#malvertising -> Fake Apple Site -> #infostealer
Fake Apple Site:
mac-cleanup-space.gitlab[.]io
urlscan.io/result/019d9...

Malicious Domain:
peaecagent[.]com
#malware

MacSync Stealer Campaign Impacting U.S. SLTT macOS Users MacSync Stealer is an active macOS infostealer campaign leveraging SEO poisoning and ClickFix fake CAPTCHA social engineering to trick U.S. SLTT users into pasting Terminal commands that fetch and execute Zsh and AppleScript payloads. The campaign features a Loader-as-a-Service model with API key‑gated C2 infrastructure and in-memory AppleScript execution to evade...

MacSync Stealer targets U.S. SLTT macOS users via SEO poisoning and fake CAPTCHA "ClickFix" pages, deploying in-memory AppleScript and trojanized Ledger apps to steal seed phrases. #MacSyncStealer #US #Infostealer

Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them Group Unknown cybercriminal operator(s); attribution unconfirmed Type Infostealer-as-a-Service Malware Storm; a session-...

#Infostealer #browser #credential #theft #Session […]

[Original post on cybersecsentinel.com]

Executive Identity Risks

~Recordedfuture~
VIP credentials are prime targets for attackers using infostealers to bypass security controls.
-
IOCs: (None identified)
-
#IdentitySecurity #Infostealer #ThreatIntel

The silent “Storm”: New infostealer hijacks sessions, decrypts server-side Storm is a subscription-based infostealer that emerged in early 2026, harvesting browser credentials, session cookies, crypto wallets, files, and other sensitive data for remote decryption and automated exploitation. By performing server-side decryption across Chromium and Gecko browsers and automating cookie restore, Storm evades endpoint telemetry tied to local SQLite access and enables silent access to SaaS and cloud accounts. #Storm #Microsoft365

Storm, a new subscription-based infostealer, exfiltrates passwords, session cookies, and crypto wallets, using server-side decryption to bypass local telemetry and silently access cloud accounts. #Infostealer #CloudSecurity #Microsoft365

#malvertising -> Fake Apple Site -> #infostealer
Fake Apple Site:
macstorage.gitlab[.]io
urlscan.io/result/019d8...
#malware

Google Chrome Update Disrupts Infostealer Cookie Theft Google adds Device Bound Session Credentials (DBSC) to Chrome 146, using hardware keys to block infostealer use of stolen session cookies on Windows.

📢⚠️⛔ Google Chrome rolled out an update that disrupts infostealer attacks by making stolen session cookies useless.

Read: hackread.com/google-chrom...

#Cybersecurity #Infostealer #Malware #Chrome #Google

Google Chrome adds infostealer protection against session cookie theft Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.

#Google #Chrome adds #infostealer protection against session cookie theft

www.bleepingcomputer.com/news/security/google-chr...

#cybersecurity

Google Chrome adds infostealer protection against session cookie theft reconbee.com/google-chrom...

#googlechrome #infostealer #sessioncookie #cookie

#malvertising -> Fake Apple Site -> #infostealer
Fake Apple Site:
macclean-fixer.gitlab[.]io
urlscan.io/result/019d7...

Malicious domain:
isgilan[.]com
#malware

New macOS stealer campaign uses Script Editor in ClickFix attack A new campaign delivering the Atomic Stealer malware to macOS users abuses the Script Editor in a variation of the ClickFix attack that tricked users into executing commands in Terminal.

New #macOS stealer campaign uses Script Editor in #ClickFix attack

www.bleepingcomputer.com/news/security/new-macos-...

#cybersecurity #AtomicStealer #malware #infostealer #Apple

Original post on mastodon.uno

CrystalX: accesso remoto, furto di dati e scherzi
I ricercatori di #kaspersky hanno un nuovo #malware denominato #crystalx venduto in abbonamento su #telegram e pubblicizzato su #youtube I cybercriminali possono personalizzarlo tramite un pannello di controllo e scegliere quindi varie […]

📰 Malware Infostealer Baru "Torg Grabber" Targetkan 728 Dompet Kripto

👉 Baca artikel lengkap di sini: ahmandonk.com/2026/04/04/malware-infos...

#beritaTeknologi #clickfix #dompetKripto #ekstensiBrowser #infostealer #keamananSiber #malw

📰 Paket PyPI Populer LiteLLM Disusupi Backdoor untuk Curi Kredensial dan Token

👉 Baca artikel lengkap di sini: ahmandonk.com/2026/04/04/paket-pypi-po...

