cryptocurrency wallets Archives

Tech Optimizer

May 28, 2025

Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data

Cybercriminals are executing a sophisticated malware campaign through a counterfeit Bitdefender antivirus website, specifically the domain “bitdefender-download[.]co,” which mimics the legitimate site. This fraudulent site distributes three types of malware: VenomRAT, StormKitty, and SilentTrinity, aimed at stealing financial data and maintaining persistent access to victims’ computers. When users click the “Download For Windows” button, they inadvertently download a ZIP file containing these malicious programs. VenomRAT acts as a remote access tool, allowing attackers to steal files, cryptocurrency wallets, and browser data, including credit card information. StormKitty quickly harvests sensitive credentials, while SilentTrinity provides stealthy long-term access for further exploitation. The fake Bitdefender site is linked to other malicious domains impersonating banks, indicating a coordinated phishing operation. The attackers utilize the same command and control infrastructure, with the IP address 67.217.228.160:4449 identified as a connection point. Bitdefender is working to take down the fraudulent site, and Google Chrome has begun flagging the link as malicious. Security experts recommend verifying website authenticity and downloading software only from official sources.

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.

Winsage

May 22, 2025

Microsoft says Lumma password stealer malware found on 394,000 Windows PCs

Microsoft, in collaboration with law enforcement, has taken legal action against the Lumma malware operation, which has affected over 394,000 Windows PCs globally, particularly in Brazil, Europe, and the United States. A federal court authorized the seizure of 2,300 domains used as command and control servers for Lumma, and the Justice Department confiscated five additional domains related to its infrastructure. Lumma is primarily spread through questionable games or cracked applications and extracts sensitive information such as logins, passwords, credit card details, and cryptocurrency wallets, which is then sold to other cybercriminals. Lumma also facilitates the deployment of additional malware, including ransomware, and has been linked to significant cyberattacks on major tech companies like PowerSchool and Snowflake, resulting in substantial data theft.

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

Tech Optimizer

March 31, 2025

Watch Out for This Info-Stealing Malware on Windows

A new malware strain called CoffeeLoader has been identified, posing a significant risk to gamers by masquerading as a legitimate ASUS utility, specifically the Armoury Crate software. Once it infiltrates a system, it deploys the Rhadamanthys infostealer, which can extract sensitive information such as credentials from web browsers, email clients, cryptocurrency wallets, and password managers. CoffeeLoader evades detection by most security tools by operating on the GPU instead of the CPU and using advanced techniques like call stack spoofing, sleep obfuscation, and exploiting Windows fibers. To protect against CoffeeLoader, users should exercise caution when downloading software, navigate directly to official websites, avoid suspicious links, and adhere to basic cybersecurity practices. If infection is suspected, users should disconnect from the internet, reboot in safe mode, delete temporary files, and check Task Manager for unusual activity. Employing a reliable malware scanner can help identify and eliminate infections.

AppWizard

March 24, 2025

Malicious Game Infects Steam Users With Info-Stealing Malware

Steam removed the game Sniper: Phantom's Resolution due to a security breach involving malware designed to extract sensitive user information. The malware was disguised as a legitimate Windows process and employed tactics like executing Node.js scripts and establishing startup persistence. A month earlier, another game, PirateFi, was found to be spreading the Vidar infostealer, affecting up to 1,500 users. Both incidents highlight the risks associated with malware hosted on trusted platforms like Steam, which may exploit vulnerabilities in submission processes. Users often identified suspicious behavior before the platforms did, indicating delayed detection and response times. The lack of timely communication regarding breaches further exacerbates user concerns.

TrendTechie

March 17, 2025

Новый вирус стал атаковать криптокошельки пользователей ПК

Cybersecurity experts from CyberArk have identified a new malware strain called MassJacker, which targets users who download unauthorized software to steal cryptocurrency. MassJacker is categorized as a "clipper" that alters clipboard data, replacing a user's cryptocurrency wallet address with a hacker's address during transactions. The attack often starts from a website posing as a free software download platform. Upon downloading, the Amadey virus first infiltrates the computer, followed by MassJacker, which disguises itself as a legitimate Windows process and uses encryption and command spoofing to avoid detection. Research shows that cybercriminals have created over 778,000 wallets for cryptocurrency theft, with 423 wallets accumulating approximately ,000, leading to potential total losses of around ,000. MassJacker shares similarities with another malware variant, MassLogger, but the identities of the attackers remain unknown.

Winsage

March 8, 2025

Nearly 1 million Windows devices targeted in advanced “malvertising” spree

A recent cyber campaign targeted nearly 1 million devices across various sectors, using GitHub as the primary platform for hosting malicious payloads, with Discord and Dropbox also involved. The malware exfiltrated sensitive information from infected systems, including critical browser files that store login cookies, passwords, and browsing histories. Compromised files included specific SQLite and JSON files from Mozilla Firefox, Google Chrome, and Microsoft Edge, as well as files stored on Microsoft's OneDrive. The malware also targeted cryptocurrency wallet applications like Ledger Live and Trezor Suite. Microsoft identified that the domains hosting malicious advertisements were linked to unauthorized streaming platforms. Microsoft Defender has been updated to detect the attack-related files, and guidance has been provided for those who may have been affected.