How the Attacks Unfolded -Zestix Infostealer

Researchers link the activity to a threat actor known as Zestix, also operating under the alias Sentap. The actor accessed cloud storage platforms such as ShareFile, Nextcloud, and OwnCloud, affecting around 50 organizations.

The impacted companies span sectors including aviation, healthcare, finance, defense, and government services. In several cases, attackers were able to access and extract large volumes of sensitive data.

The attacks typically start when employees unknowingly download malicious files that install infostealer malware such as RedLine, Lumma, or Vidar. These programs silently collect saved credentials and browser data from infected systems.

The stolen information is later aggregated into underground databases. The attacker then searches these datasets for corporate cloud credentials and uses them to gain unauthorized access to enterprise environments.

Researchers found that the main weakness was not an advanced exploit, but the lack of multi-factor authentication. Without MFA in place, attackers were able to access systems using only stolen usernames and passwords, some of which had been exposed in infostealer logs for years.

The impact of the breaches is significant. An engineering firm supporting U.S. utilities lost sensitive infrastructure data, while a robotics company exposed defense-related design files.

An airline also saw internal maintenance and safety documents leaked. In another case, health records and personal data tied to Brazilian military personnel were exposed, totaling several terabytes of sensitive information.

How Credentials Are Stolen and Abused

The attacks follow a simple but effective flow that makes them hard to stop if basic controls are missing.

• An employee downloads what looks like a normal file or software update from email or the web.
• An infostealer runs quietly in the background, often blending into legitimate system activity.
• The malware collects saved passwords and session data from browsers, password managers, and apps like email or collaboration tools.
• The stolen data is encrypted and sent to attacker-controlled servers.
• Attackers search through large credential dumps to find logins tied to corporate systems such as cloud storage and business platforms.

This method is dangerous because it is cheap, scalable, and easy to repeat. Access to corporate accounts is then sold on underground forums, allowing multiple attackers to reuse the same stolen credentials.

Many organizations were compromised not due to a lack of training, but because multi-factor authentication was not enforced across critical systems.

The fix is simple but urgent: enable MFA everywhere it matters and actively monitor for exposed credentials before they are used by attackers.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Infostealers Lead to Cloud Account Compromises appeared first on First Hackers News.

A fake npm package called “@acitons/artifact” had already reached 206,000 downloads before it was removed. This package looked almost identical to the real “@actions/artifact” package. The attacker simply swapped two letters — “ti” became “it” — hoping developers would mistype the name and install the wrong package.

How the Attack Worked

Veracode discovered six versions of the malicious package. Each one had a post-install script that ran automatically after installation.

This script downloaded hidden malware that antivirus tools could not detect at the time — it showed zero detections on VirusTotal.

The malware used an obfuscated shell script compiled with the Shell Script Compiler (shc). When executed, it restarted itself, changed environment variables, and then ran a hidden Node.js package containing an obfuscated file called “verify.js.”

The script was designed to check for GitHub-specific environment variables, meaning the attack was aimed directly at GitHub Actions workflows.

The malware was built to target only specific GitHub repositories. It quietly exited unless the repository owner matched the attacker’s chosen targets — including GitHub itself.

More importantly, the malware attempted to steal authentication tokens from the build environment. With these tokens, attackers could publish fake artifacts that looked like they came from GitHub, putting developers and downstream users at serious risk of a wider supply chain attack.

The attackers showed a high level of planning. Each malicious file had a built-in expiry date, causing it to stop working after a certain time. One sample expired on November 6 (UTC), and another expired the following day.

This indicates the campaign was designed to run only for a short period to avoid detection. GitHub later identified the malicious activity, and the involved GitHub accounts have since been removed.

The stolen data was sent out through encrypted channels. The malware first downloaded an AES encryption key from a remote command-and-control server and then used it to send encrypted information to a GitHub App–based endpoint. This made it even harder to trace the attacker’s real infrastructure.

Veracode quickly reported the malicious package to npm, which led to its removal. Customers using Veracode Package Firewall were protected immediately once the threat was analyzed.

Researchers also found and blocked 12 additional versions of another malicious package called “8jfiesaf83”, released earlier in November by the same attacker.

This incident highlights the increasing danger of supply chain attacks, now listed as the third most serious security risk in the OWASP Top 10 for 2025.

