Connect with us

CyberSecurity

Vidar Infostealer Targets SMBs in Malvertising Blitz: Cracked Software Lures Deliver Double Payload

Published

on

Vidar infostealer malvertising

Malvertising Delivers More Than Users Bargained For

A fresh wave of malvertising is battering small and medium-sized businesses, and the culprit is a familiar name in the cybercrime underworld: the Vidar infostealer. Researchers have tracked a financially motivated campaign that dangles cracked or pirated software as bait — but the catch is a nasty two-for-one payload that both steals sensitive data and hijacks system resources for cryptomining.

The operation, active since at least early 2025, relies on malicious ads that appear in search results for popular business tools. Think project management suites, accounting software, and design apps — all offered for free. Click one of these ads, and you’re not downloading a freebie. You’re inviting Vidar straight onto your network.

This isn’t a lone actor. The campaign shows signs of professional organization, with multiple ad accounts and constantly refreshed domains. For SMBs already stretched thin on IT security, it’s a brutal reminder that free software rarely comes without a cost.

How the Vidar Infostealer Campaign Works

The infection chain starts with a search. An employee at a small business types “free [popular software] download” into a search engine. A sponsored ad appears, looking legitimate — complete with a convincing logo and landing page. The user clicks, downloads what appears to be an installer, and runs it.

Inside that installer is a multi-stage dropper. It unpacks Vidar infostealer first, which immediately begins scraping credentials, browser cookies, cryptocurrency wallet files, and even two-factor authentication tokens. Then, almost as an afterthought, it deploys a cryptominer that eats CPU cycles in the background.

The result? Data exfiltration happens fast — often within minutes. And the cryptominer runs quietly, draining electricity and slowing systems until someone notices the fan noise or a spike in the power bill.

Why SMBs Are the Prime Target

Large enterprises have robust security stacks, endpoint detection, and dedicated threat-hunting teams. SMBs? Not so much. A 2024 report from the Ponemon Institute found that 60% of small businesses that suffer a cyberattack go out of business within six months. Attackers know this. They also know SMBs are more likely to search for cheap or free software alternatives.

“SMBs are the sweet spot for malvertising,” says one threat analyst who tracks Vidar. “They have valuable data but not the budget for top-tier defenses. Cracked software is an easy hook.”

The campaign’s use of legitimate ad networks makes it even harder to block. Malicious ads slip through automated review systems, and by the time they’re flagged, the damage is often done.

The Double Payload: Data Theft Meets Cryptomining

Vidar has been around since 2018, marketed on Russian-language cybercrime forums as an off-the-shelf infostealer. It’s known for its speed — it can grab browser data, email client credentials, and cryptocurrency wallets in under a minute. In this campaign, it’s paired with a cryptominer that targets Monero (XMR), a privacy coin favored by attackers because transactions are harder to trace.

The combination is ruthless. First, Vidar exfiltrates everything it can. Then the miner establishes persistence, running as a background process that survives reboots. The victim loses both data and computing power. For an SMB with limited IT staff, detecting the miner might take weeks. By then, credentials stolen by Vidar could already be sold on dark web forums or used in follow-up attacks like ransomware.

Security firm Proofpoint first flagged the uptick in Vidar activity tied to malvertising in late 2024. Since then, the volume has only grown. In one observed cluster, attackers registered over 40 domains in a single week, each mimicking a legitimate software vendor.

Protecting Your Business From Malvertising and Infostealers

There’s no silver bullet, but a few practical steps can dramatically reduce risk. Start with the basics:

  • Ban cracked software outright. Write a clear policy. No exceptions. Free or pirated versions of paid tools are the #1 delivery mechanism for infostealers like Vidar.
  • Use ad-blocking or DNS filtering. Tools like uBlock Origin or a DNS filter (e.g., NextDNS) can block malicious ad domains before they load.
  • Deploy endpoint detection and response (EDR). Free options exist for small businesses, like Microsoft Defender for Business. EDR can catch the unusual process behavior of a cryptominer.
  • Train employees to spot malvertising. Show them what a malicious sponsored ad looks like. Teach them to hover over links before clicking. A skeptical eye is still one of the best defenses.
  • Monitor for unusual CPU usage. A sudden, sustained spike in processor load — especially on idle machines — is a telltale sign of cryptomining.

For SMBs that rely on cloud services, enabling multi-factor authentication on every account is critical. Vidar often steals session cookies that bypass MFA, but it’s still a strong layer of defense. Also consider endpoint security best practices that include application whitelisting to block unauthorized installers.

The Bottom Line on Vidar and Malvertising

This campaign isn’t revolutionary in technique — malvertising and cracked software lures are old tricks. What’s new is the scale and the double payload. Vidar’s operators have industrialized the process, buying ads at scale and rotating infrastructure faster than most blocklists can keep up.

