Last updated: July 5, 2026 at 9:01 AM UTC
Tag: infostealer (21 articles)

Cheap OnyxC2 service puts enterprise-grade data theft within easy reach

Researchers at BlackFog have detailed OnyxC2, a new malware-as-a-service sold on cybercrime forums that packages professional-grade data theft for as little as $250 a month, with a $500 premium tier adding hidden-desktop control and a $6,000 buyout option. It ships with a polished control panel and ready-made lures disguised as FinePrint, Windows Settings, a fake Windows update, and a game installer. Its payloads slipped past VirusTotal scanning when first uploaded and were still undetected weeks later, and builds use AES-256 encryption. The low price and turnkey design lower the barrier for less-skilled criminals to run capable infostealing campaigns.

Check
Watch endpoints for execution of lure-style installers impersonating FinePrint, Windows Settings, or Windows updates from untrusted sources, and hunt for unexplained outbound data transfers and hidden-desktop activity.
Affected
Organizations whose staff can be tricked into running disguised installers; the low cost and bundled lures widen the pool of attackers able to deploy capable infostealers.
Fix
Restrict software installation to approved sources, enforce application allow-listing and EDR with behavioral detection, train staff on disguised-installer lures, and monitor for and block anomalous data exfiltration.

WeedHack malware-as-a-service infostealer infects 116,000+ Minecraft systems via YouTube and SEO-poisoned fake mods and cheat clients

McAfee has detailed WeedHack, a malware-as-a-service infostealer campaign that has infected more than 116,000 systems since January by targeting Minecraft players. The malware spreads through malicious Minecraft mods, clients, cheats, and utilities promoted via YouTube videos (some with voice-over narration and thousands of views) and SEO poisoning of keywords matching popular clients like Meteor, Wurst, LiquidBounce, and Impact. WeedHack averages 2,000-3,000 infections daily, mostly in the US, Germany, India, and the UK, across 240+ distribution URLs and 3,820 unique malicious JAR files. It offers customers a dashboard to view stolen credentials and victim data. Some fake sites even link to legitimate GitHub repos to fabricate credibility.

Check
Brief staff and family-device users that Minecraft mods, cheats, and clients from YouTube links or search results frequently carry infostealers. Hunt endpoints for the 3,820 known WeedHack JAR hashes.
Affected
Minecraft players (often younger users on shared/home devices) installing third-party mods, cheats, and clients. 116,000+ infected since January, mostly US, Germany, India, UK. MaaS dashboard tracks victims.
Fix
Source Minecraft tools only from official project pages. Apply McAfee WeedHack IoCs and block known distribution URLs. Rotate credentials on any system that ran an untrusted JAR.

Ukraine cyber-police identifies 18-year-old Odesa infostealer operator linked to 28,000 stolen accounts and $721K California fraud

Ukrainian cyberpolice working with US law enforcement have identified an 18-year-old man from Odesa as the suspected operator of an infostealer operation that ran from 2024 through 2025 against customers of a California online retailer. The malware harvested 28,000 customer accounts; the operators used about 5,800 of them to make $721,000 in unauthorized purchases, leaving the retailer with around $250,000 in direct losses including chargebacks. The suspect ran the back-end infrastructure for processing and selling stolen session tokens. Police searched two residences and seized computers, phones, and bank cards. No arrest has been announced yet.

Check
Search HIBP and stealer-log marketplaces for your domain. If you run e-commerce, audit accounts with card-not-present orders that didn't match the legitimate user's device fingerprint in 2024-2025.
Affected
Customers of an unnamed California online retailer; 28,000 accounts harvested, 5,800 used in $721K of unauthorized purchases. Operation linked to a single 18-year-old in Odesa, Ukraine.
Fix
For affected users: rotate passwords, revoke active sessions, check card statements. For retailers: deploy session-binding device fingerprinting and require re-authentication for high-value card-not-present orders.

Leaked Shai-Hulud worm source code reused in four malicious npm packages, one adds Phantom Bot DDoS

After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OXsecurity, which discovered the campaign, counted about 2,678 combined downloads.

