malware

Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer

A new variant of Atomic macOS Stealer (AMOS) is being distributed through malicious OpenClaw skills, exploiting AI agentic workflows to trick users into installing the malware. The malware, disguised as a harmless skill, uses a fake dialogue box to request the user’s password and then exfiltrates sensitive data, including Apple and KeePass keychains, user documents, and system information. TrendAI™ Managed Detection and Response (MDR) customers are protected from this threat.

https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html

Fake Zoom Meeting “Update” Silently Installs Surveillance Software

Fake Zoom meeting website installs surveillance software, Teramind, on Windows without user consent. Visitors encounter a fraudulent Zoom interface that prompts an automatic update, leading to malicious file download. The stealthily installed software monitors user activity without knowledge, resembling legitimate business surveillance tools. Users are advised not to open suspicious files from the site and to check for unauthorized installations. This exploit illustrates the rising trend of attackers using legitimate software for illicit purposes.

https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software

Facebook Ads Spread Fake Windows 11 Downloads That Steal Passwords and Crypto Wallets

Malicious Facebook ads mimicking Microsoft promote fake Windows 11 downloads, leading users to download malware instead of updates. This malware stealthily collects passwords and cryptocurrency data. It employs sophisticated evasion techniques, targeting regular users while avoiding detection by security systems. If affected, users should avoid logging in to accounts, scan their devices, change passwords on a secure device, and take precautions with any financial information. Security teams are advised to block phishing domains and monitor for specific malware signatures.

https://www.malwarebytes.com/blog/scams/2026/02/facebook-ads-spread-fake-windows-11-downloads-that-steal-passwords-and-crypto-wallets

Android Malware Taps Gemini to Navigate Infected Devices

Android malware named PromptSpy employs generative AI (Gemini) for adaptive navigation on infected devices. It mainly functions to deploy remote access via VNC, utilizing natural language prompts to interact with user interfaces, enhancing the malware's versatility across different devices. Developed by Chinese speakers, PromptSpy is still largely theoretical, with no live telemetry reports from ESET, but suspected distribution domains hint at potential real-world application. The malware can intercept security codes, record screens, and prevent uninstallation, indicating a disturbing evolution in Android threats.

https://www.theregister.com/2026/02/19/genai_malware_android/

Infostealer Malware Found Stealing OpenClaw Secrets for First Time

Infostealer malware has been detected stealing sensitive data from OpenClaw, an AI assistant framework, marking a new trend in targeting personal AI configurations. The stolen files include API keys and login information, with a potential full compromise of victims' digital identities. Hudson Rock identified the malware as having similarities to the Vidar infostealer. As OpenClaw gains traction, its configuration files, containing sensitive authentication secrets, are increasingly being targeted by cybercriminals.

https://www.bleepingcomputer.com/news/security/infostealer-malware-found-stealing-openclaw-secrets-for-first-time/

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft revealed a new ClickFix attack utilizing nslookup for malware staging. Attackers trick users into running DNS lookups to retrieve malicious payloads, circumventing security measures by having victims infect their own machines. This technique has evolved into various forms and leverages DNS traffic as a stealthy method of signaling to malicious infrastructure. The attack can lead to further malware deployment, including remote access trojans and information stealers, particularly targeting both Windows and macOS users amidst rising incidents of cryptocurrency theft.

https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html

As Ransomware Recedes, a New More Dangerous Digital Parasite Rises

Ransomware declines as “sleeperware” ascends: Picus Labs' report shows a shift from ransomware to stealthy malware that remains dormant until opportune moments, focusing on data theft rather than system disruption. This change reflects a significant drop in ransomware incidents, prompting new cybersecurity strategies.

https://www.zdnet.com/article/sleeperware-malware-sneaks-waits-ransomware-decline/

Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

Malicious Chrome extensions, including CL Suite, are stealing sensitive data from Meta Business Suite users. These extensions exfiltrate TOTP codes, Business Manager analytics, and contact lists to attackers' servers. Other threats include over 500,000 VKontakte account hijackings and 32 AI-themed extensions that siphon user credentials. These attacks emphasize the growing misuse of browser extensions for data theft, prompting recommendations for cautious installation practices and regular audits.

https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html

LummaStealer Is Getting a Second Life Alongside CastleLoader

TLDR: LummaStealer, a prominent info-stealer malware, resurfaces alongside CastleLoader after law enforcement disruptions. It primarily spreads via social engineering tactics, tricking users into executing malware through fake software or media downloads. CastleLoader enhances LummaStealer's distribution, employing in-memory execution and heavy obfuscation. The partnership suggests shared infrastructure between both malware, posing severe privacy risks by harvesting sensitive data like credentials and financial information.

https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader

WSL in the Malware Ecosystem

WSL (Windows Subsystem for Linux) enables running a Linux environment on Windows, allowing developers and cybersecurity workflows to leverage Linux tools. It poses security risks, as malware can exploit WSL by checking for its presence and executing commands. An infostealer trojan, “ottercookie-socketScript-module-3.js,” utilizes WSL to access the Windows filesystem and obtain user information.

https://isc.sans.edu/diary/rss/32704

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan

New Clickfix variant ‘CrashFix' uses social engineering to deploy Python Remote Access Trojan. It disrupts browsers, luring users into executing malicious commands after a deceptive browser extension installation. Attackers exploit native OS utilities to bypass defenses, emphasizing the need for behavior-based detection and user awareness. The model connects to C2 servers to gather information and maintain future access, highlighting evolving attack techniques. Organizations are urged to enable cloud protection and restrict unnecessary outbound access to mitigate risks.

https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/

From Magic to Malware: How OpenClaw’s Agent Skills Become an Attack Surface

TLDR: OpenClaw presents security risks as its agent skills access sensitive data through markdown files that can disguise harmful commands. Instances of malware disguised as “skills” have been identified, posing threats to corporate devices. Users are warned against using OpenClaw on work devices, emphasizing the importance of security measures for skill registries and agent frameworks to prevent exploitation.

https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface

Notepad++ Hijacked by State-Sponsored Hackers

Notepad++ was hijacked by state-sponsored hackers, likely Chinese, compromising update traffic from June to December 2025. The former hosting provider confirmed the server was breached, allowing attackers to redirect Notepad++ updates. All security vulnerabilities were addressed by December 2, 2025, and the site was migrated to a more secure host. Users are advised to download v8.9.1, which includes security enhancements, and manual updates. No specific indicators of compromise were found during the investigation.

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Spyware Maker Is Hijacking Diplomatic Efforts to Limit Commercial Hacking, Civil Society Warns

Civil society alleges NSO Group, a spyware manufacturer with a history of human rights violations, is using diplomatic initiatives like the Pall Mall Process to rehabilitate its image despite reports of abuses. While NSO claims engagement in reining in spyware misuse, officials from France and the UK affirm they did not invite NSO's participation. Critics stress that NSO's history, including targeting journalists and activists, undermines its claims of responsible governance, while calls for exclusion from future negotiations are growing amid concerns over accountability and transparency.

https://therecord.media/spyware-maker-pall-mall-process-reputation

Scroll to Top