For SMB owners, the takeaway is simple: if an ad promises free access to expensive software, it’s almost certainly a trap. The Vidar infostealer campaign proves that the cost of “free” can be your company’s data — and your bottom line.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

The Ghost Phishing Wave That Makes Traditional Email Security Blink

Published

on

ghost phishing

The Invisible Threat That Activates Inside Your Browser

A fresh wave of attacks is quietly dismantling the assumptions behind most corporate email defenses. Dubbed “ghost phishing,” the technique comes from a campaign security researchers are tracking as EvilTokens — and it’s already hitting businesses across the US and Europe.

Here’s what makes it different: the malicious page doesn’t exist when the email lands. It doesn’t appear when the URL scanner checks it. It only springs to life — fully formed and dangerous — after it decrypts inside the victim’s browser. By then, the damage is often underway.

For CISOs and security teams, this isn’t just another phishing variant. It’s a direct attack on the core assumption that scanning a link at the time of delivery is enough.

How EvilTokens Turns a Blind Spot Into a Breach

The EvilTokens campaign works by embedding a URL that points to a seemingly harmless page. Standard email security tools — the kind that inspect links in real time — see nothing suspicious. The page is blank, or returns a benign status code. It passes every check.

But that URL contains an encrypted payload. When the recipient clicks it, the page decrypts inside the browser using client-side JavaScript. Suddenly, a convincing login page for Microsoft 365 appears. The victim, believing they’ve hit a legitimate authentication screen, enters their credentials. The attackers now have access to email, files, and whatever else sits behind that account.

This is not a theoretical flaw. Researchers have documented active compromises tied to the campaign, with attackers moving quickly from credential theft to data exfiltration and lateral movement inside corporate networks.

Why Traditional Email Security Misses the Mark

Most email security platforms rely on a handful of techniques: reputation analysis, URL sandboxing, and machine learning models trained on known malicious patterns. They work well against conventional phishing — the kind where the malicious page is already live when the link is checked.

Ghost phishing breaks that model entirely.

Because the malicious content is encrypted and only rendered client-side, there’s nothing for the scanner to find. No malicious JavaScript. No fake login form. No phishing indicators. The page is a ghost — invisible until the moment it needs to be seen by the victim, not the security tool.

This approach also evades time-of-click inspection, a more advanced protection that re-checks URLs when the user clicks. If the page still hasn’t decrypted at that moment, it passes again. The attack only reveals itself milliseconds later, inside the browser’s rendering engine.

What This Means for Microsoft 365 Defenders

The campaign specifically targets Microsoft 365 credentials, making it a direct threat to the thousands of organizations that rely on the platform for email, collaboration, and cloud storage. Once an attacker has a valid session token or password, they can access Microsoft 365 security settings, reset multi-factor authentication, and exfiltrate data without triggering alarms.

Security teams need to ask a hard question: if your email gateway can’t see the attack, what is your second line of defense?

Practical Defenses Against Ghost Phishing

There is no single magic bullet for ghost phishing, but a layered approach can significantly reduce risk.

  • Browser-level isolation: Technologies like remote browser isolation execute all web content in a sandboxed environment. Even if a page decrypts maliciously, it never touches the user’s actual browser or network.
  • Behavioral analytics for email: Look for anomalies in sender behavior, reply patterns, and email routing — not just link reputation. The EvilTokens campaign often uses compromised legitimate accounts to send the phishing emails.
  • Client-side JavaScript monitoring: Some endpoint detection tools can flag unexpected JavaScript decryption or DOM manipulation, even if the initial URL was clean.
  • User reporting and rapid response: Since no filter catches every ghost phish, a strong reporting culture and automated incident response workflow are critical. Every second counts when credentials are being harvested.

These defenses don’t replace traditional email security — they supplement it. The goal is to catch what the scanners miss, and to limit damage when a user does fall for the lure.

The Bigger Picture: A New Category of Email Attack

Ghost phishing represents a structural shift in how attackers think about evasion. Instead of trying to hide from scanners through obfuscation or domain rotation — tactics that security vendors have learned to counter — they simply refuse to show the malicious content until the scanner has already moved on.

This is harder to build than a typical phishing kit. It requires careful encryption logic, reliable decryption in the browser, and a delivery chain that avoids raising suspicion. The fact that EvilTokens is already operational suggests that attackers are investing in sophistication, not just volume.

For security leaders, the takeaway is uncomfortable but clear: the email security stack that worked five years ago is no longer sufficient. The ghosts are already inside the machine. The question is whether your defenses can see them.

