"Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset"

Information-stealing malware is exploiting an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions and keep continuous access to Google services even after a password reset. According to researchers at CloudSEK, the critical exploit facilitates session persistence and cookie generation, allowing threat actors to maintain unauthorized access to a valid session. A threat actor named PRISMA first revealed the technique on their Telegram channel on October 20, 2023. It has since been incorporated into Malware-as-a-Service (MaaS) stealer families, including Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and more. This article continues to discuss the use of MultiLogin to take over user sessions and enable continuous access to Google services.

THN reports "Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset"

Submitted by grigby1
