A highly sophisticated Brazilian banking trojan named TCLBANKER, tracked under the campaign REF3076, this malware represents a major update to the older Maverick and SORVEPOTEL families.

It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via WhatsApp and Microsoft Outlook.

The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.

By using a technique known as DLL side-loading, the hackers trick the legitimate Logitech application into loading a malicious file instead of its normal system components. Once activated, this hidden loader takes control of the system to prepare the next stages of the attack.

TCLBANKER is carefully built to hide from security researchers. Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt, keeping the malware completely hidden from automated security scanners.

TCLBANKER Malware Targets Users

Once the malware confirms it is on a real victim’s machine, it launches the main banking trojan.

This tool continuously monitors the user’s web browser to detect whether the user visits one of 59 targeted banks, financial technology platforms, or cryptocurrency websites. When a match is found, the malware connects to a remote server.

To steal passwords, the trojan uses full-screen overlays built with Microsoft’s Windows Presentation Foundation. These overlays cover the entire screen and look exactly like real banking prompts or official Windows Update screens.

They freeze the desktop, block keyboard shortcuts such as the Windows key or Escape, and turn off screen-capture tools so the victim cannot record the fraud. The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

What makes TCLBANKER incredibly dangerous is its ability to spread automatically. The first worm module targets WhatsApp Web. The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts.

Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data. It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim’s contacts. Because the messages come from a trusted friend, new victims are highly likely to download the file.

Elastic Security Labs has uncovered that the second worm module focuses on email. It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim’s email account.

The bot searches the address book and inbox to harvest contacts. It then drafts completely new phishing emails and sends them from the infected user’s actual email address. This technique easily bypasses standard email security filters because the emails originate from a legitimate, trusted source.

All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses.

The hackers also host their malicious files on Cloudflare, making the download links look safe to the average user. Researchers note that this campaign is still in its early stages, suggesting that the threat actors are likely preparing to expand their targets.

To protect against TCLBANKER, organizations should look for unusual background processes spawned by Logitech applications.

Security teams must monitor for unauthorized browser profile cloning and watch for unusual spikes in outbound emails from Microsoft Outlook. Using advanced endpoint protection that detects unauthorized full-screen overlays is also essential to keeping systems safe from this evolving threat.

IoC

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules appeared first on Cyber Security News.

A data breach at GFN.AM, an authorized NVIDIA GeForce NOW cloud gaming service provider operating under “GFN CLOUD INTERNET SERVICES” LLC, has exposed personal information belonging to registered users.

The company disclosed the incident on May 5, 2026, revealing that unauthorized access to its database occurred as far back as March 9, 2026, nearly two months before discovery.

The breach was first detected on May 2, 2026, leaving a roughly 54-day window during which threat actors may have had access to user records.

GFN.AM confirmed that the unauthorized party gained access to its backend database, allowing sensitive user data to be exfiltrated or viewed by third parties.

Critically, only users registered on or before March 9, 2026, are affected. The incident did not impact accounts created after that date.

NVIDIA Data Breach

According to the official disclosure, the following categories of personal data may have been compromised:

• Email addresses
• Phone numbers, for users who registered via a mobile operator
• Date of birth
• Full name (first and last), for users who authenticated through Google Sign-In
• GFN.AM platform username

The company emphasized that account passwords were not compromised in this incident, reducing the immediate risk of account takeover.

However, the exposed combination of email addresses, phone numbers, and full names poses a significant risk of phishing, SIM swapping, and social engineering targeting affected users.

Following the discovery of the breach, GFN.AM stated it took immediate steps to eliminate the root cause of the unauthorized access. The company has also implemented additional organizational and technical security controls to harden its information systems and reduce the likelihood of a similar incident.

No further technical specifics, such as whether the access involved a compromised credential, an unpatched vulnerability, or a misconfigured database, were disclosed in the public notice.

Security professionals warn that even without password exposure, the leaked data is highly valuable to cybercriminals. Personal identifiers such as full names, phone numbers, and email addresses are routinely used in targeted phishing and credential-stuffing campaigns.

Users who authenticated via Google should review their account activity, as their full names were among the exposed fields.

Users registered on or before March 9, 2026, should take the following precautions:

• Monitor email accounts for unusual login attempts or phishing messages.
• Be cautious of unsolicited calls or SMS messages referencing GFN.AM.
• Enable multi-factor authentication on linked Google and email accounts.
• Consider placing a fraud alert with relevant financial institutions if additional personal data is suspected to be involved.

GFN.AM has not publicly indicated whether affected users will be notified individually or whether regulatory authorities have been informed of the breach.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users appeared first on Cyber Security News.

Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026, after engineers identified a critical issue involving a cross-signed certificate linking the organization’s Generation X root to its upcoming Generation Y root infrastructure.

The incident triggered a complete shutdown of issuance across both production and staging environments before services were restored within hours.

At 18:37 UTC on May 8, Let’s Encrypt engineers became aware of a potential incident and immediately halted all certificate issuance as a precautionary measure.

The affected components included the production and staging ACME API endpoints (acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org), as well as the production and staging portal environments hosted across two high-assurance datacenters.

By 21:03 UTC, roughly two and a half hours later, the organization confirmed that issuance had resumed. However, as a direct result of the cross-signed certificate issue, all certificate generation was rolled back to the Generation X root.

This rollback specifically impacts two ACME certificate profiles: tlsserver and shortlived.

The timing of the incident is notable given that Let’s Encrypt had already announced three significant platform changes scheduled to go live on May 13, 2026, just five days away. Those changes include:

The tlsserver ACME profile will begin issuing 45-day certificates as part of Let’s Encrypt’s phased roadmap to reduce certificate lifetimes from 90 days down to 45 days over the next two years.

The tlsclient profile, used for TLS client authentication certificates, will be restricted exclusively to ACME accounts that have previously requested certificates from that profile. Full support for tlsclient certificates will end on July 8, 2026.

The classic ACME profile was also scheduled to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots a change designed to maintain broad compatibility across client environments.

All three changes are currently live in Let’s Encrypt’s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.

Let’s Encrypt has not disclosed details about whether any incorrectly issued certificates were distributed before issuance was halted.

Administrators relying on automated ACME-based renewal workflows, particularly those using the tlsserver or shortlived profiles should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support remain available at community.letsencrypt.org.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident appeared first on Cyber Security News.

Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.

Microsoft’s Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency in its cloud services.

All three vulnerabilities carry a Critical severity rating and fall under the Information Disclosure impact category.

Microsoft has already fully mitigated all three flaws on its end, consistent with its cloud CVE transparency initiative outlined in the “Toward Greater Transparency: Unveiling Cloud Service CVEs” program.

Microsoft 365 Copilot Vulnerabilities

CVE-2026-26129 affects Microsoft 365 Copilot’s Business Chat. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, potentially allowing an unauthorized attacker to disclose sensitive information over a network.

Although full CVSS metrics were not published for this CVE, the critical severity label reflects the high confidentiality risk inherent in Copilot’s enterprise data access model.

CVE-2026-26164 also targets M365 Copilot and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component — Injection).

The attack vector is network-based, requires no privileges or user interaction, and has a high confidentiality impact. The exploitability assessment is rated “Exploitation Less Likely,” and exploit code maturity is listed as unproven.

CVE-2026-33111 affects Copilot Chat embedded in Microsoft Edge and is classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command — Command Injection).

It shares the same CVSS score of 7.5 / 6.5 (temporal) as CVE-2026-26164, with an identical attack profile: network-accessible, no privileges required, no user interaction, and high confidentiality impact.

This is particularly concerning given the widespread deployment of Edge across enterprise environments.

All three vulnerabilities highlight a growing attack surface unique to AI-powered productivity tools.

Because M365 Copilot aggregates and processes vast amounts of organizational data, including emails, documents, and Teams conversations, weaknesses in how it handles special elements or injected commands can allow sensitive information to leak across trust boundaries.

In environments where Copilot has broad access to corporate data sources, the impact could include exposure of intellectual property, confidential communications, or restricted internal records.

Microsoft credited Estevam Arantes of Microsoft for discovering both CVE-2026-26129 and CVE-2026-26164, with additional credit to independent researcher 0xSombra for CVE-2026-26164.

No acknowledgment was listed for CVE-2026-33111. Microsoft confirmed that none of the three vulnerabilities were publicly disclosed or actively exploited prior to publication.

Since all three are cloud-side vulnerabilities, Microsoft has already deployed mitigations at the service layer. Enterprises do not need to install patches or apply configuration changes.

However, security teams are advised to review Copilot’s data access permissions and enforce least-privilege principles to reduce exposure from any future similar flaws.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information appeared first on Cyber Security News.

A new backdoor called PamDOORa has emerged as a serious and growing threat to Linux systems, targeting one of the most trusted components of the operating system to silently steal SSH credentials.

The malware was advertised for sale on a Russian-speaking cybercrime forum called Rehub, with its complete source code initially listed at $1,600 before the seller slashed the price to $900. That sudden drop raised red flags among researchers, suggesting either limited buyer interest or a deliberate rush to offload the tool quickly.

