BetaIT-Hub is in early access — your feedback helps us improve. Use the chat or email [email protected]
Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
237 results in Malware
Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign. [...]
More than 200 individuals were arrested for cybercrime activities during INTERPOL's Operation Ramz, which focused on the Middle East and North Africa. [...]
A new variant of the 'SHub' macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor. [...]
The newly discovered Reaper malware bypasses Apple's macOS Tahoe 26.4 security updates to steal passwords, crypto assets, and install a permanent backdoor.
The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend. [...]
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production
The Gentlemen ransomware gang suffered an internal breach in May 2026, exposing victim data, affiliate activity, and backend operations.
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The list of identified packages is below - chalk-tempalte (825 Downloads) @deadcode09284814/axios-util (284 Downloads) axois-utils (963 Downloads) color-style-utils (934 Downloads) "One of the packages (chalk-tempalte)
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations. According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design. "Fast16's hook engine is selectively interested in
The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection. [...]
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)
Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads.
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]
A suspected China-linked threat actor targeted the Indian branch of a global manufacturer leveraging an open source offensive toolkit
:root { --isc-maroon: #7a1f1f; --isc-maroon-dark: #5e1717; --isc-link: #0066cc; --isc-text: #1a1a1a; --isc-muted: #555; --isc-rule: #d0d0d0; --isc-code-bg: #f4f4f4; --isc-code-text: #c0392b; --isc-block-bg: #1e1e1e; --isc-block-text: #e6e6e6; --isc-callout-bg: #fafafa; --isc-table-header: #ececec; } * { box-sizing: border-box; } html, body { margin: 0; padding: 0; background: #ffffff; color: var(--isc-text); font-family: "Open Sans", "Source Sans Pro", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.6; } .isc-header { background: var(--isc-maroon); color: #ffffff; padding: 14px 24px; border-bottom: 4px solid var(--isc-maroon-dark); } .isc-header .brand { font-family: Arial, Helvetica, sans-serif; font-size: 22px; font-weight: bold; letter-spacing: 0.3px; } .isc-header .brand a { color: #ffffff; text-decoration: none; } .isc-header .tagline { font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #f3d6d6; margin-top: 2px; } main { max-width: 920px; margin: 0 auto; padding: 28px 32px 48px; } h1.diary-title { font-family: Arial, Helvetica, sans-serif; font-size: 26px; line-height: 1.25; color: var(--isc-maroon); margin: 8px 0 10px 0; border-bottom: 1px solid var(--isc-rule); padding-bottom: 12px; } .meta { font-family: Arial, Helvetica, sans-serif; font-size: 13px; color: var(--isc-muted); margin-bottom: 24px; } .meta strong { color: var(--isc-text); } .meta a { color: var(--isc-link); text-decoration: none; } .meta a:hover { text-decoration: underline; } h2 { font-family: Arial, Helvetica, sans-serif; font-size: 19px; color: var(--isc-maroon); margin-top: 32px; margin-bottom: 10px; padding-bottom: 4px; border-bottom: 1px solid var(--isc-rule); } h3 { font-family: Arial, Helvetica, sans-serif; font-size: 16px; color: var(--isc-text); margin-top: 22px; margin-bottom: 8px; } p { margin: 10px 0; } a { color: var(--isc-link); } a:hover { text-decoration: underline; } code, .inline-code { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 13px; background: var(--isc-code-bg); color: var(--isc-code-text); padding: 1px 5px; border-radius: 3px; word-break: break-all; } .callout { background: var(--isc-callout-bg); border-left: 3px solid var(--isc-maroon); padding: 10px 16px; margin: 14px 0; font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 13px; color: var(--isc-text); } figure { margin: 22px 0; text-align: center; } figure img { max-width: 100%; height: auto; border: 1px solid #cccccc; display: block; margin: 0 auto; } figcaption { font-family: Arial, Helvetica, sans-serif; font-size: 13px; color: var(--isc-muted); margin-top: 8px; font-style: italic; } figcaption strong { color: var(--isc-text); font-style: normal; } table.diary-table { border-collapse: collapse; width: 100%; margin: 16px 0; font-family: Arial, Helvetica, sans-serif; font-size: 13.5px; } table.diary-table th, table.
Hackers are using Fake interview apps to spread JobStealer malware on macOS and Windows to steal crypto wallets, browser data, and passwords.
In this article Delivery Module types Botnet operations Who is Secret Blizzard? Mitigation and protection guidance Microsoft Defender detections Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard , has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments. This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection. The threat actor has historically targeted organizations in the government and diplomatic sector in Europe and Central Asia, as well as systems in Ukraine previously compromised by Aqua Blizzard, very likely for the purpose of obtaining information supporting Russia’s foreign policy and military objectives. While many threat actors rely on increasing usage of native tools (living-off-the-land binaries (LOLBins)) to avoid detection, Kazuar’s progression into a modular bot highlights how Secret Blizzard is engineering resilience and stealth directly into their tooling. By separating responsibilities across Kernel, Bridge, and Worker modules and restricting external communications to a single elected leader, Kazuar reduces its observable footprint. It also maintains flexible tasking, data staging, and multiple fallback channels for command and control (C2). Understanding this architecture helps defenders move beyond single sample analysis and instead focus on the behaviors that keep the botnet operational: leader election, inter-process communication (IPC) message routing, working directory staging, and periodic exfiltration. Kazuar’s capabilities and tradecraft have been widely documented by the security research community, and prior reporting, including Unit 42’s write-up and a recent deep dive into its loader capabilities , remains relevant today. This blog is an in-depth analysis of Kazuar’s progression from a single, monolithic framework into a modular bot ecosystem composed of three distinct module types, each with clearly defined roles. Together, these components distribute functionality across the P2P botnet, enabling flexible configuration, lower observability, and broad tasking while minimizing opportunities for detection. Delivery Kazuar is delivered through multiple dropper variants. In one observed method, the Pelmeni dropper embeds the encrypted second-stage payload directly within the dropper as an encrypted byte array. The payload is often bound to the target environment (for example, encrypted using the target hostname) so it only decrypts and executes on the intended host. In another method, the dropper deploys a small .NET loader alongside the final payload. The dropper then invokes the loader (often configured as a COM object) and supplies the decrypted pay
A group of likely Russian government hackers tried to hack a security researcher who investigates spyware attacks. He was then able to turn the tables on the hackers and reveal details of their espionage campaign.
Google’s Android Advanced Protection Mode is getting a new feature allowing trusted security experts to investigate potential spyware infections
What would some of the world's largest repositories of malware look like if they were stacked as hard drives, one on top of the other?