All CosmicBytez Labs articles tagged #Malware, across news, security advisories, how-to guides, and projects.
This week's security roundup covers Iranian threat actors tracking US military personnel's phones, the newly discovered CrashStealer macOS infostealer, a coordinated vulnerability disclosure blueprint, ransomware targeting naval defense firm TKMS, and more.
Group-IB researchers discovered ClickLock, a new macOS infostealer distributed via ClickFix lures that terminates all visible system processes in a loop until the victim surrenders their login password — with zero AV detections at discovery.
Checkmarx researchers uncovered ViteVenom — seven malicious npm packages impersonating the Vite ecosystem that use blockchain-based command-and-control infrastructure to deploy a remote access trojan. The campaign is an expansion of the ChainVeil threat actor.
Group-IB researchers discovered ClickLock, a macOS infostealer that uses ClickFix social engineering to install a kill loop firing pkill every 210ms — trapping victims into surrendering their system password to restore their desktop.
Trend Micro researchers discovered a Russian-speaking threat actor named 'bandcampro' who jailbroke Google's open-source Gemini CLI to operate an 8-machine botnet inside a dental clinic, including autonomously migrating C2 infrastructure in just 6 minutes.
The U.S. Treasury's OFAC has designated two individuals and a VPN service provider for enabling ransomware actors and other cybercriminals — marking a significant escalation in targeting the infrastructure that makes ransomware operations possible.
Google and Microsoft have removed ModHeader — a popular HTTP header editor with 1.6 million installs across Chrome and Edge — after researchers discovered a dormant browsing-history collector hidden inside the extension's official store version.
The US Treasury's OFAC sanctioned First VPN Service (1VPNS) and its Ukrainian administrator for providing anonymization cover to ransomware groups attacking US critical infrastructure, causing billions in losses. Action is coordinated with the UK and follows a May 2026 European infrastructure takedown.
A new RedHook variant abuses Android's Wireless Debugging feature to gain shell-level privileges without a USB connection — a novel technique that bypasses traditional physical access requirements.
The popular jscrambler npm package was hijacked in version 8.14.0, silently dropping and executing a cross-platform Rust-based infostealer via a malicious...
An unprotected 800MB server left open for three weeks exposed the full toolkit of a webshell access brokerage operation targeting 1.4 million domains....
GodDamn ransomware — a rebrand of Beast/Monster — uses PoisonX, a malicious kernel driver that passed Microsoft's signing process, to terminate 400+...
A new ransomware strain dubbed 'GodDamn' is leveraging a Microsoft-signed malicious kernel driver through the Bring Your Own Vulnerable Driver technique...
Microsoft has dissected GigaWiper, a destructive Windows backdoor that combines three distinct destructive capabilities — full disk wiping, fake...
Cisco Talos researchers have identified new LONGLEASH malware deployed by Chinese APT group UAT-7810 to expand its Operational Relay Box network,...
A new banking fraud campaign tracked as REF6045 is deploying SCMBANKER malware through fake CAPTCHA ClickFix lures to steal credentials from customers of...
A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service, letting even low-skill criminals take...
Kaspersky researchers have detailed a new campaign by Armored Likho — a threat actor overlapping with Eagle Werewolf — deploying modular RATs and the...
The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer...
This week's threat roundup covers residential proxy botnets hiding in streaming boxes, browser-based ransomware campaigns, AI agent abuse techniques, and...
JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...
Jamf Threat Labs has discovered PamStealer, a sophisticated two-stage macOS infostealer that impersonates the Maccy clipboard manager, delivers a...
Blackpoint Cyber researchers have uncovered Avalon, an AI-assisted modular malware framework that chains phishing, credential theft, lateral movement, and...
Researchers have uncovered a novel malware artifact generated using DeepSeek that weaponizes the Chromium File System Access API to encrypt files entirely...
A malicious extension masquerading as the Perplexity AI answer engine was discovered on the Chrome Web Store, intercepting search traffic and collecting...
Hackers are actively exploiting CVE-2026-48558 in SimpleHelp remote support software to deploy Djinn Stealer, a previously undocumented cross-platform...