#beritaTeknologi #infostealer #keamananSiber #kredensialCloud #litellm #malware #pypi

Claude Code leak used to push infostealer malware on GitHub Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.

#ClaudeCode leak used to push #infostealer #malware on #GitHub

www.bleepingcomputer.com/news/security/claude-cod...

#Claude #AI #cybersecurity #DataBreach

New CrystalRAT malware adds RAT, stealer and prankware features A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities.

New #CrystalRAT #malware adds #RAT, stealer and #prankware features

www.bleepingcomputer.com/news/security/new-crysta...

#cybersecurity #infostealer

Original post on mastodon.uno

Claude Code: falsi repository GitHub distribuiscono malware
GitHub è da sempre sfruttata per distribuire malware. Un cybercriminale ha prontamente sfruttato il leak del codice sorgente di Claude Code per creare falsi repository che nascondono il noto infostealer Vidar. È sufficiente una ricerca […]

Because the user manually initiates the execution through the native Windows Run dialog, this tactic frequently bypasses standard EDR behavioral alerts.

#InfoSec #CyberSecurity #RedTeam #Malware #Infostealer #Technology #Microsoft #ClickFix #Armada #ArmadaOps #Hacking #ThreatIntel

Storm Infostealer Sold as Service, Targets Browsers, Wallets and Accounts Hackers are selling Storm Infostealer, a tool that bypasses Chrome encryption to steal cookies, credentials, crypto wallets and accounts across browsers.

📢⚠️ Hackers are selling “Storm Infostealer,” a tool that bypasses Chrome encryption, steals cookies, hijacks sessions, and targets crypto wallets across browsers.

Read: hackread.com/storm-infost...

#CyberSecurity #Malware #Infostealer #Chrome

Beware of BlankGrabber Stealer! This Python-based malware uses fake certificate loaders to hide its delivery chain, stealing sensitive data. Stay vigilant! #CyberSecurity #MalwareAlert #InfoStealer Link: thedailytechfeed.com/blankgrabber...

Original post on webpronews.com

Inside the GitHub Trap: How Fake VS Code Alerts Are Luring Developers Into Installing Malware Threat actors are filing fake security issues on GitHub repositories, tricking developers into download...

#CybersecurityUpdate #DevNews #developer #social […]

[Original post on webpronews.com]

Breach & Build — cybersecurity news

Watch out, crypto holders! A new threat, Torg Grabber, is actively targeting a shocking 728 crypto wallets. This...

#CyberSecurity #BreachAndBuild #TorgGrabber #Infostealer #CryptoSecurity

breachandbuild.com/torg-grabber-infostealer...

New Infinity Stealer malware grabs macOS data via ClickFix lures A new info-stealing campaign called Infinity Stealer targets macOS by delivering a Python payload compiled into a native executable with the Nuitka compiler and lures users via a ClickFix fake Cloudflare CAPTCHA. The payload performs anti-analysis checks, harvests browser credentials, macOS Keychain entries, cryptocurrency wallets and plaintext developer secrets, and exfiltrates data to a C2 via HTTP while notifying operators via Telegram; users should never paste unknown commands into Terminal. #InfinityStealer #Nuitka

New Infinity Stealer malware targets macOS by delivering Python payloads compiled with Nuitka, using fake ClickFix Cloudflare CAPTCHAs to steal browser credentials, Keychain data, crypto wallets, and dev secrets. #macOSMalware #InfoStealer

Awakari App

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer. The post Cloudfl...

#Malware #& #Threats #ClickFix #infostealer #Mac #malware

Origin | Interest | Match

New research reveals that infostealer malware can expose corporate credentials on the dark web within 48 hours. Stay vigilant and enhance your cybersecurity measures. #CyberSecurity #Infostealer #DataBreach Link: thedailytechfeed.com/infostealer-...

Suspected RedLine infostealer malware admin extradited to US An Armenian suspect was extradited to the United States to face criminal charges for allegedly helping manage RedLine, one of the most prolific infostealer malware operations in recent years. [...]

Suspected #RedLine #infostealer #malware admin extradited to US

www.bleepingcomputer.com/news/security/suspected-...

