Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.
The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.
Soco404 "targets both Linux and Windows systems, deploying platform-specific malware," Wiz

Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

New Scavenger Trojan steals crypto wallet data using fake game mods and browser flaws, targeting MetaMask, Exodus, Bitwarden, and other popular apps.

The latest report from Doctor Web has detailed a malware campaign involving a new family of trojans called Trojan.Scavenger (Scavenger Trojan). These aren’t your typical malicious files that simply run in the background and steal data; they’re carefully structured to abuse a vulnerability in how Windows loads certain components. The attackers used this to infect targeted systems and extract sensitive information, especially from crypto wallets and password managers.

It all started when Doctor Web looked into a targeted attack on a Russian enterprise. During the investigation, their team noticed the attackers were taking advantage of DLL Search Order Hijacking.

This method lets malicious files get into software by faking to be legitimate components. The trick is placing a fake DLL in the same folder as the target application, giving it priority over the real system version. Once launched, the fake file runs as if it were part of the original app, giving it access to everything the app can reach.

According to Doctor Web’s report, after adding protection against this technique to their antivirus suite, the company began collecting telemetry data. That’s when they noticed some users were being served unknown malicious files through their browsers.

This led the researchers to the discovery of the Trojan.Scavenger campaign. It later became clear that attackers were distributing this malware in multiple stages and using various bait methods like game patches and cheats to lure victims into running it.

One infection route used a three-stage loader chain. The first component, Trojan.Scavenger1, was disguised as a performance patch for the game Oblivion Remastered. Victims were instructed to drop the fake DLL into the game’s folder.

The file name was deliberately chosen to match a legitimate Windows DLL so it would get loaded instead of the real one. But in this specific game version, the exploit failed because the developers had properly configured the loading process. Still, the same trick could succeed in other programs.

Researchers further noted that when the Trojan does manage to run, it downloads the next stage, Trojan.Scavenger.2, which then pulls in additional modules, Trojan.Scavenger.3 and Trojan.Scavenger.4. One of these, Trojan.Scavenger.3, pretends to be a system library and gets placed into the folder of Chromium-based browsers like Chrome, Edge, Opera, and Yandex. Because of the loading flaw, the browser ends up running the malicious file instead of the real system version.

This version of the Trojan tampers with the browser’s internal security features. It disables the sandbox and blocks the check that verifies browser extensions. Then it edits copies of popular extensions, including the following:

*   Slush
*   Phantom
*   LastPass
*   MetaMask
*   Bitwarden

The originals remain untouched, but the browser is tricked into using the tampered versions. These altered versions are designed to silently send data, such as mnemonic phrases and stored passwords, to the attacker’s server.

Meanwhile, Trojan.Scavenger.4 similarly targets the Exodus crypto wallet. It gets loaded when the app starts, using the same DLL hijacking method. Once inside, it taps into the app’s engine to scan for key data like the mnemonic phrase and the file storing the private key. That information is then sent to the attacker.

In another version of the campaign, the attackers skip the first trojan and start directly with a modified Trojan.Scavenger.2. This one uses a file with an .ASI extension, often associated with game mods or plugins. For example, users might be told to install a file called “Enhanced Native Trainer.asi” into their GTA game folder. The game recognises it as a plugin and runs it automatically, allowing the infection chain to continue from there.

Across all versions of this malware, the trojans share some key behaviour patterns. They check if they’re being launched inside a virtual machine or debug environment and will stop working if they detect one. This is a common method used to avoid detection during security research.

Another shared feature is how they communicate with their control server. They use a two-step handshake to set up an encrypted channel, first asking for part of the encryption key, then verifying the connection by sending encrypted timestamps. Any requests sent without this setup are ignored by the server.

Doctor Web reached out to the software developers whose apps were vulnerable, but most of them declined to fix the DLL hijacking flaw. Therefore, users must exercise caution and avoid downloading apps from third-party stores, refrain from using pirated games and keep their anti-virus software updated.

Scavenger Trojan Targets Crypto Wallets via Game Mods and Browser Flaws

Malwarebytes Trusted Advisor has had an update, and it's now sharper, smarter, and more helpful than ever.

You ever get that feeling when you double-check the locks, but still wonder if you’ve missed something? That’s what a lot of people feel about cybersecurity.  

That’s where Malwarebytes Trusted Advisor comes in. You can see it as your very own cybersecurity personal assistant, giving you real-time insight into how protected you are, without all the jargon or notifications.  

Trusted Advisor checks the state of your cybersecurity tools like real-time protection, VPN connection, scheduled scans, and browser safety, and gives you a clear, color-coded view of your current risk level. 

And now, our Windows version is sharper, smarter, and more helpful than ever. 

What’s new? 

