A new wave of malicious Android applications impersonating a well-known Korean delivery service has emerged, featuring advanced obfuscation techniques powered by artificial intelligence.

These apps work to bypass traditional antivirus detection methods while extracting sensitive user information.

The threat actors behind this campaign have demonstrated sophisticated knowledge of mobile security vulnerabilities, combining multiple evasion strategies to maintain their operation undetected.

The malware campaign relies on a clever delivery mechanism that disguises itself as a legitimate package tracking application.

When users grant the necessary permissions, the app displays an interface resembling the real delivery service by connecting to authentic tracking websites using randomly generated tracking numbers.

This social engineering approach builds trust while the application performs malicious activities in the background, making it particularly dangerous for unsuspecting victims.

ASEC security analysts identified this malware after detecting repeated distribution patterns across various channels.

The investigation revealed that threat actors utilized AI-enhanced obfuscation techniques to disguise the app’s functionality and make reverse engineering significantly more difficult for security researchers.

Detection Evasion Through Intelligent Obfuscation

The technical sophistication of these applications lies in their obfuscation implementation. The developers applied AI-powered ProGuard obfuscation, converting all class names, function identifiers, and variable names into meaningless eight-character Korean text strings.

This approach differs from standard obfuscation because the random Korean characters make pattern-based detection substantially harder for automated security tools.

The resource names remained unmodified, indicating a selective obfuscation strategy designed specifically to hide the app’s core functionality while maintaining enough structural integrity for it to operate normally.

Security researchers discovered that after collecting information from infected devices, the malware exfiltrates data through breached legitimate websites repurposed as command-and-control servers.

The threat actors hardcoded C2 server addresses within blogs hosted on Korean portals, loading them dynamically when the application launches.

This technique creates an additional detection barrier because the actual malicious servers appear as benign web traffic to network monitoring systems, effectively hiding the data theft operation from security infrastructure.

The identified samples included five confirmed MD5 hashes, with associated URLs pointing to compromised Korean domains used for data exfiltration.

Security professionals should prioritize detecting and blocking these samples across their networks while implementing stricter application permission controls for delivery service apps.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post AI-Based Obfuscated Malicious Apps Evading AV Detection to Deploy Malicious Payload appeared first on Cyber Security News.

Xillen Stealer, a sophisticated Python-based information stealer, has emerged as a significant threat in the cybercriminal landscape.

Originally identified by Cyfirma in September 2025, this cross-platform malware has recently evolved into versions 4 and 5, introducing a dangerous arsenal of features designed to steal sensitive credentials, cryptocurrency wallets, and system information while evading modern security systems.

The malware targets data across more than 100 browsers and over 70 cryptocurrency wallets, positioning itself as a comprehensive credential harvesting tool marketed through Telegram channels.

The malware operates through a professional-looking interface that allows attackers to manage exfiltrated data, monitor infections, and view configuration settings.

Xillen Stealer’s functionality extends far beyond basic information theft.

It captures browser data including history, cookies, and saved passwords, while simultaneously targeting password managers like OnePass, LastPass, BitWarden, and Dashlane.

The stealer also focuses on collecting developer credentials, cloud configurations from AWS, GCP, and Azure, alongside SSH keys and database connection information.

Darktrace security analysts noted that the latest versions introduce an innovative approach to targeting high-value victims.

The malware includes an AITargetDetection class designed to identify valuable targets based on weighted indicators and specific keywords.

It searches for cryptocurrency wallets, banking credentials, premium accounts, and developer access, while prioritizing victims in wealthy countries including the United States, United Kingdom, Germany, and Japan.

Although the implementation currently relies on rule-based pattern matching rather than actual machine learning, it demonstrates how threat actors plan to integrate AI into future campaigns.

Xillen Stealer

The most concerning aspect of Xillen Stealer lies in its advanced evasion capabilities. The AIEvasionEngine module employs multiple techniques to bypass security systems.

These include behavioral mimicking that simulates legitimate user actions, noise injection to confuse behavioral classifiers, timing randomization with irregular delays, and resource camouflage designed to imitate normal applications.

The malware further employs API call obfuscation and memory access pattern alterations to defeat machine learning-based detection systems.

Additionally, the Polymorphic Engine transforms code through instruction substitution, control flow obfuscation, and dead code injection to ensure each sample appears unique, preventing signature-based detection.

For data exfiltration, Xillen Stealer implements a peer-to-peer command-and-control structure leveraging blockchain transactions, anonymizing networks like Tor and I2P, and distributed file systems.

The malware creates HTML and TXT reports containing stolen data and sends them to attackers’ Telegram accounts.

Security professionals must remain vigilant against this evolving threat, as its combination of credential theft, detection evasion, and adaptive targeting capabilities represents a significant risk to both individual users and enterprise environments.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Xillen Stealer With New Advanced Features Evade AI Detection and Steal Sensitive Data from Password Managers appeared first on Cyber Security News.

The dark web has transformed into a functioning parallel labor market where cyber specialists find employment through unconventional channels.

Unlike traditional job boards, this shadow economy operates with distinct recruitment norms and salary expectations that differ significantly from legitimate hiring practices.

A comprehensive analysis of 2,225 job-related posts collected from dark web forums between January 2023 and June 2025 reveals how this underground employment landscape continues to grow and evolve.

The market demonstrates that cybercriminals prioritize practical experience and demonstrated technical capability over educational credentials.

Kaspersky security analysts identified that job seekers increasingly highlight their prior work history within the shadow economy, indicating this environment has become an established career path for many participants.

Securelist security analysts noted that the dark web job market reflects broader shifts in how criminal enterprises recruit talent.

The majority of job postings do not specify traditional professional fields, with evidence showing that 69 percent of applicants lack formal educational requirements in their profiles.

