54 Individuals Indicted for Aragua Train ATM Jackpotting Scheme

The U.S. Department of Justice (DoJ) has announced the indictment of 54 individuals for their alleged involvement in an automated teller machine (ATM) “jackpotting” scheme that diverted millions of dollars. The large-scale conspiracy involved the use of Ploutus malware to force ATMs across the country to dispense cash. According to authorities, the defendants are part of the Venezuelan criminal group Tren de Aragua (TdA), which has been designated as a foreign terrorist organization by the US Department of State. ...

December 20, 2025 · Comfidentia

Kimsuky distributes DocSwap malware via QR codes in phishing campaign

North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate South Korean logistics company CJ Logistics to trick victims.

Distribution and Deception Mechanism

The campaign targets users of Android mobile devices using a sophisticated social engineering method. The attack process develops as follows:

Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs.

Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application.

Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources.

DocSwap Malware Technical Analysis

Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities: ...

December 18, 2025 · Comfidentia

Water Saci Threat Actor Evolves Tactics to Deploy Banking Trojan via WhatsApp

The threat actor Water Saci is evolving its tactics, now employing a sophisticated infection chain that uses HTA files and PDFs to propagate a worm. This worm deploys a banking trojan via WhatsApp, targeting users in Brazil. The attackers have shifted from PowerShell to a Python-based variant to spread malware via WhatsApp Web. The new multi-format attack chain uses AI to convert propagation scripts, enabling Water Saci to bypass security controls, exploit user trust, and increase infection rates. Users receive messages on WhatsApp with malicious PDF or HTA attachments, which activate the infection chain and drop a banking trojan. The infection chain involves: ...

December 3, 2025 · Comfidentia

North Korean actors intensify 'Contagious Interview' campaign on npm registry

North Korean threat actors responsible for the “Contagious Interview” campaign have flooded the npm registry with 197 additional malicious packages since last month. According to a Socket analysis, these packages have accumulated more than 31,000 downloads and are designed to distribute a variant of OtterCookie that combines features from BeaverTail and previous versions of OtterCookie.

Infection Mechanism and Malware Capabilities

The malware, once executed, performs various evasion actions, profiles the compromised machine and establishes a command and control (C2) channel. This channel provides attackers with remote shell and data theft capabilities, including: ...

November 28, 2025 · Comfidentia

Sha1-Hulud: Second Wave of npm Supply Chain Attacks Reveals Sabotage Tactics

Multiple security companies have warned of a second wave of attacks affecting the npm registry, reminiscent of the Shai-Hulud attack of September 2025. This new campaign, called Sha1-Hulud, has compromised hundreds of npm packages between November 21 and 23, 2025. According to Wiz researchers, the new variant of the attack executes malicious code during the preinstall phase, significantly increasing exposure in build and runtime environments.

The Evolution of the Sha1-Hulud Attack

The Sha1-Hulud attack shares similarities with the previous wave, which also posted stolen secrets on GitHub under the description “Sha1-Hulud: The Second Coming.” The previous wave was characterized by compromising legitimate packages to search for secrets on developer machines using the TruffleHog credential scanner and propagate in a self-replicating manner. ...

November 24, 2025 · Comfidentia

Cybercriminals Use Browser Notifications to Distribute Malware Through the Matrix Push C2 Platform

A new command and control (C2) platform called Matrix Push C2 is being used by cybercriminals to distribute malware, taking advantage of a legitimate feature of web browsers: push notifications. According to a report by BlackFrog, this malicious platform tricks users with fake system notifications, redirects them to malicious websites, monitors victims in real time, and scans for cryptocurrency wallets.

How Does the Matrix Push C2 Attack Work?

Matrix Push C2 abuses the browser’s push notification system to create a C2 communication channel. The attack process takes place in several stages: ...

November 21, 2025 · Comfidentia

Dragon Breath and Phishing Campaigns Distribute Gh0st RAT to Chinese Users

The cyber threat landscape targeting Chinese-speaking users has intensified with the detection of multiple malware campaigns. Two recent reports highlight the sophistication of threat actors using the Gh0st RAT remote access trojan, a malware known for its versatility. One of the campaigns involves the threat actor known as Dragon Breath (also APT-Q-27 or Golden Eye), which uses a multi-phase loader called RONINGLOADER to deliver a modified variant of Gh0st RAT. Simultaneously, another series of large-scale phishing campaigns have been distributing the same malware. ...

November 19, 2025 · Comfidentia