#malware

#malware

Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator. "On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor," Socket researcher Kirill Boychenko said. The deceptive package, named "golang-random-ip-ssh-bruteforce," has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible.

After installing a backdoor to the infected systems, they then downloaded two Java Archive (JAR) files that effectively patched the original vuln.

The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information.

The threat actor known as 'cryptohan' has created npm packages that target the Solana cryptocurrency ecosystem and pretend to 'scan' for Solana SDK components.

"Like a real-world virus variant, this new 'ClickFix' strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year."

A critical security vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770 with a CVSS score of 9.8, has been weaponized in a large-scale exploitation campaign.

"The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections."

The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite the status, many organizations continue to rely on them.

Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters.