I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as extracted-decoded.js (and reformated). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[ 1 ]. It did not run properly in a sandbox so only a static analysis was performed. The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us, only the wrapper that is responsible for the execution is obfuscated but the malicious payloads are embedded in plain text! The obfuscation technique looks typical to the code produced by obfuscation.io[ 2 ]. We are facing a very long array of small Base64-encoded strings: function c() { const t8 = [ W54gaGuj , pSkByhzh , WRT/WPThyG , CSomW6OXWQG , WO7dIuVcTaq , AYb2Axm , WPT3WPJdLmkS , WPTNeuWa , hCkIW64XW7C , W47cM0tcObS , WPKbWOKfW74 , W6JdNCkDWRe+ , W53dLuxcP3u , WRTUc8ocW4W , ysiSica , wCo4oser , tSkAW5v3ca , W54XaKvz , W7nTe8ooW7a , W4BcSSo/FLi , W6HvW7i+FG , W5iBabul , F8oQW4JcVCku , W5ldPCkKbcy , W6ddQcdcNq0 , Aw5Niha , Dcy9W5dcVq , C8o/eqBcHW , id0GBMu , W5FcISkyW4FcJG , WR1ieSotW4y , wSoqq8o1da , B3jKvMe , icDmB2m , uSkgW4qZiq , WO7cMSkoW7zX , W5HxW6OnW7S , W4SBWRHwW7e , zwa3W5dcOG , W4PCW79DW6a , omkrngXB , xmkVCWeJ , nCoEWQ1WWR0 , WRNcH3vwCG , W7lcTSoUCq8 , rM9sWR/cPW , W4ZcKbxcUIC , DgGGDg8 , WR7dK8kpWROP , fmo7j1et , id09psa , vSo4Cx4n , iIWImJq , WRrixrpcJq , u29JA2u , ve9swsW , WRBdHH3dUa0 , W5RcKLpdTuW , u3ruyKK , WOVcLSowW4RcPG , BwuGzgK , ugf0AdO , W63cJ3Kmaa , WPVdRCk1bti , DwrVige , C8k2WQxcTh0 , igvUDhi , tmkSl1Ld , qqvnW4pcMa , WPNdGahdO0i , nmkQWRNdPNa , WQD8qmodW6G , W4NdK8oBW5pdQq , quFcOmoQWRe , Cbyarmkq , tmkoWQHU , ewb8W4eF , vcCOWOPc , WRtdQc3dIrW , WQXIrSoqW5q , kcDqCM8 , imkUWQtcPxC , bmooW7q6hW , ... Other small functions are low-level decoders that perform a lot of arithmetic operations. There are three main payloads that all have their own purpose: The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser. const localAppDataBase = `/mnt/c/Users/${windowsUsername}/AppData/Local`; const browserRelativePaths = [ Google/Chrome/User Data , // Chrome BraveSoftware/Brave-Browser/User Data , // Brave AVG Browser/User Data , // AVG Browser Microsoft/Edge/User Data , // Edge Opera Software/Opera Stable , // Opera Opera Software/Opera GX , // Opera GX Vivaldi/User Data , // Vivaldi Kiwi Browser/User Data , // Kiwi Yandex/YandexBrowser/User Data , // Yandex Iridium/User Data , // Iridium Comodo/Dragon/User Data , // Comodo SRWare Iron/User Data , // SRWare Chromium/User Data // Chromium\n ]; The malware also looks for interesting wallet Chrome extensions: const wps = [ nkbihfbeogaeaoehlefnkodbefgpgknn , ejbalbakoplchlghecdalmeeeajnimhm , acmacodkjbdgmoleebolmdjonilkdbch , bfnaelmomeimhlpmgjnjophhpkkoljpa , ibnejdfjmmkpcnlpebklmnkoeoihofec , egjidjbpglichdcondbcbd
Security & IT News
LiveReal-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. "An attacker could exploit this vulnerability if they are able to send
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf , a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States. A criminal complaint unsealed today in an Alaska district court charges Jacob Butler , a.k.a. “ Dort ,” of Ottawa, Canada with operating the Kimwolf DDoS botnet. A statement from the Department of Justice says the complaint against Butler was unsealed following the defendant’s arrest in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant. Butler is currently in Canadian custody awaiting an initial court hearing scheduled for early next week. The government said Kimwolf targeted infected devices which were traditionally “firewalled” from the rest of the internet, such as digital photo frames and web cameras. The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as assaults that affected Internet address ranges for the Department of Defense . Consequently, the DoD’s Defense Criminal Investigative Service is investigating the case, with assistance from the FBI field office in Anchorage. “KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads. “These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.” On March 19, U.S. authorities joined international law enforcement partners in seizing the technical infrastructure for Kimwolf and three other large DDoS botnets — named Aisuru , JackSkid and Mossad — that were all competing for the same pool of vulnerable devices. On February 28, KrebsOnSecurity identified Butler as the Kimwolf botmaster after digging through his various email addresses, registrations on the cybercrime forums, and posts to public Telegram and Discord servers. However, Dort continued to threaten and harass researchers who helped track down his real-life identity and dramatically slow the spread of his botnet. Dort claimed responsibility for at least two swatting attacks targeting the founder of Synthient , a security startup that helped to secure a widespread critical security weakness that Kimwolf was using to spread faster and more effectively than any other IoT botnet out there. Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage
