cryptocurrency wallets Archives

Winsage

May 22, 2025

Microsoft says Lumma password stealer malware found on 394,000 Windows PCs

Microsoft, in collaboration with law enforcement, has taken legal action against the Lumma malware operation, which has affected over 394,000 Windows PCs globally, particularly in Brazil, Europe, and the United States. A federal court authorized the seizure of 2,300 domains used as command and control servers for Lumma, and the Justice Department confiscated five additional domains related to its infrastructure. Lumma is primarily spread through questionable games or cracked applications and extracts sensitive information such as logins, passwords, credit card details, and cryptocurrency wallets, which is then sold to other cybercriminals. Lumma also facilitates the deployment of additional malware, including ransomware, and has been linked to significant cyberattacks on major tech companies like PowerSchool and Snowflake, resulting in substantial data theft.

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

Tech Optimizer

March 31, 2025

Watch Out for This Info-Stealing Malware on Windows

A new malware strain called CoffeeLoader has been identified, posing a significant risk to gamers by masquerading as a legitimate ASUS utility, specifically the Armoury Crate software. Once it infiltrates a system, it deploys the Rhadamanthys infostealer, which can extract sensitive information such as credentials from web browsers, email clients, cryptocurrency wallets, and password managers. CoffeeLoader evades detection by most security tools by operating on the GPU instead of the CPU and using advanced techniques like call stack spoofing, sleep obfuscation, and exploiting Windows fibers. To protect against CoffeeLoader, users should exercise caution when downloading software, navigate directly to official websites, avoid suspicious links, and adhere to basic cybersecurity practices. If infection is suspected, users should disconnect from the internet, reboot in safe mode, delete temporary files, and check Task Manager for unusual activity. Employing a reliable malware scanner can help identify and eliminate infections.

AppWizard

March 24, 2025

Malicious Game Infects Steam Users With Info-Stealing Malware

Steam removed the game Sniper: Phantom's Resolution due to a security breach involving malware designed to extract sensitive user information. The malware was disguised as a legitimate Windows process and employed tactics like executing Node.js scripts and establishing startup persistence. A month earlier, another game, PirateFi, was found to be spreading the Vidar infostealer, affecting up to 1,500 users. Both incidents highlight the risks associated with malware hosted on trusted platforms like Steam, which may exploit vulnerabilities in submission processes. Users often identified suspicious behavior before the platforms did, indicating delayed detection and response times. The lack of timely communication regarding breaches further exacerbates user concerns.

TrendTechie

March 17, 2025

Новый вирус стал атаковать криптокошельки пользователей ПК

Cybersecurity experts from CyberArk have identified a new malware strain called MassJacker, which targets users who download unauthorized software to steal cryptocurrency. MassJacker is categorized as a "clipper" that alters clipboard data, replacing a user's cryptocurrency wallet address with a hacker's address during transactions. The attack often starts from a website posing as a free software download platform. Upon downloading, the Amadey virus first infiltrates the computer, followed by MassJacker, which disguises itself as a legitimate Windows process and uses encryption and command spoofing to avoid detection. Research shows that cybercriminals have created over 778,000 wallets for cryptocurrency theft, with 423 wallets accumulating approximately ,000, leading to potential total losses of around ,000. MassJacker shares similarities with another malware variant, MassLogger, but the identities of the attackers remain unknown.

Winsage

March 8, 2025

Nearly 1 million Windows devices targeted in advanced “malvertising” spree

A recent cyber campaign targeted nearly 1 million devices across various sectors, using GitHub as the primary platform for hosting malicious payloads, with Discord and Dropbox also involved. The malware exfiltrated sensitive information from infected systems, including critical browser files that store login cookies, passwords, and browsing histories. Compromised files included specific SQLite and JSON files from Mozilla Firefox, Google Chrome, and Microsoft Edge, as well as files stored on Microsoft's OneDrive. The malware also targeted cryptocurrency wallet applications like Ledger Live and Trezor Suite. Microsoft identified that the domains hosting malicious advertisements were linked to unauthorized streaming platforms. Microsoft Defender has been updated to detect the attack-related files, and guidance has been provided for those who may have been affected.

Tech Optimizer

February 18, 2025

Microsoft Discovers Return Of Alarming MacOS Malware With Sinister New Tricks

The XCSSET malware, discovered in 2020, allows cybercriminals remote access to developers' MacBooks and has led to a reassessment of macOS security measures. A new variant of XCSSET has been identified, specifically targeting macOS systems and exploiting vulnerabilities, particularly in keychains, to steal sensitive information like usernames and passwords. This variant spreads through Xcode projects and features enhanced functionality that makes detection and removal more challenging. It employs increased randomization in payload generation and uses both xxd and Base64 encoding. The malware can remain undetected, targeting Xcode projects for payload insertion and extracting data from cryptocurrency wallets and the Notes app. Microsoft has confirmed that its Defender for Endpoint on Mac can detect both the old and new variants of XCSSET, but developers are advised to exercise caution by downloading only from trusted sources, using the latest software versions, inspecting Xcode projects before opening them, and avoiding third-party applications.

Tech Optimizer

February 17, 2025

Mac users beware: AI-powered malware threats are on the rise

Apple devices, particularly Macs, are facing an increase in cyberattacks, with a new wave of sophisticated malware targeting sensitive data. The emergence of Atomic Stealer (AMOS) in mid-2023 marked a shift from less harmful adware to more serious threats, with AMOS being marketed as a user-friendly service. By mid-2024, Poseidon became the leading Mac information stealer, responsible for 70% of infections and capable of draining various cryptocurrency wallets and capturing sensitive credentials. Cybercriminals are also using malvertising to lure users into downloading disguised malware. Android users are experiencing an even more severe situation, with a significant rise in phishing attacks. In 2024, researchers identified 22,800 malicious apps designed for phishing, along with thousands capable of reading one-time passwords (OTPs). These apps often mimic legitimate software and can easily infiltrate app stores, including Google Play. While Google Play Protect offers some malware protection, it is not entirely effective. To protect against malware threats, it is recommended to use strong antivirus software, be cautious with downloads and links, keep software updated, use strong and unique passwords, and enable two-factor authentication (2FA) for critical accounts.