Russian FSB-linked APT group Gamaredon has mounted 35 distinct spear-phishing campaigns against Ukrainian targets in 2025, deploying an expanded malware...
Microsoft uncovered a fake Perplexity AI Chrome extension that silently captured every search query and address bar keystroke, routing the data to an...
Attackers poisoned at least 18 npm and Go packages with a novel technique: hiding malware in .vscode/tasks.json auto-run tasks, bypassing npm v12's...
Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...
Researchers demonstrate how a seemingly clean, scanner-safe GitHub repository can silently execute a malicious payload when an AI coding agent clones and...
The Miasma supply chain malware family — an evolution of Mini Shai-Hulud and linked to the Hades worm — has compromised hundreds of npm packages, abused...
Security researchers at Island discovered that 'Adblock for YouTube,' a Chrome extension with over 10 million installs and a Featured badge, contains a...
Zscaler researchers exposed 'Edgecution', a rogue Microsoft Edge extension that exploits Chrome's Native Messaging protocol to escape the browser sandbox...
Unit 42 researchers identified five persistent malicious skill packages on ClawHub — OpenClaw's AI agent marketplace — including infostealers disguised as...
ESET research reveals FSB-sponsored Gamaredon has significantly upgraded its C2 infrastructure obfuscation and malware delivery capabilities, running 35...
A two-week joint operation by Microsoft and Europol dismantled three major malware-as-a-service platforms — StealC, Amadey, and SocGholish — seizing 326...
A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...
Microsoft, Europol, and international law enforcement partners have dismantled infrastructure supporting the Amadey malware loader and StealC infostealer...
A malicious Microsoft Edge extension dubbed 'Edgecution' abused the Native Messaging API to escape the browser sandbox and deliver a Python backdoor used...
Security researchers have identified a new backdoor malware named Mistic being deployed by KongTuke, a ransomware initial access broker, in financially...
Microsoft and Europol jointly targeted the full CaaS supply chain, seizing 300+ servers and disrupting SocGholish, Amadey, and StealC malware infrastructure.
The FortiBleed campaign's operators weaponize Fortinet's own built-in diagnostic command to run a custom Golang sniffer that intercepts 24 authentication...
Elastic Security Labs has uncovered OXLOADER, a sophisticated new malware loader using malvertising via Google Ads to target developers searching for...
Attackers are abusing compromised WhatsApp accounts to distribute malicious VBScript files disguised as financial documents, ultimately deploying a...
Researchers at QiAnXin's XLab have identified AryStinger, a novel malware targeting end-of-life D-Link routers and QNAP NAS devices to build a distributed...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack, with attackers injecting backdoor code into Pro plugin releases...
This week's threat roundup covers the Usbliter8 iPhone boot exploit, NarwhalRAT spread via fake Microsoft alerts, The Gentlemen ransomware's GentleKiller...
Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage — identity-based...
An active malware campaign is targeting WhatsApp users across multiple countries with deceptive messages pushing VBScript-based droppers disguised as...
A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated D-Link routers, converting them into malicious proxy...
A self-spreading USB worm active since February 2026 hides real files behind malicious .lnk shortcuts, hijacks clipboard cryptocurrency addresses, hunts...
A newly detailed malware family called CryptoBandits routes all traffic through a local SOCKS5 proxy and the Tor network, blending credential theft with...
Microsoft Threat Intelligence has exposed a cryptocurrency clipboard-hijacking campaign active since February 2026 that spreads via malicious USB LNK...
A joint law enforcement operation led by Dutch authorities and including partners from Canada, Germany, and the US has disrupted SocGholish malware...
The Gentlemen ransomware-as-a-service operation is actively developing and maintaining a suite of EDR killer tools to help affiliates evade detection and...
International law enforcement cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the...
Researchers have uncovered a coordinated malware campaign involving 15 malicious JetBrains Marketplace plugins posing as DeepSeek-powered AI coding...
North Korean state-sponsored group APT37 (ScarCruft) is conducting spear-phishing campaigns impersonating Microsoft Account security notifications to...
