malware

Malicious Infrastructure Finds Stability With Aurologic GmbH

TLDR: aurologic GmbH is a key German hosting provider supporting high-risk networks linked to cybercrime. Established in 2023, it provides services to many threat activity enablers like Aeza Group and Global-Data System, despite increasing scrutiny and sanctions. The company’s operational neutrality raises concerns about accountability in the internet hosting ecosystem, as it facilitates malicious activities while complying legally. Notable downstream customers have been linked to various malware and cybercrime infrastructures, indicating aurologic's significant role in the ongoing challenges of managing malicious online activities.

https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh

Malicious Android Apps on Google Play Downloaded 42 Million Times

Malicious Android apps on Google Play were downloaded over 42 million times between June 2024 and May 2025, with a 67% rise in mobile malware, especially spyware and banking trojans. Shift in cybercriminal tactics towards social engineering-based attacks is noted. The report highlights three significant malware families affecting users: Anatsa (banking trojan), Android Void (backdoor for Android TV boxes), and Xnotice (RAT targeting job seekers). Key advice for users includes applying security updates and using reputable app sources.

https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-google-play-downloaded-42-million-times/

Massive Surge of NFC Relay Malware Steals Europeans’ Credit Cards

NFC relay malware significantly increased in Eastern Europe, with over 760 malicious Android apps identified stealing credit card data. This malware utilizes Android’s Host Card Emulation to capture payment information and perform unauthorized transactions without the card present. It first appeared in Poland and has spread to several countries. Security experts advise Android users to avoid installing risky apps, check permissions, and utilize built-in anti-malware tools.

https://www.bleepingcomputer.com/news/security/massive-surge-of-nfc-relay-malware-steals-europeans-credit-cards/

Compromised YouTube Accounts Distribute Infostealer Malware

A large-scale malware campaign called the “YouTube Ghost Network” exploited over 3,000 malicious YouTube videos, hosted on fake or compromised accounts, to distribute infostealers targeting users seeking pirated software or game hacks. The top targets were Adobe and FL Studio products, with videos guiding users to download files from third-party sites and often to disable Windows Defender. The operation relied on a structure that quickly replaced banned accounts and faked user trust with positive comments. Main infostealers included Lumma, Rhadamanthys, StealC, and Redline. The report highlights the risks of using cracked software and notes the increasing sophistication of such attacks on popular platforms.

https://thecyberexpress.com/compromised-youtube-accounts-infostealer-malware/

Large-Scale Attack Targeting Macs Via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware

TLDR: A large-scale cyberattack targets Mac users through fake GitHub pages impersonating companies, promoting the installation of an infostealer malware called Atomic. The malicious sites use SEO tactics to appear high in search results, redirecting users to download malware after entering commands. LastPass has taken down some fraudulent sites and continues to monitor the situation.

https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages

Lumma Stealer: Breaking Down the Delivery Techniques and Capabilities of a Prolific Infostealer

Lumma Stealer Overview: Lumma Stealer is a sophisticated infostealer malware targeting various industries, utilizing diverse delivery methods including phishing, malvertising, and exploiting legitimate services. Operated as Malware-as-a-Service (MaaS) by threat actor Storm-2477, it facilitates credential theft from browsers and applications, particularly cryptocurrency wallets. Unlike previous variants, it employs multi-vector strategies and adaptive infrastructure to evade detection. Microsoft is actively working to disrupt Lumma's operations, having recently taken down around 2,300 associated domains and providing recommendations for mitigation against this evolving cyber threat.

https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/

Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware

Email campaign distributing Ratty RAT malware exploits legitimate invoicing tactics and geofencing to bypass security. Attackers use a trusted email service and file-sharing platforms, manipulate recipients through social engineering, and employ Ngrok for covert links. Targeting mainly Italy, the campaign exemplifies advanced evasion strategies and challenges conventional detection systems. Fortinet provides protections, urging users to stay vigilant against such phishing threats.

https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware

CISA and FBI Warn Fast Flux Is Powering Resilient Malware, C2, and Phishing Networks

CISA and FBI warn that “fast flux” technique aids malware, C2, and phishing networks by obscuring malicious server locations through rapid DNS record changes. It's a persistent network security threat, complicating tracking and blocking by authorities. Recommended countermeasures include blocking malicious IPs and domains and enhancing monitoring.

https://thehackernews.com/2025/04/cisa-and-fbi-warn-fast-flux-is-powering.html

Malware Is Harder to Find When Written in Obscure Languages

Malware authors are increasingly using obscure programming languages like Delphi and Haskell to evade detection. Researchers found that using less common languages complicates static analysis, making malware harder to identify and analyze. While C and C++ remain prevalent, many threat groups now employ diverse languages and compilers to obscure malicious code. This shift makes automated detection less effective, as unique signatures are harder to create for various programming languages, leading to greater challenges for security analysts. More focus on these lesser-used languages in security measures is necessary.

https://www.theregister.com/2025/03/29/malware_obscure_languages/

FBI Warnings Are True—fake File Converters Do Push Malware

FBI warns fake online document converters distribute malware, including ransomware, targeting users' sensitive information. Cybercriminals create deceptive sites mimicking legitimate converters. Victims report scams to IC3, leading to malware like Gootloader, causing serious breaches. Not all converters are harmful, but users should research before using them.

https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/

Microsoft Trusted Signing Service Abused to Code-sign Malware

Microsoft's Trusted Signing service is exploited by cybercriminals to code-sign malware using short-lived three-day certificates. These signed executables can bypass security filters. Criminals prefer this method due to easier access compared to Extended Validation certificates. Microsoft monitors and revokes misuse of their signing service, citing active threat intelligence measures.

https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/

New XCSSET Malware Adds New Obfuscation, Persistence Techniques to Infect Xcode Projects

New XCSSET malware variant enhances techniques for infecting Xcode projects, employing improved obfuscation, persistence methods, and novel infection strategies. This modular macOS malware targets developers via their Xcode projects, using encoded payloads and enhanced scripting for stealth. Its modular design enables complex multi-stage infections, focusing on stealing user information and while remaining difficult to detect. Mitigation includes using updated OS versions, inspecting Xcode projects, and employing Microsoft Defender for security against threats.

https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/

DeepSeek Lure Used To Spread Malware

DeepSeek malware campaign exploits the popularity of the DeepSeek AI chatbot, using look-alike domains to mislead users into executing malware. This includes techniques such as clipboard injection via a fake CAPTCHA page, leading to the installation of the Vidar information stealer. Key concerns raised include the increased risk of data theft and the need for organizations to enforce security measures around generative AI tools.

https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware

Microsoft Spots XCSSET macOS Malware Variant Used for Crypto Theft

Microsoft has identified a new variant of the XCSSET macOS malware targeting sensitive user information for crypto theft. This updated malware features improved obfuscation, persistence methods, and novel infection techniques, typically spread via contaminated Xcode projects. Key modifications include sophisticated encoding methods, persistent payload behaviors, and the ability to manipulate Xcode project settings. Microsoft recommends users verify their Xcode projects to prevent potential compromises.

https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos-malware-variant-used-for-crypto-theft/

Hacker Infects 18,000 “script Kiddies” With Fake Malware Builder

Hacker infects 18,000 “script kiddies” globally with fake malware builder, a trojanized XWorm RAT, which steals data and controls infected systems. The malware was spread through various platforms and included a kill switch, but many systems remain compromised. Security researchers disrupted the botnet using a mass uninstall command. Users are warned against trusting unsigned software from other criminals.

https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/

Scroll to Top