ChainCatcher news, Slow Mist founder Yu Xian released a response guide regarding computer infection issues and made additions to the Chinese version of the Black Book.He pointed out that hacker organizations often use social engineering to induce users to install malware or run malicious code, such as pretending to be investors, journalists, or HR to lure users into meeting software, or disguising as Telegram and Cloudflare verification requests to get users to run malicious code.Yu Xian suggested that infected users take the following measures promptly: transfer wallet funds, change important account passwords and check for unknown device logins, use reputable antivirus software to scan for viruses, and if necessary, reset the computer and scan backup files for viruses.He emphasized that these attacks target not only Windows but also Mac and some Linux systems.

ChainCatcher message, Scam Sniffer has issued a phishing alert on the X platform stating that a counterfeit Microsoft Teams website is spreading malware. Risks include data leaks, credential theft, session hijacking, and wallet theft. Please verify the source before installation.

ChainCatcher news, according to Cointelegraph, CyberArk has discovered a new type of cryptocurrency hijacking malware called MassJacker that targets users of pirated software by hijacking cryptocurrency transactions through replacing addresses stored in the clipboard. Users may unknowingly infect their devices when downloading pirated software.CyberArk found that there are 778,531 unique wallets associated with this theft, with 423 wallets having previously held cryptocurrency assets.

ChainCatcher news, according to Decrypt, the Socket research team has discovered in a new attack that the North Korean hacker group Lazarus is associated with six new malicious npm packages that attempt to deploy backdoors to steal user credentials.Additionally, this malware can extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attacks primarily target files from Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, specifically tricking developers into inadvertently installing these malicious packages.The six discovered malicious packages include: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installation through "typosquatting" (exploiting misspelled names). The APT group has created and maintained GitHub repositories for five of these packages, disguising them as legitimate open-source projects, increasing the risk of developers using the malicious code. These packages have been downloaded over 330 times. Currently, the Socket team has requested the removal of these packages and reported the related GitHub repositories and user accounts.Lazarus is a notorious North Korean hacker group, linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks in the crypto industry.

ChainCatcher news, according to the Straits Times, Singapore's Minister of State for Home Affairs Sun Xuelin stated that last year, cryptocurrency scams accounted for a quarter of the total losses from fraud. In the highest-value scam case last year, the victim clicked on a fake meeting link, downloaded and ran malicious code on their computer, resulting in a loss of approximately 125 million Singapore dollars.Sun Xuelin mentioned that, in addition to malware, scammers also design fake websites, send phishing links, or use "pump and dump" tactics to inflate the prices of memecoins before causing them to plummet. "Our advice to the public is to stay away from cryptocurrencies. The risk of being 'burned' is very high, and if you become a victim of a scam, the chance of recovering even a cent is very slim."

ChainCatcher news, according to Bitcoin.com, a covert malware campaign is hijacking cryptocurrency wallets by embedding malicious code in fake open-source projects on Github, tricking developers into executing hidden payloads.A cyber attack campaign named Gitvenom has been targeting Github users by embedding malicious code into seemingly legitimate open-source projects. Researchers Georgy Kucherin and Joao Godinho discovered this operation, where cybercriminals create fraudulent repositories that mimic real software tools. The method of embedding malicious code varies depending on the programming language used in the fake projects.

ChainCatcher news, according to Decrypt, the hacker group Crazy Evil has created a fake Web3 company called "ChainSeeker.io" to lure job seekers in the crypto industry into downloading malware that steals wallet funds.According to cybersecurity site Bleeping Computer, the organization has set up profiles on LinkedIn and X, recruiting for standard positions in the crypto industry, such as "Blockchain Analyst" or "Social Media Manager." They have also placed premium ads on sites like LinkedIn, WellFound, and CryptoJobsList to increase the visibility of their advertisements. Job seekers then receive an email from the fake company's "Chief Human Resources Officer," inviting them to contact the fake "Chief Marketing Officer" (CMO) via Telegram.The so-called CMO subsequently pressures them to download and install a virtual meeting software called GrassCall and enter a code provided by the CMO. GrassCall then installs various information-stealing malware or Remote Access Trojans (RATs), which search for crypto wallets, passwords, Apple Keychain data, and authentication cookies stored in web browsers.Currently, most of the ads seem to have been removed from social media.