New analysis reveals the 'Lorem Ipsum' malware campaign has adopted ClickFix social engineering as its primary delivery mechanism, leveraging compromised...
DragonForce ransomware operators deployed a custom implant called Backdoor.Turn to camouflage command-and-control communications inside legitimate...
A China-linked espionage campaign targeted exposed REDCap servers, deploying the InfiniteRed malware to steal sensitive medical research data from a North...
The latest supply chain attacks against PyPI, which hit 37 wheels and 19 code packages, show a continued evolution of the persistent Shai-Hulud software...
IronWorm, a self-propagating supply chain worm written in Rust, is targeting npm developers to steal credentials and reuse them to spread across the...
A new analysis of The Gentlemen ransomware operation reveals the financially motivated group has claimed 478 victims and evolved a worm-like...
This week's threat intelligence roundup covers a supply chain attack kit posted publicly, a $5,000-per-month RAT that clones browser sessions, AI agents...
Attackers increasingly favor stolen credentials over exploits, and infostealers have become the primary access broker feeding ransomware and cybercrime...
The Miasma credential-stealing worm framework was briefly open-sourced on GitHub before removal, potentially enabling copycat attacks against open-source...
Security researchers warn that adaptive agentic AI worms — described as 'viruses with wings and brains' — will likely strike enterprise environments within a…
Chinese espionage group UNC5221 is actively using the Brickstorm backdoor alongside two newly discovered malware families — Plenet and AgentPSD — to maintain…
The Windows version of the Hola Browser has been hit by a supply chain attack that bundled a cryptocurrency miner with the official installer, silently…
This week's cybersecurity roundup covers Anthropic's new AI threat taxonomy, an unpatched Comodo security flaw, Palantir's Alex Karp reportedly under…
Two distinct malware campaigns have hit the npm ecosystem simultaneously — IronWorm deploys a Rust-based infostealer via 50+ poisoned packages, while a new…
A maximum-severity input validation vulnerability in Product Slider Pro for WooCommerce allows attackers to implant malicious software. Affects all versions…
Researchers have uncovered a large-scale SEO poisoning campaign that uses fake open-source and freeware project sites to funnel victims through a Traffic…
Threat actors are exploiting ChatGPT's content-sharing feature to publish fake OpenAI outage pages that trick users into downloading trojanized ChatGPT…
Dutch authorities took offline a massive botnet of 17 million infected devices and seized more than 200 servers from a local hosting provider that...
CISA adds CVE-2026-8398 to KEV — a high-severity embedded malicious-code flaw in Daemon Tools Lite impacting confidentiality, integrity, and availability.
CrowdStrike, Google, and Shadowserver dismantled the Glassworm botnet, stripping operators of infrastructure used to inject malware into OSS packages.
CrowdStrike, Google, and Shadowserver simultaneously disrupted GlassWorm C2 channels, ending a supply-chain campaign targeting developers via packages.
Nimbus Manticore, an Iranian advanced persistent threat group, has continued operations targeting aviation and software companies during and after the US.
A coordinated cross-ecosystem supply chain attack campaign dubbed TrapDoor has compromised 34 packages across 384+ versions on npm, PyPI, and Crates.io.
The Belarus-aligned Ghostwriter APT (UAC-0057/UNC1151) has launched a new phishing campaign impersonating Prometheus, a Ukrainian e-learning platform, to...
Cybersecurity researchers have uncovered Megalodon, an automated attack campaign that pushed 5,718 malicious commits to over 5,500 GitHub repositories in...
A supply chain attack targeting Laravel Lang localization packages has exposed developers to credential-stealing malware after attackers abused GitHub...
Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...
A coordinated supply chain attack campaign has infected eight Packagist Composer packages with malicious code that downloads and executes a Linux binary...
Ukrainian cyberpolice, working with US law enforcement, identified an 18-year-old from Odesa suspected of running an infostealer malware operation that...
Microsoft has disrupted a malware-signing-as-a-service operation that exploited the company's Artifact Signing service to produce fraudulent code-signing...
