Android malware
-
ESET: Fake Signal and ToTok Android Apps used to deploy spyware in UAE
ESET researchers warned that two spyware campaigns in the UAE use fake Signal and ToTok Android apps disguised as plugins or add‑ons to collect contacts, messages, backups and files; the spyware has been traced to mid‑2022 and is blocked by Google Play Protect for devices with Google Play Services.
-
XWorm backdoor resurfaces with ransomware module and dozens of plugins
Researchers at Trellix told BleepingComputer that new XWorm variants 6.0, 6.4 and 6.5 are circulating in phishing campaigns, include more than 35 plugins and a ransomware module that encrypts user files and drops ransom instructions.
-
Trend Micro: SORVEPOTEL self‑propagating malware spreads via WhatsApp, hits Brazil hard
Trend Micro researchers said a self‑propagating malware campaign called SORVEPOTEL is spreading via WhatsApp and email to Windows desktops, concentrating in Brazil; it propagates through malicious ZIP attachments and PowerShell, aims for rapid spread rather than data theft, and has led to mass spam and account suspensions.
-
Malicious PyPI package ‘soopsocks’ acted as SOCKS5 proxy and Windows backdoor, researchers say
Researchers say a PyPI package called soopsocks posed as a SOCKS5 proxy but included Windows backdoor capabilities, downloaded 2,653 times before removal; analysis attributes reconnaissance, privilege elevation, firewall changes and data exfiltration to a compiled executable and accompanying scripts.
-
New Android banking trojan Klopatra has infected more than 3,000 devices, Cleafy says
Cleafy said a new Android banking trojan called Klopatra has infected over 3,000 devices, mainly in Spain and Italy, using VNC remote control, dynamic overlays and abuse of Android accessibility services to steal credentials and perform fraudulent transfers.
-
Fake Microsoft Teams installers promoted in search ads deliver Oyster backdoor, researchers say
Search ads and SEO poisoning have been used to promote fake Microsoft Teams installers that deliver the Oyster backdoor to Windows machines, researchers said; the trojanized installer drops a DLL and creates a scheduled task for persistence.
-
Malicious Rust crates impersonating fast_log steal Solana and Ethereum wallet keys, researchers say
Cybersecurity researchers say two malicious Rust crates impersonating the fast_log logging library were used to harvest Solana and Ethereum wallet keys from source code, with Crates.io removing the packages and preserving logs for analysis after responsible disclosure.
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
-
GitHub Tightens npm Publishing Security with 2FA, Short-Lived Tokens and Trusted Publishing
GitHub announced a sweeping set of security measures for npm publishing, including deprecating legacy tokens, migrating to FIDO-based 2FA, and introducing seven-day, short-lived granular tokens plus trusted publishing that uses OpenID Connect and cryptographic provenance attestations to bolster npm’s supply-chain security.
-
SEO-poisoning BadIIS malware tied to Operation Rewrite targets East and Southeast Asia, researchers say
Security researchers say a Chinese-speaking actor is using the BadIIS malware in an Operation Rewrite SEO-poisoning campaign to hijack search results via a compromised IIS proxy, targeting East and Southeast Asia with Vietnam as a focus.