*   **Stronger Wi-Fi protection\***: Trusted Advisor now checks if your Wi-Fi network is connected to an open, unsecured network.

*   **Smarter security score**: Your protection score is now more accurate and personalized, giving you clearer insights into your overall security health. 

*   **Seamless identity protection integration**: Trusted Advisor now works hand-in-hand with our identity protection, making it easier to stay ahead of threats like data leaks and identity fraud. 

*   **Take control of ads\***: Trusted Advisor now helps you disable Windows’ ad features, such as start menu suggestions and login screen ads, allowing you to enjoy a smoother Windows experience free from distractions.  

Cybersecurity sometimes feels like quantum physics, but it doesn’t have to. With its latest updates, Malwarebytes Trusted Advisor makes it easier than ever to understand what’s going on behind the scenes, and to take control of your digital safety without needing a degree in computer science.  

Want to see the new Trusted Advisor in action? Open Malwarebytes on Windows and check your protection dashboard.  

_\* Windows 11 only._

 Introducing the smarter, more sophisticated Malwarebytes Trusted Advisor, your cybersecurity personal assistant 

Brave browser now blocks Microsoft Recall by default, preventing screenshots and protecting users’ browsing history on Windows 11.

Brave browser has announced a new privacy measure, automatically blocking Microsoft’s controversial Recall feature from taking screenshots of browsing activity. This move, implemented in version 1.81 for Windows users, aims to give users more control over their digital privacy, especially concerning their online history.

****What is Microsoft Recall?****

Microsoft Recall, first introduced in May 2024, is designed as a productivity tool for Copilot+ PCs, which are high-end, AI-enhanced computers. It works by taking periodic screenshots of a user’s screen activity and storing them in a local, searchable database. The idea is to allow users to easily ‘recall’ past actions and information using natural language queries, for instance, finding a website visited that featured specific content.

However, from its initial announcement, Recall faced significant criticism from privacy advocates and security experts. Early versions stored these screenshots in plain text, making them highly vulnerable if a system got compromised. While Microsoft has since made changes, including making Recall an opt-in feature and encrypting the data, concerns about a persistent, OS-level log of user activity remain.

****Brave’s Proactive Privacy Stance****

Brave’s Privacy Team specified that Recall contradicts the browser’s privacy-first mission. To address this, Brave has expanded upon Microsoft’s existing privacy commitment to not record private browsing sessions. Therefore, Brave now signals to the operating system that all Brave browser windows are “private,” effectively preventing Recall from capturing any screenshots from them by default.

Block Microsoft Recall toggle in Brave (Source: brave.com)

This approach ensures user browsing activity does not “accidentally end up in a persistent database,” which the Brave Privacy Team highlighted as particularly sensitive in cases like intimate partner violence. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository.

While inspired by similar screenshot-blocking efforts from messaging platforms like Signal, Brave’s method is designed to avoid interfering with other legitimate functions, such as accessibility tools or regular screenshots. Users who wish to allow Recall to capture their Brave Browser can manually adjust a setting within brave://settings/privacy.

****Ongoing Changes and User Control****

This step comes as Microsoft is enhancing Recall, a feature currently in preview, with its final release form for all Windows 11 users remaining uncertain. The Brave Privacy Team has acknowledged that Microsoft has made several security and privacy-enhancing modifications to Recall due to initial concerns.

However, the rapid emergence of bypasses to Microsoft’s initial fixes, such as CVE-2025-53770 and CVE-2025-53771, indicates an ongoing challenge for software developers in securing against such deep-level system monitoring.

Nonetheless, Brave’s action reinforces its commitment to user privacy by offering a strong default defence against features that could potentially log extensive personal data.

Brave Browser Blocks Microsoft Recall from Tracking Online Activity

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Unmasking the new Chaos RaaS group attacks

Multiple hacking groups—including state actors from China—have targeted a vulnerability in older, on-premises versions of the file-sharing tool after a flawed attempt to patch it.

Hundreds of organizations around the world suffered data breaches this week, as an array of hackers rushed to exploit a recently discovered vulnerability in older versions of the Microsoft file-sharing tool known as SharePoint. The string of breaches adds to an already urgent and complex dynamic: Institutions that are longtime SharePoint users can face increased risk by continuing to use the service, just as Microsoft is winding down support for a platform in favor of newer cloud offerings.

Microsoft said on Tuesday that, in addition to other actors, it has seen multiple China-linked hacking groups exploiting the flaw, which is specifically present in older versions of SharePoint that are self-hosted by organizations. It does not impact the newer, cloud-based version of SharePoint that Microsoft has been encouraging customers to adopt for many years. Bloomberg first reported on Wednesday that one of the victims is the United States National Nuclear Security Administration, which oversees and maintains US nuclear weapons.

