Spanish authorities arrest the leader of a cybercrime group

Spanish authorities have arrested a 25-year-old man accused of leading the GXC Team, a group that allegedly engages in the distribution of malicious software and artificial intelligence tools to other cybercriminals. This operation highlights the growing concern about cybersecurity and cybercrime activity in Europe, especially as hacking techniques become more sophisticated.

Groups that are becoming more common

The arrest, made in collaboration with European cybersecurity agencies, highlights the concerted effort to address emerging threats in the digital realm. The GXC Team has been mentioned in several investigations for their alleged involvement in cyberattacks that have affected both companies and individuals in various countries. Authorities suspect that the detainee not only produced malware, but also offered their services for sale, which has expanded the scope of their criminality to a concerning level.

The arrest of this key figure in the GXC Team comes at a time when cyber offenses are on the rise, increasing the vulnerability of systems in critical infrastructures and companies across all industries. In this context, security measures have been intensified, and international cooperation is beginning to show results in the fight against cybercrime.

Although the arrested individual is just a link in the chain of cybercrime, their capture could dismantle part of the network that has been operating in the shadows of the internet. Now, authorities are investigating more about the connections of the GXC Team and the possible involvement of other individuals in this illegal activity. Experts warn that the battle against cybercrime is far from over, suggesting that criminal structures can adapt and evolve quickly.

ProSpy and ToSpy: the latest spyware threats disguised as messaging applications

Researchers from ESET have recently discovered two families of spyware, identified as ProSpy and ToSpy, that impersonate popular messaging applications, Signal and ToTok, apparently targeting residents of the United Arab Emirates. Experts revealed that these malware campaigns were detected in June, although they are believed to date back to early last year.

Be very careful with what you install on your mobile

ToTok, which had been widely criticized for being a spying tool of the UAE government, was discontinued in 2020 following an investigation by the New York Times. The spyware, however, presents itself as an improved version of that application, called ToTok Pro. Once installed, the malware requests permission to access contacts, text messages, and stored files, which lets it exfiltrate sensitive information, including device data and multimedia content.

It is important to note that the infected applications were not available in the official app stores. Instead, manual installation from third-party sites that mimicked legitimate services was required. For example, one of these malicious sites imitated Samsung’s Galaxy Store, leading users to install fraudulent versions of the ToTok application.

The confirmed detections of this spyware in the UAE, along with the use of phishing techniques and fake app stores, suggest that attackers are carrying out strategic operations focused on this region. This is not the first time a similar phenomenon has been observed, as in the past, ESET has documented the cover-up of malware in fake app updates such as WhatsApp and on sites that pretend to offer Telegram.

According to ESET’s research, since the popularity of the ToTok app was concentrated in the UAE and considering the impersonation tactics used, it is reasonable to think that users in this region are the primary target of spyware campaigns.

Cybercriminals exploit remote access tools to compromise security

Recently, there has been an increase in the activities of groups of individuals using malicious strategies to compromise the security of users’ computer systems. These threat actors employ various tactics to deceive people, which has led to a significant increase in the installation of unauthorized remote access tools. These tools, although designed to facilitate the control and management of systems remotely, can be maliciously used by attackers to access sensitive information or take control of devices.

The danger of working from home

The most common methods used to get users to install remote monitoring and management (RMM) software are phishing and misleading offers. Some cybercriminals send emails that appear to be official communications from well-known companies, while others create ads that promise free solutions or significant discounts on technology products. These tactics aim to exploit the user's curiosity or need, leading them to run programs that compromise their security.

Additionally, it is important to highlight that the proliferation of these methods has also been encouraged by the growing dependence of users on digital technologies during the pandemic. With more people working from home, many are unaware of the dangers associated with software that allows remote access. The unintentional installation of these tools can lead to serious intrusions, compromising both personal data and corporate information.

Cybersecurity experts warn that it is always advisable to verify the authenticity of any software you wish to install and to be wary of offers that seem too good to be true. Prevention becomes the first line of defense against these emerging threats that, unfortunately, continue to rise.

Malicious extensions threaten Visual Studio Code users

In recent days, it has been reported that several Visual Studio Code extensions are exploiting a vulnerability that allows the reuse of package names that have been deleted. This issue has raised concerns in the developer community, as it could jeopardize the integrity of the tools used in the coding process.

The great concern among developers

The vulnerability arises in the Visual Studio Code extension registry, where the names of deleted packages can be reused by new developers. This means that a malicious extension could adopt the name of a legitimate extension that was previously deleted, which confuses users and can lead to the accidental installation of harmful software. Without robust identity verification systems for packages, the environment becomes a fertile ground for exploitation.

Code extensions can have extensive permissions that allow access to user files and data. This poses a significant danger, as malicious extensions can manipulate or steal sensitive information on the developer’s device. Experts are advising users to be cautious when installing new extensions and to carefully review the developers behind each package.

So far, the extent of the problem and how many developers have been affected is unknown. However, the community is urging Microsoft to implement measures that effectively address this vulnerability. Users of Visual Studio Code, who rely on this powerful development tool, must now remain vigilant and be proactive in protecting their work environments.

This discovery has highlighted the need for constant vigilance within the ecosystem of applications and extensions. In an environment where cybersecurity is increasingly crucial, both developers and users must remain alert to emerging threats.
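A practical counterpart to the advice above is to treat the full extension ID (publisher.name) plus a reviewed version as the identity of an extension, rather than its display name. The following script is an added example, not code from the article or from Microsoft: the allowlist and the sample listing are constructed, and the listing format mirrors what `code --list-extensions --show-versions` prints (one `publisher.name@version` per line). It flags extensions that are unknown, that carry a name matching an approved extension under a different publisher, or that drifted from the reviewed version.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added example (not from the article). The allowlist and the sample
listing are constructed; the listing format mirrors what
`code --list-extensions --show-versions` prints (publisher.name@version).
"""
from dataclasses import dataclass

# Constructed allowlist: full extension ID (publisher.name) -> reviewed version.
# Pinning the version matters because an ID registered again under a recycled
# name would reach users as a "new" release of something they already trust.
ALLOWLIST = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.4.0",
}

# Constructed sample output of `code --list-extensions --show-versions`.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.5.0
someone-else.prettier-vscode@1.0.0
unknown-publisher.cool-linter@0.0.1
"""


@dataclass(frozen=True)
class Finding:
    extension_id: str
    version: str
    reason: str


def parse_listing(text):
    """Yield (publisher.name, version) pairs from the listing text."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        yield ext_id, version or "unknown"


def audit_extensions(text, allowlist=ALLOWLIST):
    """Return findings for extensions that are not exactly what was reviewed."""
    # name part -> full allowed ID, used to spot same-name/different-publisher lookalikes
    allowed_names = {ext_id.split(".", 1)[1]: ext_id for ext_id in allowlist}
    findings = []
    for ext_id, version in parse_listing(text):
        _publisher, _, name = ext_id.partition(".")
        if ext_id in allowlist:
            if version != allowlist[ext_id]:
                findings.append(Finding(ext_id, version, "version differs from reviewed pin"))
        elif name in allowed_names:
            findings.append(Finding(
                ext_id, version,
                f"name matches allowed {allowed_names[name]} but publisher differs"))
        else:
            findings.append(Finding(ext_id, version, "not on allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_LISTING):
        print(f"{finding.extension_id}@{finding.version}: {finding.reason}")
```

Run it against the real listing by piping `code --list-extensions --show-versions` into `audit_extensions`; an empty result means every installed extension is exactly the ID and version someone reviewed.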

This phishing campaign uses legitimate RMM software to deceive victims

A new phishing campaign has emerged, marking a significant shift in the tactics used by cybercriminals. According to a report by Abnormal AI, attackers are using legitimate remote monitoring and management (RMM) software to lure their victims, representing an alarming evolution in the way these digital frauds are carried out.

The increasingly sophisticated new tactics

The use of legitimate RMM software not only puts unsuspecting users at risk but also hinders the detection of these attacks by security platforms. The campaign has been specifically designed to deceive users by offering programs that appear to be safe and trustworthy. This causes victims, believing they are installing a legitimate tool, to grant access to their systems to the attackers.

This advance in phishing methods highlights the growing sophistication of cybercriminals, who are always looking for new ways to exploit user trust. Instead of traditional suspicious emails, this campaign uses a strategy that presents itself as legitimate, increasing the chances of success for the attacks. Experts suggest that users should be increasingly vigilant for warning signs and verify the authenticity of any software they are considering downloading.

Although it is a concerning phenomenon, some analysts believe that this type of attack could be just the tip of the iceberg. Speculation suggests that cybercriminals will continue to refine their tactics in an effort to evade current security measures. The increase in the use of tools that seem trustworthy underscores the importance of ongoing cybersecurity education for users, as well as the need for companies to strengthen their defense protocols.
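Because the RMM binary itself is legitimate, antivirus will not flag it; what distinguishes the phishing delivery described in this article and in the one above is context: an RMM client running from a user's Downloads or Temp folder, spawned by a mail client or browser, on a host where IT never sanctioned that product. The script below is an added example, not code from Abnormal AI or the articles. The catalogue of RMM executable names, the approved-host inventory and the process-creation events are all constructed for the demo; in production the events would come from Sysmon or EDR telemetry and the catalogue from your own software inventory.

```python
"""Flag unapproved remote-access (RMM) tool launches in process-creation logs.

Added example, not from the articles. The event lines, the approved
inventory and the catalogue of RMM executable names are constructed
for the demo.
"""
import json

# Constructed catalogue: executable name (lower-case) -> product name.
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
}

# Constructed inventory: hosts on which a product is sanctioned by IT.
APPROVED = {
    "helpdesk-01": {"TeamViewer"},
}

# Parents that indicate the binary was launched from mail or a download.
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "helpdesk-01", "user": "svc-support", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent": "explorer.exe"}
{"host": "finance-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "parent": "outlook.exe"}
{"host": "finance-07", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe"}
{"host": "sales-03", "user": "asmith", "image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe", "parent": "chrome.exe"}
{"host": "it-02", "user": "admin", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "parent": "services.exe"}
"""


def basename(path):
    """Return the file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_unapproved_rmm(events_text, catalogue=RMM_EXECUTABLES, approved=APPROVED):
    """Return alerts for RMM launches not sanctioned for that host.

    Severity is 'high' when the binary runs from a user profile or temp
    directory and its parent is a mail client or browser (the phishing
    delivery path), otherwise 'medium' (an RMM tool installed system-wide
    without being on the approved inventory).
    """
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        product = catalogue.get(basename(ev["image"]).lower())
        if product is None:
            continue                                   # not an RMM tool
        if product in approved.get(ev["host"], set()):
            continue                                   # sanctioned on this host
        lowered = ev["image"].lower()
        from_user_dir = "\\users\\" in lowered or "\\temp\\" in lowered
        lured = ev["parent"].lower() in LURE_PARENTS
        severity = "high" if (from_user_dir and lured) else "medium"
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "product": product, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_unapproved_rmm(SAMPLE_EVENTS):
        print(alert)
```

The approved inventory is the piece that keeps the rule quiet on help-desk machines; without it, every legitimate support session would page someone.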

The new Android Trojan infects more than 11,000 devices worldwide

Cybersecurity researchers have discovered a new remote access trojan for Android devices called PlayPraetor that has infected over 11,000 devices in several countries, with a special focus on Europe and Latin America. This malware has shown explosive growth, with more than 2,000 new infections per week, primarily targeting Spanish and French speakers, suggesting a strategic shift in its victim base.

Fraud and data theft

PlayPraetor stands out from other trojans by leveraging the accessibility services of Android to gain complete remote control over infected devices. The malware operators use this feature to display fraudulent login screens in over 200 banking and cryptocurrency applications, allowing for the theft of sensitive user data.

The trojan is part of a coordinated global operation and uses a malware-as-a-service (MaaS) model. PlayPraetor comes in several variants, each designed to carry out a different type of fraud. It is distributed through deceptive ads on social media platforms and through SMS messages sent to unsuspecting users, both of which lead to fake domains hosting the malicious applications.

In addition, PlayPraetor has the ability to monitor clipboard activity and log keystrokes, which allows attackers to carry out fraudulent actions without the victim noticing. The operation has been attributed to Chinese-speaking threat actors, and their campaigns resemble other recent criminal activities, such as those perpetrated by the ToxicPanda Trojan.

Researchers’ analyses highlight that the command and control panel of PlayPraetor not only facilitates real-time interaction with infected devices, but also allows the creation of counterfeit Google Play Store pages, amplifying its reach. With the sustained growth of this malware, the cybersecurity community remains vigilant against the evolution of these threatening fraud techniques.

A new malware threatens the security of WordPress

Cybersecurity researchers have revealed a serious threat to WordPress sites: a hidden backdoor in the ‘mu-plugins’ directory. Plugins of this type, known as must-use, are activated automatically in every WordPress installation and do not appear in the usual plugin list, which makes them an attractive hiding place for attackers.

What to do to avoid it

The malicious PHP script, discovered by the web security company Sucuri, acts as a loader that retrieves a remote payload and stores it in the WordPress database. This payload allows for remote PHP code execution, facilitating persistent access for attackers, who can manage files and reinstall the infection if it is removed.

The malware injects a hidden administrator user called ‘officialwp’, allowing attackers to control the site and perform malicious actions without other administrators being aware. Additionally, the malicious code has the ability to change the passwords of administrative accounts to a default value, blocking access to other administrators and ensuring total control of the site.

The threat is amplified by the ability of the malware to steal data and redirect visitors to fraudulent sites, which significantly impacts web security. According to experts, this backdoor allows attackers to perform a variety of actions, from installing more malware to defacing the site.

To mitigate these risks, site owners must periodically update WordPress, themes, and plugins, use two-factor authentication, and regularly audit all sections of the site, including theme and plugin files. Maintaining security is crucial to prevent attacks that could compromise the integrity and trust of the website.
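The audit step above is easy to automate for the specific shape this article describes: a PHP file under mu-plugins that fetches something remote, stashes it in the options table and executes it, plus an administrator account nobody created. The script below is an added example, not Sucuri's or WordPress's code. The mu-plugins tree, the file contents and the administrator list are constructed so it runs offline; against a real site you would point `scan_mu_plugins` at `wp-content/mu-plugins` and feed `check_admins` the logins reported by `wp user list --role=administrator`. The pattern names and the two-hit threshold are this example's own choices.

```python
"""Audit a WordPress install for the loader-in-mu-plugins pattern.

Added example, not Sucuri's or WordPress's code. The directory tree, the
PHP fixtures and the administrator list are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Loader behaviours worth a human look: fetching remote content, stashing it
# in wp_options, executing a string as code, decoding obfuscated blobs, or
# creating users. Names and regexes are this example's own.
SUSPICIOUS_PATTERNS = {
    "remote fetch": re.compile(r"\b(?:file_get_contents|curl_exec|wp_remote_get)\s*\(", re.I),
    "payload stored in wp_options": re.compile(r"\bupdate_option\s*\(", re.I),
    "dynamic code execution": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "user creation": re.compile(r"\b(?:wp_insert_user|wp_create_user)\s*\(", re.I),
}


def scan_mu_plugins(mu_dir):
    """Return {file name: [pattern names]} for PHP files hitting two or more patterns.

    A single hit (e.g. one update_option call) is routine in benign plugins;
    the combination is what characterises a loader.
    """
    findings = {}
    for php in sorted(Path(mu_dir).rglob("*.php")):
        text = php.read_text(errors="replace")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if len(hits) >= 2:
            findings[php.name] = hits
    return findings


def check_admins(admin_logins, expected_admins):
    """Return administrator logins that are not on the expected list, sorted."""
    return sorted(set(admin_logins) - set(expected_admins))


def build_demo_site():
    """Create a constructed mu-plugins tree: one benign file, one loader-shaped file."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "mu-plugins"
    root.mkdir(parents=True)
    (root / "site-tweaks.php").write_text(
        "<?php\n// benign: only adjusts the excerpt length\n"
        "add_filter('excerpt_length', function () { return 40; });\n"
    )
    (root / "cache-helper.php").write_text(
        "<?php\n// constructed fixture showing the loader shape; not working code\n"
        "$body = wp_remote_get($remote);\n"
        "update_option('_cache_blob', $body);\n"
        "eval(base64_decode($stored));\n"
    )
    return root


if __name__ == "__main__":
    mu = build_demo_site()
    print(scan_mu_plugins(mu))
    # Constructed admin list; 'officialwp' is the account name the article reports.
    print(check_admins(["admin", "officialwp"], ["admin"]))
```

Because the loader keeps its payload in the database rather than on disk, a file scan alone is not enough: the unexpected administrator check, and a look at recently modified rows in wp_options, belong in the same audit.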