Recent cybersecurity research indicates that scam websites surged 89% year-over-year, while phishing attacks account for 42% of Black Friday-specific threats, with 32% specifically targeting digital wallets and payment systems.

As transaction volumes explode during the holiday shopping period, cybercriminals exploit consumer urgency and reduced vigilance to harvest personal data, financial credentials, and cryptocurrency assets at an unprecedented scale.

This comprehensive security research article examines the ten most prevalent Black Friday scams currently targeting online shoppers, providing security professionals, content creators, and consumers with forensic-level analysis of each threat vector.

From clone websites using lookalike domains and AI-powered deepfake videos impersonating celebrity influencers to QR code fraud (“quishing”), cryptocurrency payment scams, and charity exploitation campaigns, this guide dissects the technical methodologies, psychological manipulation tactics, and attack infrastructure behind modern Black Friday fraud schemes.

Beyond threat identification, this article delivers actionable detection strategies, red flag indicators, and multi-layered defense protocols to help readers recognize and avoid these attacks.

Whether you’re developing security awareness content, conducting threat intelligence research, or protecting your personal finances, understanding these ten scam categories and their detection mechanisms is essential for navigating Black Friday 2025 safely while maintaining operational security and data integrity.

​10 Popular Black Friday Scams

Fake Shopping Websites and Spoofed Domains

Scammers create counterfeit online stores that closely mimic well-known retailers by cloning logos, product photos, and website layouts. These fraudulent sites use lookalike domain names with subtle variations, such as “be5tbuy.com” instead of “bestbuy.com” or “rc$.co.za” instead of “rcs.co.za”. Once shoppers enter payment details on fake checkout pages, attackers harvest credit card information and personal data for identity theft.​

Red Flags: URL misspellings, absence of HTTPS security protocols, missing “About” or “Contact” pages, and unrealistic discount offers. The SilkSpecter threat actor group has been particularly active, creating phishing domains using top-level domains like .top, .shop, .store, and .vip to impersonate brands such as IKEA, The North Face, and Wayfair.

Phishing and Smishing Campaigns

Fraudsters distribute emails and SMS messages impersonating trusted retailers, banks, or delivery services, claiming urgent account verification is required. These messages contain malicious links leading to credential-harvesting sites designed to steal login credentials and financial information. Phishing attacks account for 42% of Black Friday threats, with 32% specifically targeting digital wallets.​

Red Flags: Generic greetings instead of personalized names, spelling mistakes, urgent language like “Only 10 minutes left” or “Your account will be closed,” and sender addresses that don’t match official brand domains.

QR Code Fraud (Quishing)

QR code scams have emerged as a significant threat during Black Friday 2025. Attackers place fraudulent QR codes on posters, emails, social media posts, and even overlay legitimate codes in public spaces such as parking meters. Scanning these codes redirects victims to malicious websites that install malware or phishing pages that steal credentials.​

Red Flags: QR codes in unsolicited emails, codes on physical stickers that appear tampered with, and urgent promotional offers requiring immediate QR code scanning. Security experts recommend manually typing URLs rather than scanning unknown QR codes.

AI-Powered Deepfake Scams

Artificial intelligence has enabled criminals to create hyper-realistic deepfake videos and audio impersonating CEOs, influencers, and celebrities. In one documented case, a Fortune 500 retailer lost 40,000 customer records in 48 hours after AI-generated deepfake videos of their CEO promoted a fraudulent mobile app. Scammers synthesized content from Taylor Swift’s public appearances to falsely advertise Le Creuset giveaways, costing victims thousands of dollars.​

Red Flags: Celebrity endorsements for deals that seem too generous, executive announcements not found on official company channels, and promotional videos with slightly unnatural speech patterns or facial movements.

Fake Social Media Advertisements

Facebook, Instagram, and TikTok are flooded with fraudulent ads mimicking legitimate brands with deep discounts. These ads use stolen branding, fake reviews generated by bots, and direct users to counterfeit stores. Scammers employ sophisticated tactics to evade platform detection, including frequently changing account names and using URL shorteners.​

Red Flags: Deals offering 70-90% discounts on luxury items, unverified seller accounts, recently created profiles with few followers, and pressure to complete purchases quickly.​

Fake Delivery Notifications

Scammers exploit the high volume of expected packages by sending fake emails and texts impersonating carriers like USPS, FedEx, UPS, and DHL. These messages claim delivery issues exist and prompt recipients to click tracking links that lead to phishing sites or malware downloads.​

Red Flags: Unexpected delivery notifications for items you didn’t order, requests for payment information to “finalize” delivery (legitimate carriers never ask for payment details this way), and tracking numbers that don’t work on official carrier websites.​

Counterfeit Products and Marketplace Fraud

Fraudsters post listings on platforms like Facebook Marketplace and eBay for high-demand branded goods at unrealistic prices. These counterfeit products often mimicking luxury brands like Gucci, Louis Vuitton, or mass-market brands like Nike and Adidas are either never delivered or arrive as extremely poor-quality replicas.​

Red Flags: Prices significantly below retail value, sellers with no transaction history, requests to communicate outside platform messaging systems, and refusal to use platform payment protections.​

Gift Card Scams and Fake Vouchers

Scammers distribute fake coupons and vouchers through email and social media, promising unbelievable discounts or free gift cards. Some fraudulent sites claim to offer gift card generators, which instead install clipboard-monitoring malware that steals cryptocurrency wallet addresses. Gift card fraud is particularly prevalent because large purchases during holidays appear less suspicious.​

Red Flags: Offers for discounted gift cards from unofficial sources, requests to pay with gift cards (a common scammer tactic), and emails claiming you’ve won gift cards from contests you didn’t enter.​

Fake Charity and Donation Scams

Cybercriminals exploit holiday generosity by creating fraudulent charity campaigns with emotional appeals. The FTC reported a 30% surge in charity scams during December, with scammers impersonating legitimate organizations or creating fake disaster relief funds. These false charities use real-sounding names and professional-looking websites to deceive donors.​

Red Flags: Unsolicited donation requests via email or social media, pressure to donate immediately, vague descriptions of how funds will be used, and inability to verify the charity through watchdog organizations like CharityWatch.​

Cryptocurrency Payment Scams

Fraudulent stores offer “exclusive discounts” for cryptocurrency payments, then disappear with digital assets. Black Friday attracts crypto scams, including phishing attacks targeting wallet credentials, fake investment opportunities promising unrealistic returns, and malicious apps with OCR capabilities that scan device photos for cryptocurrency recovery phrases.​

Red Flags: Retailers suddenly accepting only cryptocurrency, investment opportunities promising guaranteed high returns during Black Friday, and apps requesting photo library access without legitimate reasons.

