Connect with us

CyberSecurity

The Storm Infostealer: A New Era of Remote Credential Theft

Published

on

The Storm Infostealer: A New Era of Remote Credential Theft

A dangerous evolution in credential theft has emerged from the digital shadows. Security analysts at Varonis have identified a sophisticated new Storm infostealer that operates with a chilling efficiency. Instead of risking detection by decrypting stolen data on a victim’s computer, this malware quietly packages everything and ships it off to the attacker’s own servers. This fundamental shift makes traditional endpoint defenses far less effective, marking a significant escalation in the cybercrime arms race.

How Storm Infostealer Evades Detection

To understand Storm’s threat, we must first look at what came before. Historically, information stealers worked locally. They would infiltrate a system, load libraries to access browser databases, and decrypt saved passwords and cookies right there on the victim’s machine. This activity, however, left clear footprints—processes accessing sensitive files, unusual network calls—that modern security tools learned to recognize and block.

Then, the landscape changed. Building on this, major browsers like Google Chrome introduced stronger, app-bound encryption. This made local decryption incredibly difficult, forcing malware authors to find new methods. Initial workarounds involved complex code injection or abusing debugging features, but these too left traces for vigilant security software to find.

The Remote Decryption Advantage

Therefore, the creators of Storm adopted a radically different approach. The malware acts as a sophisticated collector. It harvests encrypted credential files, session cookies, autofill data, and even credit card information directly from the browser’s secure storage. Crucially, it does not attempt to crack them open locally. Instead, it transmits the encrypted loot back to a command server controlled by the attacker. The decryption happens safely in the attacker’s own environment, completely bypassing the victim’s antivirus and endpoint detection systems. This server-side processing is a core reason why the Storm infostealer is so concerning to experts.

What Does the Storm Infostealer Steal?

The breadth of data targeted by Storm is comprehensive, designed to give attackers maximum leverage. After infection, it systematically collects a victim’s entire digital identity. This includes saved passwords, active session cookies, browsing history, and Google account tokens. Furthermore, it captures autofill data and stored credit card details. One compromised browser can hand an attacker the keys to corporate SaaS platforms, internal tools, and cloud environments without ever triggering a single password alert.

In addition to browser data, Storm casts a wider net. It scours user directories for documents, captures system information and screenshots, and extracts session data from popular messaging apps like Telegram, Signal, and Discord. Perhaps most alarmingly for some, it specifically targets cryptocurrency wallets, pilfering data from both browser extensions and dedicated desktop applications. According to researchers, all this activity runs directly in the computer’s memory to minimize its footprint and further reduce the chance of detection.

Automated Session Hijacking and Criminal Economics

Beyond mere data collection, Storm automates the next critical step: exploitation. Most stealers simply dump raw logs into a buyer’s panel, requiring manual effort to sift through and use the stolen credentials. Storm changes this equation. It automatically feeds stolen Google Refresh Tokens into its operator panel. Simultaneously, it provides a geographically matched SOCKS5 proxy. This combination allows the criminal to silently restore the victim’s authenticated session from a location that appears legitimate, enabling seamless account takeover and fraud.

On the criminal marketplace, this capability comes at a price. Varonis reports that access to the Storm infostealer is sold for less than $1,000 per month, making it an accessible tool for a wide range of threat actors. During their investigation, the company’s threat intelligence team identified 1,715 victim entries in Storm’s panel, with connections originating from countries including the United States, India, Brazil, Indonesia, Vietnam, and Ecuador. The diversity of network sources suggests active, widespread malicious campaigns.

High-Value Targets and the Broader Threat

The credentials stolen by Storm are not random. They are focused on high-value platforms that offer direct financial or strategic payoff. This includes major social media and communication giants like Facebook and Twitter/X. On the financial front, the malware aggressively targets leading cryptocurrency exchanges and services such as Coinbase, Binance, Blockchain.com, and Crypto.com.

Consequently, this stolen data fuels a thriving underground economy. Credentials are packaged and sold on dark web marketplaces, where they are used for everything from straightforward financial fraud and account resale to serving as the initial foothold for more advanced, targeted attacks against individuals and organizations. For more on protecting against such initial access threats, read our guide on endpoint security best practices.

Ultimately, the emergence of Storm signals a troubling trend toward more resilient and automated cybercrime tools. By moving the decryption process off the victim’s machine, attackers have found a way to neutralize a key defensive detection method. This development underscores the need for a layered security approach that includes robust network monitoring, user education on phishing threats, and advanced threat-hunting capabilities to identify anomalous data exfiltration, even when it’s encrypted. For deeper insights into the malware landscape, explore our analysis of the evolution of information stealers.

CyberSecurity

Fake CAPTCHA Pages Deliver SCMBANKER Malware to Mexican Banking Users

Published

on

SCMBANKER malware

Fake CAPTCHA Pages Are the Hook

Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.

Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.

This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.

How the Infection Chain Works

The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.

Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.

Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.

Why Mexican Users Are in the Crosshairs

Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.

The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.

Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.

ClickFix: A Growing Social Engineering Trend

The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.

Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.

For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.

Protecting Yourself from CAPTCHA-Based Malware

Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.

Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.

Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.

What Comes Next

The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.

As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.

For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.

Continue Reading

CyberSecurity

Four Security Vendors Rush Patches for Critical and High-Severity Product Bugs

Published

on

Trend Micro Tanium ESET Tenable patches

July has been a busy month for security teams inside four major cybersecurity vendors. Trend Micro, Tanium, ESET, and Tenable all shipped product updates targeting vulnerabilities that range from critical down to medium severity. No active exploitation has been reported for any of these bugs — but as recent attacks on Palo Alto Networks and Trend Micro itself have shown, security products are a prime target for sophisticated threat actors.

Here is what got patched, who is affected, and why these fixes matter now.

Tenable Agent: Critical Path Traversal Opens Door to RCE

The most severe of the bunch is a critical-severity path traversal vulnerability in the Tenable Agent, tracked as CVE-2026-15265. Tenable notified customers this week that the flaw could let an attacker achieve remote code execution on an affected system.

Path traversal bugs are a classic but still dangerous class of vulnerability. They allow an attacker to break out of restricted directories and write or execute files in places they should not have access to. When that happens inside a security agent — software designed to run with elevated privileges — the consequences can be severe. In this case, Tenable rates the bug as critical, meaning organizations should prioritize updating their agents immediately.

The advisory does not specify a CVSS score, but the critical designation alone signals urgency. Tenable has not published any workaround; the fix is the update itself.

ESET Inspect Connector: Local Privilege Escalation via ALPC

ESET disclosed a high-severity local privilege escalation vulnerability in its Inspect Connector for Windows on Tuesday. The company explained that an attacker with local access could send specially crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’s interface.

“Without proper authentication or origin validation in place, this message would be accepted and processed,” ESET wrote in its advisory. That means the attacker could access restricted functionality — essentially, they could elevate their privileges on the machine.

This is not a remote exploit. An attacker would need to already have some foothold on the system. But once inside, this bug makes lateral movement and deeper compromise much easier. ESET also published a separate advisory for a medium-severity denial-of-service (DoS) vulnerability affecting its security products for Linux.

Tanium Server: Unauthenticated DoS from the Network

Tanium informed customers last week about a high-severity flaw in the Tanium Server that could allow an unauthenticated, network-based attacker to launch a denial-of-service attack. The company’s advisory is characteristically sparse on technical details, but the risk is clear: an attacker who can reach the Tanium Server over the network does not need valid credentials to knock it offline.

For organizations that rely on Tanium for endpoint management and incident response, a DoS on the server could blind them to threats across the fleet. The update is recommended for all supported versions.

Trend Micro Cleaner One Pro: Local Privilege Escalation

Trend Micro warned users of Cleaner One Pro last week about a high-severity local privilege escalation vulnerability. The company said the bug could allow an attacker to delete privileged Trend Micro files — essentially letting a low-privileged user tamper with security software.

Cleaner One Pro is a system optimization tool, not a core security product like Apex One. Still, any vulnerability that lets an attacker delete files belonging to a Trend Micro application is concerning. It could be used to disable protections or corrupt logs.

Why Security Product Vulnerabilities Are a Bigger Deal

None of these vulnerabilities are known to have been exploited in the wild — yet. But there is a reason security teams pay close attention when a vendor like Trend Micro or ESET issues a patch. Security products run with high privileges by design. They have deep access to the operating system, the file system, and network traffic. A successful exploit against a security agent can give an attacker a beachhead that is extremely hard to detect.

Recent history bears this out. In June 2026, both Palo Alto Networks and Trend Micro confirmed that attackers had exploited vulnerabilities in their products in the wild. Those incidents served as a reminder that threat actors actively hunt for bugs in the very tools meant to stop them.

What Organizations Should Do Now

The message from all four vendors is the same: update now. For Tenable Agent, that means applying the latest version as soon as possible. For ESET Inspect Connector and Tanium Server, the same. For Trend Micro Cleaner One Pro, users should check for updates through the application or the vendor’s download portal.

If your organization uses any of these products, this is not a patch cycle to delay. The vulnerabilities are real, the fixes are available, and the window of opportunity for attackers is only getting wider.

For more context on recent security product vulnerabilities, see our coverage of Fortinet, Ivanti, and ServiceNow patches and the recent CrowdStrike and Tenable fixes.