Check
Search package lock files and CI/CD logs for installs of chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils. Check your GitHub accounts for any repo named 'A Mini Sha1-Hulud has Appeared.'
Affected
Any organization whose developers install Node.js packages by name from npm without lockfile pinning or pre-publish vetting; the risk is highest because these packages typosquat the popular axios library and its companions.
Fix
Uninstall the four packages and rotate all developer GitHub tokens, npm tokens, and cloud credentials on affected machines. Block the C2 hosts 87e0bbc636999b.lhr.life and 80.200.28.28:2222 at egress.

SHub Reaper macOS infostealer spoofs Apple, Google, and Microsoft in one chain - backdoor, wallet hijack, document theft

SentinelOne has documented a new variant of the SHub macOS infostealer family called Reaper. Victims are lured through fake WeChat and Miro installers hosted on typo-squatted Microsoft domains, then prompted to run what looks like an Apple security update. Reaper avoids macOS Tahoe's new Terminal protections by routing its commands through the applescript:// URL scheme. Once running, it steals browser credentials, crypto wallets, dev configs, iCloud data, and Telegram sessions, replaces legitimate Exodus, Ledger, and Trezor wallet apps with backdoored copies, and installs a persistent fake Google Software Update LaunchAgent that gives the attacker an ongoing remote shell. Files larger than 85MB are uploaded in 70MB chunks.

Check
Hunt macOS endpoints for LaunchAgents named com.google.keystone.agent.plist that point at unsigned scripts in ~/Library/Application Support/Google/GoogleUpdate.app/, and search proxy logs for traffic to hebsbsbzjsjshduxbs.xyz.
Affected
macOS users who can be social-engineered into running an installer or AppleScript prompt outside the App Store. Heavily targets developer, finance, and crypto-holding personas.
Fix
Remove the malicious LaunchAgent and persistence script. Rotate all credentials in the browser keychain, crypto wallets, iCloud, Telegram, and any tokens in shell history or .gitconfig. Enforce MDM blocking unsigned LaunchAgents.

REMUS infostealer profiled - 64-bit Lumma successor with EtherHiding C2 and Chromium ABE bypass

Flare published a deep profile of REMUS, the 64-bit infostealer that emerged in early 2026 after Lumma Stealer's core operators were doxxed in late 2025. Gen Threat Labs links REMUS directly to Lumma's codebase through 'Tenzor' transitional builds from September 2025, identical string obfuscation, anti-VM checks via cpuid leaf 0x40000000, and a refined Application-Bound Encryption bypass for Chromium browsers. The malware harvests browser passwords, cookies, autofill, crypto wallets, and clipboard data, and uses EtherHiding (blockchain-based C2 resolution) for resilience. Flare's 128-post analysis of REMUS forum activity from Feb 12 to May 8 shows the operation has moved from rapid feature expansion into platform stabilization, with active customer-facing MaaS development.

Check
Hunt for processes reading Chromium browser process memory to extract master keys, look for outbound traffic resolving C2 through Ethereum or other blockchain RPC endpoints (EtherHiding), and review browser cookie store access patterns.
Affected
Enterprises with users running Chromium-based browsers (Chrome, Edge, Brave) and saved passwords or session cookies. Crypto-holding individuals and finance, accounting, and developer roles with broad SaaS account access face elevated session-theft risk.
Fix
Roll out Application-Bound Encryption hardening on managed Chromium browsers, enforce conditional access with continuous access evaluation to invalidate stolen sessions, block known REMUS C2 indicators, and replace browser-stored passwords with an enterprise password manager.

Mac malware campaign uses Google ads and 'Apple Support' Claude.ai chats to install infostealer

Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.

Check
Check macOS endpoint logs for Terminal executions of curl or base64 piped to bash in the last 7 days, and review who clicked sponsored Google results for 'Claude mac download'.
Affected
macOS users who searched Google for 'Claude mac download' or similar terms and ran a Terminal command from a shared Claude.ai chat attributed to 'Apple Support'. Two payload variants seen: a MacSync infostealer that exfiltrates Keychain and browser secrets, and a polymorphic in-memory shell payload that profiles the host and delivers a second stage via osascript.
Fix
Rotate browser-saved passwords and macOS Keychain credentials for any user who may have run the malicious command. Sign out and re-authenticate browser sessions to invalidate stolen cookies. Block the indicator domains customroofingcontractors[.]com and bernasibutuwqu2[.]com at network egress. Reinforce with users that they should never install software from chat or terminal instructions - only from official vendor download pages.

