts, making them appear more credible.

Instead of links, the attackers now attach ZIP files containing the malware — a strategy they started using around mid-September 2024 to avoid security filters.

According to Bitsight researchers, the attackers changed their methods over three phases, with the biggest shift in mid-December 2024 when ClickFix was added to the infection process.

Researchers observed dozens of new infections every day, with hundreds of devices already under the attackers’ control. This shows how effective and well-planned the campaign is.

The malware uses multiple steps to avoid being detected. After the victim opens the attached file, a fake Windows error message appears, making everything look legitimate while the malware continues to run in the background.

The ClickFix trick gets users to click a link, making them believe they’re fixing an issue while the malware installs silently in the background.

Infection Process & Persistence

This campaign shows a high level of technical skill and planning.

The malware infection happens in multiple steps using hidden (obfuscated) Visual Basic scripts. Each step hides the true purpose of the malware until it finally loads the main DLL file, which is responsible for stealing information.

Around June 2025, the attackers added a persistence feature, allowing the malware to stay active even after the computer is restarted.

The threat actors use servers spread across different cloud providers, making it harder to trace or shut down their operations. Their system also blocks certain IP addresses, preventing security researchers from analyzing the full attack sequence.

Researchers found hundreds of unique malware files at every stage of the infection, suggesting that the group uses automated tools to generate new versions quickly and operate at scale while staying hidden.

The post Lampion Stealer Evolves: Silent Credential Theft via ClickFix Attacks appeared first on First Hackers News.

Rising Activity Detected in September 2025

More than 30,000 malware samples of this type were detected and blocked by Wordfence during September 2025.
All known variants are now covered by both premium and free malware signatures provided by Wordfence.

Variable Functions Exploited

PHP’s variable function capability, which allows function names to be stored in variables and executed dynamically, has been heavily abused by attackers.
This technique, originally meant for flexible coding, is being used to execute arbitrary commands on compromised sites.

For example, malicious code may assign “eval” and “base64_decode” to variables, chaining them together to download and execute remote payloads.
When these function names are dynamically built or encoded, detection becomes significantly harder.
Simple patterns like eval(base64_decode()) are easily caught, but reordered or encoded calls can bypass traditional signature scans.

Cookie-Based Payloads

The malware also replaces typical user-input triggers with browser cookies.
In several cases, execution occurs only when a specific number of cookies—often 11 or 22—are present, along with a unique marker such as “array11.”

Cookie values are concatenated to rebuild PHP function names like “base64_decode” or “create_function.”
The payload is then decoded and executed on the server.
Some variants even check mathematical conditions, such as one cookie being divisible by 283, before activating.

Because all commands are controlled through cookies, attackers can trigger code execution without leaving visible traces in logs or form submissions.

Key Detection Traits

According to Wordfence, these scripts can be identified by several behavioral clues:

• Unusually dense and unformatted PHP code
• Use of variable functions
• Conditional checks based on cookies or superglobals

By focusing on these traits rather than static signatures, Wordfence’s malware engine can detect even heavily obfuscated variants.

Ongoing Protection Efforts

Wordfence continues to invite researchers and users to submit undetected samples to expand their coverage.
Their layered defense system—including Wordfence Premium, Care, Response, and CLI tools—currently detects over 99% of known malicious variants using these obfuscation tactics.

The company emphasizes that vigilance and updated security plugins remain essential to keeping WordPress sites protected against evolving PHP malware threats.

The post PHP Variable Function Malware Targets WordPress Sites, Wordfence Reports appeared first on First Hackers News.

All about Android Zygote Flaw

The Zygote process is a core part of Android, responsible for launching new apps and system processes. Running with system privileges, it’s a prime target for attackers aiming for elevated access.

The vulnerability stems from how the System Server handles the hidden_api_blacklist_exemptions setting, which lets some apps bypass Android’s hidden API restrictions.

The issue occurs because the System Server doesn’t properly escape newlines in this setting when passing it to Zygote, allowing attackers to inject arbitrary commands into the Zygote process.

