Malware

Hidden Logic Bombs in Malicious NuGet Packages Set to Detonate Years After Installation

A sophisticated software supply chain attack has been uncovered, involving nine malicious NuGet packages designed to lie dormant for years before activating their destructive payloads. These “logic bombs,” set to trigger in 2027 and 2028, aim to sabotage databases and corrupt critical industrial control systems, posing a long-term threat to organizations. A Patient and Stealthy […]

Hidden Logic Bombs in Malicious NuGet Packages Set to Detonate Years After Installation Read More »

Vibe-Coded Malicious VS Code Extension Found Containing Built-In Ransomware Functionality

Cybersecurity researchers have uncovered a malicious extension for Microsoft’s Visual Studio Code (VS Code) that contains basic ransomware functionality. The extension, which appears to have been “vibe-coded” or created with the assistance of artificial intelligence, highlights a new frontier in software supply chain threats. A Brazenly Malicious Extension Discovered by Secure Annex researcher John Tuckner,

Vibe-Coded Malicious VS Code Extension Found Containing Built-In Ransomware Functionality Read More »

Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine

A previously unidentified threat actor, aligned with Russian interests, has been discovered impersonating the cybersecurity firm ESET in a sophisticated phishing campaign against Ukrainian targets. The attacks, detected in May 2025, involved distributing malicious software installers that deployed a stealthy backdoor known as Kalambur. Deceptive Phishing Lures and Communication Channels The group, tracked by ESET

Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine Read More »

Operation SkyCloak Uses Tor-Enabled OpenSSH Backdoor to Target Defense Organizations

A sophisticated cyber espionage campaign, dubbed Operation SkyCloak, is using weaponized phishing emails to deploy a highly stealthy backdoor on target systems. The malware establishes persistent remote access by combining a customized OpenSSH server with a Tor hidden service, creating a covert channel that is extremely difficult to trace. The Lure: Phishing with Military Documents The

Operation SkyCloak Uses Tor-Enabled OpenSSH Backdoor to Target Defense Organizations Read More »

Microsoft Detects ‘SesameOp’ Backdoor Using OpenAI API as Stealth Command Channel

Microsoft has exposed a novel and sophisticated backdoor, codenamed SesameOp, that abuses the legitimate OpenAI Assistants API as its primary command-and-control (C2) channel. This technique represents a significant evolution in cyber espionage, allowing attackers to hide their communications within trusted, everyday AI traffic. A New Stealth Tactic: Hiding in Plain Sight Discovered by the Microsoft Detection

Microsoft Detects ‘SesameOp’ Backdoor Using OpenAI API as Stealth Command Channel Read More »

SleepyDuck VSX Extension Uses Ethereum to Sustain Its Command Server

A malicious extension discovered in the Open VSX registry poses a significant threat to developers by embedding a remote access trojan named SleepyDuck. What makes this threat particularly resilient is its innovative use of the Ethereum blockchain to maintain contact with its command server, ensuring it can survive traditional takedown efforts. The Malicious Extension and Its

SleepyDuck VSX Extension Uses Ethereum to Sustain Its Command Server Read More »

Hackers Deliver SSH-Tor Backdoor Through Weaponized Military Documents in ZIP Files

In a highly targeted cyber espionage campaign uncovered in October 2025, threat actors have been deploying a sophisticated SSH-Tor backdoor by disguising it within weaponized military documents. The attack, aimed at defense personnel, demonstrates a significant evolution in combining social engineering with advanced technical stealth to maintain persistent access to compromised systems. The Lure: A

Hackers Deliver SSH-Tor Backdoor Through Weaponized Military Documents in ZIP Files Read More »

HttpTroy Backdoor Poses as VPN Invoice to Infiltrate South Korean Targets

The North Korea-aligned advanced persistent threat (APT) group Kimsuky has been discovered using a previously unknown backdoor, codenamed HttpTroy, in a highly targeted spear-phishing campaign. The attack, aimed at a single victim in South Korea, employed a sophisticated multi-stage infection chain disguised as a legitimate VPN invoice. The Deceptive Lure and Initial Compromise The attack began

HttpTroy Backdoor Poses as VPN Invoice to Infiltrate South Korean Targets Read More »

Nation-State Hackers Use New Airstalk Malware in Suspected Supply Chain Attack

A sophisticated threat actor, believed to be state-sponsored, has been discovered using a previously unknown malware family dubbed “Airstalk” in a suspected software supply chain attack. The malware uniquely abuses a legitimate enterprise mobile device management (MDM) API to establish a covert communication channel with its operators. The Attacker and the Malware’s Core Deception Tracked

Nation-State Hackers Use New Airstalk Malware in Suspected Supply Chain Attack Read More »

PhantomRaven Malware Hidden in 126 npm Packages Stealing GitHub Tokens from Developers

A sophisticated software supply chain attack, dubbed “PhantomRaven,” has infiltrated the npm registry with 126 malicious packages designed to secretly steal sensitive developer credentials. This campaign specifically targets authentication tokens, CI/CD secrets, and GitHub credentials directly from developers’ machines, posing a severe threat to software development integrity. The Scale and Stealth of the PhantomRaven Campaign

PhantomRaven Malware Hidden in 126 npm Packages Stealing GitHub Tokens from Developers Read More »