techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

#malware

172 posts · 82 participants · 9 posts today

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaign utilizes a downloader disguised as 'car.dll' and BeaverTail malware masquerading as 'tailwind.config.js'. BeaverTail functions as an infostealer and downloader, targeting web browsers and cryptocurrency wallets. Tropidoor, a backdoor malware, establishes communication with command and control servers, allowing remote execution of various commands. The attack methodology shares similarities with previous North Korean campaigns, including the use of techniques reminiscent of the Lazarus group's LightlessCan malware.

Pulse ID: 67ef0692d6ed151e2be71213
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.

Pulse ID: 67ef0696f2790ccbd23c46a9
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

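The Gootloader post above describes the lure as a zipped .JS file. The script below is an added example (not code from the post or from any vendor) showing the check a mail gateway can do on such an attachment: read the archive's central directory without extracting anything, report any member whose last extension is a script type, and look inside nested zips up to a small depth. The extension list, nesting limit and size limit are assumptions to tune per environment; the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a mail gateway should treat as executable script content when found
# inside an archive. The list and the limits below are assumptions for this
# example; tune them to your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe",
                     ".hta", ".ps1", ".cmd", ".bat", ".lnk"}
MAX_NESTING = 2                # how many levels of zip-in-zip to look through
MAX_NESTED_BYTES = 5 * 2**20   # refuse to open a nested archive bigger than this


def find_script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the names of archive members that are script content.

    Only the central directory is read and nested archives are opened in
    memory; nothing is extracted to disk or executed. Members of nested
    archives are reported as 'outer.zip/inner.js'.
    """
    found: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # Judge by the last suffix, so 'Agreement.pdf.js' is seen as '.js', not '.pdf'.
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                found.append(name)
            elif suffix == ".zip" and depth < MAX_NESTING:
                if info.file_size > MAX_NESTED_BYTES:
                    found.append(name + " (nested archive too large to inspect)")
                    continue
                try:
                    found.extend(find_script_members(zf.read(info), depth + 1, name + "/"))
                except zipfile.BadZipFile:
                    found.append(name + " (unreadable nested archive)")
    return found


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision for one attachment: 'allow' or 'block: <reason>'."""
    scripts = find_script_members(zip_bytes)
    if scripts:
        return "block: script content in archive: " + ", ".join(scripts)
    return "allow"


def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from name -> content (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lure shaped like a legal template, a nested one, and a benign one.
    lure = build_sample_archive({"Non_Disclosure_Agreement.pdf.js": b"// placeholder, not real malware\n"})
    nested = build_sample_archive({"templates.zip": build_sample_archive({"contract.js": b"// placeholder\n"})})
    benign = build_sample_archive({"agreement.docx": b"placeholder document bytes"})
    for label, archive in (("lure", lure), ("nested", nested), ("benign", benign)):
        print(f"{label}: {verdict(archive)}")
```

The check deliberately trusts nothing about the member contents: a name ending in .js is enough to block, and a nested archive that is unreadable or oversized is reported rather than silently skipped, since either is a reason to hold the message for review.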

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and includes publicly available scripts for persistence and defense evasion. OUTLAW's infection chain spans nearly the entire MITRE ATT&CK framework, offering many detection opportunities. It propagates in a worm-like manner, using compromised hosts to launch further SSH brute-force attacks on local subnets, rapidly expanding the botnet.

Pulse ID: 67ef069f9224aa64d79e6a8e
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

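The OUTLAW post above notes that SSH brute-forcing, including worm-like sweeps of local subnets from already-compromised hosts, offers many detection opportunities. The script below is an added example (not from the post or any vendor report) that walks OpenSSH auth-log lines, raises a 'bruteforce' alert when one source crosses a failure threshold inside a sliding window, escalates to 'login-after-bruteforce' when that source then authenticates successfully, and marks whether the source is an RFC 1918 address (an internal brute-forcer is itself a compromised host). The log format assumed is the standard "Failed/Accepted password for ... from ... port ..." line; the threshold, window and sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the password/publickey outcome lines OpenSSH writes to the auth log.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

WINDOW_SECONDS = 60   # sliding window per source address (assumption; tune per site)
FAIL_THRESHOLD = 8    # failures inside the window that count as a brute-force burst

# "Internal" means RFC 1918 here. Python's ip_address().is_private also covers
# documentation and other non-routable ranges, so the check is explicit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def parse_line(line: str):
    """Return (timestamp, outcome, user, source_ip) or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; 1900 is fine because only ordering matters here.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines):
    """Walk auth-log lines in order and return a list of alert dicts.

    'bruteforce' fires once when a source reaches FAIL_THRESHOLD failures inside
    WINDOW_SECONDS; 'login-after-bruteforce' fires when that same source later
    authenticates successfully, the strongest sign that the host was taken.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in window
    burst_sources = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        origin = "internal" if is_internal(src) else "external"
        if outcome == "Failed":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"src": src, "kind": "bruteforce", "origin": origin,
                               "failures": len(window), "user": user})
        elif src in burst_sources:  # Accepted from a source that was just hammering us
            alerts.append({"src": src, "kind": "login-after-bruteforce",
                           "origin": origin, "user": user})
    return alerts


def _line(sec: int, outcome: str, user: str, src: str) -> str:
    """Build one constructed auth-log line (sample data for this example only)."""
    who = user if outcome == "Accepted" else f"invalid user {user}"
    return (f"Apr  3 15:03:{sec:02d} host1 sshd[{1000 + sec}]: {outcome} password for "
            f"{who} from {src} port {40000 + sec} ssh2")


# Constructed sample: an external burst that ends in a successful root login,
# a few scattered failures, and an internal host sweeping its own subnet.
SAMPLE_LOG = (
    [_line(s, "Failed", "admin", "203.0.113.7") for s in range(0, 9)]
    + [_line(9, "Accepted", "root", "203.0.113.7")]
    + [_line(s, "Failed", "test", "198.51.100.20") for s in (10, 20, 30)]
    + [_line(s, "Failed", "ubuntu", "10.0.0.5") for s in range(40, 48)]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The 'login-after-bruteforce' case is the one worth paging on: a burst alone may be background noise, but a success from the same source means the credential was guessed, and the post's description of the infection chain (SSH key manipulation, cron persistence) tells you what to check on that host next.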

New Crocodilus Malware Targets Android Devices

A new mobile banking app has been identified as a trojan named “Crocodilus”. Investigation of this malware shows that it employs new sophisticated features including overlay attacks, accessibility-based data harvesting, remote access trojan (RAT) functionality and obfuscated remote control mechanisms.

Pulse ID: 67ef2e498e6c86a6cd2ffe2c
Pulse Link: otx.alienvault.com/pulse/67ef2
Pulse Author: cryptocti
Created: 2025-04-04 00:56:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Tax-Themed Email Attacks Deliver Malware

Phishing campaigns that are leveraging tax-related themes deploy malware and steal credentials using redirection methods including URL shorteners and QR codes.

Pulse ID: 67eefa6981ed9f88b138ace0
Pulse Link: otx.alienvault.com/pulse/67eef
Pulse Author: cryptocti
Created: 2025-04-03 21:15:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

An attack involving BeaverTail and Tropidoor malware was discovered, targeting victims through fake recruitment emails from a developer community. The attackers provided a BitBucket link containing malicious code, including BeaverTail disguised as 'tailwind.config.js' and a downloader called 'car.dll'. BeaverTail, known for information theft and downloading additional payloads, was found in South Korea. The downloader shares similarities with the Lazarus group's LightlessCan malware. BeaverTail steals credential information and cryptocurrency wallet data from web browsers, while Tropidoor acts as a backdoor, connecting to C&C servers and executing various commands. The attack is suspected to be carried out by North Korean threat actors, highlighting the need for caution when dealing with executable files from unknown sources.

Pulse ID: 67eec30f88dc6ea426373c6b
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:19:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.

Pulse ID: 67eec31b26a9b5d94190be7d
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:19:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton

A malware campaign is distributing the TookPS downloader by impersonating popular software like UltraViewer, AutoCAD, SketchUp, Ableton, and Quicken. The malware establishes an SSH tunnel for remote access and deploys additional payloads like TeviRat and Lapmon backdoors. The attackers gain full system control through various methods. The campaign targets both individuals and organizations, using domains registered in early 2024. Users are advised to avoid downloading pirated software, while organizations should implement strict security policies and conduct regular awareness training.

Pulse ID: 67eea35a7cea57b67d9c3172
Pulse Link: otx.alienvault.com/pulse/67eea
Pulse Author: AlienVault
Created: 2025-04-03 15:03:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Amateur Hacker Leverages Bulletproof Hosting Server to Spread Malware

A novice cybercriminal, known as 'Coquettte', has been discovered using a Russian bulletproof hosting provider, Proton66, to distribute malware. The hacker's activities include deploying the Rugmi malware loader through a fake cybersecurity product website and selling guides for illegal substances and weapons. Coquettte is believed to be part of a loosely structured hacking collective called Horrid. The threat actor's infrastructure spans multiple domains and platforms, including GitHub, YouTube, and Last.fm. This network appears to serve as an incubator for aspiring cybercriminals, offering malware resources, hosting solutions, and a collaborative environment for underground hacking activities.

Pulse ID: 67eec2fef6857d8d79dbb7e6
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:18:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


FIN7 *again*? Seriously, these guys just don't quit, do they? 🙄

Heads up – they've cooked up an Anubis backdoor using Python. And nope, *it's not* the Android Trojan people know. It's pretty wild what this thing packs: we're talking remote shell capabilities, file uploads, messing with the registry... 🤯 Basically, the keys to the kingdom!

And let me tell you from a pentester's perspective: Just relying on AV? That's *definitely* not gonna cut it anymore. We all know that, right?

Looks like they're slipping in through compromised SharePoint sites now? Yikes. The nasty part? A Python script decrypts the payload *directly in memory*, making it incredibly tough to spot! 🥴 Plus, their command and control chats happen over a Base64-encoded TCP socket.

So, keep a *sharp eye* on those ZIP attachments! Double-check your SharePoint sites' integrity. You'll also want to monitor network traffic closely (especially that TCP activity!). And make sure your endpoint security is actually up to snuff – remember, they love finding ways to bypass defenses!

How are *you* tackling threats like this one? What are your go-to tools and strategies for defense? 🤔 Let's share some knowledge!
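The FIN7 post above says the backdoor's command and control runs over a Base64-encoded TCP socket and asks how people monitor that traffic. As an added example (not the poster's code and not tied to any specific sample), the script below is the triage heuristic a network sensor can apply to a captured TCP payload: if the whole payload is base64 on a destination port that has no legitimate reason to carry base64, flag it, and report whether the decoded bytes look like cleartext or like an encrypted blob wrapped in base64. The port allow-list, the minimum length and the flow records are assumptions constructed for the example.

```python
import base64
import binascii
import re

# A payload made only of base64 alphabet characters, optionally padded.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Destination ports where base64 bodies are routine (MIME mail, HTTP auth headers).
# Assumption for this example; extend it with whatever your network legitimately carries.
EXPECTED_B64_PORTS = {25, 80, 110, 143, 443, 465, 587, 993, 995, 8080}
MIN_PAYLOAD_LEN = 24   # short blobs are too easy to match by accident

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify_payload(payload: bytes, dst_port: int) -> dict:
    """Heuristic triage of one TCP payload.

    Returns {'suspicious': bool, 'reason': str, 'decoded_printable': float|None}.
    Flags payloads that are entirely base64 on a port that has no business
    carrying base64, and reports whether the decoded bytes look like text
    (cleartext commands) or not (an encrypted channel wrapped in base64).
    """
    body = payload.strip()
    if dst_port in EXPECTED_B64_PORTS:
        return {"suspicious": False, "reason": "base64 expected on this port", "decoded_printable": None}
    if len(body) < MIN_PAYLOAD_LEN or len(body) % 4 != 0 or not B64_RE.match(body):
        return {"suspicious": False, "reason": "not a base64-only payload", "decoded_printable": None}
    try:
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error:
        return {"suspicious": False, "reason": "base64 alphabet but does not decode", "decoded_printable": None}
    ratio = sum(b in PRINTABLE for b in decoded) / len(decoded)
    kind = "cleartext" if ratio > 0.9 else "binary (possibly encrypted)"
    return {"suspicious": True,
            "reason": f"base64-only payload on port {dst_port}, decoded content is {kind}",
            "decoded_printable": round(ratio, 2)}


def triage_flows(flows):
    """Run classify_payload over (src, dst, dst_port, payload) records; return the suspicious ones."""
    hits = []
    for src, dst, dst_port, payload in flows:
        result = classify_payload(payload, dst_port)
        if result["suspicious"]:
            hits.append({"src": src, "dst": dst, "dst_port": dst_port, **result})
    return hits


# Constructed flow records (documentation addresses; payloads made up for the example).
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.50", 4444, base64.b64encode(b"status report: agent online, awaiting tasking\r\n")),
    ("10.0.0.12", "203.0.113.50", 4444, base64.b64encode(bytes(range(200, 256)) * 2)),
    ("10.0.0.12", "198.51.100.8", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.12", "198.51.100.9", 587, base64.b64encode(b"MIME attachment body goes here")),
    ("10.0.0.12", "203.0.113.50", 4444, b"abcd"),
]

if __name__ == "__main__":
    for hit in triage_flows(SAMPLE_FLOWS):
        print(hit)
```

This is a triage signal, not a verdict: base64 on an odd port is worth a look, and the printable ratio tells the analyst whether they can read the decoded traffic directly or should expect an encrypted layer underneath, which is what the post's in-memory decryption implies.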