First VPN promised hackers complete anonymity for their cyberattacks. But Europol said it was able to notify the service’s users that they have now been identified.
Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. [...]
A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5. News article .
Deleted Google API Keys remain active for up to 23 minutes after deletion, exposing GCP, Gemini, BigQuery, and Maps data to attackers.
At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects. As organizations accelerate AI adoption, security teams are navigating new blind spots created by the broad distribution of agents, data, and identities across different tools and platforms. Microsoft Security ’s latest updates extend visibility, control, and protection across your expanding ecosystem, from third-party apps like Claude to your cloud environments and multi-cloud infrastructure. Together, these updates help your team secure what matters most—agents, data, and identities—without slowing your own innovation. Here’s what’s new: Cloud Security Solutions | Microsoft Security Microsoft Purview visibility now extends to Anthropic Claude Security and compliance teams can now detect and investigate Anthropic Claude usage alongside other cloud applications in the broader AI ecosystem. The new Anthropic Claude connector for Microsoft Purview delivers centralized visibility and oversight for Claude Enterprise and Claude Platform feed activity and chat conversations, enabling Microsoft Purview to provide insights on Claude interactions and audit log signals. This integration will provide visibility across Enterprise Claude.ai, Claude Console and Claude API, extending the Microsoft Purview experience and helping your teams protect sensitive data across your AI estate. New data security posture management experience in Microsoft Purview The new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available. This solution unifies and streamlines DSPM across scenarios, from discovery to protection, all the way to remediation, allowing teams to investigate risks and take actions on the same workflow. The new experience delivers goal-oriented flows, deeper remediation, expanded reporting, and third-party visibility. Your teams can efficiently discover sensitive data, assess risk, and take action at scale. Microsoft Purview Data Security Investigations extends investigative depth with custom examinations Microsoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth. OCR extracts text from images, bringing previously inaccessible visual content into scope for AI-powered deep content analysis. In addition to existing examination types that identify credentials, risk, and personally identifiable data, and help inform mitigation, investigators can define their own analysis with custom examination, enabling more tailored and flexible investigations based on their unique needs. Now, Data Security Investigations can extract text from images, like the one above, adding visual content into scope for AI-powered investigations. Microsoft Entra ID Account recovery securely restores account access Microsoft Entr
First VPN, a service used by ransomware actors and fraudsters, was dismantled by Europol
Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, more than $2.2 billion in potentially fraudulent App Store transactions in 2025 alone. [...]
A threat actor compromised an Nx developer and posed as a legitimate maintainer to publish a malicious extension on Visual Studio Marketplace
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen
Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation. [...]
A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. [...]
Cisco has released security updates to address a maximum-severity vulnerability in Secure Workload that allows attackers to gain Site Admin privileges. [...]
