Tag

Malware

All articles tagged with #malware

AI-assisted Arkanix Stealer: a fleeting dark-web info-stealer experiment
technology, 2 days ago

Kaspersky researchers say Arkanix Stealer, promoted on dark-web forums in Oct 2025, was likely an AI-assisted, short-lived information-stealer project with Python and native C++ versions, a Discord community, and a referral scheme. It could harvest browser data (including OAuth2 tokens), cryptocurrency wallet data, and credentials from Telegram and Discord, plus local-file exfiltration and modular plugins. The premium variant added anti-sandbox/anti-debugging checks, RDP credential theft, and post-exploitation tooling such as ChromElevator to bypass browser protections. The operation’s unclear purpose points to rapid, low-cost AI-driven malware development rather than a sustained campaign; Kaspersky has published IoCs.

PromptSpy Uses Gemini AI to Permanently Bind Itself to Android’s Recent Apps
technology, 4 days ago

Researchers identify PromptSpy as the first Android malware to leverage Google’s Gemini AI to analyze on-screen UI and issue step-by-step instructions that pin the app to the recent apps list, making it hard to uninstall. The malware can capture lockscreen data, take screenshots, and record video, and uses a built-in VNC module and accessibility services to enable remote access and ongoing data collection, including PINs and screen content, via a hard-coded C2. It is distributed via mgardownload.com masquerading as JPMorgan Chase (MorganArg), appears aimed at Argentina, and is not on Google Play; Chinese-language strings hint at its development context.

PromptSpy: Android malware harnesses AI at runtime to harden persistence
technology, 5 days ago

Researchers from ESET describe PromptSpy, the first Android malware to run a generative AI model (Google Gemini) at runtime to adapt its persistence across devices. The malware uses Gemini to receive JSON instructions via screen data (UI elements, coordinates) and perform actions to pin itself in the Android Recent Apps list, executing via Accessibility Service. It also includes a VNC module for remote control, enabling data exfiltration, screen recording, and real-time surveillance such as intercepting PINs, recording unlock gestures, and capturing screenshots. It even overlays invisible UI elements to hinder uninstallation. It’s unclear whether PromptSpy is a proof-of-concept or in the wild, but distribution appears limited and tied to a domain used for initial drops. The case highlights how AI can enable dynamic, real-time modification of malware behavior.

AI Assistants Turned Stealthy Malware Relays for C2 Traffic
technology, 6 days ago

Researchers show that AI assistants like Grok and Microsoft Copilot can be abused as covert command-and-control relays for malware, directing the AI to fetch attacker-controlled URLs and relay results back via WebView2, potentially bypassing safeguards; Microsoft acknowledges the risk and recommends defense-in-depth to block infections and limit post-compromise activity.

AI Chat Assistants Could Serve as Stealthy Malware C2 Relays
cybersecurity, 7 days ago

Cybersecurity researchers warn that AI assistants with web-browsing capabilities (such as Microsoft Copilot and xAI Grok) can be hijacked as stealthy, bidirectional command-and-control relays. By feeding crafted prompts, attackers can issue commands to a compromised host and exfiltrate data via trusted AI services, effectively turning living-off-trusted-sites (LOTS) into C2 channels and enabling AI-assisted malware operations and real-time evasion, without requiring API keys.

DNS-Driven ClickFix: nslookup-based staging delivers Windows malware payloads
technology, 10 days ago

Microsoft reveals a new DNS-based variant of the ClickFix social-engineering tactic that tricks users into running commands via the Windows Run dialog to perform a DNS lookup against a hard-coded external server. The Name: field of the lookup output becomes the second-stage payload, followed by a ZIP download from azwsappdev[.]com that leads to a Python script, a VBScript launcher for ModeloRAT, and persistence through a startup LNK. The campaign’s broader ecosystem includes loaders and stealers (CastleLoader, Lumma Stealer, RenEngine Loader, Hijack Loader) across Windows and macOS, leveraging fake CAPTCHA pages, social-engineering lures, and aged domains to blend into normal traffic and evade detections.

Google warns a billion Android users to upgrade for security
technology, 18 days ago

Google says about 40% of Android devices are vulnerable to new malware: 42.1% no longer receive security updates and only 7.5% run the latest Android 16. With 57.9% on Android 13 or newer, fragmentation leaves roughly a billion users exposed, prompting a recommendation to upgrade to a phone running Android 13+ to get monthly security patches (Play Protect supports older devices too).