It also shows that typosquatting is still a highly effective method for compromising CI/CD pipelines and stealing sensitive authentication tokens.

Organizations using GitHub Actions should carefully review their dependencies and add extra security checks before installing any packages.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post npm Package With 206K Downloads Steals GitHub Tokens appeared first on First Hackers News.

Symantec has detected this threat and provides protection through multiple security measures. The malware is identified using adaptive detection indicators such as ACM.Ps-Base64!g1, ACM.Ps-Http!g2, ACM.Ps-Wscr!g1, and ACM.Wscr-Ps!g1.

VMware Carbon Black blocks related threats and enforces policies to prevent suspicious programs from running while using cloud scanning for added security.

Symantec’s email security products and Email Threat Isolation (ETI) technology offer an extra layer of protection against email-based attacks.

File-based detection tools, including CL.Downloader!aat171 and ISB.Downloader!gen80, help identify and stop malware. Machine learning models like Heur.AdvML.B further enhance threat detection by identifying advanced threats.

Web-based protection is also in place, with WebPulse-enabled products blocking access to malicious domains and IPs.

Recommendation

• Avoid downloading images or files from untrusted sources.
• Security tools like Symantec and VMware Carbon Black can help prevent infections.
• Regularly update systems with the latest security patches.
• Use advanced threat detection tools to identify hidden malware.
• Understanding these tactics can help protect sensitive information.

The post New malware uses JPEG files to hide and spread infostealers appeared first on First Hackers News.

This infostealer can gather private information from the Chrome browser, similar to a few other strains like Lumma, Vidar, and Meduza. Security experts must stay informed about emerging threats like PureLogs in today’s landscape.

PureLogs Infostealer

In 2022, PureLogs was first sold on underground markets and has since been advertised on various forums. It also has a site on the clearnet that redirects users to a Telegram bot for sales inquiries. Pricing starts at $99 for one month, making it one of the cheapest infostealers available.

The author also sells other tools, including a cryptocurrency miner, clipboard replacement tools, a DDoS botnet, and a covert Virtual Network Computing client.

According to the Flashpoint Intel Team, PureLogs works in three phases

1. First Stage: This is the loading and execution phase.
2. Second Stage: This phase runs anti-sandbox tests and sets up network configurations before loading the final infostealer.
3. Third Stage: This contains the actual infostealer code.

PureLogs collects the following information:

• Browsing data
• Extensions from Chrome, Edge, and Opera
• Cryptocurrency wallet applications
• Desktop applications
• Information about the victim’s machine

PureLogs can extract folders, files by extension, or by name and location. It can also download and execute additional payloads from a remote URL.

Users can choose to send the stolen data to Telegram, which includes victim details, stolen data amounts, captured screenshots, and downloadable log files.

To protect against this threat, security teams need immediate access to comprehensive threat intelligence.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post PureLogs, a low-cost infostealer, is targeting Chrome browsers appeared first on First Hackers News.

Hackers use fake AI editor websites to trick users into providing personal information, downloading malware, and paying for fraudulent services.

Fake AI Editor 

The threat actor promotes fake photo editing sites through sponsored ads. When users download software from these sites, they inadvertently install a tool that, while appearing harmless, is actually embedded with malicious code. This allows hackers to control the users’ devices remotely, enabling them to deploy credential stealers or access valuable data.

Threat actors send phishing messages to social media page admins, using personalized links or Facebook’s open redirect URLs to appear legitimate. Once they access the accounts, they post malicious ads linking to fake AI photo editor sites.

These platforms mimic real services like Evoto but actually distribute endpoint management software.

The campaign has generated notable traffic, with about 16,000 downloads for the Windows version and 1,200 hits on a non-functional macOS version, showing its broad reach and effectiveness in deceiving users.

Victims’ devices are unknowingly enrolled in ITarian’s remote management system, disguised as a photo editor MSI package. This setup allows full control without using obvious malicious components.

Two key actions occur:

1. A Python script downloads and runs Lumma Stealer, encrypted with PackLab Crypter.
2. Another script disables Microsoft Defender scans for the C: drive.

Lumma Stealer then communicates with its command and control server via POST requests to receive a base64 encoded configuration. This configuration directs the stealer to target and exfiltrate social media credentials and other sensitive data.

