Ragnar Loader malware enables ransomware groups to maintain stealthy access, evade detection, and execute remote control operations.
Category: cybercrime/malcode – Page 19
Ransomware gang encrypted network from a webcam to bypass EDR
The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim’s network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
Cybersecurity firm S-RM team discovered the unusual attack method during a recent incident response at one of their clients.
Notably, Akira only pivoted to the webcam after attempting to deploy encryptors on Windows, which were blocked by the victim’s EDR solution.
Microsoft says malvertising campaign impacted 1 million PCs
Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide.
The company’s threat analysts detected these attacks in early December 2024 after observing multiple devices downloading malware from GitHub repos, malware that was later used to deploy a string of various other payloads on compromised systems.
After analyzing the campaign, they discovered that the attackers injected ads into videos on illegal pirated streaming websites that redirect potential victims to malicious GitHub repositories under their control.
YouTube warns of AI-generated video of its CEO used in phishing attacks
YouTube warns that scammers are using an AI-generated video featuring the company’s CEO in phishing attacks to steal creators’ credentials.
The attackers are sharing it as a private video with targeted users via emails claiming YouTube is changing its monetization policy.
“We’re aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube’s CEO Neal Mohan announcing changes in monetization,” the online video sharing platform warned in a pinned post on its official community website.
Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates
Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS.
“Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine,” Trend Micro said in a Monday analysis. “This enables them to steal sensitive data, such as login credentials, financial information, and personal files.”
It’s worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, was first documented in late January 2025 by both Walmart’s Cyber Intelligence team and Sophos, the latter of which has designated the cluster the name STAC5777.
New polyglot malware hits aviation, satellite communication firms
A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates.
The malware delivers a backdoor called Sosano, which establishes persistence on the infected devices and allows the attackers to execute commands remotely.
The activity was discovered by Proofpoint in October 2024, which states that the attacks are linked to a threat actor named ‘UNK_CraftyCamel.’ While the campaign is still small, the researchers report that it is still advanced and dangerous to targeted companies.