NewApp Digest
search bot

cybersecurity threat

LofyStealer Uses Node.js Loader Against Minecraft Gamers
AppWizard
April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.
silver Android smartphone
Tech Optimizer
April 22, 2026

New STX RAT Uses Hidden Remote Desktop and Infostealer Features to Evade Detection

A newly identified remote access trojan, STX RAT, emerged in 2026, integrating hidden remote desktop access with credential theft features. The name "STX" comes from the Start of Text magic byte x02, which it appends to communications with its command-and-control (C2) server. Initial sightings were reported in late February 2026, when it was delivered via a browser-downloaded VBScript file to a financial organization. By early March, Malwarebytes noted a campaign distributing STX RAT through compromised FileZilla installers. Researchers from eSentire’s Threat Response Unit analyzed the malware, which includes extensive anti-analysis measures and employs techniques like AMSI-ghosting. Once operational, STX RAT connects to a C2 server at 95.216.51.236, transmitting system information securely. It targets saved credentials from applications like FileZilla and includes a Hidden Virtual Network Computing (HVNC) module, allowing attackers to control a victim's machine without detection. Security teams are advised to block the C2 IP and implement detection rules to mitigate the threat.
New malware can read your chats and steal your money
Tech Optimizer
December 25, 2025

New malware can read your chats and steal your money

The Android banking trojan Sturnus has emerged as a significant cybersecurity threat, capable of taking control of a device's screen, stealing banking credentials, and accessing encrypted communications from trusted applications. It operates stealthily, capturing decrypted messages without breaking encryption. To protect against Sturnus, users should employ robust antivirus software, be vigilant with app prompts, and exercise caution with links and attachments, as malware is often spread through these channels. Attackers can remotely control devices to execute financial transactions without user knowledge.
Android warning issued as fake apps spread DroidLock ransomware demanding payment
AppWizard
December 11, 2025

Android warning issued as fake apps spread DroidLock ransomware demanding payment

DroidLock is a newly identified ransomware targeting Android users in Europe, capable of locking users out of their devices and demanding ransom for access or threatening permanent data deletion. It spreads through deceptive websites promoting counterfeit applications and gains access to devices by monitoring user passcodes. Victims report ransom demands displayed on their screens, often accompanied by a countdown timer. The ransomware employs phishing tactics to lure users into downloading harmful software, which can lock screens, obtain app lock credentials, exploit device administrator privileges, capture images, and silence devices. While it has not yet reached the UK, experts advise users to download applications only from official sources like the Google Play Store and to verify developer credentials for third-party software.
Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems
Tech Optimizer
December 3, 2025

Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems

A malicious Rust package named "evm-units," uploaded by a user called "ablerust" to crates.io in mid-April 2025, poses a significant threat to developers on Windows, macOS, and Linux. It has over 7,000 downloads and is designed to execute its payload stealthily, depending on the victim's operating system and the presence of Qihoo 360 antivirus. The package disguises itself as a function that returns the Ethereum version number and can detect Qihoo 360 antivirus software. It downloads and executes different payloads based on the operating system: a script for Linux, a file for macOS, and a PowerShell script for Windows. If the antivirus is not detected, it creates a Visual Basic Script wrapper to run a hidden PowerShell script. The package targets the Web3 community, particularly developers, and is linked to the widely used "uniswap-utils" package. Both "evm-units" and "uniswap-utils" have been removed from the repository.
JSON services hijacked by North Korean hackers to send out malware
Tech Optimizer
November 17, 2025

JSON services hijacked by North Korean hackers to send out malware

The Lazarus Group, a North Korean state-sponsored hacking organization, has been using JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host malicious software. They lure victims through deceptive LinkedIn job offers to deploy malware such as BeaverTail, InvisibleFerret, and TsunamiKit, the latter being a multi-stage toolkit that can act as an information stealer or cryptojacker by installing XMRig to mine Monero. Additional malware variants like Tropidoor and AkdoorTea have been deployed through the BeaverTrail framework, targeting software developers for sensitive data and crypto wallet information. The group's use of legitimate websites and code repositories aims to blend malicious activities with normal internet traffic, increasing their chances of success and posing a significant cybersecurity threat.
Act Now — Microsoft Issues Emergency Windows Update As Attacks Begin
Winsage
October 25, 2025

Act Now — Microsoft Issues Emergency Windows Update As Attacks Begin

Microsoft has announced an emergency fix for a critical vulnerability, CVE-2025-59287, affecting Windows Server users, specifically within the Windows Server Update Service (WSUS). The Cybersecurity and Infrastructure Security Agency (CISA) has indicated that attacks exploiting this vulnerability are already occurring. The WSUS Server Role is not enabled by default, meaning only servers with this role activated are at risk unless the fix is applied. CISA has mandated that certain federal agencies address this issue within two weeks and advises organizations to follow Microsoft's guidance to prevent unauthorized remote code execution. Recommended steps include identifying vulnerable servers, applying the security update released on October 23, 2025, and rebooting WSUS servers post-installation. For those unable to update immediately, disabling the WSUS server role and blocking inbound traffic to ports 8530 and 8531 is advised.
Worried About 2FA Codes? Pixnapping on Android Might Steal Them
AppWizard
October 15, 2025

Worried About 2FA Codes? Pixnapping on Android Might Steal Them

A new cybersecurity threat called "Pixnapping" has been identified, targeting Android users. This attack can capture sensitive information displayed on a user's screen, such as two-factor authentication codes and chat messages, in under 30 seconds. It operates through a seemingly harmless app that prompts a target application to display confidential content and then analyzes the phone's rendering pipeline pixel by pixel to reconstruct the displayed information. The technique has been successfully demonstrated on Google Pixel devices and Samsung's Galaxy S25, exploiting timing discrepancies in graphics rendering. Google has released a patch (CVE-2025-48561) in September to address this vulnerability, though no real-world exploitation has been reported.
CISA Warns of Rising Play Ransomware Threat to Infrastructure
Tech Optimizer
June 7, 2025

CISA Warns of Rising Play Ransomware Threat to Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical advisory on December 18, 2023, regarding the rising threat of Play Ransomware, which targets various organizations, particularly critical infrastructure and public sector entities. The advisory details the tactics used by Play Ransomware actors, including exploiting unpatched systems and phishing campaigns, leading to severe consequences like data encryption and high ransom demands. The ransomware can disable antivirus software and exfiltrate sensitive data before encryption. Play Ransomware employs double extortion tactics, threatening to leak stolen data if ransoms are not paid. CISA recommends organizations prioritize patch management, implement multi-factor authentication, train employees to recognize phishing attempts, and maintain regular offline data backups. The advisory calls for collaboration between public and private sectors to combat this threat and emphasizes the importance of information sharing to stay ahead of ransomware tactics.
Search