trojan

The security research organization Elastic Security Labs has disclosed a new social engineering attack targeting personnel in the finance and cryptocurrency industries. The attackers impersonate venture capital firms on LinkedIn and Telegram, tricking targets into opening an Obsidian note repository that contains a built-in malicious payload, thereby deploying a previously unrecorded Windows remote access Trojan called PHANTOMPULSE.This attack does not exploit any software vulnerabilities but instead abuses the Shell Commands plugin of Obsidian to automatically execute malicious code when the note repository is opened. On the macOS side, it uses an obfuscated AppleScript launcher in conjunction with a Telegram channel as a backup command and control server, while on the Windows side, it leverages Ethereum transaction data to achieve blockchain-based C2 address resolution.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) ([email protected] and [email protected]), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.

GoPlus Chinese community issued a warning on platform X, stating that North Korean hackers have published a set of 26 malicious packages to the npm registry. These malicious packages come with an installation script ("install.js") that automatically executes during the package installation process, running malicious code located in "vendor/scrypt-js/version.js".The malicious code downloads and executes a remote access trojan (RAT) via the same malicious URL, implementing malicious activities such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity known as "Famous Chollima".

The Chief Information Security Officer of Slow Fog, 23pds, reminded on the X platform that a fake recruitment campaign named "graphalgo" is exploiting remote access trojans (RAT) to target cryptocurrency developers.

The Chief Information Security Officer of Slow Fog, 23pds, shared that the MacSync Stealer malware, active on the macOS platform, has shown significant evolution, with user assets already being stolen.The forwarded article mentions that it has upgraded from early low-threshold inducement methods like "dragging to terminal" and "ClickFix" to code signing and notarized Swift applications by Apple, significantly enhancing its concealment. Researchers found that the sample spreads in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguising itself as instant messaging or utility applications to induce users to download. Unlike previous versions, the new version does not require any terminal operations from the user; instead, a built-in Swift helper pulls and executes encoded scripts from a remote server, completing the information theft process.The malware has completed code signing and has been notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the relevant hash has not been revoked by Apple during analysis. This means it has a higher "trustworthiness" under the default macOS security mechanisms, making it easier to bypass user vigilance. The research also found that the DMG is unusually large, containing bait files such as LibreOffice-related PDFs to further reduce suspicion.Security researchers point out that such information-stealing Trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple’s signing and notarization mechanisms, the risks of phishing and private key leakage for cryptocurrency users in the macOS environment are on the rise.

ChainCatcher news, Slow Mist Technology's Chief Information Security Officer 23pds posted on X platform that a variant of the AMOS espionage Trojan, Odyssey, is distributing fake AI tool advertisements through channels like Twitter, enticing users to download malware disguised as AI tool clients.It uses AppleScript as the main payload to steal sensitive data such as system information, browser data, and cryptocurrency wallet information.

ChainCatcher news, according to Cointelegraph, security company Check Point warned that a malware named "JSCEAL," active since March 2024, has been inducing users to download a trojan through ads by impersonating nearly 50 popular crypto applications such as Binance, MetaMask, and Kraken, potentially affecting over ten million people worldwide. This trojan is written in JavaScript and has anti-detection mechanisms, capable of stealing wallet information, account passwords, Telegram data, and browser cookies, primarily disseminated through ads on platforms like Facebook.

ChainCatcher news, according to Cointelegraph, U.S. Congresswoman Marjorie Taylor Greene stated that the "GENIUS Stablecoin Act" opens a "backdoor" for the government to implement central bank digital currency (CBDC), merely disguised as privately issued crypto tokens. She pointed out that regulated stablecoins possess "functional monitoring capabilities," which are essentially no different from CBDCs.Greene further stated on social media: "This bill paves the way for CBDCs by regulating stablecoins. The Federal Reserve has been planning CBDCs for years, and this is a key step towards a cashless society. It could evolve into a digital currency system controlled by a totalitarian government, deciding whether you have the right to buy and sell goods."Her remarks align with the increasingly strong concerns within the crypto community—more and more people are wary that regulated stablecoins may just be a prelude to state control over digital assets.

ChainCatcher message, the latest intelligence from the SlowMist security team indicates that the North Korean Lazarus hacker group is using a new type of espionage Trojan called OtterCookie to launch targeted attacks against cryptocurrency and financial professionals.The total methods include faking high-paying job interviews/investor meetings, using deepfake videos to impersonate recruiters, and disguising malware as "programming test questions" or "system update packages."The targets for theft include login credentials saved in browsers, passwords and digital certificates in the macOS Keychain, as well as cryptocurrency wallet information and private keys.SlowMist recommends being vigilant about unsolicited job/investment offers, requiring multi-factor authentication for remote interviews, avoiding running executable files from unknown sources, especially so-called "technical test questions" or "update patches," strengthening endpoint protection (EDR), deploying antivirus software, and regularly checking for abnormal processes.

ChainCatcher message, SlowMist has released a security alert that the Android banking Trojan "Crocodilus" has recently upgraded, leading to attacks targeting global cryptocurrency users and banking applications. The main threats include: spreading through fake browser updates in Facebook ads; using overlay attacks to steal login credentials; extracting cryptocurrency wallet recovery phrases and private keys; injecting fake "bank support" numbers into contact lists; malware as a service: available for rent (100-300 USD per attack). Users are reminded to avoid unknown app updates and ad links.

