Hashtag #infoStealer
Original post on mastodon.uno

CrystalX: remote access, data theft and pranks
Researchers at #kaspersky have found a new #malware named #crystalx, sold by subscription on #telegram and advertised on #youtube. Cybercriminals can customise it through a control panel and then choose various […]


📰 New Infostealer Malware "Torg Grabber" Targets 728 Crypto Wallets

👉 Read the full article here: ahmandonk.com/2026/04/04/malware-infos...

#beritaTeknologi #clickfix #dompetKripto #ekstensiBrowser #infostealer #keamananSiber #malw


📰 Popular PyPI Package LiteLLM Compromised with a Backdoor to Steal Credentials and Tokens

👉 Read the full article here: ahmandonk.com/2026/04/04/paket-pypi-po...

#beritaTeknologi #infostealer #keamananSiber #kredensialCloud #litellm #malware #pypi

Claude Code leak used to push infostealer malware on GitHub
Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.

#ClaudeCode leak used to push #infostealer #malware on #GitHub

www.bleepingcomputer.com/news/security/claude-cod...

#Claude #AI #cybersecurity #DataBreach

New CrystalRAT malware adds RAT, stealer and prankware features
A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities.

New #CrystalRAT #malware adds #RAT, stealer and #prankware features

www.bleepingcomputer.com/news/security/new-crysta...

#cybersecurity #infostealer

Original post on mastodon.uno

Claude Code: fake GitHub repositories distribute malware
GitHub has always been exploited to distribute malware. A cybercriminal promptly exploited the Claude Code source code leak to create fake repositories that hide the well-known infostealer Vidar. A simple search is enough […]


Because the user manually initiates the execution through the native Windows Run dialog, this tactic frequently bypasses standard EDR behavioral alerts.

#InfoSec #CyberSecurity #RedTeam #Malware #Infostealer #Technology #Microsoft #ClickFix #Armada #ArmadaOps #Hacking #ThreatIntel

Storm Infostealer Sold as Service, Targets Browsers, Wallets and Accounts
Hackers are selling Storm Infostealer, a tool that bypasses Chrome encryption to steal cookies, credentials, crypto wallets and accounts across browsers.

📢⚠️ Hackers are selling “Storm Infostealer,” a tool that bypasses Chrome encryption, steals cookies, hijacks sessions, and targets crypto wallets across browsers.

Read: hackread.com/storm-infost...

#CyberSecurity #Malware #Infostealer #Chrome


Beware of BlankGrabber Stealer! This Python-based malware uses fake certificate loaders to hide its delivery chain, stealing sensitive data. Stay vigilant! #CyberSecurity #MalwareAlert #InfoStealer Link: thedailytechfeed.com/blankgrabber...

Original post on webpronews.com

Inside the GitHub Trap: How Fake VS Code Alerts Are Luring Developers Into Installing Malware
Threat actors are filing fake security issues on GitHub repositories, tricking developers into download...

#CybersecurityUpdate #DevNews #developer #social […]

Original post on mastodon.uno

Torg Grabber: new malware for cryptocurrency theft
Researchers at Gen Digital have identified a new #malware named #torggrabber that is used mainly to steal #criptovalute (cryptocurrencies). It is therefore an #infostealer, but it offers more advanced features than its […]

Breach & Build — cybersecurity news

Watch out, crypto holders! A new threat, Torg Grabber, is actively targeting a shocking 728 crypto wallets. This...

#CyberSecurity #BreachAndBuild #TorgGrabber #Infostealer #CryptoSecurity

breachandbuild.com/torg-grabber-infostealer...

New Infinity Stealer malware grabs macOS data via ClickFix lures
A new info-stealing campaign called Infinity Stealer targets macOS by delivering a Python payload compiled into a native executable with the Nuitka compiler and lures users via a ClickFix fake Cloudflare CAPTCHA. The payload performs anti-analysis checks, harvests browser credentials, macOS Keychain entries, cryptocurrency wallets and plaintext developer secrets, and exfiltrates data to a C2 via HTTP while notifying operators via Telegram; users should never paste unknown commands into Terminal. #InfinityStealer #Nuitka

New Infinity Stealer malware targets macOS by delivering Python payloads compiled with Nuitka, using fake ClickFix Cloudflare CAPTCHAs to steal browser credentials, Keychain data, crypto wallets, and dev secrets. #macOSMalware #InfoStealer

Awakari App

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs
The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer. The post Cloudfl...

Malware & Threats #ClickFix #infostealer #Mac #malware


New research reveals that infostealer malware can expose corporate credentials on the dark web within 48 hours. Stay vigilant and enhance your cybersecurity measures. #CyberSecurity #Infostealer #DataBreach Link: thedailytechfeed.com/infostealer-...

Suspected RedLine infostealer malware admin extradited to US
An Armenian suspect was extradited to the United States to face criminal charges for allegedly helping manage RedLine, one of the most prolific infostealer malware operations in recent years. [...]

Suspected #RedLine #infostealer #malware admin extradited to US

www.bleepingcomputer.com/news/security/suspected-...

#cybersecurity #cybercrime

A fake website impersonating Avast antivirus is tricking people into infecting their own computers. The site looks legitimate, runs what appears to be a virus scan, and claims your system is full of threats. But the results are fake: when you’re prompted to “fix” the problem, the download you’re given is actually **Venom Stealer**, a type of malware designed to steal passwords, session cookies, and cryptocurrency wallet data.

This is a classic scare-and-fix scam: create panic, then offer a solution. In this case, the “solution” abuses the trusted Avast brand to deliver the attack.

## A scan that finds exactly what the attacker wants you to see

The phishing page is a recreation of the Avast brand, complete with navigation bar, logo, and reassuring certification badges. Visitors are invited to run what appears to be a comprehensive virus scan. Once they click, the page stages a brief animation before delivering its predetermined verdict: three threats found, three threats removed, system protected. A scrolling console log names a specific detection—`Trojan:Win32/Zbot.AA!dll`—to lend the performance an air of specificity.

The victim is then prompted to download the cure: a file called `Avast_system_cleaner.exe`. This is the payload. And far from cleaning anything, it immediately begins stealing.

## A Chrome service that is not Chrome

When the victim launches `Avast_system_cleaner.exe`, the binary—a 64-bit Windows PE executable roughly 2 MB in size—copies itself into a location designed to blend in with legitimate software: `C:\Program Files\Google\Chrome\Application\v20svc.exe`. The dropped file is byte-for-byte identical to the parent, sharing the same MD5 hash (`0a32d6abea15f3bfe2a74763ba6c4ef5`). It then launches the copy with the command-line flag `--v20c`, a meaningless argument whose sole purpose is to signal to the malware that it is running in its second-stage role.

The disguise is deliberate. A process named `v20svc.exe` sitting inside Chrome’s application directory looks, at a glance, like a legitimate browser service component. Anyone scanning their task manager would likely scroll past it without a second thought. This is a textbook example of masquerading: naming a malicious binary to match the conventions of trusted software so it escapes casual inspection.

A debug artifact baked into the binary confirms its lineage: the PDB path reads `crypter_stub.pdb`, indicating the executable was packed using a crypter, a tool designed to scramble a payload’s code so antivirus engines cannot recognise it from its signature alone. At the time of analysis, only 27% of engines on VirusTotal flagged the sample, meaning roughly three in four commercial antivirus products missed it entirely.

YARA rules matched the sample to the **Venom Stealer** malware family, a known descendant of the Quasar RAT framework that has been sold on underground forums since at least 2020. Venom Stealer is purpose-built for data theft: browser credentials, session cookies, cryptocurrency wallets, and credit card details stored in browsers.

## Every cookie, every wallet, every saved password

Once running, the malware works through a checklist of high-value targets on the victim’s machine. It starts with browsers. Behavioral analysis confirms the malware harvests saved credentials and session cookies. In the analysis environment, it was observed directly accessing Firefox’s cookie database at `C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite-shm`. Process memory also contained fully-formed JSON structures with stolen cookie data from Microsoft Edge and Google Chrome, including active sessions for Netflix, YouTube, Reddit, Facebook, LinkedIn, AliExpress, Outlook, Adobe, and Google.

Stolen session cookies give the attacker the ability to hijack authenticated browser sessions without needing the victim’s password, including sessions protected by two-factor authentication.

The malware also targets cryptocurrency wallets. Behavioral signatures confirm it searches for and attempts to steal locally-stored wallet data, and Venom Stealer is documented as targeting desktop wallet applications. For anyone holding crypto assets on a hot wallet, the implications are immediate.

Beyond credentials, the stealer captures a screenshot of the victim’s desktop, saved temporarily as `C:\Users\<USER>\AppData\Local\Temp\screenshot_5sIczFxY95t2IQ5u.jpg`, and writes a session tracking file to `C:\Users\<USER>\AppData\Roaming\Microsoft\fd1cd7a3\sess`. A small marker file is also dropped at `C:\Users\Public\NTUSER.dat`—a path chosen to mimic a legitimate Windows registry hive file and avoid suspicion.

## Disguised as analytics, delivered over plain HTTP

All stolen data is exfiltrated to a single command-and-control domain: `app-metrics-cdn[.]com`, which resolved to `104.21.14.89` (a Cloudflare address) during analysis. The domain name is crafted to look like a benign analytics or content delivery service, the kind of traffic that might not raise alarm bells in a corporate proxy log.

The exfiltration follows a structured four-step sequence over unencrypted HTTP. First, a multipart form-data POST to `/api/upload` transmits the collected files—screenshots, wallet data, cookie databases—totalling around 140 KB. A second POST to `/api/upload-json` sends a structured JSON payload of approximately 29 KB containing parsed credentials and cookies. A confirmation POST to `/api/upload-complete` signals that the theft is finished. The malware then enters a heartbeat loop, periodically checking in at `/api/listener/heartbeat` to maintain contact with the operator’s infrastructure.

All of this traffic uses a generic Mozilla/5.0 user-agent string, another attempt to blend in with ordinary web browsing.

## Syscalls, sleep loops, and debugger checks

Venom Stealer does not simply steal and leave. It takes significant steps to avoid being caught. The most notable evasion technique is the use of direct and indirect system calls, a method where the malware invokes Windows kernel functions directly rather than routing through the standard `ntdll.dll` library. Because most endpoint detection tools work by intercepting calls to that library, this technique effectively blinds them. This behaviour was flagged in both the parent and the dropped child process.

The malware also checks whether it is being debugged, queries CPU vendor and model information, reads the volume serial number of the system drive, creates guard pages in memory that can crash debuggers attempting to step through the code, and enumerates running processes. These are common techniques for detecting virtual machines and analysis environments. To frustrate automated analysis further, it incorporates sleep calls exceeding three minutes.

## This is not a new trick

Impersonating security software to distribute malware is one of the oldest tricks in the book. A user who believes their system is infected is primed to act urgently, and a page that looks like a trusted antivirus vendor is exactly the kind of authority they will defer to. By staging a fake scan that “finds” threats and then offering a cure, the attacker exploits both fear and trust in a single interaction.

This is not an isolated tactic. In May 2025, DomainTools documented a separate campaign in which attackers built a convincing clone of Bitdefender’s website and used it to distribute Venom RAT alongside the StormKitty stealer. The playbook is nearly identical: impersonate a security brand, manufacture urgency, and deliver a Trojan dressed as protection. It suggests this is a repeatable template, not a one-off experiment.

## What to do if you may have been affected

Only download security software from official vendor websites. Avast’s legitimate site is avast.com. Do not trust search engine results, ads, or links in unsolicited emails. If you interacted with a site like this or downloaded the file, act quickly:

* **Check if your system is infected.** Look for the file `v20svc.exe` in `C:\Program Files\Google\Chrome\Application\`. If it exists, your system was likely compromised by this malware.
* **Run a full system scan immediately.** Use a trusted, up-to-date anti-malware tool (such as Malwarebytes) to detect and remove the infection. If the scan finds threats, follow the tool’s recommendations to quarantine or delete them.
* **Change your passwords right away.** Start with email, banking, and any important accounts. Assume anything saved in your browser has been exposed.
* **Sign out of all active sessions.** Log out of services like Google, Microsoft, Facebook, and Netflix. Stolen session cookies allow an attacker to bypass two-factor authentication entirely.
* **Protect cryptocurrency funds.** If you use a desktop cryptocurrency wallet, transfer your funds to a new wallet generated on a clean device as soon as possible.

## Indicators of Compromise (IOCs)

**File hashes**

* SHA-256: `ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d`

**Domains**

* `app-metrics-cdn[.]com`

**Network indicators**

* `104.21.14.89`

**C2 URLs**

* `http://app-metrics-cdn[.]com/api/upload`
* `http://app-metrics-cdn[.]com/api/upload-json`
* `http://app-metrics-cdn[.]com/api/upload-complete`
* `http://app-metrics-cdn[.]com/api/listener/heartbeat`
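The four-step exfiltration sequence and heartbeat loop described above are easy to hunt for in proxy logs. The following detector is an added example (not code from the Malwarebytes write-up); it assumes a simplified, constructed proxy log format of `client method host path "user-agent"` and uses only the C2 domain and URL paths from the article's IOC list.

```python
"""Detect the Venom Stealer exfiltration sequence in (constructed) proxy log lines.

Added example, not part of the original write-up. Assumed log format per line:
    <client_ip> <method> <host> <path> "<user-agent>"
The C2 domain is written defanged in the article and refanged here for matching.
"""
import re
from collections import defaultdict

C2_DOMAIN = "app-metrics-cdn[.]com".replace("[.]", ".")
# Ordered POST stages reported in the article, followed by the beacon path.
EXFIL_STAGES = ("/api/upload", "/api/upload-json", "/api/upload-complete")
HEARTBEAT_PATH = "/api/listener/heartbeat"

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, host, path, ua = m.groups()
    return {"client": client, "method": method, "host": host, "path": path, "ua": ua}


def analyse(lines):
    """Per client talking to the C2 domain: how far the ordered upload sequence
    progressed, how many heartbeats were seen, and whether the bare
    'Mozilla/5.0' user agent (assumed to be what the article calls generic) was used."""
    stage = defaultdict(int)
    heartbeats = defaultdict(int)
    generic_ua = defaultdict(bool)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != C2_DOMAIN:
            continue  # only C2 traffic matters here
        c = rec["client"]
        if rec["ua"].strip() == "Mozilla/5.0":
            generic_ua[c] = True
        # Advance the stage counter only when the next expected POST arrives in order.
        if (rec["method"] == "POST" and stage[c] < len(EXFIL_STAGES)
                and rec["path"] == EXFIL_STAGES[stage[c]]):
            stage[c] += 1
        elif rec["path"] == HEARTBEAT_PATH:
            heartbeats[c] += 1
    clients = set(stage) | set(heartbeats) | set(generic_ua)
    return {c: {"exfil_complete": stage[c] == len(EXFIL_STAGES),
                "stages_seen": stage[c],
                "heartbeats": heartbeats[c],
                "generic_ua": generic_ua[c]} for c in clients}


# Constructed sample: one benign client, one full infection, one partial upload.
SAMPLE_LOG = [
    '10.0.0.5 GET www.example.com / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 POST app-metrics-cdn.com /api/upload "Mozilla/5.0"',
    '10.0.0.7 POST app-metrics-cdn.com /api/upload-json "Mozilla/5.0"',
    '10.0.0.7 POST app-metrics-cdn.com /api/upload-complete "Mozilla/5.0"',
    '10.0.0.7 GET app-metrics-cdn.com /api/listener/heartbeat "Mozilla/5.0"',
    '10.0.0.7 GET app-metrics-cdn.com /api/listener/heartbeat "Mozilla/5.0"',
    '10.0.0.9 POST app-metrics-cdn.com /api/upload "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, f in sorted(analyse(SAMPLE_LOG).items()):
        print(client, f)
```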

Bogus Avast website fakes virus scan, installs Venom Stealer instead
A fake Avast scan tells you your PC is infected, then installs the malware that steals passwords, session data and crypto wallet...

News, Threat Intel #avast #infostealer

New Torg Grabber infostealer malware targets 728 crypto wallets
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets.

New #TorgGrabber #infostealer #malware targets 728 #crypto wallets

www.bleepingcomputer.com/news/security/new-torg-g...

#cybersecurity

Suspected Armenian Extradited for Operating RedLine Malware Scheme Following Co-Conspirator Arrest
Hambardzum Minasyan was extradited for developing and administering the RedLine infostealer malware scheme, according to court documents.

Full Article: www.technadu.com/suspected-ar...

👉 Do you think going after infrastructure operators will slow down malware campaigns? Comment your thoughts.
#Cybersecurity #Malware #CyberCrime #Infostealer #InfoSec

Suspected RedLine infostealer malware admin extradited to US
Hambardzum Minasyan was extradited to the United States and charged with helping manage the RedLine infostealer operation by registering servers, domains, a cryptocurrency account, and file-sharing repositories used to distribute the malware and receive affiliate payments. International law enforcement actions, including the Dutch Operation Magnus seizure and U.S. charges against other suspects, underscore a coordinated effort to disrupt RedLine and pursue those responsible. #RedLine #HambardzumMinasyan

Hambardzum Minasyan extradited to the US, charged with managing infrastructure for the RedLine infostealer, including server registration, crypto accounts, and file-sharing used in malware distribution. #RedLineMalware #InfoStealer #USA

New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data
CyberProof reports a 10% surge in PXA Stealer attacks targeting financial firms, using phishing and Telegram to steal passwords and crypto assets.

PXA Stealer attacks are rising, with researchers reporting a 10% spike targeting financial firms. The malware uses phishing and Telegram to steal credentials and crypto data.

Read: hackread.com/financial-fi...

#CyberSecurity #Malware #Infostealer #PXAStealer

New Torg Grabber infostealer malware targets 728 crypto wallets
Torg Grabber is a rapidly evolving info-stealer that harvests sensitive data from 850 browser extensions — including 728 dedicated to cryptocurrency wallets — and also targets password managers, 2FA tools, note-taking apps, and desktop wallets. Gen Digital researchers found 334 unique samples compiled in three months, weekly-registered C2 domains, advanced evasion techniques, and a standalone extraction tool called Underground that abuses Chrome’s COM Elevation Service. #TorgGrabber #GenDigital

Torg Grabber malware targets 850 browser extensions, including 728 focused on crypto wallets like MetaMask and Coinbase. Uses advanced evasion and a tool abusing Chrome’s COM Elevation Service. #InfoStealer #CryptoTheft #USA


Hackers Use Fake Resumes to Breach
Read More: buff.ly/GroDr2T

#FAUXELEVATE #ResumePhishing #FranceCyber #Infostealer #CryptoMiningMalware #CloudAbuse #EnterpriseSecurity #ThreatIntel


Alert: MioLab, a sophisticated macOS infostealer, is targeting Apple users with advanced tactics. Stay vigilant and protect your data. #CyberSecurity #macOS #MioLab #Infostealer Link: thedailytechfeed.com/miolab-infos...

Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.

#Trivy vulnerability scanner breach pushed #infostealer via #GitHub Actions

www.bleepingcomputer.com/news/security/trivy-vuln...

#cybersecurity #malware

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
Credential stealer in trojanized versions. Read more about Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper.

Trivy Hack Spreads Infostealer via Docker Triggers Worm and Kubernetes Wiper reconbee.com/trivy-hack-s...

#Trivyhack #infostealer #docker #kuberneteswiper #kubernetes #cybersecurity #cyberattack

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments. The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library. "New image tags 0.69.5 and

iT4iNT SERVER Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper VDS VPS Cloud #TrivyHack #Cybersecurity #Infostealer #Docker #Kubernetes

Trivy Supply Chain Attack Expands to Compromised Docker Images
Socket's threat research team discovered additional compromised Trivy Docker images (tags 0.69.5 and 0.69.6) pushed without corresponding GitHub releases, both containing indicators tied to the TeamPCP infostealer. The incident also exposed Aqua Security GitHub resources and prompted recommendations to avoid affected Trivy versions and treat recent executions as potentially compromised. #TeamPCP #Trivy

Trivy Docker images 0.69.5 and 0.69.6 were found compromised with TeamPCP infostealer indicators, pushed without matching GitHub releases. Aqua Security resources also exposed in this supply chain attack. #TeamPCP #DockerAttack #Infostealer


📰 VoidStealer Malware Steals Chrome's Master Key via a Debugger Trick

👉 Read the full article here: ahmandonk.com/2026/03/23/malware-voids...

#beritaTeknologi #debuggerTrick #googleChromeAbe #infostealer #keamananSiber #malwareChrome #malware

VoidStealer malware steals Chrome master key via debugger trick
VoidStealer, an infostealer seen in the wild, bypasses Chrome’s Application-Bound Encryption (ABE) by using hardware breakpoints to extract the v20_master_key directly from browser memory. The malware attaches as a debugger to suspended browser processes at startup, reads the register holding the plaintext master key, and uses ReadProcessMemory to steal it, a technique likely adopted from the open-source ElevationKatz project. #VoidStealer #v20_master_key

VoidStealer malware steals Chrome’s v20_master_key by attaching as a debugger to suspended browser processes and using hardware breakpoints to read plaintext keys from memory—no privilege escalation needed. #HardwareBreakpoint #InfoStealer