#cybersecurity #cybercrime

A fake website impersonating Avast antivirus is tricking people into infecting their own computers. The site looks legitimate, runs what appears to be a virus scan, and claims your system is full of threats. But the results are fake: when you’re prompted to “fix” the problem, the download you’re given is actually **Venom Stealer** —a type of malware designed to steal passwords, session cookies, and cryptocurrency wallet data. This is a classic scare-and-fix scam: create panic, then offer a solution. In this case, the “solution” abuses the trusted Avast brand to deliver the attack. ## **A scan that finds exactly what the attacker wants you to see** The phishing page is a recreation of the Avast brand, complete with navigation bar, logo, and reassuring certification badges. Visitors are invited to run what appears to be a comprehensive virus scan. Once they click, the page stages a brief animation before delivering its predetermined verdict: three threats found, three threats removed, system protected. A scrolling console log names a specific detection—`Trojan:Win32/Zbot.AA!dll`—to lend the performance an air of specificity. The victim is then prompted to download the cure: a file called `Avast_system_cleaner.exe`. This is the payload. And far from cleaning anything, it immediately begins stealing. ## **A Chrome service that is not Chrome** When the victim launches `Avast_system_cleaner.exe`, the binary—a 64-bit Windows PE executable roughly 2 MB in size—copies itself into a location designed to blend in with legitimate software: `C:\Program Files\Google\Chrome\Application\v20svc.exe`. The dropped file is byte-for-byte identical to the parent, sharing the same MD5 hash (`0a32d6abea15f3bfe2a74763ba6c4ef5`). It then launches the copy with the command-line flag `--v20c`, a meaningless argument whose sole purpose is to signal to the malware that it is running in its second-stage role. The disguise is deliberate. A process named v20svc.exe sitting inside Chrome’s application directory looks, at a glance, like a legitimate browser service component. Anyone scanning their task manager would likely scroll past it without a second thought. This is a textbook example of masquerading: naming a malicious binary to match the conventions of trusted software so it escapes casual inspection. A debug artifact baked into the binary confirms its lineage: the PDB path reads `crypter_stub.pdb`, indicating the executable was packed using a crypter, which is a tool designed to scramble a payload’s code so antivirus engines cannot recognise it from its signature alone. At the time of analysis, only 27% of engines on VirusTotal flagged the sample, meaning roughly three in four commercial antivirus products missed it entirely. YARA rules matched the sample to the **Venom Stealer** malware family, a known descendant of the Quasar RAT framework that has been sold on underground forums since at least 2020. Venom Stealer is purpose-built for data theft: browser credentials, session cookies, cryptocurrency wallets, and credit card details stored in browsers. ## **Every cookie, every wallet, every saved password** Once running, the malware works through a checklist of high-value targets on the victim’s machine. It starts with browsers. Behavioral analysis confirms the malware harvests saved credentials and session cookies. In the analysis environment, it was observed directly accessing Firefox’s cookie database at `C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite-shm`. Process memory also contained fully-formed JSON structures with stolen cookie data from Microsoft Edge and Google Chrome, including active sessions for Netflix, YouTube, Reddit, Facebook, LinkedIn, AliExpress, Outlook, Adobe, and Google. Stolen session cookies give the attacker the ability to hijack authenticated browser sessions without needing the victim’s password, including sessions protected by two-factor authentication. The malware also targets cryptocurrency wallets. Behavioral signatures confirm it searches for and attempts to steal locally-stored wallet data, and Venom Stealer is documented as targeting desktop wallet applications. For anyone holding crypto assets on a hot wallet, the implications are immediate. Beyond credentials, the stealer captures a screenshot of the victim’s desktop, saved temporarily as `C:\Users\<USER>\AppData\Local\Temp\screenshot_5sIczFxY95t2IQ5u.jpg`, and writes a session tracking file to `C:\Users\<USER>\AppData\Roaming\Microsoft\fd1cd7a3\sess`. A small marker file is also dropped at `C:\Users\Public\NTUSER.dat`—a path chosen to mimic a legitimate Windows registry hive file and avoid suspicion. ## **Disguised as analytics, delivered over plain HTTP** All stolen data is exfiltrated to a single command-and-control domain: `app-metrics-cdn[.]com`, which resolved to `104.21.14.89` (a Cloudflare address) during analysis. The domain name is crafted to look like a benign analytics or content delivery service, the kind of traffic that might not raise alarm bells in a corporate proxy log. The exfiltration follows a structured four-step sequence over unencrypted HTTP. First, a multipart form-data POST to `/api/upload` transmits the collected file—screenshots, wallet data, cookie databases—totalling around 140 KB. A second POST to /`api/upload-json` sends a structured JSON payload of approximately 29 KB containing parsed credentials and cookies. A confirmation POST to `/api/upload-complete` signals that the theft is finished. The malware then enters a heartbeat loop, periodically checking in at `/api/listener/heartbeat` to maintain contact with the operator’s infrastructure. All of this traffic uses a generic Mozilla/5.0 user-agent string, another attempt to blend in with ordinary web browsing. ## **Syscalls, sleep loops, and debugger checks** Venom Stealer does not simply steal and leave. It takes significant steps to avoid being caught. The most notable evasion technique is the use of direct and indirect system calls, a method where the malware invokes Windows kernel functions directly rather than routing through the standard `ntdll.dll `library. Because most endpoint detection tools work by intercepting calls to that library, this technique effectively blinds them. This behaviour was flagged in both the parent and the dropped child process. The malware also checks whether it is being debugged, queries CPU vendor and model information, reads the volume serial number of the system drive, creates guard pages in memory that can crash debuggers attempting to step through the code, and enumerates running processes. These are common techniques for detecting virtual machines and analysis environments. To frustrate automated analysis further, it incorporates sleep calls exceeding three minutes. ## **This is not a new trick** Impersonating security software to distribute malware is one of the oldest tricks in the book. A user who believes their system is infected is primed to act urgently, and a page that looks like a trusted antivirus vendor is exactly the kind of authority they will defer to. By staging a fake scan that “finds” threats and then offering a cure, the attacker exploits both fear and trust in a single interaction. This is not an isolated tactic. In May 2025, DomainTools documented a separate campaign in which attackers built a convincing clone of Bitdefender’s website and used it to distribute Venom RAT alongside the StormKitty stealer. The playbook is nearly identical: impersonate a security brand, manufacture urgency, and deliver a Trojan dressed as protection. It suggests this is a repeatable template, not a one-off experiment. ## What to do if you may have been affected Only download security software from official vendor websites. Avast’s legitimate site is avast.com. Do not trust search engine results, ads, or links in unsolicited emails. If you interacted with a site like this or downloaded the file, act quickly: * **Check if your system is infected**. Look for the file `v20svc.exe` in `C:\Program Files\Google\Chrome\Application\`. If it exists, your system was likely compromised by this malware. * **Run a full system scan immediately**. Use a trusted, up-to-date anti-malware tool (such as Malwarebytes) to detect and remove the infection. If the scan finds threats, follow the tool’s recommendations to quarantine or delete them. * **Change your password right away.** Start with email, banking, and any important accounts. Assume anything saved in your browser has been exposed. * **Sign out of all active sessions**. Log out of services like Google, Microsoft, Facebook, and Netflix. Stolen session cookies allow an attacker to bypass two-factor authentication entirely. * **Protect cryptocurrency funds**. If you use a desktop cryptocurrency wallet, transfer your funds to a new wallet generated on a clean device as soon as possible. ## **Indicators of Compromise (IOCs)** **File hashes** * SHA-256: `ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d` **Domains** * `app-metrics-cdn[.]com` **Network indicators** * `104.21.14.89` **C2 URLs** * `http://app-metrics-cdn[.]com/api/upload` * `http://app-metrics-cdn[.]com/api/upload-json` * `http://app-metrics-cdn[.]com/api/upload-complete` * `http://app-metrics-cdn[.]com/api/listener/heartbeat` * * * **We don’t just report on threats—we remove them** Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Bogus Avast website fakes virus scan, installs Venom Stealer instead A fake Avast scan tells you your PC is infected, then installs the malware that steals passwords, session data and crypto wallet...