Researchers at HUMAN Security uncovered Trapdoor, a sophisticated Android ad fraud and malvertising operation that used 455 malicious apps and 183...
Researchers have uncovered four malicious npm packages embedding infostealer malware and a Phantom Bot DDoS payload — one of which is a direct clone of...
The public release of the Shai-Hulud worm source code by TeamPCP has triggered a wave of copycat variants appearing across the npm ecosystem. Security...
A Flare threat intelligence analysis breaks down the REMUS infostealer — a rapidly evolving credential theft tool built around stolen browser sessions and...
Russia's Turla APT has transformed its long-running Kazuar backdoor into a modular peer-to-peer botnet architecture engineered for stealth and deep...
Secret Blizzard, a Russian state-sponsored threat group, has evolved its long-running Kazuar backdoor into a sophisticated modular peer-to-peer botnet...
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout...
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication npm package, in a new...
The hacking group TeamPCP has publicly released the source code for its Shai-Hulud supply chain worm, actively encouraging other threat actors to...
Attackers are running a sophisticated malvertising campaign that hijacks Google Ads and legitimate Claude.ai shared chat sessions to deliver Mac malware...
A newly discovered Linux implant called Quasar Linux RAT (QLNX) is silently targeting software developers to harvest credentials, log keystrokes, and...
Cybersecurity researchers discovered 28 fraudulent Android apps on Google Play claiming to offer call history lookups, which instead enrolled users in...
A malicious repository impersonating OpenAI's "Privacy Filter" project climbed to Hugging Face's trending list and delivered information-stealing malware...
The official website for JDownloader, one of the most widely-used open-source download managers, was compromised to distribute malicious Windows and Linux...
Security researchers have uncovered a coordinated supply chain attack campaign dubbed 'mini Shai-H' targeting SAP-related npm packages, injecting...
Pro-Ukrainian hacktivist group PhantomCore has been attributed to a sustained campaign targeting TrueConf video conferencing servers across Russia since...
This week's cybersecurity roundup covers the discovery of pre-Stuxnet Fast16 malware targeting engineering software, the emergence of the XChat...
CISA and the UK's NCSC have revealed that a US federal civilian agency's Cisco Firepower device running ASA software was compromised in September 2025...
SentinelOne has discovered 'fast16', a 2005-era Lua-based cyber sabotage implant that predates Stuxnet by five years and targeted high-precision...
UNC6692 employs email bombing and Teams impersonation to deliver a three-component Snow malware suite — SnowBelt, SnowGlaze, and SnowBasin — enabling full...
Zscaler ThreatLabz has uncovered a Tropic Trooper (APT23) campaign that delivers the AdaptixC2 post-exploitation beacon via trojanized SumatraPDF...
US and UK cybersecurity agencies are warning about Firestarter, a custom implant that persists on Cisco Firepower and Secure Firewall devices running ASA...
SentinelOne's AI-driven behavioral defense stopped three recent zero-day supply chain attacks before any payload signatures existed — demonstrating how...
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in end-of-life D-Link DIR-823X...
A newly discovered supply chain attack targeting the npm ecosystem steals developer authentication tokens and uses compromised accounts to publish...
Cybersecurity researchers at Darktrace have identified ZionSiphon, a new malware specifically designed to target Israeli water treatment and desalination...
Researchers have discovered a SystemBC proxy botnet of over 1,570 compromised hosts linked to Gentlemen ransomware operations. The gang's affiliate is...
The Vercel security breach originated at Context.ai after an employee downloaded Lumma Stealer disguised as Roblox cheat software. The incident exposes...
This week's cybersecurity recap covers the Vercel supply chain breach via a compromised AI tool, push fraud campaigns, attackers abusing QEMU virtual...
Russia's APT28 (Forest Blizzard) is conducting a malwareless espionage campaign by modifying a single DNS setting in vulnerable SOHO routers to silently...
Russian state-sponsored threat actor APT28 (Forest Blizzard / Pawn Storm) has launched a targeted spear-phishing campaign deploying a newly documented...
A massive campaign targeting nearly 100 Magento e-commerce stores embeds credit card-stealing JavaScript inside a pixel-sized SVG image, bypassing visual...