ChainCatcher news, according to Cointelegraph, cybersecurity company Kaspersky recently released research showing that hackers are creating hundreds of fake projects on the GitHub platform to lure users into downloading malware that steals cryptocurrency and credentials. Kaspersky has named this malware activity "GitVenom."Kaspersky analyst Georgy Kucherin pointed out in a report on February 24 that these fake projects include Telegram bots for managing Bitcoin wallets and tools for automating Instagram account interactions. Hackers carefully design project documentation, possibly using AI tools to generate content, and artificially increase the number of project "commits" to make the projects appear to be actively developed.According to Kaspersky's investigation, these malicious projects can be traced back at least two years. Regardless of how the projects are presented, they contain malicious components, such as information-stealing tools that upload saved credentials, cryptocurrency wallet data, and browsing history through Telegram, as well as clipboard hijackers that replace cryptocurrency wallet addresses. In November 2023, a user lost 5 Bitcoins (approximately $442,000) as a result. Kaspersky advises users to carefully check the behavior of third-party code before downloading.

ChainCatcher news, according to Decrypt, researchers from Microsoft Threat Intelligence have discovered a new type of malware that can target cryptocurrency wallets. XCSSET was first identified in 2020, allowing malicious actors to take screenshots, record user behavior, and steal data from Telegram. The updated version can also locate data within the Apple Notes application and uses obfuscation techniques to make the malware harder to detect. XCSSET theoretically also has the capability to manipulate what the end user sees in their browser. This could include modifying or replacing Bitcoin and other cryptocurrency addresses, meaning funds may not be sent to their intended destination.Researchers added that users must always check and verify any Xcode projects downloaded or cloned from repositories, as malware often spreads through infected projects. They should also only install applications from trusted sources, such as the official app stores of software platforms.

ChainCatcher news, according to Cointelegraph, cybersecurity company Kaspersky Labs has stated that a malware development kit used to create applications on the Google Play Store and Apple App Store is scanning user images for cryptocurrency wallet recovery phrases in order to steal funds.Kaspersky Labs reported that once the malware named SparkCat infects a device, it uses optical character recognition (OCR) tools to search images for specific keywords in different languages. The intruders steal the recovery phrases of cryptocurrency wallets, which are sufficient for them to gain full control over the victim's wallet and further steal funds.The flexibility of this malware allows it not only to steal secret phrases but also to extract other personal data from the photo gallery, such as message content or passwords that may be left on screenshots. The report advises against storing sensitive information in screenshots or mobile photo galleries and recommends using password managers. Additionally, it suggests deleting any suspicious or infected applications. The report states that the source of the malware is unclear and cannot be attributed to any known organization, but it is similar to an activity discovered by ESET researchers in March 2023.

ChainCatcher message, Scam Sniffer posted on X platform revealing that Google Ads are displaying counterfeit Homebrew malware targeting crypto users. Attackers use fake ads to lure victims into downloading the malware, which is designed to steal cryptocurrency wallet data and assets.

ChainCatcher message, according to Scam Sniffer monitoring, attackers are deploying malware using a fake Cloudflare verification page through clipboard injection and command execution.

ChainCatcher news, according to Decrypt, recently Check Point discovered a macOS malware named "Banshee" that mimics Apple's encryption algorithms to evade antivirus detection and targets cryptocurrency wallets and browser credentials. However, Apple security researcher Patrick Wardle stated that the threat has been overstated by the media and its actual harm is limited.Banshee was previously operated as "Stealer-as-a-Service," but it was terminated in November 2024 due to source code leakage. Wardle pointed out that the software's encryption methods are quite basic, and the latest macOS systems can defend against such threats by default, posing almost no risk to ordinary users. He emphasized that instead of focusing on specific malware, it is better to concentrate on basic security practices.

ChainCatcher message, according to Scam Sniffer monitoring, a victim lost 1 million dollars due to counterfeit Zoom malware, related to the us04-zoom[.]us threat actor. Currently, cases of private key theft malware are on the rise, and it is essential to strictly verify sources and conduct security scans before installation.

