VulnHub

The latest Malware newsletter from Security Affairs reports on several significant cybersecurity threats. One notable incident involves new malware specifically targeting users of Cobra DocGuard software, potentially compromising sensitive data. Additionally, Iranian cyber actors have been using Telegram as a command and control channel to distribute malware to predetermined targets, raising concerns about state-sponsored cyber activities. The newsletter also discusses the Trivy supply chain attack, which has now expanded to include compromised Docker images, putting many containerized applications at risk. Lastly, a new malware called VoidStealer has been identified, which manipulates Chrome debugging tools to extract user information. These developments highlight ongoing vulnerabilities in software and the tactics employed by cybercriminals and state actors alike.

Recent reports indicate that cybercriminals are increasingly using cloud phones, which are virtualized Android devices hosted on remote servers, to carry out financial fraud schemes. These devices provide attackers with anonymity and the capability to manipulate phone numbers, making it easier for them to bypass traditional security measures. As a result, victims can include individuals and businesses alike, potentially leading to significant financial losses. Security experts warn that the rise of these technologies poses a growing risk to online transactions and personal data. Companies and users need to be vigilant and adopt more stringent security practices to mitigate these threats.

Researchers at Expel have raised concerns about malicious Chrome extensions that are targeting users' conversations with AI tools. These extensions, often disguised as useful add-ons, can secretly collect and transmit sensitive information, including chat history and personal data. Users who install these extensions unknowingly expose their private interactions to potential attackers. This incident is particularly concerning as AI technology becomes more integrated into daily tasks, increasing the risk of data breaches. Users are advised to be cautious about the extensions they install and to regularly review their browser settings for any unauthorized additions.

VoidStealer is a new type of information-stealing malware that has been discovered to exploit a flaw in Chrome's Application-Bound Encryption (ABE). This malware uses a clever method to bypass security measures and access the master key needed to decrypt sensitive data stored in the Chrome browser. As a result, users' personal information, including passwords and credit card details, could be at risk. This development is concerning for anyone using Chrome, as it highlights vulnerabilities that attackers can exploit to gain unauthorized access to private data. Users should remain vigilant and consider enhancing their security measures to protect against such threats.

A malicious Chrome extension called ShieldGuard was discovered to be a crypto scam masquerading as a security tool. This extension primarily targeted users looking to protect their cryptocurrency wallets but instead siphoned off sensitive wallet information and drained user data. Researchers found that once installed, the extension would exploit its permissions to access and transfer funds from users' crypto wallets. This incident affects anyone who installed the ShieldGuard extension, highlighting the ongoing risks of using unverified browser extensions in the cryptocurrency space. Users are urged to be cautious and only download extensions from reputable sources to safeguard their assets.

Researchers have discovered a serious vulnerability in Android that allows attackers to hijack mobile payment applications using a technique called LSPosed-based runtime manipulation. This attack can bypass security measures such as SIM binding, which is intended to protect users' financial transactions. As a result, anyone using affected payment apps could be at risk of fraud and unauthorized transactions. This incident highlights the ongoing challenges in mobile security, especially for users who rely on their devices for financial activities. Users should be cautious and consider reviewing their app security settings until further protections are implemented.

Two Google Chrome extensions have been compromised after a transfer of ownership, allowing attackers to inject malicious code and steal sensitive user data. The extensions, originally developed by a user identified as 'akshayanuonline@gmail.com', are QuickLens and another unnamed extension. This incident raises significant concerns as it exposes users who have installed these extensions to potential malware and data breaches. Users of these extensions should be cautious and consider removing them to protect their information. This situation serves as a reminder of the risks associated with third-party software and the importance of monitoring the permissions and developers of browser extensions.

Google has reported a significant increase in zero-day attacks targeting enterprise software, with nearly a quarter of these incidents aimed at security and networking appliances in 2025. This trend indicates that attackers are increasingly focusing on vulnerabilities within critical infrastructure components used by businesses. The implications are serious, as these vulnerabilities can lead to unauthorized access, data breaches, and disruptions in service. Companies that rely on these types of software need to prioritize security measures and stay updated on patches to protect their systems. As the threat landscape evolves, organizations must remain vigilant to mitigate risks associated with these attacks.

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.