Yandex

Winsage
August 5, 2025
North Korean state-sponsored hackers, part of the APT37 group, are using advanced steganography techniques to embed malicious software within JPEG image files. The RoKRAT malware variant employs a two-stage encryption process, starting with the creation of large malicious shortcut files disguised as legitimate documents. These .lnk files download JPEG images from cloud storage services, which appear to contain valid image headers but actually conceal encrypted malware code. The malware is revealed through multiple XOR decryption operations. Security researchers have identified the steganographic payload at offset 0x4201 within the images. The malware generates temporary files in the %LOCALAPPDATA% directory and executes through rundll32.exe, complicating detection. APT37 also uses fileless attack strategies, injecting shellcode into legitimate Windows processes and exploiting cloud services for command and control operations. Recent attacks have targeted South Korean organizations using social engineering tactics. Traditional antivirus solutions are inadequate against these techniques, prompting experts to recommend Endpoint Detection and Response (EDR) systems for real-time monitoring of anomalous activities.
Winsage
August 5, 2025
A new variant of the RoKRAT malware, attributed to North Korea's APT37 group, utilizes advanced techniques such as steganography to hide malicious code within JPEG image files, complicating detection efforts. This malware is primarily distributed in South Korea through compressed archives containing Windows shortcut files that lead to a multi-stage infection process. The process involves executing PowerShell commands to decrypt and run the malware, which can inject itself into trusted Windows processes like mspaint.exe and notepad.exe, leaving minimal forensic traces. The malware also exfiltrates sensitive information using legitimate cloud APIs, making attribution difficult. APT37 has demonstrated adaptability by changing its injection targets and camouflaging its development artifacts, highlighting the need for advanced Endpoint Detection and Response (EDR) solutions and proactive security measures.
Winsage
August 4, 2025
Specialists at the Genians Security Center have identified a new version of the RoKRAT malware linked to the North Korean APT37 group. This version uses steganography to hide its code in JPEG images, allowing it to bypass antivirus systems. The infection begins with a ZIP archive containing a large malicious .LNK shortcut file that misleads users. The malware employs various encrypted components, including shellcode, PowerShell scripts, and batch files. Upon execution, PowerShell decrypts the shellcode using an XOR operation, and the malware injects itself into legitimate Windows processes without leaving traces on the disk. The RoKRAT loader is embedded in a JPEG image hosted on Dropbox, and it uses a double XOR transformation to extract the shellcode. The malware is activated through sideloading techniques using legitimate utilities and downloads from cloud platforms. RoKRAT can collect data, take screenshots, and transmit them to external servers. Recent samples have targeted “notepad.exe” for code injection, indicating ongoing development. Endpoint detection and response (EDR) systems are essential for monitoring unusual activities and protecting against these sophisticated attacks, as traditional defenses are inadequate.
Winsage
August 4, 2025
Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. This malware uses steganography to hide malicious payloads within JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files within ZIP archives, often disguised as legitimate documents. The malware employs a two-stage encrypted shellcode injection method, utilizing PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots, exfiltrating data via compromised cloud APIs. The command and control accounts associated with the malware are linked to Russian email services. Variants of RoKRAT have evolved to include different injection methods and reference specific PDB paths. Indicators of compromise include various MD5 hashes associated with the malware.
Tech Optimizer
August 2, 2025
Recent research from Dr.Web has identified a malware family called Trojan.Scavenger that targets Windows users by disguising itself as game performance boosters or enhancements. This malware exploits vulnerabilities in games like Grand Theft Auto 5 and Oblivion Remastered, typically arriving as modified dynamic libraries with extensions like .ASI. When installed, it can automatically load if the game does not validate its libraries properly. Once activated, it connects to a command-and-control server using encrypted communication and can deploy additional trojans that infiltrate Chromium-based browsers, disrupting their security features and replacing legitimate extensions with malicious ones. This puts applications at risk, including crypto wallets like MetaMask and Phantom, and password managers like Bitwarden and LastPass, as the malware captures sensitive information and sends it to attackers. Exodus wallet is also targeted, with the malware extracting critical JSON entries for private key generation. To mitigate these risks, users are advised to avoid downloading unofficial content from unverified sources, keep antivirus software updated, manage social media interactions carefully, and verify file paths and digital signatures.
AppWizard
June 16, 2025
Russian lawmakers passed legislation on June 10 to establish a national instant messaging service, envisioned as a multifunctional information exchange service similar to WhatsApp. The service aims to facilitate bureaucratic and legal functions, including electronic document signing. VK, a Kremlin-aligned social media platform, is reportedly developing a new digital platform named Max, which will include chat, messaging, and payment services. The Russian government has previously launched the Gosuslugi e-government service portal, which serves around 100 million citizens and is being integrated with VK. President Vladimir Putin has expressed support for the new messaging service, instructing officials to transition services from government agencies to the platform.
AppWizard
June 4, 2025
Experts at Radboud University and IMDEA Networks found that Meta and Yandex have been covertly tracking Android users by monitoring browser activity without consent. This tracking was first identified in January and involves apps like Facebook, Instagram, and Yandex Maps operating in the background and loading scripts that transmit data back to their respective apps. These scripts bypass Android's security measures, allowing the companies to track users' web browsing activities. The tracking affects all major Android browsers, including incognito mode. Google confirmed that Meta and Yandex exploited Android's capabilities in violation of security and privacy principles. Meta is investigating the issue and has paused the feature, while Yandex claims to adhere to data protection standards. Meta's tracking has been ongoing for about eight months, while Yandex's practices date back to 2017. Facebook tracked users on around 16,000 websites in the EU, and Yandex was active on 1,300 sites. Google has begun implementing changes to address these tracking techniques and is conducting its own investigation. Browsers like Firefox, Microsoft Edge, and DuckDuckGo are also affected, with efforts underway to prevent future incidents.