ClawHub OpenClaw Case: 341 Malicious Skills Steal Data
technology, 22 days ago

Security researchers found 341 malicious skills in ClawHub’s OpenClaw marketplace out of 2,857 analyzed, linked to the ClawHavoc campaign that pushes a macOS data-stealer via fake prerequisites and staged installers, exfiltrating API keys and credentials. Attackers use a GitHub installer flow, obfuscated scripts, and a C2 server (91.92.242.30) to fetch payloads, highlighting supply-chain-like risks in open-source AI tooling. OpenClaw has added a reporting feature to auto-hide disputed skills after multiple reports, while researchers warn about memory-based, delayed-execution attacks enabled by persistent AI agent state.

Google halts large-scale IPIDEA residential proxy network tied to malware
security, 25 days ago

Google Threat Intelligence Group and partners disrupted IPIDEA's large residential proxy network, seizing domains and exposing trojanized Android apps and Windows binaries that turned devices into exit nodes used by thousands of threat groups for credential theft, account takeovers, and DDoS. IPIDEA operated about 19 brands under a two-tier C2 with ~7,400 second-tier servers. Google Play Protect now blocks IPIDEA SDKs; no arrests have been reported, and users should avoid dubious free VPN/proxy apps.

WinRAR CVE-2025-8088 Seized by State and Criminal Actors After Patch
technology, 27 days ago

Google’s Threat Intelligence Group reports active exploitation of WinRAR CVE-2025-8088 by both state-backed and financially motivated actors, even after a patch (WinRAR 7.13, July 30, 2025). The flaw is used for initial access via a path-traversal method that drops a malicious LNK in the Windows Startup folder/ADS, with campaigns tied to RomCom/UNC4895, UNC2596 (Cuba ransomware), Sandworm, Gamaredon, Turla, and a China-based actor delivering Poison Ivy, deploying payloads such as SnipBot, AsyncRAT, and XWorm and even browser extensions for Brazilian banking sites. The widespread activity underscores an active underground market for exploits and persistent defense gaps, with a separate flaw CVE-2025-6218 also being exploited by multiple groups.

Fake Moltbot VS Code Extension Delivers Stealth Remote-Access Backdoor
technology, 28 days ago

Security researchers flagged a fake Moltbot AI coding assistant extension for Visual Studio Code that auto-runs on launch, fetches payloads from malicious domains, and installs a remote-access backdoor (via ScreenConnect) with a DLL sideloading fallback, highlighting broader Moltbot misconfigurations and credential exposure across deployments.

Malicious AI Extensions for VS Code Steal Code and Report to China
technology, 29 days ago

Security researchers uncovered two VS Code extensions marketed as AI coding assistants—ChatGPT-中文版 and ChatMoss—that secretly siphon every opened file and edits to China-based servers, with about 1.5 million total installs; the same spyware runs in both extensions and can exfiltrate up to 50 files on command, plus a hidden iframe loads Chinese analytics SDKs for device fingerprinting. The report also highlights six zero-day flaws in JavaScript package managers (PackageGate) affecting npm, pnpm, vlt, and Bun, with npm declining to fix them; guidance emphasizes vetting packages, disabling lifecycle scripts, and enforcing strong token and 2FA practices to secure the software supply chain.

17 Malicious Browser Extensions Spanning Firefox, Chrome, Edge Exposed
security, 1 month ago

Security researchers at LayerX disclosed 17 malicious browser extensions across Firefox, Chrome and Edge that were downloaded more than 840,000 times and could stay active for years. Mozilla and Microsoft have removed them from official stores; users who installed any should uninstall immediately. The GhostPoster campaign used steganography to hide code and delayed execution to cloak malicious actions, including rewriting HTTP headers, hijacking affiliate traffic, injecting scripts for click fraud and user tracking, auto-solving CAPTCHAs, and granting attackers extended control. Notable extensions included Google Translate in Right Click and Translate Selected Text with Google, with Urban VPN Proxy cited as another high-risk example.

Don’t Fall for the ‘you’re hacked’ browser scareware in Chrome or Safari
technology, 1 month ago

Security experts warn that pop-ups claiming your device is hacked—common in Chrome and Safari—are a form of scareware designed to scare you into paying, installing dubious software, or divulging credentials. Do not click any buttons in the warning. Instead, close the tab, run a trusted antivirus, update your browser and OS, and protect yourself with pop-up blockers and safe browsing habits. If in doubt, verify alerts through official security sources rather than following in-page prompts.

Untold Credential Hoard Exposed: 149 Million Logins Leaked Across Major Platforms
technology, 1 month ago

A security researcher found an unsecured database containing about 149 million usernames and passwords from services including Gmail, Facebook, Yahoo, Netflix, and more. The data, accessed without authentication and likely compiled by infostealing malware, was hosted on a Canadian provider and expanded over a month before being removed after notification. The breach enables potential account takeovers and identity theft across email, social media, streaming, banking, and government services. Experts advise using unique passwords with a password manager, enabling multi-factor authentication, and monitoring accounts for suspicious activity.