Continue Reading

CyberSecurity

Vidar Infostealer Targets SMBs in Malvertising Blitz: Cracked Software Lures Deliver Double Payload

Published

on

Vidar infostealer malvertising

Malvertising Delivers More Than Users Bargained For

A fresh wave of malvertising is battering small and medium-sized businesses, and the culprit is a familiar name in the cybercrime underworld: the Vidar infostealer. Researchers have tracked a financially motivated campaign that dangles cracked or pirated software as bait — but the catch is a nasty two-for-one payload that both steals sensitive data and hijacks system resources for cryptomining.

The operation, active since at least early 2025, relies on malicious ads that appear in search results for popular business tools. Think project management suites, accounting software, and design apps — all offered for free. Click one of these ads, and you’re not downloading a freebie. You’re inviting Vidar straight onto your network.

This isn’t a lone actor. The campaign shows signs of professional organization, with multiple ad accounts and constantly refreshed domains. For SMBs already stretched thin on IT security, it’s a brutal reminder that free software rarely comes without a cost.

How the Vidar Infostealer Campaign Works

The infection chain starts with a search. An employee at a small business types “free [popular software] download” into a search engine. A sponsored ad appears, looking legitimate — complete with a convincing logo and landing page. The user clicks, downloads what appears to be an installer, and runs it.

Inside that installer is a multi-stage dropper. It unpacks Vidar infostealer first, which immediately begins scraping credentials, browser cookies, cryptocurrency wallet files, and even two-factor authentication tokens. Then, almost as an afterthought, it deploys a cryptominer that eats CPU cycles in the background.

The result? Data exfiltration happens fast — often within minutes. And the cryptominer runs quietly, draining electricity and slowing systems until someone notices the fan noise or a spike in the power bill.

Why SMBs Are the Prime Target

Large enterprises have robust security stacks, endpoint detection, and dedicated threat-hunting teams. SMBs? Not so much. A 2024 report from the Ponemon Institute found that 60% of small businesses that suffer a cyberattack go out of business within six months. Attackers know this. They also know SMBs are more likely to search for cheap or free software alternatives.

“SMBs are the sweet spot for malvertising,” says one threat analyst who tracks Vidar. “They have valuable data but not the budget for top-tier defenses. Cracked software is an easy hook.”

The campaign’s use of legitimate ad networks makes it even harder to block. Malicious ads slip through automated review systems, and by the time they’re flagged, the damage is often done.

The Double Payload: Data Theft Meets Cryptomining

Vidar has been around since 2018, marketed on Russian-language cybercrime forums as an off-the-shelf infostealer. It’s known for its speed — it can grab browser data, email client credentials, and cryptocurrency wallets in under a minute. In this campaign, it’s paired with a cryptominer that targets Monero (XMR), a privacy coin favored by attackers because transactions are harder to trace.

The combination is ruthless. First, Vidar exfiltrates everything it can. Then the miner establishes persistence, running as a background process that survives reboots. The victim loses both data and computing power. For an SMB with limited IT staff, detecting the miner might take weeks. By then, credentials stolen by Vidar could already be sold on dark web forums or used in follow-up attacks like ransomware.

Security firm Proofpoint first flagged the uptick in Vidar activity tied to malvertising in late 2024. Since then, the volume has only grown. In one observed cluster, attackers registered over 40 domains in a single week, each mimicking a legitimate software vendor.

Protecting Your Business From Malvertising and Infostealers

There’s no silver bullet, but a few practical steps can dramatically reduce risk. Start with the basics:

  • Ban cracked software outright. Write a clear policy. No exceptions. Free or pirated versions of paid tools are the #1 delivery mechanism for infostealers like Vidar.
  • Use ad-blocking or DNS filtering. Tools like uBlock Origin or a DNS filter (e.g., NextDNS) can block malicious ad domains before they load.
  • Deploy endpoint detection and response (EDR). Free options exist for small businesses, like Microsoft Defender for Business. EDR can catch the unusual process behavior of a cryptominer.
  • Train employees to spot malvertising. Show them what a malicious sponsored ad looks like. Teach them to hover over links before clicking. A skeptical eye is still one of the best defenses.
  • Monitor for unusual CPU usage. A sudden, sustained spike in processor load — especially on idle machines — is a telltale sign of cryptomining.

For SMBs that rely on cloud services, enabling multi-factor authentication on every account is critical. Vidar often steals session cookies that bypass MFA, but it’s still a strong layer of defense. Also consider endpoint security best practices that include application whitelisting to block unauthorized installers.

The Bottom Line on Vidar and Malvertising

This campaign isn’t revolutionary in technique — malvertising and cracked software lures are old tricks. What’s new is the scale and the double payload. Vidar’s operators have industrialized the process, buying ads at scale and rotating infrastructure faster than most blocklists can keep up.

For SMB owners, the takeaway is simple: if an ad promises free access to expensive software, it’s almost certainly a trap. The Vidar infostealer campaign proves that the cost of “free” can be your company’s data — and your bottom line.

Continue Reading

Trending