Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Tag: Malware

Notepad++ 8.8.9 Released: Fixing Critical Update Vulnerability

A new version, 8.8.9, of the popular text editor Notepad++, has been released by its developers, fixing a flaw in the automatic update system. This issue came to light after some users and investigators discovered that, instead of downloading legitimate updates, the system was downloading malicious executables. The first hints of the problem emerged in the Notepad++ community forums. For example, one user reported that they found that the GUP.exe (WinGUp) update tool was running a suspicious-looking file, %Temp%AutoUpdater.exe, which had begun collecting system data. The malware executed typical reconnaissance commands and saved the results in the a.txt file: After collecting

Storm-0249 Uses DLL Sideloading in Highly Targeted Attacks

A well-known initial access broker (IAB) called “Storm-0249” has changed its operational strategies, using phishing campaigns as well as highly targeted attacks, which exploit the very security tools designed to protect networks as a means to achieve their goals. The group uses an alarming new technique that includes a method called DLL sideloading. Malicious MSI packages are spread by Storm-0249 via phishing campaigns, often using social engineering tactics called “ClickFix,” which trick users into executing commands to fix supposedly bogus technical issues. The ReliaQuest Threat Research Team (after the analysis was partly developed by TrendMicro specialists) has published an

VS Code Extensions Infected with Sophisticated Malware via Typosquatting

A sophisticated malware campaign has been detected within the Visual Studio Code (VS Code) marketplace. Researchers at ReversingLabs (RL) have identified 19 malicious extensions that successfully evaded standard detection methods by deeply hiding their payloads within dependency folders. Active since February 2025, it uses a clever combination of typosquatting-adjacent techniques and steganography to compromise developers’ computers. “The malicious files abused a legitimate npm package to evade detection and created an archive containing malicious binaries that masqueraded as an image – a file with the PNG extension,” the researchers reported. To further obscure their tracks, the attackers used a deceptive file called banner.png

GhostFrame Phishing Kit: New Stealthy PhaaS Threat Emerges

Barracuda has released details of a new stealthy, evasive phishing-as-a-service (PhaaS) kit that hides malicious content within web page iframes to evade detection and maximize resilience. This is the first time Barracuda has detected a complete phishing framework built around the iframe technique. Threat analysts have been monitoring the new PhaaS since September 2025 and have dubbed it GhostFrame. To date, over a million attacks have been attributed to this kit. Barracuda’s technical analysis shows that GhostFrame’s functionality is deceptively simple, yet highly effective. Unlike most phishing kits, GhostFrame uses a simple, seemingly innocuous HTML file, with all the malicious activity

NANOREMOTE Trojan Uses Google Drive for Command and Control

A new multifunctional Windows Trojan called NANOREMOTE uses a cloud file storage service as its command center, making the threat harder to detect and giving attackers a persistent channel to steal data and deliver additional downloads. The threat was reported by Elastic Security Labs, which compared the malware to the already known FINALDRAFT implant, also known as Squidoor, which relies on Microsoft Graph to communicate with operators. Both tools are associated with the REF7707 cluster, reported as CL-STA-0049, Earth Alux and Jewelbug, and attributed to Chinese espionage activities against government agencies, defense contractors, telecommunications companies, educational institutions and aviation

Notepad++ Vulnerability Fixed: Update to 8.8.9 to Avoid Malware

Notepad++ is often targeted by attackers because the software is popular and widely used. A recently discovered vulnerability in the open-source text and code editor Notepad++ could allow attackers to hijack network traffic, hijack the update process, and install malware on affected computers. This flaw has now been fixed in Notepad++ version 8.8.9. Users running older versions should immediately run a thorough scan with reputable security software. Their systems may already be compromised; in more severe cases, a complete reinstallation may be the only reliable solution. According to the developers, the Notepad++ update utility, WinGUp, could, under certain circumstances, be

EtherRAT Malware Exploits React2Shell Vulnerability with Ethereum C2

Just two days after the critical React2Shell vulnerability was discovered, Sysdig researchers discovered a new malware, EtherRAT, in a compromised Next.js application. The malware uses Ethereum smart contracts for communication and achieves persistence on Linux systems in five ways. Experts believe the malware is related to tools used by the North Korean Lazarus group. However, EtherRAT differs from known samples in several key ways. React2Shell (CVE-2025-55182) is a critical vulnerability in Meta’s popular React JavaScript library. The issue, which received a CVSS score of 10 out of 10, is related to insecure data deserialization in React Server components and allows remote code

Malicious VSCode Extensions Steal Crypto Wallets and Browser Sessions

Two malicious extensions that infect developers’ computers with stealer programs have been discovered on Microsoft’s Visual Studio Code marketplace. The malware can take screenshots, steal passwords and cryptocurrency wallets, and even hijack browser sessions. Researchers at Koi Security have discovered the malicious extensions Bitcoin Black and Codo AI, which masquerade as a theme and an AI assistant. Both malicious extensions were released under the developer name BigBlack. At the time of the researchers’ report, Codo AI was still available on the store, although it had fewer than 30 downloads. Bitcoin Black had only one installation. According to experts, Bitcoin Black uses the “*”

Maha Grass APT Group Unleashes StreamSpy Malware Attacks

The Patchwork cyber espionage group — also known as Hangover or Dropping Elephant and internally tracked by QiAnXin as APT-Q-36 — has been active since 2009 and is believed to be close to South Asia. Over the years, it has targeted government agencies, the military, research institutions, diplomacy, industry, and educational institutions in several Asian countries, conducting large-scale intelligence gathering operations. The QiAnXin Threat Intelligence Center has identified a new Trojan attributed to the Maha Grass organization, which uses a combination of WebSocket and HTTP protocols to communicate with command and control servers. The malware, dubbed StreamSpy, retrieves instructions via a

ShadyPanda Malware Infects 4.3M Browsers with Chrome Edge Extensions

Researchers at Koi Security described a multi-stage operation called ShadyPanda. Over the course of seven years, attackers released seemingly useful extensions for Chrome and Edge and built up an audience with positive comments and reviews. They then released an update containing malicious code. Researchers estimate that the total number of installations reached a remarkable 4.3 million downloads. The scheme is simple and unpleasant: “legitimate” extensions accumulate ratings, reviews, and trust badges for years, only to receive an update that contains malware, extracts arbitrary JavaScript, and executes it with full access to the browser. The code is obfuscated and becomes