Recommendations for protecting against fake AI editor scams:

1. Verify Sources: Only download software from official and trusted sources. Be cautious of links from unsolicited emails or social media ads.
2. Check URLs: Ensure that the URL of the website is legitimate and not a lookalike or misspelled version of a real site.
3. Use Security Software: Keep your antivirus and anti-malware software up to date to detect and block malicious downloads.
4. Enable Browser Security Features: Use browser extensions or settings that warn you about potentially dangerous sites and downloads.
5. Be Cautious with Permissions: Avoid granting excessive permissions to software or apps that request more access than necessary.
6. Educate Yourself and Others: Stay informed about common phishing tactics and scams to better recognize and avoid them.
7. Report Suspicious Activity: Report any suspicious ads or websites to the relevant platforms or authorities to help prevent others from falling victim.
8. Regularly Update Software: Ensure that your operating system and applications are up-to-date with the latest security patches.

The post Beware: Fake AI Editor Stealing Logins appeared first on First Hackers News.

INFOSTEALER SPREADS IN FAKE ADOBE READER 

The recent attack campaign, identified by ASEC Intelligence Center, initiates with email spam containing a PDF attachment. The content of these messages is in Portuguese, indicating a specific targeting of Brazil and Portugal.

Within the PDF file, users encounter a pop-up prompt urging them to install Adobe Reader under the guise of document access necessity. It’s worth noting that modern web browsers are capable of handling PDFs efficiently regardless of complexity.

Upon following the document’s instructions, a file named Reader_Install_Setup.exe is downloaded. This file masquerades as a legitimate installation file for Adobe Reader, complete with a replicated icon, further complicating the deception. However, running the file, which is actually a loader, initiates the execution of the malware.

However, this process doesn’t occur immediately. The malware executes a series of actions to perform DLL hijacking and run the final payload with maximum privileges. Initially, it spawns an executable file and drops a DLL containing the actual payload, then initiates the msdt.exe process. Interestingly, msdt.exe is a legitimate Windows diagnostics tool that the malware leverages to invoke a subordinate service.

The command used to invoke MSDT, specifically its Bluetooth Diagnostic tool, is as follows:

C:\Windows\SysWOW64\msdt.exe” -path “C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml” -skip yes

This service subsequently loads the malicious DLL mentioned earlier. This DLL, in turn, executes the aforementioned executable file, thereby legitimizing the infostealer and granting it maximum privileges.

While the malware employed in the campaign seems to be unique and not affiliated with any known malware families, its functionality is hardly unconventional. This infostealer follows a typical pattern: it collects basic system information, sends it to the command server, and creates a directory to store the gathered data.

Additionally, the malware adds this directory to the list of Microsoft Defender exclusions to avoid detection. Furthermore, it disguises itself by mimicking the legitimate Chrome folder, adding a fake executable file and other files typical of a genuine browser folder.

The C2 servers used by some of the samples confirm the attack targeting hypotheses mentioned earlier. Both hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive AutoFill data from all browsers. Although this is less than what modern infostealers typically gather, it’s still significant, as browsers store almost all of our passwords.

Recommendation

To protect against infostealer malware, follow these essential security practices:

1. Keep Software Updated: Ensure all software, including operating systems, browsers, and security applications, are regularly updated with the latest patches and security fixes to address known vulnerabilities.
2. Use Reliable Security Software: Install reputable antivirus and anti-malware software on all devices and keep them up-to-date to detect and prevent infostealer infections.
3. Exercise Caution with Email Attachments: Be cautious when opening email attachments, especially from unknown or suspicious senders. Verify the legitimacy of attachments before downloading or opening them.
4. Avoid Clicking on Suspicious Links: Refrain from clicking on links in emails, messages, or websites from untrusted sources. Hover over links to verify their destination URLs before clicking.
5. Implement Strong Passwords: Use strong, unique passwords for all accounts and enable two-factor authentication (2FA) wherever possible to add an extra layer of security.
6. Educate Users: Educate users about the risks of downloading files from unknown sources, clicking on suspicious links, and sharing sensitive information online.
7. Enable Firewall Protection: Activate firewalls on all devices to monitor and block unauthorized network traffic, preventing malicious programs from accessing your system.
8. Regularly Back Up Data: Regularly back up important files and data to an external storage device or cloud service. In the event of a malware infection, you can restore your data without paying ransomware demands.
9. Implement Web Filtering: Use web filtering tools or services to block access to malicious websites and prevent users from inadvertently downloading malware.
10. Stay Informed: Stay updated on the latest cybersecurity threats and trends by monitoring reputable security blogs, forums, and news sources.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Adobe Reader Infostealer Spreads Through Email in Brazil appeared first on First Hackers News.

