malware

According to Cointelegraph, Mandiant, a U.S. cybersecurity company affiliated with Google Cloud, has discovered that a North Korea-linked threat organization is intensifying social engineering attacks against cryptocurrency and fintech companies.The threat group, codenamed UNC1069, has deployed seven malware families, including the newly discovered SILENCELIFT, DEEPBREATH, and CHROMEPUSH, aimed at obtaining sensitive data and stealing digital assets. The attackers exploit compromised Telegram accounts and use AI-generated deepfake videos to lure victims into fake Zoom meetings.Mandiant has been tracking this organization since 2018, but advancements in artificial intelligence have helped the group expand its malicious activities since November 2025. In one intrusion incident, the attackers used a stolen Telegram account of a cryptocurrency founder to initiate contact, inducing victims to execute "troubleshooting" commands containing hidden instructions through a so-called ClickFix attack.

According to Cointelegraph, Mandiant, a U.S. cybersecurity company affiliated with Google Cloud, has discovered that a North Korea-linked threat organization is intensifying social engineering attacks against cryptocurrency and fintech companies.The threat group, codenamed UNC1069, has deployed seven malware families, including the newly discovered SILENCELIFT, DEEPBREATH, and CHROMEPUSH, aimed at obtaining sensitive data and stealing digital assets. The attackers exploit compromised Telegram accounts and use AI-generated deepfake videos to lure victims into fake Zoom meetings.Mandiant has been tracking this organization since 2018, but advancements in artificial intelligence have helped the group scale up its malicious activities since November 2025. In one intrusion incident, the attackers used a stolen Telegram account of a cryptocurrency founder to initiate contact, inducing victims to execute "troubleshooting" commands containing hidden instructions through a so-called ClickFix attack.

According to Cointelegraph, cybersecurity researcher Jeremiah Fowler discovered a public database containing approximately 149 million usernames and passwords, which were collected from infected personal devices through information-stealing malware. The database includes account information related to multiple major platforms, with at least 420,000 login credentials associated with Binance users.Experts emphasize that this is not a breach of Binance's systems, but rather the extraction of saved login information from infected devices via "information-stealing" malware. This malware disguises itself as game cheating tools or modifiers, specifically targeting cryptocurrency wallets and browser extensions, affecting over 100 browsers and at least 80 cryptocurrency exchanges, including Binance, Coinbase, Crypto.com, and MetaMask.

According to market news, a sophisticated phishing attack targeting Cardano users is spreading announcements disguised as the "Eternl Desktop" wallet, luring users to download and install a malicious MSI file containing remote control tools.The attackers have forged an official tone and referenced NIGHT and ATMA token incentives, using the domain download.eternldesktop.network to distribute unsigned installation packages. Security researchers revealed that the file contains the LogMeIn Resolve component, which allows for remote command execution and persistent system control. Users are advised to obtain wallet software only through official channels.

According to financefeeds, global cybersecurity company Kaspersky has issued an urgent alert regarding a new sophisticated information-stealing tool named "Stealka," which has begun launching large-scale attacks against Windows users.This malware was discovered at the end of 2025 and is specifically designed to collect sensitive financial data, browser credentials, and cryptocurrency wallet information. Stealka is primarily distributed through deceptive platforms like GitHub and SourceForge, disguised as "cracks" for pirated software or high-demand applications.The malware is particularly dangerous because it employs advanced obfuscation techniques to bypass traditional signature-based security solutions, often remaining undetected during comprehensive scans of the victim's device. This threat emerges at a time when password theft detection has surged nearly 60% throughout the year, marking a more aggressive phase in the evolution of digital financial crime.

The Chief Information Security Officer of Slow Fog, 23pds, shared that the MacSync Stealer malware, active on the macOS platform, has shown significant evolution, with user assets already being stolen.The forwarded article mentions that it has upgraded from early low-threshold inducement methods like "dragging to terminal" and "ClickFix" to code signing and notarized Swift applications by Apple, significantly enhancing its concealment. Researchers found that the sample spreads in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguising itself as instant messaging or utility applications to induce users to download. Unlike previous versions, the new version does not require any terminal operations from the user; instead, a built-in Swift helper pulls and executes encoded scripts from a remote server, completing the information theft process.The malware has completed code signing and has been notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the relevant hash has not been revoked by Apple during analysis. This means it has a higher "trustworthiness" under the default macOS security mechanisms, making it easier to bypass user vigilance. The research also found that the DMG is unusually large, containing bait files such as LibreOffice-related PDFs to further reduce suspicion.Security researchers point out that such information-stealing Trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple’s signing and notarization mechanisms, the risks of phishing and private key leakage for cryptocurrency users in the macOS environment are on the rise.