Recently, Rob wrote about a tool, Proxifier , that can intercept requests from specific processes. Proxifier is available for Windows, macOS, and Android. But I have not seen a generic Linux option yet. The advantage of a tool like Proxifier is the ability to target specific software. For debugging, reverse engineering, and similar tasks, selecting a specific process is quite useful, as it creates less noise to sift through and simplifies analysis. There are a few methods for how proxies are usually configured in Linux: Environment Variables Many software programs look for the environment variables http_proxy and https_proxy. These environment variables can be targeted by setting them for specific processes. Open a shell, set the environment variables, and run the software you wish to inspect in the same shell. export http_proxy= http://proxy.example.com:80 export https_proxy= http://proxy.example.com:443 ./software-under-test iptables The Linux firewall code, iptables, has a number of lesser-known interesting options that can help. For example, traffic can be redirected for a specific user: iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT --to-ports 8080 This example will direct all traffic generated by the user with UID 1234 to port 8080. Now start the software as this specific user (maybe set up a test user for that purpose), and you will only see traffic created by this specific user. There is no option to select a pid as pids are constantly changing, and there may be multiple pids if the process uses multiple threads, which is common for networking. Network Namespaces Usually, a particular Linux system uses a single routing table. Network namespaces enable the creation of separate routing tables for different processes. First, you create a new namespace. You need to assign interfaces to it, as namespaces cannot see network interfaces unless you explicitly add them. ip netns add testing # adding namespace 'testing' ip link set dev ens18 netns testing # add ens18 interface to testing. However, most use virtual interfaces ip netns exec testing software-under-test # execute software-under-test in namespace There are a number of more complete recipes for network namespaces available online. I find it the most versatile solution, particularly if environment variables do not work. The iptables solution is often simpler than namespaces, but you may end up with some unintended additional traffic. -- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter | (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. [...]
The first quarter of 2026 reinforced that attackers are moving faster, operating with greater coordination, and exploiting weaknesses before most organizations can respond effectively. From escalating geopolitical tensions to increasingly aggressive ransomware operations, the latest quarterly Threat Landscape Report highlights a security environment where reactive defense strategies are becoming unsustainable. Quarterly Threat Landscape Report findings Exploits unseat social engineering for top initial access vector (IAV) One of the biggest takeaways is that vulnerability exploitation surpassed social engineering as the largest initial access vector with 38% of the total. This would be interesting on its own, but when coupled with more than 50% of all exploited vulnerabilities actively being zero-click, network facing vulnerabilities, it indicates that, at least in the short term, attackers are finding AI-enabled vulnerability exploitation easier to accomplish than exploiting human behavior. These types of vulnerabilities require no authentication and no user interaction, giving attackers rapid pathways into exposed systems and edge infrastructure. At the same time, exploitation activity was frequently preceded by large spikes in public discussion across forums, blogs, and social media platforms, demonstrating how quickly threat actors operationalize publicly available information once vulnerabilities gain visibility. Geopolitics and FBI takedowns in the threat landscape Geopolitical instability also continued to shape cyber operations throughout the quarter, particularly in the Middle East, where cyber activity was increasingly synchronized with military escalation. Iranian state-aligned groups targeted government infrastructure, financial services, and industrial systems, while Russian and Chinese campaigns focused heavily on intelligence collection, telecommunications infrastructure, and persistent access operations designed to remain undetected over long periods of time. The result is a threat landscape where organizations must prepare not only for immediate disruption, but also for long-term persistence inside enterprise environments. Meanwhile, law enforcement operations targeting underground criminal infrastructure disrupted several major ransomware and credential marketplaces during Q1, including the seizure of RAMP and LeakBase. These takedowns have created operational pressure for cybercriminal groups, pushing threat actors toward smaller, decentralized communities and increasing internal distrust. A marked shift towards "pure extortion" The report also highlights the continued evolution of ransomware operations, particularly the growing shift toward “pure extortion” tactics focused on rapid data theft rather than traditional encryption-based attacks. Threat actors increasingly leveraged zero-click vulnerabilities to gain initial access, exfiltrate sensitive data, and pressure victims without deploying ransomware payloads that create ad