cryptocurrency wallet Archives

Tech Optimizer

November 1, 2025

maCERT Warns of Rapidly Spreading Spyware “Acreed”

maCERT, the Moroccan national cybersecurity agency, has issued an alert about a new spyware toolkit called Acreed, which emerged in February 2025. Acreed has become one of the most prevalent information stealers on the dark web, accounting for approximately 17% of underground cyber activity. Its primary function is to infiltrate computers and extract sensitive information, which is then sold or exploited by hackers. Acreed spreads through deceptive emails, infected advertisements, and pirated software downloads. It collects data such as usernames, passwords, browser information, cryptocurrency wallet details, and session tokens for cloud services. The data is transmitted to remote servers controlled by cybercriminals. The risks associated with Acreed affect both individuals and business networks. Recommendations to mitigate the threat include keeping antivirus software updated, monitoring for suspicious activity, avoiding unofficial software downloads, and being cautious with unsolicited emails. Users who suspect infection are encouraged to report it to maCERT for assistance.

AppWizard

October 28, 2025

Telegram Messenger Abused by Android Malware to Seize Full Device Control

Security researchers at Doctor Web have identified a sophisticated Android backdoor, named Android.Backdoor.Baohuo.1.origin, disguised as Telegram X, which has compromised over 58,000 devices globally, with around 20,000 active infections. The malware propagates through malicious websites posing as app catalogs and targets approximately 3,000 different models of devices. It features unprecedented control mechanisms via Redis database integration, allowing extensive manipulation of victims' accounts and devices, including hiding evidence of compromise and autonomously managing messaging functionalities. The malware extracts sensitive data, including SMS messages and clipboard contents, and uploads information to attacker servers every three minutes. Brazil and Indonesia are primary targets, with the malware available on third-party app stores under fraudulent identities.

AppWizard

October 26, 2025

Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

A sophisticated backdoor known as Android.Backdoor.Baohuo.1.origin has been identified in malicious versions of the Telegram X messenger, granting attackers comprehensive control over victims’ accounts. This malware has compromised over 58,000 devices across approximately 3,000 smartphone models and other Android-based systems, primarily targeting users in Brazil and Indonesia. It spreads through misleading advertisements and third-party app stores, often masquerading as legitimate applications. The malware can exfiltrate sensitive information, manage user interactions, and manipulate messenger functionality without detection. It utilizes a Redis database for command-and-control operations, representing a novel approach in Android malware. The backdoor monitors clipboard contents and collects device information, sending data to attackers every three minutes while disguising its activities.

AppWizard

October 24, 2025

Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

A new Android malware, identified as Android.Backdoor.Baohuo.1.origin, is disguised as counterfeit versions of the messaging app Telegram X. It has been labeled as one of the most sophisticated Android backdoors this year. The malware is distributed through online advertisements promising enhanced features and connects to remote servers to grant attackers full control over the user’s Telegram account. It can conceal unauthorized logins, erase chat traces, and manipulate app behavior in real-time using the Xposed framework. Over 58,000 devices have been infected, primarily in India, Brazil, and Indonesia. Baohuo communicates directly with a Redis database for command-and-control, allowing seamless operation even if primary servers are down. It can intercept clipboard data and perform regular check-ins on user activity. The malware has been found in third-party app stores, falsely attributed to Telegram’s developer. Users are advised to download Telegram only from official sources.

Tech Optimizer

October 21, 2025

Luma Infostealer Malware Launches Attacks to Steal Browser Cookies, Cryptocurrency, and Remote Access Accounts

Lumma Infostealer is a sophisticated information-stealing malware that targets high-value credentials and sensitive assets on Windows systems. It is distributed through a Malware-as-a-Service (MaaS) model, allowing inexperienced attackers to conduct data theft campaigns. Lumma is primarily deployed via phishing campaigns disguised as cracked or pirated software, often hosted on legitimate platforms like MEGA Cloud. Upon execution, Lumma uses a multi-stage decryption process and process injection techniques to activate its payload while evading detection. The latest samples utilize the Nullsoft Scriptable Install System (NSIS) as a deceptive installer, extracting malicious payloads into the %Temp% directory and launching a counterfeit document that triggers a sequence of commands to deploy Lumma’s core. Once activated, Lumma communicates with command-and-control servers (including rhussois[.]su, diadtuky[.]su, and todoexy[.]su) to gather stored browser credentials, session cookies, Telegram data, remote access configuration files, and cryptocurrency wallet information, which is then exfiltrated for exploitation. The malware avoids detection by checking for security solutions and has a modular architecture that complicates signature-based detection. Effective detection requires behavior-based Endpoint Detection and Response (EDR) systems that monitor real-time activities. To mitigate exposure, security professionals recommend avoiding storing credentials in browsers, enforcing multi-factor authentication (MFA), and monitoring suspicious processes. Indicators of Compromise (IoC) include: - E6252824BE8FF46E9A56993EEECE0DE6 - E1726693C85E59F14548658A0D82C7E8 - 19259D9575D229B0412077753C6EF9E7 - 2832B640E80731D229C8068A2F0BCC39 Command-and-control domains include: - diadtuky[.]su - rhussois[.]su - todoexy[.]su

Tech Optimizer

October 20, 2025

TikTok Videos Spread ClickFix Malware, Stealing User Credentials

Cybercriminals are increasingly using TikTok to spread malware through seemingly harmless videos that promise free software activations for applications like Windows, Spotify, or Netflix. These videos employ a technique called ClickFix, which tricks users into executing harmful PowerShell commands that install infostealers, compromising sensitive information such as login credentials and financial data. The malware can self-compile on the victim's device, making it harder to detect. Reports indicate a shift in these tactics from platforms like YouTube and Meta to TikTok, with over 30,000 websites compromised in related DNS malware campaigns. Artificial intelligence is also being used to create deceptive videos that resemble legitimate content, complicating the identification of malicious material. Android users face similar threats from apps impersonating popular services, such as WhatsApp or TikTok. Experts recommend enabling two-factor authentication, using reputable antivirus software, avoiding unverified commands, and adjusting privacy settings on TikTok to mitigate these risks.

