Feed aggregator
Password managers keep your passwords safe, unless…
I’m a big advocate of password managers. Granted, there are better alternatives for passwords like passkeys, but if a provider offers nothing but password options, which many do, you can’t do much about that. So, for the time being we seem to be stuck with passwords.
Every reputable password manager claims that they can’t see your passwords, even if they wanted to. But researchers have found that these “zero‑knowledge” cloud password managers are more vulnerable than their marketing suggests.
The researchers also warn that this is not an immediate cause for panic. A full-on password leak would require rare, high-end failures such as a malicious or fully compromised server combined with specific design weaknesses and features being enabled.
The underlying “problem” is that most of these password managers are cloud-based. Very handy if you’re working on another device and need access, but it also enlarges the attack surface. Sharing your passwords with another device or another user opens up the possibility of unwanted access.
The researchers tested a number of different vendors, including LastPass, Bitwarden, and Dashlane, and devised several attack scenarios that could allow the recovery of passwords.
Weaknesses
Password managers with groups of users
In groups, recovery keys, group keys, and admin public keys are shared by fetching them from the server, often without any authenticity guarantee. Under the right circumstances, that lets an attacker gain access.
When a group admin has enabled policies such as “auto or manual recovery,” it’s possible to silently change them using a compromised server if there’s no integrity protection on the org “policy blob” (a small configuration file).
Weak encryption on compromised server
Your password manager takes your master password and runs it through PBKDF2 many times (e.g., 600,000 rounds) before storing a hash. But on a compromised server, an attacker could turn down the number of iterations to, say, 2, which makes the master password easy to guess or brute-force.
Account recovery options
On a compromised server an attacker could change the policy blob and change the settings to “auto recovery” and send it to the clients. Switching to auto‑recovery helps the attacker because it lets the system hand over your vault keys without anyone having to click “approve” or even notice it happening.
So, the attacker can turn what should be a rare, user‑visible emergency process into a silent, routine mechanism they can abuse to pull out vault keys at scale or in a stealthy, targeted way.
Backwards compatibility
To avoid locking out users on old clients, providers keep supporting deprecated key hierarchies and non‑AEAD (Authenticated Encryption with Associated Data) modes such as CBC (Cipher Block Chaining) without robust integrity checks. This opens the door to classic downgrade attacks where the server coaxes a client into using weaker schemes and then gradually recovers plaintext.
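As an added example (not from the article or from any vendor's code), here is a client-side guard that refuses the three server-side manipulations described above: a PBKDF2 iteration count turned down, an org policy blob switched to auto-recovery without integrity protection, and a downgrade to a non-AEAD cipher mode. It assumes the client already holds an authenticated org policy key (modelled as a constructed HMAC key); as the article notes, an admin key fetched from the server without an authenticity guarantee would defeat that check.

```python
"""Added example, not the article's or any vendor's code: a password-manager
client that treats weakened server-supplied parameters as an attack.
Keys, salts, blobs and names below are constructed for the demonstration."""
import hashlib
import hmac
import json

MIN_PBKDF2_ITERATIONS = 600_000  # floor enforced by the client, never taken from the server
ALLOWED_CIPHERS = {"aes-256-gcm", "xchacha20-poly1305"}  # AEAD only; no bare CBC

class Downgrade(Exception):
    """The server handed the client something weaker than policy allows."""

def derive_vault_key(master_password, salt, iterations):
    """Derive the vault key; a server that says 'use 2 rounds' is refused, not obeyed."""
    if iterations < MIN_PBKDF2_ITERATIONS:
        raise Downgrade(f"{iterations} PBKDF2 rounds requested; floor is {MIN_PBKDF2_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def verify_policy_blob(blob, tag, policy_key):
    """Parse the org policy only if its MAC verifies under a key the server does not hold
    (assumption: the client obtained policy_key authentically, not from the server).
    A server that flips 'recovery' to 'auto' cannot forge a matching tag."""
    expected = hmac.new(policy_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise Downgrade("policy blob failed integrity check")
    return json.loads(blob)

def negotiate_cipher(server_offer):
    """Refuse legacy non-AEAD modes even when the server claims an old client needs them."""
    if server_offer not in ALLOWED_CIPHERS:
        raise Downgrade(f"non-AEAD cipher offered: {server_offer}")
    return server_offer

def replay_compromised_server():
    """Replay the three manipulations and report which the guard caught,
    plus whether the untampered policy still parses."""
    salt = b"constructed-salt"
    policy_key = b"constructed-org-policy-key"
    honest = json.dumps({"recovery": "manual"}).encode()
    tag = hmac.new(policy_key, honest, hashlib.sha256).digest()
    tampered = json.dumps({"recovery": "auto"}).encode()  # edited server-side, tag unchanged
    attempts = {
        "kdf_downgrade": lambda: derive_vault_key("hunter2", salt, 2),
        "policy_tamper": lambda: verify_policy_blob(tampered, tag, policy_key),
        "cbc_downgrade": lambda: negotiate_cipher("aes-256-cbc"),
    }
    caught = {}
    for name, attempt in attempts.items():
        try:
            attempt()
            caught[name] = False
        except Downgrade:
            caught[name] = True
    caught["honest_policy_ok"] = verify_policy_blob(honest, tag, policy_key)["recovery"] == "manual"
    return caught
```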
How to stay safe
We want to emphasize that these attacks would be very targeted and require a high level of compromise. So, cloud password managers are still much safer than password reuse and spreadsheets, but their “zero‑knowledge” claims don’t hold up against nation-state-level attacks.
After responsible disclosure, many of the issues have already been patched or mitigated, reducing the number of possible attacks.
Many of the demonstrated attacks require specific enterprise‑style features (account recovery, shared vaults, org membership) or older/legacy clients to be in use. So be extra careful with those.
Enable multi-factor authentication for important accounts, so that an attacker who obtains your password alone still cannot log in.
Autonomous AI Agents Provide New Class of Supply Chain Attack
While this campaign targets crypto wallets and steals money, the methodology has far wider potential that could be used by other attackers.
The post Autonomous AI Agents Provide New Class of Supply Chain Attack appeared first on SecurityWeek.
Fake Huorong security site infects users with ValleyRAT
A convincing lookalike of the popular Huorong Security antivirus has been used to deliver ValleyRAT, a sophisticated Remote Access Trojan (RAT) built on the Winos4.0 framework, to users who believed they were improving their security.
The campaign, attributed to the Silver Fox APT group—a Chinese-speaking threat group known for distributing trojanized versions of popular Chinese software—uses a typosquatted domain to serve a trojanized NSIS installer that deploys a full-featured backdoor with advanced user-mode stealth and injection capabilities.
A fake site built to catch security-conscious users
Huorong Security—known in Chinese as 火绒—is a free antivirus product developed by Beijing Huorong Network Technology Co., Ltd., and widely used across mainland China.
The attackers registered huoronga[.]com—note the extra “a” at the end—as a near-perfect imitation of the legitimate huorong.cn. This typosquatting technique catches users who mistype the address or arrive via search engine poisoning or phishing links. The fake site looks convincing enough that most visitors would have no obvious reason to suspect anything is wrong.
Fake Huorong Security site
Another fake Huorong Security site
When a visitor clicks the download button, the request is silently routed through an intermediary domain (hndqiuebgibuiwqdhr[.]cyou) before the final payload is served from Cloudflare R2 storage—a legitimate cloud service chosen for its trusted reputation and availability. The file is named BR火绒445[.]zip, using the Chinese name for Huorong to maintain the disguise up to the moment of execution.
What happens after you click download
Inside the ZIP archive is a trojanized NSIS installer (Nullsoft Scriptable Install System), a legitimate open-source framework used by many real applications. Its use here is deliberate: an NSIS-built executable raises fewer red flags than a custom packer, and the installation experience feels normal.
When executed, the installer drops a desktop shortcut named 火绒.lnk (Huorong.lnk), reinforcing the illusion that the antivirus installed successfully.
At the same time, it extracts a cluster of files into the user’s Temp directory. Most are genuine supporting libraries or decoy executables meant to mimic a real installation, including copies of FFmpeg multimedia DLLs, a file posing as a .NET repair tool, and another mimicking a Huorong diagnostic utility.
The malicious components include:
- WavesSvc64.exe: the main loader, disguised as a Waves audio service process
- DuiLib_u.dll: a hijacked DirectUI library used for DLL sideloading
- box.ini: an encrypted file containing shellcode
The core technique is DLL sideloading, in which attackers trick Windows into loading a malicious DLL in place of a legitimate one.
WavesSvc64.exe appears legitimate—its PDB path references a gaming application code directory—so Windows loads it without complaint. When it runs, Windows automatically loads DuiLib_u.dll alongside it. That DLL has been replaced with a malicious version that reads encrypted shellcode from box.ini, decrypts it, and executes it directly in memory.
Rather than dropping a single monolithic backdoor executable, the chain culminates in in-memory shellcode execution loaded from files dropped to disk (e.g., box.ini) via DLL sideloading. The shellcode-based chain is consistent with the Catena loader pattern documented by Rapid7, where signed or legitimate-looking executables bundle attack code in .ini configuration files and use reflective injection to execute it while leaving a minimal forensic footprint.
How the backdoor becomes permanent
Behavioral analysis shows a methodical infection chain:
1. Defender exclusions
The malware spawns PowerShell at high integrity level and instructs Windows Defender to ignore its persistence directory (AppData\Roaming\trvePath) and its main process (WavesSvc64.exe). After these commands execute, Windows Defender is less likely to scan the malware’s chosen path/process, materially reducing native detection.
2. Persistence
It creates a scheduled task named Batteries (observed as C:\Windows\Tasks\Batteries.job). On every subsequent boot, the task launches WavesSvc64.exe /run from the persistence directory, reapplies Defender exclusions, and reconnects to command and control (C2).
3. File refresh
To evade signature-based detection, the malware deletes and re-writes WavesSvc64.exe, DuiLib_u.dll, libexpat.dll, box.ini, and vcruntime140.dll. Deletion of these files alone may not fully remediate the infection, as the malware demonstrates the ability to re-write core components during execution.
4. Registry storage
Configuration data, including the encoded C2 domain yandibaiji0203[.]com, is written to HKCU\SOFTWARE\IpDates_info. A secondary key at HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e stores encrypted binary data likely used for malware configuration or payload staging.
Beyond disabling Defender, ValleyRAT takes steps to avoid detection and analysis.
It checks for debuggers and forensic tools by looking for characteristic window titles. It probes BIOS version, display adapters, and VirtualBox registry keys to detect virtual machines—the sandboxes researchers use to analyze malware safely. It also checks available memory and disk capacity, and inspects locale and language settings, likely as a geofencing measure to confirm it is running on a Chinese-language system before fully deploying.
Command-and-control communications
The Winos4.0 stager connects to its C2 server at 161.248.87.250 over TCP port 443. Using TCP 443 provides camouflage at the port level; however, inspection revealed a custom binary protocol rather than standard TLS-encrypted HTTPS.
Network intrusion detection systems triggered Critical-severity alerts for Winos4.0 CnC login and server-response messages, and a high-severity alert for ProcessKiller C2 initialization.
C2 traffic was observed originating from rundll32.exe, which executed with the command line “rundll32.exe”—lacking the typical <DLL>,<Export> argument structure. In environments with command-line and parent-child process monitoring, this execution pattern is a high-confidence anomaly. Sandbox analysis extracted multiple WinosStager plugin DLLs from the rundll32 process, confirming the modular architecture that makes ValleyRAT particularly dangerous: capabilities are not bundled in a single monolithic binary but downloaded on demand.
The ProcessKiller component is particularly concerning. Network telemetry indicates ProcessKiller C2 initialization, consistent with a module associated in prior reporting with terminating security software. Previous ValleyRAT/Winos4.0 campaigns targeted security products from Qihoo 360, Huorong, Tencent, and Kingsoft—indicating the potential to terminate security software, including the very product it impersonated as a lure.
Post-compromise capabilities
In short, once it’s installed, attackers can monitor the victim, steal sensitive information, and remotely control the system. Sandbox analysis confirmed the following behaviors once the malware has a foothold:
- Keylogging via a system-wide keyboard hook installed through SetWindowsHookExW in the rundll32 process, capturing every keystroke.
- Process injection: WavesSvc64.exe creates suspended processes and writes to the memory of other processes for stealth code execution.
- Credential access: the malware reads credential-related registry keys and touches browser cookie files.
- System reconnaissance: queries hostname, username, keyboard layout, locale, running processes, and physical drives.
- RWX memory regions created inside rundll32.exe consistent with in-memory execution, reducing reliance on additional dropped payload executables.
- Self-cleanup: deletes its own executed files and performs deletion of 10 or more additional files to obstruct forensic recovery.
- The malware creates mutexes including the dated string 2026. 2. 5 and the path C:\ProgramData\DisplaySessionContainers.log, and writes a log file at that location.
This campaign fits the established pattern of Silver Fox operations. The group has repeatedly used trojanized installers of widely trusted Chinese software to distribute ValleyRAT and the Winos4.0 framework. Previous lures included QQ Browser, LetsVPN, and gaming applications.
Impersonating a security product raises the stakes. The victims are not just casual users—they are actively looking for protection.
The targeting remains consistent. Chinese-language filenames, the Huorong lure, and built-in locale checks all point to a geographically focused campaign.
However, the public leak of the ValleyRAT builder on GitHub in March 2025 significantly lowered the barrier to entry. Researchers identified approximately 6,000 related samples between November 2024 and November 2025, with 85% appearing in the latter half of that period. That increase suggests the tooling is spreading beyond a single operator.
How to stay safe
This campaign shows how easily trust can be turned against users. The attackers didn’t need a zero-day exploit. They needed a convincing website, a realistic installer, and the knowledge that many people will search for a product name and click the first result.
When the lure is a security product, the deception is even more effective.
Here’s what to check:
- Verify download sources. The legitimate Huorong Security website is huorong.cn. Always double-check the domain before downloading security software—a single extra character can lead to a malicious site.
- Monitor Windows Defender exclusions. Any Add-MpPreference command you did not initiate is a strong indicator of compromise. Audit exclusions regularly.
- Hunt for persistence artifacts. Search endpoints for a scheduled task or job named Batteries (artifact observed as C:\Windows\Tasks\Batteries.job), the %APPDATA%\trvePath\ directory, and the registry key HKCU\SOFTWARE\IpDates_info.
- Block outbound connections to 161.248.87.250 at the firewall and deploy IDS rules for Winos4.0 C2 signatures (ET SIDs 2052875, 2059975, and 2052262).
- Alert on process anomalies. Rundll32.exe without a legitimate DLL argument, and WavesSvc64.exe outside a genuine Waves Audio installation, are high-confidence indicators.
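As an added example (not from the article or from Malwarebytes' tooling), the three process-level checks in the list above, run over constructed Sysmon-style process-creation events: bare rundll32.exe, Add-MpPreference exclusions, and WavesSvc64.exe outside a Waves Audio directory. The genuine Waves install paths and the sample events are assumptions constructed for the demonstration.

```python
"""Added example, not from the article or from Malwarebytes' tooling: process-level
hunting rules for the artifacts described above, run over constructed events."""

# Assumption: a legitimate Waves Audio install lives under Program Files.
GENUINE_WAVES_DIRS = (r"c:\program files\waves", r"c:\program files (x86)\waves")

def split_command_line(cmdline):
    """Return (executable token, remaining arguments) for a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    exe, _, rest = cmdline.partition(" ")
    return exe, rest.strip()

def check_event(event):
    """Return the names of the rules this event matches (empty list when benign)."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]      # basename; os.path would not split on '\' off Windows
    _, args = split_command_line(event["cmdline"])
    lowered = event["cmdline"].lower()
    hits = []
    # rundll32.exe started with no <DLL>,<Export> argument at all.
    if name == "rundll32.exe" and not args:
        hits.append("bare-rundll32")
    # PowerShell adding a Defender exclusion (any -Exclusion* parameter of Add-MpPreference).
    if name in ("powershell.exe", "pwsh.exe") and "add-mppreference" in lowered and "-exclusion" in lowered:
        hits.append("defender-exclusion")
    # WavesSvc64.exe running from anywhere but a genuine Waves directory.
    if name == "wavessvc64.exe" and not image.startswith(GENUINE_WAVES_DIRS):
        hits.append("wavessvc64-outside-waves")
    return hits

def hunt(events):
    """Map event id to matched rules for every event that matched at least one rule."""
    return {e["id"]: hits for e in events if (hits := check_event(e))}

# Constructed sample telemetry (not real captured events); paths follow the article's artifacts.
TRVE = r"C:\Users\victim\AppData\Roaming\trvePath"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe",
     "parent": TRVE + r"\WavesSvc64.exe"},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Add-MpPreference -ExclusionPath ' + TRVE
                + ' -ExclusionProcess WavesSvc64.exe"', "parent": TRVE + r"\WavesSvc64.exe"},
    {"id": 4, "image": TRVE + r"\WavesSvc64.exe", "cmdline": '"' + TRVE + r'\WavesSvc64.exe" /run',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 5, "image": r"C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe",
     "cmdline": r'"C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe"',
     "parent": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Events 2 and 5 are the benign controls: a rundll32 call with a proper DLL,Export argument and WavesSvc64.exe in its expected location produce no findings.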
Malwarebytes detects and blocks known variants of ValleyRAT and its associated infrastructure.
Indicators of Compromise (IOCs)
Infrastructure
- Fake websites:
- huoronga[.]com
- huorongcn[.]com
- huorongh[.]com
- huorongpc[.]com
- huorongs[.]com
- Redirect domain: hndqiuebgibuiwqdhr[.]cyou
- Payload host: pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev
- C2 IP: 161.248.87[.]250 (TCP 443, custom binary protocol)
- Encoded C2 domain: yandibaiji0203[.]com
File hashes (SHA-256)
Host-based indicators
- Scheduled task named Batteries at C:\Windows\Tasks\Batteries.job
- Persistence directory: %APPDATA%\trvePath\
- Registry key: HKCU\SOFTWARE\IpDates_info
- Registry key: HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e
- Log file: C:\ProgramData\DisplaySessionContainers.log
- Processes: WavesSvc64.exe, rundll32.exe (without DLL argument)
MITRE ATT&CK
- T1189 — Drive-by Compromise (Initial Access)
- T1059.001 — PowerShell (Execution)
- T1053.005 — Scheduled Task (Persistence)
- T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion)
- T1574.002 — DLL Side-Loading (Defense Evasion)
- T1027 — Obfuscated Files or Information (Defense Evasion)
- T1218.011 — Rundll32 (Defense Evasion)
- T1555 — Credentials from Password Stores (Credential Access)
- T1082 — System Information Discovery (Discovery)
- T1057 — Process Discovery (Discovery)
- T1056.001 — Keylogging (Collection)
- T1071 — Application Layer Protocol (Command and Control)
- T1070.004 — Indicator Removal: File Deletion (Defense Evasion)
Romanian Hacker Pleads Guilty to Selling Access to US State Network
Catalin Dragomir admitted in a US court to selling access to an Oregon state government office’s network.
The post Romanian Hacker Pleads Guilty to Selling Access to US State Network appeared first on SecurityWeek.
Hundreds of FortiGate Firewalls Hacked in AI-Powered Attacks: AWS
Threat actors relying on AI have been exploiting exposed ports and weak credentials to take over FortiGate devices.
The post Hundreds of FortiGate Firewalls Hacked in AI-Powered Attacks: AWS appeared first on SecurityWeek.
Recent RoundCube Webmail Vulnerability Exploited in Attacks
Patched in December 2025, the exploited flaw leads to XSS attacks via the animate tags in SVG documents.
The post Recent RoundCube Webmail Vulnerability Exploited in Attacks appeared first on SecurityWeek.
Mississippi Hospital System Closes All Clinics After Ransomware Attack
A ransomware attack forced the University of Mississippi Medical Center to close all of its roughly three dozen clinics around the state and cancel elective procedures.
The post Mississippi Hospital System Closes All Clinics After Ransomware Attack appeared first on SecurityWeek.
PayPal Data Breach Led to Fraudulent Transactions
PayPal blamed an application error for the exposure of customer personal information for nearly 6 months.
The post PayPal Data Breach Led to Fraudulent Transactions appeared first on SecurityWeek.
A week in security (February 16 – February 22)
Last week on Malwarebytes Labs:
- Age verification vendor Persona left frontend exposed, researchers say
- Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets
- AI-generated passwords are a security risk
- Intimate products maker Tenga spilled customer data
- Meta patents AI that could keep you posting from beyond the grave
- Betterment data breach might be worse than we thought
- Job scam uses fake Google Forms site to harvest Google logins
- Scammers use fake “Gemini” AI chatbot to sell fake “Google Coin”
- Chrome “preloading” could be leaking your data and causing problems in Browser Guard
- Scam Guard for desktop: A second set of eyes for suspicious moments
- Update Chrome now: Zero-day bug allows code execution via malicious webpages
- Hobby coder accidentally creates vacuum robot army
- ClickFix added nslookup commands to its arsenal for downloading RATs
Stay safe!
