ALL POSTS

Key Findings An NPM package named 'Lotusbail' with over 56,000 downloads has been stealing WhatsApp credentials and data The package is a fork of the legitimate 'Baileys' WhatsApp Web API library, making it hard to detect It intercepts and exfiltrates user credentials, messages, contacts, and media, encrypting the data with custom RSA before sending it to the attacker The malware also hijacks the WhatsApp device pairing process, secretly linking the attacker's device to the v

Key Findings A new variant of the MacSync Stealer malware has been discovered, which uses a digitally signed and notarized Swift application to bypass macOS Gatekeeper security checks. The malicious application is distributed via a disk image (DMG) named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted on the "zkcall[.]net/download" website. The application is code-signed and successfully notarized by Apple, giving it a veneer of legitimacy and allowing it to run on macOS w

Key Findings: Two malicious Google Chrome extensions named "Phantom Shuttle" have been discovered secretly stealing user credentials from over 170 websites. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. The extensions execute complete traffic interception, operate as man-in-the-middle proxies, and continuously exfiltrate user data to a command-and-control server. Once users make a subscription paymen

Key Findings: A malicious npm package named "lotusbail" has been discovered that poses as a functional WhatsApp API, but actually steals users' messages, contacts, and login tokens. The package has been downloaded over 56,000 times since it was first uploaded in May 2025. The package is designed to capture authentication tokens, session keys, message history, contact lists, media files, and documents, and transmit the stolen data to an attacker-controlled server. The package

Key Findings The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection Background The Kimwolf botnet was f

Key Findings Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy The scale of Infy's current activity is significantly larger than previously assessed The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant Attack chains have evolved from macro-laced documents to embedded execut

Key Findings: A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader. GachiLoader is written in Node.js and deploys a second-stage

Key Findings In August 2025, Kaspersky researchers discovered a new Android banking Trojan dubbed "Frogblight" targeting individuals in Turkey. The malware initially disguised itself as an app for accessing court case files via an official government webpage, but later adopted more universal disguises like the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials and has spyware capabilities to collect SMS message

Key Findings: Sophisticated phishing campaign targeting Russian finance sector, using high-quality social engineering to bypass defenses. Malware dubbed "Phantom Stealer" deployed via malicious ISO files attached to phishing emails. Phantom Stealer equipped with aggressive data-harvesting modules targeting crypto wallets, chat apps, and browser data. Malware includes anti-analysis checks to evade security researchers. Campaign highlights shift towards ISO-based initial access

Key Findings Elastic Security Labs has uncovered a sophisticated new Windows backdoor called NANOREMOTE that leverages the Google Drive API for covert command-and-control (C2) and data exfiltration operations. NANOREMOTE employs legitimate cloud services to blend its malicious traffic with normal network activity, making it extremely difficult for traditional security tools to detect. The malware uses OAuth 2.0 tokens to authenticate with Google's servers and create a covert

Key Findings A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. The malicious repositories, often themed as development utilities or OSINT tools, contain code responsible for silently downloading and executing a remote HTA file. PyStoreRAT is a modular, multi-stage implant that can execute various payloads, including an information stealer known as Rhadamanthys.

Key Findings: A high-severity unpatched security vulnerability in Gogs (CVE-2025-8110) with a CVSS score of 8.7 is under active exploitation, affecting over 700 compromised instances accessible online. The vulnerability allows for file overwrite in the file update API, enabling an attacker to achieve arbitrary code execution through a four-step process. The malware deployed in the attacks is a payload based on Supershell, an open-source command-and-control (C2) framework ofte

Key Findings React2Shell vulnerability (CVE-2025-55182) in React version 19 and React Server Components (RSC) is being heavily exploited by threat actors Exploitation attempts have been observed targeting a wide range of sectors, particularly construction and entertainment industries Attackers are leveraging the vulnerability to deliver cryptocurrency miners and a variety of previously undocumented malware, including: PeerBlight Linux backdoor CowTunnel reverse proxy tunnel Z

Key Findings Trend Micro's AI-driven threat hunting pipeline discovered a previously unknown and undetectable Linux backdoor called "GhostPenguin" GhostPenguin had zero detections on VirusTotal for over four months before being identified The sophisticated, multi-threaded backdoor is written in C++ and uses RC5-encrypted UDP for covert Command and Control (C2) communications Background GhostPenguin was first submitted to VirusTotal on July 7, 2025, but remained completely inv

Key Findings: Cybersecurity agencies in the US and Canada have issued an alert about a new malware called BRICKSTORM, believed to be used by state-sponsored hackers from China. BRICKSTORM is a backdoor that gives attackers stealthy access and control over targeted systems, primarily focusing on VMware vSphere platforms. The hackers have been observed targeting organizations in the Government Services, Facilities, and Information Technology sectors. The malware uses advanced t

Key Findings North Korea-linked actors behind the Contagious Interview campaign have uploaded 197 new malicious npm packages to distribute a new version of the OtterCookie malware. The Contagious Interview campaign, active since November 2023, targets software developers on Windows, Linux, and macOS, with a focus on those working in crypto and Web3. Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and tr

Key Findings North Korean threat actors behind the Contagious Interview campaign have flooded the npm registry with 197 more malicious packages since last month These packages have been downloaded over 31,000 times and are designed to deliver a variant of OtterCookie malware The malware attempts to evade sandboxes and virtual machines, profiles the machine, and establishes a command-and-control (C2) channel to provide the attackers with remote shell access and capabilities to

Key Findings Cybersecurity researchers have discovered a malicious Chrome extension named "Crypto Copilot" that injects hidden Solana transfer fees into Raydium swap transactions. The extension silently appends an extra transfer instruction to each swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The malicious behavior is concealed through obfuscation techniques, and the extension's user interface only shows the legitimate

Key Findings Microsoft Teams' "Guest Access" feature allows attackers to bypass security controls like Microsoft Defender for Office 365, creating a "protection-free zone" for malware delivery. Attackers can easily create basic Microsoft 365 accounts without security features and use them to send phishing links and malware to guest users. A recent Microsoft feature that allows any Teams user to start a chat with any email address makes it even easier for attackers to lure vic

Key Findings CISA has issued an alert warning of threat actors actively using commercial spyware and remote access trojans (RATs) to target users of mobile messaging apps like Signal and WhatsApp. The attackers employ sophisticated social engineering and targeting techniques to deliver spyware and gain unauthorized access to victims' messaging apps, enabling further device compromise. The targeting appears opportunistic but often focuses on high-value individuals such as gove