In a landmark cybersecurity breakthrough this February, researchers uncovered a new and highly sophisticated malware strain—BypassERWDirectSyscallShellcodeLoader—marking the first documented instance of generative AI being used to both create and analyze malicious code.
This advanced malware, generated using large language models like ChatGPT and DeepSeek, showcases a turning point in cyber warfare. No longer confined to manually written code, cybercriminals are now leveraging AI to produce complex, stealthy threats at scale, posing a fresh challenge for traditional defense systems.
The malicious code came to light through Deep Instinct’s proprietary DIANNA (Deep Instinct Artificial Neural Network Assistant)—an AI-powered detection tool that successfully explained and categorized this AI-born threat. The analysis revealed the malware’s capacity to evade detection while deploying multiple payloads through direct system calls, bypassing standard API monitoring tools.
What sets this malware apart is its modular framework, which allows attackers to tailor payloads for specific objectives. It also employs advanced evasion techniques, including anti-debugging, anti-sandboxing, and Bypass-ETW (Event Tracing for Windows). These features enable it to operate silently, deceiving security tools while maintaining its functionality in infected systems.
Remarkably, DIANNA identified and blocked the malware hours before it surfaced on VirusTotal, where only six security vendors initially flagged it as malicious. This detection gap underscores the limitations of signature-based methods and emphasizes the growing necessity for next-generation AI-driven cybersecurity solutions.
The emergence of BypassERWDirectSyscallShellcodeLoader is a wake-up call: as cybercriminals adopt AI to innovate attacks, defenders must evolve equally fast. AI-assisted tools like DIANNA are no longer just an option—they’re a critical frontline in the escalating battle against intelligent cyber threats.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: CyberSecurityNews.com
A previously documented threat actor known as Outlaw (or “Dota”) has resurfaced with an enhanced malware toolkit targeting Linux servers globally, according to a recent incident response investigation by Securelist analysts.
The group, active since at least 2018, has shifted focus to cryptographic mining and botnet propagation, exploiting weak SSH credentials to infiltrate systems in Brazil, the U.S., Germany, Italy, and Southeast Asia.
This latest campaign leverages Perl-based backdoors, modified XMRig miners, and IRC botnet clients to maintain persistence and evade detection while monopolizing victim resources.
The malware’s initial access vector remains consistent with historical Outlaw activity: brute-force attacks against SSH services using default or easily guessable credentials.
Once inside, attackers deploy a multi-stage payload beginning with a shell script (tddwrt7s.sh) that fetches and decompresses a malicious archive (dota.tar.gz).
This artifact creates a hidden directory (.configrc5) housing components for process manipulation, cryptocurrency mining, and command-and-control (C2) communication.
Securelist researchers noted the malware’s sophistication lies in its layered obfuscation, resource hijacking, and anti-forensic measures, including the systematic elimination of competing cryptominers on infected hosts.
Infection Mechanism: SSH Compromise and Payload Execution
The breach begins with attackers establishing SSH access using compromised credentials, often targeting accounts like suporte (Portuguese for “support”) with weak passwords.
Upon successful login, the threat actor executes a sequence of commands to download and unpack the primary payload.
This script retrieves a UPX-packed XMRig miner (kswapd0) and an obfuscated Perl IRC botnet client.
The .configrc5 directory structure includes subdirectories for payload execution (a/), persistence scripts (b/), and Tor proxies to mask mining pool communications.
Of particular note is the a /init0 script, which performs reconnaissance to identify and kill rival miners like tsm, rsync, and blitz using grep and kill -9 commands.
Persistence is achieved through SSH key manipulation and cron job injection. Attackers replace the victim’s .ssh /authorized_keys file with their own public key, ensuring repeated access even if credentials change.
The b/run script embeds a Base64-encoded Perl backdoor that deobfuscates to an IRC client masquerading as rsync. This client connects to C2 servers over port 443, enabling remote command execution, DDoS attacks, and lateral movement via SSH.
Securelist’s analysis revealed the malware’s adaptability, with recent samples incorporating Tor-based mining pools and process whitelisting to avoid disrupting its own operations.
While XMRig configurations default to CPU mining, the modular nature of the toolkit suggests potential expansion to GPU-based attacks.
The combination of credential brute-forcing, multi-layered payloads, and anti-detection routines positions Outlaw as a persistent threat to inadequately secured Linux environments.
Mitigation strategies emphasize SSH hardening, including disabling password authentication, enforcing firewall rate limits, and monitoring for unauthorized .ssh directory modifications.
Securelist advocates for tools like Fail2Ban paired with stringent sshd_config policies to disrupt Outlaw’s primary infiltration vector.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://cybersecuritynews.com/outlaw-cybergang-attacking-linux-environments/
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
“This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes,” Netcraft said in a new report shared with The Hacker News.
