threat actor Archives

Tech Optimizer

February 11, 2026

Hackers Used Hugging Face to Distribute Android Banking Trojans

Cybersecurity researchers have identified a malware campaign that exploited Hugging Face's AI infrastructure to distribute Android banking trojans. The attackers used a deceptive app called TrustBastion, which tricked users into installing what appeared to be legitimate security software. Upon installation, the app redirected users to an encrypted endpoint that linked to Hugging Face repositories, allowing the malware to evade traditional security measures. The campaign generated new malware variants every 15 minutes, resulting in over 6,000 commits in about 29 days. It infected thousands of victims globally, particularly in regions with high smartphone banking usage but lower mobile security awareness. The operation is believed to be linked to an established cybercriminal group. Security experts warn that this incident highlights vulnerabilities in trusted platforms and calls for improved security measures, including behavioral analysis systems and verification of application authenticity. The incident has also sparked discussions about the need for enhanced security protocols for AI platforms.

Tech Optimizer

January 29, 2026

Top antivirus hacked to push out a malicious update – find out if you’re affected

Recent reports indicate that the antivirus program eScan experienced a security breach, leading MicroWorld Technologies to conduct an internal investigation. A threat actor exploited compromised update servers to distribute malware to users who downloaded updates during a two-hour window on January 20, 2026. The exact number of affected users is unknown, but the company has isolated the compromised infrastructure and refreshed credentials while assisting impacted users. The eScan product itself was not altered, and the victims were limited to a specific regional cluster. The malware, identified as CONSCTLX, operates as a backdoor and downloader, allowing attackers to maintain access and execute commands on infected devices. The identity of the attackers is unknown, but North Korean cybercriminals previously exploited eScan's update mechanism in 2024. MicroWorld Technologies has provided support to millions of customers but has not disclosed the total number of eScan users.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.

Winsage

December 18, 2025

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

A newly identified cyber threat cluster called LongNosedGoblin has been linked to cyber espionage attacks targeting governmental entities in Southeast Asia and Japan, with activities traced back to at least September 2023. The group uses Group Policy to spread malware and employs cloud services like Microsoft OneDrive and Google Drive for command and control. Key tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, which perform functions such as collecting browser history, executing commands, and logging keystrokes. ESET first detected LongNosedGoblin's activities in February 2024, identifying malware on a governmental system. The attacks showed a targeted approach, with specific tools affecting select victims. Additionally, a variant of NosyDoor was found targeting an organization in an EU country, indicating a possible connection to other China-aligned threat groups.

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

Winsage

December 4, 2025

Microsoft Patches Widely Exploited Windows LNK Zero-Day

Cybercriminals are exploiting a vulnerability in Windows LNK (.lnk shortcut) files, identified as CVE-2025-9491, to deliver malware in targeted attacks. This flaw allows attackers to hide malicious commands within shortcut files, which execute when a user opens the crafted shortcut, leading to malware installation. The vulnerability has been actively exploited by at least 11 threat actor groups, including Evil Corp and Mustang Panda, with malware such as Ursnif and Trickbot being delivered through this exploit. Microsoft released a patch for this vulnerability in November 2025 after initially delaying it, citing the need for user interaction to trigger the exploit. Security recommendations include avoiding suspicious .LNK files, implementing strict email filtering, and applying the latest security updates.

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Winsage

November 25, 2025

ClickFix attack uses fake Windows Update screen to push malware

Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.