PamDOORa works by hijacking the Pluggable Authentication Module, or PAM, framework that Linux systems use to handle user logins and identity verification.

Unlike traditional malware that plants itself as a visible running process, this backdoor injects a malicious module directly into the authentication layer, where it waits silently for login attempts and harvests credentials before they can be logged. This makes it especially dangerous because the attack happens at a level most monitoring tools do not watch closely.

Researchers from Group-IB identified the technique being used in this backdoor and noted that it exploits pam_exec, a standard PAM module designed to run external commands during authentication events.

The Group-IB DFIR team found that this specific abuse method had not yet been included in the MITRE ATT&CK framework, making it a novel technique that many security teams may not be actively defending against.

How PamDOORa Operates on Linux Systems

The threat actor behind PamDOORa operates under the alias “darkworm” on the Rehub forum and demonstrates notable technical knowledge of Linux internals. Analysis of code snippets shared in the advertisement showed realistic and credible techniques that align with known PAM exploitation methods. The seller was assessed as more technically capable and serious compared to other individuals reusing the same alias on lower-tier forums.

What makes PamDOORa especially concerning is not just what it does, but how well it hides. The backdoor is built to manipulate authentication log files including lastlog, btmp, utmp, and wtmp, wiping away any trace that an attacker connected to the server. This means incident response teams called in to investigate a breach may unknowingly have their own credentials stolen the moment they SSH into the compromised machine.

PamDOORa is designed as a post-exploitation tool, meaning the attacker must already have root access before deploying it. Once installed, the backdoor injects a malicious PAM module that produces a file called pam_linux.so, loaded into the authentication stack alongside legitimate system modules.

This design allows it to blend in with normal system files rather than replacing them, making detection significantly harder.

The backdoor grants persistent SSH access through a combination of a specific TCP port and a secret “magic password” that only the attacker knows. A special routine scans open connections and applies conditional logic to identify when the attacker is connecting, granting silent access while normal users see nothing unusual.

Credentials submitted by legitimate users during login are intercepted within the PAM stack, encrypted using XOR with a runtime-generated key, and written to /tmp with randomly generated filenames and timestamps.

Anti-Forensics and the Challenge of Detection

What sets PamDOORa apart from simpler backdoors is its built-in anti-forensic capability. The tool actively erases attacker login traces from system logs, leaving behind only failed login entries that investigators are likely to dismiss as noise.

Since credential theft happens inside the PAM layer, application-level logging tools never capture the stolen data, and detection methods focused on user-space processes will miss it entirely.

Security teams are advised to treat any compromised Linux server as having fully exposed credentials, regardless of how limited the breach appears.

Researchers recommend enabling SELinux and AppArmor for stronger process isolation, installing Auditd with DISA-STIG recommended rules to monitor changes to system files, and deploying rkhunter to detect rootkits and unauthorized software. Disabling root login over SSH, locking the root account, and restricting sudo access to authorized users only are essential steps in reducing the attack surface that PamDOORa relies on.

Indicators of Compromise (IoCs):-

Based on information disclosed in the source material, the following indicators were identified from the malicious script executed during SSH authentication:-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials appeared first on Cyber Security News.

A newly identified malware campaign is targeting senior executives and government investigators across Southeast Asia, using a modular Remote Access Trojan capable of stealing credentials, capturing screenshots, and maintaining deep persistence on infected systems.

The operation, dubbed Operation GriefLure, is running two simultaneous campaigns hitting Vietnam’s military-linked telecom sector and the Philippine healthcare industry.

What makes this threat especially alarming is how it reaches victims. Attackers are not guessing or fabricating stories. In one case, they harvested real legal documents from an ongoing data breach lawsuit, including signed police reports, corporate admission letters, and personal medical records.

Victims who opened the archive received a completely authentic document on screen, with no sign that anything had gone wrong behind the scenes.

Researchers at Seqrite Labs identified and named the campaign, noting that the entire system compromise completes in under 10 seconds with zero visible indicators to the victim. The malware arrives inside a nested compressed archive delivered through a targeted spear phishing email, and its infection chain is engineered to bypass most conventional security tools.

The operation targets two groups simultaneously. The first campaign focuses on senior executives at Viettel Group, Vietnam’s largest telecom operator running under the Ministry of National Defence, as well as cybercrime investigators from Thanh Hoa Provincial Police.

The second targets compliance and audit staff at St. Luke’s Medical Center in the Philippines, using a fabricated whistleblower complaint that invokes alleged financial fraud and accreditation violations worth over PHP 1.5 million.

Both campaigns use the same underlying infrastructure and payload, confirming a single threat actor running a coordinated, modular attack operation across two countries at the same time.

