#infostealer — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #infostealer, aggregated by home.social.
-
#Infostealer on AI platform #HuggingFace disguises itself as an OpenAI repository | Developer https://www.heise.de/news/Infostealer-auf-KI-Plattform-Hugging-Face-tarnt-sich-als-OpenAI-Repository-11290607.html #Typosquatting #ArtificialIntelligence #AI
-
Operation HumanitarianBait: An Infostealer Campaign in Disguise
Cyble Research and Intelligence Labs (CRIL) has uncovered a targeted cyberespionage campaign using aid-themed lures in a Russian aid request form, as well as a fileless Python infostealer.
Pulse ID: 6a01c14d4138e8c33a19b4d7
Pulse Link: https://otx.alienvault.com/pulse/6a01c14d4138e8c33a19b4d7
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:45:17
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CRIL #CyberSecurity #Cyberespionage #Cyble #Espionage #InfoSec #InfoStealer #OTX #OpenThreatExchange #Python #RAT #Russia #bot #CyberHunter_NL
-
https://winbuzzer.com/2026/05/11/fake-openai-repository-on-hugging-face-pushes-info-xcxwbn/
A fake Hugging Face repository copied OpenAI's Privacy Filter branding and delivered infostealer malware to Windows users.
#AI #AIModels #HuggingFace #OpenAI #Infostealer #Cybersecurity #Malware #Cybercrime #OpenSourceAI
-
AI-Assisted Lure Factory Targets Developers & Gamers
A large-scale malware campaign tracked as TroyDen's Lure Factory has been identified distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub. The operation uses AI-generated lure names incorporating obscure biological taxonomy and medical terminology to target developers, gamers, Roblox players, and crypto users. The malware employs a two-component design with a renamed LuaJIT runtime and encrypted Lua payload that evades sandbox detection through anti-analysis checks and extreme sleep delays. Upon execution, it disables proxy detection, captures desktop screenshots, performs geolocation, and exfiltrates data to C2 servers in Frankfurt. The infrastructure demonstrates scalability with multiple IP addresses serving identical encrypted commands, while maintaining simultaneous campaigns across gaming cheats, developer tools, phone trackers, and VPN crackers.
Pulse ID: 69fdc9a2b94badfe5abacbcb
Pulse Link: https://otx.alienvault.com/pulse/69fdc9a2b94badfe5abacbcb
Pulse Author: AlienVault
Created: 2026-05-08 11:31:46
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #GitHub #InfoSec #InfoStealer #LUA #Malware #OTX #OpenThreatExchange #Proxy #RAT #VPN #bot #developers #AlienVault
-
ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Pulse ID: 6a015ff906d70a7e190b0569
Pulse Link: https://otx.alienvault.com/pulse/6a015ff906d70a7e190b0569
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:01
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #bot #Tr1sa111
-
Fake #OpenAI #repository on #Hugging #Face pushes #infostealer #malware
A #malicious #HuggingFace repository that reached the platform’s trending list impersonated OpenAI’s “Privacy Filter” project to deliver information-stealing malware to Windows users.
The repository briefly reached #1 on Hugging Face and accumulated 244,000 downloads before the platform responded to reports and removed it.
#computersecurity #security
-
5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Five malicious NuGet packages published under account bmrxntfj impersonate Chinese .NET libraries to deploy an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. The packages typosquat legitimate Chinese UI and infrastructure libraries, grafting .NET Reactor-protected payloads onto decompiled legitimate code. The campaign uses version rotation to evade hash-based detection, with 219 of 224 total versions unlisted but fetchable. The stealer targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions, exfiltrating data to a newly-registered C2 domain. With approximately 65,000 downloads across all versions, the campaign puts tens of thousands of developer workstations and CI/CD build servers at risk. The payload executes through .NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS infrastructure.
Pulse ID: 69fcc64069bf35be793669dd
Pulse Link: https://otx.alienvault.com/pulse/69fcc64069bf35be793669dd
Pulse Author: AlienVault
Created: 2026-05-07 17:05:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #Chinese #CyberSecurity #InfoSec #InfoStealer #Linux #Mac #MacOS #NET #NuGet #OTX #OpenThreatExchange #RAT #SSH #bot #cryptocurrency #AlienVault
-
ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.
Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault
-
ClickFix campaign uses fake macOS utilities lures to deliver infostealers - https://www.redpacketsecurity.com/clickfix-campaign-uses-fake-macos-utilities-lures-to-deliver-infostealers/
#threatintel
#macos
#clickfix
#infostealer
#payload-delivery
#persistence
-
That AI Extension Helping You Write Emails? It's Reading Them First
Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications.
