New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it's a growing risk for everyday users.

A new sneaky type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild. The research team, led by Onkar R. Sonawane, have found that this simple-looking program is surprisingly good at staying hidden while it steals your personal information. The research, which was shared with Hackread.com, shows that the malware is primarily spread through underground forums and bundled with pirated software.

Built using the programming languages Delphi and C++, Raven Stealer is designed to be small and quick. It works by quietly getting into your computer, where its payload (the part of the malware that does the actual harm) goes to work.

The payload targets popular web browsers like Chrome and Edge to grab things like your passwords, cookies, payment details, and other information you’ve saved. What makes it particularly tricky is that it can send this stolen information directly to a cybercriminal using a Telegram messaging bot. This means the bad guys get your data in real-time.

Attack flow, the UI of the file and the generated payload (Image Credit: Point Wild)

****How It Works****

Point Wild’s report explains that Raven Stealer uses a clever trick called process hollowing to avoid being caught by traditional antivirus programs. This means, instead of leaving a file on your computer’s hard drive, it works entirely within your computer’s memory, pretending to be a regular browser program. It’s like a car thief hollowing out a car and putting a different engine in it, so it looks normal from the outside but is used for something else entirely. This technique makes it tough for security software to spot it.

The malware’s creator used a simple builder program to create the attack file, which hides an encrypted “payload” inside and gives it a unique name to avoid detection. Once on an infected computer, it gathers a screenshot and stolen data into a ZIP file, then tries to send it to the attacker via Telegram. Although this transmission failed in testing due to a Telegram bot token problem, the threat of data theft remains.

****Protecting Yourself****

To keep your personal information safe from threats like this, always use up-to-date antivirus software with real-time protection and avoid downloading pirated programs. It’s also wise to be careful about clicking on suspicious links or attachments.

As Dr. Zulfikar Ramzan, CTO of Point Wild and Head of the Lat61 Threat Intelligence Team, explains, “Raven Stealer shows how commodity malware is evolving – stealing credentials, cookies, and payment data while hiding its tracks through in-memory execution and Telegram exfiltration. It’s a reminder that attackers are packaging advanced techniques into tools that even low-skilled actors can use.”

New Raven Stealer Malware Hits Browsers for Passwords and Payment Data

Learn what Codeless Testing Tools are and how effective they are in detecting common security vulnerabilities, along with understanding their strengths and limitations.

Codeless testing tools have become increasingly popular in recent years thanks to advances in automation technology. The reason for that is the numerous benefits it offers to the software development teams. Team members from a non-technical background, like business analysts, product owners, and project managers, can also participate in the testing process, as these tools do not require them to possess coding skills.

Test scripts need not be created using programming languages when using such tools. Just simple clicks or drag and drop features are enough for them to be created. This feature has considerably enhanced collaboration between team members and reduced the overall time and cost associated with the testing stage.

While looking at the security aspect of the software, it is quite clear that fraudulent cases and scams are rising too, with the advancements in technology. Cybersecurity is an ever-growing field, as it needs to keep itself up to date with the latest security protocols to fight cyber attacks. A company can not release its software product without testing for all the security features and patches that have been integrated into it.

So, the main question that arises is how effective codeless testing tools are in detecting security vulnerabilities. The article centers around this theme, along with diving deep into its elements.

In simplest terms, codeless testing tools are the platforms that allow testers to generate and run test cases without writing code in any programming language. These tools are intelligent enough to accept user inputs in the form of natural language commands, drag and drop features, or clicks on intuitive interfaces. testRigor, as a codeless test automation tool, is one such widely used product that has those benefits along with the following ones.

****Primary Benefits of Codeless Testing Tools****

The most common benefits of these tools are:

*   **Speed:** These tools considerably reduce the time required for creating and running test cases, as most parts of these steps can be executed based on simple inputs rather than complex coding and automated workflows.

*   **Greater Accessibility:** The technical barrier can be eliminated by using such tools because of their capability to accept simple inputs instead of code. That means testing can be done not just by testers but also by business analysts, project managers, and others from non-technical backgrounds.

*   **Better Test Coverage:** Repetitive tasks can be delegated to such tools so that testers get a bandwidth for creating edge cases as well. That improves the overall coverage of the test cases.

