Security researchers have uncovered a new Android banking trojan, named Herodotus, which is being used in active campaigns targeting users in Italy and Brazil. The malware aims for device takeover, or DTO, and stands out because it deliberately mimics human typing patterns to evade timing-based, behaviour-only anti-fraud systems. What Herodotus is, and where it came […]
Cybersecurity researchers have uncovered a fresh phishing campaign that appears aimed at organizations in Russia’s automotive and e-commerce sectors, using a previously unseen .NET implant, named CAPI Backdoor. According to Seqrite Labs, attackers distributed a ZIP attachment to trigger infection, and the ZIP artifact was uploaded to VirusTotal on October 3, 2025. image import–phishing-zip-sample Attack
New .NET CAPI Backdoor Targets Russian Automotive and E-Commerce Firms via Phishing ZIPs Read More »
A newly discovered malware campaign is spreading rapidly across Brazil, using WhatsApp as its main delivery channel. Cybersecurity experts have identified this advanced banking Trojan as “Maverick”, a threat capable of taking remote control of infected computers and stealing sensitive financial data. Massive Scale of Infection Researchers report that over 62,000 infection attempts were blocked
Banking Malware Exploits WhatsApp to Take Remote Control of Computers Read More »
A new, persistent Android campaign, attributed to GhostBat RAT, impersonates Regional Transport Office, RTO, applications to steal banking data from Indian users. Attackers distribute malicious droppers through WhatsApp, SMS with shortened URLs, GitHub hosted APKs, and compromised websites, then use multi stage loading, ZIP header manipulation, native libraries, and extensive string obfuscation to avoid detection
Security researchers have uncovered a new Astaroth banking trojan campaign that uses GitHub as a fallback infrastructure, allowing the malware to remain operational even after traditional command and control servers are taken down. By hosting encrypted configuration data on GitHub, the attackers make the campaign more resilient, and victims continue to be compromised across multiple
Astaroth Banking Trojan Uses GitHub to Stay Active After Multiple Takedowns Read More »
Security researchers have uncovered an active malware campaign, named Stealit, that uses a newer Node.js capability to ship malicious code as single-file executables, enabling infections on systems without Node.js installed. Researchers at Fortinet FortiGuard Labs also note some variants are built with the Electron framework, making delivery simpler and more covert. How the malware is
A sophisticated Android spyware campaign, known as ClayRat, has been actively targeting users in Russia by exploiting fake apps and deceptive websites. The threat actors are impersonating widely-used apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into installing malware. According to Zimperium researcher Vishnu Pratapagiri, once installed, ClayRat can collect SMS messages, call
ClayRat Spyware Targets Android Users Using Fake WhatsApp, TikTok Apps Read More »
Security researchers have observed a renewed Mustang Panda campaign that uses a fresh DLL side-loading method to deliver malicious payloads, targeting Tibetan advocacy groups with politically themed lures. The operation first appeared in June, 2025, and combines archive-based phishing, hidden library files, dynamic API resolution, and periodic task scheduling to maintain persistence and execute stolen
Mustang Panda Employs New DLL Side Loading Technique to Deploy Malware Read More »
Shuyal Stealer has quickly become one of the most flexible credential theft tools observed in recent months. First seen in early August, its modular design enables it to target a wide variety of web browsers, including Chromium-based, Gecko-based, and legacy engines, making it a high-risk threat for many environments. Early signs and impact Initial indicators
Shuyal Stealer Targets 19 Browsers to Harvest Login Credentials Read More »
Cybersecurity experts have closely monitored the development of XWorm malware, evolving it into a highly adaptable tool capable of executing a broad range of malicious operations on infected systems. Trellix researchers Niranjan Hegde and Sijo Jacob explained, “XWorm’s architecture is modular, consisting of a core client and multiple specialized components known as plugins. Each plugin
XWorm 6.0 Resurfaces with Over 35 Plugins, Upgraded Data Theft Features Read More »