Instead, employers focus on what candidates have actually accomplished in previous roles. This represents a fundamental departure from conventional hiring practices, where degrees and certifications typically serve as filtering mechanisms.

The market operates with transparent salary structures and defined role expectations, mirroring legitimate employment systems in surprising ways.

Experience Over Credentials: The New Hiring Standard

The most significant finding shows that practical experience has become the primary qualification currency. Job seekers consistently emphasize their track record within criminal operations, portfolio work, and demonstrated technical proficiency rather than formal training or certifications.

Employers posting opportunities actively seek individuals who can provide evidence of previous successful projects or campaigns.

This shift prioritizes real-world problem-solving and proven results over theoretical knowledge. Candidates who can demonstrate specific technical skills through past work samples receive preferential consideration.

The dark web job market essentially operates as a pure meritocracy where actions matter more than credentials. Salaries reflect market demand for specific technical expertise, with specialized roles commanding premium compensation.

This evolution suggests that the underground employment landscape functions as a genuine economic system with recognizable labor dynamics comparable to legitimate industries.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Dark Web Job Market Evolved – Prioritizes Practical Skills Over Formal Education appeared first on Cyber Security News.

Two of North Korea’s most dangerous hacking groups have joined forces to launch a coordinated attack campaign that threatens organizations worldwide.

The Kimsuky and Lazarus groups are working together to steal sensitive intelligence and cryptocurrencies through a systematic approach that combines social engineering with zero-day exploitation.

This partnership represents a major shift in how state-sponsored threat actors operate, moving from isolated attacks to carefully coordinated operations.

The campaign begins with Kimsuky conducting reconnaissance through carefully crafted phishing emails disguised as academic conference invitations or research collaboration requests.

These messages contain malicious attachments in HWP or MSC formats that deploy the FPSpy backdoor when opened. Once installed, the backdoor activates a keylogger called KLogEXE that captures passwords, email content, and system information.

This intelligence gathering phase maps out the target’s network architecture and identifies valuable assets before handing off control to Lazarus.

CN-SEC security researchers noted that Lazarus then exploits zero-day vulnerabilities to gain deeper access to compromised systems.

The group has weaponized CVE-2024-38193, a Windows privilege escalation flaw, to deploy malicious Node.js packages that appear legitimate.

When these packages are executed, attackers gain SYSTEM-level privileges and install the InvisibleFerret backdoor, which bypasses endpoint detection tools through the Fudmodule malware component.

Technical Breakdown of the InvisibleFerret Backdoor

The InvisibleFerret backdoor represents a significant advancement in evasion capabilities. It disguises its network traffic as normal HTTPS web requests, making detection through traffic analysis extremely difficult for security teams.

The malware specifically targets blockchain wallets by scanning system memory for private keys and transaction data stored in browser extensions and desktop applications.

In one documented case, attackers transferred $32 million in cryptocurrency within 48 hours without triggering security alerts.

The backdoor communicates with command and control servers through encrypted channels that rotate daily using a domain polling strategy. Each C2 domain is disguised as a legitimate e-commerce or news website to avoid suspicion.

After completing their objectives, both groups coordinate to remove evidence through shared infrastructure.

They overwrite malicious files with legitimate system processes and delete attack logs. Organizations in defense, finance, energy, and blockchain sectors face the highest risk from this threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korean Kimsuky and Lazarus Join Forces to Exploit Zero-Day Vulnerabilities Targeting Critical Sectors Worldwide appeared first on Cyber Security News.

A new command-and-control platform called Matrix Push C2 has emerged as a serious threat to web users across all operating systems.

This browser-based attack framework turns legitimate web browser features into a weapon for delivering malware and phishing attacks.

Unlike traditional malware that requires file downloads, Matrix Push C2 operates silently through a fileless attack method, making it harder to detect and stop.

The platform exploits web push notifications, a standard feature in modern browsers, to establish direct communication channels with infected devices.

Attackers use this connection to deliver fake system alerts, redirect users to malicious websites, monitor victim activity in real time, and even scan for cryptocurrency wallets.

The beauty of this attack from the cybercriminal’s perspective is that it bypasses many traditional security tools because it appears to come from the browser itself rather than external malware.

Blackfog security analysts identified the malware’s sophisticated approach to victim targeting and engagement.

The Matrix Push C2 dashboard provides attackers with detailed analytics showing infected browsers, notification delivery rates, and user interaction data.

With just three test clients, the researchers observed a 100 percent delivery success rate, demonstrating how effective this attack vector could be at scale.

How the Infection Mechanism Works

The attack begins with social engineering. Attackers trick users into allowing browser notifications through malicious or compromised websites.

Once a user subscribes to these notifications, the attacker gains a direct communication line to the victim’s desktop or mobile device.

From that point forward, the attacker can push out convincing fake error messages and security alerts that look like they come from trusted companies or the operating system itself.

When users click these deceptive notifications, they are redirected to attacker-controlled websites hosting phishing pages or malware downloads.

For example, a fake notification might display “Update required! Please update Google Chrome to avoid data loss!” and direct users to download trojanized software.

The entire attack happens through the browser’s notification system without requiring traditional malware installation.

What makes Matrix Push C2 particularly dangerous is its use of brand-themed phishing templates. The platform includes pre-built templates mimicking PayPal, Netflix, Cloudflare, MetaMask, and other trusted services.

Attackers can customize these templates to match official designs perfectly, exploiting user trust in recognized brands.

Real-time monitoring capabilities allow attackers to track which notifications were delivered, which users clicked them, and gather valuable device information, creating a complete attack orchestration platform.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Using New Matrix Push C2 to Deliver Malware and Phishing Attacks via Web Browser appeared first on Cyber Security News.