#malware
24 articles
The technology, cryptocurrency, and software development sectors were the most affected in the 33 malware articles published between April 10 and 29, 2026, which covered one critical and 30 high-severity incidents. Named threats including CanisterSprawl, FakeWallet, and Fast16 were observed in global operations, with notable impact in Ukraine, Brazil, and Taiwan. Coverage concentrated on financial services and critical-infrastructure targets, reflecting a dense wave of malicious activity during this period.
[CRITICAL] SAP npm Packages Hijacked in Credential-Stealing Supply Chain Attack
Attackers compromised multiple SAP-related npm packages to deploy credential-stealing malware, targeting SAP BTP and cloud app credentials. Campaign dubbed mini Shai-Hulud.
[HIGH] Fast16 Malware Resurfaces in Supply Chain Attacks Abusing Trusted
Fast16 malware resurfaces in new supply chain attacks, abusing remote monitoring tools and browser extensions to steal credentials. Campaign targets enterprise environments.
[HIGH] GlassWorm Malware Returns via 73 OpenVSX Sleeper Extensions
A new GlassWorm campaign deploys 73 sleeper extensions on OpenVSX that activate malicious behavior post-update, targeting VS Code users in dev environments.
[HIGH] CanisterSprawl Worm Hijacks npm Packages, Steals Developer Tokens
The CanisterSprawl supply chain worm hijacks npm packages, uses stolen developer tokens to self-propagate, and exfiltrates data to an ICP canister, according to Socket and…
[HIGH] North Korean Hackers Steal $12 Million in Crypto via Trojanized
North Korean hackers siphoned over $12 million from crypto users in Q1 2026 using trojanized trading apps like CoinStats and TradingView AI Agent to steal recovery phrases and…
[HIGH] Fake TradingView AI Agent Site Drops Browser-Hijacking Malware
A malicious website impersonating a TradingView AI agent deploys malware that hands attackers full control of victims' browsers, enabling account theft and financial data…
[HIGH] NGate Malware Trojanizes HandyPay App to Steal Brazilian NFC Data
NGate malware, using AI-generated code, has infected the legitimate HandyPay NFC app to steal payment card data and PINs from over 220,000 Android users in Brazil, according to ESET.
[HIGH] PureRAT Malware Evades Detection with PNG-Stashed Payloads
PureRAT hides its Windows PE payloads inside PNG files and executes them filelessly in memory, a technique detailed by cybersecurity researchers analyzing a new sophisticated campaign.
[MEDIUM] Threat Actors Embed Malicious Payloads in .WAV Audio Files
SANS ISC reports threat actors are using .WAV audio files to deliver malware payloads, exploiting the format's ability to conceal malicious code within seemingly benign audio data.
[HIGH] FakeWallet Crypto Stealer Infects iOS Devices via Apple App Store
Kaspersky discovered 22 malicious iOS apps on the official App Store impersonating crypto wallets like MetaMask and Coinbase, stealing seed phrases and private keys from over 1,000 victims.
[HIGH] MiningDropper Framework Delivers Infostealers, RATs to Android Devices
MiningDropper, a multi-stage Android malware framework, delivers infostealers, RATs, and banking trojans to devices via disguised apps, according to CyberSecurity News researchers.
[HIGH] UNC1069 Targets Crypto Professionals with Fake Zoom and Teams Meetings
North Korean threat actor UNC1069 lures Web3 professionals with fake Zoom and Microsoft Teams meetings to deploy malware that steals cryptocurrency, according to new research.
[HIGH] Fake Data Breach Notifications Deploy Malware, Steal Credentials
Threat actors are weaponizing data breach notifications, sending fake alerts that trick users into downloading malware or entering credentials on phishing sites, according to ESET research.
[HIGH] Fake Proton VPN Sites and Gaming Mods Spread NWHStealer Malware
A new Windows information stealer dubbed NWHStealer is being distributed via fake Proton VPN websites, gaming modifications, and hardware utility downloads, targeting credentials and cryptocurrency wallets.
[HIGH] Email-Borne Worm Surge Targets Industrial Control Systems
A global wave of email-borne worms, driven by a single piece of malware, targeted industrial control systems (ICS) in Q4 2025, marking a significant shift in OT threats.
[HIGH] Sapphire Sleet Targets macOS Users with Fake Zoom SDK Update
North Korean threat actor Sapphire Sleet is distributing a new macOS malware via a fake Zoom SDK installer, stealing passwords, crypto wallets, and personal data through a multi-stage social engineering campaign.
[HIGH] Industrial Control Systems Face Rising Malware, USB Threats in Q4 2025
Kaspersky data shows malware blocked on 33.3% of industrial control system computers in Q4 2025, with internet threats and removable media as top infection vectors. The share of systems facing USB-borne threats grew to 4.1%.
[HIGH] Researchers Map Over 1,250 Active C2 Servers Across Russian Hosting Providers
A three-month investigation has identified more than 1,250 active command-and-control servers operating across 165 Russian hosting providers, forming a resilient infrastructure for malware and ransomware operations.
[HIGH] UAC-0247 Threat Actor Targets Ukrainian Hospitals and Government with
The UAC-0247 threat actor is actively targeting Ukrainian municipal healthcare and government bodies, deploying malware to steal browser data, WhatsApp sessions, and credentials while moving laterally within networks.
[HIGH] AgingFly Malware Targets Ukrainian Government and Hospitals
A new malware family dubbed 'AgingFly' is stealing authentication data from Chromium browsers and WhatsApp in targeted attacks against Ukrainian local government bodies and hospitals.
[HIGH] Threat Actors Weaponize n8n Workflow Platform for Phishing and Payload Delivery
Attackers have been abusing the legitimate n8n workflow automation platform since October 2025 to send phishing emails and deliver malware, leveraging its trusted infrastructure to bypass email security filters.
[HIGH] LucidRook Malware Targets NGOs and Universities in Taiwan via Spear-Phishing
A new Lua-based malware, LucidRook, is being deployed in targeted spear-phishing attacks against NGOs and universities in Taiwan, using decoy documents to establish persistence and exfiltrate data.
[HIGH] Fake Claude AI Site Delivers PlugX Malware in Trojanized Installer
A sophisticated phishing campaign uses a counterfeit Claude AI website to distribute a trojanized installer, deploying the remote access trojan PlugX to establish persistent backdoor access.
[HIGH] Ransomware Gangs Evolve EDR Evasion, Adopt New Driver-Based Killers
ESET Research reports ransomware operators are expanding their arsenal of EDR-killing tools, moving beyond exploiting vulnerable drivers to using legitimate but maliciously signed drivers for stealth.