Threats Tagged 'information stealer'

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

A sophisticated multi-stage infection chain was identified through proactive threat hunting, beginning with the execution of MicrosoftToolkit.exe, a commonly abused hack tool. The attack employed file masquerading techniques, renaming a .dot file to .bat format to evade detection. The malware performed process discovery and attempted to terminate security-related processes before extracting payloads using extract32.exe. An AutoIt-compiled executable (Replies.scr) functioned as a loader, processing an external encrypted payload file and establishing command-and-control communication with infrastructure associated with Vidar Stealer. The malware demonstrated advanced anti-analysis capabilities, including debugger detection and instrumentation callback queries. It targeted credentials, browser data, cryptocurrency wallets, and system information. Post-execution cleanup routines deleted artifacts and terminated processes to minimize forensic evidence and evade detection, significantly complicating incident res...

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.

A sophisticated five-stage malware operation delivers two new malware families: Direct-Sys Loader and CGrabber Stealer. The attack begins with ZIP archives distributed via GitHub user attachment URLs, exploiting a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading. Direct-Sys Loader employs ChaCha20 encryption, direct syscall execution, and multiple anti-analysis checks including text file verification, enumeration of 67 analysis tool processes, and hypervisor detection. CGrabber Stealer collects extensive system metadata, browser credentials, cryptocurrency wallets, password managers, VPN configurations, and application artifacts from over 150 applications and extensions. The stealer excludes CIS region systems and uses ChaCha20 encryption with HMAC SHA256 authentication for data exfiltration via custom HTTP headers. Both families share identical cryptographic implementations, suggesting common development origin and representing operationally mature infrastructure designed for larg...

This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commodity malware designed to harvest sensitive data. The attack chain includes PowerShell scripts, position-independent shellcode, and a PE downloader, utilizing techniques like reflective PE loading, API hashing, and process injection to evade detection. StealC's capabilities include stealing browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, and system information. The malware uses encrypted C2 communication and operates without persistence, making it particularly stealthy.

MediumMalwareGermanyFranceUnited Kingdom+4#process injection#credential theft#social engineering

Marco Stealer, discovered in June 2025, is an information stealer targeting browser data, cryptocurrency wallets, and sensitive files. It employs anti-analysis techniques, string encryption, and terminates security tools. The malware collects system information, exfiltrates browser data using embedded files, and extracts cryptocurrency wallet data from browser extensions. It also targets popular services and cloud storage. Marco Stealer uses AES-256 encryption for C2 communication over HTTP. Despite recent law enforcement actions against similar threats, information stealers continue to pose significant risks to corporate environments.

MediumMalwareGermanyUnited KingdomFrance+2#marco stealer#aes encryption#data exfiltration

The Evelyn Stealer campaign targets software developers through weaponized Visual Studio Code extensions, employing a multistage delivery of information-stealing malware. The attack chain involves a downloader disguised as a legitimate Lightshot DLL, an injector that uses process hollowing to inject the final payload, and the Evelyn Stealer itself. The malware implements sophisticated anti-analysis techniques, collects sensitive information including browser credentials and cryptocurrency data, and exfiltrates the stolen data via FTP. This campaign highlights the increasing threat to developer communities and the need for enhanced security measures in development environments.

MediumMalwareGermanyUnited KingdomFrance+4#ftp exfiltration#anti-analysis techniques#visual studio code

A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with the PDF editor initially appearing harmless but later activating malicious capabilities. The threat actor used Google advertising to promote the PDF editor, with at least 5 different campaign IDs observed. The malware's activation occurred 56 days after the campaign's start, coinciding with a typical Google ad campaign duration. The threat actor has a history of distributing malicious code disguised as free utility tools, and this campaign has successfully affected several European organizations.

MediumMalwareGermanyFranceUnited Kingdom+5#google advertising#information stealer#obfuscation

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.

MediumMalwareTurkeySri LankaBangladesh+1#android malware#rafel rat#information stealer