ChainCatcher message, according to Jinshi reports, recently, the Japanese security team CSIRT revealed a security vulnerability in WinRAR that can bypass Microsoft's Windows Mark of the Web (MoTW) security mechanism, potentially allowing users to unknowingly execute malicious programs from the internet, posing serious security risks. This vulnerability is numbered CVE-2025-31334.To actively respond to the cybersecurity challenges posed by the WinRAR security vulnerability to our critical infrastructure, it is recommended to take the following measures from a technical perspective: first, conduct a comprehensive inspection of network devices in WinRAR user environments that are affected by this vulnerability and promptly install the latest version. Second, perform a reset of WinRAR client configurations. Third, it is advised that WinRAR users avoid connecting to untrusted networks when handling sensitive data.

ChainCatcher message, according to Cointelegraph, the Kaspersky report indicates that a dangerous malware is disguising itself as a Microsoft Office add-on on the SourceForge platform, specifically targeting cryptocurrency users for attacks. This malware employs clipboard hijacking techniques to automatically replace the cryptocurrency wallet addresses copied by users with the attacker's address, resulting in funds being directly transferred to the hacker's account. Security experts remind users to carefully verify wallet addresses when conducting cryptocurrency transactions to ensure transaction safety.

ChainCatcher news, according to Decrypt, cybersecurity experts recently discovered a dual malware attack targeting users inside and outside the cryptocurrency industry.Cyber intelligence company Silent Push revealed in its latest report a malicious activity named PoisonSeed, which first forges login pages of bulk email service providers like Mailchimp and SendGrid to steal user credentials. Attackers send fake emails claiming that user accounts are restricted, luring them to log into a counterfeit website. After entering their credentials, the attackers quickly and automatically export the email subscription list.Subsequently, the attackers use the stolen subscription list to impersonate Coinbase and send phishing emails to the victims' contacts, claiming that the exchange "is transitioning to self-custody wallets," and includes a 12-word recovery phrase, tricking users into importing the wallet, effectively allowing hackers to take control of the assets.

ChainCatcher news, according to Cointelegraph, cybersecurity company Kaspersky Lab recently discovered a large number of counterfeit Android phones preloaded with malware being sold online at low prices. These devices are implanted with the Triada Trojan virus, which can steal cryptocurrencies and other sensitive data.According to Kaspersky expert Dmitry Kalinin, attackers have successfully transferred about $270,000 in various cryptocurrencies by replacing wallet addresses, and the actual losses may be higher as attackers have also targeted the privacy coin Monero.Currently, 2,600 infection cases have been confirmed, mainly concentrated in Russia. The Trojan can infiltrate the firmware before the device reaches the user, intercepting two-factor authentication SMS messages and stealing account information.Kaspersky advises users to purchase devices only from legitimate channels and to install security solutions immediately after purchase.

ChainCatcher message, researchers from the security company ThreatFabric stated that a new type of malware, Crocodilus, can steal Android users' wallet recovery phrases. This malware spreads through proprietary drivers and bypasses the security protections of Android 13 (and higher), and installing the malware does not trigger Play Protect.The malware overlays a fake warning on the screen, urging users to "back up the wallet recovery phrase in settings within 12 hours," or they may risk losing access to their wallet.

ChainCatcher news, Slow Mist founder Yu Xian released a response guide regarding computer infection issues and made additions to the Chinese version of the Black Book.He pointed out that hacker organizations often use social engineering to induce users to install malware or run malicious code, such as pretending to be investors, journalists, or HR to lure users into meeting software, or disguising as Telegram and Cloudflare verification requests to get users to run malicious code.Yu Xian suggested that infected users take the following measures promptly: transfer wallet funds, change important account passwords and check for unknown device logins, use reputable antivirus software to scan for viruses, and if necessary, reset the computer and scan backup files for viruses.He emphasized that these attacks target not only Windows but also Mac and some Linux systems.

ChainCatcher message, Scam Sniffer has issued a phishing alert on the X platform stating that a counterfeit Microsoft Teams website is spreading malware. Risks include data leaks, credential theft, session hijacking, and wallet theft. Please verify the source before installation.

ChainCatcher news, according to Cointelegraph, CyberArk has discovered a new type of cryptocurrency hijacking malware called MassJacker that targets users of pirated software by hijacking cryptocurrency transactions through replacing addresses stored in the clipboard. Users may unknowingly infect their devices when downloading pirated software.CyberArk found that there are 778,531 unique wallets associated with this theft, with 423 wallets having previously held cryptocurrency assets.

ChainCatcher news, according to Decrypt, the Socket research team has discovered in a new attack that the North Korean hacker group Lazarus is associated with six new malicious npm packages that attempt to deploy backdoors to steal user credentials.Additionally, this malware can extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attacks primarily target files from Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, specifically tricking developers into inadvertently installing these malicious packages.The six discovered malicious packages include: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installation through "typosquatting" (exploiting misspelled names). The APT group has created and maintained GitHub repositories for five of these packages, disguising them as legitimate open-source projects, increasing the risk of developers using the malicious code. These packages have been downloaded over 330 times. Currently, the Socket team has requested the removal of these packages and reported the related GitHub repositories and user accounts.Lazarus is a notorious North Korean hacker group, linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks in the crypto industry.

ChainCatcher news, according to the Straits Times, Singapore's Minister of State for Home Affairs Sun Xuelin stated that last year, cryptocurrency scams accounted for a quarter of the total losses from fraud. In the highest-value scam case last year, the victim clicked on a fake meeting link, downloaded and ran malicious code on their computer, resulting in a loss of approximately 125 million Singapore dollars.Sun Xuelin mentioned that, in addition to malware, scammers also design fake websites, send phishing links, or use "pump and dump" tactics to inflate the prices of memecoins before causing them to plummet. "Our advice to the public is to stay away from cryptocurrencies. The risk of being 'burned' is very high, and if you become a victim of a scam, the chance of recovering even a cent is very slim."