PHEMEDRONE STEALER CAMPAIGN EXPLOITS CVE-2023-36025

Researchers from Trend Micro discovered a malware campaign exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. The campaign is associated with the Phemedrone Stealer, capable of extracting various sensitive data.

The infection chain starts with cloud-hosted malicious URL files, frequently camouflaged through URL shorteners. When executed, these files leverage CVE-2023-36025 to initiate the download of the malware.

The campaign focuses specifically on social media, where hackers distribute URL files disguised as innocent link shortcuts. Clicking on these links triggers a call to the GitHub repository, retrieving the necessary shellcode to download and execute the payload. While targeting social media for fraudulent activities is not novel, the use of URL files enhances the efficacy of the trick. Essentially serving as a lockpick, they simultaneously bypass user trust, spam filters, and system protection.

CVE-2023-36025: A GATEWAY FOR CYBERCRIMINALS

In summary, CVE-2023-36025 is a critical vulnerability impacting Microsoft Windows Defender SmartScreen, enabling attackers to circumvent security warnings and checks through manipulation of Internet Shortcut (.url) files.

Despite Microsoft’s patch released on November 14, 2023, cybercriminals have actively exploited this vulnerability, resulting in its inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

In the Phemedrone campaign, cybercriminals employ advanced evasion tactics by incorporating a control panel item (.cpl) file to evade Windows Defender SmartScreen. Ordinarily, users should receive a warning upon clicking the URL shortcut. However, the use of a specially crafted file variant bypasses this protection, allowing for the execution of malicious downloads in the background.

Additionally, the campaign exploits a few other well-known weaknesses in Windows, with a particular focus on vulnerabilities within the Windows Control Panel binary.

Phemedrone Stealer is disseminated through cloud hosting and URL shorteners, exploiting CVE-2023-36025 via .url file trickery. Evading Windows Defender SmartScreen, attackers use a .cpl file and MITRE ATT&CK technique T1218.002. The malware employs a DLL loader calling Windows PowerShell to download a loader from GitHub. The second-stage loader, Donut, operates in memory, targeting various applications and services to pilfer sensitive information.

The malware gathers system information, compressing it into a ZIP file using MemoryStream and ZipStorage classes. Following this, it verifies the Telegram API token and transmits the compressed data to the attacker through the SendMessage and SendZip methods. The SendZip method utilizes an HTTP POST request to compress the data into a document and forward it to the Telegram API.

Mitigation Steps

1. Keep your OS, apps, and security solution updated to stay protected against evolving cyber threats.
2. Exercise caution with Internet Shortcut (.url) files, especially from unverified sources, to avoid potential malware gateways. Verify the legitimacy of URLs before opening them.
3. Implement advanced security solutions with real-time monitoring to detect and neutralize malware, providing an extra layer of protection against potential threats.