Cybersecurity researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abused Redis and PostgreSQL connections to harvest...
Threat actors are capitalising on the Claude Code source code leak by creating fake GitHub repositories that impersonate the leaked source to deliver...
Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed a large-scale phishing campaign in which threat actor UAC-0255 impersonated the agency...
A new Android malware named NoVoice was discovered hiding in over 50 apps on the Google Play Store, with a combined download count of at least 2.3...
Two newly published versions of the widely used Axios HTTP client library — v1.14.1 and v0.30.4 — were found to contain a malicious fake dependency that...
Researchers have identified DeepLoad, a previously undocumented malware loader that combines ClickFix social engineering with WMI-based persistence to...
Security researchers have identified a newly discovered malicious implant named RoadK1ll that leverages WebSocket connections to silently move from an...
Three threat activity clusters aligned with China jointly targeted a Southeast Asian government organization in a complex, well-resourced espionage...
Threat actors known as TeamPCP compromised the Telnyx Python package on PyPI, uploading malicious versions that conceal credential-stealing malware inside...
A newly observed ClickFix campaign impersonates Cloudflare's CAPTCHA verification pages to deliver the Python-based Infiniti Stealer to macOS users via a...
A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka...
Cybersecurity researchers have uncovered a sophisticated new payment skimmer that weaponises WebRTC data channels to exfiltrate stolen credit card data...
A novel self-propagating malware dubbed CanisterWorm uses Internet Computer Protocol smart contracts as an untakedownable C2 channel, spreading...
The Trivy open-source vulnerability scanner was compromised in a supply chain attack by the threat group TeamPCP, which hijacked 75 release tags and...
A new infostealer named VoidStealer bypasses Chrome's Application-Bound Encryption by attaching a remote debugger to the browser process and using the...
A newly discovered .NET infostealer dubbed Speagle repurposes compromised Cobra DocGuard servers for C2 and data exfiltration, targeting organizations...
Trivy, Aqua Security's widely used open-source vulnerability scanner, was compromised a second time in a month. Attackers hijacked 75 GitHub Actions tags...
The LeakNet ransomware gang is using ClickFix social engineering for initial access and a Deno-based malware loader to execute fileless payloads from...
Google is testing a new Android Advanced Protection Mode enforcement in Android 17 Beta 2 that automatically strips non-accessibility apps of their...
The GlassWorm threat actor has launched a new sub-campaign called ForceMemo, using stolen GitHub tokens to silently force-push malware into hundreds of...
The GlassWorm self-propagating worm campaign has compromised 72 Open VSX extensions using invisible Unicode Private Use Area characters and a Solana...
Google's Threat Intelligence Group dismantles UNC2814, a China-linked operation that deployed a novel backdoor called GRIDTIDE abusing Google Sheets API...
ESET researchers discover PromptSpy, the first known Android malware family that abuses Google's Gemini AI at runtime to dynamically navigate device UIs...
Threat actors are abusing publicly shared Claude AI artifacts and Google Ads to deliver the MacSync infostealer to macOS users through ClickFix social...
Security researchers have uncovered a malicious Chrome extension called CL Suite that steals TOTP 2FA seeds, Meta Business Manager data, and analytics,...
Google Threat Intelligence Group attributes a previously undocumented JavaScript malware called CANFAIL to a Russian-linked threat actor targeting...
North Korea's Lazarus Group is running a fake recruitment campaign codenamed Graphalgo, planting 192 malicious packages on npm and PyPI that target...
Security researchers discover a new Linux botnet named SSHStalker that leverages the legacy IRC protocol for C2 operations, marking a return to old-school...
Researchers uncover VoidLink, an 88,000-line Zig-based malware framework built with AI assistance that targets AWS, Azure, GCP, and Kubernetes environments.
Cisco Talos uncovers a seven-component Linux framework called DKnife that compromises routers to intercept credentials, replace downloads with trojans,...
Security researchers have discovered malicious code injected into several popular NPM packages with millions of weekly downloads. Developers urged to...