Steve Thomas - IT Consultant

When it comes to writing malware, the majority of threat actors seem to have got their creative juices flowing, new research has claimed.

A report from BlackBerry claims the company has detected and stopped significantly more unique malware strains, recording the highest quarter-over-quarter increase ever documented.

The company's latest Global Threat Intelligence Report says its tools detected and stopped an average of 11,500 unique malware samples daily between April and June 2024, a 53% increase compared to the January to March period.

Prioritizing impact

Ismael Valenzuela, BlackBerry’s VP of Threat Research and Intelligence, believes this is what happens when new threat actors emerge and old ones survive takedown attempts.

“This signals that these groups are allocating their resources to prioritize the impact of their attacks rather than sheer volume,” he noted. “Additionally, minor altering of a piece of malware might not seem very sophisticated but contributes to an overwhelming increase in the success and severity of attacks.”

So, creating unique malware increases the chances of success. BlackBerry adds that private data will continue being the number one target of these attacks.

Overall, BlackBerry’s tools apparently stopped 3.7 million cyberattacks in the period, or 43,500 every day. This is an 18% increase quarter-on-quarter, the company said, adding that critical infrastructure remained a top target (800,000 attacks). Of these numbers, 50% focused on the financial sector, up 10% quarter-on-quarter. Speaking of critical infrastructure, the industry experienced a significant uptick in attacks using unique malware, “due to its higher likelihood of success.”

Finally, the researchers added that the cybersecurity industry should be wary of emerging threats. Well-established actors such as LockBit remain a major threat, but cybersecurity pros should not ignore up-and-coming groups such as BlackSuit or Space Bears.

More from TechRadar Pro

HP Arctic Wolf researchers claim to have found evidence hackers are using Generative Artificial Intelligence (GenAI) tools to create malware and other malicious code.

GenAI tools such as ChatGPT or Gemini are being used left and right to create convincing phishing emails, professional-looking landing pages, and similar, the researchers say, and the evidence for this is apparently overwhelming.

However, when it comes to spotting malware code written by robots, it’s a different story: “To date there has been limited evidence of threat actors using GenAI tools to write code,” HP said.

The French under attack

Whether HP is the first to find such evidence is hard to tell, as security firm Proofpoint made a similar claim back in April 2024 concerning a PowerShell malware strain.

Regardless of the timing, HP says it identified a campaign targeting the French-speaking community with VBScript and JavaScript that were probably written with the help of GenAI.

The researchers believe these findings are a big deal: "Speculation about AI being used by attackers is rife, but evidence has been scarce, so this finding is significant,” commented Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab.

“Such capabilities further lower the barrier to entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains, and launch more damaging attacks.”

It’s still a long shot, since one would need significant knowledge to pull off a malware campaign, but GenAI would definitely be helpful.

“The structure of the scripts, comments explaining each line of code, and the choice of native language function names and variables are strong indications that the threat actor used GenAI to create the malware,” the researchers said. “The attack infects users with the freely available AsyncRAT malware, an easy-to-obtain infostealer which can record victim’s screens and keystrokes. The activity shows how GenAI is lowering the bar for cybercriminals to infect endpoints.”


A new Android malware has been spotted spreading across Europe masquerading as popular software and apps.

Octo2, seemingly a successor to the wildly popular Octo trojan, was detected by cybersecurity researchers from ThreatFabric, who warned hackers have been spreading it under the guise of popular VPN software, browsers, and more. Victims would be tricked into visiting either fake websites or risky third-party app repositories, where they would download what appeared to be NordVPN, Google Chrome, or an app called Europe Enterprise.

These apps do not work as advertised, and instead infect the device with Octo2, an advanced Android trojan that grants crooks remote access capabilities, screen recording with invisibility, keylogging, various self-protection techniques, on-device fraud, SMS and notification manipulation, and more.

Notable improvements

Compared to the original Octo, the second version comes with a few notable improvements, including better operational stability, more advanced anti-analysis and anti-detection mechanisms, and a domain generation algorithm (DGA) that gives threat actors more resilient command-and-control (C2) communication.

Since the malware is not distributed through Google Play, the official Android app store, it is difficult to determine exactly how many devices are infected. ThreatFabric claims that the majority of the victims are located across Europe - in Italy, Poland, Moldova, and Hungary.

However, the original Octo was a malware-as-a-service (MaaS) platform, and its victims were found all over the world, including the US, Canada, Australia, and the Middle East. Therefore, it’s safe to assume it’s only a matter of time before Octo2 is spotted there, as well.

ThreatFabric believes Octo2 is the developer’s response to Octo’s source code leaking earlier this year. When it happened, many threat actors used the code to create unique versions of the malware, possibly hurting the developer’s sales. Therefore, Octo2 could be a way to bring them back. Allegedly, there is a special discount for Octo users, as well.

Via BleepingComputer


Hackers have modified the infamous Mallox ransomware to also target Linux systems, experts have claimed.

The new version is called Mallox Linux 1.0, and was recently discovered by cybersecurity researchers SentinelLabs, after Mallox’s operators mistakenly leaked their tools.

The analysis of the tool led the researchers to conclude that Mallox Linux 1.0 is actually a rebrand of the Kryptina encryptor. Kryptina was built last year by a threat actor using the alias “Corlys”, who tried to rent out the tool for roughly $800. However, since the cybercriminal community did not show much interest in the tool, Corlys shared it for free, in hopes that someone might pick it up.

TargetCompany

Now, it seems Mallox did, since the new variant uses Kryptina’s source code, the same encryption mechanism (AES-256-CBC), and the same decryption routines. Furthermore, it uses the same command-line builder and configuration parameters, too. Therefore, Mallox devs only changed the name and appearance of the encryptor, and removed any mention of Kryptina from the documents. Everything else is left unchanged.

For now, there is no word on potential victims, but in their analysis, researchers from Kaspersky said Mallox affiliates “do not restrict their activities to a specific country”. Instead, they attack vulnerable companies wherever they are. However, the majority of the firms struck by a variant of Mallox are located in either Brazil, Vietnam, or China.

The ransomware is also known as Fargo, or TargetCompany, and has been active in one form or another since June 2021. At first, it was targeting mostly unsecured MS-SQL servers, Sekoia found. Another Mallox hallmark is to threaten the victims, especially those in the European Union, about potential GDPR violations.

Between October 2022 and March 2023, its affiliates stole data from at least 20 organizations.

Via BleepingComputer


Python developers working on Mac devices are being targeted by North Korean hackers once again, experts have warned.

A report from cybersecurity researchers Unit 42 has claimed the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by Lazarus Group, an infamous hacking collective on North Korea’s payroll. It revolves around creating fake job ads and luring software developers to apply. During the hiring process, the crooks would trick the devs into downloading and running malicious packages, thus granting the attackers access to important resources.

In this instance, the criminals were observed uploading weaponized Python packages to PyPI, one of the world’s most popular Python package repositories.

PondRAT

So far, the researchers identified four packages, which were subsequently reported and removed from the platform:

real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)
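A defender's first question on reading a list like this is whether any of the named packages made it into their own dependency manifests or virtual environments. The following Python script is an added example, not part of the TechRadar article or Unit 42's report: it parses a requirements.txt, normalizes project names the way PyPI does (PEP 503: lowercase, with runs of `-`, `_` and `.` collapsed to a single `-`), and reports any line that matches the four package names above. The sample requirements file embedded in it is constructed for the example.

```python
"""Check a requirements file and the local environment for the PyPI packages
named in the Unit 42 report quoted above (all four have since been removed from PyPI).
Added example code; the blocklist contents come from the article, everything else is
illustrative."""
import re
from importlib.metadata import distributions
from typing import Iterable, List, Optional, Tuple

# Package names reported by Unit 42 (from the article). Extend with your own IoC feed.
REPORTED_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# A requirement line starts with the project name; specifiers, extras ([...]) and
# environment markers (; ...) follow and are ignored here.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_name(line: str) -> Optional[str]:
    """Return the normalized project name from one requirements.txt line, or None for
    blank lines, comments and option lines such as '-r other.txt' or '--index-url ...'."""
    stripped = line.split("#", 1)[0].strip()  # drop trailing comments
    if not stripped or stripped.startswith("-"):
        return None
    match = _NAME_RE.match(stripped)
    return normalize(match.group(1)) if match else None


def find_flagged(lines: Iterable[str], blocklist: Iterable[str] = REPORTED_PACKAGES) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_name) for every requirement on the blocklist."""
    wanted = {normalize(n) for n in blocklist}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        name = parse_requirement_name(line)
        if name is not None and name in wanted:
            hits.append((lineno, name))
    return hits


def find_flagged_installed(blocklist: Iterable[str] = REPORTED_PACKAGES) -> List[str]:
    """Return blocklisted distributions installed in the current interpreter."""
    wanted = {normalize(n) for n in blocklist}
    installed = set()
    for dist in distributions():
        name = dist.metadata["Name"]  # may be None for broken metadata
        if name and normalize(name) in wanted:
            installed.add(normalize(name))
    return sorted(installed)


# Constructed sample requirements.txt for this example (not a real project file).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests>=2.31
Real_IDs==1.0.2        # normalizes to real-ids, so it is flagged
colored-txt
beautifultext[extra] ; python_version >= "3.8"
minisound
-r base.txt
"""


if __name__ == "__main__":
    for lineno, name in find_flagged(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {lineno}: {name} is on the blocklist")
    for name in find_flagged_installed():
        print(f"installed: {name} is on the blocklist")
```

Note that the match is exact after normalization: `colored-txt` on line 4 of the sample is not flagged, because it normalizes to `colored-txt`, not `coloredtxt`. That is deliberate, since fuzzy matching against a short list produces more noise than signal; for typosquat coverage, feed the script a broader IoC list rather than loosening the comparison.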

These packages were allegedly holding a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus was observed deploying in the past.

PondRAT can’t do everything POOLRAT can, but it can still upload and download files, run arbitrary commands, or even pause its activity for a while.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said. Gleaming Pisces, Unit 42 claims, is a sub-group of Lazarus.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

For months now, Lazarus has been creating fake job ads, attempting to compromise developers working in high-profile organizations. It was also seen trying to get hired by these firms, too.

Via The Hacker News


MoneyGram has said it is experiencing a “cybersecurity issue” that has forced it to shut down parts of its IT infrastructure.

The incident seems to have started on Friday, when customers first started complaining about the service not being operational. The company posted its first announcement on X on Sunday, saying it was experiencing a network outage, but in replies to the tweet, the customers slammed the company for “waiting this long to admit there is a problem.”

A day later, MoneyGram gave more details, saying it identified a “cybersecurity issue”, which forced it to take parts of its IT infrastructure offline, launch an investigation, and bring in external cybersecurity experts and law enforcement. The company did not clearly state if this was a ransomware attack, and no ransomware operators have assumed responsibility for the attack yet.

Money stuck in the void

At press time, the company’s website was still offline, holding only a short message saying “We're busy updating the website. Please check back soon.”

MoneyGram also did not say which services it had to bring down, but since customers from all over the world are complaining, it’s safe to assume that online transactions are not working. The Register reports that in-person payments are also not operational.

There is currently no ETA on when the company might bring its services back online. If similar incidents elsewhere are any indication, it could take up to a week to restore at least some systems.

MoneyGram is a hugely popular solution, with more than 150 million customers worldwide. And by being a payments processor, it is a prime target for cybercriminals. If crooks managed to steal sensitive data from the company, it could spell trouble for many people.

Via The Register


Cybersecurity researchers have revealed malware managed to sneak into the Google Play app store thanks to a compromised software development kit (SDK).

The malware, called Necro, ended up on at least 11 million devices, and quite possibly a lot more, the team from Kaspersky noted. Necro infiltrated an advertising SDK named ‘Coral SDK’, which is meant to integrate different advertising modules into an application. However, using steganography, the SDK delivers a second-stage payload capable of a number of malicious activities, including loading ads through invisible WebView windows, downloading and running arbitrary JavaScript files, facilitating fraud, and rerouting malicious traffic.

Two seemingly legitimate applications picked up this SDK - a photo editing tool called Wuta Camera by 'Benqu,' and Max Browser by 'WA message recover-wamr.' The former has more than 10 million downloads, and the latter - one million.

Updating flawed apps

After Kaspersky discovered the malware and notified the developers, Wuta Camera was fixed and the malicious code removed. If you are using this app by any chance, make sure to update it to version 6.3.7.138. Max Browser, on the other hand, is still compromised, and the researchers are suggesting deleting the app and switching to a different browser.

Google’s Play Store keeps track of, and displays, the number of downloads. Cumulatively, it is more than 11 million on the platform. However, compromised apps are being distributed through other means, too. Therefore, the number of compromised mobile endpoints is quite likely a lot bigger. Kaspersky found multiple other apps, distributed on third-party websites, carrying the Necro malware, including modded versions of WhatsApp (GBWhatsApp and FMWhatsApp), Spotify (Spotify Plus), Minecraft, Stumble Guys, and many others.

Google is usually very diligent when it comes to protecting its app repository, but even the strongest defenses can sometimes be breached. When downloading new apps, it would be wise not to blindly trust anything found on official stores. Instead, also look at the number of downloads, ratings, and reviews.

Via BleepingComputer


Just being mentioned on the dark web makes a company far more likely to suffer a cyberattack, new research has claimed.

A report from Searchlight Cyber and the Marsh McLennan Cyber Risk Intelligence Center looked to see if the presence of data relating to an organization on the dark web increases risk of cyberattacks.

The ‘dark web’ is the part of the internet that cannot be accessed via a browser in a usual manner, and is generally used by cybercriminals to share resources, sell goods and services, and communicate.

Combined sources for more risk

Analyzing Searchlight’s dark web dataset against a sample of 9,000+ organizations with an overall breach rate of 3.7% between 2020 and 2023, the report found a significant correlation: if a dark web mention contains compromised users, there is a 2.56 times higher chance of that company being struck by a cyberattack.

The mention of an organization or data related to an organization on a dark web market increases the likelihood of a cyberattack 2.41 times. Also, the mention of an organization or data related to an organization on plain-text repositories increases the chance 1.88 times.

To make matters worse, combining multiple sources provides an even stronger indication of increased risks.

“If security teams can identify their exposure on the dark web they have a huge opportunity to proactively act, adjust their defenses, and effectively stop attacks before they are launched by cybercriminals,” commented Ben Jones, Co-Founder and CEO of Searchlight Cyber.


Computer manufacturing giant Dell is looking into claims that its infrastructure was breached and sensitive data on thousands of employees stolen.

Late last week, a threat actor with the alias ‘grep’ posted a new thread on the infamous dark web forum BreachForums. In it, they offered a large Dell database for sale, allegedly containing sensitive employee information.

“In September 2024 Dell suffered a minor data breach that exposed internal employees data,” the thread reads. “Were affected over 10 800 employees belonging to Dell and their partners. Compromised data: Employee ID, Employee full name, Employee status, Employee internal ID.”

No word from Capgemini yet

If the database turns out to be legitimate, this could be quite a problem for Dell, since the information can be used in identity theft and phishing, potentially compromising Dell further. Crooks could impersonate company employees to communicate with other workers and have them disclose secrets, grant access to restricted areas of the infrastructure, or even deploy ransomware.

To make matters worse, the database can be obtained quite easily. A small sample has been available for free, and the entire database can be purchased for 1 BreachForums credit (roughly $0.30).

Now, Dell told BleepingComputer that it is investigating the claims of the breach.

"We are aware of the claims and our security team is currently investigating," the company told the publication.

Earlier this month, grep claimed to have breached French tech and consulting giant, Capgemini. They said they obtained 20 GB worth of sensitive data, including databases, source code, private keys, credentials, API keys, projects, employee data (including names, email addresses, usernames, and password hashes). The archive also contains backups, and Capgemini clients’ internal configuration details for cloud infrastructure.

The crook even shared alleged T-Mobile virtual machine logs. But a T-Mobile US representative debunked the claim, saying the data does not belong to that company. "This is not T-Mobile US," they told us. "From what we can tell, we believe this may be a T-Mobile brand outside of the US."

Via BleepingComputer


The hacker who managed to break into countless corporate Snowflake accounts and steal the data found inside is still active, researchers are saying. To this day, they are actively trying to extort money out of the victims of the attack that happened months ago.

This is according to Mandiant’s senior threat analyst Austin Larsen, Cyberscoop reports. Larsen spoke during SentinelOne’s LABScon security conference that took place last week and shared the news on the progress of the investigation. Mandiant was the company that Snowflake brought in to investigate the incident this spring, when it was first spotted.

Back then, Mandiant said it was tracking the crook under the moniker UNC5537, but since then they said they go by either “Judische”, or “Waifu”. They are actively targeting software-as-a-service (SaaS) organizations, and the newest incident happened “as recently as today,” Larsen said.

Brute-force

In April this year, a threat actor mounted a brute-force attack against the cloud storage service provider Snowflake, since many of its customers were not using multi-factor authentication (MFA). They successfully broke into many organizations, including Santander Bank, Ticketmaster, and many others. Initially, it was thought that at least 165 organizations were compromised. However, Larsen now believes mere “dozens” of firms were affected.

Mandiant “obtained a series of private communications in which we were able to identify [Judische and associates] essentially coordinating and planning a lot of the Snowflake activity, in some cases, even telling the IP address that they’re dumping logs to,” Cyberscoop cited Larsen.

The group allegedly extorted between $2 million and $2.7 million, and continues to strike organizations to this day.

The identity of the attacker is unknown, but the truth is slowly unraveling. Both Mandiant and cybersecurity journalist Brian Krebs believe the hacker is a 26-year-old software engineer located in Ontario, Canada.

Via Cyberscoop


Harvey Nichols, a luxury British department store chain known for offering high-end fashion, beauty, food, and home products, suffered a cyberattack in which crooks stole sensitive user data. The company confirmed the news in data breach notification letters it recently started mailing to affected customers.

In the email, the company said that it lost people’s names, postal addresses, phone numbers, company names, and email addresses. It described the information stolen as “non-sensitive” despite the fact that it can be used in dangerous phishing attacks that can result in wire fraud, ransomware attacks, and more.

Luckily, payment information and login credentials were not exposed.

Missing key details

Besides the data breach notification letters, the company is tight-lipped about the breach. It said nothing about it on its website or social media accounts. On X, it advises victims to reach out via email for further assistance. Therefore, we don’t know who the attackers are, when the attack happened, how they breached the network, or if they used any malware or ransomware in their attack. We also don’t know how long the crooks dwelled on the target infrastructure, how they were spotted, or if they reached out to the company with any ransom demands. TechRadar Pro has reached out to the company with these questions and will update the article if we hear back.

Harvey Nichols did say that the hole which allowed the crooks to wiggle their way in has been closed since the intrusion was first observed. "The issue that allowed the attack to succeed has now been closed so our system is once again fully secure, and we have engaged experts to ensure it remains so,” it said. It also claims it saw no evidence of data misuse, just yet.

“Please remain vigilant if you receive any suspicious emails or calls claiming to be from Harvey Nichols,” the company concluded. The Information Commissioner's Office and the Data Protection Commission in Ireland have both been notified about the breach.

Via The Register


‘Hotpatching’ - the ability to install important patches without needing to restart the endpoint - is coming to Windows Server 2025.

The news was confirmed on the Windows blog late last week, when Windows Server Director of Product, Hari Pulapaka, announced the feature in preview.

“You asked and we delivered: Standard and Datacenter edition server hotpatching - security updates without reboots - is ready for your evaluation in Windows Server 2025 Azure Arc-enabled Hotpatch public preview,” the blog reads. “This feature will be a game changer; simpler change control, shorter patch windows, easier orchestration… and you may finally get to see your family on the weekends.”

General availability soon

Being able to install important updates without the need to restart the device is a big deal, since the patches will be deployed faster, with fewer resources used. Furthermore, fewer reboots also mean less workload impact, and better security.

"Instead of 12 mandatory reboots a year on 'Patch Tuesday,' you'll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month)," Pulapaka added.

The feature will be available through Azure Arc, which will enable management and allow the Windows Server internal licensing service for Hotpatch to run and deliver updates to users.

"When Windows Server 2025 becomes generally available, you will be able to run the edition you want, where you want - whether on-prem, in Azure, or elsewhere," Pulapaka concluded.

"You'll have an option to hotpatch Windows Server 2025 physical servers or virtual machines, and those VMs can run on Hyper-V, VMware, or anywhere else that supports Microsoft's protection-focused Virtualization Based Security standard."

Those interested in enabling the Hotpatching feature on their Windows Server 2025 Datacenter and Standard edition evaluation machines should activate the service through the built-in Azure Arc agent setup. They also need to be running the Windows Server 2025 Datacenter evaluation with Virtualization Based Security enabled, have the KB5040435 July security update installed, and be connected to Azure Arc.
