MAL-2026-5164 Malicious code in @emcd-vue/b2b-pay-form (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform...

New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations NGOs and suspected universities to deliver a newly identified malware family, "LucidRook." LucidRook is a sophisticated stager that embeds a Lua...

New Android SpyAgent Malware Uses OCR to Steal Crypto Wallet Recovery Keys

Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent. The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an...

Living off the land with Bluetooth PAN

TL:DR Bluetooth is enabled by default on the majority of Windows laptops Bluetooth PAN can be used to bridge connections locally between a client laptop and attacking device Attackers can use Microsoft native SSH client to forward out internal network traffic Windows native SSH is accessible to...

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft. The attack chains involve the use of a purported virtual meeting...

Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign

The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control C2 infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or...

Starry Addax targets human rights defenders in North Africa with new malware

Cisco Talos is disclosing a new threat actor we deemed "Starry Addax" targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic SADR cause with a novel mobile malware. Starry Addax conducts phishing attacks tricking their targets into installing malicious Androi...

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor. RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering...

Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants

High-profile government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that's designed to deploy basic backdoors and loaders for delivering next-stage malware. Cybersecurity company Check Point is tracking the activity under the name Stayin' Alive. Targe...

Focus on DroxiDat/SystemBC

Recently we pushed a report to our customers about an interesting and common component of the cybercrime malware set - SystemBC. And, in much the same vein as the 2021 Darkside Colonial Pipeline incident, we found a new SystemBC variant deployed to a critical infrastructure target. This time, the...

Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks

An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control C2 servers are merely active for a single day. What's more, 50% of the servers don't remain active for more than a week, indicating the use of an adaptable and dynamic C2...

SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics

The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features...

MagicRAT: Lazarus’ latest gateway into victim networks

By Jung soo An, Asheer Malhotra and Vitor Ventura. Cisco Talos has discovered a new remote access trojan RAT we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. Lazarus deployed MagicRAT after the...

Suspected DarkHotel APT Activity Update

Suspected DarkHotel APT activity update One Hotel to rule them all, One Hotel to find them, One Hotel to bring them all and in the darkness bind them. By John Fokker · March 17, 2022 This story was also written by Thibault Seret Introduction: Our advanced threat research team has discovered a...

Notorious Emotet Botnet Makes a Comeback with the Help of TrickBot Malware

The notorious Emotet malware is staging a comeback of sorts nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. According to a new report from security researcher Luca Ebach, the infamous TrickBot malware is being...

Russian Turla APT Group Deploying New Backdoor on Targeted Systems

State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan. Cisco Talos attributed the attacks to the Turla advanced persistent threat APT group, coining the malware...

Lemon Duck Cryptojacking Botnet Changes Up Tactics

The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers. That’s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework...

Experts Uncover Malware Attacks Against Colombian Government and Companies

Cybersecurity researchers took the wraps off an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries. In a report published by ESET on Tuesday, the Slovak internet security company said the attacks — dubb...

Sunburst: connecting the dots in the DNS requests

On December 13, 2020 FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting...

Operation North Star: Summary Of Our Latest Analysis | McAfee Blogs

Operation North Star: Summary Of Our Latest Analysis By Trellix · NOV 05, 2020 McAfee’s Advanced Threat Research ATR today released research that uncovers previously undiscovered information on how Operation North Star evaluated its prospective victims and launched attacks on organizations in...