IOCS

SHA256
f32964087462ba3c96a87ee8387f89de8fa605f2f5bb84cb5f754cd736683f2d
5f1a027f1c1468f93671a4c7fc7b5da00a3c559a9116f5417baa6c1f89550d9f
c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66
a841cd16062702462fdffdd7eef9fc3d88cde65d19c8d5a384e33066d65f9424
815b2125d6f0a5d99750614731aaad2c6936a1dc107a969408a88973f35064c0
ccd19ef6e81e936fc944ebafaefd2ad99ccd11dd15fbc7d3460726bb38237595
ea9b0dee3b7583ce60bba277e2189acb660284abf6b3b9273b6a60c85b0a5ce3
9a96406ae06b703d827fffd1f1ced0781f89ca2af6d5041721e9fbd2647c8430
22236e50b5f700f5606788dcd5ab1fb69ee092e8dffdd783ac3cab47f1f445ab
1433efd142007ce809aff5b057810f5a1919ea1e3ff740ff0fcc2fc729226be5
ad513d2cba6cc82a50ee6531b275e937480d8fee20af2b4f41da5f88e408a4e9
7c0a1e11610805bd187ef6e395c8fa31c1ae756962e26cdbff704ce54b9e678a
4ae28a44c38edc516e449ddd269b5aa9924d549d763773dcd312b48fe6bb91ab
c9743e7ffb6f6978f08f86e970ddb82e24920d266b32bd242254fbf51abfe6ce
c3bfaa1f52abdbb673d83af67090112dfdfe9ea8ff7a613f62bd48bace205f75
6bd8449de1e1bdd62a86284ed17266949654f758e00e10d8cd59ec4d233c32e5
4446d5b475ce8aed5244da917ae42b6cb9744ffc4efd766af8e4dee7dd5a3e19
70c23213096457df852b66443d9a632e66816e023fdf05a93b9087ffb753d916
69941417f26c207f7cbbbe36ce8b4d976640a3d7f407d316932428e427f1980b
e2d19a23b19a07d35d16990e78c5cfaa3dd97b9ce92201f4db18a7da95fe6ff8
b7f53c507a1aa4254b66a883285e27b42d65ea4ea4206fe674e0d03738f52141
4ae28a44c38edc516e449ddd269b5aa9924d549d763773dcd312b48fe6bb91ab
c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66
f24a8b3144e89b9bececfbf76add87ddefbd19a024a85692026e97f3a9911902
e64b185c149cb523d13cb46ea3911e2c0595b6f10ae86e6a14b15e8d45c0cdcb
cb58bf466675be9e11cfb404503cb122514f47b9708d033e381f28a60535812c
80f88566fda41ebc1b4e35d89748a804740bba0d03049c33c536cffd5e0491e2
4a36cc607ca5c2acc536510fd1b0ddd43a9403dac168d2420d474611909ed9e6
89caa1568fcff162086dae91e6bd34fd04facba50166ebff800d45a999d0be8b
188c72f995ebd5e1e8d0e3b9d34eeeec2ec95d4d0fee30d2ea0f317ab1596eef
e326c1b9e61cca6823300158e55381c6951b09d2327a89a8d841539cad3b4df3
4da33c7fe62f71962913d7b40ff76aff9f1586e57db707b3d6b88162c051f402
ff44e502bd5ea36e17b3fc39b480e65971b36002f27fb441e4acadd6bf604a20
b7980f64f892d70b1cd72a8c80f8319f50c3c410aba4e4bc63fd6494bcb4f313
480fae3bdc2604cba846779dd7dced95b3ce036bdef629ded247771a2e4d5d58
348aea633c99e5f6a0ac7b850961be0a145a35678e5bd074b4852f7a2419f518
1c53dffcb4c474a2b08708609466e7d234d6d51139b6532af54fac5bb8d37415
b37ec923451dd15a0f68df0b392b0f1b243fe50c709de9e574ac14cf6fabdd53
f2814a4b3796fb44045c33b9d0d9972bf40478e5bc74b587486900c6cfa02f3d
5f1a027f1c1468f93671a4c7fc7b5da00a3c559a9116f5417baa6c1f89550d9f
8b73d7aa8bb8db8a9ecbf9f713934fbbb5caf4745d7a61a6f34a100c4d84fd9d
9b9ba722b314febfc44919551a03dde1539f115333183c2cb5e74b8e644ba5b3
568b4b868b225f06bb34da0dc23603c9dedccc2b319353407c814983d5322563
5ecad303475e180f8879871d8571d1a7eeb99e0b3c63cc77fdd02cb9b8c51211
d5b1214f1817a16b2bc8a76daa48c9a3c5af0e411cf4f0c17b0e364d437a454b
5f0ff1fd6ca89a0ddd3178e023dea8f79ff3c3f3d8ff7900378eb014e83ed326
40c6fa38e44e00d8cf113d0a079cd46f8b7654331f12e50d2af5a9f1ddc6d266
3a34cd3a3221d83a1cca8913b2afbb5b780027d48b44d3ce15dfe4a402064871



