Hackers abuses cloud hosting services to distribute Stealer Malware by mixing it up with good ones to prevent the malware from getting blacklisted.
Researchers from Zscaler ThreatLabZ observed a popular hosting provider serving the domain used in phishing and malware attacks in wild.
Researchers found the domain http[:]//flexsell[.]ca which is hosted on IP 64[.]34[.]67[.]205 distributes weaponized word documents that contains a payload capable of stealing cryptocurrency wallet information.
The Stealer Malware particularly targeting the following cryptocurrency wallets Bitcoin, Electrum, and Monero.
The weaponized word documents contain an obfuscated malicious macro which will be executed once the documents are opened and initiate the HTTP request to download the Stealer Malware without user consent.
The malware package is custom packed and hardcore, it decrypts on runtime, upon execution it collects the details such as machine ID, EXE_PATH, Windows, computer (username), screen, layouts, local time, and CPU model form the system and submit to C&C server.
Its communication with C&C server is hardcoded, on the infected machine malware searches for default location was digital wallet stored, browser cookies and login details of popular applications like Pidgin, WinSCP, and Psi+.
With another campaign the attackers abused the hosting services for hosting the phishing pages, attackers targeted Microsoft and DocuSign with the phishing attack.
Phishing is a fraud mechanism used to obtain sensitive data such as usernames, password, and credit card details to carry out various malicious activities.
Zscaler published the blog post contains’ complete IoC and URL’s used by attacker’s to deliver malware.
Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet
The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…
A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…
A surge in phishing text messages claiming unpaid tolls has been linked to a massive…