GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets - Related to wallets, c2, using, fake, gitvenom

Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware

Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader.

The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057. And UNC1151) since 2016. It's known to align with Russian security interests and promote narratives critical of NATO.

"The campaign has been in preparation since July-August 2024 and. Entered the active phase in November-December 2024," SentinelOne researcher Tom Hegel revealed in a technical findings shared with The Hacker News. "Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days."

The starting point of the attack chain analyzed by the cybersecurity firm is a Google Drive shared document that originated from an account named Vladimir Nikiforech and hosted a RAR archive.

The RAT file includes a malicious Excel workbook, which. When opened, triggers the execution of an obfuscated macro when prospective victims enable macros to be run. The macro proceeds to write a DLL file that ultimately paves the way for a simplified version of PicassoLoader.

In the next phase, a decoy Excel file is displayed to the victim, while. In the background, additional payloads are downloaded onto the system. As in recent times as June 2024, this approach was used to deliver the Cobalt Strike post-exploitation framework.

SentinelOne expressed it also discovered other weaponized Excel documents bearing Ukraine-themed lures to retrieve an unknown second-stage malware from a remote URL ("sciencealert[.]shop") in the form of a seemingly harmless JPG image. A technique known as steganography. The URLs are no longer available.

In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run and. Connect to stdin/stdout. It's directly loaded into memory as a . NET assembly and executed.

"Throughout 2024, Ghostwriter has repeatedly used a combination of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded . NET downloaders obfuscated with ConfuserEx," Hegel stated.

"While Belarus doesn't actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets."

Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware ...

Microsoft is investigating a new Microsoft 365 outage that is affecting Teams clients and causing call failures.

Since the incident started more th...

In Zohocorps ADSelfService Plus können Angreifer eine Sicherheitslücke missbrauchen. Um Konten zu übernehmen. Aktualisierte Software stopft das Sicher...

Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites

"The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services," Fortinet FortiGuard Labs mentioned in a technical research shared with The Hacker News.

The command is designed to download and. Execute a PowerShell script hosted on an adversary-controlled SharePoint server. The newly downloaded PowerShell checks if it's being run within a sandboxed environment before proceeding to download the Python interpreter (""), if it's not already present in the system.

The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that's capable of launching an embedded DLL, in this the Havoc Demon agent on the infected host.

"The threat actor uses Havoc in conjunction with the MicrosoQ Graph API to conceal C2 communication within well-known services," Fortinet stated, adding the framework supports elements to gather information, perform file operations, as well as carry out command and payload execution, token manipulation, and Kerberos attacks.

The development comes as Malwarebytes revealed that threat actors are continuing to exploit a known loophole in Google Ads policies to target PayPal end-consumers with bogus ads served via advertiser accounts that may have been compromised.

The ads seek to trick victims searching for assistance related to account issues or payment concerns into calling a fraudulent number that likely ends with them handing over their personal and financial information.

"A weakness within Google's policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain," Jérôme Segura, senior director of research at Malwarebytes. noted.

"Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service."

A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection effo...

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.

After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incide...

In Zohocorps ADSelfService Plus können Angreifer eine Sicherheitslücke missbrauchen, um Konten zu übernehmen. Aktualisierte Software stopft das Sicher...

GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets

Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub.

The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky.

"The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets and a crack tool to play the Valorant game," the Russian cybersecurity vendor introduced.

"All of this alleged project functionality was fake, and. Cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard."

The malicious activity has facilitated the theft of 5 bitcoins, approximately worth $456,600 as of writing. It's believed the campaign has been ongoing for at least two years, when some of the fake projects were published. A majority of the infection attempts have been recorded in Russia, Brazil, and Turkey.

The projects in question are written in various programming languages, including Python, JavaScript. C, C++, and C#. But regardless of the language used, the end goal is the same: Launch an embedded malicious payload that's responsible for retrieving additional components from an attacker-controlled GitHub repository and executing them.

Prominent among these modules is a information stealer that collects passwords, bank account information, saved credentials, cryptocurrency wallet data, and web browsing history; compresses them into a .7z archive, and exfiltrates it to the threat actors via Telegram.

Also downloaded via the bogus GitHub projects are remote administration tools like AsyncRAT and Quasar RAT that can be used to commandeer infected hosts and. A clipper malware that can substitute wallet addressed copied into clipboard with an adversary-owned wallet so as to reroute the digital assets to the threat actors.

"As code sharing platforms such as GitHub are used by millions of developers worldwide, threat actors will certainly continue using fake software as an infection lure in the future," Kaspersky researcher Georgy Kucherin noted.

"For that reason, it is crucial to handle processing of third-party code very carefully. Before attempting to run such code or integrate it into an existing project, it is paramount to thoroughly check what actions are performed by it."

Furthermore, the development comes as Bitdefender revealed that scammers are exploiting major e-sports tournaments like IEM Katowice 2025 and PGL Cluj-Napoca 2025 to target players of the popular video game Counter-Strike 2 (CS2) with the intent to defraud them.

"By hijacking YouTube accounts to impersonate professional players like s1mple, NiKo, and donk, cybercriminals are luring fans into fraudulent CS2 skin giveaways that result in stolen Steam accounts, cryptocurrency theft. And the loss of valuable in-game items," the Romanian cybersecurity firm stated.

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android dev...

The Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Life...

Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection functions...