Modular RAT With Credential Theft and Screenshot Capture

At the technical core of this campaign sits a sophisticated modular RAT acting as a multi-purpose implant. Once loaded into memory through a layered execution chain, it harvests credentials from web browsers including Chrome’s stored login data, cookies, and history. It also targets FTP client configurations, remote access tools like Sunlogin and ToDesk, and SSH session files from Xshell, making it a serious threat to anyone who manages privileged system access.

The screenshot capture module retrieves full screen dimensions, accounts for multi-monitor setups, and dynamically adjusts image resolution based on network conditions before transmitting a reconstructed BMP image to the attacker’s command-and-control server. The malware also scans all running processes to build a profile of installed security products, then adjusts its behavior accordingly to reduce detection.

The payload is never stored as a complete file inside the archive. Binary chunks disguised as ordinary document files are assembled at runtime using Windows’ native copy command, and a time-based mechanism randomizes the payload hash on every execution to defeat signature-based scanning. The final executable is then injected into a trusted Windows process, making it appear as normal system activity to most forensic tools.

Infrastructure, Attribution, and Defensive Measures

The malware communicates with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on IP address 38[.]54[.]122[.]188. This server sits within KAOPU-HK, a Hong Kong-based network with a documented history of providing abuse-resistant hosting to threat actors across Asia-Pacific. Passive intelligence tags the host as bulletproof infrastructure, a strong indicator of deliberate operational security.

Seqrite researchers assess with moderate-to-high confidence that this campaign is linked to a China-nexus threat cluster. Supporting indicators include the use of bulletproof Chinese hosting, an embedded security detection list that enumerates vendors such as 360Safe, Qianxin, and Sangfor, direct targeting of WeChat data within the credential harvesting module, and a broader Southeast Asian footprint spanning military telecom and healthcare.

Organizations in telecom, government, and healthcare across Southeast Asia should treat this as an active and evolving threat. Security teams are advised to block the known C2 domain and IP, monitor for LNK file executions that invoke ftp.exe, flag any process dropping chunked doc files into the Public directory, and audit systems for signs of explorer.exe being respawned under a restricted security context. Because this attack weaponizes genuine legal documents and trusted system binaries, standard user awareness training alone will not stop it.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities appeared first on Cyber Security News.

Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data.

During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software to infiltrate the system.

Upon discovery, Škoda immediately activated containment measures and took the online shop offline as a precautionary step.

The vulnerability has since been fully remediated, and an external IT forensics firm has been commissioned to conduct a thorough technical post-incident analysis.

The breach was also formally reported to the relevant data protection supervisory authority in compliance with regulatory obligations.

Škoda Security Incident

The Škoda online shop stores a range of personal customer data, including full names, postal addresses, email addresses, phone numbers, order history, and account login credentials.

Passwords were stored using cryptographic hashing rather than plaintext, which provides a meaningful layer of protection.

Critically, credit card details are not retained in the shop system; payment data is handled exclusively by third-party payment service providers, ruling out direct financial data exposure based on current forensic findings.

Forensic analysis confirmed that access to stored data was theoretically possible during the intrusion window. However, due to limitations in existing server-side logging protocols, investigators cannot definitively confirm whether data was actively exfiltrated or merely accessed.

Škoda states that no concrete evidence of customer data misuse has been identified so far, but is notifying affected customers as a precautionary measure, given that unauthorized access cannot be entirely excluded.

Customers whose data may have been exposed face two primary threat scenarios. First, phishing attacks where threat actors use known order details or personal information to craft convincing fraudulent emails or messages designed to harvest additional credentials or prompt victims to click malicious links.

Second, credential stuffing attacks, in which adversaries attempt to use compromised email-and-password combinations to gain unauthorized access to other online accounts, particularly when users reuse the same password across multiple services.

This incident underscores the persistent risk of e-commerce platform vulnerabilities, particularly when standard third-party shop software is deployed without sufficient hardening and continuous security monitoring.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Škoda Security Incident Exposes Customers Data From Online Shop appeared first on Cyber Security News.

A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after over 250 browser extensions tied to crypto wallets and password managers. The campaign has been active since at least February 2026.

The attack begins at a convincing fake website, openclaw-installer.com, registered on March 9, 2026, which leads visitors to a file called OpenClaw_x64[.]7z. That archive contains a 130MB Rust-based executable padded with fake documentation to pass security scans. The size was deliberate. It clears antivirus file-size thresholds and breaks automated sandbox upload limits in a single move.

Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.

The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”

Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.

Hackers Use Fake OpenClaw Installer

If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.