​How to Detect Scam Websites: Quick Reference Guide

Step 1: Check the URL

Look for misspellings (amaz0n.com), unusual domain extensions (.shop, .top), and extra characters. Hover over links to preview the actual destination.​

Step 2: Verify HTTPS & SSL Certificate

Ensure the padlock icon appears and URL starts with “https://”. Click the padlock to verify the certificate is from a recognized Certificate Authority like DigiCert or Let’s Encrypt.​

Step 3: Examine Website Quality

Check for spelling errors, poor image quality, inconsistent design, and excessive pop-ups. These indicate fraudulent operations.​

Step 4: Verify Contact Information

Look for a complete “Contact Us” page with physical address, phone number, and professional email. Test by calling or emailing to confirm legitimacy.​

Step 5: Research Domain Age

Use WHOIS lookup tools (ICANN, Who.is, or GoDaddy WHOIS) to check when the domain was registered. Domains under six months old warrant extra scrutiny.​

Step 6: Check Online Reviews

Search for “[website name] + scam” or check Trustpilot and Better Business Bureau. Verify social media presence with verified badges and genuine engagement.​

Step 7: Use Security Tools

Run the URL through Google Safe Browsing, VirusTotal, ScamAdviser, or APIVoid for threat detection.​

Step 8: Evaluate Pricing

Compare prices across legitimate retailers. Deals offering 70-90% off luxury items or everything are red flags.​

Step 9: Check Payment & Return Policies

Verify secure payment methods and HTTPS checkout. Legitimate sites accept credit cards and have clear return policies. Avoid sites requiring only wire transfers or cryptocurrency.​

Step 10: Trust Your Instincts

If multiple red flags appear or something feels wrong, leave the website immediately.​

If You Find a Scam: Document evidence and report to FTC (reportfraud.ftc.gov), IC3 (ic3.gov), or Google Safe Browsing.

Protection Strategies

To safeguard against these threats, security researchers recommend implementing multiple layers of defense. Enable two-factor authentication on all shopping accounts and use strong, unique passwords.

Verify deals directly through official retailer websites rather than clicking email or social media links. Use credit cards instead of debit cards for additional fraud protection, and consider virtual card numbers for online purchases. Install reputable security software and keep all devices updated with the latest patches.​

Before making purchases, verify website legitimacy by checking for HTTPS protocols, reading customer reviews from independent sources, and researching sellers through the Better Business Bureau.

For charitable giving, research organizations through trusted watchdog sites and donate directly through official websites rather than responding to unsolicited requests.​

Black Friday 2025 presents unprecedented cybersecurity challenges as scammers leverage AI, deepfakes, and sophisticated social engineering tactics.

The convergence of high transaction volumes, consumer urgency, and advanced fraud techniques creates optimal conditions for exploitation.

By recognizing these ten prevalent scams and their associated red flags, shoppers can make informed decisions and protect their financial and personal data.

Vigilance, verification, and skepticism toward deals that seem too good to be true remain the most effective defenses against Black Friday fraud. As cybercriminals continue evolving their tactics, staying informed about emerging threats and maintaining rigorous security practices becomes essential for safe holiday shopping.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post 10 Popular Black Friday Scams – How to Detect the Red Flags and Protect your wallet and Data appeared first on Cyber Security News.

The malware duo works in tandem to steal sensitive data from infected Windows computers. The attack begins when LeakyInjector, the first stage, quietly injects a second malware, LeakyStealer, into the explorer.exe process.

This injection technique uses low-level Windows programming interfaces to avoid detection by security software. Once installed, LeakyStealer takes over and begins searching for cryptocurrency wallets and browser history files.

What Data Gets Stolen

According to Hybrid-analysis, the LeakyStealer hunts for multiple popular cryptocurrency wallets, including Electrum, Exodus, Atomic, and Ledger Live.

It also targets browser-based crypto wallets like MetaMask, Phantom, Coinbase Wallet, and Trust Wallet.

Beyond crypto theft, the malware extracts browser history from Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi browsers.

The malware communicates with a command-and-control server to send stolen data back to the attackers.

It uses sophisticated techniques, such as a “polymorphic engine” that modifies its own memory at runtime to evade security detection tools.

Both malware stages are digitally signed with valid certificates, making them appear legitimate to Windows security systems.

The malware establishes persistence by copying itself as “MicrosoftEdgeUpdateCore.exe” and adding itself to Windows startup routines, ensuring it survives system restarts.

LeakySteaker regularly beacons to the attacker’s command server, sending back machine information such as hostname, username, and Windows version.

Attackers can then send remote commands to download and execute additional malware or run Windows system commands on your computer , as reported by Hybrid-analysis.

Users should immediately update security software and enable real-time monitoring. Avoid downloading software from untrusted websites, and be cautious of suspicious email attachments or links.

Consider using hardware cryptocurrency wallets rather than browser-based extensions for greater security.

Keep your operating system and browsers fully updated with the latest security patches to reduce vulnerability to such threats.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post LeakyInjector and LeakyStealer Malwares Attacks Users to Steal Crypto’s and Browser History appeared first on Cyber Security News.

This flaw, which could trigger a system-wide crash via a Blue Screen of Death (BSOD), highlights the challenges of integrating memory-safe languages into critical OS components.

Although Microsoft classified it as moderate severity, the issue underscores potential risks in enterprise environments where attackers might weaponize it for widespread disruption.

The vulnerability emerged during a targeted fuzzing campaign by Check Point, aimed at probing Windows’ graphics subsystem for weaknesses. Fuzzing, a technique that bombards software with malformed inputs to expose bugs, proved instrumental here.

Using tools like WinAFL and WinAFL Pet on a controlled test setup, researchers focused on the Enhanced Metafile Format (EMF) and EMF+ files’ compact structures that instruct GDI on rendering 2D graphics.

These files, often embedded in documents or images, have long been a vector for exploits due to their complexity.

Starting with just 16 seed files, the fuzzers quickly unearthed crashes ranging from information leaks to code execution risks in user-space components.

But the real breakthrough came unexpectedly: repeated system restarts after BugChecks pointed to a kernel-level issue. Dubbed a “Denial of Fuzzing” condition, it halted testing and forced a pivot to kernel forensics.

Windows Rust-based Kernel GDI Vulnerability

To isolate the culprit, Check Point enhanced its setup with memory dump analysis using MemProcFS and Volatility, extracting mutated files from RAM disks.

