Free Spotify Premium hacks on social media are spreading infostealers

Short-form video platforms like TikTok and Instagram Reels have become the latest way cybercriminals spread malware. We've already seen attackers move away from traditional phishing emails and toward tactics that trick people into installing malware themselves. Now they're being lured with slick...

A week in security (May 25 – May 31)

Last week on Malwarebytes Labs: Payment apps are watching what you say Lock and Code S07E11 Scammers pretending to be Microsoft had help from US executives 700+ education and tech websites hijacked in huge ClickFix malware campaign Fake software on GitHub and SourceForge distribute Deno RAT Fake...

108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control C2 infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary...

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

In this article 1. A wide range of tax-themed campaigns 2. How to protect users and organization against tax-themed campaigns 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise During tax season, threat actors reliably take advantage of the urgency and familiarity of...

Malicious code in nokire-nana76 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5d268b79e41c70b71875b918b4ccf3aeee0dab2d5b788247979cdc91fbf5fc9f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-122866 Malicious code in riana-bakwan94-breki (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 657fb5fe38da756e2e2ab40ac89dc53cfe3fe9590135fbc5be9a46ce77fa8238 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader. Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group...

AI and collaboration tools: how cyberattackers are targeting SMBs in 2025

Cyberattackers often view small and medium-sized businesses SMBs as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as trusted relationship attacks, remain one of the top three methods used to brea...

Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis...

State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns

Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy...

OPSEC Failure Exposes Coquettte's Malware Campaigns on Bulletproof Hosting Servers

A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting BPH provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect.com hosted...

Semrush impersonation scam hits Google Ads

This blog post was co-authored with Elie Berreby, Senior SEO Strategist Criminals are highly interested in online marketing and advertising tools that they can leverage as part of their ongoing malware campaigns. In particular, we have previously detailed how Google advertiser accounts can be...

5 Active Malware Campaigns in Q1 2025

The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments...

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control C2 server, in some cases a fake browser...

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Identity and access management IAM services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential pro...

Microsoft Warns of New Tax Returns Phishing Scams Targeting You

By Waqas About to pay your taxes? Watch out for tax return phishing and malware campaigns targeting individual taxpayers and businesses. This is a post from HackRead.com Read the original post: Microsoft Warns of New Tax Returns Phishing Scams Targeting You...

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth aka Guildma, Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increase...

North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious...

Understanding the Phobos affiliate structure and activity

Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures TTPs, and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019. We...

PT-2023-6942

Name of the Vulnerable Software and Affected Versions Microsoft Windows versions prior to the November 2023 patch Description A security-feature bypass vulnerability in Microsoft Windows SmartScreen allows attackers to bypass security measures, potentially leading to the execution of malicious...