While the above benefits are of immense value to the testing process, whether they extend to the security testing also or not is what we will examine in the further sections.

****Common Security Vulnerabilities in Software****

Before we examine the role of codeless testing tools in security testing, let’s first have a brief look at the most common security vulnerabilities. Most of these risks are already documented in the OWASP Top 10, which is a widely followed standard for software security.

*   **SQL Injection (SQLi):** This is a kind of security breach when a malicious query is injected into an input field that can manipulate the backend database of a web application.

*   **Authentication Breaches:** Weak login mechanisms implemented in the software that may allow attackers to impersonate as an authentic user to hack the system.

*   **Misconfigured Security Settings:** This type of breach can happen due to exposed endpoints, unpatched servers, or misconfigured default settings that can be exploited by attackers.

*   **Cross-Site Scripting (XSS):** A webpage can be altered by using harmful scripts that may put its security at risk.

*   **Weak API security:** This kind of vulnerability arises from poorly validated inputs on APIs without adequate authentication that can expose sensitive information.

These vulnerabilities require rigorous testing by using specialised tools, programming skills, and penetration testing techniques. Whether a codeless testing tool can handle all that or not, let’s examine in the next section.

To understand the efficacy of codeless tools in security testing, let’s unpack their strengths and weaknesses.

****Strengths of Codeless Tools in Security Testing****

Several kinds of vulnerabilities exist in a web application, but a codeless testing tool is especially adept at detecting security flaws at the application behavioural level. They include:

*   **Input Validation Errors:** The tool can simulate different kinds of input for testing an application from all aspects, whether for valid inputs or invalid ones. Unexpected inputs may expose a weak validation mechanism.

*   **UI level vulnerability:** This includes whether the application can mask password fields properly or not, or whether the rule enforces strong password creation rules or not.

*   **Regression testing:** The tool can run regression tests for already incorporated security patches any number of times when further updates are introduced to the software.

These are mostly the simple ones that can be easily caught by a codeless testing tool.

****Limitations of Codeless Tools in Security Testing****

Security testing is an altogether separate module in the overall testing process. It needs specialised tools that are specifically designed to catch certain security flaws. And hence, a codeless testing tool may not suffice for such cases. They include:

*   **Deep Code Analysis:** If there are any insecure patterns in an application, a codeless tool cannot analyse its source code to highlight them. Simply because it lacks the capability of a deep code analysis tool. This may cause breaches like SQL Injection or insecure deserialization.

*   **Limited Simulation Capability:** Although a codeless tool can simulate a large set of scenarios, it may still fall short in simulating complex cases to test vulnerabilities like XSS or privilege escalation.

*   **Over-dependent on Patterns:** Most of the tools rely on pre-defined patterns that may not consider nuanced or the latest security risks that have emerged after the tool was trained.

So, in a nutshell, a codeless testing tool may complement security testing by running repetitive and simple test cases to catch common vulnerabilities. But it cannot be used to replace a dedicated security testing tool that is capable enough to catch deeply embedded security flaws.

****Final Thoughts****

Codeless testing tools can still be considered in their infancy. There are several advanced features, like AI and machine learning, that are on their way to being integrated into these platforms. That will considerably enhance their capabilities from simple record and playback features to an intelligent system that can easily detect deeply embedded vulnerabilities.

While in the current phase, they are effective enough to catch the most common security issues, they still fall short in rigorous security testing.

So, to answer the question, can codeless testing tools detect common security flaws? It is, yes, but only up to a certain extent. These tools can definitely elevate your security testing process, but cannot be wholly dependable due to their few limitations discussed in the previous section.

Nevertheless, they can still play an important role in improving the testing process by making it more efficient and thereby delivering a more powerful product.

Can Codeless Testing Tools Detect Common Security Vulnerabilities?

Conor Brian Fitzpatrick, the founder of the hacking forum BreachForums, has been resentenced to three years in prison…

Conor Brian Fitzpatrick, the founder of the hacking forum BreachForums, has been resentenced to three years in prison after a federal appeals court vacated his initial 17-day sentence. Learn how his site facilitated the sale of over 14 billion stolen records.

A New York man who ran one of the world’s biggest cybercrime and hacker forums, BreachForums, has been resentenced to three years in prison, according to the US Department of Justice (DoJ).

