Monolock ransomware has surfaced in underground forums, with threat actors advertising version 1.0 for sale alongside stolen corporate credentials.

First detected in late September, the malware exploits phishing emails containing malicious Word documents.

Upon opening, the embedded macro downloads the ransomware binary from a compromised server. Victims report file encryption using a mix of AES-256 for file payloads and RSA-2048 for key exchange, rendering data inaccessible without the private key.

Dark Web Informer analysts noted that Monolock’s initial deployments targeted small to mid-sized organizations in healthcare and manufacturing sectors.

The operators demand payment in cryptocurrency, instructing victims to access a Tor-hosted payment portal. This portal automatically verifies the transaction and supplies the decryption key.

Early samples reveal a ransom note that offers a 10 percent discount if paid within 48 hours.

In controlled environments, researchers identified that Monolock terminates processes associated with common backup and security software before encryption begins.

It scans running services for patterns matching “backup,” “sql,” and “vss,” then kills them to prevent snapshot restores.

After encryption, it appends the extension “.monolock” to filenames and leaves a ransom note named “README_RECOVER.txt” in each directory.

Persistence and Evasion

Monolock’s infection mechanism embeds itself into the Windows registry under the Run key, ensuring execution at boot.

The malware binary disguises as a legitimate DLL and injects into explorer.exe to evade detection.

It uses API hashing to locate required Windows functions dynamically, complicating static signature matching.

A snippet of the API-hashing routine demonstrates this tactic:-

DWORD hash = 0xA1B2C3D4;
for (char* p = moduleName; *p; ++p) {
    hash = ((hash << 7) | (hash >> (32 - 7))) ^ *p;
}

By leveraging this routine, Monolock avoids importing functions by name, hindering many endpoint detection tools.

This advanced evasion underscores the need for behavior-based monitoring to detect such threats.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Allegedly Selling Monolock Ransomware on Dark Web Forums appeared first on Cyber Security News.

Over the past week, cybersecurity professionals have been gripped by the emergence of GlassWorm, a highly sophisticated, self-propagating malware campaign targeting VS Code extensions on the OpenVSX Marketplace.

The scale and technical complexity of this attack signal a turning point for supply chain security in developer ecosystems.

As of October 2025, over 35,800 installations have reportedly been compromised, with the number growing as active malicious extensions continue to operate in the wild.

The impact is felt not only through direct credential theft but also through deep infiltration of developer machines.

The initial signs of the campaign surfaced when Koi researchers identified unusual behavioral shifts in the seemingly benign “CodeJoy” extension after its 1.8.3 version update.

While the extension passed initial visual code reviews, Koi’s risk engine flagged it for anomalous network connections and credential access.

Undetectable on superficial inspection, the researchers quickly found that the underlying infection vector was both novel and alarming—the malicious code was encoded using invisible Unicode characters, allowing it to blend perfectly with legitimate source files.

The result: entire blocks of JavaScript payload remained unseen to the naked eye and undetectable by most static analysis tools.

Koi’s investigation soon revealed the magnitude of the threat. The worm harvests secrets from npm, GitHub, OpenVSX, and even targets 49 different cryptocurrency wallet extensions.

After siphoning credentials, it leverages them to hijack additional extensions, thereby achieving a self-propagating cycle.

Victims’ devices are then weaponized, serving as criminal proxy nodes or platforms for remote attacks, illustrating a truly distributed and resilient campaign strategy.

Koi analysts confirmed that the attackers architected an unkillable command-and-control (C2) infrastructure using the Solana blockchain.

Alongside blockchain payload distribution, fallback C2 mechanisms—Google Calendar events and direct IP endpoints—make takedown efforts almost futile.

Each communication contains encrypted instructions for further stages, enabling dynamic updates to the malware in near real-time.

This approach enables GlassWorm to adapt swiftly and persistently within compromised networks.

Invisible Unicode: The Infection Mechanism

A standout aspect of GlassWorm’s operation is its use of the Unicode “variation selector” exploit. By inserting non-rendering Unicode codepoints into JavaScript source files, the malware hides entire logic branches.

These characters are ignored by visual editors and code review platforms but are recognized and executed by the JavaScript interpreter.

For instance, a segment in the compromised CodeJoy file showed a vast empty space—actually filled with functional malicious code—successfully disguised.

// Line 2 appears empty but contains:
function stealCreds() {...}

This method fundamentally breaks assumptions of code transparency. Developers, even when manually inspecting diffs or reviewing GitHub commits, cannot see the injected logic.

Only byte-wise or deeply specialized tools can reveal the hidden payload, underscoring the criticality of updating code inspection and CI processes to detect non-standard Unicode—a mitigation priority for defenders.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New GlassWorm Using Invisible Code Hits Attacking VS Code Extensions on OpenVSX Marketplace appeared first on Cyber Security News.