#News #Threat #Intel #avast #infostealer

Origin | Interest | Match

New Torg Grabber infostealer malware targets 728 crypto wallets A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets.

New #TorgGrabber #infostealer #malware targets 728 #crypto wallets

www.bleepingcomputer.com/news/security/new-torg-g...

#cybersecurity

Suspected Armenian Extradited for Operating RedLine Malware Scheme Following Co-Conspirator Arrest Hambardzum Minasyan was extradited for developing and administering the RedLine infostealer malware scheme, according to court documents.

Full Article: www.technadu.com/suspected-ar...

👉 Do you think going after infrastructure operators will slow down malware campaigns? Comment your thoughts.
#Cybersecurity #Malware #CyberCrime #Infostealer #InfoSec

Suspected RedLine infostealer malware admin extradited to US Hambardzum Minasyan was extradited to the United States and charged with helping manage the RedLine infostealer operation by registering servers, domains, a cryptocurrency account, and file-sharing repositories used to distribute the malware and receive affiliate payments. International law enforcement actions, including the Dutch Operation Magnus seizure and U.S. charges against other suspects, underscore a coordinated effort to disrupt RedLine and pursue those responsible. #RedLine #HambardzumMinasyan

Hambardzum Minasyan extradited to the US, charged with managing infrastructure for the RedLine infostealer, including server registration, crypto accounts, and file-sharing used in malware distribution. #RedLineMalware #InfoStealer #USA