Conor Brian Fitzpatrick, aka Pompompurin, 22, was the founder and administrator of BreachForums, where criminals bought and sold stolen login credentials, databases, network access, malware and other illegal items.

In July 2023, Fitzpatrick pleaded guilty to charges, including conspiracy to traffic stolen information and possessing CSAM. Despite the serious crimes, he was initially sentenced to only 17 days in prison, which he had already served, and 20 years of supervised release. This light sentence was given due to his youth and an autism diagnosis.

Fitzpatrick’s BreachForums profile (Source: Hackread.com)

However, prosecutors immediately appealed, and in January 2025, a US appeals court overturned the sentence. The court noted Fitzpatrick’s “lack of remorse” and how he had violated his bail by using a VPN to access online chatrooms. Hackread.com had previously reported on these concerns, which led to the appeals court’s decision.

Fitzpatrick launched BreachForums in March 2022 after law enforcement took down a similar site called RaidForums. His site quickly grew to over 330,000 members, hosting more than 14 billion stolen records, including sensitive personal data like social security numbers and banking details.

According to the DOJ’s press release, in a key part of the investigation, undercover FBI agents infiltrated the site in July 2022, purchasing records for 15 million Americans, which ultimately led to Fitzpatrick’s arrest in March 2023 at his home in Peekskill, New York. Shortly after his arrest, the FBI seized BreachForums, taking the site offline.

Court documents show that Fitzpatrick personally profited from the site, earning approximately $698,000. The platform also served as a hub for hackers to buy and sell stolen data, with Fitzpatrick himself often acting as a middleman.

US Attorney Erik S. Siebert of the Eastern District of Virginia stated that the damage from these crimes is hard to measure, and the human impact of the child abuse material is impossible to calculate.

In addition to his prison time, Fitzpatrick must also give up over 100 domain names, electronic devices, and any cryptocurrency he earned from his illegal operation. This case was part of the DoJ’s nationwide Project Safe Childhood initiative, which was launched in May 2006 to combat the sexual exploitation and abuse of children.

BreachForums Founder Conor Fitzpatrick Resentenced to 3 Years in Prison

Waltham, United States, 17th September 2025, CyberNewsWire

**Waltham, United States, September 17th, 2025, CyberNewsWire**

Syteca, a global cybersecurity provider, introduced the latest release of its platform, continuing the mission to help organizations reduce insider risks and ensure sensitive data protection. Syteca 7.21 is a major update designed to enhance user privacy, simplify access management, provide seamless oversight, and improve the user experience.

With release 7.21, Syteca delivers a set of new capabilities, from masking sensitive information in real time to simplifying remote access. These new features help address the most pressing challenges faced by security teams worldwide.

**Sensitive Data Masking**

Syteca has become the first cybersecurity vendor to deliver real-time sensitive data masking. With this feature, the platform automatically detects and obscures confidential information (e.g., passwords, credit card numbers, or personal IDs) during live sessions and in recordings. By blurring this data, Syteca helps prevent exposure of private information and supports compliance with data privacy regulations like the GDPR, HIPAA, and PCI DSS.

**Web Connection Manager**

Users can now launch remote sessions (RDP for Windows or SSH for Linux/Unix) directly in web browsers (Chrome, Safari, and Edge). This means that IT teams don’t bother with installing agents, pushing updates, or troubleshooting installation issues. They just provide fast and secure access for both employees and vendors.

**Full-Motion Capture of On-Screen Activity**

The Syteca platform can now record continuous videos of user sessions, capturing every click and cursor movement. Full-motion session recordings give security teams complete visibility into user activity, which can provide more detailed audit trails and speed up incident investigations. Every session is encrypted for security. 

**Intuitive UI**

Beyond new capabilities, Syteca 7.21 introduces a redesigned user interface. The updated UI has a cleaner design while keeping familiar navigation in place. The lighter interface and reduced on-screen clutter help users find key information faster, thus streamlining daily security tasks.

> “Release 7.21 gives organizations better visibility and control over their internal security,” says Oleg Shomonko, CEO of Syteca. “Features like live data masking, full-motion session recordings, and browser-based access mean our clients can enhance the security of their assets and streamline compliance while reducing IT overhead. This update reflects our focus on solving real IT security challenges without adding complexity.”