Pulse ID: 69f3e871eb2a73cd5c8bee7e
Pulse Link: https://otx.alienvault.com/pulse/69f3e871eb2a73cd5c8bee7e
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChatGPT #CyberSecurity #Email #Google #HTTP #HTTPS #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #Proxy #RAT #RCE #RemoteAccessTrojan #Rust #Trojan #Word #bot #AlienVault
-
MiningDropper Android Malware Framework Spreads Infostealers, RATs and Banking Malware
Mining Dropper is an Android malware delivery framework used to mine cryptocurrency and to distribute infostealers, Remote Access Trojans and banking malware.
Pulse ID: 69f10f6fb0cd7c248d2f4267
Pulse Link: https://otx.alienvault.com/pulse/69f10f6fb0cd7c248d2f4267
Pulse Author: cryptocti
Created: 2026-04-28 19:50:07
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #Bank #CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #cryptocti
-
From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
Multiple campaigns are distributing NWHStealer through diverse delivery methods including fake VPN downloads, hardware utilities, and gaming modifications. The malware collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services like Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection methods were identified: one using a free web hosting provider distributing malicious ZIP files with self-injection, and another using fake websites with DLL hijacking that injects code into RegAsm processes. The stealer targets over 25 cryptocurrency wallets and multiple browsers, using AES-CBC encryption for command-and-control communications and employing UAC bypass techniques for privilege escalation.
Pulse ID: 69e27c47d37f66809a367479
Pulse Link: https://otx.alienvault.com/pulse/69e27c47d37f66809a367479
Pulse Author: AlienVault
Created: 2026-04-17 18:30:31
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CyberSecurity #ELF #Encryption #GitHub #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #RCE #VPN #Windows #Word #YouTube #ZIP #bot #cryptocurrency #AlienVault
-
From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
Multiple campaigns are distributing NWHStealer through diverse platforms including fake VPN downloads, hardware utilities, and gaming modifications. The infostealer collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services like Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection methods are analyzed: one using a free web hosting provider distributing malicious ZIP files with self-injection loaders, and another employing fake websites with DLL hijacking techniques that inject into the RegAsm process. The stealer targets over 25 cryptocurrency wallets and multiple browsers, exfiltrating data to command-and-control servers using AES-CBC encryption and maintaining persistence through scheduled tasks and UAC bypass techniques.
Pulse ID: 69dfb91808e1258915184d6e
Pulse Link: https://otx.alienvault.com/pulse/69dfb91808e1258915184d6e
Pulse Author: AlienVault
Created: 2026-04-15 16:13:12
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CyberSecurity #ELF #Encryption #GitHub #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #RAT #RCE #VPN #Windows #Word #YouTube #ZIP #bot #cryptocurrency #AlienVault
-
We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.
Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.
If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting
-
Watch out as new .NET AOT malware hides its code as a black box, making detection far harder while delivering Rhadamanthys infostealer and crypto miner.
Read: https://hackread.com/net-aot-malware-code-black-box-evade-detection/
-
📬 Stealka Stealer: fake Roblox mods and cheats loot crypto wallets
#ITSicherheit #Malware #Cheats #Infostealer #kaspersky #KryptoDiebstahl #KryptoWallets #Roblox #SoftwareCracks #SpielMods #StealkaStealer #WindowsMalware #ZweiFaktorAuthentifizierung https://sc.tarnkappe.info/3e3510
-
Meduza Stealer Developers Arrested in Russia https://dailydarkweb.net/meduza-stealer-developers-arrested-in-russia/ #DarkWebNews&Services #MalwareasaService #MeduzaStealer #infostealer #Article273 #cybercrime #Rosgvardia #Astrakhan #Arrest #Russia #MVD
-
📬 Malware alert at MagisTV: brand flop and possible risks
#Malware #Streaming #FlujoTV #illegalesIPTV #Infostealer #MagisTV #MalwareinStreamingApps #StreamingPiraterie https://sc.tarnkappe.info/253d80
-
#arstechnica:
"DOGE software engineer’s computer infected by info-stealing malware"
"The presence of credentials in leaked "stealer logs" indicates his device was infected."
"A steady stream of published credentials" 8.5.2025
#Adobe #CISA #cybersecurity #Cybersicherheit #Datenschutz #Datensicherheit #DOGE #Gmail #Gravatar #infosec #infostealer #IT #malware #USA
-
Criminals no longer steal passwords, they steal active sessions https://blog.elhacker.net/2024/10/delincuentes-ya-no-roban-passwords-cookies-sesiones-activas.html #infostealer #cookie #sesion #token #mitm #robo
-
TL;DR On a #Telegram channel of a #cybercriminal gang, 16 archives were published containing the #credentials and data of over 4000 #Israeli citizens compromised by #infostealer
-
The data of 3923 Israeli citizens stolen by #infostealer malware, complete with personal #credentials for access to thousands of web services, has been published on a Telegram channel.
Very dangerous... Just a reminder that data breaches, vulnerabilities, and known and unknown backdoors are also a physical security problem
-