Tech Optimizer

October 7, 2025

New Fully Undetectable FUD Android RAT Discovered and Publicly Released for Download on GitHub

A new Android Remote Access Trojan (RAT) has appeared on GitHub, described as fully undetectable and capable of bypassing advanced permission and background process restrictions in customized Chinese ROMs like MIUI and EMUI. This malware utilizes a multi-layer dropper to integrate its payload within legitimate applications, allowing it to overcome autostart restrictions and battery optimization features. Upon installation, it escalates privileges to gain comprehensive access to the device, using AES-128-CBC encryption for command-and-control communication to evade detection. The RAT can record and delete call logs, intercept voice calls, manipulate SMS messages, and capture keystrokes through a keylogger. It also has capabilities for live screen captures, camera access, audio and video recording, and clipboard hijacking. Additionally, it can encrypt files and lock the device, demanding a ransom for access. The malware employs social engineering tactics, such as spoofed notifications and phishing prompts, to facilitate credential theft. Its persistence mechanisms allow it to operate with minimal resource usage, making detection difficult. The attacker interface is web-based, enabling control from any standard browser without specialized infrastructure. The public release of this RAT raises concerns about the misuse of open-source repositories for distributing malicious tools, prompting calls for stricter oversight on platforms like GitHub.

Tech Optimizer

September 15, 2025

HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks

Chinese-speaking users are experiencing a sophisticated SEO poisoning campaign that uses counterfeit software sites to spread malware. Researchers from Fortinet FortiGuard Labs discovered this activity in August 2025, which involves manipulating search rankings to redirect users to fraudulent sites that deliver malware through trojanized installers. The malware families identified include HiddenGh0st and Winos, both variants of the Gh0st RAT, linked to a cybercrime group known as Silver Fox. The attack mechanism involves a script named nice.js that orchestrates the malware delivery process, leading to the installation of a malicious DLL, "EnumW.dll," which performs anti-analysis checks and extracts another DLL, "vstdlib.dll." This second DLL inflates memory usage to evade detection and is responsible for launching the main payload. The malware aims to sideload a DLL, "AIDE.dll," which establishes a Command-and-Control (C2) communication, collects victim data, and monitors user activity. Additionally, a separate campaign targeting Chinese-speaking users has been flagged by Zscaler ThreatLabz, featuring a new malware called kkRAT. This malware shares code similarities with Gh0st RAT and employs fake installer pages to deliver multiple trojans. It uses techniques to bypass security software and targets specific antivirus programs, including 360 Total Security and Kingsoft Internet Security. The installer launches shellcode that retrieves additional malicious payloads, including kkRAT, which can perform various data-gathering tasks and manipulate clipboard data to replace cryptocurrency addresses.

Tech Optimizer

September 13, 2025

Researchers Uncover Undetectable Malware Draining Crypto Browser Wallets

A new strain of malware called ModStealer has emerged, capable of evading antivirus detection while targeting cryptocurrency wallets on Windows, Linux, and macOS. It has reportedly gone undetected by major antivirus engines for nearly a month and is being disseminated through deceptive job recruitment ads aimed at developers. ModStealer scans for browser-based cryptocurrency wallet extensions, system credentials, and digital certificates, exfiltrating the data to remote Command and Control servers. On macOS, it uses a persistence method to run automatically at startup, disguising itself as a benign program. It combines persistence with strong obfuscation techniques, making it resilient against traditional security measures. The malware poses significant risks to cryptocurrency users and platforms, with potential compromises of private keys and wallet data leading to asset losses and large-scale exploits.

Tech Optimizer

September 12, 2025

Modstealer malware bypasses antivirus, targets crypto wallets

A newly identified strain of malware called ModStealer can bypass antivirus protections to steal data from cryptocurrency wallets on Windows, Linux, and macOS. It operated undetected for nearly a month, infiltrating systems through misleading job advertisements targeting software developers. ModStealer has multi-platform support and a stealthy execution chain, allowing it to launch simultaneous attacks across various operating systems. Upon execution, it scans for browser-based cryptocurrency wallet extensions, system credentials, and digital certificates. On macOS, it disguises itself as a background helper program to ensure continuous operation. Indicators of potential ModStealer infections include a hidden file named “.sysupdater.dat,” outbound connections to suspicious servers, unexpected background processes, unusual behavior from wallet extensions, and unauthorized access attempts to digital certificates. The malware poses significant risks to individual users by compromising private keys and seed phrases, and it could lead to large-scale thefts in the cryptocurrency industry. To protect against ModStealer, users are advised to use hardware wallets, enable multi-factor authentication, update antivirus software, avoid suspicious job ads, monitor startup processes, back up seed phrases offline, and use separate devices for transactions.