Cybersecurity experts have flagged a deceptive malware campaign that uses fake CAPTCHA pop-up windows to install a new threat dubbed LightPerlGirl. The attack tricks users into manually executing disguised PowerShell commands, making it harder for security tools to detect the intrusion.
Researchers at Todyl identified the threat after spotting unusual PowerShell activity on a partner’s compromised device. The campaign hijacks legitimate but previously breached WordPress sites to deliver a fake security check, mimicking trusted services like Cloudflare.
Instead of exploiting software vulnerabilities, the attackers rely on social engineering, prompting users to copy and run a command via the Windows Run dialog. This manual step helps the malware bypass traditional security barriers.
LightPerlGirl, named after a signature in its code (“Copyright (c) LightPerlGirl 2025”) and embedded Russian strings, operates in multiple stealthy stages. The initial script contacts a command-and-control server to fetch a secondary payload, which includes three core functions:
- HelpIO: Attempts privilege escalation and disables antivirus detection by excluding the Temp folder from Windows Defender scans.
- Urex: Ensures persistence by downloading a batch file and adding a startup shortcut.
- ExWpL: Executes a fileless payload using .NET reflection—an advanced evasion method that avoids creating detectable files on disk.
This technique-heavy campaign shows how modern threats combine trusted interface mimicry with technical sophistication. The malware’s persistence mechanism ensures it stays active across reboots, maintaining covert access via its C2 infrastructure.
The attack underlines a broader shift in cyber threats—away from traditional exploits and toward manipulation of users through familiar interfaces, making them unwitting participants in compromising their systems.
Cybersecurity teams are urged to bolster endpoint protections and raise awareness around deceptive pop-ups, as attackers refine their methods to slip past even the most modern defense tools.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: CybersecurityNews.com
Cybersecurity analysts have uncovered a sophisticated malware campaign that abuses routine online verification steps to install malicious software on Windows systems globally.
Threat actors are leveraging fake “prove you are human” prompts to lure users into executing harmful PowerShell scripts. These scripts often appear on deceptive websites that imitate trusted platforms like GitHub repositories and DocuSign pages.
The operation tricks victims into copying code into their system’s Run prompt, initiating a multi-stage infection chain that leads to the installation of the NetSupport Remote Access Trojan (RAT).
Researchers at DomainTools report that attackers are using well-crafted social engineering tactics and themed websites to distribute the scripts. These pages are engineered to bypass conventional security tools through layered delivery techniques.
The infrastructure behind the campaign spans multiple domain registrars—Cloudflare, NameCheap, and NameSilo—and utilizes various name servers, making takedown efforts more difficult and ensuring redundancy for malware distribution.
A particularly stealthy technique used in this campaign involves clipboard poisoning. On fake DocuSign pages, users who click a CAPTCHA-like checkbox unknowingly trigger a script that silently copies an encoded payload to their clipboard. This script, masked using ROT13 encoding, decodes into a PowerShell command that downloads further malware, including “wbdims.exe” from GitHub, and ensures it runs on every login by placing it in the startup folder.
Infected machines also contact a command-and-control server at “docusign.sa.com/verification/c.php” to report successful infections and receive additional instructions.
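The two fake-CAPTCHA chains above (the LightPerlGirl stages and the DocuSign clipboard chain) share a handful of behaviours a defender can look for in PowerShell script-block logging: a Defender exclusion on the Temp folder, a drop into the Startup folder, a reflective .NET assembly load, and hidden-window download-and-execute. The triage logic below is an added example, not code from Todyl or DomainTools; the log lines are constructed and the rule weights are an assumption for illustration.

```python
import re

# Constructed sample lines in the shape of PowerShell event 4104 script blocks
# (not real telemetry). Three mirror the stages described in the articles; the
# last is benign admin activity that should not alert.
SAMPLE_EVENTS = [
    "4104 ScriptBlock: Add-MpPreference -ExclusionPath $env:TEMP",
    "4104 ScriptBlock: Copy-Item run.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat\"",
    "4104 ScriptBlock: [System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)",
    "4104 ScriptBlock: Get-ChildItem C:\\Users -Recurse | Measure-Object",
]

# Each rule: (name, pattern, weight). Weights are an assumption chosen so that a
# single high-confidence behaviour alerts on its own while weak hints must stack.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I), 4),
    ("temp_path", re.compile(r"\$env:TEMP|\\Temp\\", re.I), 1),
    ("startup_folder", re.compile(r"Start Menu\\Programs\\Startup", re.I), 3),
    ("reflective_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 4),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("download_exec", re.compile(r"\biex\b|Invoke-Expression|DownloadString", re.I), 2),
]


def score_event(line):
    """Return (total weight, matched rule names) for one script-block line."""
    hits = [name for name, rx, _ in RULES if rx.search(line)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def triage(lines, threshold=3):
    """Return the lines whose cumulative rule weight meets the threshold."""
    alerts = []
    for line in lines:
        score, hits = score_event(line)
        if score >= threshold:
            alerts.append({"line": line, "score": score, "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["rules"], alert["line"][:60])
```

Script-block logging must be enabled for these lines to exist at all; the rules are a starting point to tune, not a substitute for the Defender and Sysmon telemetry your EDR already provides.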
The campaign’s strength lies in exploiting user trust in everyday internet interactions while deploying advanced technical methods to evade detection. By requiring user interaction, attackers cleverly shift part of the execution process onto the victim, making this one of the more sophisticated social engineering attacks seen in recent months.
News Source: CybersecurityNews.com
In a landmark cybersecurity breakthrough this February, researchers uncovered a new and highly sophisticated malware strain—BypassERWDirectSyscallShellcodeLoader—marking the first documented instance of generative AI being used to both create and analyze malicious code.
This advanced malware, generated using large language models like ChatGPT and DeepSeek, showcases a turning point in cyber warfare. No longer confined to manually written code, cybercriminals are now leveraging AI to produce complex, stealthy threats at scale, posing a fresh challenge for traditional defense systems.
The malicious code came to light through Deep Instinct’s proprietary DIANNA (Deep Instinct Artificial Neural Network Assistant)—an AI-powered detection tool that successfully explained and categorized this AI-born threat. The analysis revealed the malware’s capacity to evade detection while deploying multiple payloads through direct system calls, bypassing standard API monitoring tools.
What sets this malware apart is its modular framework, which allows attackers to tailor payloads for specific objectives. It also employs advanced evasion techniques, including anti-debugging, anti-sandboxing, and Bypass-ETW (Event Tracing for Windows). These features enable it to operate silently, deceiving security tools while maintaining its functionality in infected systems.
Remarkably, DIANNA identified and blocked the malware hours before it surfaced on VirusTotal, where only six security vendors initially flagged it as malicious. This detection gap underscores the limitations of signature-based methods and emphasizes the growing necessity for next-generation AI-driven cybersecurity solutions.
The emergence of BypassERWDirectSyscallShellcodeLoader is a wake-up call: as cybercriminals adopt AI to innovate attacks, defenders must evolve equally fast. AI-assisted tools like DIANNA are no longer just an option—they’re a critical frontline in the escalating battle against intelligent cyber threats.
News Source: CyberSecurityNews.com
A previously documented threat actor known as Outlaw (or “Dota”) has resurfaced with an enhanced malware toolkit targeting Linux servers globally, according to a recent incident response investigation by Securelist analysts.
The group, active since at least 2018, has shifted focus to cryptocurrency mining and botnet propagation, exploiting weak SSH credentials to infiltrate systems in Brazil, the U.S., Germany, Italy, and Southeast Asia.
This latest campaign leverages Perl-based backdoors, modified XMRig miners, and IRC botnet clients to maintain persistence and evade detection while monopolizing victim resources.
The malware’s initial access vector remains consistent with historical Outlaw activity: brute-force attacks against SSH services using default or easily guessable credentials.
Once inside, attackers deploy a multi-stage payload beginning with a shell script (tddwrt7s.sh) that fetches and decompresses a malicious archive (dota.tar.gz).
This artifact creates a hidden directory (.configrc5) housing components for process manipulation, cryptocurrency mining, and command-and-control (C2) communication.
Securelist researchers noted the malware’s sophistication lies in its layered obfuscation, resource hijacking, and anti-forensic measures, including the systematic elimination of competing cryptominers on infected hosts.
Infection Mechanism: SSH Compromise and Payload Execution
The breach begins with attackers establishing SSH access using compromised credentials, often targeting accounts like suporte (Portuguese for “support”) with weak passwords.
Upon successful login, the threat actor executes a sequence of commands to download and unpack the primary payload.
This script retrieves a UPX-packed XMRig miner (kswapd0) and an obfuscated Perl IRC botnet client.
The .configrc5 directory structure includes subdirectories for payload execution (a/), persistence scripts (b/), and Tor proxies to mask mining pool communications.
Of particular note is the a/init0 script, which performs reconnaissance to identify and kill rival miners like tsm, rsync, and blitz using grep and kill -9 commands.
Persistence is achieved through SSH key manipulation and cron job injection. Attackers replace the victim’s .ssh/authorized_keys file with their own public key, ensuring repeated access even if credentials change.
The b/run script embeds a Base64-encoded Perl backdoor that deobfuscates to an IRC client masquerading as rsync. This client connects to C2 servers over port 443, enabling remote command execution, DDoS attacks, and lateral movement via SSH.
Securelist’s analysis revealed the malware’s adaptability, with recent samples incorporating Tor-based mining pools and process whitelisting to avoid disrupting its own operations.
While XMRig configurations default to CPU mining, the modular nature of the toolkit suggests potential expansion to GPU-based attacks.
The combination of credential brute-forcing, multi-layered payloads, and anti-detection routines positions Outlaw as a persistent threat to inadequately secured Linux environments.
Mitigation strategies emphasize SSH hardening, including disabling password authentication, enforcing firewall rate limits, and monitoring for unauthorized .ssh directory modifications.
Securelist advocates for tools like Fail2Ban paired with stringent sshd_config policies to disrupt Outlaw’s primary infiltration vector.
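Outlaw’s initial access is a password brute force followed by a successful login, which is visible in sshd’s auth log long before any .configrc5 directory appears. The detector below is an added example, not Securelist’s tooling or Fail2Ban: it parses constructed auth.log-style lines and flags a source that succeeds with a password after a burst of failures within a window. The thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log-style lines (not from the Securelist report): a burst of
# failed logins from one source, then a successful password login as "suporte",
# the weak-credential pattern the article describes. The last line is a normal
# key-based login that must not alert.
SAMPLE_AUTH_LOG = """\
Jun 10 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 02:14:03 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 10 02:14:05 web1 sshd[4025]: Failed password for suporte from 203.0.113.7 port 51238 ssh2
Jun 10 02:14:07 web1 sshd[4027]: Failed password for suporte from 203.0.113.7 port 51240 ssh2
Jun 10 02:14:09 web1 sshd[4029]: Accepted password for suporte from 203.0.113.7 port 51242 ssh2
Jun 10 02:30:00 web1 sshd[4100]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
"""

LINE_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log, year=2025):
    """Yield (timestamp, result, method, user, ip) from sshd log text.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    for line in log.splitlines():
        m = LINE_RX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforce_success(log, min_failures=3, window_s=600):
    """Alert on sources that succeed with a password after at least
    min_failures failures inside the preceding window_s seconds."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, method, user, ip in parse(log):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if method == "password" and len(recent) >= min_failures:
            alerts.append({"ip": ip, "user": user, "failures": len(recent), "at": ts})
    return alerts
```

A hit here is the moment to check authorized_keys and crontab for the account, since the report notes the key swap and cron entries follow the first login.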
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://cybersecuritynews.com/outlaw-cybergang-attacking-linux-environments/
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
“This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes,” Netcraft said in a new report shared with The Hacker News.
“The new AI-assisted features amplify Darcula’s threat potential by simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge.”
Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leveraged Apple iMessage and RCS to send smishing messages to users that trick recipients into clicking on bogus links under the guise of postal services like USPS.
Source: https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html