They refined the corpus iteratively, shrinking reproduction time from days to 30 minutes across 836 samples.

A clever harness modification streamed mutations to a remote server via a custom C function and Python listener, capturing the precise 380,000th mutation that triggered the crash.

Deep analysis revealed the bug in win32kbase_rs.sys, Microsoft’s Rust-rewritten driver for GDI regions.

During path-to-region conversion in NtGdiSelectClipPath, an out-of-bounds array access in region_from_path_mut() invoked Rust’s panic_bounds_check(), causing a SYSTEM_SERVICE_EXCEPTION.

The trigger? A malformed EmfPlusDrawBeziers record with mismatched point counts (17 points declared as 4) and anomalous coordinates, combined with a wide-stroke pen from an EmfPlusObject.

This malformed geometry stressed edge block handling, bypassing bounds in the singly linked list representation.

A simple PowerShell proof-of-concept demonstrated the exploit’s accessibility: embedding the crafted metafile in a Graphics object via System.Drawing led to an instant BSOD, even from low-privilege sessions on x86/x64 Windows 11 24H2.

While not enabling remote code execution directly, it posed a potent denial-of-service threat imagine an insider scripting crashes across an enterprise on a Friday evening.

Microsoft patched the flaw in OS Build 26100.4202 via the KB5058499 preview on May 28, 2025, expanding the driver by 16KB with hardened logic.

Key changes included dual edge-handling routines add_edge_original() and a bounds-checked add_edge_new(), gated by a feature flag. Full rollout followed in June, though initial testing showed the flag disabled.

Check Point reported the issue promptly, but Microsoft’s MSRC deemed it a non-critical DoS, arguing Rust’s panic mechanism behaved as designed.

This marks one of the first public Rust kernel bugs post-integration, as touted at BlueHat IL 2023 for enhancing security. While Rust mitigates overflows, it doesn’t eliminate design flaws or incomplete testing.

As Windows leans into memory safety, such incidents remind developers: language alone isn’t a panacea. Thorough fuzzing and validation remain vital to prevent “alarm systems that blow up the house.”

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Windows Rust Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error appeared first on Cyber Security News.

The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors.

Threat actors abuse its core capabilities, messaging (chat), calls, and meetings, and video-based screen-sharing at different points along the attack chain.

This raises the stakes for defenders to proactively monitor, detect, and respond. While Microsoft’s Secure Future Initiative (SFI) has strengthened default security, the company emphasizes that defenders must utilize available security controls to harden their enterprise Teams environments.

Hackers Abuse Teams Features

Attackers are leveraging the entire attack lifecycle within the Teams ecosystem, from initial reconnaissance to final impact, Microsoft said.

This involves a multi-stage process where the platform’s trusted status is exploited to infiltrate networks, steal data, and deploy malware.

The attack chain often begins with reconnaissance, where threat actors use open-source tools like TeamsEnum and TeamFiltration to enumerate users, groups, and tenants.

They map organizational structures and identify security weaknesses, such as permissive external communication settings.

This is followed by resource development, where attackers may compromise legitimate tenants or create new ones, complete with custom branding, to impersonate trusted entities like IT support.

Once they have established a credible persona, attackers move to initial access. This stage frequently involves social engineering tactics such as tech support scams.

For example, the threat actor Storm-1811 has impersonated tech support to address fabricated email issues, using the pretext to deploy ransomware.

Similarly, affiliates of the 3AM ransomware have flooded employees with junk email and then used Teams calls to convince them to grant remote access.

Malicious links and payloads are also delivered directly through Teams chats, with tools like AADInternals and TeamsPhisher being used to distribute malware like DarkGate.

Escalation and Lateral Movement

After gaining a foothold, threat actors focus on maintaining persistence and escalating privileges. They may add their own guest accounts, abuse device code authentication flows to steal access tokens, or use phishing lures to deliver malware that ensures long-term access.

The financially motivated group Octo Tempest has been observed using aggressive social engineering over Teams to compromise Multi-Factor Authentication (MFA) for privileged accounts.

With elevated access, attackers begin discovery and lateral movement. They use tools like AzureHound to map the compromised organization’s Microsoft Entra ID configuration and search for valuable data.

The state-sponsored actor Peach Sandstorm has used Teams to deliver malicious ZIP files and then explored on-premises Active Directory databases.

If an attacker gains admin access, they can alter external communication settings to establish trust relationships with other organizations, enabling lateral movement between tenants.

The final stages of the attack involve collection, command and control (C2), exfiltration, and impact. Attackers use tools like GraphRunner to search and export sensitive conversations and files from Teams, OneDrive, and SharePoint.

Some malware, like a cracked version of Brute Ratel C4 (BRc4), is designed to establish C2 channels using Teams’ own communication protocols to send and receive commands.

Data exfiltration can occur through Teams messages or shared links pointing to attacker-controlled cloud storage. The ultimate goal is often financial theft through extortion or ransomware.

Octo Tempest, for instance, has used Teams to send threatening messages to pressure organizations into making payments after successfully gaining control of their systems.

This demonstrates how the platform can be abused not just as an entry vector, but as a tool for direct financial coercion.

In response, experts recommend a defense-in-depth strategy, focusing on hardening identity and access controls, monitoring for anomalous activity within Teams, and providing continuous security awareness training to users.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today

The post Microsoft Warns of Hackers Abuse Teams Features and Capabilities to Deliver Malware appeared first on Cyber Security News.

Unlike traditional malware that relies on executable files stored on disk, fileless attacks operate exclusively in memory, leveraging legitimate system tools to achieve their malicious objectives while remaining virtually undetectable to conventional security solutions.

According to the Ponemon Institute, fileless attacks are approximately ten times more likely to succeed than traditional file-based attacks.

This staggering success rate reflects a fundamental shift in how cybercriminals approach system compromise, moving away from easily detectable file-based methods toward memory-resident techniques that exploit the very tools administrators use daily.

Recent statistics reveal that fileless malware was involved in 52% of all system intrusion incidents globally in 2023, with over 60% of ransomware attacks incorporating some form of fileless component.

Understanding Traditional Malware Architecture

Traditional malware follows well-established attack patterns that have been refined over decades of cybercriminal evolution.

These threats typically involve executable files that must be written to and stored on the target system’s hard drive before they can be executed.

The attack lifecycle begins with initial delivery through vectors such as email attachments, malicious downloads, or infected removable media.

Once the malicious file reaches the target system, it requires execution permissions and often establishes persistence by modifying the registry, creating startup folder entries, or installing services.

