The fake websites trick users into downloading and running malware that searches for personal information, especially anything related to crypto currency.
Threat actors are leveraging brand impersonation techniques to create fake websites mimicking DeepSeek, an AI chatbot from China that launched just a month ago. Their goal? Getting users to divulge personal and sensitive information.
A significant number of imposter sites imitating DeepSeek have already popped up, according to researchers at ThreatLabz, including deepseeksol[.]com, deepseeksky[.]com, deepseek[.]app, deepseekaiagent[.]live, and many more.
The attack chain involves the fraudulent DeepSeek website asking visitors to complete a registration process. Once done, the user is directed to a fake CAPTCHA page. Malicious JavaScript copies a malicious PowerShell command to the user’s clipboard, which, if run, downloads and executes the Vidar information stealer, allowing it to exfiltrate sensitive data such as passwords, cryptocurrency wallets, and personal files.
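As an added illustration (this code is not from the ThreatLabz report or any site it describes), the following Python checker flags pages that combine the two ingredients described above: a script that writes to the clipboard, and a shell launcher such as PowerShell inside what it writes. The sample page and the benign comparison page are constructed for the example, the copied command is a harmless placeholder, and the fragment-concatenation handling is an assumption about light obfuscation rather than something the report documents.

```python
import html
import re

# Constructed sample of a fake-CAPTCHA lure page (not a real site). The script
# assembles a command from string fragments and writes it to the clipboard.
# The command itself is a harmless placeholder.
SAMPLE_PAGE = """
<html><body>
<div class="captcha-box"><h2>Verify you are human</h2>
<button onclick="verify()">I'm not a robot</button></div>
<script>
function verify() {
  var c = "power" + "shell" + " -Command \\"PLACEHOLDER\\"";
  navigator.clipboard.writeText(c);
  document.getElementById('done').innerText = 'Verification complete';
}
</script>
<p id="done"></p>
</body></html>
"""

# Constructed benign page: clipboard writes by themselves are common and legitimate.
BENIGN_PAGE = """
<html><body><p>Copy your referral link:</p>
<script>function copyLink(){ navigator.clipboard.writeText(location.href); }</script>
</body></html>
"""

# Clipboard write APIs available to page scripts.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)|clipboardData\.setData",
    re.I,
)
# Native launchers that have no business being placed on a visitor's clipboard.
SHELL_RE = re.compile(r"\b(powershell|pwsh|mshta|cmd(?:\.exe)?\s*/c|certutil|rundll32)\b", re.I)
# Wording typical of a verification lure (informational only, not part of the verdict).
LURE_RE = re.compile(r"captcha|verify you are human|not a robot|verification (?:step|complete)", re.I)


def normalize(page: str) -> str:
    """Undo HTML entities and two cheap obfuscations before pattern matching."""
    s = html.unescape(page)
    # Join fragments assembled with string concatenation: "a" + "b" -> "ab".
    s = re.sub(r"""(["'])\s*\+\s*\1""", "", s)
    # Decode \xNN escapes so split keywords reassemble.
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s


def assess(page: str) -> dict:
    """Return which indicators fired and an overall verdict for one HTML page."""
    s = normalize(page)
    hits = {
        "clipboard_write": bool(CLIPBOARD_RE.search(s)),
        "shell_launcher": bool(SHELL_RE.search(s)),
        "captcha_lure": bool(LURE_RE.search(s)),
    }
    # The combination is the signal: a clipboard write alone is normal web behaviour,
    # a clipboard write that carries a shell launcher is not.
    hits["verdict"] = "suspicious" if hits["clipboard_write"] and hits["shell_launcher"] else "benign"
    return hits


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess(page))
```

The verdict deliberately ignores the lure wording, which is reported only for context: plenty of legitimate pages say "verify you are human", whereas a clipboard write containing a shell launcher is rare enough to be worth an analyst's time on its own.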
“The malware employs social media platforms, such as Telegram, to conceal its C2 infrastructure,” noted the researchers in a blog post.
They added that the malware is programmed to search for files and configurations specifically related to cryptocurrency wallets. If detected, Vidar will query “specific registry keys and file paths to exfiltrate sensitive data such as wallet files.” The malware also actively searches the victim’s system for other assets, such as stored cookies and saved login credentials.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
The updated malware, which spreads via infected Xcode projects, introduces advanced evasion tactics and persistence mechanisms to bypass security defenses.
Microsoft has warned that a new variant of XCSSET malware is actively targeting macOS users, marking the first update to the malware since 2022.
This latest version has been observed in limited attacks but introduces stronger evasion tactics, updated persistence mechanisms, and new infection strategies that make it more difficult to detect and remove. The malware, which spreads through infected Xcode projects, continues to pose a significant threat to developers and enterprises relying on Apple’s software development ecosystem.
“The latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,” Microsoft said in its report posted on X. The malware retains its previous capabilities, including stealing digital wallet data, collecting sensitive files, and exfiltrating user information.
Microsoft has urged macOS developers to remain vigilant and thoroughly inspect Xcode projects before use.
New stealth and persistence techniques
The new XCSSET variant employs advanced obfuscation techniques to evade detection. According to Microsoft, the malware randomizes encoding techniques and iterations, incorporating Base64 encoding alongside traditional xxd (hexdump) encoding to make analysis more difficult.
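Layered, randomly ordered Base64 and xxd-style hex encoding is meant to slow down analysis, but each layer is mechanically reversible. The Python helper below, added here as an illustration and not taken from Microsoft's report or from the malware, peels layers in whatever order they were applied until it reaches something that no longer decodes. The wrapped payload, the layer order and the layer count are constructed for the example; the real sample's encoding choices are not known from the report.

```python
import base64
import binascii
import re

# Constructed inner payload: a harmless shell line standing in for whatever the
# real sample wraps. Not taken from any malware.
PLAIN = b'echo "analysis placeholder"\n'


def _xxd_p(data: bytes) -> bytes:
    """Mimic `xxd -p`: lowercase hex wrapped at 60 characters per line."""
    hexstr = binascii.hexlify(data).decode()
    return "\n".join(hexstr[i:i + 60] for i in range(0, len(hexstr), 60)).encode() + b"\n"


def build_sample(layers) -> bytes:
    """Apply the given sequence of encodings, innermost first (constructed test data)."""
    data = PLAIN
    for layer in layers:
        data = base64.b64encode(data) if layer == "b64" else _xxd_p(data)
    return data


# Constructed sample with a deliberately irregular layer order.
SAMPLE = build_sample(["b64", "xxd", "b64", "b64", "xxd"])

HEX_RE = re.compile(rb"^[0-9a-fA-F\s]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def peel_layer(data: bytes):
    """Remove one encoding layer; return (kind, decoded) or (None, data) if none applies."""
    stripped = data.strip()
    # Hex is checked first because a hex string also satisfies the Base64 alphabet.
    if HEX_RE.match(stripped):
        compact = re.sub(rb"\s+", b"", stripped)
        if len(compact) % 2 == 0:
            try:
                return "xxd", binascii.unhexlify(compact)
            except binascii.Error:
                pass
    if B64_RE.match(stripped):
        try:
            return "b64", base64.b64decode(stripped, validate=False)
        except binascii.Error:
            pass
    return None, data


def looks_like_text(data: bytes) -> bool:
    """True when the bytes are valid UTF-8 and almost entirely printable."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return len(data) > 0 and printable / len(data) > 0.95


def decode_layers(data: bytes, max_layers: int = 32):
    """Peel encoding layers until plain text is reached; return (layers_removed, payload)."""
    history = []
    for _ in range(max_layers):
        stripped = data.strip()
        # Stop once we hold readable text that is not itself hex or Base64.
        if looks_like_text(data) and not (HEX_RE.match(stripped) or B64_RE.match(stripped)):
            break
        kind, decoded = peel_layer(data)
        if kind is None:
            break
        history.append(kind)
        data = decoded
    return history, data


if __name__ == "__main__":
    layers, payload = decode_layers(SAMPLE)
    print("layers removed (outermost first):", layers)
    print("payload:", payload)
```

The `max_layers` cap matters in practice: a sample that encodes to something which happens to decode again (hex of hex, for instance) could otherwise keep the loop busy, and a bounded peel is what an analyst wants when triaging many files.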
Stealthy C2 messages sent by the Golang backdoor could easily be mistaken for legitimate Telegram API communication.
Hackers have been found deploying an unfinished Russian malware, written in Golang, that leverages Telegram as its command-and-control (C2) channel.
Netskope Threat Labs, the research wing of the cybersecurity firm Netskope, discovered the malware. “As part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to take a closer look at it,” Netskope researchers said in a blog post.
The researchers added that the malware (Trojan.Generic.37477095), which presently seems to be under development yet is fully functional, acts like a backdoor on execution.
Abusing Telegram API for C2 communications
According to the researchers, the C2 communication the malware establishes could easily be mistaken for legitimate use of the Telegram API, making it difficult to detect.
“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted.
The backdoor uses Telegram as its C2 mechanism by using an open-source Go package to interact with it, the blog post added. It initially creates a bot instance using Telegram’s BotFather feature which enables creating, managing, and configuring Telegram Bots.
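Because Bot API traffic looks like any other HTTPS request to Telegram, the practical defender's question is what makes a bot-driven C2 session stand out from a person chatting. The Python script below is an added example, not code from Netskope or from the backdoor, that scores hosts in constructed proxy logs on three assumptions: that endpoints rarely talk to the Bot API directly (the official Telegram clients do not use it), that a backdoor polls `getUpdates` on a steady cadence, and that its HTTP client is not a browser. The log format, the hostnames, the bot token and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed bot tokens with the same shape as real ones (<numeric id>:<35 chars>).
# They are not real credentials.
TOKEN_A = "123456789:" + "A" * 35
TOKEN_B = "987654321:" + "B" * 35

# Constructed proxy log lines, not real telemetry. Format:
#   <ISO timestamp> <src host> <method> <dest host> <path> "<user agent>"
LOG_LINES = [
    f'2025-02-18T09:00:00 ws-42 GET api.telegram.org /bot{TOKEN_A}/getUpdates?offset=1 "Go-http-client/1.1"',
    f'2025-02-18T09:00:05 ws-42 GET api.telegram.org /bot{TOKEN_A}/getUpdates?offset=1 "Go-http-client/1.1"',
    f'2025-02-18T09:00:10 ws-42 GET api.telegram.org /bot{TOKEN_A}/getUpdates?offset=1 "Go-http-client/1.1"',
    f'2025-02-18T09:00:15 ws-42 GET api.telegram.org /bot{TOKEN_A}/getUpdates?offset=2 "Go-http-client/1.1"',
    f'2025-02-18T09:00:17 ws-42 POST api.telegram.org /bot{TOKEN_A}/sendMessage "Go-http-client/1.1"',
    f'2025-02-18T09:00:20 ws-42 GET api.telegram.org /bot{TOKEN_A}/getUpdates?offset=2 "Go-http-client/1.1"',
    '2025-02-18T09:01:12 ws-07 GET web.telegram.org /k/ "Mozilla/5.0 (Windows NT 10.0)"',
    f'2025-02-18T09:03:40 ws-07 GET api.telegram.org /bot{TOKEN_B}/getMe "python-requests/2.31"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Bot API paths carry the token: /bot<id>:<secret>/<method>. Only the id is kept for reporting.
BOT_PATH_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]{35}/(\w+)")


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "ua": ua}


def analyze(lines, max_cv: float = 0.2, alert_threshold: int = 4) -> dict:
    """Score each source host for Bot-API-as-C2 behaviour; returns per-host findings."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["host"] == "api.telegram.org":
            m = BOT_PATH_RE.match(rec["path"])
            if m:
                rec["bot_id"], rec["api_method"] = m.group(1), m.group(2)
                per_host[rec["src"]].append(rec)

    findings = {}
    for src, recs in per_host.items():
        # Assumption: the Bot API is for server-side bots, so any endpoint using it
        # earns a baseline score before looking at how it behaves.
        score, reasons = 2, ["endpoint talks to the Telegram Bot API directly"]

        # Steady getUpdates polling: low coefficient of variation in the gaps.
        polls = sorted(r["ts"] for r in recs if r["api_method"] == "getUpdates")
        if len(polls) >= 3:
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
            if cv <= max_cv:
                score += 2
                reasons.append(f"regular getUpdates polling every ~{mean(gaps):.0f}s (cv={cv:.2f})")

        # A non-browser HTTP client (Go's default user agent, for instance).
        agents = sorted({r["ua"] for r in recs})
        if any(not ua.startswith("Mozilla/") for ua in agents):
            score += 1
            reasons.append("non-browser user agent: " + agents[0])

        # Messages going out to the bot's chat: results or collected data leaving the host.
        if any(r["api_method"] == "sendMessage" for r in recs):
            score += 1
            reasons.append("sendMessage calls (data flowing out to the bot chat)")

        findings[src] = {
            "score": score,
            "alert": score >= alert_threshold,
            "bot_ids": sorted({r["bot_id"] for r in recs}),  # never log the secret half
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for host, f in analyze(LOG_LINES).items():
        print(host, "ALERT" if f["alert"] else "ok", f["score"], f["reasons"])
```

In the constructed data, `ws-42` polls every five seconds with Go's default user agent and also sends messages, so it crosses the threshold; `ws-07` makes a single `getMe` call from a scripting client and stays below it, which is the kind of low-volume automation a threshold should tolerate. Only the numeric half of each bot token is written to the findings, since the full token is a credential.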
Security experts warn of surge in malware targeting credentials stored in password vaults and managers as adversarial focus and tactics shift. ‘Like hitting the jackpot.’
Security watchers warn of a three-fold increase in malware that targets credential stores, such as password managers and browser-stored login data.
The study by Picus Security, which was based on analysis of 1 million real-world malware samples, also found that 93% of all malicious actions mapped to just 10 MITRE ATT&CK techniques.
Password store security trade-offs
Password stores are secure repositories designed to manage and protect sensitive authentication data, including usernames, passwords, encryption keys, and other credentials. Stores come in various forms, tailored to use cases and resident operating systems.
The main types of password stores include Keychain (for macOS and iOS), built-in password managers in browsers such as Chrome and Firefox, Windows Credential Manager, and dedicated password managers such as LastPass, 1Password, and Bitwarden. The category also includes cloud secrets management stores, like AWS Secrets Manager and Azure Key Vault, and caches and memory of third-party software.
Password stores aim to enhance security by providing encrypted storage and convenient access to credentials, reducing the risk of password reuse and simplifying the management of multiple complex passwords. Unfortunately, the centralized nature also makes them attractive targets for cybercriminals who target them through various strains of malware.