Users interested in trying Syteca’s brand new capabilities can access the demo portal at syteca.com. 

**About Syteca**

Syteca is a comprehensive cybersecurity platform that helps organizations worldwide protect their inside perimeter. The Syteca platform combines advanced user activity monitoring (UAM) and robust privileged access management (PAM) solutions that empower organizations to govern access, mitigate insider threats, prevent data breaches, and streamline IT compliance. Syteca serves over 1,500 customers across different industries. 

**Contact**

**Chief Marketing Officer**  
**Helen Gamasenko**  
**Syteca**  
**\[email protected\]**

New in Syteca Release 7.21: Agentless Access, Sensitive Data Masking, and Smooth Session Playback

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission.

This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget.

Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-67v4-38h7-9jjp: Jenkins has a missing permission check, allowing users to obtain agent names

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including `jenkins.log` and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.

This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.

Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: `[CR]`, `[LF]`, or `[CRLF]` (representing the kind of line break), followed by `>` .

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-59476

**Jenkins has a log message injection vulnerability**

Moderate severity GitHub Reviewed Published Sep 17, 2025 to the GitHub Advisory Database • Updated Sep 17, 2025

**Package**

maven org.jenkins-ci.main:jenkins-core (Maven)

**Affected versions**

< 2.516.3

\>= 2.517, < 2.528

**Patched versions**

2.516.3

2.528

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including jenkins.log and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.

This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.

Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: [CR], [LF], or [CRLF] (representing the kind of line break), followed by > .

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-59476
*   https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3424

Published to the GitHub Advisory Database

Sep 17, 2025

Last updated

Sep 17, 2025

GHSA-qrh5-jg98-cr48: Jenkins has a log message injection vulnerability

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).

Jenkins 2.528, LTS 2.516.3 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-59475

**Jenkins is missing a permission check in the authenticated users' profile menu**

Moderate severity GitHub Reviewed Published Sep 17, 2025 to the GitHub Advisory Database • Updated Sep 17, 2025

**Package**

maven org.jenkins-ci.main:jenkins-core (Maven)

**Affected versions**

< 2.516.3

\>= 2.517, < 2.528

**Patched versions**

2.516.3

2.528

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).

Jenkins 2.528, LTS 2.516.3 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-59475
*   https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3625

Published to the GitHub Advisory Database

Sep 17, 2025

Last updated

Sep 17, 2025

GHSA-223m-4rfp-646h: Jenkins is missing a permission check in the authenticated users' profile menu 

ReversingLabs discovers “Shai-hulud,” a self-replicating computer worm on the npm open-source registry. Learn how the malware steals developer…

ReversingLabs discovers “Shai-hulud,” a self-replicating computer worm on the npm open-source registry. Learn how the malware steals developer secrets, exposes private code, and spreads through popular packages like ngx-bootstrap and @ctrl/tinycolor.

A new and dangerous self-replicating computer worm, named Shai-hulud, has been discovered on the Node Package Manager (npm) open-source registry (a huge library where developers share and use pieces of JavaScript code).

Security firm ReversingLabs (RL), which shared its findings with Hackread.com, identified the worm on September 15, claiming that this is the first time a worm of this kind has been found on the platform. The name Shai-hulud comes from the malicious code’s own repository and is a nod to the giant sandworms from the popular sci-fi series “Dune.”

Shai-hulud spreads by taking over a developer’s npm account and secretly adding harmful code to their public and private code packages that the developer manages. Once a package is infected, it can then spread the worm to anyone who downloads and uses it.

This makes it especially dangerous because many software projects rely on packages from the npm network. A single compromised package can quickly infect a wide network of other projects.

****A Widespread Attack****

The first compromised package, rxnt-authentication, was infected on September 14, and therefore, its maintainer, techsupportrxnt, is considered Patient Zero for this campaign. This is a term used to describe the first person/system identified as being the source of an infection.

As the RL research team continues to track the issue, hundreds of npm packages have already been compromised, some of which are very popular, boasting millions of weekly downloads. For example, the worm has infected ngx-bootstrap, which has 300,000 weekly downloads, and @ctrl/tinycolor, with 2.2 million weekly downloads, making this a high-impact security breach.

