New Plague Linux malware stealthily maintains SSH access

A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.

Nextron Systems security researchers, who identified the malware and dubbed it “Plague,” describe it as a malicious Pluggable Authentication Module (PAM) that uses layered obfuscation techniques and environment tampering to avoid detection by traditional security tools.

This malware features anti-debugging capabilities to thwart analysis and reverse engineering attempts, string obfuscation to make detection more difficult, hardcoded passwords for covert access, as well as the ability to hide session artifacts that would normally reveal the attacker’s activity on infected devices.

Ransomware gangs join attacks targeting Microsoft SharePoint servers

Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.

Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).

The ransomware was detected on July 27, after researchers discovered a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).

Attackers exploit link-wrapping services to steal Microsoft 365 logins

A threat actor has been abusing link-wrapping services from reputable technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials.

The attacker abused the URL-wrapping security feature of cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns running from June through July.

Some email security services include a link-wrapping feature that rewrites the URLs in a message to point at a trusted domain, so that each click passes through a scanning server designed to block malicious destinations.

Mozilla warns of phishing attacks targeting add-on developers

Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.

Mozilla’s add-on platform hosts over 60,000 browser extensions and more than 500,000 themes used by tens of millions of users worldwide.

According to Mozilla’s advisory, these phishing emails are impersonating the AMO team and claim that the targeted developer accounts require updates to maintain access to development features.