Mitigation Steps

To mitigate the risks, users can restore normal Zygote behavior by deleting the modified hidden_api_blacklist_exemptions setting through ADB Shell and rebooting the device. However, this will also remove any injected payloads, requiring attackers to repeat the exploitation process to regain elevated access.

This discovery highlights the importance of securing Android’s core processes and the need for quick patches to prevent such exploits.

The post Android Zygote Flaw Enables Code Execution and Privilege Escalation appeared first on First Hackers News.

Apache Struts2 flaw

Apache Struts2 recently announced a vulnerability with path-traversal, allowing attackers to upload files into restricted directories, potentially enabling remote code execution. If a webshell is uploaded to the web root, hackers could gain control of the system.

This flaw appears related to CVE-2023-50164, which was poorly addressed, leading to the current threat. Patching the issue isn’t simple—users must switch to a new Action File Upload mechanism and interceptor, as the old one leaves systems vulnerable.

Public proof-of-concept (PoC) exploits for CVE-2024-53677 have been released, and attackers are actively targeting vulnerable systems. These attempts use PoC code to identify systems that are susceptible to the exploit.

One common attack method involves sending HTTP POST requests to upload a crafted script file, “exploit.jsp,” which contains a basic script to check for the presence of Apache Struts.

Exploit Code Example:

POST /actionFileUpload HTTP/1.1
Host: [honeypot IP address]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive
Content-Length: 222
Content-Type: multipart/form-data; boundary=0abcfc26e3fa0afbd6db1ba369dfcc37
--0abcfc26e3fa0afbd6db1ba369dfcc37
Content-Disposition: form-data; name="file"; filename="exploit.jsp"
Content-Type: application/octet-stream
<% out.println("Apache Struts"); %>
--0abcfc26e3fa0afbd6db1ba369dfcc37--

If the script is successfully uploaded and executed, attackers can then use HTTP GET requests to remotely execute further malicious actions on the compromised system. This exploit highlights the urgency of addressing the vulnerability to prevent unauthorized access.

ISC reports show that current exploit attempts trace back to IP address 169.150.226.162, actively scanning for vulnerable systems. The attacker initially targeted simple URLs, likely searching for other upload vulnerabilities.

Given the severity of the issue, organizations using Apache Struts2 must update systems promptly and transition to the recommended Action File Upload mechanism. Monitoring network traffic for unusual activities is also essential to identify and prevent potential threats.

Organizations must stay vigilant, as cybersecurity threats are constantly evolving. Immediate action and ongoing security reviews are vital to protect web applications.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Hackers exploit Apache Struts2 flaw to upload malware appeared first on First Hackers News.

GH0ST RAT Trojan Targets Chinese Windows Users

In early June, researchers found a malicious campaign targeting Chinese users. Gh0st RAT is spread via Gh0stGambit through a phishing site, chrome-web[.]com. The fake Chrome installer site uses a drive-by download method, delivering both a legitimate Chrome executable and a malicious installer, WindowsProgram.msi, which installs Gh0stGambit.

Gh0st RAT, a long-standing malware from APT27, has been publicly available since 2008. Its command infrastructure was based in China. Written in C++, it has evolved over the years and was used by China-linked cyber espionage groups, including a modified variant in 2018 campaigns.

Gh0stGambit launches a multi-stage attack. It first checks for anti-malware software like Microsoft Defender or 360 SafeGuard and adds its folder to their exclusions. It then connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 to download Gh0st RAT.

The RAT, delivered encrypted as a Registry Workshop, provides remote access, collects information, and includes a rootkit to hide system elements. It can also drop Mimikatz, enable RDP, access Tencent QQ account details, clear Windows logs, and erase data from various browsers.

It’s unusual for malware of this kind to target users in mainland China, as attackers typically avoid domestic targets due to legal risks. However, APT27 has a history of spying on Chinese citizens, both on the mainland and in Taiwan.

Multi-stage, component-based attacks require advanced security software. It should offer robust real-time and database protection, along with network defense capabilities to filter out phishing sites like the one used in this campaign.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Chinese Users Targeted by Gh0st RAT Malware Through Fake Chrome Page appeared first on First Hackers News.