****What the Worm Does****

The Shai-hulud worm steals important information such as cloud service tokens and private code. It specifically targets keys for services like npm, GitHub, AWS, and GCP (Google Cloud Platform). The research also reveals the worm installs a tool called TruffleHog, which can detect more than 800 different types of secrets.

Moreover, it can make a user’s private code libraries on GitHub public. A recent search for these “migrated” repositories yielded close to 700 results, exposing a large amount of proprietary code.

GitHub search showing the compromised user repositories (Credit: ReversingLabs)

While the exact initial cause of the attack isn’t known, ReversingLabs notes its methods are similar to a previous campaign in August, suggesting the attackers may have used social engineering or exploited vulnerabilities in developer tools.

ReversingLabs has been reaching out to as many affected developers as possible, but because the worm is spreading so fast, it’s impossible to warn everyone. The company advises developers to check their public GitHub accounts for any suspicious activity, such as new repositories they didn’t create or private repositories that have suddenly been made public.

New Shai-hulud Worm Infecting npm Packages With Millions of Downloads

The AI era means attackers are smarter, faster, and hitting you where you least expect it — your sign-up funnel.

AI-Powered Sign-up Fraud Is Scaling Fast

Researchers have discovered a large ad fraud campaign on Google Play Store.

Researchers have discovered a large ad fraud campaign on Google Play Store.

The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign “SlopAds.”

Ad fraud is a type of fraud that lets advertisers pay for ads even though the number of impressions (the times that the ad has been seen) is enormously exaggerated.

While the main victims of ad fraud are the advertisers, there are consequences for the users that had these apps installed as well, such as slowed-down devices and connections due to the apps executing their malicious activity in the background without the user even being aware.

At first, to stay under the radar of Google’s app review process and security software, the downloaded app will behave as advertised, if a user has installed it directly from the Play Store.

_Image courtesy of HUMAN Satori_

But if the installation has been initiated by one of the campaign’s ads, the user will receive some extra files in the form of a steganographically encrypted payload.

If the app passes the first check it will receive four .png images that, when decrypted and reassembled, are actually an .apk file. The malicious file uses WebView (essentially a very basic browser) to send collected device and browser information to a Control & Command (C2) server which determines, based on that information, what domains to visit in further hidden WebViews.

The researchers found evidence of an AI (Artificial Intelligence) tool training on the same domain as the C2 server (ad2\[.\]cc). It is unclear whether this tool actively managed the ad fraud campaign.

Based on similarities in the C2 domain, the researchers found over 300 related domains promoting SlopAds-associated apps, suggesting that the collection of 224 SlopAds-associated apps was only the beginning.

Google removed all of the identified apps listed in this report from Google Play. Users are automatically protected by Google Play Protect, which warns users and blocks apps known to exhibit SlopAds associated behavior at install time on certified Android devices, even when apps come from sources outside of the Play Store.

You can find a complete list of the removed apps here: SlopAds app list

**How to avoid installing malicious apps**

While the official Google Play Store is the safest place to get your apps from, there is no guarantee that it will remain a non-malicious app just because it is in the Google Play Store. So here are a few extra measures you can take:

*   Always check what permissions an app is requesting, and don’t just trust an app because it’s in the official Play Store. Ask questions such as: Do the permissions make sense for what the app is supposed to do? Why did necessary permissions change after an update? Do these changes make sense?
*   Occasionally go over your installed apps and remove any you no longer need.
*   Make sure you have the latest available updates for your device, and all your important apps (banking, security, etc.)
*   Protect your Android with security software. Your phone needs it just as much as your computer.

Another precaution you can take if you’re looking for an app, do your research about the app before you go to the app store. As you can see from the screenshot above, many of the apps are made to look exactly the same as very popular legitimate ones (e.g. ChatGPT).

So, it’s important to know in advance who the official developer is of the app you want and if it’s even available from the app store.

As researcher Jim Nielsen demonstrated for the Mac App Store, there are a lot of apps trying to look like ChatGPT, but they are not the real thing. ChatGPT is not even in the Mac App Store, it is available in the Google Play Store for Android, but make sure to check that OpenAI is listed as the developer.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Latest News