Android malware
-
France detains Latvian crew member after malware found on Italian ferry
French authorities detained a Latvian crew member from the ferry Fantastic after discovering malware that investigators say could have enabled remote control; a Bulgarian crewmember was released and probes by the DGSI and Italian authorities are ongoing.
-
Kimsuky campaign uses QR codes to deliver DocSwap Android malware, South Korean firm says
South Korean firm ENKI linked the North Korean actor Kimsuky to a campaign distributing a DocSwap Android trojan via QR codes on phishing sites impersonating CJ Logistics; the malware decrypts an embedded APK, registers a RAT service and accepts many remote commands.
-
GhostPoster campaign hid JavaScript in Firefox extension icons to load backdoor
Researchers at Koi Security uncovered the GhostPoster campaign, which hides a JavaScript loader inside Firefox extension icon images to fetch an obfuscated payload that can hijack affiliate links, inject tracking, strip security headers and conduct ad and click fraud; Mozilla said it removed the affected extensions and updated detection systems.
-
CISA adds WinRAR flaw CVE-2025-6218 to known-exploited list after reported active use
CISA added a WinRAR path traversal vulnerability, CVE-2025-6218 (CVSS 7.8), to its Known Exploited Vulnerabilities catalog after reports of active exploitation by multiple threat groups; RARLAB patched the bug in WinRAR 7.12 for Windows in June 2025 and agencies are required to remediate by Dec. 30, 2025.
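The digest does not describe how CVE-2025-6218 is triggered beyond calling it a path traversal, so the following is a generic pre-extraction check rather than a reproduction of the bug. It is an added example, not code from RARLAB, CISA or the reporting firms: it walks a list of archive entry names (constructed here) and rejects any that would land outside the chosen extraction directory, which is the class of entry a traversal in an extractor is meant to smuggle through.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample entry names, not taken from any real archive.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "../../../Users/Public/Startup/x.lnk",
    "C:\\Windows\\evil.dll",
    "..\\..\\AppData\\Roaming\\evil.exe",
    "notes/..hidden/file",
    "/etc/cron.d/job",
]


def is_safe_entry(name: str, dest: str = "/tmp/out") -> bool:
    """Return True only if extracting `name` under `dest` stays inside `dest`.

    Rejects empty names, embedded NULs, absolute paths, Windows drive
    prefixes and any '..' component, then double-checks by resolving the
    final path and comparing it against the destination root.
    """
    if not name or "\x00" in name:
        return False
    # Archives produced on Windows often carry backslashes; normalise both
    # separators so '..\\' is treated the same as '../'.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or PureWindowsPath(name).drive:
        return False
    if any(part == ".." for part in PurePosixPath(norm).parts):
        return False
    root = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(root, norm))
    # Belt and braces: the resolved path must share `root` as its prefix.
    return os.path.commonpath([root, target]) == root


def audit_entries(names, dest: str = "/tmp/out"):
    """Return the entry names that would escape `dest` if extracted."""
    return [n for n in names if not is_safe_entry(n, dest)]


if __name__ == "__main__":
    for bad in audit_entries(SAMPLE_ENTRIES):
        print("REJECT:", bad)
```

Run the audit before handing an archive to the extractor; entries that only look odd, such as `notes/..hidden/file`, are kept, while relative, absolute and drive-prefixed escapes are flagged.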
-
North Korea-linked actors exploit React2Shell flaw to deploy EtherRAT using Ethereum-based C2
Sysdig reported that actors tied to North Korea exploited a critical React Server Components flaw to deploy EtherRAT, a Node.js-based remote access trojan that uses Ethereum smart contracts and RPC consensus for C2 resolution and multiple Linux persistence mechanisms.
-
Researchers find VS Code extensions that install stealer malware, Microsoft removes packages
Researchers and security firms found two malicious Visual Studio Code extensions that stole credentials, screenshots and browser data; Microsoft removed the packages and analysts warned developers to review extensions and supply-chain risks.
-
GoldFactory modifies banking apps to spread Android remote-access trojans across Southeast Asia, Group-IB reports
Group-IB said GoldFactory has been distributing modified banking apps across Thailand, Vietnam and Indonesia to deploy Android remote-access trojans that abuse accessibility services, and researchers uncovered a pre-release variant called Gigaflower with advanced data-extraction features.
-
Malicious Rust crate ‘evm-units’ delivered cross-platform payloads and targeted Web3 developers
A malicious Rust crate named evm-units masqueraded as an Ethereum helper and delivered platform-specific payloads to Windows, macOS and Linux machines. Published by a crates.io user called ablerust and included as a dependency of uniswap-utils, the package fetched and executed scripts or PowerShell based on the host OS and the presence of Qihoo 360 antivirus,…
-
Glassworm malware returns with 24 malicious VS Code packages on OpenVSX and Microsoft marketplace
The Glassworm malware has returned in a third wave with 24 malicious VS Code extension packages on OpenVSX and the Microsoft Visual Studio Marketplace, using obfuscation and Rust-based implants to steal credentials, deploy proxies and enable remote access.