Vercel breach root cause revealed: Lumma Stealer on a Context.ai employee's laptop, delivered via Roblox auto-farm scripts

Follow-up: this is the origin-story update to the Vercel breach disclosed April 19 (which our publication did not cover at the time). Hudson Rock traced the initial compromise to a Context.ai employee whose laptop was infected by Lumma Stealer malware in February 2026 after the user downloaded Roblox 'auto-farm' scripts and game-exploit executors - a notorious delivery vector for infostealers. The malware harvested that employee's Google Workspace credentials plus access keys and logins for Supabase, Datadog, and Authkit. The haul also included the support@context.ai account, letting the attacker escalate inside Context.ai, reach its AWS environment, and then pivot through compromised Google Workspace OAuth tokens into a Vercel employee's enterprise workspace that had granted the 'AI Office Suite' app 'Allow All' permissions. The attacker (ShinyHunters, now selling the data for $2M on BreachForums) read Vercel environment variables not flagged as 'sensitive.' Google pulled the Context.ai Chrome extension (ID omddlmnhcofjbnbflmjginpjjblphbgk) on March 27 - it embedded an OAuth grant for read access to users' entire Google Drive. The lesson is brutal: one employee's personal risky behavior on a work device cascaded through four SaaS platforms into a supply-chain breach that a threat actor is now auctioning.

Check
If any employee at your company has ever signed into Context.ai with a corporate Google Workspace account, treat that account as compromised and begin full credential rotation and OAuth review immediately.
Affected
Any Google Workspace tenant where an employee granted the Context.ai 'AI Office Suite' OAuth app broad permissions (specifically OAuth app IDs 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com and 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com). Any Vercel customer whose environment variables were not explicitly marked 'sensitive'. Any organisation whose employees also install uncurated browser extensions or run game cheats on corporate devices (a pattern that keeps reappearing in infostealer cases).
Fix
In Google Workspace admin, search the OAuth app inventory for the two Context.ai client IDs above and revoke them from every user. On Vercel, audit and rotate every environment variable not marked 'sensitive' across every project, and going forward default-enable sensitive flags on new environment variables. Rotate Supabase, Datadog, and Authkit tokens that were ever accessible from a Context.ai-linked Google account. Pull 60 days of audit logs for each affected SaaS and look for impossible-travel sign-ins, new OAuth grants, and unexpected API-key creation. Block game-cheat and executor download domains at the corporate DNS layer and communicate the Roblox-script risk directly to staff.

Self-propagating npm worm hits Namastex Labs packages, steals secrets across npm, PyPI, and crypto wallets

A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.

Check
Search your package-lock and yarn.lock files and private registry caches for any of the listed Namastex Labs versions, and then rotate every credential that has ever been present on a machine that installed them.
Affected
Confirmed malicious versions per Socket: @automagik/genie 4.260421.33 through 4.260421.39; pgserve 1.1.11 through 1.1.13; @fairwords/websocket 1.0.38 through 1.0.39; @fairwords/loopback-connector-es 1.4.3 through 1.4.4; @openwebconcept/theme-owc 1.0.3; @openwebconcept/design-tokens 1.0.3. Any additional npm package republished by an account whose publish token was exfiltrated by this worm is also potentially malicious.
Fix
Remove the listed versions from development environments, CI/CD runners, and private mirrors immediately. Rotate every secret the worm would have seen: npm publish tokens, PyPI tokens, cloud provider keys, CI/CD deploy keys, SSH keys, LLM platform API keys, container registry credentials, and any crypto wallet seeds stored in browser extensions on affected machines. Audit your package caches and internal mirrors for related packages that share the same public.pem file, webhook host, or postinstall pattern (Socket publishes IoCs for this). Pin production dependencies to known-good versions with integrity hashes and deny the newest versions of the affected packages in your package firewall until forensics is complete.

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.