malware

GoPlus Chinese community issued a warning on platform X, stating that North Korean hackers have published a set of 26 malicious packages to the npm registry. These malicious packages come with an installation script ("install.js") that automatically executes during the package installation process, running malicious code located in "vendor/scrypt-js/version.js".The malicious code downloads and executes a remote access trojan (RAT) via the same malicious URL, implementing malicious activities such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity known as "Famous Chollima".

According to Cointelegraph, hackers are using the "ClickFix" attack method to steal cryptocurrencies, with the latest two attacks involving impersonating venture capital firms and hijacking browser extensions.Cybersecurity company Moonlock Lab reports that scammers impersonate fake VCs such as SolidBit, MegaBit, and Lumax Capital, contacting users via LinkedIn to offer collaboration opportunities, then directing them to click on fake Zoom and Google Meet links. After clicking the link, users are led to a page with a forged Cloudflare "I'm not a robot" verification box; clicking this box copies malicious commands to the clipboard and prompts users to open a terminal to paste the so-called verification code, thus executing the attack.Moonlock Lab points out that this method turns victims into execution mechanisms, bypassing defenses in the security industry. Meanwhile, hackers are also spreading malware by hijacking the Chrome extension QuickLens. This extension allows users to run Google Lens searches directly in the browser, and after ownership was transferred, the new version contains malicious scripts that can initiate ClickFix attacks and steal information.The extension has about 7,000 users, and once hijacked, it searches for cryptocurrency wallet data and recovery phrases to steal funds, as well as scraping Gmail inbox content, YouTube channel data, and login credentials or payment information entered in web forms. The extension has been removed from the Chrome Web Store. The ClickFix technique has been popular among hackers since last year, forcing victims to manually execute malicious payloads, affecting thousands of businesses and multiple industries worldwide.

GoPlus Security warns users to be cautious of a new type of Android malware called PromptSpy. This malware lures users into downloading APK files through phishing websites (such as those disguised as bank websites) and can remotely control devices after obtaining accessibility permissions.What makes PromptSpy unique is its use of the Google Gemini API to analyze the device interface and develop attack strategies, allowing it to better adapt to different phone brands and system versions, thereby increasing the stealth and success rate of the attacks.

Hackers are stealing cryptocurrency users' assets by placing fake Windows 11 update ads on Facebook. These ads use professional Microsoft branding and, when clicked by users, lead to a cloned Microsoft website where malware is subsequently downloaded.The malware installs a framework called "LunarApplication" on the victim's computer, specifically designed to steal cryptocurrency wallet seed phrases, login credentials, and other sensitive information. Hackers use geofencing technology to bypass data center IP addresses, preventing automated scanners from detecting the attack.

According to Cointelegraph, Mandiant, a U.S. cybersecurity company affiliated with Google Cloud, has discovered that a North Korea-linked threat organization is intensifying social engineering attacks against cryptocurrency and fintech companies.The threat group, codenamed UNC1069, has deployed seven malware families, including the newly discovered SILENCELIFT, DEEPBREATH, and CHROMEPUSH, aimed at obtaining sensitive data and stealing digital assets. The attackers exploit compromised Telegram accounts and use AI-generated deepfake videos to lure victims into fake Zoom meetings.Mandiant has been tracking this organization since 2018, but advancements in artificial intelligence have helped the group expand its malicious activities since November 2025. In one intrusion incident, the attackers used a stolen Telegram account of a cryptocurrency founder to initiate contact, inducing victims to execute "troubleshooting" commands containing hidden instructions through a so-called ClickFix attack.

According to Cointelegraph, Mandiant, a U.S. cybersecurity company affiliated with Google Cloud, has discovered that a North Korea-linked threat organization is intensifying social engineering attacks against cryptocurrency and fintech companies.The threat group, codenamed UNC1069, has deployed seven malware families, including the newly discovered SILENCELIFT, DEEPBREATH, and CHROMEPUSH, aimed at obtaining sensitive data and stealing digital assets. The attackers exploit compromised Telegram accounts and use AI-generated deepfake videos to lure victims into fake Zoom meetings.Mandiant has been tracking this organization since 2018, but advancements in artificial intelligence have helped the group scale up its malicious activities since November 2025. In one intrusion incident, the attackers used a stolen Telegram account of a cryptocurrency founder to initiate contact, inducing victims to execute "troubleshooting" commands containing hidden instructions through a so-called ClickFix attack.