The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.

That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.

Because the list lives in a remote Git repository rather than hardcoded in any binary, the attacker can update targets without rewriting the malware. The list of apps being targeted can quietly grow without triggering new detections. Separately, the malware also accesses Ledger Live data on the filesystem, giving the attacker two independent theft paths.

The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.

A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, a technique never before documented in a crimeware campaign. Persistence is layered across registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers that survive even if the main implant is removed.

A Rapidly Evolving Threat With Rotating Infrastructure

What makes this campaign so hard to shut down is how the attacker handles their infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. During active analysis, the attacker rotated every layer before findings were published.

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.

Security teams should watch for behavioral signals that survive domain rotation. These include unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from non-development processes, and firewall rules being opened programmatically on ports 56001 through 57002. Blocking individual domains alone is not enough. Application-level inspection and behavioral detection are necessary to catch what this campaign is doing inside trusted services.

Indicators of Compromise (IoCs):-

File Hashes

Domains

IP Addresses

Dead-drop and Staging URLs

Mutexes

Registry Keys

Files and Paths

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials appeared first on Cyber Security News.

A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.

This approach is unusual because the malware never communicates with a private server that security tools could flag or block, making it harder to detect through standard network monitoring.

The threat was uncovered after a series of malicious Python packages were found on PyPI, the widely used Python Package Index, starting in July 2025. The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.

Analysts at Securelist identified and named the malware after analyzing samples through their threat analysis pipeline. Their research confirmed ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.

The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group.

OceanLotus, also known as APT32, is a well-established threat group that has historically focused on targets in the Asia-Pacific region. However, recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now a global supply chain attack through PyPI. This shift reflects a clear effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily.

ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel

The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been officially deactivated. Still, researchers warn that already-infected systems may still attempt to contact the deactivated Zulip endpoint, meaning cleanup on compromised machines remains critical.

ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service, letting its traffic blend in with normal developer communication. Authentication is handled through an API token embedded within each HTTP request header.

The malware operates through two separate channel-topic pairs within the Zulip platform. One pair sends basic system information about the infected machine back to the attacker. The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread. Once a command runs, the malware replies with a heart emoji in the chat to signal completion, showing how carefully attackers disguised operations as routine activity.

The Windows version of ZiChatBot is a DLL file named libcef.dll, loaded through a legitimate executable called vcpktsvr.exe. It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in. On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

PyPI Supply Chain Attack Used to Deliver the Payload

The attack started with three fake Python libraries uploaded to PyPI, each named to closely resemble tools that developers use in everyday projects. The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions. In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain. This layered method made the attack far less visible to automated tools that only scan surface-level code.

The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads. After deploying ZiChatBot, it used shellcode to self-delete, wiping traces of the initial infection. Researchers advise adding helper.zulipchat.com to network denylists to identify any machines still reaching out to the now-deactivated attacker infrastructure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server appeared first on Cyber Security News.

An active malware distribution campaign abusing two prominent AI platforms, Hugging Face and ClawHub, to deliver trojans, cryptominers, and infostealers disguised as legitimate AI tools and agent extensions.

The campaign marks a significant evolution in supply chain attacks, shifting from traditional software repositories to trusted AI ecosystems.

Within the OpenClaw ecosystem distributed through ClawHub, Acronis TRU identified 575 malicious skills published across 13 developer accounts.

The campaign appears to be primarily driven by two threat actors: “hightower6eu,” responsible for 334 malicious skills (58%), and “sakaen736jih,” responsible for 199 skills (34.6%), with the remaining 11 accounts contributing smaller volumes.

These trojanized skills masquerade as useful tools such as a YouTube transcript summarizer while secretly instructing users to download password-protected archives or execute encoded commands.

Hugging Face and ClawHub Leveraged

For Windows targets, payloads were detected as trojans packed with VMProtect. For macOS, a base64-encoded command connects to an external IP (91.92.242[.]30) and silently downloads and executes AMOS Stealer, a macOS-focused infostealer commonly sold as malware-as-a-service (MaaS) through Telegram and underground forums.

A second Windows payload used a 30-byte XOR key to decrypt strings at runtime, dynamically resolved NT APIs, and performed in-memory process injection into explorer.exe.

The injected code established AES-encrypted C2 communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence via scheduled tasks and Windows Defender exclusion paths.

A critical technique observed across ClawHub campaigns is indirect prompt injection, which embeds hidden, malicious instructions within skill files that AI agents read and execute on behalf of users.

Because OpenClaw agents are designed to act autonomously based on instructions in skill definitions, attackers can effectively turn these agents into unwitting intermediaries, expanding attack impact far beyond the initial victim.

