Red Hot Cyber

Tag: Malware

Maha Grass APT Group Unleashes StreamSpy Malware Attacks

The Patchwork cyber espionage group — also known as Hangover or Dropping Elephant and internally tracked by QiAnXin as APT-Q-36 — has been active since 2009 and is believed to be close to South Asia. Over the years, it has targeted government agencies, the military, research institutions, diplomacy, industry, and educational institutions in several Asian countries, conducting large-scale intelligence gathering operations. The QiAnXin Threat Intelligence Center has identified a new Trojan attributed to the Maha Grass organization, which uses a combination of WebSocket and HTTP protocols to communicate with command and control servers. The malware, dubbed StreamSpy, retrieves instructions via a

ShadyPanda Malware Infects 4.3M Browsers with Chrome Edge Extensions

Researchers at Koi Security described a multi-stage operation called ShadyPanda. Over the course of seven years, attackers released seemingly useful extensions for Chrome and Edge and built up an audience with positive comments and reviews. They then released an update containing malicious code. Researchers estimate that the total number of installations reached a remarkable 4.3 million downloads. The scheme is simple and unpleasant: “legitimate” extensions accumulate ratings, reviews, and trust badges for years, only to receive an update that contains malware, fetches arbitrary JavaScript, and executes it with full access to the browser. The code is obfuscated and becomes

KrakenBite Phishing Service Exposed

The underground cybercrime market continues to evolve rapidly, fueled by specialized groups designing and selling tools for increasingly sophisticated digital scams. Among these, a particularly active player in recent weeks is KrakenBite, known for offering turnkey phishing services to cybercriminals around the world. In a recent announcement on their channels, spotted by Red Hot Cyber’s DarkLab group, the group said they had added five new phishing pages targeting Moroccan banks, bringing the total number of pages available in their “catalogue” to 115.

The Criminal Offer: Phishing Pages for Every Market

The post presents a staggering list of targeted international

Bloody Wolf Attacks Central Asia with NetSupport RAT via Java Exploits

Group-IB specialists have recorded new attacks by the Bloody Wolf hacker group, which has been targeting Kyrgyzstan since June 2025 and has expanded its operations to Uzbekistan since October. The financial sector, government agencies, and IT companies are at risk. According to researchers, the attackers are impersonating the Kyrgyz Ministry of Justice, using fake PDF documents and seemingly legitimate domains, but are actually distributing Java archives (JARs) containing the NetSupport RAT malware. Bloody Wolf has been active since at least the end of 2023. Previously, the group targeted Kazakhstan and Russia, distributing STRRAT and NetSupport via phishing attacks. The group’s geographic reach

Shai-Hulud Worm Spreads Beyond npm, Attacks Maven

The Shai-Hulud worm has spread beyond the npm ecosystem and was discovered in Maven. Socket specialists noticed an infected package on Maven Central containing the same malicious components used in the second wave of Shai-Hulud attacks. Experts have identified the org.mvnpm:posthog-node:4.18.1 package on Maven Central, which contains two components characteristic of Shai-Hulud: the setup_bun.js loader and the main payload bun_environment.js. Currently, this is the only Java package found containing this malware. “The PostHog project was compromised in both the JavaScript/npm and Java/Maven ecosystems, with the same payload, Shai-Hulud v2, being used in all cases,” the researchers write. It’s important to note

Malware Uses Finger Command to Infect Windows Devices

A nearly forgotten service command has returned to prominence after being spotted in new Windows device infection patterns. For decades considered a relic of the early days of the internet, the mechanism is now being used in attacks disguised as harmless checks and queries that victims are asked to run in a Command Prompt window. The finger command, once designed to retrieve user information on Unix and Linux servers, was also present in Windows. It returned the account name, home directory, and other basic information. While the protocol is still supported, its use has largely disappeared. However, for attackers, this actually represents an advantage:

Windows Server Vulnerability Exploited: ShadowPad Malware Deployed

A recently patched vulnerability in Microsoft’s Windows Server update services has led to a series of attacks using one of the most notorious espionage tools of recent years. The incidents demonstrate how quickly attackers can move from studying a published exploit to actively exploiting the vulnerability to penetrate infrastructure. According to South Korean company AhnLab, an unknown group gained access to Windows servers running WSUS by exploiting the CVE-2025-59287 vulnerability. This vulnerability was exploited to run standard system utilities, allowing attackers to contact an external server and download malicious code. Before installing the main tool, the PowerCat utility was used, which

RHC interviews ShinyHunters: “Systems can be repaired, but people remain vulnerable!”

ShinyHunters is a group of threat actors that gained notoriety after the massive data breach against Salesforce, an incident that led Google to closely monitor them and assign them the code name UNC6240. The Salesforce breach would allow attackers to gain easy access to a large number of companies in a wide range of industries. In recent days, many companies have shared official statements about the breaches they have suffered, but many others have not yet made any public statements. The group recently gained notoriety after a massive data breach targeting Salesforce, an incident that prompted Google to closely monitor them and

What was the first ransomware in history? Discovering Trojan AIDS

We often talk about ransomware and criminal cyber gangs on Red Hot Cyber. But who invented this dangerous cyber blackmail “weapon”? Today, ransomware attacks have become familiar to most people, especially given the escalation in recent years that has targeted Italian hospitals and critical infrastructure, such as the Colonial Pipeline in the United States of America.

The first ransomware in history

While today ransomware attacks occur through malware injected into systems from a phishing email or a malicious exposure of a company’s administrative tools (as we saw in the article on Ransomware as a Service), the first ransomware in history was distributed

What is ransomware? Let’s explore how RaaS works and what it means.

Many people want to understand the ransomware phenomenon precisely: its meaning, how the breaches happen, and the crime that revolves around it, but they struggle to find information scattered across thousands of articles. This article aims to answer all these questions, providing a comprehensive yet simple guide to understanding this phenomenon as a whole. On the pages of every newspaper, we hear about huge cyber breaches, million-dollar ransoms, cyber gangs, RaaS, and cyber warfare. These are all words that can be very confusing for people who aren’t specialized in cybersecurity. With this article we want to explain what ransomware is, how the