According to Cointelegraph, cybersecurity researcher Jeremiah Fowler discovered a public database containing approximately 149 million usernames and passwords, which were collected from infected personal devices through information-stealing malware. The database includes account information related to multiple major platforms, with at least 420,000 login credentials associated with Binance users.Experts emphasize that this is not a breach of Binance's systems, but rather the extraction of saved login information from infected devices via "information-stealing" malware. This malware disguises itself as game cheating tools or modifiers, specifically targeting cryptocurrency wallets and browser extensions, affecting over 100 browsers and at least 80 cryptocurrency exchanges, including Binance, Coinbase, Crypto.com, and MetaMask.

According to market news, a sophisticated phishing attack targeting Cardano users is spreading announcements disguised as the "Eternl Desktop" wallet, luring users to download and install a malicious MSI file containing remote control tools.The attackers have forged an official tone and referenced NIGHT and ATMA token incentives, using the domain download.eternldesktop.network to distribute unsigned installation packages. Security researchers revealed that the file contains the LogMeIn Resolve component, which allows for remote command execution and persistent system control. Users are advised to obtain wallet software only through official channels.

According to financefeeds, global cybersecurity company Kaspersky has issued an urgent alert regarding a new sophisticated information-stealing tool named "Stealka," which has begun launching large-scale attacks against Windows users.This malware was discovered at the end of 2025 and is specifically designed to collect sensitive financial data, browser credentials, and cryptocurrency wallet information. Stealka is primarily distributed through deceptive platforms like GitHub and SourceForge, disguised as "cracks" for pirated software or high-demand applications.The malware is particularly dangerous because it employs advanced obfuscation techniques to bypass traditional signature-based security solutions, often remaining undetected during comprehensive scans of the victim's device. This threat emerges at a time when password theft detection has surged nearly 60% throughout the year, marking a more aggressive phase in the evolution of digital financial crime.

The Chief Information Security Officer of Slow Fog, 23pds, shared that the MacSync Stealer malware, active on the macOS platform, has shown significant evolution, with user assets already being stolen.The forwarded article mentions that it has upgraded from early low-threshold inducement methods like "dragging to terminal" and "ClickFix" to code signing and notarized Swift applications by Apple, significantly enhancing its concealment. Researchers found that the sample spreads in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguising itself as instant messaging or utility applications to induce users to download. Unlike previous versions, the new version does not require any terminal operations from the user; instead, a built-in Swift helper pulls and executes encoded scripts from a remote server, completing the information theft process.The malware has completed code signing and has been notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the relevant hash has not been revoked by Apple during analysis. This means it has a higher "trustworthiness" under the default macOS security mechanisms, making it easier to bypass user vigilance. The research also found that the DMG is unusually large, containing bait files such as LibreOffice-related PDFs to further reduce suspicion.Security researchers point out that such information-stealing Trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple’s signing and notarization mechanisms, the risks of phishing and private key leakage for cryptocurrency users in the macOS environment are on the rise.

According to 23pds, the Chief Information Security Officer of Slow Fog Technology, a new variant of the information-stealing malware MacSync has emerged, successfully bypassing the macOS Gatekeeper security mechanism, resulting in the theft of user assets.This malware employs various techniques to evade detection, including file inflation, network connection validation, and self-destruct scripts after execution. Attackers can use this software to steal sensitive data from victims, such as iCloud keychains, browser passwords, and cryptocurrency wallets. Users should remain vigilant, avoid downloading software from unknown sources, promptly update operating system security patches, and take additional measures to protect the security of their crypto assets.

The nonprofit organization Security Alliance warns that they are currently discovering multiple scam attempts initiated by North Korean hackers every day, with these attacks luring victims through fake Zoom meetings.The scam technique involves inducing victims to download malware during a "fake Zoom call," thereby stealing sensitive information, including passwords and private keys. Security researcher Taylor Monahan warns that this tactic has siphoned off over $300 million in assets from users.The scam typically begins with a message from a Telegram account, which often belongs to someone the victim "knows." Due to the familiar identity, the victim lets their guard down. The conversation then naturally transitions to an invitation to "catch up over Zoom." Once the call starts, the hacker pretends to encounter audio issues and sends a so-called "patch file." When the victim opens this file, malware is implanted on their device. The hacker then ends the fake call under the pretext of "rescheduling for another day."