URLs
hxxps[://]raw[.]githubusercontent[.]com/nateeintanan2527/Joyce_Data/main/DATA3[.]txt
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1175808264479449138/DocuSign3[.]url?ex=656c93c7&is=655a1ec7&hm=6e8b316f2112cfaf27bc8cf35089098e4a0f2d16054e8d199c13588c31b2e383&
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1177255995156742144/DocuSign4[.]url?ex=6571d815&is=655f6315&hm=f9e208714ffc862f97cb6363fb887f11fda0020802a020a56a571c4195114854&
hxxps[://]shorturl[.]at/ixEZ7
file[://]51[.]79[.]185[.]145/pdf/data4[.]zip/pdf4[.]cpl
hxxp[://]51[.]79[.]185[.]145/pdf/kay[.]zip/kay[.]cpl
hxxp[://]51[.]79[.]185[.]145/pdf/data2[.]zip/pdf2[.]cpl
hxxp[://]51[.]79[.]185[.]145/pdf/
hxxps[://]shorturl[.]at/flEK5
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1167767477921513512/SecureDocuSign_pdf[.]url?ex=654f5336&is=653cde36&hm=08ea24126262ff865a1ab0c79f20e41e9e53896d9cda8e0c374c077f5a500b00&
hxxps[://]shorturl[.]at/vzAD2
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1170627585105997854/DocuSign2[.]url?ex=6559bae5&is=654745e5&hm=ab8a5d275414768c20bd9a8a0e434c4b8fe7c0bd8006c3b5f69cc80b7fe57cb1&
hxxps[://]shorturl[.]at/bsuCR
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1170627584627855481/DocuSign1[.]url
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1170627584627855481/DocuSign1[.]url?ex=6559bae5&is=654745e5&hm=acf93c3a4f79068689d20d197ac297533dc28d94bb93f4ec1021c7c258c8dbda&
file[://]51[.]79[.]185[.]145/pdf/data1[.]zip/pdf1[.]cpl
file[://]51[.]79[.]185[.]145/pdf/data2[.]zip/pdf2[.]cpl
hxxps[://]shorturl[.]at/flEK5
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1167767477921513512/SecureDocuSign_pdf[.]url?ex=654f5336&is=653cde36&hm=08ea24126262ff865a1ab0c79f20e41e9e53896d9cda8e0c374c077f5a500b00&
file[://]51[.]79[.]185[.]145/pdf/data[.]zip/docusign_pdf[.]cpl
hxxps[://]shorturl[.]at/clpIO
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1171355007245893653/DocuSignDocument[.]url?ex=655c605c&is=6549eb5c&hm=2aeb65239a890e6b070957136681600ca33584e578816faeab471a5e11004538&
file[://]51[.]79[.]185[.]145/pdf/data3[.]zip/pdf3[.]cpl
hxxps[://]shorturl[.]at/eqxU0
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1175808264479449138/DocuSign3[.]url?ex=656c93c7&is=655a1ec7&hm=6e8b316f2112cfaf27bc8cf35089098e4a0f2d16054e8d199c13588c31b2e383&
file[://]51[.]79[.]185[.]145/pdf/kay[.]zip/kay[.]cpl
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1177255994775064717/kay[.]url?ex=6571d815&is=655f6315&hm=5edd3e4b0cc773a06fe9f1a8177f99239a105079f23eb7707c225be4867160df&
hxxps[://]shorturl[.]at/dMY69
hxxps[://]cdn[.]discordapp[.]com/attachments/853270434422456330/1184415259717533726/My_Photo_Album[.]url
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1177255995156742144/DocuSign4[.]url?ex=6571d815&is=655f6315&hm=f9e208714ffc862f97cb6363fb887f11fda0020802a020a56a571c4195114854&
hxxps[://]shorturl[.]at/ixEZ7
hxxps[://]cdn[.]discordapp[.]com/attachments/853270434422456330/1183676616564547624/image_reported[.]url?ex=658933c1&is=6576bec1&hm=b60477e0a798182a1dc0ea65def7305b111ce06a398667a1c567b3f9afd253b2&
file[://]51[.]79[.]185[.]145/pdf/data2[.]zip/pdf2[.]cpl
hxxps[://]shorturl[.]at/oORV9
file[://]51[.]79[.]185[.]145/pdf/data3[.]zip/pdf3[.]cpl
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1172211288303206400/DocuSign3[.]url?ex=655f7dd5&is=654d08d5&hm=26a68927b4c05c243d910f3a5ebcf2c6ec43bcb7f460acd45891b3b21b308cdc&
hxxps[://]cdn[.]discordapp[.]com/attachments/853270434422456330/1176802586481922098/image_reported[.]url
hxxps[://]shorturl[.]at/gnL15
hxxps[://]cdn[.]discordapp[.]com/attachments/1083311514368360519/1170627585680609280/DocuSign3[.]url
hxxps[://]shorturl[.]at/dKOR6
hxxps[://]github[.]com/nateeintanan2527/Joyce_Data[.]git
hxxps[://]github[.]com/nateeintanan2527/Data_Document[.]git
hxxps[://]raw[.]githubusercontent[.]com/nateeintanan2527/Joyce_Data
hxxps[://]raw[.]githubusercontent[.]com/nateeintanan2527/Data_Document

IP
51[.]79[.]185[.]145

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Windows SmartScreen Bypass Exploited by Information Stealer appeared first on First Hackers News.