Continue Reading

CyberSecurity

A Lone Hacker Used AI to Breach AWS in 72 Hours — Here’s What Went Wrong

Published

on

AWS breach 72 hours

The 72-Hour Cloud Breach That Shook AWS Security

A single attacker armed with AI tools and stolen credentials managed to break into a large Amazon Web Services cloud environment in just three days. The incident, reported by cloud security firm Mitiga, reveals a frightening new reality: cloud defenses that once held up against human attackers are crumbling under AI-assisted assaults.

The attacker didn’t just brute-force their way in. They exploited AI workflows, chained together multiple cloud weaknesses, and used stolen credentials to move laterally. Within 72 hours, they had enough access to extort the victim — a major AWS customer whose identity remains undisclosed.

This isn’t a nation-state operation. It wasn’t a sophisticated hacker collective. It was one person, working alone, with AI as their force multiplier.

How the Attacker Exploited AI Workflows

The breach didn’t start with a flashy zero-day. It started with something far more mundane: compromised credentials. The attacker obtained access to an AWS Identity and Access Management (IAM) user account — probably through phishing, credential stuffing, or a third-party data leak.

Once inside, they didn’t just poke around. They used AI tools to analyze the cloud environment, identify weak points, and automate the discovery of misconfigured S3 buckets, exposed APIs, and overly permissive roles. Traditional reconnaissance that might take a team of humans weeks was compressed into hours.

AI-powered scanning let the attacker map the entire cloud infrastructure in record time. They found a chain of vulnerabilities — a public-facing EC2 instance with an outdated SSH key, a Lambda function with excessive permissions, and a CloudTrail logging gap that left blind spots.

The AI Workflow Exploitation Itself

Perhaps most troubling: the attacker targeted the victim’s own AI workflows. Many AWS customers now run machine learning pipelines, using services like Amazon SageMaker and Bedrock. These workflows often involve large datasets, model training scripts, and automated deployment pipelines — all rich targets.

The attacker injected malicious code into a SageMaker notebook instance, which then executed with the permissions of the service role. That gave them access to training data, model artifacts, and even the ability to poison future outputs. They also exploited a misconfigured Bedrock agent that had access to internal databases.

By weaponizing the victim’s own AI infrastructure, the attacker turned a productivity tool into a backdoor.

Stolen Credentials and Lateral Movement

Stolen credentials were the linchpin. The attacker used the initial IAM access to harvest more keys — from EC2 instance metadata, from environment variables in Lambda functions, and from secrets stored in plaintext in a code repository.

Each new credential opened another door. They moved from the compromised IAM account to an S3 bucket with customer data, then to an RDS database containing financial records. The lateral movement was systematic, deliberate, and fast.

Cloud security teams often assume that stolen credentials alone can’t cause catastrophic damage. This breach proves otherwise. When combined with AI-driven reconnaissance, a single set of keys becomes a skeleton key.

The Extortion Stage: How the Attacker Demanded Payment

Once the attacker had access to critical data and systems, they didn’t exfiltrate everything quietly. They made their presence known. They encrypted several S3 buckets using the victim’s own KMS keys — a technique that leaves the victim locked out of their own data.

Then came the extortion demand. The attacker threatened to release the stolen data publicly and permanently destroy the encrypted buckets unless a ransom was paid. The exact amount hasn’t been disclosed, but the victim was left with no easy way out.

This is a new breed of cloud extortion. It’s not just about ransomware on a single server. It’s about holding an entire cloud environment hostage — and using AI to make the attack faster, more precise, and harder to detect.

Cloud Security Lessons: What AWS Customers Must Do Now

The Mitiga report offers several specific recommendations. Here’s what every AWS customer should take away:

  • Audit AI workflows immediately. SageMaker notebooks, Bedrock agents, and Lambda functions that process AI data need strict permission boundaries. Assume they will be targeted.
  • Rotate credentials aggressively. Stolen IAM keys were the entry point. Use short-lived credentials via AWS STS whenever possible. Enable MFA for every user — no exceptions.
  • Close logging gaps. The attacker exploited blind spots in CloudTrail. Enable detailed logging for all API calls, especially for IAM, S3, and Lambda. Use GuardDuty to detect anomalous behavior.
  • Segment the environment. The attacker moved laterally because there were no network boundaries between the compromised IAM account and sensitive databases. Use VPCs, security groups, and service control policies to isolate critical assets.
  • Monitor for AI-specific attacks. Traditional security tools may miss malicious activity in machine learning pipelines. Consider specialized monitoring for model access, training data modifications, and unusual API calls to AI services.

This breach could happen to any AWS customer. The tools the attacker used — stolen credentials, AI automation, cloud misconfigurations — are available to anyone with malicious intent and a few hundred dollars worth of compute time.

