Kaspersky MDR uncovered a large-scale malware campaign after investigating a single ScreenConnect incident. Threat actors built a network of 90+ spoofed freeware download sites (mimicking OBS Studio, DNS Jumper, DS4Windows, Bandicam, and others) optimized with SEO to rank in Google and Bing results. Victims downloading from these sites receive a ZIP archive containing a legitimate Microsoft-signed binary alongside a malicious DLL loaded via DLL sideloading. This silently installs ScreenConnect as a hidden service, which then deploys AsyncRAT through a multi-stage chain involving PowerShell, VBScript, XOR-decrypted shellcode, and process hollowing into RegAsm.exe. The campaign, active from October 2025 through March 2026, spans 10 languages and targets both individual users and corporate networks. Mitigations include application allowlisting, blocking MSI execution from untrusted sources, monitoring for new remote admin services, and user training on safe download practices. Full IOCs including C2 domains, malicious hashes, and fake site addresses are provided.
Source: https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472. 8sync News only summarizes and links to the article; copyright of the content belongs to the author and the original source.
On 24 June 2026, attackers published malicious versions of 20 npm packages belonging to the Leo Platform ecosystem in under 3 seconds, using the 'Phantom Gyp' toolkit, which resembles the earlier Miasma campaign. The malware steals secrets from GitHub Actions, multi-cloud stores (AWS, GCP, Azure), package registries, HashiCorp Vault, Kubernetes, and password managers, then exfiltrates them through the victim's own GitHub token to avoid detection. It also behaves as a supply-chain worm, automatically publishing malicious versions of any package the victim has publish rights to, bypassing 2FA in the process.
Developers should read this article to understand how a new supply-chain attack uses sophisticated techniques, such as obfuscation and Bun-based evasion, to avoid detection and abuse access to critical systems from popular npm packages. It is a warning about the risk of using public libraries without verifying their origin and security.
Researchers at Mozilla 0DIN discovered a subtle attack that causes AI coding agents such as Claude Code to unknowingly run malware from a clean-looking GitHub repository. The attacker combines three legitimate-looking components: a standard repository, a Python package that deliberately fails, and instructions to run an init command, together with an init script that fetches its payload from an attacker-controlled DNS TXT record. An AI agent that automatically tries to fix the error triggers the whole chain, producing a reverse shell running with the developer's privileges.
Developers should read this article to understand how automated AI tools can be misled by low-key social engineering embedded in source code, and how to protect their projects from indirect attacks of this kind that can still cause serious damage.
Cyble Research and Intelligence Labs has identified a new Android malware family called Glitch SPY, distributed via a fake Polish apartment rental website that tricks users into sideloading an APK. The dropper is the known Brokewell Android Loader, which installs the Glitch SPY payload. Once installed, the RAT abuses Android Accessibility Service to auto-grant permissions and supports over 70 C&C commands covering live screen streaming, keylogging, SMS/contact/call log theft, camera and microphone surveillance, file management, shell execution, and remote browser control. A crypto-clipper module silently replaces copied cryptocurrency wallet addresses (ETH, TRON, Bitcoin) with attacker-controlled ones. A hidden remote browser runs on the victim's device using their IP and cookies, enabling stealthy web-based account takeover. The Builder module allows operators to generate customized payloads with configurable names, icons, and decoy URLs, indicating a reusable multi-campaign platform still under active development.
China-linked threat actor Mustang Panda has been running two concurrent espionage campaigns targeting Indian government entities and the hydropower sector. The campaigns deploy new malware implants — SHARDLOADER, MINIRECON, and ZOHOMURK — with ZOHOMURK abusing Zoho WorkDrive as a command-and-control channel to blend malicious traffic with legitimate cloud activity. Attack chains use hydropower- and government-themed lure documents delivered via compressed archives, leveraging DLL side-loading. Attribution is high-confidence based on code overlaps with prior Mustang Panda tooling. CISOs are advised to monitor cloud service traffic for anomalies, hunt for DLL side-loading behavior, and model threats around geopolitical and infrastructure-themed lures.
Microsoft's Defender Research team discovered a malicious Chrome extension impersonating the AI search engine Perplexity. Named 'Search for perplexity ai', the extension replaced the default search engine and routed all queries through an attacker-controlled domain, logging search terms, IP addresses, browser headers, and user-agent data before forwarding users to legitimate results. It also intercepted keystrokes in Chrome's address bar before users pressed Enter. Google removed the extension after Microsoft's responsible disclosure. The incident highlights the growing trend of attackers exploiting AI brand trust to distribute malicious extensions, and underscores the need for enterprise browser extension governance, endpoint monitoring, and employee training.
Google Threat Intelligence Group (GTIG) has published a detailed analysis of STOCKSTAY, a multi-component .NET backdoor attributed to the Russian state-linked threat actor Turla (FSB Center 16). Active since at least December 2022, STOCKSTAY targets Ukrainian government and military organizations as well as European entities with foreign affairs interests. The backdoor uses a modular architecture (STOCKBROKER for C2 tunneling, STOCKMARKET for orchestration, STOCKTRADER for execution) communicating over encrypted WebSockets. It masquerades as benign applications like stock market tools, PDF viewers, and calculators. STOCKSTAY shares significant code overlaps with Turla's established KAZUAR toolkit, including a shared string obfuscation mechanism called K1MORPHER based on the Squirrel3 PRNG. Deployment methods include malicious RDP files, HTA files, WinRAR CVE-2025-8088 exploitation, and GitHub-hosted MSI installers. The post includes a detailed operational timeline from 2022–2025, YARA detection rules, and indicators of compromise.
Microsoft and Trend Micro have separately documented phishing campaigns targeting hospitality organizations in Europe and Asia. Attackers impersonate hotel guests with complaints or requests, delivering malicious zip files containing LNK shortcut files disguised as photos. Opening these triggers an obfuscated PowerShell chain that installs persistent malware — either a Node.js implant (Microsoft's findings) or a JavaScript RAT called TONResolver (Trend Micro's findings). A notable technique in the TONResolver campaign involves using The Open Network (TON) blockchain as a dead-drop resolver for C2 infrastructure, making takedowns extremely difficult since attackers can update server addresses via smart contracts. Both campaigns prioritize long-term persistence over immediate financial gain, enabling credential theft and lateral movement. Defenders are advised to restrict PowerShell and Node.js execution on front-desk systems, block blockchain platform access in business environments, and treat photo-themed zip archives as high-risk.
Kaspersky researchers detail Umbrij, a new .NET malware tool used by the ToddyCat APT group to steal OAuth tokens from corporate Gmail accounts. The tool uses DLL sideloading via legitimate binaries (Bitdefender, Visual Studio, Google Desktop) to execute, then launches Chromium-based browsers in headless mode with remote debugging enabled. It connects via the DevTools protocol using Puppeteer Sharp, navigates to a Google OAuth authorization page using the client ID of legitimate Google Workspace tools (GWMMO/GWSMO), and automates clicks to grant permissions — capturing the resulting OAuth authorization code. The technique, dubbed Shadow Token via Remote Debug (STRD), exploits existing authenticated browser sessions to silently obtain API access tokens without triggering EPP/EDR alerts. Detection guidance includes monitoring for DLL loads from vulnerable apps, browser launches with remote debugging flags, and auditing third-party Google account permissions. Mitigation includes disabling browser developer tools via Group Policy and revoking unauthorized OAuth grants.