According to Hackread.com, cybersecurity company Hudson Rock discovered an infected device while analyzing a LummaC2 information-stealing malware log, with the operator suspected to be a malware developer from a North Korean state-sponsored hacking group.The device was used to build the infrastructure supporting the $1.4 billion theft from the cryptocurrency exchange Bybit in February 2025. Analysis indicated that the credentials found on the device were linked to domains registered prior to the attack, which were used to impersonate Bybit. The device itself was high-end, equipped with development tools such as Visual Studio and Enigma Protector, as well as communication and data storage applications like Astrill VPN, Slack, and Telegram. Its activity traces also showed that the attackers purchased relevant domain names and prepared fake Zoom installers to carry out phishing attacks. This finding rarely reveals the internal operational details of asset sharing in North Korean-supported hacking activities.

According to Cointelegraph, Trustwave's cybersecurity research team SpiderLabs reported that a banking Trojan named "Eternidade Stealer" is spreading widely in Brazil through WhatsApp.Attackers use social engineering tactics such as fake government program notifications, courier messages, and investment groups to lure users into clicking malicious links. Once clicked, the malware simultaneously infects the device and hijacks the WhatsApp account, automatically spreading to the victim's contact list. The Trojan is capable of scanning and stealing login credentials from multiple Brazilian banks, fintech companies, and cryptocurrency exchanges. To avoid detection, the malware uses a preset Gmail account to receive commands instead of a fixed server address. Security experts advise users to remain vigilant about any links, even those from trusted contacts, and to keep software updated to prevent such attacks.

Thai officials announced on Wednesday that they have successfully recovered over $432,000 in stolen digital assets from an Eastern European cybercriminal hiding in Phuket. According to local media, Major General Surapol Premphet, who leads the Cyber Crime Investigation Bureau (CCIB) of Thailand, revealed that "Operation 293" successfully seized and returned $320,000 worth of cryptocurrency to Thai victims.The hacker allegedly deployed malware to infiltrate victims' devices to steal authentication keys and mnemonic phrases, which are critical access credentials for cryptocurrency accounts.

According to a report by Decrypt, Google's Threat Analysis Group has found at least five new types of malware that are dynamically generating and hiding malicious code using large language models (LLMs). Among them, the North Korea-linked hacker group UNC1069 has been discovered using Gemini to probe wallet data and create phishing scripts with the intent to steal digital assets.These malware employ "real-time code creation" techniques to evade traditional security detection by calling external AI models such as Gemini or Qwen 2.5-Coder. Google stated that it has disabled the relevant accounts and strengthened security measures for model access.

ChainCatcher news, according to SlowMist's Yu Xian news, the North Korean hacker-related Trojan SilentSiphon is capable of extracting data from Apple Notes, Telegram, and browser extensions, as well as obtaining credentials from browsers and password managers, and extracting confidential information from configuration files related to various services.Users should enhance their security awareness, regularly update software versions, avoid downloading applications from unknown sources, and use reliable security software for protection.

ChainCatcher news, according to Decrypt, the Google Threat Analysis Group has discovered that North Korean hackers are using EtherHiding malware for cyber attacks. This malware facilitates cryptocurrency theft by hiding malicious code within blockchain smart contracts, primarily targeting Ethereum and BNB Chain.

ChainCatcher news, Slow Mist Technology's Chief Information Security Officer 23pds posted on X platform that a variant of the AMOS espionage Trojan, Odyssey, is distributing fake AI tool advertisements through channels like Twitter, enticing users to download malware disguised as AI tool clients.It uses AppleScript as the main payload to steal sensitive data such as system information, browser data, and cryptocurrency wallet information.

ChainCatcher news, according to Cointelegraph, based on research by security company Mosyle, the newly discovered malware ModStealer is targeting cryptocurrency users on macOS, Windows, and Linux systems, stealing wallet private keys and login credentials.The malware went undetected by mainstream antivirus engines for nearly a month after being uploaded to the VirusTotal platform. ModStealer spreads through fake job advertisements, particularly targeting Web3 developers. Once users install the malicious package, the program embeds itself to run in the system background, stealing clipboard data, taking screenshots, and executing remote commands. Its code specifically targets wallet extensions for Safari and Chromium browsers.ModStealer maintains persistence on macOS by registering a background agent, with servers located in Finland but potentially masking the operator's origin through German infrastructure. The technical director of blockchain security company Hacken advises developers to verify the authenticity of the hiring party and domain names, require sharing test tasks through public code repositories, and open files in a temporary virtual machine without wallets or keys. It emphasizes the need to strictly differentiate between the development environment and wallet storage environment, use hardware wallets, and verify transaction addresses on the device's display.