According to 23pds, the Chief Information Security Officer of Slow Fog Technology, a new variant of the information-stealing malware MacSync has emerged, successfully bypassing the macOS Gatekeeper security mechanism, resulting in the theft of user assets.This malware employs various techniques to evade detection, including file inflation, network connection validation, and self-destruct scripts after execution. Attackers can use this software to steal sensitive data from victims, such as iCloud keychains, browser passwords, and cryptocurrency wallets. Users should remain vigilant, avoid downloading software from unknown sources, promptly update operating system security patches, and take additional measures to protect the security of their crypto assets.

The nonprofit organization Security Alliance warns that they are currently discovering multiple scam attempts initiated by North Korean hackers every day, with these attacks luring victims through fake Zoom meetings.The scam technique involves inducing victims to download malware during a "fake Zoom call," thereby stealing sensitive information, including passwords and private keys. Security researcher Taylor Monahan warns that this tactic has siphoned off over $300 million in assets from users.The scam typically begins with a message from a Telegram account, which often belongs to someone the victim "knows." Due to the familiar identity, the victim lets their guard down. The conversation then naturally transitions to an invitation to "catch up over Zoom." Once the call starts, the hacker pretends to encounter audio issues and sends a so-called "patch file." When the victim opens this file, malware is implanted on their device. The hacker then ends the fake call under the pretext of "rescheduling for another day."

According to Hackread.com, cybersecurity company Hudson Rock discovered an infected device while analyzing a LummaC2 information-stealing malware log, with the operator suspected to be a malware developer from a North Korean state-sponsored hacking group.The device was used to build the infrastructure supporting the $1.4 billion theft from the cryptocurrency exchange Bybit in February 2025. Analysis indicated that the credentials found on the device were linked to domains registered prior to the attack, which were used to impersonate Bybit. The device itself was high-end, equipped with development tools such as Visual Studio and Enigma Protector, as well as communication and data storage applications like Astrill VPN, Slack, and Telegram. Its activity traces also showed that the attackers purchased relevant domain names and prepared fake Zoom installers to carry out phishing attacks. This finding rarely reveals the internal operational details of asset sharing in North Korean-supported hacking activities.

According to Cointelegraph, Trustwave's cybersecurity research team SpiderLabs reported that a banking Trojan named "Eternidade Stealer" is spreading widely in Brazil through WhatsApp.Attackers use social engineering tactics such as fake government program notifications, courier messages, and investment groups to lure users into clicking malicious links. Once clicked, the malware simultaneously infects the device and hijacks the WhatsApp account, automatically spreading to the victim's contact list. The Trojan is capable of scanning and stealing login credentials from multiple Brazilian banks, fintech companies, and cryptocurrency exchanges. To avoid detection, the malware uses a preset Gmail account to receive commands instead of a fixed server address. Security experts advise users to remain vigilant about any links, even those from trusted contacts, and to keep software updated to prevent such attacks.

Thai officials announced on Wednesday that they have successfully recovered over $432,000 in stolen digital assets from an Eastern European cybercriminal hiding in Phuket. According to local media, Major General Surapol Premphet, who leads the Cyber Crime Investigation Bureau (CCIB) of Thailand, revealed that "Operation 293" successfully seized and returned $320,000 worth of cryptocurrency to Thai victims.The hacker allegedly deployed malware to infiltrate victims' devices to steal authentication keys and mnemonic phrases, which are critical access credentials for cryptocurrency accounts.

According to a report by Decrypt, Google's Threat Analysis Group has found at least five new types of malware that are dynamically generating and hiding malicious code using large language models (LLMs). Among them, the North Korea-linked hacker group UNC1069 has been discovered using Gemini to probe wallet data and create phishing scripts with the intent to steal digital assets.These malware employ "real-time code creation" techniques to evade traditional security detection by calling external AI models such as Gemini or Qwen 2.5-Coder. Google stated that it has disabled the relevant accounts and strengthened security measures for model access.

