Threats Tagged 'infostealer'

Threat actors are leveraging TikTok and Instagram Reels to distribute the Vidar infostealer through fake software tutorials. Two distinct campaigns use short-form videos disguised as tutorials for unlocking premium software like Spotify. The first campaign uses accounts mimicking official Windows profiles with AI-voiced clips instructing users to run PowerShell commands that download Vidar from lookalike domains. One video achieved over 100,000 views. The second campaign uses ordinary accounts posting music-backed clips that bait users in comments to receive malicious links via direct message. These campaigns exploit platform recommendation algorithms by encouraging saves and shares. Vidar is sold as a service for $300 lifetime license and harvests credentials, financial data and authentication tokens.

Threat actors are exploiting short-form video platforms like TikTok and Instagram Reels to conduct social engineering attacks. Two distinct campaign methods have been identified: professional-looking fake tutorials with AI-generated voiceovers promising free premium software, and casual videos showcasing premium features to generate engagement through comments. Both approaches direct victims to malicious websites hosting infostealer malware, particularly Vidarstealer. The campaigns leverage platform algorithms through high engagement rates including saves, shares, and comments. Attackers use multiple accounts with Windows-themed branding and manipulate PowerShell commands to download malicious executables. These techniques are difficult to counter as creators can delete warning comments and platform reporting mechanisms prove ineffective. The attacks target non-technical users seeking free access to premium services like Spotify, Microsoft Office, and other software, making social media feeds an emerging p...

This analysis examines Gamaredon's (UAC-0010, Armagedon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation with servers rotated approximately every 24 hours.

MediumMalwareUkraine#vbscript#gammaworm#cyberespionage

Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.

MediumMalwareSwitzerland#infostealer#blockchain c&c#clickfix

Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.

MediumCampaignUnited StatesUnited Kingdom#fileless powershell#infostealer#ai platform impersonation

A sophisticated infostealer operation was discovered masquerading as a cryptocurrency trading application called Tralert FX. The malicious MSI installer achieved only 3/52 AV detections by using a valid EV code signing certificate from a likely front company, AgilusTech LLC. The campaign has been active since June 2025, utilizing a three-module malware kit that includes system reconnaissance, keylogging, and browser credential theft capabilities. Stolen data is exfiltrated through five GitLab repositories via automated git commits on 30-minute cycles. Hardcoded credentials exposed the entire backend infrastructure, revealing over 4,100 commits, 90+ compromised hosts, and ongoing victim compromise. The operation demonstrates clear financial motivation with focus on cryptocurrency traders for account takeover. Three ProtonMail-linked GitLab accounts operate the infrastructure, assessed as a single operator or small team. The final payload is MoonPeak, a custom variant of XenoRAT.

The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.

A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.

Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush.