infostealer Archives

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

April 27, 2025

New Security Warning After 1 Billion Windows Users Told Do Not Delete

Microsoft's recent security update for Windows has raised concerns among users due to the introduction of a new vulnerability. The update, intended to address the CVE-2025-21204 vulnerability, inadvertently created a folder named inetpub, which Microsoft claims is essential for user protection. Security researcher Kevin Beaumont has warned that this update has introduced a denial of service vulnerability that allows non-admin users to halt future Windows security updates. Microsoft has classified the issue as moderate in severity and suggested that deleting the inetpub symlink and retrying the update may resolve the problem. The report has been forwarded to the Windows security team for potential further action.

Tech Optimizer

April 18, 2025

Breached Identities and Infostealers: One of the Largest Ongoing Data Leak in History

Breached identities due to infostealer malware are a significant threat to corporate information security in 2024. Infostealers are a type of remote access trojan that exfiltrate sensitive data, including saved credentials, session cookies, browser history, crypto wallet information, screen captures, and host data. Infections often stem from downloading cracked software, malicious advertising, fake Windows updates, and repackaged games. Infostealers do not require local administrative privileges, making them easy to execute. Threat actors primarily aim to profit from breached bank accounts and crypto wallets, often bypassing multi-factor authentication by targeting session cookies. They also seek credentials for subscription services and corporate access. Research shows that 90% of breached companies had leaked corporate credentials in a stealer log, with 78% experiencing leaks within six months of a breach. In comparison, 76% of similar companies without breaches had experienced a corporate stealer log compromise. The investigation identified high-criticality credentials from various corporate applications, indicating that a single user often has access to multiple credentials. The rise of infostealer malware represents a broad threat, encompassing a wide range of sensitive data. Organizations are advised to implement strategies such as restricting download privileges, avoiding illegal content, disabling macros, and regularly updating software to mitigate risks associated with infostealer malware.

Winsage

April 7, 2025

EncryptHub’s dual life: Cybercriminal vs Windows bug-bounty researcher

EncryptHub has been linked to breaches affecting 618 organizations and is associated with the disclosure of two Windows zero-day vulnerabilities, CVE-2025-24061 and CVE-2025-24071, to Microsoft. The vulnerabilities were addressed during the March 2025 Patch Tuesday updates, and the reporter was acknowledged as 'SkorikARI with SkorikARI.' Investigations revealed a connection between EncryptHub and SkorikARI, following an incident where EncryptHub exposed their credentials. SkorikARI's accounts were used to report the vulnerabilities, contributing to Windows security. Evidence linking SkorikARI to EncryptHub includes password files exfiltrated from EncryptHub's system and a GitHub account associated with SkorikARI. EncryptHub has previously attempted to market zero-day vulnerabilities on underground forums and is believed to have affiliations with ransomware groups. The threat actor has executed social engineering campaigns, phishing attacks, and developed a custom infostealer known as Fickle Stealer. They created fictitious social media profiles and websites, such as a fake project management application called GartoriSpace, which installed malicious files on unsuspecting users. EncryptHub has also been implicated in exploiting a Microsoft Management Console vulnerability, CVE-2025-26633.

Tech Optimizer

March 31, 2025

Watch Out for This Info-Stealing Malware on Windows

A new malware strain called CoffeeLoader has been identified, posing a significant risk to gamers by masquerading as a legitimate ASUS utility, specifically the Armoury Crate software. Once it infiltrates a system, it deploys the Rhadamanthys infostealer, which can extract sensitive information such as credentials from web browsers, email clients, cryptocurrency wallets, and password managers. CoffeeLoader evades detection by most security tools by operating on the GPU instead of the CPU and using advanced techniques like call stack spoofing, sleep obfuscation, and exploiting Windows fibers. To protect against CoffeeLoader, users should exercise caution when downloading software, navigate directly to official websites, avoid suspicious links, and adhere to basic cybersecurity practices. If infection is suspected, users should disconnect from the internet, reboot in safe mode, delete temporary files, and check Task Manager for unusual activity. Employing a reliable malware scanner can help identify and eliminate infections.

Tech Optimizer

March 27, 2025

This dangerous new Windows malware hides from your antivirus while impersonating a popular PC brand

A new strain of malware called CoffeeLoader targets Windows users by pretending to be an ASUS utility, specifically imitating ASUS's Armoury Crate. It has sophisticated evasion techniques that allow it to bypass antivirus software. Once installed, it deploys infostealers like Rhadamanthys Infostealer to extract sensitive information. CoffeeLoader operates undetected by executing code on the GPU instead of the CPU, using Call Stack Spoofing to disguise its activities, and employing Sleep Obfuscation to encrypt itself in memory when inactive. It also exploits Windows Fibers to evade detection. To protect against CoffeeLoader, users should download Armoury Crate only from the official ASUS website and be cautious of deceptive links and ads that may lead to malware installation.

Tech Optimizer

March 25, 2025

What the Tech? Avoiding malware threats

The ABC 6 News Team reports on the Infostealer malware, which has compromised over 2 billion credentials by using fake websites to trick users into providing sensitive information. Infostealer targets searches for free software, cracked software, game cheats, and activation tools, employing tactics such as search engine ads, SEO manipulation, social media promotions, and typosquatting to lure victims. Once installed, Infostealer can steal passwords, credit card information, cryptocurrency wallet data, and personal information. To mitigate risks, users are advised to download software from reputable sources, be cautious of offers that seem too good to be true, install robust antivirus software, enable ad blockers, verify URLs, use multi-factor authentication, keep software updated, and stay informed about cybersecurity threats. Additionally, users can check if their email addresses or passwords have been involved in data breaches at www.haveibeenpwned.com.

AppWizard

March 24, 2025

Malicious Game Infects Steam Users With Info-Stealing Malware

Steam removed the game Sniper: Phantom's Resolution due to a security breach involving malware designed to extract sensitive user information. The malware was disguised as a legitimate Windows process and employed tactics like executing Node.js scripts and establishing startup persistence. A month earlier, another game, PirateFi, was found to be spreading the Vidar infostealer, affecting up to 1,500 users. Both incidents highlight the risks associated with malware hosted on trusted platforms like Steam, which may exploit vulnerabilities in submission processes. Users often identified suspicious behavior before the platforms did, indicating delayed detection and response times. The lack of timely communication regarding breaches further exacerbates user concerns.