stolen data Archives

Tech Optimizer

April 18, 2025

Breached Identities and Infostealers: One of the Largest Ongoing Data Leak in History

Breached identities due to infostealer malware are a significant threat to corporate information security in 2024. Infostealers are a type of remote access trojan that exfiltrate sensitive data, including saved credentials, session cookies, browser history, crypto wallet information, screen captures, and host data. Infections often stem from downloading cracked software, malicious advertising, fake Windows updates, and repackaged games. Infostealers do not require local administrative privileges, making them easy to execute. Threat actors primarily aim to profit from breached bank accounts and crypto wallets, often bypassing multi-factor authentication by targeting session cookies. They also seek credentials for subscription services and corporate access. Research shows that 90% of breached companies had leaked corporate credentials in a stealer log, with 78% experiencing leaks within six months of a breach. In comparison, 76% of similar companies without breaches had experienced a corporate stealer log compromise. The investigation identified high-criticality credentials from various corporate applications, indicating that a single user often has access to multiple credentials. The rise of infostealer malware represents a broad threat, encompassing a wide range of sensitive data. Organizations are advised to implement strategies such as restricting download privileges, avoiding illegal content, disabling macros, and regularly updating software to mitigate risks associated with infostealer malware.

AppWizard

April 1, 2025

Google’s Play Store Warning—Do Not Update This Setting

A sophisticated trojan named TsarBot is targeting over 750 legitimate banking and shopping applications on Android devices. It overlays a counterfeit login screen on real apps to capture user credentials. TsarBot is believed to have Russian origins and can remotely control the device's screen, simulating user interactions and capturing device lock credentials through a deceptive lock screen. The trojan is typically installed from phishing websites, where a dropper application delivers the TsarBot APK file. Once installed, it disguises itself as the Google Play Services app and urges users to enable Accessibility services. Users are advised to avoid installing apps from outside the Google Play Store, ensure Play Protect is enabled, and only enable Accessibility Services when necessary to mitigate risks.

AppWizard

March 26, 2025

Devious new Android malware uses a Microsoft tool to avoid being spotted

Cybercriminals are using legitimate software tools to create deceptive Android applications that steal sensitive user information. McAfee's findings indicate that hackers are exploiting the .NET MAUI framework to develop sophisticated malware that can evade traditional antivirus detection. The malware uses a multi-stage dynamic loading process, incrementally loading and decrypting code, making it difficult for security software to identify the applications' true nature. Hackers add extraneous settings and permissions to confuse security scanners and use encrypted communications for data transmission instead of standard internet requests. These malicious applications are not found in reputable app stores like Google Play but are distributed through unofficial app stores, often accessed via phishing links. Examples include a counterfeit banking app and a fraudulent social networking service targeting the Chinese-speaking community. The main goal of these apps is to secretly extract user data and send it to the attackers' servers. Users are advised to download apps only from official repositories and to be cautious by reviewing user feedback before installation.

AppWizard

March 11, 2025

PlayPraetor Malware Targets Android Users via Fake Play Store Apps to Steal Passwords

A malware campaign called PlayPraetor has been identified by cybersecurity firm CTM360, involving counterfeit Google Play Store websites that trick users into downloading malicious Android applications. These apps are advanced banking Trojans that steal sensitive information, including banking credentials and clipboard data. The operation spans over 6,000 fraudulent web pages designed to mimic the official Play Store, prompting users to install APK files that contain the PlayPraetor Trojan. This malware can log keystrokes, capture screen content, and monitor clipboard activity. Distribution occurs mainly through Meta Ads and SMS messages, exploiting psychological triggers to deceive users. The malware communicates with a command and control server to target specific banking and cryptocurrency wallet applications. The attackers aim for financial gain by draining compromised accounts, executing unauthorized transactions, and potentially engaging in ad fraud. The operation is particularly focused on South-East Asia, and users are advised to download apps only from the official Google Play Store and to maintain updated security software.

Winsage

February 19, 2025

Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots

Cybersecurity experts at FortiGuard Labs have identified a new variant of the Snake Keylogger, known as AutoIt/Injector.GTY!tr, which targets Windows users and has blocked over 280 million infection attempts worldwide, particularly in China, Turkey, Indonesia, Taiwan, and Spain. The malware spreads primarily through phishing emails with malicious attachments or links and focuses on popular web browsers to steal sensitive information by logging keystrokes, capturing credentials, and monitoring clipboard activity. It exfiltrates data to its command-and-control server via email and Telegram bots. The malware uses AutoIt scripting to create standalone executables that evade antivirus detection. It installs itself by dropping "ageless.exe" in the %Local_AppData%supergroup folder and "ageless.vbs" in the %Startup% folder to ensure persistence. The malware employs process hollowing to inject its payload into a legitimate .NET process, allowing it to hide from detection. Additionally, the Snake Keylogger can retrieve the victim’s geolocation and extract sensitive information from browser autofill systems, including credit card details. It utilizes various techniques for data collection, credential access, defense evasion, and exfiltration, posing a significant threat to Windows users.

