Researchers have identified a new loader called "Latrodectus," linked to about a dozen campaigns since February 2024. The malware, which was mainly used by Initial Access Brokers (IABs), serves as a downloader to retrieve payloads and run arbitrary commands. Latrodectus was initially thought to be a variant of "IcedID," but a follow-up analysis confirmed that it is a different malware, most likely developed by the same creators as IcedID. Latrodectus was first discovered in operations linked to TA577, a known Qbot distributor.

A new phishing campaign is targeting Latin America to deliver malicious payloads to Windows systems. According to Trustwave SpiderLabs researcher Karla Agregado, the phishing email includes a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download disguised as an invoice. The HTML file contains a link that displays an error message, but when accessed from an IP address in Mexico, it loads a CAPTCHA verification page using Cloudflare Turnstile. This step leads to a redirect to another domain, from which a malicious RAR file is downloaded.

A team of researchers from ETH Zurich detailed a new type of attack that can compromise Confidential Virtual Machines (CVMs). They presented two variations of what they refer to as "Ahoi attacks." One of them, called "Heckler," involves a malicious hypervisor injecting interrupts to change data and control flow, which compromises CVMs' integrity and confidentiality.

About 2,000 hacked WordPress sites now show fake NFT and discount pop-ups, tricking visitors into connecting their wallets to cryptocurrency drainers that automatically steal funds. Last month, the website security company Sucuri revealed that hackers had compromised around 1,000 WordPress sites in order to promote cryptocurrency drainers through malvertising and YouTube videos.

According to security researchers at AhnLab Security Intelligence Center (ASEC), threat actors increasingly utilize YouTube to distribute information stealer malware (infostealers) by appropriating legitimate channels as well as using their own video channels.  Some of the infostealers seen include Vidar and LummaC2.  In one of the cases, the targeted channel had more than 800,000 subscribers.  Vidar is an infostealer that first appeared in 2018.  It was recently used in the November 2023 social engineering campaign targeting Booking.com.

Security Researchers at the Shadowserver Foundation have identified thousands of internet-exposed Ivanti VPN appliances likely impacted by a recently disclosed vulnerability leading to remote code execution.  The researchers described the vulnerability, tracked as CVE-2024-21894 (CVSS 8.2), as a heap overflow bug in the IPSec component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Policy Secure that could be exploited by remote, unauthenticated attackers to cause a denial-of-service (DoS) condition or execute arbitrary code.

According to the US Department of Health, threat actors are targeting IT help desk employees at healthcare and public health (HPH) organizations to gain access to corporate networks and divert payments.  It was noted that as part of such an attack, a threat actor was seen calling an IT help desk employee over the phone from a local area code, posing as an employee in a financial role, and convincing them to enroll a new device in multi-factor authentication (MFA).

Hardware manufacturers have developed technologies in recent years that should enable organizations to process sensitive data securely using shared cloud computing resources. This approach, known as confidential computing, protects sensitive data while it is being processed by isolating it in a secure area impenetrable to other users and even the cloud provider. However, computer scientists at ETH Zurich have demonstrated that hackers can gain access to these systems and the data stored within them.

An analysis conducted by Helene Pleil, a research associate at the Digital Society Institute (DSI) at ESMT Berlin, and colleagues from Technical University Darmstadt, delves into the main challenges to effective cyber arms control, which is critical for foreign and security policy. These challenges include rapid technological progress, a lack of uniform definitions, the dual use of cyber tools, and more. They did a literature review on the challenges and obstacles to developing arms control measures in cyberspace.

Hackers are using Facebook ads and hijacked pages to promote fake Artificial Intelligence (AI) services and infect users with password-stealing malware. The impersonated AI services include MidJourney, ChatGPT-5, DALL-E, and more. The malvertising campaigns were created with hijacked Facebook profiles that impersonate popular AI services, claiming to provide a sneak preview of new features. Users deceived by the ads join fraudulent Facebook communities, where threat actors post news, AI-generated images, and other related information to make the pages appear legitimate.