ChainCatcher news, Slow Mist Technology's Chief Information Security Officer 23pds posted on X platform, warning cryptocurrency users to be cautious of trojans disguised as TradingView cracked versions. Recently, AMOS and Lumma information stealers are spreading through Reddit posts, specifically targeting cryptocurrency users to steal wallets and personal data, with victims including Mac and Windows users.

According to ChainCatcher news reported by Cointelegraph, tech giant Microsoft has discovered a new type of Remote Access Trojan (RAT) that specifically targets 20 cryptocurrency wallet extensions in the Google Chrome browser to steal crypto assets.The Microsoft Incident Response team revealed in a blog post on March 17 that they first detected the malware named StilachiRAT last November. This software is capable of stealing credentials, digital wallet information, and clipboard data stored in the browser. Once deployed, attackers can use StilachiRAT to scan the configuration information of the 20 cryptocurrency wallet extensions to steal crypto wallet data, including wallets such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.Microsoft's analysis pointed out: "Research on the WWStartupCtrl64.dll module of StilachiRAT, which contains RAT functionality, indicates that it employs multiple methods to steal information from the target system." Among other features, the malware can extract credentials stored in the Google Chrome local state file and monitor clipboard activity to obtain sensitive information such as passwords and encryption keys. It also has detection evasion and anti-forensics capabilities, such as clearing event logs and checking if it is running in a sandbox to thwart analysis attempts.Currently, Microsoft has not been able to identify the perpetrators behind the malware but hopes to reduce the number of potential victims by publicly sharing information. Microsoft advises users to take measures to avoid becoming victims of the malware, including installing antivirus software, and cloud-based anti-phishing and anti-malware components on their devices.

ChainCatcher news, according to Decrypt, cybersecurity company Kaspersky has discovered that hackers are using copyright complaints to threaten YouTube content creators, forcing them to add the cryptocurrency mining Trojan SilentCryptoMiner in their video descriptions. This malware is based on XMRig and is used to mine cryptocurrencies such as Ethereum, Ethereum Classic, Monero, and Ravencoin, and it controls a botnet via the Bitcoin blockchain.The primary targets of the hackers are YouTubers who provide installation tutorials for the Windows Packet Divert driver. They first launch false copyright complaints against the videos, then contact the creators claiming to be the developers of the driver, demanding that they add malicious links. Currently, it is known that one YouTuber with 60,000 followers has fallen victim, leading to over 40,000 downloads of the infected files. Kaspersky estimates that at least 2,000 devices have been infected.Kaspersky security researcher Leonid Bezvershenko warned that hackers are exploiting the trust between YouTubers and their audiences, and such threats may spread to platforms like Telegram. He advises users not to trust tutorials that request disabling antivirus software and to verify the source before downloading any files to prevent infection by cryptocurrency mining Trojans.

ChainCatcher message, Slow Mist's Chief Information Security Officer 23pds posted a reminder that recently, the well-known cryptocurrency theft Trojan MacOS Stealer has been suddenly open-sourced.Previously, its attack source code was sold for 1 BTC, and now the open-sourcing means that more malicious attackers can easily access this tool. This not only potentially allows attackers to have "one tool per person" for attacks but may also give rise to more covert and complex attack methods, posing greater challenges to the security of cryptocurrency assets.

ChainCatcher news, dYdX Foundation CEO Charles d'Haussy posted on social media that speakers will reveal secrets about the moat, Trojan horse, and flywheel at tomorrow's dYdX Day event.

ChainCatcher news, the cybersecurity company Doctor Web recently reported that it has detected malware disguised as legitimate software, such as office programs, game cheat programs, and online trading bots. This cryptocurrency hijacking and stealing software has infected over 28,000 users, primarily in Russia, but also including Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan, and Turkey.According to Doctor Web, the hackers have only obtained cryptocurrency worth about $6,000. However, it is unclear how much the creators of the malware have earned from cryptocurrency mining. The cybersecurity company stated that the sources of the malware include fraudulent GitHub pages and YouTube video descriptions with malicious links.Once a device is infected, the secretly deployed software hijacks computing resources to mine cryptocurrency. The "Clipper" also monitors cryptocurrency wallet addresses copied to the device's clipboard, then the malware replaces it with an address controlled by the attacker - this is how they steal small amounts of cryptocurrency.

ChainCatcher news, according to Cointelegraph, the cybersecurity company Moonlock warns that the AMOS trojan targeting Mac users can now clone the Ledger Live software and may soon clone other wallet applications.According to a report from cybersecurity company Moonlock Lab on August 5, the program is making a comeback, and the company found that it is being advertised through Google Adsense. In the ads, it disguises itself as popular MacOS programs, including the screen sharing application Loom, the user interface design tool Figma, the VPN Tunnelblick, and the instant messaging application Callzy. The developers of these applications have not authorized the counterfeit version of the AMOS malware.

ChainCatcher news, according to Dune data, the Solana ecosystem Telegram trading bot Trojan on Solana has a historical cumulative trading volume exceeding 6 billion dollars.