ChainCatcher news, according to SlowMist's Yu Xian news, the North Korean hacker-related Trojan SilentSiphon is capable of extracting data from Apple Notes, Telegram, and browser extensions, as well as obtaining credentials from browsers and password managers, and extracting confidential information from configuration files related to various services.Users should enhance their security awareness, regularly update software versions, avoid downloading applications from unknown sources, and use reliable security software for protection.

ChainCatcher news, according to Decrypt, the Google Threat Analysis Group has discovered that North Korean hackers are using EtherHiding malware for cyber attacks. This malware facilitates cryptocurrency theft by hiding malicious code within blockchain smart contracts, primarily targeting Ethereum and BNB Chain.

ChainCatcher news, Slow Mist Technology's Chief Information Security Officer 23pds posted on X platform that a variant of the AMOS espionage Trojan, Odyssey, is distributing fake AI tool advertisements through channels like Twitter, enticing users to download malware disguised as AI tool clients.It uses AppleScript as the main payload to steal sensitive data such as system information, browser data, and cryptocurrency wallet information.

ChainCatcher news, according to Cointelegraph, based on research by security company Mosyle, the newly discovered malware ModStealer is targeting cryptocurrency users on macOS, Windows, and Linux systems, stealing wallet private keys and login credentials.The malware went undetected by mainstream antivirus engines for nearly a month after being uploaded to the VirusTotal platform. ModStealer spreads through fake job advertisements, particularly targeting Web3 developers. Once users install the malicious package, the program embeds itself to run in the system background, stealing clipboard data, taking screenshots, and executing remote commands. Its code specifically targets wallet extensions for Safari and Chromium browsers.ModStealer maintains persistence on macOS by registering a background agent, with servers located in Finland but potentially masking the operator's origin through German infrastructure. The technical director of blockchain security company Hacken advises developers to verify the authenticity of the hiring party and domain names, require sharing test tasks through public code repositories, and open files in a temporary virtual machine without wallets or keys. It emphasizes the need to strictly differentiate between the development environment and wallet storage environment, use hardware wallets, and verify transaction addresses on the device's display.

ChainCatcher news, according to market reports, security company Mosyle has disclosed a cross-platform malware called ModStealer, which can disguise itself as a background helper program to bypass mainstream antivirus detection, specifically targeting the browser cryptocurrency wallet data on Windows, Linux, and macOS systems.The software spreads by masquerading as job advertisements, targeting developers who have a Node.js environment installed. ModStealer can run automatically and collect wallet extensions, system credentials, and digital certificates, subsequently uploading the data to a remote C2 server. Security experts warn that this malware poses a direct threat to cryptocurrency users and platforms, potentially leading to the leakage of private keys, recovery phrases, and API keys, triggering large-scale on-chain attacks.

ChainCatcher news, DuckDB's official Twitter account stated that the DuckDB Node.js and Wasm packages were compromised with malware in a recent npm supply chain attack. The official team has investigated and deprecated the affected versions, while releasing new versions. DuckDB stated that, according to npm data, no users have downloaded the affected packages. The team has released a security announcement detailing the post-analysis and response measures.

ChainCatcher news, according to researchers from ReversingLabs, the NPM packages "colortoolsv 2" and "mimelib 2" released in July utilize Ethereum smart contracts to hide malicious URLs, avoiding security scans. These packages operate as downloaders, retrieving command and control server addresses from the smart contracts, and then downloading second-stage malware, making blockchain traffic appear legitimate, thereby increasing detection difficulty.The research indicates that this is the first time Ethereum smart contracts have been found to host malicious command URLs, demonstrating that attackers' strategies to evade detection in open-source repositories are rapidly evolving.

ChainCatcher news, according to Cointelegraph, based on research by the digital asset compliance company ReversingLabs, hackers have recently utilized Ethereum smart contracts to store malicious instructions and spread new types of malware through the Node Package Manager (NPM) software package repository.The "colortoolsv2" and "mimelib2" packages released in July obtain the download addresses for the second stage of malicious software by querying blockchain smart contracts, evading traditional security scans. This attack is part of a large social engineering scam, where hackers create fake cryptocurrency trading bot repositories on GitHub, establishing a credible image through forged commit records, maintaining accounts, and professional documentation.Researchers point out that while the North Korean hacker group Lazarus has used similar techniques, the use of smart contracts to host malicious URLs is a first discovery, indicating that attack strategies continue to evolve.