Cyber-spies suspected of connections with China have infected "dozens" of computers belonging to Russian government agencies and IT providers with backdoors and trojans since late July, according to Kaspersky.  The Russia-based security biz claimed the malware used in the ongoing, targeted attacks, called EastWind, has links to two China-nexus groups tracked as APT27 and APT31. 

After gaining initial access to their victims' devices via phishing emails, the attackers used various cloud services

Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla, Formbook, and Remcos RAT.  Some of the other regions targeted by the campaigns include Italy and Romania.  Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data.

See:  https:/

DEV#POPPER is a social engineering campaign that has been tracked recently by the Securonix Threat Research team.  Social engineering is a topic we have covered many times, but ultimately what it boils down to is that social engineering attacks are generally geared towards tricking victims into compromising themselves.  With that in mind, the primary target for the DEV#POPPER campaign appears to be software developers who are looking for work. 

Job interviews can be an effective cover for socia

A sophisticated Brazilian banking Trojan uses a novel method to hide its presence on Android devices.  A multi-tooled Trojan cuts apart Brazil's premier wire transfer app.  Could similar malware do the same to Venmo, Zelle, or PayPal?

"PixPirate" is multipronged malware specially crafted to exploit Pix, an app for making bank transfers developed by the Central Bank of Brazil. Pix makes a good target for Brazil-nexus cybercriminals since, despite being hardly three years old, it is already integr

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.  Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL). "In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Def

Recently identified Xenomorph Android banking trojan samples show an expanded target list that now includes North American users.  Initially detailed in February 2022 and likely linked to the infamous banking trojan Alien, Xenomorph relies on overlays to steal users’ personal and login information.  It can also intercept notifications and SMS messages to bypass two-factor authentication.

See:  https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-04-20-2023

The mal

A China-based cyber actor group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019.   The threat actor, Fangxiao, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017.  Fangxiao targets businesses in multiple verticals, including retail, banking, travel, and energy.  The offers promised financial or physical incentives are used to trick victims into further sprea

Cyber threat researchers have identified some of the most prolific mobile banking Trojans that have targeted 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.  Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official

An emerging information-stealing malware, sold and distributed on underground Russian underground forums has been written in Rust, is signaling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.  Rust is a multi-paradigm, high-level, general-purpose programming language designed for performance and safety, especially safe concurrency.  Rust is syntactically similar to C++ b

The old trick of using a Trojan horse to deceive is still in vogue and using cyber as the lure.  A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords, and other information from victims.  Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts t

A specially crafted update created by Germany's Bundeskriminalamt (BKA) federal police agency created and pushed the uninstall update.  European law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world.  Emotet was thought to be the world's largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a coordinated takedown of Emotet infrastructur

Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.  Also known as Bread, the Joker Trojan was first observed in 2017 when it was originally focused on SMS fraud.  Joker is a malware Trojan that targets Android users. It was packaged in at least two dozen applications that were downloaded from Google Play store over 400,000 times. The main p

IcedID, also known as Bokbot is a banking trojan and information stealer and can be used as an entry point for subsequent attacks, such as manually operated ransomware for high-value targets. It is typically proliferated using another trojan called Emotet, which is often distributed using spam email campaigns. Human-operated ransomware attacks are increasingly common and require the attacker to sit at the keyboard and orchestrate the attack, in contrast to an automated attack.

Microsoft is warni

Ransomware continues to create havoc for organizations of all types and the problem only seems to be getting worse every year. Cyber threat defenders across every type of targeted organization, including government agencies and private businesses - would do well to have more effective defenses in place.  Such defenses would ideally include organizations proactively looking for known ransomware attackers' tactics, techniques and procedures. That kind of threat hunting can help defenders spot atta

A recently identified malvertising campaign targeting mobile and other connected devices users makes heavy use of obfuscation and cloaking to avoid detection. Named LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users. Since December 2020, it penetrated over 10 Demand Side Platforms (DSP), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada. 

According to security vendor Media Trust, the malware checks for a global variable ‘

Brazil is known for its pristine beaches, nightlife, hot dancing, and of course - The Girl from Ipanema.  A recently uncovered Brazilian banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges, and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky.  A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a contradiction.  Viruses can execute and r

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by Kaspersky.  Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth operation. Distribution was never c

A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself. 

The malware, named Jupyter by its finders at Israeli security firm Morphisec, has been active since at least May 2020, but it escaped detection by most antivirus software until last week; partly because unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a syst

The number of attacks related to Emotet continue to spike after the dangerous botnet re-emerged over the summer with a fresh phishing and spam campaign that is primarily infecting devices with a banking Trojan, according to new research from HP-Bromium, an end-point security company.

Emotet is a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active, deemed one of the most prevalent threats of 2019. First versions o

Hackers are using a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), via Microsoft Word documents containing malicious Visual Basic Application (VBA) macro code, according to a recent Department of Homeland Security (DHS) Cybersecurity and Infrastructure alert (CISA). 

First observed in 2014, the malware was linked to several campaigns tied to North Korea. There are also significant links in code with the NOKKI malware family and researchers possess some evidence that link