malicious JavaScript

AppWizard
March 9, 2025
A new malware targeting Android users on Telegram has been discovered, involving videos that conceal malicious code activated upon download. The malware, named EvilLoader, exploits how Telegram processes media files, misclassifying '.htm' files as videos, which allows HTML code to execute in a browser. This malware can lead to credential theft, private data loss, and the installation of banking trojans. It can bypass security measures by redirecting users to their browsers or prompting them to open files as HTML documents, executing malicious JavaScript that sends IP information to attackers. EvilLoader has evolved to check for sandbox environments and generate fake security warnings. Users are advised to update their Telegram app and be cautious with unfamiliar video files. Telegram has stated that the exploit does not indicate a flaw in their platform and has implemented a server-side fix for enhanced protection.
Winsage
September 28, 2024
A new malware strain called Peaklight is targeting Windows PCs through illegal movie downloads. It operates exclusively in a computer's memory (RAM), allowing it to evade traditional detection methods. Peaklight is distributed by hackers who disguise harmful Windows shortcut files within ZIP folders of popular films. When users attempt to access these files, they unknowingly connect to a hidden content delivery network that triggers a PowerShell script to activate Peaklight, which then downloads additional malware such as Lumma Stealer, Hijack Loader, and CryptBot. To protect against Peaklight, experts advise avoiding illegal download sites and using legal streaming services along with updated antivirus software.
AppWizard
September 27, 2024
Researchers uncovered a cyber espionage campaign called “SilentSelfie” targeting Kurdish communities, exploiting 25 compromised websites with four variants of malicious JavaScript. The campaign, active since late 2022, utilized watering hole attacks and a covert Android application disguised as a news app to collect sensitive data, including location and contacts. The attackers employed obfuscation techniques and used compromised web servers for communication. A total of 21 Kurdish websites were affected, primarily linked to “Rojava” and Kurdish political entities. The campaign remained undetected for over 18 months, with potential links to Turkish intelligence, Syrian government agencies, and the Kurdistan Regional Government of Iraq. Compromised sites included ‘RojNews’ and ‘YPG Rojava.’