The detection paradigm for traditional malware is relatively straightforward, relying heavily on signature-based identification methods.

Security solutions maintain extensive databases of known malware signatures, which are unique patterns or fingerprints that identify specific threats.

When files are scanned, their characteristics are compared against these signatures, triggering alerts when matches are found.

This approach has proven effective for identifying known threats and their variants, but struggles significantly with new or modified malware.

Traditional malware persistence mechanisms are well-documented and relatively easy to detect. Common techniques include registry Run keys that ensure automatic startup execution, Windows services that provide continuous operation, scheduled tasks that enable periodic execution, and boot sector infections that maintain deep system control.

These methods create detectable artifacts that security tools specifically monitor, making long-term persistence increasingly challenging for attackers.

The Fileless Malware Evolution

Fileless malware represents a fundamental departure from traditional attack methodologies, operating on principles that challenge every assumption underlying conventional cybersecurity defenses.

These attacks maintain several defining characteristics that distinguish them from file-based threats: they execute entirely within system memory without creating persistent files, utilize legitimate system utilities rather than custom executables, establish presence through registry modifications or process injection, and maintain communications through encrypted legitimate protocols.

The technical foundation of fileless attacks requires sophisticated capabilities that exploit the very architecture of modern operating systems.

Memory-resident execution allows dynamic code loading without touching the disk, while inter-process communication enables persistent presence across system boundaries.

System API manipulation provides access to legitimate functionality, and kernel-level operations can grant deep system control when properly executed.

Unlike traditional malware that announces its presence through file system artifacts, fileless attacks leverage what security researchers term “Living off the Land” (LotL) techniques.

These approaches exploit built-in system tools such as PowerShell, Windows Management Instrumentation (WMI), CertUtil, RegSvr32, and MSBuild to execute malicious operations while appearing as legitimate administrative activity.

The 2023 Global Threat Report from CrowdStrike revealed that 62% of detections were malware-free, instead leveraging legitimate credentials and built-in tools characteristic of living off the land attacks.

Memory-Based Execution Techniques

The cornerstone of fileless malware lies in its sophisticated memory manipulation techniques. Process injection represents one of the most critical methods, allowing malicious code to execute within the context of legitimate processes.

This technique encompasses several variations, including DLL injection, process hollowing, and reflective loading, each designed to evade different types of detection mechanisms.

DLL injection forces legitimate processes to load malicious dynamic link libraries directly into memory. The attack begins by identifying target processes using APIs such as CreateToolhelp32Snapshot, Process32First, and Process32Next.

Once a suitable target is identified, the malware uses VirtualAllocEx to allocate memory space within the target process, WriteProcessMemory to insert the malicious DLL path, and CreateRemoteThread to execute LoadLibrary, forcing the target to load the malicious library.

Process hollowing, also known as RunPE, represents an even more sophisticated approach. This technique creates a new process in suspended mode using CreateProcess with the CREATE_SUSPENDED flag.

The malware then unmaps the legitimate executable’s memory using ZwUnmapViewOfSection or NtUnmapViewOfSection, allocates new memory space with VirtualAllocEx, writes its malicious code using WriteProcessMemory, redirects the entry point with SetThreadContext, and finally resumes execution with ResumeThread.

Reflective DLL loading provides another layer of stealth by loading libraries directly into memory without relying on the Windows LoadLibrary function.

This technique requires custom loaders that manually perform the tasks typically handled by the operating system, including memory mapping, address resolution, and dependency loading.

The resulting execution occurs entirely in memory, leaving minimal forensic evidence.

Persistence Mechanisms In Fileless Attacks

Fileless malware employs sophisticated persistence mechanisms that differ fundamentally from traditional approaches.

Rather than relying on easily detectable file system modifications, these attacks leverage registry manipulation, WMI event subscriptions, and memory-resident techniques to maintain presence across system restarts.

Registry-based persistence represents one of the most common fileless techniques. Attackers modify autostart registry locations to enable persistent execution without creating files.

COM object hijacking redirects legitimate application execution to malicious code, while Image File Execution Options provide debugger-based persistence mechanisms.

Service configurations enable privileged execution, and registry value modifications create covert data storage capabilities.

WMI abuse provides particularly powerful persistence capabilities through permanent event subscriptions that survive system restarts automatically.

Conditional filters enable context-aware activation based on specific system events, while event consumer registration creates execution pathways that appear legitimate to most monitoring tools.

Complex event queries enable sophisticated trigger conditions, and encoded payloads obscure malicious intent from casual inspection.

The attackers stored heavily obfuscated PowerShell code across multiple registry keys within the HKCU\System directory, with each function stored as a separate registry key formatted as null-terminated strings.

Once the initial function established backdoor communications with the command and control server, it would call and execute additional keys, creating a sophisticated execution chain entirely within the registry.

Detection And Analysis Challenges

The detection paradigms for fileless attacks diverge significantly from traditional malware identification methods.

Conventional signature-based antivirus solutions prove largely ineffective against memory-resident threats, as there are no files to scan or known signatures to match.

File system monitoring overlooks entirely memory-resident operations, while static analysis capabilities prove ineffective against dynamic execution patterns.

Fileless attacks present considerably more complex detection challenges that require advanced behavioral analysis and memory forensics capabilities.

Security tools must distinguish malicious use of legitimate tools from normal administrative activities, a task that generates high false-positive rates without proper tuning.

Process injection detection demands real-time memory analysis, while persistence mechanisms often blend seamlessly with normal system operations.

The limitations of traditional Endpoint Detection and Response (EDR) solutions become apparent when facing sophisticated fileless threats.

While EDR excels at monitoring endpoint activities and automated responses, it focuses exclusively on endpoints and may not be fast enough for today’s rapid attacks.

Detection-first approaches can allow malicious actors to access resources before threats are identified, limiting effectiveness against sophisticated attacks such as LockBit ransomware, which can encrypt 100,000 files in under six minutes.

Memory forensics requires specialized expertise and resources that many organizations lack. Volatile evidence disappears upon system restart, complicating investigation efforts.

Process injection makes artifact attribution exponentially complex, while legitimate tool usage obscures malicious intent.

Timeline reconstruction becomes difficult when attacks operate primarily in memory, and evidence preservation requires specialized procedures that go beyond traditional digital forensics.

Attack Lifecycle Comparison

The execution patterns of traditional and fileless threats follow distinctly different trajectories that reflect their underlying architectural differences.

