malware campaign Archives

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

Tech Optimizer

November 17, 2025

EVALUSION Campaign Using ClickFix Technique to deploy Amatera Stealer and NetSupport RAT

In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.

Tech Optimizer

November 14, 2025

Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it

A recent malware campaign has seen attackers disguising the DarkComet remote access trojan as Bitcoin-related applications to target cryptocurrency users. DarkComet RAT allows attackers to gain extensive control over compromised systems, despite its original creator discontinuing it years ago. The malware features capabilities such as keystroke logging, file theft, webcam surveillance, and remote desktop control, posing significant risks to users. The malicious file was distributed as a compressed RAR archive named “94k BTC wallet.exe,” which helps evade email filters. Security analysts at Point Wild discovered that the malware ensures persistence by copying itself to %AppData%RoamingMSDCSCexplorer.exe and creating a registry key for automatic execution at system startup. It attempts to connect to a command-and-control server at kvejo991.ddns.net over TCP port 1604. The malware injects its payload into legitimate Windows processes to perform keylogging and screen capture while remaining undetected. Captured keystrokes are stored in log files and exfiltrated through the command-and-control channel. Users are advised to avoid downloading cryptocurrency tools from untrusted sources and to keep security software updated.

Tech Optimizer

November 13, 2025

New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware

Security researchers have identified a malware campaign using the ClickFix social engineering technique to spread information-stealing malware on Windows and macOS. The campaign targets users searching for cracked software, leading them to malicious Google-hosted landing pages. Victims encounter fake security warnings that prompt them to execute a malicious command, resulting in the installation of infostealer malware. Windows users receive the ACR stealer, while macOS users get the Odyssey stealer, both delivered in password-protected ZIP files. ACR also loads additional malware like SharkClipper, which hijacks cryptocurrency clipboard data. The campaign has seen a 700% increase in ACR logs in May 2025, with ClickFix becoming the most common initial access method, accounting for 47% of all initial access schemes. The malware collects various user data, including passwords and cryptocurrency wallets, and operates in a fileless manner to evade detection. Security experts advise against executing unverified commands and recommend enhancing endpoint detection capabilities to combat these threats.

Tech Optimizer

September 26, 2025

Malware Campaign Spreads Trojans via Hijacked Ads on Facebook, Google, YouTube

A recent malware campaign has transitioned from Meta’s advertising ecosystem to Google Ads and YouTube, initially targeting Facebook users through compromised business accounts. The threat originated from a Norwegian design agency’s hijacked Facebook Business account, promoting fraudulent ads for a fictitious “TradingView Premium” app that directed users to download malware. The malware is disseminated on YouTube through hijacked verified channels, leading victims to a downloader that installs Trojan.Agent.GOSL, capable of data theft and remote device control. Over 250 malicious apps targeting Android devices have been identified, equipped for credential theft and unauthorized access. Attackers compromise verified accounts to bypass scrutiny, altering page names to mimic official entities. The campaign exploits vulnerabilities in both Meta's and Google’s ad networks, utilizing OAuth URLs and ad placements to evade detection. Security experts recommend multi-layered defenses, enabling two-factor authentication, and verifying app sources to mitigate risks.

Tech Optimizer

September 25, 2025

LastPass: GitHub hosts atomic stealer malware campaign

Cybersecurity researchers have identified a malware campaign targeting Mac users, with attackers creating fraudulent GitHub pages to distribute an infostealer known as Atomic Stealer (AMOS). The campaign was first detected on September 16, 2025, involving pages that falsely claimed to offer LastPass software. Users are misled into clicking links that redirect them to malicious sites, where they are prompted to execute a command that installs malware on their systems. The attackers impersonate reputable companies and use multiple GitHub usernames to avoid detection, employing SEO techniques to rank their malicious links higher in search results. LastPass is actively monitoring the situation and working on takedowns. Users are advised to download software only from official sources, avoid executing commands from unknown sites, keep software updated, use antivirus protection, enable regular backups, and be cautious of unexpected links and emails.

Tech Optimizer

September 25, 2025

LNK Malware Leverages Windows Binaries to Evade Security Tools and Run Malicious Code

Cybersecurity researchers have identified a malware campaign utilizing Windows shortcut (.LNK) files distributed via Discord to deploy a Remote Access Trojan (RAT). The malicious file, named “cyber security.lnk,” lures users with a fake job offer PDF while executing PowerShell commands in the background. It displays a decoy document titled “Cyber Security.pdf” to distract victims during the infection process. The malware exploits the legitimate Windows utility odbcconf.exe to execute a malicious DLL named Moq.dll without triggering security alerts. A PowerShell script extracts a ZIP file containing the payload and runs it using the command: odbcconf.exe /a {regsvr "C:UsersPublicNugetmoq.dll"}. This approach bypasses standard security measures by utilizing trusted binaries. Moq.dll employs advanced evasion techniques, including modifying the AmsiScanBuffer function to disable the Anti-Malware Scan Interface (AMSI) and altering the EtwEventWrite function in ntdll.dll to prevent monitoring through event logs. The malware ensures persistence by modifying the Windows registry to run with explorer.exe at user login and communicates with its command and control server at hotchickenfly.info. The RAT can capture screenshots, gather system information, and exfiltrate data via Dropbox’s API, using AES encryption for its communications. This threat was first observed in Israel and highlights the trend of malware authors leveraging legitimate Windows tools to evade detection. Security researchers from K7 Labs have identified the malware and recommend application whitelisting and monitoring of LOLBin usage as countermeasures. Indicators of Compromise (IOCs) include specific hash values associated with the Trojan.

Tech Optimizer

September 12, 2025

Shamos malware tricks Mac users with fake fixes

A new malware campaign targeting Mac users has been identified, featuring a variant called Shamos, part of the Atomic macOS Stealer (AMOS) family, created by the cybercriminal group COOKIE SPIDER. The malware spreads through deceptive tactics that lure victims to counterfeit websites or GitHub repositories, where they are tricked into executing a command in Terminal that downloads Shamos, bypassing macOS Gatekeeper protections. Once installed, Shamos seeks sensitive information such as Apple Notes, Keychain items, browser passwords, and cryptocurrency wallets, sending the stolen data to attackers along with additional malware. The fraudulent distribution of these "fixes" is facilitated through malvertising campaigns and imitation tech support sites. Victims are encouraged to execute commands that download malicious scripts, which can capture passwords and disable file protections, allowing Shamos to maintain control even after system restarts. To protect against Shamos, users are advised to avoid running unfamiliar commands, steer clear of sponsored search results, be cautious with GitHub projects, use strong antivirus protection, consider personal data removal services, and keep macOS updated to close vulnerabilities.

Winsage

August 30, 2025

Silver Fox APT Hackers Leveraging Vulnerable driver to Attack Windows 10 and 11 Systems by Evading EDR/AV

In mid-2025, a campaign attributed to the Silver Fox Advanced Persistent Threat (APT) began exploiting a vulnerable Microsoft-signed WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise modern Windows environments. The attackers use the driver's arbitrary process termination capability to bypass endpoint detection and antivirus protections on fully patched Windows 10 and 11 systems. The attack starts with a loader that checks for virtual machines and sandboxes before dropping two drivers into a new directory. These drivers are registered as kernel services, and the loader ensures persistence. The campaign's logic then terminates security service processes by exploiting the driver's vulnerabilities, allowing the injection of a ValleyRAT downloader module that connects to Chinese-hosted C2 servers. After the vulnerability was disclosed, a patched driver (wamsdk.sys, version 1.1.100) was released, but Silver Fox adapted by modifying the driver's signature timestamp to evade detection while maintaining the signature's validity.