“The new AI-assisted features amplify Darcula’s threat potential by simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge.”
Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leveraged Apple iMessage and RCS to send smishing messages to users that trick recipients into clicking on bogus links under the guise of postal services like USPS.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source : https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html
The fake websites trick users into downloading and running malware that searches for personal information, especially anything related to crypto currency.
Threat actors are leveraging brand impersonation techniques to create fake websites mimicking DeepSeek, an AI chatbot from China that launched just a month ago. Their goal? Getting users to divulge personal and sensitive information.
A significant number of imposter sites imitating DeepSeek have already popped up, according to researchers at ThreatLabz, including deepseeksol[.]com, deepseeksky[.]com, deepseek[.]app, deepseekaiagent[.]live, and many more.
The attack chain involves the fraudulent DeepSeek website asking visitors to complete a registration process. Once done, the user is directed to a fake CAPTCHA page. Malicious JavaScript copies a malicious PowerShell command to the user’s clipboard, which, if run, downloads and executes the Vidar information stealer, allowing it to exfiltrate sensitive data such as passwords, cryptocurrency wallets, and personal files.
“The malware employs social media platforms, such as Telegram, to conceal its C2 infrastructure,” noted the researchers in a blog post.
They added that the malware is programmed to search for files and configurations specifically related to cryptocurrency wallets. If detected, Vidar will query “specific registry keys and file paths to exfiltrate sensitive data such as wallet files.” The malware also actively searches the victim’s system for other assets, such as stored cookies and saved login credentials.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
The updated malware, which spreads via infected Xcode projects, introduces advanced evasion tactics and persistence mechanisms to bypass security defenses.
Microsoft has warned that a new variant of XCSSET malware is actively targeting macOS users, marking the first update to the malware since 2022.
This latest version has been observed in limited attacks but introduces stronger evasion tactics, updated persistence mechanisms, and new infection strategies that make it more difficult to detect and remove. The malware, which spreads through infected Xcode projects, continues to pose a significant threat to developers and enterprises relying on Apple’s software development ecosystem.
“The latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,” Microsoft said in its report posted on X. The malware retains its previous capabilities, including stealing digital wallet data, collecting sensitive files, and exfiltrating user information.
Microsoft has urged macOS developers to remain vigilant and thoroughly inspect Xcode projects before use.
New stealth and persistence techniques
The new XCSSET variant employs advanced obfuscation techniques to evade detection. According to Microsoft, the malware randomizes encoding techniques and iterations, incorporating Base64 encoding alongside traditional xxd (hexdump) encoding to make analysis more difficult.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Stealthy C2 messages operated by the Golang backdoor could easily be mistaken for legitimate Telegram API communication.
Hackers have been found deploying an unfinished Russian malware, written in Golang, that leverages Telegram as its command-and-control (C2) channel.
Netskope Threat Labs, the research wing of the cybersecurity firm Netskope, discovered the malware. “As part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to take a closer look at it,” Netskope researchers said in a blog post.
The researchers added that the malware (Trojan.Generic.37477095), which presently seems to be under development yet is fully functional, acts like a backdoor on execution.
Abusing Telegram API for C2 communications
According to the researchers, C2 communication being established by the malware could easily be mistaken for legitimate Telegram API deployments, making its detection difficult.
“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted.
The backdoor uses Telegram as its C2 mechanism by using an open-source Go package to interact with it, the blog post added. It initially creates a bot instance using Telegram’s BotFather feature which enables creating, managing, and configuring Telegram Bots.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Security experts warn of surge in malware targeting credentials stored in password vaults and managers as adversarial focus and tactics shift. ‘Like hitting the jackpot.’
Security watchers warn of a three-fold increase in malware that targets credential stores, such as password managers and browser-stored login data.
The study by Picus Security, which was based on analysis of 1 million real-world malware samples, also found that 93% of all malicious actions mapped to just 10 MITRE ATT&CK techniques.
Password store security trade-offs
Password stores are secure repositories designed to manage and protect sensitive authentication data, including usernames, passwords, encryption keys, and other credentials. Stores come in various forms, tailored to use cases and resident operating systems.
The main types of password stores include Keychain (for macOS and iOS), built-in password managers in browsers such as Chrome and Firefox, Windows Credential Manager, and dedicated password managers such as LastPass, 1Password, and Bitwarden. The category also includes cloud secrets management stores, like AWS Secrets Manager and Azure Key Vault, and caches and memory of third-party software.
Password stores aim to enhance security by providing encrypted storage and convenient access to credentials, reducing the risk of password reuse and simplifying the management of multiple complex passwords. Unfortunately, the centralized nature also makes them attractive targets for cybercriminals who target them through various strains of malware.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