On Hugging Face, which hosts over one million machine learning models, Acronis TRU identified repositories serving as multi-stage infection chain staging points, hosting payloads across Windows, Linux, and Android. Two tracked campaigns illustrate this abuse in practice.

The ITHKRPAW campaign, targeting Vietnamese financial sector organizations in January, used a malicious LNK file to invoke Cloudflare Workers, which served a PowerShell dropper that fetched a payload from a Hugging Face dataset repository while opening a decoy cat image to mask activity.

Researchers assess with moderate confidence that the PowerShell script was LLM-generated, based on embedded Vietnamese-language comments.

The FAKESECURITY campaign used a batch script (CDC1.bat) containing an encoded PowerShell blob that downloaded a heavily obfuscated secondary batch script from a Hugging Face repository.

After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and dropped a file masquerading as Windows Security.

Organizations and developers should treat AI models, datasets, and agent extensions as untrusted inputs requiring the same validation applied to any third-party code.

Specific steps include auditing installed OpenClaw skills for encoded commands or external download instructions, monitoring for unexpected process injection into explorer.exe, blocking known malicious indicators (91.92.242[.]30, velvet-parrot[.]com), and restricting Windows Defender exclusion path modifications via Group Policy.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware appeared first on Cyber Security News.

A sophisticated Brazilian banking trojan named TCLBANKER, deployed through a trojanized Logitech installer and capable of hijacking victims’ WhatsApp and Outlook accounts to spread itself to new targets. The campaign, tracked as REF3076, delivers TCLBANKER through a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech application, Logi AI Prompt Builder, via […]

The post TCLBANKER Malware Leverages WhatsApp and Outlook Worm Features in Active Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A highly evasive multi-stage malware campaign deploying the Vidar Infostealer. First discovered in late 2018 and built on the Arkei stealer source code, Vidar is notorious for aggressively harvesting user credentials, browser session cookies, cryptocurrency wallets, and detailed system data. According to an analysis by researcher Mahadev Joshi, this recent campaign utilizes AutoIt scripting and […]

The post Vidar Infostealer Campaign Steals Passwords, Cookies, Crypto Wallets, and Device Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

GFN Cloud Internet Services, operating as the regional NVIDIA GeForce NOW cloud gaming partner, GFN.AM has officially confirmed a significant data breach. The security incident exposed personal information of users registered on their streaming platform. While the company has now secured its database, the delayed discovery of the network intrusion highlights ongoing challenges in protecting […]

The post NVIDIA Confirms GeForce Data Breach Exposed Users’ Personal Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A newly observed Linux backdoor technique, dubbed Pam, is exploiting the flexibility of Pluggable Authentication Modules (PAM) to capture SSH credentials and maintain persistence on compromised systems stealthily. Since its introduction in 1991 by Linus Torvalds, Linux has been designed for simplicity, modularity, and flexibility. This modular architecture allows administrators to customize nearly every component, from […]

The post Pam Backdoor Targets Linux Systems to Steal SSH Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A new banking trojan known as TCLBANKER has been quietly making rounds, and its delivery method is as clever as it is concerning. Attackers are using a trojanized version of a legitimate, digitally signed installer to slip malware onto victims’ machines without raising immediate suspicion.

The campaign, tracked as REF3076, bundles a malicious MSI installer inside a ZIP file and exploits the trust people place in recognizable software names.

The infection begins when a victim runs what appears to be a legitimate Logitech application installer. Inside the package, threat actors have weaponized the Logi AI Prompt Builder, abusing a technique called DLL sideloading to sneak a malicious file into the process. Once the application starts, it automatically loads the harmful DLL without the user ever knowing anything went wrong.

Analysts at Elastic Security Labs identified this new Brazilian banking trojan, assessing it to be a significant evolution of an older malware family known as MAVERICK and SORVEPOTEL. The campaign appears to be in its early stages, with developer artifacts and an incomplete phishing page suggesting the attackers are still actively building out their infrastructure.

TCLBANKER primarily targets users in Brazil, specifically those who visit banking, fintech, and cryptocurrency websites. The trojan monitors the victim’s browser in real time, watching for visits to any of 59 targeted financial domains.

Hackers Abuse Signed Logitech Installer

When a match is found, it opens a live connection to the attacker’s command server and puts the operator in full control.

The scope of potential damage goes well beyond simple credential theft. The malware can display fake full-screen overlays that look like real banking interfaces, freeze the apparent desktop to confuse victims, and kill the Task Manager to prevent users from ending the malicious process. It is a coordinated operation designed to make fraud feel seamless from the attacker’s side.

