// #malware
9 articles
Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers
A campaign targeting macOS users — particularly developers — is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.
MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration
ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.
JDownloader Official Download Site Hijacked to Serve Python RAT in Supply Chain Attack
The official JDownloader download site was compromised during a window of approximately 18 hours between 6 and 7 May 2026, with legitimate installer downloads replaced by a trojanised package delivering a Python-based remote access trojan. JDownloader is a popular open-source download manager with millions of users. Users who installed JDownloader during the compromise window should treat their system as compromised and perform immediate credential rotation and system remediation.
TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms
Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials
Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.
26 Fake Crypto Wallet Apps Found on Apple App Store Harvesting Mnemonic Seed Phrases
Researchers have discovered 26 malicious applications that bypassed Apple's App Store review and actively harvest cryptocurrency wallet seed phrases from victims. Users who installed any suspect app should rotate all wallet credentials immediately — mnemonic phrase compromise results in permanent, irreversible asset loss.
UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing
Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.
DPRK's Contagious Interview Campaign Spreads 1,700+ Malicious Packages Across Five Ecosystems
North Korea's UNC1069 (BlueNoroff) threat group has expanded its Contagious Interview supply chain operation to five package registries — npm, PyPI, Go Modules, crates.io, and Packagist — publishing more than 1,700 malicious packages that deliver a cross-platform infostealer and RAT. The operation is the largest coordinated open-source supply chain attack attributed to a nation-state actor.