Traditional malware attacks follow predictable phases, including initial delivery through email or downloads, file execution and installation, establishment of persistence through registry or startup folders, credential harvesting and lateral movement, and final data exfiltration or destructive actions.

Fileless campaigns execute through different stages that emphasize stealth and legitimate tool abuse. The attack lifecycle begins with memory-based payload delivery, often through malicious documents containing macros or scripts.

Legitimate tool exploitation follows, with attackers using PowerShell, WMI, or other built-in utilities to execute malicious commands.

In-memory persistence establishment occurs through techniques such as process injection or registry manipulation.

Living off the land enables lateral movement using trusted administrative tools, while covert data exfiltration occurs through legitimate channels that avoid detection.

The speed differential between these attack types is significant. According to CrowdStrike research, the intrusion breakout time—the period between initial compromise and lateral movement decreased from 84 minutes in 2022 to 62 minutes in 2023.

This acceleration reflects the increasing sophistication of attackers in deploying fileless techniques that bypass traditional detection mechanisms.

Real-world examples demonstrate these differences in practice. The 2021 attack on the Irish Health Service Executive exemplifies a fileless attack methodology.

The Conti ransomware group used a phishing email with a malicious Excel macro to penetrate an endpoint, then deployed a compromised version of Cobalt Strike to move laterally through the network for eight weeks before deploying ransomware.

This resulted in the exfiltration of 700GB of unencrypted data and the shutdown of an entire health service IT network serving over five million people.

Advanced Evasion Capabilities

Fileless malware achieves superior stealth through fundamentally different approaches to evasion.

While traditional malware employs established techniques such as packing and obfuscation to alter file signatures, polymorphic engines that generate unique instances, and anti-analysis measures to frustrate reverse engineering, fileless attacks achieve evasion through their very nature.

Living off the land techniques eliminate unusual process creation patterns that typically trigger security alerts. Memory-only execution avoids file system artifacts that forensic tools rely upon for evidence collection.

Legitimate tool abuse bypasses application whitelisting controls that many organizations implement. Minimal artifacts complicate forensic analysis efforts, while dynamic behavioral adaptation enables evasion of pattern recognition systems.

The environmental awareness capabilities of modern fileless malware represent another significant advancement. These threats can detect sandbox environments and alter their behavior accordingly, preventing security researchers from analyzing their true capabilities.

They can also assess system configurations and adapt their persistence mechanisms to match the specific environment, making detection even more challenging.

The resource profiles and operational impacts of fileless attacks differ significantly from traditional malware incidents.

Traditional malware typically requires moderate system resources, including disk space for executable storage, processing power for encryption and obfuscation operations, memory allocation for running processes, and network bandwidth for command and control communication.

These attacks often produce measurable performance impacts that monitoring tools can detect. Fileless attacks, conversely, demonstrate different resource consumption patterns.

They require minimal disk space since they operate primarily in memory, but demand more sophisticated system access and higher memory utilization.

Network traffic patterns may be more difficult to distinguish from legitimate administrative activity, while system performance impacts can be subtle and intermittent.

The forensic implications extend beyond the collection of simple evidence. Traditional malware leaves a clear trail, including file artifacts, registry modifications, network indicators, and system log entries that investigators can analyze.

Fileless attacks present several challenges, including the volatility of memory evidence, legitimate tool usage that can obscure malicious activity, minimal persistent artifacts, and difficulties in timeline reconstruction that complicate incident response efforts.

Future Implications and Mitigations

The evolution toward fileless attack methodologies represents more than a technical advancement – it signifies a fundamental shift in the cybersecurity threat landscape.

As attackers continue to refine these techniques, organizations must adapt their defensive strategies accordingly. The 1,400% year-over-year increase in fileless attacks reported in the 2023 research demonstrates the urgency of this challenge.

Organizations must move beyond detection-based security approaches toward preventive technologies that can stop threats without needing to identify them first.

Automated Moving Target Defense (AMTD) represents one such approach, randomly morphing the runtime memory environment to create unpredictable attack surfaces while leaving decoy traps where targets were previously located.

This deterministic, preventive approach proves effective against fileless attacks and other advanced threats. Network segmentation and strict access controls create barriers to the permissionless data flows within networks that fileless threats exploit.

Zero-trust strategies become particularly important when dealing with attacks that leverage legitimate administrative tools.

Advanced behavioral analytics capable of distinguishing malicious use of legitimate tools from normal administrative activity represent essential defensive capabilities.

The increasing sophistication of fileless malware techniques demands a corresponding evolution in cybersecurity defenses. Organizations must invest in advanced memory analysis capabilities, behavioral detection systems, and comprehensive incident response procedures specifically designed to address memory-resident threats.

As the threat landscape continues to evolve, the ability to detect, analyze, and respond to fileless attacks will become increasingly critical for maintaining an organizational security posture.

The fundamental differences between traditional and fileless malware attacks extend far beyond simple technical variations. They represent competing philosophies in cyberattack methodology, each with distinct advantages, challenges, and implications for organizational security.

Understanding these differences enables security professionals to develop more effective defensive strategies and prepare for the continuing evolution of cyber threats in an increasingly digital world.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post How Fileless Malware Differs From Traditional Malware Attacks appeared first on Cyber Security News.

The attack was neutralized by Microsoft Defender’s Attack Surface Reduction (ASR) rules, which blocked the malware from establishing contact with its command-and-control server.

The multi-stage attack highlights an increasing trend of threat actors using legitimate services to appear trustworthy and evade traditional security measures.

By using short-lived, valid code-signing certificates, the attackers were able to bypass initial signature-based detection and trick systems into trusting the malicious software.

Oyster Malware Via Microsoft Teams Installer

Conscia’s forensic investigation revealed a rapid and automated attack sequence that began with a simple web search.

On September 25, 2025, an employee’s search on Bing for Microsoft Teams led to a malicious redirect. Within just 11 seconds of the initial search, the user was funneled from bing.com through a redirect domain (team.frywow.com) to a malicious site, teams-install.icu.

This rapid redirection points to an automated process, likely driven by a malvertising campaign or a poisoned search engine result that placed the malicious link high in the search rankings.

The domain teams-install.icu was designed to spoof a legitimate Microsoft download page and was hosted on Cloudflare to further mask its malicious intent. Once the user landed on the page, a file named MSTeamsSetup.exe was downloaded.

Roughly an hour later, the file was executed. Although it appeared to be a legitimate installer, it was in fact the Oyster malware. The attack was only stopped when Microsoft Defender’s ASR rules detected and blocked the malware’s attempt to connect to its C2 server at nickbush24.com.

