1025 matches found
Lumma/Amadey: fake CAPTCHAs want to know if you’re human
Attackers are increasingly distributing malware through a rather unusual method: a fake CAPTCHA as the initial infection vector. Researchers from various companies reported this campaign in August and September. The attackers, primarily targeting gamers, initially delivered the Lumma stealer to...
Threat landscape for industrial automation systems, Q2 2024
Statistics across all threats In the second quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.9 pp from the previous quarter to 23.5%. The percentage has decreased by 3.3 pp compared to the second quarter of 2023, when the indicator reached it...
An AI gateway designed to steal your data
A significant proportion of cyberincidents are linked to supply chain attacks, and this proportion is constantly growing. Over the past year, we have seen a wide variety of methods used in such attacks, ranging from creation of malicious but seemingly legitimate open-source libraries or delayed...
Coruna: the framework used in Operation Triangulation
Introduction On March 4, 2026, Google and iVerify published reports about a highly sophisticated exploit kit targeting Apple iPhone devices. According to Google, the exploit kit was first discovered in targeted attacks conducted by a customer of an unnamed surveillance vendor. It was later used b...
Following the digital trail: what happens to data stolen in a phishing attack
Introduction A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a...
Signal in the noise: what hashtags reveal about hacktivism in 2025
What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research...
Forensic journey: hunting evil within AmCache
Introduction When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time o...
Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers
Introduction In this article, we explore how the Model Context Protocol MCP — the new "plug-in bus" for AI assistants — can be weaponized as a supply chain foothold. We start with a primer on MCP, map out protocol-level and supply chain attack paths, then walk through a hands-on proof of concept:...
Modern vehicle cybersecurity trends
Modern vehicles are transforming into full-fledged digital devices that offer a multitude of features, from common smartphone-like conveniences to complex intelligent systems and services designed to keep everyone on the road safe. However, this digitalization, while aimed at improving comfort an...
Scammers mass-mailing the Efimer Trojan to steal crypto
Introduction In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient's domain name infringed on the sender's rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script als...
Code highlighting with Cursor AI for $500,000
Attacks that leverage malicious open-source packages are becoming a major and growing threat. This type of attacks currently seems commonplace, with reports of infected packages in repositories like PyPI or npm appearing almost daily. It would seem that increased scrutiny from researchers on thes...
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
Update 25.06.2025: Apple removed the malicious app from the App Store. In January 2025, we uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims' crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a...
From cause to cash: a cross-border look at hacktivist activity
While tracking the activities of 4BID we uncovered a new string of campaigns that appear to be the work of several interconnected actors. While politically motivated groups generally limit their scope to specific nations – for 4BID and its peers, primarily Russian and occasionally Belarusian...
Free real estate: GoPix, the banking Trojan living off your memory
Introduction GoPix is an advanced persistent threat targeting Brazilian financial institutions' customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automate...
To buy or not to buy: How cybercriminals capitalize on Black Friday
The global e‑commerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global e‑commerce is projected to grow by 7–9% annually through 2040. At Kaspersky, we track how this surge in...
Inside the dark web job market
In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active. So, what does this job...
Blockchain and Node.js abused by Tsundere: an emerging botnet
Introduction Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created...
The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts
Introduction Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team GERT investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered...
Financial cyberthreats in 2025 and the outlook for 2026
In 2025, the financial cyberthreat landscape continued to evolve. While traditional PC banking malware declined in relative prevalence, this shift was offset by the rapid growth of credential theft by infostealers. Attackers increasingly relied on aggregation and reuse of stolen data, rather than...
PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations
Introduction Back in 2024, we gave a brief description of a complex cyberespionage campaign that we dubbed "PassiveNeuron". This campaign involved compromising the servers of government organizations with previously unknown APT implants, named "Neursite" and "NeuralExecutor". However, since its...
How we trained an ML model to detect DLL hijacking
DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the numbe...
Detecting DLL hijacking with machine learning: real-world cases
Introduction Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the mode...
Shai Hulud 2.0, now with a wiper flavor
In September, a new breed of malware distributed via compromised Node Package Manager npm packages made headlines. It was dubbed "Shai-Hulud", and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malwa...
Post-exploitation framework now also delivered via npm
Incident description The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In spring of 2025, the framework was first observed being used for malicious means. In October...
How attackers adapt to built-in macOS protection
If a system is popular with users, you can bet it's just as popular with cybercriminals. Although Windows still dominates, second place belongs to macOS. And this makes it a viable target for attackers. With various built-in protection mechanisms, macOS generally provides a pretty much end-to-end...