The attackers took care to make the infection chain look as normal as possible. The malicious ZIP file contains an MSI installer that mimics the legitimate Logi AI Prompt Builder, a real Flutter-based application.

When installed, the trojanized package drops a fake DLL called screen_retriever_plugin.dll, which masquerades as a genuine Flutter plugin and gets loaded automatically at startup.

The loader inside this DLL is packed with tricks to avoid detection. It checks whether the system is running inside a sandbox or virtual machine, verifies that the user’s default language is Brazilian Portuguese, and even measures timing to catch emulation frameworks that speed up sleep calls.

If anything seems off, the malware simply stops running without leaving obvious traces. This environment-gating approach means the payload only decrypts itself on real, qualifying machines.

Self-Spreading Worm Modules Amplify the Threat

What makes TCLBANKER particularly dangerous is not just what it does on a single machine, but how far it can spread from there. The malware comes with two worm modules designed to send itself to the victim’s contacts using channels those contacts already trust.

The first hijacks the victim’s active WhatsApp Web session in the browser, silently messaging Brazilian contacts with a link to download the malware. The second abuses Microsoft Outlook through automation, sending phishing emails directly from the victim’s own email account.

Because these messages come from real, known senders, they are far harder for security filters to catch. The Outlook bot first harvests the victim’s contact list, then sends targeted emails that look completely authentic.

Elastic researchers noted that all command and file-serving infrastructure runs on Cloudflare Workers under a single account, making it easy for operators to rotate infrastructure quickly when needed.

Organizations and individuals can take several steps to reduce exposure. Keeping security software updated ensures the latest detection signatures are in place.

Being cautious about ZIP files or MSI installers received through messaging apps or email, even from known contacts, is critical given this trojan’s self-spreading behavior. Monitoring for unusual scheduled tasks, unexpected DLL loads alongside legitimate software, and suspicious outbound connections can also help flag infections early.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan appeared first on Cyber Security News.

A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.

It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.

DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.

Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.

The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.

DarkMoon AI-Powered Platform

When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.

The platform dynamically triggers agents tailored to discovered technologies:

• CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
• Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
• Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
• Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
• GraphQL Agent — handles GraphQL-specific attack surfaces
• Headless Browser Agent — deployed when browser rendering is required

Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.

DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.

Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.

All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.

DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.

The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.

DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter with local model support via Ollama and llama.cpp also available.

The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.

Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.

Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.

Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.

In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.

The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.

The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.

Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.

RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.

The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.

Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.

The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.

A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.

The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.

PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.

One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.

Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”

The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.

The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.

It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.

PCPJack’s Worm-Like Propagation and CVE Exploitation

PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.

This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.

The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.

Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.

Sliver Backdoor and Enterprise-Wide Credential Targeting

SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.

The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.

Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.

To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.

Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft appeared first on Cyber Security News.

A new and evolving threat has caught the attention of cybersecurity researchers worldwide. A Windows-based information stealer known as NWHStealer has resurfaced with a more sophisticated delivery chain, now using the Bun JavaScript runtime as part of its infection process.

This shift makes it clear that the attackers behind this campaign are actively experimenting with lesser-known tools to stay ahead of security defenses.

NWHStealer is a Rust-based malware capable of stealing sensitive data from infected Windows systems. It spreads through Node.js scripts, MSI installers, and fake software downloads hosted on trusted platforms such as GitHub, GitLab, SourceForge, and Itch.io. Since it blends into legitimate-looking software packages, many users unknowingly download and run it without any suspicion.

Analysts at Malwarebytes identified the new delivery method during routine threat hunting activities.

Researcher Gabriele Orini noted that attackers have now incorporated Bun, a modern JavaScript toolkit built as a high-performance alternative to Node.js, into the malware’s delivery chain. Its relative newness in security circles makes it particularly appealing to attackers trying to slip past detection.

Once inside a system, NWHStealer is highly capable. It collects system information, steals saved browser data and passwords, drains cryptocurrency wallets, and targets applications like Discord, Steam, and FTP clients such as FileZilla.

It can also inject malicious code into browser processes, bypass Windows User Account Control, persist through scheduled tasks, and pull new command-and-control addresses from Telegram to keep the operation alive after partial takedowns.

The scale of this campaign is notable. Attackers continue to create fresh profiles on legitimate platforms to push new lures, making it difficult for moderators to respond quickly. The combination of data theft, persistence, and self-updating infrastructure makes NWHStealer a serious threat to both everyday users and organizations.