Winsage

February 19, 2025

New Snake Keylogger infects Windows using AutoIt freeware

A new variant of the Snake Keylogger is targeting Windows users in Asia and Europe, utilizing the AutoIt scripting language for deployment to evade detection. This malware, built on the Microsoft .NET framework, infiltrates systems through spam email attachments, logging keystrokes, capturing screenshots, and collecting clipboard data to steal sensitive information like usernames, passwords, and credit card details from browsers such as Chrome, Edge, and Firefox. The keylogger transmits stolen data to its command-and-control server using methods like SMTP email, Telegram bots, and HTTP POST requests. The executable file is an AutoIt-compiled binary that unpacks and executes the keylogger upon opening. The keylogger replicates itself in the %Local_AppData%supergroup directory as ageless[.]exe and places a file named ageless[.]vbs in the Startup folder to ensure it runs automatically on system reboot. This persistence mechanism allows continued access to the infected machine without requiring administrative privileges. Once activated, the keylogger injects its payload into a legitimate .NET process, specifically targeting RegSvcs.exe through process hollowing. It logs keystrokes using the SetWindowsHookEx API with a low-level keyboard hook, capturing sensitive information. Additionally, it retrieves the victim's public IP address by pinging hxxp://checkip[.]dyndns[.]org for geolocation purposes.

Tech Optimizer

February 11, 2025

Millions of Mac owners urged to be on alert for info-stealing malware

Mac owners should be vigilant in 2025 due to a significant rise in macOS infostealers, as indicated by the State of Malware report from Malwarebytes. These infostealers can extract sensitive personal information, such as credit card details and passwords, putting Mac users at risk similar to Windows users. Notable infostealers like Poseidon and Atomic Stealer can target over 160 cryptocurrency wallets and compromise VPN configurations. Most macOS infostealers rely on user deception for installation, making user caution essential. Recommendations for protection include downloading software only from trusted sources, using robust antivirus software, verifying links from unknown sources, enabling two-factor authentication, and considering a password manager or VPN. Cybercriminals are increasingly targeting Macs as their popularity grows.

Tech Optimizer

February 6, 2025

Beware of Nova Stealer Malware Sold for $50 on Hacking Forums

Nova Stealer is a malware operating under the Malware-as-a-Service (MaaS) model, available for a low cost for a 30-day license. It is a modified version of the SnakeLogger malware designed to extract sensitive information from compromised systems. Its distribution primarily occurs through aggressive phishing campaigns targeting sectors such as finance, retail, and IT, especially in regions like Russia. Nova Stealer infiltrates systems via phishing emails disguised as legitimate documents and employs techniques like steganography and process hollowing to evade detection. It can harvest data including saved credentials, keystrokes, clipboard contents, screenshots, cryptocurrency wallet information, and session cookies from platforms like Discord and Steam. The stolen data is transmitted through channels such as SMTP, FTP, or Telegram APIs. The malware's developers offer additional services, including cryptors to bypass antivirus detection, and a Telegram group for promotion and technical support. The MaaS model lowers entry barriers for cybercriminals, enabling those with minimal experience to conduct sophisticated attacks. Organizations are advised to implement strong email security measures, educate employees on phishing recognition, and utilize endpoint detection and response solutions to monitor unusual activities. Regular updates to antivirus software and operating systems are also recommended to mitigate vulnerabilities.

Tech Optimizer

December 16, 2024

AI-powered deception: The sneaky macOS malware masquerading as your next video call

Artificial intelligence (AI) is being used by cybercriminals to enhance their scams, exemplified by a malware called Realst that masquerades as video-calling software. This malware targets macOS and Windows users and has been active for about four months. The hackers behind Realst operate under the fake company name "Meetio" and have used various aliases. They employ social engineering tactics, often contacting victims through platforms like Telegram, presenting fraudulent business opportunities, and leading them to download the malware from a deceptive website. Once installed, Realst scans for sensitive information, organizes it, and sends it to a remote server. It can extract credentials from applications like Telegram and web browsers. To protect against such malware, users are advised to verify software sources, be cautious of unexpected contacts, enable two-factor authentication, use strong passwords, keep software updated, and consider personal data removal services.

Winsage

December 15, 2024

Dangerous New Windows Drive-By Security Alert—What You Need To Know

Cloak ransomware, emerging in 2022, has quickly become a significant threat in the cyber landscape, with a new variant raising concerns due to its advanced capabilities. The group uses initial access brokers and social engineering techniques, including phishing and malicious advertising, to gain network access. The ransomware employs a drive-by download method, disguising itself as legitimate system updates. Cloak may have connections to the Good Day ransomware group and utilizes a variant derived from leaked Babuk ransomware source code. Once delivered, it employs sophisticated mechanisms for extraction and privilege escalation, terminating security processes and modifying system settings to hinder recovery. The encryption process uses Curve25519 and SHA512 algorithms, and it exhibits advanced evasion techniques. Cloak ensures payload persistence by altering Windows registry entries and restricting user actions, disrupting essential system utilities and leading to operational downtime. Its extortion tactics include disguising ransom notes as desktop wallpapers and employing intermittent encryption to maximize damage. The ransomware deletes shadow copies and backups, complicating recovery efforts. Cloak also utilizes a data leak site to publish or sell stolen data if ransom demands are not met, claiming a ransom payment success rate of 91% to 96%. Windows users are advised to implement comprehensive security measures to reduce the risk of attacks.