cybersecurity researchers Archives

Tech Optimizer

December 3, 2025

Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems

A malicious Rust package named "evm-units," uploaded by a user called "ablerust" to crates.io in mid-April 2025, poses a significant threat to developers on Windows, macOS, and Linux. It has over 7,000 downloads and is designed to execute its payload stealthily, depending on the victim's operating system and the presence of Qihoo 360 antivirus. The package disguises itself as a function that returns the Ethereum version number and can detect Qihoo 360 antivirus software. It downloads and executes different payloads based on the operating system: a script for Linux, a file for macOS, and a PowerShell script for Windows. If the antivirus is not detected, it creates a Visual Basic Script wrapper to run a hidden PowerShell script. The package targets the Web3 community, particularly developers, and is linked to the widely used "uniswap-utils" package. Both "evm-units" and "uniswap-utils" have been removed from the repository.

AppWizard

December 1, 2025

Android malware Albiriox abuses 400+ financial apps in on-device fraud and screen manipulation attacks

A new malware-as-a-service (MaaS) called Albiriox has emerged, targeting banking and cryptocurrency applications, particularly focusing on Austrian users. It is marketed on the dark web and employs deceptive tactics, such as mimicking legitimate businesses and creating fake landing pages and app listings on the Google Play Store. Victims are tricked into providing their phone numbers, leading to the delivery of a malicious APK file via SMS or WhatsApp. This APK acts as a dropper, designed to bypass detection methods and requests permissions under the guise of a “software update” to download the actual malicious payload. Once installed, it can take control of the device or function as an infostealer, extracting sensitive information like phone numbers and passwords, which is sent to a Telegram channel. Cleafy researchers suggest that the Albiriox campaign is linked to Russian cyber actors based on their activities on cybercrime forums and communication style.

Tech Optimizer

November 17, 2025

JSON services hijacked by North Korean hackers to send out malware

The Lazarus Group, a North Korean state-sponsored hacking organization, has been using JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host malicious software. They lure victims through deceptive LinkedIn job offers to deploy malware such as BeaverTail, InvisibleFerret, and TsunamiKit, the latter being a multi-stage toolkit that can act as an information stealer or cryptojacker by installing XMRig to mine Monero. Additional malware variants like Tropidoor and AkdoorTea have been deployed through the BeaverTrail framework, targeting software developers for sensitive data and crypto wallet information. The group's use of legitimate websites and code repositories aims to blend malicious activities with normal internet traffic, increasing their chances of success and posing a significant cybersecurity threat.

Winsage

November 14, 2025

All Microsoft Windows Users Warned As New Bot Attacks Confirmed

A t-shirt states, "It gets worse before it gets worse," reflecting the current situation for Microsoft users facing a zero-day vulnerability in Windows. Cybersecurity researchers report a resurgence of DanaBot, a trojan previously thought diminished after Operation Endgame, which resulted in the arrest of 16 individuals and the seizure of millions in stolen cryptocurrency. DanaBot is now operating under version 669, utilizing a new infrastructure and employing malicious emails and malvertising campaigns for attacks. Experts advise Microsoft Windows users to enhance security measures with advanced monitoring and detection systems while remaining vigilant against phishing and malvertising threats.

Tech Optimizer

November 13, 2025

Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that uses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on users' systems. Attackers lure victims to fake download sites that mimic legitimate software pages for utilities like Notepad++, 7-Zip, and VLC Media Player, delivering modified versions of LogMeIn Resolve. The malicious installers are disguised with filenames such as "notepad++.exe" and "chatgpt.exe." Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive malicious capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and verify digital signatures, while organizations should monitor for unauthorized RMM installations and the identified indicators of compromise.

AppWizard

October 30, 2025

More Than 700 Malicious Android Apps Using NFC Relay to Exfiltrate Banking Credentials

Cybersecurity researchers at zLabs have identified over 760 malicious Android applications that exploit Near Field Communication (NFC) and Host Card Emulation (HCE) technologies to steal payment data and facilitate fraudulent transactions. Since April 2024, these applications have evolved into a coordinated global operation targeting financial institutions in countries such as Russia, Poland, the Czech Republic, Slovakia, and Brazil. The threat actors have established around 70 command-and-control servers and use Telegram bots for data exfiltration. The malicious apps impersonate about 20 legitimate entities, focusing on Russian banks and international institutions like Santander and Google Pay. They utilize various strategies to compromise payment credentials, including scanner and tapper tools, and employ simplified interfaces resembling legitimate banking portals. The malware activates a Host Card Emulation service during NFC payment events for real-time data relay. To evade detection, the threat actors use name masquerading, code obfuscation, and software packing techniques. This campaign represents a significant escalation in NFC-based financial fraud, highlighting the risks associated with NFC payment privileges.

Tech Optimizer

October 29, 2025

Talk about geriatric – This devious Android malware escapes detection by typing like an old person

Herodotus malware mimics human typing patterns to evade detection by traditional antivirus systems. It spreads through SMS phishing, tricking users into downloading it, and installs silently by using deceptive screens and bypassing permission requests. Cybersecurity researchers recommend Android users activate Google Play Protect and avoid downloading apps from unofficial sources to enhance their defenses against this threat.

AppWizard

October 10, 2025

Popular VPN app can empty your bank accounts, security experts warn

Cybersecurity researchers have identified a dangerous Android malware disguised as the Mobdro Pro IP TV + VPN app, which has already affected over 3,000 devices in Europe. The malware, known as Klopatra, gains remote control of infected devices by exploiting Android Accessibility Services, allowing cybercriminals to access users' bank accounts. The app prompts users to grant permissions that facilitate the attack, and it is suspected to originate from a Turkish-speaking group. Cleafy estimates around 1,000 individuals have been affected, raising concerns that other criminal organizations may replicate this scheme, complicating detection efforts.

AppWizard

October 2, 2025

This dangerous new Android malware disguises itself as a VPN or IPTV app – so be on your guard

Cybersecurity researchers from Cleafy have identified an Android trojan named Klopatra, which targets banking and cryptocurrency users by stealing funds from banking applications and cryptocurrency from hot wallets. This malware, attributed to a Turkish threat actor, has been active since March 2025 and has undergone 40 iterations. It is distributed through a deceptive app called Modpro IP TV + VPN, which requests Accessibility Services permissions upon installation. Klopatra employs advanced techniques to evade detection, including the use of Virbox for code protection, minimizing Java and Kotlin usage, NP Manager string encryption, and multiple anti-debugging features. Currently, at least 3,000 devices in Europe have been compromised by this malware.

AppWizard

October 2, 2025

Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal

Cybersecurity researchers have discovered two families of Android spyware that impersonate messaging applications Signal and ToTok, linked to campaigns named ProSpy and ToSpy. ToTok was discontinued in 2020 after being identified as a surveillance tool for the UAE government, but the spyware is disguised as an enhanced version called ToTok Pro. The spyware requests extensive permissions upon installation and exfiltrates sensitive data. It was distributed through third-party websites posing as legitimate services, with confirmed detections in the UAE, indicating a targeted operation. The spyware campaigns primarily aim at privacy-conscious residents in the UAE, as suggested by the domain name ending in “ae.net.”