The core of this campaign’s sophistication lies in its abuse of code-signing certificates. The malicious executable was signed by a seemingly legitimate entity named “KUTTANADAN CREATIONS INC.” using a certificate that was valid for only two days, from September 24 to 26, 2025.

This emerging tactic allows threat actors to:

• Bypass Security: Signed files are often trusted by default, evading antivirus and other signature-based checks.
• Minimize Detection: The short lifespan of the certificate reduces the window for security vendors to identify and revoke it.
• Automate Attacks: Attackers can automate the process of obtaining and signing malware with fresh certificates for different campaigns.

Conscia research uncovered other similar short-lived certificates used by signers like “Shanxi Yanghua HOME Furnishings Ltd,” suggesting a larger, well-orchestrated operation.

This incident was neutralized before any data could be exfiltrated or further payloads like ransomware could be deployed. The successful prevention demonstrates that traditional security measures are no longer sufficient. Trust in digital certificates cannot be absolute, and organizations must deploy advanced endpoint protection.

Had the ASR rules not been in place, the Oyster backdoor (also known as Broomstick or CleanUpLoader) would have established persistent access to the compromised system. This would have enabled the attackers to conduct data theft, deploy additional malware, and move laterally across the network.

Key lessons from this attack are clear: attackers are evolving their use of legitimate system tools (“living-off-the-land“), certificate trust is being actively weaponized, and the speed of automated attacks requires robust, behavior-based security controls like ASR to prevent a compromise that can occur in seconds.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware appeared first on Cyber Security News.

The package, downloaded approximately 1,500 times per week, contained a backdoor that copied every email processed by the tool to a server controlled by the attacker. This incident highlights a significant and emerging threat in the AI-powered software supply chain.

According to security firm Koi analysis postmark-mcp package was designed as an MCP server to integrate with the Postmark email service, allowing AI assistants to automate email-sending tasks.

For its first 15 versions, the tool functioned as expected, building a foundation of trust within the developer community and becoming integrated into hundreds of workflows.

However, starting with version 1.0.16, a single line of malicious code was added. This code silently added a Bcc field to every outgoing email, sending a copy to phan@giftshop.club.

The compromised data included everything from password resets and invoices to confidential internal communications.

The developer behind the package appeared to be a legitimate software engineer from Paris with an established GitHub profile, a tactic that likely helped the malicious package evade suspicion.

The attack was a classic case of impersonation; the developer copied the code from a legitimate GitHub repository officially maintained by Postmark (ActiveCampaign), injected the backdoor, and published it to the npm registry under the same name.

Koi reported that its risk engine flagged the package after detecting suspicious behavior changes in version 1.0.16. The simplicity of the attack is what makes it particularly alarming.

The developer did not exploit a zero-day vulnerability or use a complex hacking technique; they abused the trust inherent in the open-source ecosystem.

First Malicious MCP Server Found

This incident exposes a critical vulnerability in the architecture of AI agent tools. MCP servers are granted high-level permissions to operate autonomously, often with full access to emails, databases, and APIs.

Unlike traditional software, these tools are used by AI assistants that execute tasks without human review. The AI has no way of detecting that an email is being secretly copied, as it only verifies that the primary task of sending the email was completed successfully.

This creates a major security blind spot for organizations. MCP servers often operate outside of established security perimeters, bypassing Data Loss Prevention (DLP) systems, vendor risk assessments, and email gateways.

The estimated impact is significant, with calculations suggesting that between 3,000 and 15,000 emails could have been exfiltrated daily from around 300 organizations.

After being contacted, the developer deleted the package from npm. However, this action does not remove the compromised package from systems where it is already installed. Any user with version 1.0.16 or later of postmark-mcp remains vulnerable.

Indicators of Compromise (IOCs) and Mitigation

• Package: postmark-mcp (npm)
• Malicious Version: 1.0.16 and later
• Backdoor Email: phan@giftshop[.]club
• Domain: giftshop[.]club

Users of postmark-mcp are urged to immediately uninstall the package and rotate any credentials or sensitive information that may have been transmitted via email.

This attack serves as a stark warning about the risks associated with the rapidly growing MCP ecosystem, emphasizing the need for robust verification and continuous monitoring of all third-party tools used by AI agents.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents appeared first on Cyber Security News.

The threat actors behind this operation are leveraging Search Engine Optimization (SEO) techniques to position malicious repositories at the top of search results across major platforms, including Google and Bing, targeting users searching for legitimate software from technology companies, financial institutions, and password management services.

The campaign demonstrates a multi-layered approach where cybercriminals create fraudulent GitHub repositories that masquerade as official software distributors. 

When victims search for specific applications, the poisoned search results redirect them to malicious GitHub Pages hosting what appears to be legitimate software installers. 

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team identified this threat after discovering two fraudulent repositories specifically targeting their customers, both created by the user “modhopmduck476” on September 16, 2025.

Atomic Stealer Campaign Targets macOS Users

The attack chain begins with victims encountering malicious GitHub Pages through SEO-poisoned search results.

These repositories contain deceptive “Install [Company] on MacBook” links that redirect users to secondary staging sites. 

In the LastPass case, victims were redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass, which subsequently forwarded them to macprograms-pro[.]com/mac-git-2-download.html.

The secondary site instructs users to execute a terminal command that performs a CURL request to a base64-encoded URL. 

This encoded URL resolves to bonoud[.]com/get3/install.sh, which downloads the malicious payload disguised as a system “Update” to the temporary directory. 

The downloaded file is actually the Atomic stealer malware, also known as AMOS malware, which has been active in cybercriminal circles since April 2023.

Atomic Stealer represents a sophisticated information-stealing threat specifically designed for macOS environments. 

The malware is capable of harvesting sensitive data, including passwords, browser cookies, cryptocurrency wallet information, and system credentials. 

Once installed, it establishes persistence on the infected system and communicates with command-and-control (C2) servers to exfiltrate stolen data.

The threat actors have demonstrated operational resilience by creating multiple GitHub usernames to circumvent takedown efforts. 

This distributed approach allows them to maintain their malicious infrastructure even when individual repositories are reported and removed. 

The campaign’s scope extends beyond LastPass, with security researchers identifying similar attacks targeting various technology companies and financial institutions through identical tactics and techniques (TTPs).

LastPass has successfully coordinated the takedown of the identified malicious repositories and continues monitoring for additional threats. 

The company advises macOS users to exercise caution when downloading software through search results and to always verify the authenticity of repositories before executing terminal commands or installing applications from unofficial sources.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Massive Cyber-Attack Attacking macOS Users via GitHub Pages to Deliver Stealer Malware appeared first on Cyber Security News.

