Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web server for publication. It can bypass Chrome's cookie V20 protection and supports various Chromium and Gecko-based browsers. Gremlin Stealer also targets cryptocurrency wallets, Telegram and Discord sessions, and system information. The stolen data is compressed into a ZIP archive and sent to the attacker's server using a Telegram bot. This evolving threat highlights the need for robust cybersecurity measures to protect against such information stealers.

Pulse ID: 6810fddff4691fd89f0a9aa7
Pulse Link: https://otx.alienvault.com/pulse/6810fddff4691fd89f0a9aa7
Pulse Author: AlienVault
Created: 2025-04-29 16:27:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involves a multi-stage operation, downloading various scripts and executables. The ransomware checks for sandbox environments, decrypts its payload, and drops a ransom note. FOG ransomware has targeted multiple sectors, including technology, education, manufacturing, and transportation. The campaign either involves original FOG operators using DOGE references to troll users or other actors embedding FOG ransomware for impersonation purposes.

Pulse ID: 68063d6f5beb7958a54e2952
Pulse Link: https://otx.alienvault.com/pulse/68063d6f5beb7958a54e2952
Pulse Author: AlienVault
Created: 2025-04-21 12:43:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Downloader Malware Written in JPHP Interpreter

A newly discovered malware utilizes JPHP, a PHP interpreter running on Java Virtual Machine, to create a downloader. The malware is distributed in a ZIP file containing Java Runtime Environment and libraries, enabling execution without a separate Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. The malware can download and execute additional payloads, potentially including data breach-type malware like Strrat and Danabot. This case highlights how threat actors exploit lesser-known technologies like JPHP for malware distribution, emphasizing the importance of scrutinizing executable files and scripts from various sources.

Pulse ID: 68012d9425b7ccf942f5f065
Pulse Link: https://otx.alienvault.com/pulse/68012d9425b7ccf942f5f065
Pulse Author: AlienVault
Created: 2025-04-17 16:34:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2, a variant of the SectopRAT information stealer. This malware is capable of harvesting sensitive data, including browser credentials and cryptocurrency wallet information. The attackers use deceptive tactics such as simulated processing, fake CAPTCHA prompts, and psychological manipulation to lower users' guards. The malware delivery process involves a complex redirection chain, ultimately leading to the download of a malicious payload disguised as 'adobe.zip'.

Pulse ID: 67fec5aca07a171e2e6c67ea
Pulse Link: https://otx.alienvault.com/pulse/67fec5aca07a171e2e6c67ea
Pulse Author: AlienVault
Created: 2025-04-15 20:46:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Zip Co ( #ZIP ) has released " 3Q FY25 Results Update " on Wed 16 Apr at 08:20 AEST #today #UnitedStates #Australia #media #Strategy
https://grafa.com/asset/zip-co-limited-5162-zip.asx?utm_source=asxmktsensitive&utm_medium=mastodon&utm_campaign=zip.asx

Falla di sicurezza in WinRAR bypassa il MotW di Windows

https://gomoot.com/falla-di-sicurezza-in-winrar-bypassa-il-motw-di-windows/

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.

Pulse ID: 67efe85af4503af2018d414e
Pulse Link: https://otx.alienvault.com/pulse/67efe85af4503af2018d414e
Pulse Author: AlienVault
Created: 2025-04-04 14:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.

Pulse ID: 67ef0696f2790ccbd23c46a9
Pulse Link: https://otx.alienvault.com/pulse/67ef0696f2790ccbd23c46a9
Pulse Author: AlienVault
Created: 2025-04-03 22:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting users to a ClickFix captcha that tricks them into executing a malicious command on their local machine. The command downloads and executes obfuscated PowerShell scripts, which then retrieve and deploy the actual malware payload. The attackers use sophisticated obfuscation techniques, including fake ZIP files and PHP-based droppers, to evade detection and analysis. This method's success lies in exploiting user trust in captchas and legitimate-looking websites, increasing the likelihood of unknowing malware execution.

Pulse ID: 67ebfca624fc8265928a8775
Pulse Link: https://otx.alienvault.com/pulse/67ebfca624fc8265928a8775
Pulse Author: AlienVault
Created: 2025-04-01 14:48:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Something I learned recently is that because a zip file can have arbitrary data before its first header and a jpeg can have arbitrary data after its "end of image" marker, you can concatenate a jpeg and a zip file to make a file that is both.

Looking for a simple way to provide a compressed archive from a web application with the requirement to create the archive in the browser, not on the server.

- JSZip: 12 (transitive) dependencies
- tar-js: 0 dependencies

While zip may be more common, the 0-dependencies is a unique selling point for me!

WinRAR and RAR 7.11 Released! https://www.rarlab.com/rarnew.htm #7zip #compression #rar #zip

I was bulk downloading #TheSims2 mods. #Zip archives. Had 50 - 80 of them per directory. Wanted to unpack this fast, tried in one line for loop in bash. Cool. But few days later I started downloading grom other website. When some archives had spaces in filenames. And my smart way stopped working... Now time to create whole #Bash script for this, I guess...

Ich empfehle die elektronische Patientenakte (#ePA) als sicheren Cloud-Speicher für private #Backups. Einfach das #ZIP in #PDF umbenennen, verschlüsseln und hochladen – schon habt ihr #kostenlosen #Speicherplatz! Und das Beste: Die #Krankenkasse übernimmt die #Hosting-Kosten. #ePA #CloudBackup #Datensicherheit

Un día recibes un paquete que te envía una amiga desde San Diego, y descubres dentro la confirmación de que tiene muy presente tu gusto por la tecnología vintage.

Unidad IOMEGA ZIP y dos cajas selladas de discos ZIP de 100 y 250 Mb para #MacOS