• A proof-of-concept (PoC) exploit tool for CVE-2025-64446 has been publicly released on GitHub. This vulnerability, affecting FortiWeb devices from Fortinet, involves a critical path traversal flaw that has already been observed in real-world attacks, allowing unauthorized access to sensitive CGI endpoints.

    Security researchers warn that the tool’s availability could accelerate exploitation attempts against unpatched systems worldwide.

    CVE-2025-64446 targets FortiWeb’s web application firewall (WAF) component, enabling attackers to bypass access controls and manipulate user accounts through directory traversal techniques.

    Discovered earlier this year, the flaw stems from improper input validation in the CGI handling mechanism, permitting remote code execution in certain configurations.

    According to Fortinet’s advisory, affected versions range from 6.3.0 to 7.4.6, with exploitation in the wild reported as early as October 2025 by threat intelligence firms monitoring dark web forums and incident response logs.

    The vulnerability’s severity is rated CVSS 9.8, indicating its potential to have a widespread impact on enterprises that rely on FortiWeb for web traffic protection.

    The PoC, developed by GitHub user sxyrxyy and shared under the repository “CVE-2025-64446-FortiWeb-CGI-Bypass-PoC,” provides a straightforward Python-based script for testing and exploiting the flaw.

    Designed for authorized security testing, the tool requires minimal setup: users simply install dependencies via “pip install -r requirements.txt” before running the exploit script.

    For vulnerability verification, the command “python3 exploit.py -t <target_ip> --check” probes the target without causing harm, confirming if the system is susceptible to traversal attacks.

    In exploit mode, “python3 exploit.py -t <target_ip> --exploit” leverages the CGI endpoint to create or modify administrative user accounts, defaulting to a username “sxy” and password “sxyrxyadmin1!”.

    Advanced options enhance the tool’s flexibility for penetration testers. Custom parameters allow specifying usernames, passwords, profile names (default: prof_admin), VDOM instances (default: root), and login names (default: admin).

    For batch operations, the script supports loading multiple targets from a file like targets.txt, enabling scans across IP ranges such as 192.168.1.100 to 192.168.1.102.

    Port customization defaults to 443 for HTTPS, but the “--http” flag switches to unencrypted traffic, and the “--testpoint-name” option sets a default user creation name of “Testpoint”.

    Experts emphasize the tool’s dual-edged nature: while invaluable for defensive assessments, its public release amplifies threats to outdated FortiWeb deployments in sectors like finance and healthcare.

    Fortinet urges immediate patching to version 7.4.7 or later, alongside network segmentation to mitigate lateral movement risks. The repository’s disclaimer stresses use only on owned or permitted systems, aligning with responsible disclosure norms.


    The post PoC Exploit Tool Released for FortiWeb WAF Vulnerability Exploited in the Wild appeared first on Cyber Security News.


  • A severe remote code execution (RCE) flaw has been uncovered in pgAdmin4, the popular open-source interface for PostgreSQL databases.

    Dubbed CVE-2025-12762, the vulnerability affects versions up to 9.9 and could allow attackers to run arbitrary commands on the hosting server, potentially compromising entire database infrastructures.

    The issue stems from improper handling of code injection during server-mode restores from PLAIN-format dump files. When pgAdmin processes these files, which are commonly used for backing up and migrating PostgreSQL data, it fails to sanitize inputs adequately.

    An attacker with low privileges, such as an authenticated user, could craft a malicious dump file to inject commands, exploiting the tool’s execution of system-level operations.

    This CWE-94 weakness, rooted in code generation from untrusted sources, requires only network access and no user interaction, making it dangerously straightforward to exploit.

    The National Vulnerability Database (NVD) rates the flaw as critical, with a CVSS v3.1 score of 9.3 out of 10. Key metrics highlight its network-based attack vector, low complexity, and changed scope, leading to high confidentiality impacts alongside moderate integrity and availability risks.

    The advisory aligns with a GitHub issue (#9320) reported by the pgAdmin team, which traces the root cause to unsafe command construction in the restore process.

    pgAdmin developers swiftly addressed the problem in commit 1d39739, released in version 10.0. Users running affected setups in server mode, common in enterprise environments, face immediate threats, especially if handling untrusted dumps from external sources.

    The flaw underscores broader concerns in database tools, where restore functions often bypass strict validation.

    Organizations should prioritize upgrading to pgAdmin 10.0 or later, disable PLAIN-format restores if possible, and audit access controls. As PostgreSQL powers countless applications, this RCE serves as a wake-up call for rigorous input sanitization in DevOps pipelines.


    The post Critical pgAdmin4 Vulnerability Lets Attackers Execute Remote Code on Servers appeared first on Cyber Security News.


  • A new threat targeting Chinese users has appeared with a dangerous ability to shut down security tools.

    RONINGLOADER, a multi-stage loader spreading a modified version of the gh0st RAT, uses clever tricks to bypass antivirus protection.

    The malware arrives through fake software installers that pretend to be legitimate programs like Google Chrome and Microsoft Teams.

    Once inside a system, it works through several layers of infection to disable Windows Defender and popular Chinese security products like Qihoo 360 Total Security and Huorong.

    This campaign shows how attackers are getting better at breaking through security defenses. The malware brings its own signed driver that looks legitimate to Windows but actually helps it kill security processes.

    What makes it dangerous is how many backup plans it has. If one method to disable security fails, it tries several other approaches.

    This shows the Dragon Breath APT group behind it has learned from earlier campaigns and improved their methods.

    Elastic security analysts identified this campaign through a behavioral detection rule designed to spot Protected Process Light abuse.

    The research team found RONINGLOADER using a technique that was publicly documented just months earlier. The malware takes advantage of a Windows feature meant to protect important system processes but turns it against Defender itself.

    Attack Method and Infection Chain

    The infection starts with a trojanized NSIS installer that drops multiple components onto the victim system. When someone runs what they think is a normal software installer, they actually activate two separate installers.

    RONINGLOADER Execution flow (Source - Elastic)

    One installs the real software to avoid raising suspicion, while the second quietly deploys the attack chain.

    The malware creates a directory at C:\Program Files\Snieoatwtregoable\ and drops two files: Snieoatwtregoable.dll and an encrypted file called tp.png.

    The DLL file decrypts tp.png using a simple but effective algorithm that combines XOR encryption with a rotate operation:

    *encrypted_file_content = _ROR1_(*encrypted_file_content ^ xor_key[indx], 4);
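    A small decoder for this scheme, added here as an example (it is not Elastic's tooling or the loader's own code): it applies the XOR-then-rotate step to each byte and sanity-checks the output for a PE header. It assumes the key index cycles through the key (indx = i mod key length), and the key and ciphertext below are constructed for the demo, not values from the campaign.

```python
"""Decoder for the tp.png transform described above (added example).

Per byte: plain = ROR8(cipher ^ xor_key[i % len(xor_key)], 4).
Assumption (not stated in the write-up): the key index cycles through the key.
The key and sample data here are constructed for the demo.
"""
from __future__ import annotations


def ror8(value: int, bits: int) -> int:
    """Rotate an 8-bit value right by `bits` (what the _ROR1_ intrinsic does)."""
    bits %= 8
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits` (inverse of ror8)."""
    bits %= 8
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def decrypt_blob(data: bytes, xor_key: bytes) -> bytes:
    """Undo the loader's transform: XOR with the cycling key, then rotate right by 4."""
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    out = bytearray(len(data))
    for i, c in enumerate(data):
        out[i] = ror8(c ^ xor_key[i % len(xor_key)], 4)
    return bytes(out)


def encrypt_blob(data: bytes, xor_key: bytes) -> bytes:
    """Inverse transform (rotate left by 4, then XOR); used only to build fixtures."""
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    out = bytearray(len(data))
    for i, p in enumerate(data):
        out[i] = rol8(p, 4) ^ xor_key[i % len(xor_key)]
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Quick check an analyst applies to the decrypted output: does it start with 'MZ'?"""
    return data[:2] == b"MZ"


# Constructed fixture: a fake PE stub run through the inverse transform.
SAMPLE_KEY = bytes.fromhex("5a3c9e17")  # constructed key, not the real one
SAMPLE_PLAIN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
SAMPLE_CIPHER = encrypt_blob(SAMPLE_PLAIN, SAMPLE_KEY)


def demo() -> bytes:
    """Decrypt the fixture and report whether a PE header came out."""
    recovered = decrypt_blob(SAMPLE_CIPHER, SAMPLE_KEY)
    print("PE header recovered:", looks_like_pe(recovered))
    return recovered


if __name__ == "__main__":
    demo()
```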

    After decryption, the malware loads fresh system libraries to remove any security hooks that might catch its behavior. It then elevates its privileges using the runas command and scans for running security software.

    The malware looks explicitly for Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security by checking their process names.

    To kill these processes, RONINGLOADER uses a signed driver called ollama.sys that was digitally signed by Kunming Wuqi E-commerce Co., Ltd.

    The driver registers a single function that accepts a process ID and terminates it using kernel-level APIs that normal security tools cannot block.

    The malware writes this driver to disk, creates a temporary service to load it, sends the termination command, and immediately deletes the service.

    For Qihoo 360, the malware takes extra steps by blocking all network connections through firewall rules before injecting code into the Volume Shadow Copy service process.

    This injection uses Windows thread pools with file write triggers, a technique that helps it avoid detection.


    The post RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools appeared first on Cyber Security News.


  • Attackers are using fake invoice emails to spread XWorm, a remote-access trojan that quietly steals login credentials, passwords, and sensitive files from infected computers.

    When a user opens the attached Visual Basic Script file, the malware begins working silently in the background without any visible warnings or alerts.

    This makes it extremely dangerous because victims never know their system is compromised until it’s too late.

    Once active, XWorm gives attackers complete control over the infected machine, allowing them to record keystrokes, spy on users, steal personal data, and even install additional threats like ransomware.

    The attack begins with a simple email that appears to be a routine payment notification. These emails typically include a polite message from someone claiming to be an account officer, asking recipients to review processed invoices.

    The message looks harmless enough, but the attachment contains a .vbs file that immediately executes malicious code when opened.

    What makes this tactic clever is that the attackers rely on outdated technology that most people no longer expect to see in business communications.

    Malwarebytes security analysts identified the malicious attachment as Backdoor.XWorm during their investigation.

    XWorm operates as malware-as-a-service, meaning cybercriminals can rent or purchase access to the infrastructure that maintains backdoor connections and collects stolen data.

    A piece of the code inside the vbs file with the last line commented out (Source - Malwarebytes)

    This business model has made it easier for less technically skilled attackers to launch sophisticated campaigns, increasing the overall threat landscape for both individuals and organizations.

    The Visual Basic Script attachment stands out because modern businesses rarely use this file type anymore. Most email security systems block .vbs files automatically since they can run code directly on a computer without any additional steps.

    However, when these attachments manage to slip through email filters, they can cause serious damage.

    The script immediately drops a batch file named IrisBud.bat into the Windows temporary folder and uses Windows Management Instrumentation to execute it invisibly.

    Infection Mechanism and Execution Flow

    The infection chain starts simple but quickly becomes complex through multiple stages of obfuscation.

    The initial .vbs file contains 429 lines of heavily disguised code that writes another file to the system. This batch file then copies itself to the user profile directory under the name aoc.bat, ensuring persistence even if the temporary files get cleaned up.

    The batch file includes a clever technique to hide its execution by checking if a specific variable exists. If not, it restarts itself in a minimized window that runs completely invisible to the user while the original process exits immediately.

    Inside the batch file, attackers use padding techniques with repeated variables that serve no purpose except to confuse analysis tools and security researchers.

    These dummy variables make the code appear longer and more complicated than it actually is. After removing this padding, the real commands become visible, including instructions to copy files, read encoded data, and launch PowerShell scripts.

    The batch file contains two hidden payload sections that look like ordinary comments starting with double colons, but these actually hold encrypted malware data.

    The PowerShell script performs the final stage of the attack by reading the hidden payloads from aoc.bat, decrypting them using AES encryption with a hardcoded key, and decompressing the data with GZip.

    This produces two executable files that load directly into memory without ever being saved to disk, a technique called fileless execution that helps avoid detection by traditional antivirus software.

    The sandbox analysis revealed a mutex identifier 5wyy00gGpG6LF3m6 that security researchers recognize as belonging to the XWorm malware family, confirming the threat and allowing for proper classification and response.
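    A triage script for batch droppers of the kind described above, added here as an example (not Malwarebytes' or the malware's code): it pulls out “::” comment lines that carry unusually long, high-entropy data, lists set-variables that are never expanded (the padding idiom), and flags the self-relaunch into a minimized window. The .bat text and the blob are constructed for the demo; the file name aoc.bat is the only page-specific value reused.

```python
"""Static triage for a batch file such as aoc.bat (added example, constructed input)."""
from __future__ import annotations
import base64
import binascii
import math
import re
from collections import Counter

SET_RE = re.compile(r"^\s*set\s+\"?([A-Za-z_]\w*)=", re.I | re.M)
REF_RE = re.compile(r"[%!]([A-Za-z_]\w*)[%!]")
RELAUNCH_RE = re.compile(r"^\s*if\s+not\s+defined\s+\w+.*\bstart\b.*/min", re.I | re.M)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted/compressed data sits near 8, prose near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hidden_payloads(src: str, min_len: int = 64, min_entropy: float = 4.5) -> list[dict]:
    """'::' lines long and dense enough to be encoded data rather than a remark."""
    found = []
    for lineno, line in enumerate(src.splitlines(), 1):
        body = line.strip()
        if not body.startswith("::"):
            continue
        body = body[2:].strip()
        if len(body) < min_len:
            continue
        try:
            raw, decodes = base64.b64decode(body, validate=True), True
        except (binascii.Error, ValueError):
            raw, decodes = body.encode(), False
        ent = shannon_entropy(raw)
        if ent >= min_entropy:
            found.append({"line": lineno, "length": len(body),
                          "base64": decodes, "entropy": round(ent, 2)})
    return found


def padding_variables(src: str) -> list[str]:
    """Variables that are set but never expanded: the dummy-padding trick."""
    defined = {m.group(1) for m in SET_RE.finditer(src)}
    referenced = {m.group(1) for m in REF_RE.finditer(src)}
    return sorted(v for v in defined if v not in referenced)


def relaunches_minimized(src: str) -> bool:
    """True when the script re-starts itself via 'start /min' behind a guard variable."""
    return RELAUNCH_RE.search(src) is not None


def triage(src: str) -> dict:
    """One-shot summary an analyst can print or attach to a ticket."""
    return {"payloads": hidden_payloads(src), "padding": padding_variables(src),
            "relaunch_minimized": relaunches_minimized(src)}


# Constructed sample: two padding variables, a guarded minimized relaunch,
# a harmless remark and one '::' line holding a 256-byte base64 blob.
SAMPLE_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_BAT = r'''@echo off
set "pad1=aaaaaaaaaaaaaaaa"
set "pad2=bbbbbbbbbbbbbbbb"
set "dst=%USERPROFILE%\aoc.bat"
if not defined __hidden start /min "" cmd /c "set __hidden=1 & call "%~f0"" & exit /b
copy "%~f0" "%dst%" >nul
:: this is an ordinary remark
:: ''' + SAMPLE_BLOB + "\n"

if __name__ == "__main__":
    print(triage(SAMPLE_BAT))
```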


    The post Hackers are Weaponizing Invoices to Deliver XWorm That Steals Login Credentials appeared first on Cyber Security News.


  • Chinese government-backed hackers used Anthropic’s Claude Code tool to carry out advanced spying on about thirty targets worldwide, successfully breaking into several major organizations.

    It is the first documented large-scale cyberattack executed primarily by leveraging artificial intelligence with minimal human intervention.

    The operation, detected in mid-September 2025 by Anthropic’s security team, targeted leading tech companies, financial institutions, chemical manufacturing firms, and government agencies.

    First AI-Orchestrated Cyberattack

    What made this attack different from earlier ones was its heavy use of advanced AI agents. These systems can work on their own and only need humans once in a while.

    The attackers got Claude Code to carry out complex break-in tasks by using advanced jailbreaking techniques.

    They tricked the AI by splitting the attack into harmless-looking tasks and pretending they were working for a real cybersecurity company defending against real threats.

    The operation proceeded through distinct phases. First, human operators selected targets and developed attack frameworks.

    The lifecycle of the cyberattack

    Claude Code then conducted reconnaissance, identifying high-value databases and security vulnerabilities within the target infrastructure.

    The AI wrote its own exploit code, harvested credentials, extracted sensitive data, and created backdoors, all while generating comprehensive documentation for future operations.

    Remarkably, Claude performed 80-90 percent of the campaign with human intervention required only at approximately 4-6 critical decision points per attack.

    At peak activity, the AI executed thousands of requests per second, an impossible pace for human hackers. This level of efficiency marked a major change in cyber attack abilities.

    This incident shows that new AI agent abilities have made it much easier for people to carry out advanced cyberattacks.

    Less experienced, less resourced threat actor groups can now execute enterprise-scale operations that previously required extensive human expertise and effort.

    Anthropic’s discovery highlights a serious problem: the same AI capabilities that enable these attacks are essential to cybersecurity defense.

    Anthropic advises security teams to experiment with AI-assisted defense in Security Operations Center automation, threat detection, vulnerability assessment, and incident response.

    Industry experts say that AI platforms need stronger protections to stop bad actors from misusing them.

    Enhanced detection methods, improved threat intelligence sharing, and stronger safety controls remain essential as threat actors increasingly adopt these powerful technologies.

    The incident marks a turning point in the cybersecurity landscape, signaling that organizations must rapidly adapt their defensive strategies to counter AI-orchestrated threats.


    The post First Large-scale Cyberattack Using AI Tools With Minimal Human Input appeared first on Cyber Security News.


  • The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea’s illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions. The five individuals are listed below: Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; Oleksandr Didenko, 28; and Erick


  • A new malware family targeting macOS systems has emerged with advanced detection evasion techniques and multi-stage attack chains.

    Named DigitStealer, this information stealer uses multiple payloads to steal sensitive data while leaving minimal traces on infected machines.

    The malware disguises itself as legitimate software and uses clever methods to bypass Apple’s security protections.

    DigitStealer spreads through fake versions of popular macOS applications. The malware was discovered in an unsigned disk image file called DynamicLake.dmg, pretending to be a legitimate utility.

    Users are tricked into running a file labeled “Drag Into Terminal.msi” which starts the infection process.

    At the time of discovery, no antivirus engines on VirusTotal detected this threat, making it extremely dangerous.

    What makes this malware stand out is its use of advanced hardware checks to avoid running on virtual machines or older Mac computers.

    Jamf security researchers identified that DigitStealer specifically targets newer Apple Silicon systems, particularly M2 chips and above, while avoiding Intel-based Macs and even M1 devices.

    The malware performs extensive system checks before executing its main payload.

    The infection starts with a simple bash command that downloads an encoded script from a remote server. Once decoded, this script performs multiple verification steps to ensure it runs only on physical Mac computers with specific hardware features.

    Malware workflow (Source - Jamf)

    The malware checks the system locale and exits if it detects certain countries, potentially to avoid prosecution.

    Detection Evasion Through Advanced Hardware Checks

    DigitStealer uses sophisticated techniques to detect virtual machines and analysis environments. The malware queries hardware information using system commands and searches for keywords like “Virtual” or “VM” in the output.

    If detected, the malware immediately stops execution. The most interesting aspect involves checking for specific Apple Silicon features using the following commands:

    sysctl -n hw.optional.arm.FEAT_BTI
    sysctl -n hw.optional.arm.FEAT_SSBS
    sysctl -n hw.optional.arm.FEAT_ECV

    These commands verify whether advanced ARM processor features exist on the target system. Only M2 or newer chips have these capabilities, effectively limiting infections to the latest Mac computers.

    This approach helps the malware avoid detection by security researchers who often use virtual machines or older hardware for analysis.

    After passing all verification checks, DigitStealer downloads four separate payloads from remote servers.

    Each payload has a specific purpose, from stealing browser credentials and cryptocurrency wallets to modifying legitimate applications like Ledger Live.

    The malware uses legitimate Cloudflare services to host payloads, making detection and blocking more difficult.


    The post Highly Sophisticated macOS DigitStealer Employs Multi-Stage Attacks to Evade detection appeared first on Cyber Security News.


  • Fortinet has released urgent security updates to address a critical vulnerability in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild. Tracked as CVE-2025-64446, the flaw allows unauthenticated attackers to execute administrative commands and gain complete control of affected systems. The vulnerability has been assigned a critical severity rating with […]

    The post Critical FortiWeb WAF Flaw Actively Exploited to Establish Admin Access and Seize Total Control appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A new wave of Formbook malware attacks has appeared, using weaponized ZIP archives and multiple script layers to bypass security controls.

    The attacks begin with phishing emails containing ZIP files that hold VBS scripts disguised as payment confirmation documents.

    These scripts trigger a chain of events that downloads and installs the malware on victim systems. The multi-stage approach makes detection harder for both security tools and analysts.

    The attack starts when victims receive emails with attached ZIP archives. Inside these archives sits a VBS file with names like “Payment_confirmation_copy_30K__20251211093749.vbs” that looks like a business document.

    When opened, this VBS script starts a carefully planned infection process. The malware uses multiple scripting languages, including VBS, PowerShell, and eventually executable files, to reach its final goal of installing Formbook on the target machine.

    Internet Storm Center security researchers identified this campaign and found that only 17 out of 65 antivirus programs detected the initial VBS file.

    The low detection rate shows how effective the obfuscation techniques are. The malware writers designed each stage to avoid common security checks and make analysis more difficult for security teams.

    Multi-Stage Infection Mechanism

    The VBS script uses several tricks to hide its true purpose. First, it creates a delay loop that waits 9 seconds before doing anything harmful.

    This simple trick helps avoid detection by sandbox systems that look for immediate suspicious actions:

    Dim Hump
    Hump = DateAdd("s", 9, Now())
    Do Until (Now() > Hump)
        Wscript.Sleep 100
        Frozen = Frozen + 1
    Loop

    The script then builds a PowerShell command by joining many small text pieces together. The word “PowerShell” itself is hidden using number codes instead of plain text. After creating the PowerShell script, the VBS file runs it using a Shell.Application object.

    This PowerShell script downloads another payload from Google Drive and saves it to the user’s AppData folder. The final step launches msiexec.exe and injects the Formbook malware into it.
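    A static triage script for VBS droppers like this one, added here as an example (not Internet Storm Center's tooling or the malware's code): it flags the DateAdd/Now busy-wait delay, rebuilds strings assembled from Chr() codes and “&” concatenation across assignments and line continuations, and reports any reconstructed value that names PowerShell or a shell object. The VBS sample inside it is constructed for the demo; only the delay loop shown above is reused.

```python
"""Static triage for an obfuscated VBS dropper (added example, constructed sample)."""
from __future__ import annotations
import re

ATOM_RE = re.compile(r'Chr\s*\(\s*(\d{1,3})\s*\)|"([^"]*)"', re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.I)
DELAY_RE = re.compile(r'DateAdd\s*\(\s*"s"\s*,\s*(\d+)\s*,\s*Now\s*\(\s*\)\s*\)', re.I)
LOOP_RE = re.compile(r"\bDo\s+Until\b.*?\bLoop\b", re.I | re.S)
SUSPICIOUS = ("powershell", "shell.application", "msiexec", "downloadfile", "-enc", "hidden")


def join_continuations(src: str) -> list[str]:
    """Merge VBScript line continuations (trailing ' _') into single statements."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith("_"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def find_delay_loops(src: str) -> list[int]:
    """Seconds requested by DateAdd("s", N, Now()) when a Do Until/Sleep loop waits on it."""
    busy_wait = any(re.search(r"Now\s*\(", blk, re.I) and re.search(r"\bSleep\b", blk, re.I)
                    for blk in LOOP_RE.findall(src))
    return [int(m.group(1)) for m in DELAY_RE.finditer(src)] if busy_wait else []


def decode_atoms(expr: str) -> str:
    """Concatenate every Chr(n) and "literal" atom in an expression, in source order."""
    out = []
    for m in ATOM_RE.finditer(expr):
        out.append(chr(int(m.group(1))) if m.group(1) is not None else m.group(2))
    return "".join(out)


def rebuild_strings(src: str) -> dict[str, str]:
    """Follow `v = ...` and `v = v & ...` assignments to recover assembled strings."""
    values: dict[str, str] = {}
    for stmt in join_continuations(src):
        m = ASSIGN_RE.match(stmt)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        piece = decode_atoms(rhs)
        # A self-reference before the first atom means append; otherwise overwrite.
        first_atom = ATOM_RE.search(rhs)
        head = rhs[: first_atom.start()] if first_atom else rhs
        if re.search(rf"\b{re.escape(name)}\b", head, re.I) and name in values:
            values[name] += piece
        elif piece:
            values[name] = piece
    return values


def suspicious_strings(src: str) -> dict[str, str]:
    """Reconstructed variables whose value names a launcher, script host or hidden window."""
    return {k: v for k, v in rebuild_strings(src).items()
            if any(s in v.lower() for s in SUSPICIOUS)}


# Constructed sample: the page's delay loop plus "PowerShell" spelled in Chr() codes.
SAMPLE_VBS = r'''
Dim Hump
Hump = DateAdd("s", 9, Now())
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop
Cmd = Chr(80) & Chr(111) & Chr(119) & Chr(101) & Chr(114)
Cmd = Cmd & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
Cmd = Cmd & " -w " & "hid" & "den " & _
      "-c " & "demo"
Set App = CreateObject("Shell.Application")
'''

if __name__ == "__main__":
    print("delay loops (s):", find_delay_loops(SAMPLE_VBS))
    print("suspicious:", suspicious_strings(SAMPLE_VBS))
```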

    The malware then connects to its command server at 216.250.252.227 on port 7719 to receive instructions.


    The post Formbook Malware Delivered Using Weaponized Zip Files and Multiple Scripts appeared first on Cyber Security News.


  • Phishing attacks continue to be one of the most persistent threats targeting organizations worldwide.

    Cybercriminals are constantly improving their methods to steal sensitive information, and a recently discovered phishing kit demonstrates just how advanced these operations have become.

    This particular framework was designed to impersonate the Italian IT and web services provider Aruba S.p.A., a company that serves over 5.4 million customers across Italy’s digital infrastructure.

    By targeting such a widely trusted service provider, attackers could gain access to critical business assets, including hosted websites, domain controls, and email systems.

    The phishing campaign begins with spear-phishing emails that create urgency by warning victims about expiring services or failed payments.

    These messages contain links to fake login pages that closely mimic the official Aruba.it webmail portal.

    What makes this attack particularly clever is the use of pre-filled login URLs that automatically populate the victim’s email address in the login form.

    This small detail adds a layer of authenticity that makes targets less suspicious and more likely to enter their passwords.

    Group-IB security researchers identified this sophisticated phishing framework through their ongoing monitoring of underground criminal ecosystems.

    The kit represents more than just a fake webpage. It functions as a complete, automated platform built for efficiency and stealth, employing multiple techniques to evade detection and maximize credential theft.

    Unlike basic phishing attempts, this system uses CAPTCHA filtering to block security scanners and Telegram bots to send stolen data to attackers instantly.

    Multi-Stage Credential Harvesting Process

    The attack unfolds through four carefully designed stages that systematically extract credentials and financial information.

    First, victims encounter a CAPTCHA challenge that serves as an anti-bot filter, ensuring only human targets proceed to the actual phishing pages.

    After passing this check, victims land on a convincing replica of the Aruba login page, where they enter their username and password, which are sent to the attacker immediately.

    The process continues with a fake payment page requesting credit card details for a small fee, typically around €4.37, presented as a service renewal charge.

    Once card information is submitted, victims are presented with a fraudulent 3D Secure verification page that captures the one-time password sent by their bank.

    This final piece of information gives attackers everything needed to authorize real-time fraudulent transactions.

    Throughout this process, all stolen data is sent to Telegram chats that serve as exfiltration channels, providing attackers with instant notifications.

    After completing the stages, victims are redirected to the legitimate Aruba website, remaining unaware that their information was compromised.

    This operation highlights the growing trend of phishing-as-a-service, where pre-built kits dramatically lower technical barriers and enable widespread credential theft at an industrial scale.


    The post A Multi-Stage Phishing Kit Using Telegram to Harvest Credentials and Bypass Automated Detection appeared first on Cyber Security News.