Originally emerging in March 2024 as a Malware-as-a-Service (MaaS) offering on Russian-speaking cybercrime forums, ACR Stealer has rapidly evolved from its predecessor, GrMsk Stealer, into a formidable threat that employs cutting-edge obfuscation methods to bypass modern security solutions.

This malware has gained particular notoriety for its innovative use of legitimate platforms as command-and-control infrastructure, making detection and mitigation exceptionally challenging for security teams.

The malware’s sophistication extends beyond traditional information stealing, incorporating advanced techniques such as Dead Drop Resolver (DDR) methods, direct syscall implementation, and WoW64 transition abuse to evade endpoint detection and response (EDR) systems.

Recent campaigns have demonstrated ACR Stealer’s ability to compromise over 200 applications across multiple categories, from cryptocurrency wallets to password managers, while maintaining persistent communication with threat actor infrastructure through ingeniously disguised channels.

ACR Stealer Attack Chain

ACR Stealer campaigns typically initiate through sophisticated phishing operations that leverage social engineering to deceive victims into executing malicious payloads.

The most extensively documented attack vector involves a fraudulent website masquerading as an official Google Safety Centre, hosted at “googleaauthenticator[.]com”.

This phishing site meticulously replicates Google’s branding and interface design to establish credibility with potential victims.

When victims interact with the “Download Authenticator” button on the malicious site, they unknowingly trigger the download of “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe”.

This initial payload serves as a sophisticated loader that employs several deception techniques to mask its malicious nature. The executable features a valid digital signature, which helps bypass initial security screening by creating the appearance of legitimacy.

The loader’s architecture demonstrates advanced obfuscation through its use of encrypted payloads stored within the RCData section of the executable.

Upon execution, the malware leverages the LoadResource() API to extract and decrypt these embedded payloads, subsequently saving them to the system’s %temp% directory.

The decryption process reveals two distinct malware components: ACR Stealer and Latrodectus, each designed for specific malicious functions.

Process Injection And Persistence Mechanisms

ACR Stealer employs sophisticated process injection techniques that utilize direct syscalls to evade user-mode API monitoring.

The malware specifically uses the NtCreateUserProcess syscall to spawn child processes, bypassing traditional CreateProcess API calls that are commonly monitored by security solutions.

This technique represents a significant advancement in evasion capabilities, as many EDR systems rely on user-mode API hooks for detection.

The malware establishes persistence through multiple mechanisms, including scheduled task creation and strategic file placement. When executed from the temporary directory, the malware performs an environment check to determine its execution context.

If not running from the %appdata% directory, it copies itself to this location and re-executes from the new path before terminating the original process.

This behavior ensures the malware maintains a foothold on the system while removing evidence of its initial execution location.

Recent variants have incorporated advanced persistence techniques that leverage COM objects to create scheduled tasks configured for frequent execution.

Unlike earlier versions that only triggered at logon, newer iterations schedule execution every 10 minutes, demonstrating an evolution toward more aggressive persistence strategies.

Technical Capabilities And Evasion Techniques

Dead Drop Resolver Implementation

One of ACR Stealer’s most notable innovations is its implementation of Dead Drop Resolver (DDR) techniques to obfuscate command-and-control infrastructure.

This method represents a significant advancement over traditional C2 communication by embedding server details within legitimate platforms that security tools are unlikely to flag as suspicious.

The malware leverages multiple platforms for DDR implementation, including Steam Community profiles, Google Docs, and Telegram channels.

In documented campaigns, ACR Stealer accesses specific Steam Community profiles, such as “hxxps://steamcommunity[.]com/profiles/76561199679420718,” to retrieve encoded C2 server information.

This approach provides operational security benefits by allowing threat actors to dynamically change C2 infrastructure without updating malware samples.

The DDR process involves multiple stages of encoding and decoding. The malware first contacts the legitimate platform to extract encoded data, typically using Base64 encoding with additional XOR encryption layers.

After retrieving the encoded information, ACR Stealer constructs the actual C2 URL and proceeds to download encrypted configuration files that contain targeting parameters and operational instructions.

Advanced Communication Protocols

ACR Stealer has evolved to incorporate sophisticated communication mechanisms that bypass traditional network monitoring solutions.

Recent variants implement NTSockets functionality, which interfaces directly with the Windows AFD (Auxiliary Function Driver) device rather than using standard Winsock libraries.

This technique enables the malware to establish network communications while evading EDR systems that rely on user-mode API hooking for network traffic monitoring.

The NTSockets implementation involves direct communication with the “\Device\Afd\Endpoint” device using low-level NT functions such as NtCreateFile and NtDeviceIoControlFile.

This approach effectively bypasses almost all commonly used Windows networking APIs that security solutions monitor for HTTP requests.

The malware constructs HTTP requests manually at the protocol level, assembling headers and payloads without relying on higher-level libraries.

WoW64 And Heaven’s Gate Exploitation

Advanced ACR Stealer variants employ Heaven’s Gate techniques to execute 64-bit code within 32-bit processes, further complicating detection and analysis.

This technique exploits the WoW64 subsystem to transition between 32-bit and 64-bit execution modes, allowing the malware to access extended functionality while maintaining compatibility with older systems.

The Heaven’s Gate implementation involves direct manipulation of the processor’s execution mode through carefully crafted assembly code that transitions from 32-bit to 64-bit mode.

This technique is particularly effective against analysis tools and sandboxes that may not properly handle mode transitions.

The malware uses this capability to execute critical functions such as C2 communication while disrupting automated analysis systems.

Data Stealing Operations

ACR Stealer demonstrates unprecedented scope in its data harvesting capabilities, targeting over 200 applications across eight major categories.

The malware’s targeting strategy reflects a comprehensive understanding of modern digital asset management and communication patterns.

Web Browser Exploitation: The malware targets an extensive array of web browsers, including mainstream options like Chrome, Firefox, and Edge, as well as privacy-focused alternatives such as Brave and specialized browsers like Opera GX.

ACR Stealer extracts stored credentials, cookies, autofill data, browsing history, and session tokens from these applications.

Recent variants have developed capabilities to bypass Chrome’s App Bound Encryption by injecting shellcode directly into browser processes.

Cryptocurrency Wallet Targeting: ACR Stealer exhibits a sophisticated understanding of the cryptocurrency ecosystem, targeting over 50 different wallet applications.

The malware specifically seeks wallet.dat files, private keys, seed phrases, and configuration files from applications including Electrum, Exodus, Bitcoin Core, Ethereum wallets, and hardware wallet management software.