In August, a multinational law enforcement initiative named Operation Duck Hunt successfully infiltrated the servers of the QakBot admin, meticulously mapping out the botnet’s infrastructure.

Upon obtaining the botnet’s encryption keys, which were crucial for malware communication, the FBI seized control and deployed a customized Windows DLL module to compromised devices. This DLL executed a command that effectively terminated the QakBot malware, leading to the successful disruption of the entire botnet.

All about the return of Qbot malware

Microsoft has issued a warning about QakBot’s resurgence in a phishing campaign masquerading as an email from an IRS employee. The observed attack, initially targeting the hospitality sector, was first detected on December 11th.

The email disguises itself as a PDF file resembling a guest list with a message stating “Document preview is not available.” Subsequently, it urges the user to download the PDF for proper viewing. However, upon clicking the download button, recipients unwittingly download an MSI file. Upon installation, this MSI file activates the Qakbot malware DLL, injecting it into the system’s memory.

On the very day the phishing campaign commenced, December 11th, Microsoft reveals that the DLL was generated. It operates under the campaign code ‘tchk06’ and connects to command and control servers at 45.138.74.191:443 and 65.108.218.24:443.

Microsoft tweeted, “Most notably, the Qakbot payload delivered is configured with the previously unseen version 0x500,” underscoring the malware’s ongoing evolution.

Security researchers Pim Trouerbach and Tommy Madjar have independently verified that the distributed Qakbot payload is indeed a new iteration, featuring some minor modifications.

According to Trouerbach, there are slight modifications in the latest QakBot DLL, such as the use of AES for decrypting strings instead of XOR, as seen in the previous version.

Additionally, Trouerbach suggests that the new version is likely still in development, citing the presence of some unusual bugs.

While it is too soon to tell if Qbot will have trouble regaining its former size, admins and users need to be on the lookout for reply-chain phishing emails that are commonly used to distribute the malware.

Before executing downloaded files from the internet, it’s advisable to scan them using your antivirus (AV) tool. Most modern security tools are equipped to detect the old threat, even if its authors have implemented evasion-enhancing refinements in the code.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Qbot malware resurfaces in a new campaign focusing on the hospitality sector. appeared first on First Hackers News.

This incident led to the proliferation of the Remcos Remote Access Trojan (RAT) malware and marked the ascent of Formbook as a dominant malware strain, following the decline of Qbot.

What is Formbook?

Formbook is a type of malware, specifically a form-grabber and keylogger, that is designed to steal sensitive information from infected computers. It primarily targets Windows operating systems.

It is known for its ability to capture data entered into web forms, such as login credentials, credit card information, and other personal details, as well as keystrokes made by the user.

It’s worth highlighting that in August 2023, the FBI successfully intervened to disrupt Qbot, which also goes by the names Qakbot and Pinkslipbot, after it had infected 700,000 computers globally.

However, despite this intervention, a recent report by the Cisco Talos Intelligence Group has unveiled that the threat actors behind Qbot are still active. They have shifted their focus to distributing a fresh malware variant called Ransom Knight.

In September, Check Point found a major phishing campaign in Colombia targeting 40+ prominent businesses, aiming to silently install Remco’s RAT on victim computers.

In September, Remcos was the second most prevalent malware, known for its sophistication and full control over infected systems, leading to serious consequences like data theft, additional malware infections, and account takeovers.

Maya Horowitz, VP of Research at Check Point Software, emphasized the need for cyber resilience in the face of aggressive evasion techniques employed by hackers in the Colombian campaign.

The Official Global Threat Index for September highlighted a notable reshuffling of the malware rankings, with Formbook, an Infostealer targeting Windows operating systems, claiming the leading position, impacting organizations across the globe at a rate of 3%.

