cryptocurrency Archives

Tech Optimizer

June 9, 2025

ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information

The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs): - MD5: - 064b1e45016e8a49eba01878e41ecc37 - 0ed2d0579b60d9e923b439d8e74b53e1 - 0efe1a5d5f4066b7e9755ad89ee9470c - 197ff9252dd5273e3e77ee07b37fd4dd - 1ec4b69f3194bd647639e6b0fa5c7bb5 - URLs: - http://136.243.132.112/ut.exe - http://136.243.132.112:881/3.exe - http://136.243.132.112:881/APPDATA.exe - http://136.243.132.112:881/a.ps1 - http://136.243.132.112:881/firefoxtemp.exe - IPs: - 136.243.132.112 - 160.191.77.89 - 185.245.183.74 - 212.56.35.232 - 89.117.79.31

Tech Optimizer

June 9, 2025

Cryptostealing Malware Found in Printer Software Highlights Growing Supply Chain Threat

A cybersecurity incident involving Procolored printers revealed vulnerabilities in everyday hardware, as users may have downloaded malware capable of stealing cryptocurrencies like Bitcoin. Tech content creator Cameron Coward reported an antivirus alert linked to Procolored printer software, prompting an investigation by G Data researchers who found malicious code in installation files on the manufacturer's website. The identified threats included a remote access tool (Win32.Backdoor.XRedRAT.A) and a cryptocurrency wallet stealer (MSIL.Trojan-Stealer.CoinStealer.H). Compromised files were last updated in October 2024 and distributed through official channels. The company initially denied the issue but later removed the downloads from their website in May 2025 and acknowledged the malware might have been introduced via USB transfers. An analysis of an attacker’s wallet showed a total of 9.3 BTC accumulated across 330 transactions before it was emptied. Cybersecurity experts recommend that users conduct antivirus scans and consider reformatting drives and reinstalling operating systems if infections are suspected.

AppWizard

June 8, 2025

These apps tricked Google to list them in the Play Store and you must delete them from your phone

The Google Play Store has been infiltrated by deceptive applications that are part of a phishing campaign, as revealed by an investigation by Cyble. These applications mimic legitimate digital wallets, including names like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, and have utilized over 50 domains to evade detection. The primary threat involves the extraction of users' mnemonic phrases, which are critical for accessing cryptocurrency and tokens. Users are advised to uninstall nine specific apps identified by Cyble: Pancake Swap, Suite Wallet, Hyperliquid, Raydium, BullX Crypto, OpenOcean Exchange, Meteora Exchange, SushiSwap, and Harvest Finance Blog, to protect their digital assets. Although many of these malicious apps have been removed from the Play Store, the risk persists for those who still have them installed.

Tech Optimizer

June 5, 2025

CISA releases TTPs & IoCs for Play Ransomware That Hacked 900+ Orgs

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Australian Cyber Security Centre, released an advisory on the Play ransomware group, which has targeted around 900 entities since its inception in June 2022. The group employs a double extortion model, exploiting vulnerabilities in public-facing applications and using tools for lateral movement and credential dumping. Their operations involve recompiling ransomware binaries for each attack to evade detection. The advisory highlights mitigation measures such as multifactor authentication and regular software patching. The Play ransomware specifically targets virtual environments and encrypts files using AES-256 encryption. Indicators of Compromise (IoCs) include: - SVCHost.dll (Backdoor) - SHA-256: 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E - Backdoor - SHA-256: 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A - PSexesvc.exe (Custom Play “psexesvc”) - SHA-256: 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 - HRsword.exe (Disables endpoint protection) - SHA-256: 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 - Hi.exe (Associated with ransomware) - SHA-256: 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6

Winsage

June 2, 2025

The Tech Circus: AI’s Grand Finale, Elon Musk’s Punchline, and Microsoft’s Notepad Bold Move

Mary Meeker has released a comprehensive 340-page AI report highlighting rapid advancements and widespread adoption of artificial intelligence. Venture capitalists are heavily investing in AI across various sectors, including healthcare and coffee shops. Elon Musk recently left Washington, D.C. with a black eye from a playful encounter with his son, reflecting his unpredictable standing. The DOGE project has left behind issues such as water damage and pests. Microsoft has updated Notepad to include text formatting features like bold, italics, hyperlinks, and Markdown support, currently available for Windows 11 Canary and Dev Channel testers.

Tech Optimizer

May 28, 2025

Watch out – that antivirus website could be a fake, and infecting your PC with malware

Researchers have discovered a fraudulent website, "bitdefender-download[.]com," posing as Bitdefender antivirus, which is used to distribute the VenomRAT Remote Access Trojan. The site, hosted on an Amazon S3 bucket, tricks users into downloading harmful software through an executable file named "StoreInstaller.exe," which is linked to VenomRAT and contains code from post-exploitation frameworks SilentTrinity and StormKitty stealer. VenomRAT allows cybercriminals to gain unauthorized control over Windows systems, steal sensitive information, log keystrokes, access webcams, and execute commands remotely. The primary goal of this campaign is to steal cryptocurrency by compromising credentials and crypto wallets. The investigation also found connections to other fraudulent operations impersonating banks and IT services, including the Armenian IDBank and the Royal Bank of Canada.

AppWizard

May 28, 2025

Google’s latest fraud advisory update keeps users keen on emerging threats

Google has released an updated fraud and scam advisory in anticipation of its inaugural Scams Summit, highlighting prevalent scam tactics such as customer support, package tracking, and toll road scams. The company has enhanced its Phone and Messages app with advanced scam protection features for Android users, integrating Gemini technology to detect and block potential scams. Google’s updated advisory also addresses risks from malvertising and counterfeit travel websites, while Chrome has received an update featuring AI-driven warnings for potential scams. Additionally, new scam protection features for calls and texts have been introduced, focusing on blocking actions when potential call scams are detected and identifying various scams related to toll roads, billing, cryptocurrency, and financial impersonation.

Tech Optimizer

May 28, 2025

Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data

Cybercriminals are executing a sophisticated malware campaign through a counterfeit Bitdefender antivirus website, specifically the domain “bitdefender-download[.]co,” which mimics the legitimate site. This fraudulent site distributes three types of malware: VenomRAT, StormKitty, and SilentTrinity, aimed at stealing financial data and maintaining persistent access to victims’ computers. When users click the “Download For Windows” button, they inadvertently download a ZIP file containing these malicious programs. VenomRAT acts as a remote access tool, allowing attackers to steal files, cryptocurrency wallets, and browser data, including credit card information. StormKitty quickly harvests sensitive credentials, while SilentTrinity provides stealthy long-term access for further exploitation. The fake Bitdefender site is linked to other malicious domains impersonating banks, indicating a coordinated phishing operation. The attackers utilize the same command and control infrastructure, with the IP address 67.217.228.160:4449 identified as a connection point. Bitdefender is working to take down the fraudulent site, and Google Chrome has begun flagging the link as malicious. Security experts recommend verifying website authenticity and downloading software only from official sources.

BetaBeacon

May 28, 2025

Flappy Bird Returns to Android Without Crypto Elements Via Epic Games Store

- The original Flappy Bird game has been re-released on the Epic Games Store without any crypto features. - The new version includes enhanced features such as local leaderboards and achievement systems. - The return of Flappy Bird to the Epic Games Store signifies a shift in the Android gaming distribution landscape. - The creators of Flappy Bird are still considering incorporating crypto features in the future, but the current version is crypto-free. - Android users can currently only access the game on the Epic Games Store, with no information on availability on iOS or Google Play Store.

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.