Netherlands warns of Russian cyberattacks against Signal and WhatsApp around the world: they don’t need malware

When we think about applications like Signal or WhatsApp, we usually associate them immediately with privacy. Both are built on a very clear promise: end-to-end encryption prevents third parties, including the companies themselves, from reading users' messages. That security model has led millions of people to trust these platforms with personal, professional and even sensitive conversations. But that protection does not mean the accounts themselves are safe. The Dutch intelligence services have now warned of a global campaign that seeks to compromise accounts on these applications without using malware or exploiting any technical flaw.

The targets. The military intelligence service (MIVD) and the general intelligence and security service (AIVD) indicate that the attacks seek access to accounts belonging to dignitaries, public officials and military personnel. The authorities also acknowledge that Dutch government employees have been both targets and victims of these attempts. The report adds that other profiles of interest to the Russian government, such as journalists, could also be among the recipients of this type of attack.

Social engineering instead of spyware. Unlike other episodes of digital espionage that have affected messaging services in the past, the campaign described by the Dutch services does not rely on malware or on the exploitation of technical flaws. The report explains that the attackers mainly resort to phishing and social engineering to gain access to accounts. The difference matters when compared with tools such as Pegasus, the well-known spyware capable of infiltrating mobile phones: here the goal is not to compromise the phone's operating system but to exploit the user's own behaviour to take control of the account or to link a foreign device to it.

Account takeover. One of the methods is direct takeover of the account. The attackers, the report explains, pose as the application's official support team and send messages alerting the victim to alleged suspicious activity, possible data leaks or attempts to access their account. They then ask the user to complete a "verification" process and to share the code received by SMS, as well as the PIN configured in the application. If the victim hands over this data, the attacker can take control of the account and re-register it on a number under their control.

The QR code and linked-device trick. The report also describes a second route that does not necessarily mean the victim loses control of the account immediately. Here the attackers use social engineering to convince the user to scan a QR code or click on a seemingly legitimate link, for example under the pretext of joining a group chat. That QR code or link can be crafted to link the attacker's device to the victim's account through the apps' linked-device feature. Once connected, the attacker can read the conversations and, depending on the platform and the mode of access, see messages as they arrive or even part of the history, as well as send messages in the user's name.

What the intelligence services recommend. The report includes several practical recommendations to reduce the risk of these attacks. Never share verification codes or the account PIN through messages, even if the request appears to come from the app's support service. Distrust links or QR codes sent by unknown contacts and always verify such requests through another channel before interacting with them. Periodically review the list of devices linked to the account and remove any you do not recognise. The document also adds other useful measures, such as activating Registration Lock in Signal and notifying your contacts by another means if you suspect that the account has been compromised.

GitHub is vital for millions of users. That is why it has become the perfect place to hide malware

When a tool is so useful that no one dares to block it, it becomes a magnet for attackers. That is what is happening with GitHub: public repositories, disguised files and malicious payloads that go unnoticed in corporate environments. Cisco Talos has uncovered a campaign that demonstrates it.

The campaign, active since February 2025, was not an isolated experiment. It was a well-structured operation based on the malware-as-a-service (MaaS) model, in which attack tools are sold as if they were cloud services. In this case the operators used GitHub to distribute malware through seemingly harmless links.

When malicious code hides in plain sight. "In many environments, a malicious download from GitHub may look like normal traffic," the Talos researchers explain. And that is the problem: the actors behind this campaign knew how to move between the legitimate and the harmful without raising suspicion, using the Microsoft-owned platform as a covert distribution channel.

The process began with Emmenhtal, a loader designed to work in layers. Three of them were devoted exclusively to hiding the code. Only at the end of the chain did a PowerShell script run that contacted a remote address to download the real payload. That payload was Amadey, a malware family known since 2018 on Russian-speaking forums. Its main function is to collect information about the infected system and download additional files depending on the profile of the machine. The most striking thing is that these files did not

One of the most active accounts was legendary99999. More than 160 repositories with random names were detected under it, each hosting a single malicious file in its releases section. From there the attackers could send direct links to their victims, as if they were any other legitimate download.

legendary99999 was not an isolated case. Talos identified other accounts, such as Milidmdds or DFFE9EWF, that followed the same pattern: random names and harmless-looking repositories built to deliver malicious payloads. In total, malware samples such as Rhadamanthys, Lumma and RedLine were detected, as well as legitimate tools such as PuTTY and Selenium WebDriver. The operation was always the same: once a machine was infected, Amadey downloaded whatever file each operator needed from GitHub. Most striking is the flexibility of the operation, ranging from remote access trojans such as AsyncRAT to scripts disguised as MP4 files or even Python code with hidden functions.

GitHub acted quickly. As soon as Talos reported the findings, the accounts were removed. But the problem does not seem to be the platform itself but the strategy behind its use: taking advantage of legitimate and necessary services to hide malicious activity.
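As an added illustration, not code from Talos or from this article, here is a small Python heuristic a defender could run over web-proxy logs to surface the pattern described above: release-asset downloads from GitHub accounts and repositories whose names look random. The log lines, the account and repository names and the entropy and digit-ratio thresholds are all constructed for this example (they are not indicators from the Talos report), and real thresholds would have to be tuned against a baseline of the organisation's legitimate GitHub traffic.

```python
import math
import re
from collections import Counter

# Constructed proxy log lines for the example: "<timestamp> <client-ip> <method> <url> <status>".
# The account and repository names below are invented; they are not indicators from the Talos report.
SAMPLE_LOG = """\
2025-03-04T10:01:07Z 10.0.5.21 GET https://github.com/microsoft/vscode/releases/download/1.98.0/VSCodeSetup-x64.exe 200
2025-03-04T10:02:11Z 10.0.5.33 GET https://github.com/a9s8df7hg2/zq1x8v7c3b/releases/download/v1/video.mp4 200
2025-03-04T10:02:40Z 10.0.5.33 GET https://github.com/python/cpython/archive/refs/tags/v3.12.3.zip 200
2025-03-04T10:03:02Z 10.0.5.40 GET https://github.com/q7w8e9r0t1/ghjk45lp/releases/download/1.0/installer.exe 200
"""

# Matches the "release asset" download path that the campaign abused.
RELEASE_RE = re.compile(r"^https://github\.com/([^/\s]+)/([^/\s]+)/releases/download/\S+$")

# Assumed thresholds: tune them against your own baseline of legitimate GitHub traffic.
MIN_DIGIT_RATIO = 0.3
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(text):
    """Bits of entropy per character; high values mean the name has little repeated structure."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic: random-looking names mix many digits into letters and have high entropy."""
    digit_ratio = sum(ch.isdigit() for ch in name) / len(name)
    return digit_ratio >= MIN_DIGIT_RATIO and shannon_entropy(name) >= MIN_ENTROPY_BITS


def flag_release_downloads(log_text):
    """Return one finding per GitHub release download whose owner or repo name looks random."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        timestamp, client, _method, url, _status = parts
        match = RELEASE_RE.match(url)
        if not match:
            continue  # archive/tag downloads and non-GitHub URLs are out of scope here
        owner, repo = match.groups()
        reasons = []
        if looks_random(owner):
            reasons.append("random-looking owner")
        if looks_random(repo):
            reasons.append("random-looking repo")
        if reasons:
            findings.append({"time": timestamp, "client": client, "owner": owner,
                             "repo": repo, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_release_downloads(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['owner']}/{f['repo']}: {', '.join(f['reasons'])}")
```

On the constructed log the two downloads from invented accounts are flagged while the Microsoft and Python downloads pass; in practice the finding would be fed into an allow-list review rather than an automatic block, since blocking GitHub outright is exactly what the article says organisations will not do.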

put malware in your music CD

Tokyo Tsushin Kogyo is one of the most venerable companies in the technology world. It was born just after the Second World War and spent its early years repairing radios and inventing appliances such as a failed electric rice cooker. Because its name was so complicated for the West, it was changed to something much simpler: Sony. The story probably sounds familiar now, because we are not going to discover the importance of Sony and its innovations at this point. But that innovation is not always positive, and just 20 years ago Sony committed what may be the biggest error in its history: installing malware on the music CDs it sold.

Oh, the MP3... Although it was at the end of the 1990s and the beginning of the 2000s that the MP3 format exploded in popularity, its story was already a few years old by then. It was in the 1980s that a German engineer named Karlheinz Brandenburg developed a method to compress digital audio files without the loss of quality being noticeable to the human ear. FLAC purists will say that MP3 is the devil, but Brandenburg's team used an algorithm that removed sound information humans do not easily perceive, drastically reducing the size of those files. This opened a world of possibilities in the consumer and distribution industry: portable MP3 players, the distribution of digital music and its streaming. It also opened wide the door to copying songs and downloading them illegally.

On the attack. Sony Music was already a giant of the record industry in the early 2000s. Today it is very combative about AI, and back then MP3 did not amuse it in the least. In fact, it was very aggressive about it. It was actively developing protection methods for its albums and, in August 2000, Steve Heckler, a Sony vice president in the United States, declared: "The industry will take any measure necessary to protect itself and protect its sources of income. We will not lose that flow of money. Whatever happens, Sony will take aggressive measures to stop this and develop technology that transcends the individual user." You may think: hard words, yes, but too aggressive. Pay attention, because Heckler went on to affirm that they were going to put a firewall around Napster. "We will block it at your cable company. We will block it at your telephone company. We will block it at your Internet company. We will put a firewall on your PC. These are aggressive strategies because, simply, there is too much at stake." And they kept their word.

XCP. It may sound familiar because of how recent the conflict between LaLiga and Cloudflare is, but Sony's case was really much more... curious. Shortly after Heckler's statements, Sony released Natalie Imbruglia's second album with copy protection without announcing that it carried it, but this was a plan that was already under way, and the company released certain albums with strong protection in some markets. Moreover, before merging with Sony, BMG had also released millions of albums with some protection system.

The player | Image: Mark Russinovich

In March 2004, Sony and BMG formed a 50/50 joint venture, flexing their muscles in the music industry and finding that their strategies against music piracy had much in common. The two companies had been tough on the matter and had declared that they would do whatever it took to stop illegal distribution. So, at some point, they hired the services of First 4 Internet. This company had a tool that seemed infallible: a system called Extended Copy Protection, or XCP. When a music CD with XCP was inserted into a PC, autorun was triggered and displayed a licence agreement that the user had to accept. If not, the CD was ejected and could not be played. By accepting it, we could enjoy the music and would not notice anything... except when we wanted to copy the files, since only three copies of the complete CD, or three of each track, were allowed. Some points of that EULA: if you left the country, you had to delete all your music. If the CD was stolen, likewise. By accepting, you agreed that Sony could install backdoors on the PC to enforce its rights. In case of dispute, the maximum sum for which you could sue Sony was 5 dollars. Almost nothing, but the worst was not that.

It was... malware. When the EULA was accepted, we were not only given access to the CD: several programs were installed. Some were the usual ones, such as the protection itself, a Sony BMG player or the drivers needed to play it. But there was something else, something much darker. So much so that users had no idea that accepting that agreement was infecting their PC. The reason? Along with the other files, a rootkit called "$sys$aries" was installed that activated automatically when the operating system started and did everything possible to hide its processes, even from antivirus software. As you can imagine, this was a problem, because hiding so deep in the system opened a huge security hole that could be exploited by other malware.

Caught. The cake was soon discovered. Mark Russinovich, a software engineer, sparked the controversy when, in October 2005, he published a blog post detailing how this rootkit worked. Not only did he expose the malware, but he pointed out that the EULA made no mention of that software and denounced that digital rights management had gone too far. Russinovich was no nobody: born in Salamanca and a naturalised American, he is currently CTO of Microsoft Azure. And XCP was not the only rootkit he brought to light (he did something very similar in …

Chrome’s extensions have a big problem. Anyone can buy them and fill them with malware without anyone finding out

One day John Tuckner decided to try being evil. He found a browser extension called "Website Blocker" that he could buy for $50, and he bought it. The extension, which lets users block certain websites so they are not distracted by them for a while, was especially interesting because it could be repurposed for spam attacks. And then things happened.

A visible problem. Within a few days he had control of the extension and could do whatever he wanted with it. He modified the code, published the update and confirmed that the changes had reached all users without anyone noticing. Then he explained what was going on: he is the founder of the cybersecurity company Secure Annex and wanted to confirm his fears. There is a great danger with extensions: anyone can buy them, modify them and repurpose them for all kinds of ends. Google reviews the modifications, but "it is not clear at what level of scrutiny," Tuckner explained.

Another recent case. At the end of January the creator of the Browser Boost Extra Tools extension for Chrome sold the project and transferred it to its new owner. Its 30,000 users were soon exposed to the new code, which dynamically redirected websites chosen unilaterally by the new owner.

It wasn't me. One of the extension's users warned of the problem in the extension's GitHub repository and analysed the code, pointing out the danger of malware that could arrive courtesy of the new owner. The creator, n0m1111, explained that he had sold the extension months earlier and was no longer responsible for the code.

Playing with permissions. These extensions often request permissions over all sorts of browser parameters. Tuckner explained that the extension he bought used a permission called "declarativeNetRequest", which is very broad and allowed users to be redirected to fake authentication sites to steal their passwords. Other permissions would let the owner of an extension take screenshots containing sensitive information or access the cookies the browser stores to steal data from browser sessions. The possibilities are many, and in Xataka we already discussed a few months ago how extensions are becoming a silent method for infecting users.

A recent attack. In February the GitLab Threat Intelligence team discovered a group of 16 Chrome extensions "used to inject code into browsers to facilitate advertising and SEO fraud." Between them they added up to 3.2 million users, and GitLab confirmed that the extensions had been bought and then modified, which allowed suspicion from users and from the industry itself to be avoided. The experts notified Google of the problem and the company removed them all in January 2025.

Blocking extensions, the solution. If you want to protect yourself from these problems, the solution is to block the execution of extensions in your browser, especially on computers that handle sensitive data, such as work machines. Unless they are trusted extensions, these kinds of problems can cause serious security incidents.

Care with permissions. Browser extensions can end up being bought, sold and repurposed without notice by their new owners, as has been the case here. That raises a serious problem for users and companies, which before installing an extension should pay close attention to the permissions those extensions ask for in order to work.

What Google says. At Xataka we have contacted Google and will update this article if we receive new information on the subject. In any case, the company offers a help document on the matter and has also explained in an article on its official blog how to stay safe when using extensions in Google Chrome.
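The "care with permissions" advice above can be turned into a concrete check. The following Python script is an added example, not a Google or Secure Annex tool: it reads an extension's manifest.json, lists the permissions, host patterns and content-script matches that enable the abuses described in the article (request redirection, cookie access, page injection), and diffs two versions of a manifest so that a permission quietly added in an update after a sale stands out. The two manifests are constructed for a hypothetical site-blocker, and the risk notes are this example's own assumptions rather than an official Chrome classification; the permission names themselves are real Chrome extension permissions.

```python
import json

# Risk notes for permissions whose abuse the article describes (request redirection, cookie theft,
# screenshots/page access). The tiers are this example's own assumption, not a Google classification.
RISKY_PERMISSIONS = {
    "declarativeNetRequest": "can redirect or rewrite requests, e.g. to a lookalike login page",
    "declarativeNetRequestWithHostAccess": "request rewriting on every host the extension can reach",
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can block or modify requests in flight",
    "cookies": "can read session cookies of matched sites",
    "scripting": "can inject scripts into pages",
    "tabs": "can read the URL and title of every tab",
    "webNavigation": "can observe browsing activity",
    "clipboardRead": "can read the clipboard",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return (item, reason) pairs for risky permissions, broad host access and all-site content scripts."""
    manifest = json.loads(manifest_text)
    permissions = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    findings = []
    for perm in sorted(permissions):
        if perm in RISKY_PERMISSIONS:
            findings.append((perm, RISKY_PERMISSIONS[perm]))
    for host in sorted(set(manifest.get("host_permissions", []))):
        if host in BROAD_HOSTS:
            findings.append(("host:" + host, "host access to every website"))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(("content_script:" + pattern, "injects a script into every page"))
    return findings


def new_risky_items(old_manifest_text, new_manifest_text):
    """Risky items present in the updated manifest that the previous version did not have."""
    before = {item for item, _ in audit_manifest(old_manifest_text)}
    return [(item, why) for item, why in audit_manifest(new_manifest_text) if item not in before]


# Constructed manifests (Manifest V3 layout) for a hypothetical site-blocker before and after a sale.
ORIGINAL_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Site Blocker", "version": "1.4",
    "permissions": ["storage", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
})
UPDATED_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Site Blocker", "version": "1.5",
    "permissions": ["storage", "declarativeNetRequest", "cookies", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    print("Baseline findings for 1.4:")
    for item, why in audit_manifest(ORIGINAL_MANIFEST):
        print(f"  {item}: {why}")
    print("Newly added in 1.5:")
    for item, why in new_risky_items(ORIGINAL_MANIFEST, UPDATED_MANIFEST):
        print(f"  {item}: {why}")
```

A site blocker legitimately needs declarativeNetRequest and broad host access, which is precisely why the baseline is already sensitive; what the diff makes visible is the cookie, scripting and tab access plus the all-site content script that the new version gained, none of which a blocker needs.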

It is not infallible, but we have a trick to protect your phone against invisible malware: a timely restart

Applying the bandage after the wound is not ideal, but it is something we usually do in the digital world. When our accounts or passwords, or those of someone close to us, are compromised, that is when we start worrying about cybersecurity. We change the passwords, we add two-step verification and we look at what we can do to make our accounts and devices safer. And among all types of malware, there is one that is tremendously annoying and dangerous: spyware that performs zero-click attacks. The good news is that we can protect ourselves by acquiring a simple habit: restarting the phone.

Zero-click. When we talk about this kind of vulnerability, we mean a security flaw that lets someone put malicious software on our device without our having to perform any action. Exploiting a security flaw in a phone or PC, attackers are able to 'sneak' software onto the device without our having downloaded anything or clicked on strange links. That is why it is called 'zero-click': to open the doors of our device to other types of malware, such as phishing, we do have to perform an action. This is something that has recently been used in apps such as Outlook or on the iPhone, and the same thing always happens: flaws in the security of the app or the system open the door wide to zero-click malware.

Pegasus. These vulnerabilities are often present from the very day a new version of an app or operating system is released. Taking advantage of possible programming flaws and security gaps, malware can slip in through a back door without our knowing. And these attacks usually go hand in hand with spyware, which is very hard for the user to identify but has almost unrestricted access to our device. Pegasus surely sounds familiar: the spyware developed by an Israeli company that infected the phones of thousands of journalists, politicians and other public figures. Using capabilities similar to those of zero-click attacks, it can even read conversations in encrypted apps.

Through WhatsApp. But it is not the only one: recently, spyware known as Graphite infected the phones of several people via a WhatsApp flaw. Rocky Cole, co-founder of a cybersecurity company, told ZDNET that Graphite got onto the phone through an image or a PDF sent by WhatsApp to the victims' phones, and that the underlying processes triggered when the app receives files are what the attackers exploit to infect the device. It is not known, at least publicly, whether Graphite can reach the iOS kernel or only operate inside WhatsApp, but it could take advantage of a "privilege escalation", a vulnerability in the app, to move outside the messaging application. Cole says this attack was aimed at specific people, but notes that it is an emerging threat to everyone. "And the world is not at all prepared to deal with something like this," he says.

Treat it like a computer. In the report, Cole slips in a plug for his company's app, iVerify, but also two tips that are not new but are worth remembering. The first is that we should get into the habit of restarting or switching off the phone every day. The reason is that many of these vulnerabilities exist only in memory and, not being files, the malware should in theory be wiped out when memory is cleared after a restart. The bad news is that it is easy for the spyware to return to the device, so something he also recommends is installing updates as soon as they are available. These patches usually cover the vulnerabilities found both by the companies themselves and by outside groups, such as the Mozilla security group, which analyse software and warn those responsible so they can patch it.

Better to switch off. Although several security experts agree that we should not leave the phone on 24/7, not everyone agrees that a simple restart can solve these problems. The reason is that, when the device restarts, some phones try to keep everything as it was before, storing certain data in memory, and that data is what attackers would take advantage of. The NSA, the United States National Security Agency, has said that it is best to switch the phone off completely and wait a few seconds before turning it on again. That way all applications have to start from scratch. And, according to the NSA, it is something we should do once a week.

Beyond security. The NSA itself agrees with Cole that restarting or switching off the phone is not a magic solution against this type of malware, but it can hinder cybercriminals and force them to engineer new ways of maintaining access, perhaps ones that are more visible to the device's security systems. But security aside, both on the iPhone and, above all, on Android phones, restarting every so often closes processes and frees up RAM. This happens, as we say, especially on Android, where the system code can 'fight' against the manufacturer's customisation layer, making the phone run poorly after a long time without a restart or shutdown because there will be a lot of junk in the RAM.

The downside? It forces us to acquire a new habit. Switching off only takes a few seconds, but if we are not used to it, the easiest thing is to forget. The good news is that many phones already include scheduled restart and shutdown options in their settings.

It seemed that iOS was unwavering. Until this malware slipped into the App Store and started reading screenshots

Talking about iOS is (usually) synonymous with talking about security. But there is no infallible operating system. On Android we are fairly used to some kind of malware occasionally appearing in the Play Store, but in Apple's app store this is not common. For the first time, malware capable of reading screenshots has been found in the App Store. According to Kaspersky, it is the first detected case of an app published in the App Store capable of extracting text from images using Google technology. The antivirus company explained that this malware is part of a campaign that sought to attack users in order to find cryptographic keys. The seriousness of the matter comes from the distribution method: infected applications on both iOS and Android. On Android, these apps exceeded 240,000 downloads.

The apps were varied and did not follow a thematic pattern. Some were "AI chat" apps, others delivery apps, others messaging apps... Some of these applications had thousands of downloads in Apple's app store. How did they work? In both cases, the same way. The apps ran Google's OCR technology, a Google Cloud solution capable of recognising text automatically. Once we granted the apps permission to access the gallery, they were able to search our images for text and send it to the server. That is how the attackers obtained cryptocurrency wallet passwords or the recovery phrases and codes of any app. Kaspersky says it "cannot confirm with certainty whether the infection was the result of a supply chain attack or a deliberate action by the developers." It also points out that there may still be apps with this malware available in app stores. As we always say at Xataka, it is crucial not to grant gallery permissions to apps we do not trust 100%.

The Bank of Spain warns of a malware capable of “capturing bank credentials.” Its name: TrickMo

Scams and fraud are the order of the day. Nearly everyone will have received a call with a synthetic voice offering easy money, an SMS with a fraudulent link or an email impersonating some service or company. According to the Ministry of the Interior, in 2023 alone 426,744 computer scams were recorded, 27% more than in 2022, and the trend does not seem to be slowing. Scams and malware are the order of the day, and today it is the turn of TrickMo, the protagonist of the Bank of Spain's latest alert.

TrickMo. That is the name of this peculiar malware. The Bank of Spain refers to it as "one of the latest dangers detected", but the truth is that it is not the first time we have heard of it. TrickMo is a trojan with many variants, as security companies such as Cleafy and Zimperium have explained, and it is able to record the screen, capture one-time codes, grant itself permissions and simulate the lock screen or the phone's PIN prompt. The goal? Banking credentials, of course. According to the Bank of Spain, this malware "infiltrates mobile devices through malicious applications that we download or through fraudulent links." If it is installed, "TrickMo can access our SMS messages, capture bank credentials and access our accounts without authorisation." The agency also points out the following: "(…) there is a variant of TrickMo that 'paints' a fake interface simulating the phone's screen, where it records the movements we draw on it in order to obtain our PIN or unlock pattern."

Fake screens generated by TrickMo | Image: Zimperium

Affected. According to Zimperium's analysis, the main countries affected by this malware are Canada, the United Arab Emirates, Türkiye and Germany. Judging by the map shared in the report, there also seem to be victims in Spain, but the percentage is minimal compared with the four countries mentioned above.

How to avoid it? The Bank of Spain offers some basic tips, such as keeping software updated, not downloading apps from sources outside the official stores, enabling two-step authentication and paying attention to attachments and files. As for banks, they will most likely never send links by SMS. In emails and URLs, however legitimate they seem, it is best to check the sender and make sure that the letter "o" is not actually a zero, for example. And when in doubt, always consult the bank.
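The "o versus zero" check above is the kind of thing that is easy to miss by eye but simple to automate. The following Python script is an added example, not a Bank of Spain tool: it classifies the hostname of a URL against a list of trusted bank hostnames, catching digit-for-letter substitutions (0 for o, 1 for l, rn for m), a trusted name embedded as a subdomain of an unrelated domain, and single-character typo variants. The trusted hostnames use the reserved .example domain and the confusable table is this example's own; the check goes somewhat beyond the article by covering several lookalike patterns rather than only the zero-for-o case.

```python
from urllib.parse import urlparse

# Visual confusables commonly used in lookalike domains; the table is this example's own,
# not the Bank of Spain's.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}

# Constructed trusted hostnames (placeholders under the reserved .example TLD, not real banks).
TRUSTED_HOSTS = ("mybank.example", "online.mybank.example")


def skeleton(host):
    """Collapse a hostname to the 'shape' a human reads: 0 -> o, rn -> m, and so on."""
    s = host.lower()
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)


def is_under(host, trusted):
    """True when host is the trusted name itself or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_HOSTS):
    """Classify a URL's hostname as trusted, a known lookalike pattern, or unknown."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to locate the hostname
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if any(is_under(host, t) for t in trusted):
        return "trusted"
    host_shape = skeleton(host)
    for t in trusted:
        if host_shape == skeleton(t) or host_shape.endswith("." + skeleton(t)):
            return "lookalike: digit/letter substitution"
    for t in trusted:
        if t in host:  # e.g. mybank.example.evil.test
            return "lookalike: trusted name embedded in another domain"
    for t in trusted:
        if edit_distance(host, t) <= 1:
            return "lookalike: typo variant"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://online.mybank.example/login", "https://myb4nk.example/login",
                   "rnybank.example", "https://mybank.example.evil.test/",
                   "https://mybnk.example", "https://example.org"):
        print(f"{sample:40} {classify_url(sample)}")
```

"unknown" is deliberately not "safe": the script only recognises hostnames that resemble the trusted list, so an unrelated domain still needs the sender check the Bank of Spain recommends. A production version would also handle internationalised (punycode) hostnames, which can hide confusables the ASCII table above cannot see.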