The window for detection is shrinking. A human attacker might leave traces over weeks. An AI-assisted attacker can complete the kill chain in a weekend. Cloud security teams need to think faster, automate defenses, and assume that credentials are already compromised.

Because the next lone attacker won’t be alone. They’ll have AI on their side.

Continue Reading

CyberSecurity

CISA Flags Four New Flaws Under Active Attack: Adobe, Joomla, and Langflow Affected

Published

on

actively exploited vulnerabilities

Urgent Patch Deadline: Three Weeks for Federal Agencies

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog. The agency confirmed evidence of active exploitation in the wild. Federal civilian agencies now have until April 11, 2026 — just three weeks — to patch or remediate these bugs under Binding Operational Directive (BOD) 22-01.

That timeline isn’t optional. It’s a hard deadline for .gov networks. But the implications stretch far beyond government IT. Any organization running the affected software should treat this as a red alert.

The Four Flaws: A Quick Breakdown

CISA’s latest KEV update covers vulnerabilities in Adobe ColdFusion, Joomla, and Langflow. Here’s what you need to know about each one.

1. CVE-2026-48282 — Adobe ColdFusion (CVSS 10.0)

This is the headliner. A path traversal vulnerability in Adobe ColdFusion that carries a perfect 10.0 CVSS score. Attackers can exploit it to achieve arbitrary code execution on the target server. That’s the worst kind of bug: full system compromise, no authentication required, with a low attack complexity.

Adobe released a security update for this flaw back in March. If you haven’t applied it yet, you’re effectively leaving a backdoor open. ColdFusion has been a favorite target for ransomware groups and state-sponsored actors for years. This isn’t a theoretical risk — CISA’s KEV listing confirms it’s already being used in real attacks.

2. CVE-2025-4439 — Joomla Core Vulnerability

The second actively exploited vulnerability resides in Joomla, the popular open-source content management system. While CISA’s public advisory doesn’t yet detail the exact attack vector, the KEV inclusion signals that threat actors have found a reliable way to weaponize it. Joomla sites running unpatched versions should be considered compromised until proven otherwise.

3. CVE-2025-3248 and CVE-2025-3249 — Langflow Bugs

Langflow, a visual framework for building AI and machine learning applications, has two flaws on the list. Both are under active exploitation. Langflow’s growing popularity in the AI development space makes it an attractive target. Organizations using Langflow for internal AI pipelines should prioritize patching immediately.

Why This Matters for Your Organization

Three weeks sounds like plenty of time. It isn’t. Not when you factor in patch testing, deployment windows, and the sheer chaos of modern IT environments. Attackers know this. They’re counting on it.

The KEV catalog isn’t a suggestion. It’s a list of vulnerabilities that CISA has confirmed are being actively exploited. For federal agencies, it’s a legal obligation. For everyone else, it’s a clear signal: patch now, or accept the risk of a breach.

What makes these four vulnerabilities particularly dangerous is their diversity. They hit a legacy enterprise platform (ColdFusion), a widely used CMS (Joomla), and an emerging AI tool (Langflow). That means attackers have multiple entry points across different parts of your infrastructure.

What You Should Do Right Now

Start with the Adobe ColdFusion fix. A CVSS 10.0 flaw with active exploitation is your highest priority. Verify your version against Adobe’s security bulletin and apply the patch. If you can’t patch immediately, isolate the affected servers from the internet.

Next, check your Joomla installations. The CMS powers millions of websites, many of which are small businesses with minimal security staffing. If you’re running Joomla, confirm you’re on the latest supported version and review your access logs for signs of compromise.

Finally, audit any Langflow deployments. Because Langflow is newer and often used in experimental or development environments, it may have flown under the radar of your standard patch management process. Find it. Patch it.

Don’t forget the basics: enable multi-factor authentication, review user permissions, and ensure your vulnerability management program covers third-party and open-source components. The KEV catalog is a free resource — use it. Subscribe to updates, and cross-reference it against your asset inventory weekly.

The Bigger Picture: Active Exploitation Is the Norm

This KEV update is a reminder that the gap between disclosure and exploitation is shrinking. Attackers don’t wait for patch Tuesday. They scan for vulnerable systems within hours of a CVE being published. The four flaws added today were already being weaponized before CISA made them public.

That’s the new reality. Software vendors release patches; criminals reverse-engineer them to find the underlying vulnerability; and then they hunt for unpatched systems. It’s a cycle that repeats with every major update.

Your defense isn’t just about patching fast. It’s about knowing what you have, tracking what’s vulnerable, and having a process that can respond in days, not months. The organizations that survive these attacks are the ones that treat patching as a core operational discipline, not an afterthought.

Check your Adobe ColdFusion version. Update your Joomla instance. Find your Langflow servers. You have three weeks. Don’t waste them.

Continue Reading

Trending