infections

AppWizard
July 8, 2025
A newly identified Android malware family, Qwizzserial, has emerged as a significant threat in Uzbekistan, disguising itself as legitimate financial and government applications. It spreads primarily through Telegram, using deceptive channels to impersonate authorities and financial institutions, luring victims with offers of financial assistance. Upon installation, Qwizzserial requests permissions related to SMS and phone state, prompting users to input sensitive information such as phone numbers and bank card details, which it exfiltrates via the Telegram Bot API or HTTP POST requests. The malware intercepts incoming SMS messages, including one-time passwords (OTPs) for two-factor authentication, and can extract financial information from messages. Analysts from Group-IB have tracked around 100,000 infections linked to Qwizzserial, with confirmed financial losses exceeding ,000,000 within three months. The malware's infection pattern follows a Pareto distribution, with a small subset of samples causing the majority of infections, particularly those impersonating financial institutions. Security solutions have developed detection rules for Qwizzserial, and organizations are encouraged to implement user education and monitoring to mitigate risks. End-users are advised against installing applications from untrusted sources and to scrutinize app permissions. Indicators of Compromise (IOC) include specific C2 domains and file hashes for both example and latest samples of Qwizzserial.
Tech Optimizer
July 7, 2025
The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.
AppWizard
July 3, 2025
A sophisticated Android malware campaign named Qwizzserial has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. Initially identified in mid-2024, it disguises itself as legitimate applications to deceive users into installation. Analysts from Group-IB uncovered it, noting its distribution network resembles the Classiscam fraud infrastructure. The campaign has reportedly infected around 100,000 users, resulting in financial losses exceeding ,000 within three months. The primary distribution channel is Telegram, where cybercriminals pose as government entities. Qwizzserial requests critical permissions upon installation and collects personal and financial information, systematically harvesting existing SMS messages. Recent iterations have incorporated obfuscation techniques and enhanced persistence mechanisms.
Tech Optimizer
July 1, 2025
Android users may encounter fake virus warning pop-ups, often triggered by visiting malicious websites. To remove these pop-ups, users should close all browser windows, force stop the active browser, and clear its cache. For prevention, users should keep their Chrome app updated, disable pop-ups and ads, and enable prompts for automatic downloads. While the risk of actual viruses on unrooted Android devices is low, users should uninstall suspicious apps and use malware detection apps like Malwarebytes and CCleaner to ensure their devices are malware-free. If a virus warning appears outside the browser, it may indicate a compromised browser due to a malicious add-on.
Tech Optimizer
June 27, 2025
The ClickFix attack vector has increased by 517% since the latter half of 2024, becoming the second most exploited method for cyberattacks, following phishing. Hackers are using ClickFix to deploy various infostealing malware, including Lumma Stealer, VidarStealer, StealC, and Danabot. The ClickFix mechanism involves a counterfeit reCAPTCHA that misleads users into executing harmful PowerShell commands. This method is primarily spread through phishing emails directing users to fraudulent websites. ESET’s Threat Report indicates that SnakeStealer has surpassed Agent Tesla as the most frequently detected infostealer, targeting businesses in the US and EU for credential theft. The ransomware landscape has been disrupted by internal conflicts among groups, with DragonForce launching defacement campaigns against other ransomware entities. On mobile devices, Kaleidoscope infections have caused a 160% increase in Android adware detections, and the SparkKitty malware has been found in both the Apple App Store and Google Play Store. Kaleidoscope generates revenue through intrusive ads while infecting devices with a malicious app from third-party stores.
TrendTechie
June 27, 2025
ExpressVPN is recommended as the best VPN for torrenting with uTorrent in 2025, offering support for P2P sharing in 105 countries, high download speeds, and strong security features. It includes a Lightway protocol, split tunneling, and Advanced Protection, along with a 30-day money-back guarantee. Other notable VPNs include Private Internet Access, which supports P2P on all servers in 91 countries and offers a SOCKS5 proxy; CyberGhost, with torrent-optimized servers in over 85 countries; NordVPN, known for its advanced security features and support for torrenting in over 110 countries; and Surfshark, which provides automatic IP rotation in 49+ countries. The testing methodology focused on reliable P2P support, strong security measures, fast download speeds, user-friendly apps, and value for money.
Tech Optimizer
June 13, 2025
A new strain of Windows malware called "BrowserVenom" is exploiting interest in DeepSeek's AI models by targeting users through deceptive Google ads. These ads lead to a counterfeit website, "https[:]//deepseek-platform[.]com," where users are tricked into downloading a harmful file named “AILauncher1.21.exe.” This malware monitors and manipulates internet traffic, allowing attackers to intercept sensitive data. The operation is believed to involve Russian-speaking threat actors, and the malware has infected users in several countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The fraudulent domain has been suspended, but the malware can evade many antivirus solutions. Users are advised to verify official domains when downloading software.
Winsage
June 11, 2025
Microsoft's June updates address a significant vulnerability identified as CVE-2025-3052, which allows attackers to gain control over a PC via bootkit malware by bypassing the Secure Boot feature. This memory corruption issue enables unsigned code to run during the boot process, compromising the system's chain of trust. The vulnerability allows an attacker to sign a compromised UEFI application with Microsoft’s third-party certificates, granting it unrestricted execution rights. Although the flaw has not been exploited in real-world scenarios, it has been present since late 2022. Microsoft has released a patch for this flaw, and users of Windows 10 or 11 are advised to download the latest updates to protect their PCs. Additionally, June's Patch Tuesday addressed a total of 66 weaknesses, including another Secure Boot flaw (CVE-2025-4275) and a zero-day vulnerability (CVE-2025-33053).
Tech Optimizer
June 9, 2025
The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs) include MD5 hashes, URLs and IP addresses.