ChainCatcher news, Scam Sniffer has issued a security warning, revealing a new type of composite scam targeting cryptocurrency users. This scam has two main attack paths: system infection and account hijacking. The scammers first disguise themselves as well-known cryptocurrency KOLs, commenting on legitimate posts to lure users into joining so-called "exclusive investment" Telegram groups. Once users join the group, they will immediately receive a verification request from a fake bot named OfficiaISafeguardBot. These verifications are usually set with very short time windows, creating a sense of urgency.On a technical level, the verification process injects malicious PowerShell code into the clipboard without the user's knowledge. Once executed, it will automatically download and run malware that can compromise system security. These malware have been flagged as malicious by VirusTotal and have recently caused multiple incidents of private key theft. Another attack method is to induce users to provide Telegram account-related information, including phone numbers, login verification codes, and two-step verification passwords, thereby gaining complete control over the user's Telegram account.Scam Sniffer offers the following security recommendations:Do not execute commands from unknown sourcesCarefully verify the authenticity of official channelsBe vigilant about any verification requests with time pressureUse hardware wallets to store cryptocurrency assetsAvoid running arbitrary code and installing unknown softwareNever share Telegram verification codes and two-step verification passwords

ChainCatcher news, according to Forbes, researchers have confirmed that a malware attack targeting macOS users has been active for four months. This attack uses malware disguised as a video conferencing application to steal passwords from Keychain, as well as session cookies and cryptocurrency wallet information from browsers like Google Chrome, Brave, and Opera.According to Tara Gould from Cado Security Labs, the attackers use AI-generated content to create fake websites and social media accounts, posing as trustworthy businesses. Victims are often contacted through platforms like Telegram, discussing business opportunities related to blockchain or cryptocurrency. Once the file is installed, users are prompted to enter their macOS password, further facilitating data theft.Security experts advise users to remain vigilant, especially regarding unfamiliar links related to business. Using protective tools like Intego VirusBarrier can effectively defend against such threats.

ChainCatcher news, according to a report by Cointelegraph, Radiant Capital stated in an updated investigation report on December 6 that the cybersecurity company Mandiant has assessed with high confidence that the attack was carried out by threat actors affiliated with North Korea (DPRK).The platform mentioned that a Radiant developer received a Telegram message on September 11, which contained a compressed file from a "trusted former contractor," requesting feedback on a new project they were planning. Upon review, this message was suspected to be from threat actors allied with North Korea impersonating the former contractor. "This ZIP file, when shared with other developers for feedback, ultimately delivered malware that facilitated the subsequent intrusion."Radiant Capital believes that the threat actors responsible for the incident are referred to as "UNC4736"—reportedly associated with North Korea's main intelligence agency, the Reconnaissance General Bureau (RGB), and speculated to be a subgroup of the hacking organization Lazarus Group.Previous report stated that the cross-chain lending protocol Radiant Capital suffered a cyber attack, resulting in losses exceeding $50 million.

ChainCatcher message, Scam Sniffer posted on the X platform that the crypto conference malware "Meeten" has been renamed to "Meetio," reminding the community to stay vigilant, as the renamed application is just a "disguise" and still poses a security threat.

According to ChainCatcher news reported by Cointelegraph, North Korean hackers appear to have developed malware that can evade Apple's security checks. Researchers at Jamf Threat Labs, who focus on Apple, indicate that these applications seem to be experimental. This is the first time they have seen such technology used to infiltrate Apple's macOS operating system, but it does not run on the latest systems.Researchers found that Microsoft's VirusTotal online scanning service reported these applications as harmless, but they are actually malicious. Variants of these applications are written in Go and Python, utilizing Google Flutter applications. Flutter is an open-source development toolkit used for creating cross-platform applications.Out of six malicious applications, five are signed with developer accounts and have been temporarily notarized by Apple. Researchers wrote, "The domains and techniques in the malware are very similar to those used in other North Korean hacker malware, with indications that the malware was once signed and even temporarily passed Apple's notarization process."