stolen data Archives

Tech Optimizer

November 17, 2025

EVALUSION Campaign Using ClickFix Technique to deploy Amatera Stealer and NetSupport RAT

In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.

AppWizard

November 4, 2025

Hackers Hit Android Users, Drain Bank Accounts Remotely Through 760 Apps: Report

Cybersecurity experts have identified over 760 malicious applications that exploit Near Field Communication (NFC) technology to target Android devices, compromising sensitive user data and financial information. These apps often disguise themselves as legitimate banking and government services, convincing users to set them as default NFC payment methods. Once installed, they can intercept critical information such as login credentials and card details, which is then transmitted to hackers via Telegram channels. The campaign, which began in April 2024, affects users in countries including Russia, Poland, the Czech Republic, Slovakia, and Brazil, impersonating banks like Santander and VTB. Stolen data is sent to over 70 command-and-control servers managed by automated Telegram bots.

Tech Optimizer

November 1, 2025

maCERT Warns of Rapidly Spreading Spyware “Acreed”

maCERT, the Moroccan national cybersecurity agency, has issued an alert about a new spyware toolkit called Acreed, which emerged in February 2025. Acreed has become one of the most prevalent information stealers on the dark web, accounting for approximately 17% of underground cyber activity. Its primary function is to infiltrate computers and extract sensitive information, which is then sold or exploited by hackers. Acreed spreads through deceptive emails, infected advertisements, and pirated software downloads. It collects data such as usernames, passwords, browser information, cryptocurrency wallet details, and session tokens for cloud services. The data is transmitted to remote servers controlled by cybercriminals. The risks associated with Acreed affect both individuals and business networks. Recommendations to mitigate the threat include keeping antivirus software updated, monitoring for suspicious activity, avoiding unofficial software downloads, and being cautious with unsolicited emails. Users who suspect infection are encouraged to report it to maCERT for assistance.

AppWizard

October 24, 2025

New Python-Based RAT Disguised as Minecraft App Steals Sensitive User Data

Threat researchers at Netskope have identified a new Remote Access Trojan (RAT) named “Nursultan Client,” disguised as a legitimate application for Minecraft enthusiasts. This malware, developed in Python, uses the Telegram Bot API for command-and-control operations, enabling data exfiltration and persistent access to compromised systems. It was first detected as a 68.5 MB executable compiled with PyInstaller, which is often used for legitimate software but can also bundle malicious scripts. Upon execution, the RAT misleads users with a fake installation progress bar. Its core functionalities operate across Windows, Linux, and macOS platforms, targeting the gaming community through social engineering tactics. The malware contains hardcoded Telegram credentials, allowing attackers to issue commands to infected machines while obscuring their communications. The RAT can execute various commands, including stealing Discord authentication tokens and conducting system reconnaissance. It also offers surveillance capabilities, such as capturing screenshots and webcam images, and has adware functionalities that can open URLs or display pop-up messages. The operation appears to be aimed at lower-tier threat actors, lacking advanced anti-analysis techniques and sophisticated tradecraft. Organizations are advised to monitor encrypted traffic and educate users on software authenticity to mitigate risks.

Tech Optimizer

October 15, 2025

What Is Open Source Malware And Why Is It So High?

Open source malware refers to malicious code hidden within software packages on platforms like npm, PyPI, and Hugging Face, which are increasingly targeted by cybercriminals. In the third quarter of this year, Sonatype identified 34,319 malicious open source packages, contributing to a total of 877,522 over the past six years. Attackers are using artificial intelligence to embed malware in tools developers rely on, focusing on stealthy operations to avoid detection. Data exfiltration malware made up 37% of detected malicious packages in Q3, targeting sensitive information. Nearly 38% of threats were categorized as “droppers,” which install additional malware. The prevalence of backdoor-laden packages increased by 143% from the previous quarter. Financial organizations were the primary targets, with 47% of blocked malware attempts aimed at banks and financial services. Notable incidents include the npm hijacking of the “chalk” and “debug” packages and the Shai-Hulud campaign, which spread automatically across repositories. In the first quarter of 2025, 17,954 malicious packages were reported, with over half targeting confidential data, indicating a shift towards organized attacks on trusted dependencies.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Tech Optimizer