Bun Loader, Anti-VM Checks, and Encrypted C2

The infection begins with a ZIP archive disguised as a game trainer, software crack, or utility tool. Detected archive names include MOUSE_PI_Trainer_v1.0.zip, FiveM Mod.zip, TradingView-Activation-Script-0.9.zip, and AutoTune 2026.zip.

Inside sits Installer.exe, which carries JavaScript code bundled with the Bun runtime hidden within its .bun section.

The malicious JavaScript is divided into two key files. The first, sysreq.js, runs PowerShell and WMI commands to check whether the system is a real machine or a virtual one. It inspects CPU count, disk space, screen resolution, hardware manufacturers, and even the username, using a scoring system to decide whether to proceed with infection or stop entirely. This anti-VM layer is designed to avoid detection in automated security analysis environments.

The second file, memload.js, handles communication with the attacker’s command-and-control server. Strings and configurations are encrypted using XOR combined with base64 encoding, making static analysis much harder. The loader sends a report containing the victim’s public IP, system details, and a screenshot to the C2, then fetches an AES-encrypted payload and deploys NWHStealer directly into memory with minimal traces on disk.

Some analyzed ZIP files also include a secondary loader called dw.exe inside a folder labeled “DW.” A Readme.txt inside the archive tells users to run dw.exe manually if the main installer fails, giving attackers a fallback option if the primary C2 server goes offline. This dual-loader setup reflects a deliberate backup plan to ensure delivery regardless of temporary disruptions.

Staying Safe From NWHStealer

Given how widely this stealer is distributed, users should take practical steps to protect themselves. Only download software from official, verified sources and avoid file-sharing platforms unless the publisher’s identity and reputation are clearly established.

Always check a file’s digital signature before running it, as legitimate software will carry consistent, verifiable signing details.

It is also worth inspecting any downloaded archive before opening it. Malicious archives often have unusual file structures, mismatched content, or naming patterns that do not match what was advertised.

Staying cautious with downloads that seem too good to be true, whether a game cheat, a software activator, or a free tool, remains one of the most effective defenses against threats like NWHStealer.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2 appeared first on Cyber Security News.

Spring Cloud Config provides crucial server-side and client-side support for externalized configuration in distributed systems.

Recently, the Spring development team disclosed four security vulnerabilities impacting the Spring Cloud Config Server.

These flaws range from medium to critical severity, exposing environments to unauthorized arbitrary file access, cloud secrets leakage, and logging misconfigurations.

Because centralized configuration servers often hold sensitive keys for an entire microservice architecture, system administrators must immediately review and patch their infrastructure.

Spring Cloud Vulnerabilities

Directory Traversal Vulnerabilities

The most severe issue is CVE-2026-40982, a critical directory traversal vulnerability affecting the platform.

The Spring Cloud Config module allows applications to serve both text and binary files over the network.

An attacker can exploit this module by sending a specially crafted URL to the server, thereby bypassing restricted directories and accessing arbitrary files on the host system.

Security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi responsibly identified and reported this critical flaw.

Target GCP Secrets and Git Directories

Two additional high-severity vulnerabilities threaten Spring Cloud Config deployments.

CVE-2026-40981 affects organizations that use Google Secrets Manager as the backend for their configuration server.

Malicious actors can craft specific requests to the config server, exposing sensitive secrets from unintended Google Cloud Platform projects.

Meanwhile, CVE-2026-41002 introduces a time-of-check-time-of-use attack surface.

This vulnerability specifically targets the server’s base directory used to clone Git repositories.

Threat actors can manipulate files during the cloning process due to this race condition.

Security researcher Yu Bao from PayPal received credit for discovering and reporting this Git-related vulnerability.

Trace Logging Exposes Sensitive Information

A medium-severity vulnerability (CVE-2026-41004) affects the server’s internal logging mechanisms.

When administrators enable trace logging, the system inadvertently writes sensitive information in plain text directly to the log files.

This misconfiguration could expose credentials or configuration secrets to unauthorized internal users who possess read access to the system logs.

All four vulnerabilities impact the same branches of the Spring Cloud Config ecosystem.

The affected release lines include 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions of the software also remain highly vulnerable to these exploits.

Users must upgrade immediately to secure their environments against potential compromise.

The Spring team has released patched versions across their different support tiers.

Open-source software users must upgrade to 4.3. x environments to version 4.3.3 and their 5.0. x environments to version 5.0.3.

Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.

If immediate patching is impossible for the GCP secrets vulnerability, administrators can implement a temporary configuration workaround.

By setting the spring.cloud.config.server.gcp-secret-manager.token-mandatory=true property, the server forces clients to send a valid token.

The system then verifies this token to ensure the client actually has legitimate access to the requested project secrets.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets appeared first on Cyber Security News.