This comprehensive approach to cryptocurrency theft reflects the high-value nature of digital assets in cybercriminal operations.

Enterprise Communication Tools: The malware targets email clients such as Thunderbird, Outlook, Mailbird, and specialized applications like The Bat!.

Additionally, it harvests data from FTP clients, including FileZilla, WinSCP, and various commercial FTP applications.

This targeting strategy suggests a focus on compromising business communications and file transfer credentials that could enable lateral movement or business email compromise attacks.

Data Exfiltration And Processing

ACR Stealer implements sophisticated data processing mechanisms that organize harvested information into structured formats suitable for threat actor consumption.

The malware categorizes stolen data by application type and implements compression algorithms to optimize transmission efficiency.

The exfiltration process involves multiple encryption layers, including XOR encoding with hardcoded keys and Base64 encoding for protocol compatibility.

Stolen data is transmitted to C2 servers using HTTP POST requests with carefully crafted headers designed to blend with legitimate web traffic.

The malware implements error-handling mechanisms to ensure data integrity during transmission and includes retry logic for failed uploads.

Command And Control Infrastructure

Dynamic C2 Resolution

ACR Stealer’s C2 infrastructure demonstrates remarkable resilience through its implementation of dynamic resolution mechanisms.

Rather than relying on hardcoded IP addresses or domains, the malware retrieves C2 information from legitimate platforms that are unlikely to be blocked by network security solutions.

The configuration retrieval process involves accessing URLs such as “hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d” to download encrypted configuration files.

These configurations contain not only C2 server details but also targeting parameters, update mechanisms, and additional payload delivery instructions.

Multi-Stage Payload Delivery

Recent ACR Stealer variants have incorporated multi-stage payload delivery capabilities that enable threat actors to deploy additional malware based on victim value or operational requirements.

The malware’s configuration includes a “loader” key that specifies secondary payloads for execution. These payloads can be delivered as executable files, PowerShell scripts, or DLL libraries, depending on the threat actor’s objectives.

The secondary payload execution system supports various file type,s including .exe, .cmd, .dll, and .ps1 files.

For PowerShell-based payloads, the malware implements DownloadString and Invoke-Expression (IEX) execution methods.

This flexibility enables threat actors to adapt their operations based on the victim environment and value assessment.

Indicators Of Compromise

ACR Stealer has evolved into a more sophisticated variant known as Amatera Stealer, which incorporates significant improvements in evasion capabilities and operational security.

This rebranded version maintains core ACR Stealer functionality while introducing enhanced anti-analysis features and improved sophistication.

Amatera Stealer represents active development efforts to counter security improvements and maintain operational effectiveness.

The evolution includes abandoning Steam and Telegram dead drops in favor of direct C2 connections with hardcoded IP addresses. This change suggests adaptation to detection methods while maintaining operational capabilities.

The ACR Stealer family demonstrates continuous development patterns that reflect active threat actor investment in maintaining operational effectiveness.

Updates include encryption key pattern modifications, new command implementations, and persistence mechanism enhancements.

These developments suggest well-resourced threat actors with long-term operational objectives.

Recent variants have introduced interesting anti-analysis features designed to complicate reverse engineering and automated analysis.

These include environment detection mechanisms, sandbox evasion techniques, and analysis disruption methods. The consistent addition of new features indicates ongoing development investment and threat evolution.

Mitigations

Security organizations defending against ACR Stealer must implement comprehensive, multi-layered approaches that address the malware’s sophisticated evasion techniques.

Network monitoring should focus on detecting DDR communications through behavioral analysis rather than relying solely on signature-based detection.

Endpoint protection should incorporate behavioral analysis capabilities that can identify direct syscall abuse and process injection techniques.

User education programs must emphasize the risks associated with downloading software from non-official sources and clicking on suspicious advertisements.

Organizations should implement strict software installation policies and provide official channels for legitimate software acquisition.

Additionally, implementing application allowlisting can prevent execution of unauthorized software, including ACR Stealer variants.

The sophistication of ACR Stealer and its variants represents a significant challenge for cybersecurity professionals, requiring advanced detection capabilities and comprehensive security strategies to effectively counter this evolving threat.

As threat actors continue developing more sophisticated techniques, security teams must remain vigilant and adapt their defensive strategies to address these advancing capabilities.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post ACR Stealer – Uncovering Attack Chains, Functionalities And IOCs appeared first on Cyber Security News.

Dubbed the “Clickfix” attack, this method turns a user’s own browser actions against them to compromise their system under the guise of a simple human verification step.

The attack targets on individuals in public spaces like airports, where the promise of “Free Wi-Fi” is a powerful lure. Unsuspecting users attempting to connect are redirected to a professionally designed but fake captive portal.

These pages, often hosted on insecure IP addresses rather than legitimate domains, mimic real network login screens, complete with logos and a CAPTCHA prompt to “prove you are not a robot,” a feature intended to build a false sense of security.

Deceptive Verification Process

The core of the Clickfix attack lies in its clever manipulation of user behavior. After a user interacts with the fake CAPTCHA, a pop-up window appears with a set of “Verification Steps.”

Instead of a simple click, the instructions guide the user through a specific sequence of keyboard shortcuts: press Ctrl+S to save the web page, navigate to the browser’s downloads window, and press Enter to open the file, the Cybersecuritynews researcher team said.

This sequence is a social engineering trick designed to bypass standard browser security warnings about downloading executable files.

By instructing the user to save the page and run the file themselves, the attackers effectively get consent to execute malicious code. The downloaded file is not an image or document but a script that initiates the infection.

Once the user unwittingly executes the downloaded file, a malicious PowerShell script is launched.

Analysis of the attack chain with ANY.RUN Sandbox reveals that this script acts as a downloader, establishing a connection to a command-and-control server to fetch the primary malware payload. In this campaign, the payload has been identified as a network trojan.

PowerShell is a powerful tool for attackers because it is integrated into Windows and can execute commands, scripts, and payloads directly in memory, often evading detection by traditional antivirus solutions.

This type of fileless malware can be used for a wide range of malicious activities, including stealing sensitive information, deploying ransomware, or providing a persistent backdoor for remote access to the compromised device.

To safeguard against this threat, users should stay alert when connecting to public Wi-Fi, carefully examine the URLs of login pages, and be very cautious of any website that requires unusual keyboard commands for verification.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post New Clickfix Attack Promises “Free WiFi” But Delivers Powershell-Based Malware appeared first on Cyber Security News.