September 12, 2025

Shamos malware tricks Mac users with fake fixes

A new malware campaign targeting Mac users has been identified, featuring a variant called Shamos, part of the Atomic macOS Stealer (AMOS) family, created by the cybercriminal group COOKIE SPIDER. The malware spreads through deceptive tactics that lure victims to counterfeit websites or GitHub repositories, where they are tricked into executing a command in Terminal that downloads Shamos, bypassing macOS Gatekeeper protections. Once installed, Shamos seeks sensitive information such as Apple Notes, Keychain items, browser passwords, and cryptocurrency wallets, sending the stolen data to attackers along with additional malware. The fraudulent distribution of these "fixes" is facilitated through malvertising campaigns and imitation tech support sites. Victims are encouraged to execute commands that download malicious scripts, which can capture passwords and disable file protections, allowing Shamos to maintain control even after system restarts. To protect against Shamos, users are advised to avoid running unfamiliar commands, steer clear of sponsored search results, be cautious with GitHub projects, use strong antivirus protection, consider personal data removal services, and keep macOS updated to close vulnerabilities.

Tech Optimizer

September 12, 2025

New “ModStealer” Malware Targets Crypto Wallets, Evades Antivirus Detection

A new cross-platform malware called "ModStealer" targets cryptocurrency wallets on macOS, Windows, and Linux systems and has evaded detection by major antivirus software for nearly a month. It spreads through deceptive job recruitment ads aimed at developers and seeks out credential files, configuration details, and certificates using an obfuscated JavaScript file. ModStealer establishes persistence on macOS by exploiting Apple's launchctl tool and sends stolen data to a remote server in Finland linked to infrastructure in Germany. It specifically targets 56 different browser wallet extensions, including those on Safari, to extract private keys, and has the capability to capture clipboard data, take screenshots, and execute remote code. Researchers suggest ModStealer exemplifies a "Malware-as-a-Service" operation, highlighting the need for behavior-based defenses rather than relying solely on signature-based protections.

AppWizard

August 13, 2025

Beware the strange file in your messages: This “antivirus” app fakes scans, then watches everything

A new Android app called LunaSpy poses as an antivirus or banking protection tool but is actually sophisticated spyware. It spreads mainly through messaging platforms like Telegram, using social engineering tactics to prompt users to grant extensive permissions by generating fake “threats found” notifications. Once granted access, LunaSpy can read text messages, extract credentials, track locations, and record audio or video. The app is distributed through links that encourage users to sideload an APK rather than downloading from the official Play Store. It requests excessive permissions that legitimate antivirus apps would not demand, making devices vulnerable to data exfiltration. Users are advised to avoid installing APKs from chat links, uninstall suspicious applications, review and revoke excessive permissions, and take steps to secure their accounts.

AppWizard

July 22, 2025

Cybercriminals Merge Android Malware with Click Fraud Apps to Harvest Credentials

Researchers have identified a sophisticated cluster of Android malware that merges brand impersonation with traffic monetization strategies, utilizing Android Package Kit (APK) files to compromise user trust and extract sensitive information. The malware disguises itself as legitimate services and uses social engineering techniques to encourage manual installations. Once installed, it exploits Android's permission model to access device resources and hijack network traffic for advertising fraud. The malware includes various categories such as ad fraud apps, credential stealers, background data harvesters, task reward apps, and gambling apps, each designed to manipulate user interactions and collect sensitive data. Common strategies include redirecting traffic through monetized domains and employing encrypted command-and-control communications. A notable variant is a spoofed Facebook APK that requests extensive permissions and retrieves encrypted configuration files from specific domains. The malware's infrastructure allows it to circumvent Android signature verification and adapt its behavior based on the environment, evading detection. Analysis suggests involvement from Chinese-speaking operators, with connections to underground economies trading stolen data. The campaign combines ad fraud and credential theft, highlighting a dual purpose of monetization and intelligence gathering. Users are advised to limit installations to trusted sources and scrutinize unsolicited APKs to mitigate threats.