Initially identified in 2016, the Formbook data-stealing malware has garnered attention as a service (Malware as a Service – MaaS) within underground hacker communities, owing to its formidable evasion techniques and affordable pricing. Its functionalities encompass extracting certificates from web browsers, taking screenshots, recording keystrokes, and executing files upon the attacker’s directives.

The most notable shift in the malware landscape occurred with Qbot’s exit from the top malware rankings. In August, the FBI seized control of the Qbot network, effectively ending its prolonged dominance as the most prevalent malware for much of 2023.

Nevertheless, considering that the group behind Qbot remains active and has started disseminating new malware, the significance of disrupting the malware’s infrastructure may have been somewhat mitigated.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Formbook is a highly prevalent malware strain appeared first on First Hackers News.

This malicious software has been linked to the activities of the Stealth Falcon APT hackers, also known as Project Raven or FruityArmor, a state-affiliated hacking group based in the United Arab Emirates (UAE).

Stealth Falcon hackers have been targeting activists, journalists and dissidents for nearly a decade.

During the LABScon cybersecurity conference, ESET researcher Filip Jurčacko unveiled a comprehensive analysis of a recently discovered malware and its method of infecting devices running the Windows operating system.

Deadglyph backdoor malware

While ESET currently lacks information regarding the precise initial infection method, there is a suspicion that a malicious executable file, potentially an installer, may be involved.

Conversely, the company has successfully uncovered the majority of components within the infection chain. The sequence of events in the Deadglyph backdoor malware’s loading chain commences with a registry shellcode loader (DLL).

This loader extracts code from the Windows registry to activate the executor (x64) component, subsequently initiating the Orchestrator (.NET) components.

Only the original component exists on the disk of the compromised system, as a DLL file, thus minimizing the possibility of detection.

ESET reports that the loader is designed to retrieve encrypted shellcode from the Windows Registry, a measure taken to increase the complexity of analysis.

Given that the DLL component is stored in the file system, it is more susceptible to detection. Consequently, hackers employed an attack homoglyph technique within the VERSIONINFO resource, utilizing distinct Greek and Cyrillic Unicode characters to imitate Microsoft information and create the illusion of a legitimate Windows file.

“We detected a homoglyph attack impersonating Microsoft Corporation in the VERSIONINFO resource of this and other PE components“, explains ESET.

The Executor component is responsible for loading AES-encrypted configurations for the backdoor, initiating the .NET runtime on the system, and subsequently loading the .NET component of the backdoor, serving as its library.

Ultimately, the Orchestrator assumes responsibility for communicating with the Command and Control (C2) server. In the event that the backdoor is unable to establish contact with the C2 server within a predefined timeframe, it activates a self-removal mechanism to deter security researchers from analyzing it.

The Deadglyph malware deployed by the Stealth Falcon hackers is highly modular, enabling it to fetch new modules from the C2 server. These modules contain diverse shellcodes designed to be executed by the Executor component.

In essence, this modularity grants cybercriminals the ability to craft new modules tailored to their specific attack objectives, which can subsequently be deployed to victims to carry out additional malicious actions. These capabilities encompass a range of activities such as file operations, executable file loading, Token Impersonation access, and encryption and hashing operations.

ESET’s assessment suggests the existence of between nine to fourteen distinct modules; however, a comprehensive analysis of all these modules remains pending.

One of the modules functions as an information collector, supplying the Orchestrator component with the following data about the compromised system:

1. Operating system
2. Network adapters
3. Installed software
4. Drives
5. Services
6. Drivers
7. Processes
8. Users
9. Environmental variables
10. Security software

Even though ESET has disclosed only a limited subset of the malware’s functionalities, it is evident that the Deadglyph backdoor malware, employed by the Stealth Falcon hackers in cyber espionage operations, poses a significant and substantial threat.

Regrettably, due to the lack of comprehensive information regarding the initial infection method, providing precise defense strategies against the malware is currently unfeasible. At present, system defenders can depend on the published Indicators of Compromise (IoCs) detailed in the ESET report as their primary resource for protection.

Backdoor malware is highly dangerous, enabling cybercriminals to control systems, steal personal data, or incorporate them into botnets. These attacks are hard to detect and treat. Protecting against them demands a proactive cybersecurity approach, with software updates, robust data protection, and staying vigilant to new cybercriminal tactics.

The post Stealth Falcon hackers are using the new Deadglyph malware appeared first on First Hackers News.