malware

The Kimwolf Botnet Is Stalking Your Local Network

TLDR: The Kimwolf botnet has infected over 2 million devices globally, primarily Android TV boxes with poor security, enabling distribution of malicious traffic and DDoS attacks. It spreads via residential proxy networks, exploiting vulnerabilities to access and compromise local devices. Key issues stem from devices being sold with Android Debug Bridge mode enabled, allowing unauthorized access. Users are advised to avoid these devices, use guest networks for visitors, and stick to reputable brands to enhance security.

https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/

Researchers Spot New Shai Hulud Variant

Security researchers at Aikido discovered a new variant of the Shai Hulud malware, likely in the beta stage, uploaded to npm through a GitHub repository. This variant includes modifications to the initial file, main payload, and improved error handling for TruffleHog. The Shai Hulud campaign, first identified in September, involves self-propagating attacks on npm JavaScript packages, data harvesting, and data transmission to attackers’ repositories.

https://www.databreachtoday.com/researchers-spot-new-shai-hulud-variant-a-30409

27 Malicious Npm Packages Used as Phishing Infrastructure to Steal Login Credentials

27 malicious npm packages were discovered in a phishing campaign targeting U.S. and allied organizations, primarily in sales and commercial sectors. The campaign utilized these packages to host phishing infrastructure, mimicking document-sharing portals and Microsoft sign-in pages, to steal login credentials from their targets. Attackers embedded client-side scripts to avoid detection and included checks to filter out bots. Notably, the campaign hard-coded specific email addresses of individuals in targeted firms, raising concerns about the source of this information. To mitigate risks, strong dependency verification, logging unusual CDN requests, enforcing phishing-resistant multi-factor authentication, and monitoring for suspicious activities are recommended.

https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

New MacSync Stealer Malware Attacking macOS Users Using Digitally Signed Apps

New MacSync Stealer malware targets macOS users via digitally signed apps, operating silently unlike older versions. Disguised as a legitimate installer, it steals sensitive information after installation. The malware can bypass macOS security due to being signed with Apple’s Developer ID. Researchers noted a shift from requiring user action to automated processes, complicating detection. Following its identification, the malicious ID was reported and revoked by Apple.

https://cybersecuritynews.com/new-macsync-stealer-malware/

8 Million Users’ AI Conversations Sold for Profit by “Privacy” Extensions

TLDR: Over 8 million users' AI conversations have been harvested and sold for profit by the Urban VPN Proxy extension, which secretly captures data from platforms like ChatGPT and Claude. Despite claiming privacy, the extension transmits sensitive information to servers without user consent. It has passed Google’s reviews, misleading users about its data practices. Users are advised to uninstall it immediately to protect their private conversations.

https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection

Android Mobile Adware Surges in Second Half of 2025

Android adware surged in late 2025, with detections nearly doubling and malicious threats becoming more organized. Cybercriminals shifted from simple scams to sophisticated frameworks, employing tools like MobiDash and Triada for ongoing data theft and fraud. Users should prioritize mobile security by using trusted app stores, scrutinizing permissions, avoiding sideloaded apps, and employing real-time security software.

https://www.malwarebytes.com/blog/mobile/2025/12/android-threats-in-2025-when-your-phone-becomes-the-main-attack-surface

Most Parked Domains Now Serving Malicious Content

TLDR: Most parked domains now redirect to malicious sites, with over 90% leading to scams or malware, reversing a decade-old trend. Researchers at Infoblox found that users typing in expired or misspelled domains face increased risks, especially from residential IP addresses, which leads to deceptive content. Malicious redirects are linked to typosquatting domains mimicking popular sites, exposing users to potential malware and scams.

https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/

The AMOS Infostealer Is Piggybacking ChatGPT’s Chat-sharing Feature

Cybercriminals are spreading the AMOS (Atomic MacOS Stealer) infostealer using convincing Google ads and ChatGPT’s chat-sharing feature. Victims are directed to a legitimate-looking chatgpt.com page showing a fake guide to installing the non-existent Atlas browser for macOS. The guide instructs users to run a terminal command, which downloads malware, steals passwords, browser, and wallet data, and installs a persistent backdoor. Users are advised to avoid running terminal commands from untrusted sources, use trusted security solutions, and seek expert advice if instructions seem suspicious.

https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/

Malicious VSCode Extensions on Microsoft’s Registry Drop Infostealers

Two malicious extensions in Microsoft's Visual Studio Code Marketplace, named Bitcoin Black and Codo AI, infect developers' computers with malware that can steal credentials, screenshots, and cryptocurrency. Codo AI appears as an AI assistant, while Bitcoin Black masquerades as a color theme. Both can execute harmful scripts and have been flagged by antivirus engines. Microsoft has since confirmed their removal from the marketplace. Developers are advised to only install extensions from reputable sources.

https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/

How Attackers Use Real IT Tools to Take Over Your Computer

Attackers are exploiting legitimate Remote Monitoring and Management (RMM) tools, like LogMeIn Resolve, to gain remote access to victims' computers without traditional malware. By disguising these tools as common software, they evade security measures. Users are advised to download software from official sources, verify file signatures, and stay informed about social engineering tactics.

https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer

AI Malware: Hype Vs. Reality

AI Malware currently operates at low maturity levels (AIM3 Levels 1-3), mainly assisting existing attack methods rather than enabling fully autonomous threats. Claims of advanced AI malware often stem from limited research demos with unclear impacts. No confirmed instances of fully embedded AI malware exist; most rely on external models. Defenders should focus on monitoring legitimate AI service abuse and strengthening existing controls, rather than reacting to exaggerated scenarios of AI threats.

https://www.recordedfuture.com/blog/ai-malware-hype-vs-reality

4.3 Million Browsers Infected: Inside ShadyPanda’s 7-Year Malware Campaign

4.3M Browsers Infected by ShadyPanda Malware: A seven-year campaign leveraged malicious browser extensions infecting 4.3 million Chrome and Edge users. ShadyPanda employed a phased strategy, transitioning from affiliate fraud to spyware. Initially, they disguised malicious extensions as legitimate tools, then progressively escalated operations to include remote code execution and comprehensive data surveillance. The extensions, some Google-verified, captured and exfiltrated extensive user data, exploiting marketplace oversight flaws. Despite termination of some extensions, others remain active with significant surveillance capabilities, highlighting systemic security vulnerabilities in extension marketplaces.

https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

Scroll to Top