ChainCatcher news, according to Bitcoin.com, a covert malware campaign is hijacking cryptocurrency wallets by embedding malicious code in fake open-source projects on Github, tricking developers into executing hidden payloads.A cyber attack campaign named Gitvenom has been targeting Github users by embedding malicious code into seemingly legitimate open-source projects. Researchers Georgy Kucherin and Joao Godinho discovered this operation, where cybercriminals create fraudulent repositories that mimic real software tools. The method of embedding malicious code varies depending on the programming language used in the fake projects.

ChainCatcher news, according to Decrypt, the hacker group Crazy Evil has created a fake Web3 company called "ChainSeeker.io" to lure job seekers in the crypto industry into downloading malware that steals wallet funds.According to cybersecurity site Bleeping Computer, the organization has set up profiles on LinkedIn and X, recruiting for standard positions in the crypto industry, such as "Blockchain Analyst" or "Social Media Manager." They have also placed premium ads on sites like LinkedIn, WellFound, and CryptoJobsList to increase the visibility of their advertisements. Job seekers then receive an email from the fake company's "Chief Human Resources Officer," inviting them to contact the fake "Chief Marketing Officer" (CMO) via Telegram.The so-called CMO subsequently pressures them to download and install a virtual meeting software called GrassCall and enter a code provided by the CMO. GrassCall then installs various information-stealing malware or Remote Access Trojans (RATs), which search for crypto wallets, passwords, Apple Keychain data, and authentication cookies stored in web browsers.Currently, most of the ads seem to have been removed from social media.

ChainCatcher news, according to Cointelegraph, cybersecurity company Kaspersky recently released research showing that hackers are creating hundreds of fake projects on the GitHub platform to lure users into downloading malware that steals cryptocurrency and credentials. Kaspersky has named this malware activity "GitVenom."Kaspersky analyst Georgy Kucherin pointed out in a report on February 24 that these fake projects include Telegram bots for managing Bitcoin wallets and tools for automating Instagram account interactions. Hackers carefully design project documentation, possibly using AI tools to generate content, and artificially increase the number of project "commits" to make the projects appear to be actively developed.According to Kaspersky's investigation, these malicious projects can be traced back at least two years. Regardless of how the projects are presented, they contain malicious components, such as information-stealing tools that upload saved credentials, cryptocurrency wallet data, and browsing history through Telegram, as well as clipboard hijackers that replace cryptocurrency wallet addresses. In November 2023, a user lost 5 Bitcoins (approximately $442,000) as a result. Kaspersky advises users to carefully check the behavior of third-party code before downloading.

ChainCatcher news, according to Decrypt, researchers from Microsoft Threat Intelligence have discovered a new type of malware that can target cryptocurrency wallets. XCSSET was first identified in 2020, allowing malicious actors to take screenshots, record user behavior, and steal data from Telegram. The updated version can also locate data within the Apple Notes application and uses obfuscation techniques to make the malware harder to detect. XCSSET theoretically also has the capability to manipulate what the end user sees in their browser. This could include modifying or replacing Bitcoin and other cryptocurrency addresses, meaning funds may not be sent to their intended destination.Researchers added that users must always check and verify any Xcode projects downloaded or cloned from repositories, as malware often spreads through infected projects. They should also only install applications from trusted sources, such as the official app stores of software platforms.

ChainCatcher news, according to Cointelegraph, cybersecurity company Kaspersky Labs has stated that a malware development kit used to create applications on the Google Play Store and Apple App Store is scanning user images for cryptocurrency wallet recovery phrases in order to steal funds.Kaspersky Labs reported that once the malware named SparkCat infects a device, it uses optical character recognition (OCR) tools to search images for specific keywords in different languages. The intruders steal the recovery phrases of cryptocurrency wallets, which are sufficient for them to gain full control over the victim's wallet and further steal funds.The flexibility of this malware allows it not only to steal secret phrases but also to extract other personal data from the photo gallery, such as message content or passwords that may be left on screenshots. The report advises against storing sensitive information in screenshots or mobile photo galleries and recommends using password managers. Additionally, it suggests deleting any suspicious or infected applications. The report states that the source of the malware is unclear and cannot be attributed to any known organization, but it is similar to an activity discovered by ESET researchers in March 2023.

ChainCatcher message, Scam Sniffer posted on X platform revealing that Google Ads are displaying counterfeit Homebrew malware targeting crypto users. Attackers use fake ads to lure victims into downloading the malware, which is designed to steal cryptocurrency wallet data and assets.

ChainCatcher message, according to Scam Sniffer monitoring, attackers are deploying malware using a fake Cloudflare verification page through clipboard injection and command execution.

ChainCatcher news, according to Decrypt, recently Check Point discovered a macOS malware named "Banshee" that mimics Apple's encryption algorithms to evade antivirus detection and targets cryptocurrency wallets and browser credentials. However, Apple security researcher Patrick Wardle stated that the threat has been overstated by the media and its actual harm is limited.Banshee was previously operated as "Stealer-as-a-Service," but it was terminated in November 2024 due to source code leakage. Wardle pointed out that the software's encryption methods are quite basic, and the latest macOS systems can defend against such threats by default, posing almost no risk to ordinary users. He emphasized that instead of focusing on specific malware, it is better to concentrate on basic security practices.

ChainCatcher message, according to Scam Sniffer monitoring, a victim lost 1 million dollars due to counterfeit Zoom malware, related to the us04-zoom[.]us threat actor. Currently, cases of private key theft malware are on the rise, and it is essential to strictly verify sources and conduct security scans before installation.