“On-premises” or self-managed SharePoint servers are a popular target for hackers, because organizations often set them up such that they are exposed on the open internet and then forget about them or don't want to allocate budget to replace them. Even if fixes are available, the owner may neglect to apply them. That's not the case, though, with the bug that sparked this week's wave of attacks. While it relates to a previous SharePoint vulnerability discovered at the Pwn2Own hacking competition in Berlin in May, the patch that Microsoft released earlier this month was itself flawed, meaning even organizations that did their security diligence were caught out. Microsoft scrambled this week to release a fix for the fix, or what the company called “more robust protections” in its security alert.

“At Microsoft, our commitment—anchored in the Secure Future Initiative—is to meet customers where they are,” said a Microsoft spokesperson in an emailed statement. “That means supporting organizations across the full spectrum of cloud adoption, including those managing on-premises systems.”

Microsoft still supports SharePoint Server versions 2016 and 2019 with security updates and other fixes, but both will reach what Microsoft calls “End of Support” on July 14, 2026. SharePoint Server 2013 and earlier have already reached end of life and receive only the most critical security updates through a paid service called “SharePoint Server Subscription Edition.” As a result, all SharePoint server versions are increasingly part of a digital backwater where the convenience of continuing to run the software comes with significant risk and potential exposure for users—particularly when SharePoint servers sit exposed on the internet.

“Years ago, Microsoft positioned SharePoint as a more secure replacement for old school Windows file-sharing tools, so that's why organizations like government agencies invested in setting up those servers. And now they just run at no additional cost, versus a Microsoft365 subscription in the cloud that involves a subscription,” says Jake Williams, a longtime incident responder who is vice president of research and development at Hunter Strategy. “So Microsoft tries to nudge the holdouts by charging for extended support. But if you are exposing a SharePoint server to the internet, I would emphasize that you also have to budget for incident response, because that server will eventually get popped.”

The United States Cybersecurity and Infrastructure Security Agency said in guidance about the vulnerability on Tuesday that, “CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.”

The ubiquity of Microsoft’s Windows operating system around the world has led to other situations in which a long goodbye has created security issues for holdout users—and other organizations or individuals with connections to a vulnerable entity. Microsoft struggled to deal with the long tail of users on extremely popular Windows editions including Windows XP and Windows 7. But legacy software is a challenge for any software or digital infrastructure provider. Earlier this year, for example, Oracle reportedly notified some customers about a breach after attackers compromised a “legacy environment” that had been largely retired in 2017.

The challenge with a service like SharePoint is that it often acts as an ancillary tool without ever being the center of attention.

“For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose, and close critical gaps,” says Bob Huber, chief security officer at the cybersecurity company Tenable.

When asked about the alleged breach at the National Nuclear Security Administration, the Department of Energy emphasized that the incident did not impact sensitive or classified data. “On Friday, July 18, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” a DOE spokesperson told WIRED in a statement. “The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate.”

Microsoft did not immediately return WIRED’s requests for comment about the process of sunsetting SharePoint Server. The company wrote in a blog post on Tuesday that customers should keep supported versions of SharePoint Server updated with the latest patches and turn on Microsoft's “Antimalware Scan Interface” as well as Microsoft Defender Antivirus.

Microsoft Put Older Versions of SharePoint on Life Support. Hackers Are Taking Advantage

It's the first known instance of malware that abuses the UIA framework and has enabled dozens of attacks against banks and crypto exchanges in Brazil.

Banking Trojan Coyote Abuses Windows UI Automation

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

The Federal Bureau of Investigation (FBI), alongside the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a warning regarding increased activity by the Interlock ransomware group.

This financially motivated threat targets a wide range of organizations, including businesses and vital critical infrastructure across North America and Europe, employing a dangerous double extortion model to maximize pressure on victims.

****Interlock’s Uncommon Attack Methods****

Interlock ransomware was first detected in late September 2024, with FBI investigations as recent as June 2025 detailing their evolving tactics. The group develops encryptors for both Windows and Linux operating systems, with a particular focus on encrypting virtual machines (VMs). Open-source reports also suggest similarities between Interlock and the Rhysida ransomware variant.

This group stand out for its initial access techniques, which differ from many ransomware groups. One observed method involves ‘drive-by downloads’ from legitimate but compromised websites, where malicious software is disguised as fake updates for popular web browsers like Google Chrome or Microsoft Edge, or even common security tools such as FortiClient or Cisco-Secure-Client.

Moreover, they leverage a social engineering trick called ClickFix, where users are tricked into running harmful files by clicking on fake CAPTCHAs that instruct them to paste and execute malicious commands in their system’s run window.

Once inside a network, the ransomware deploys web shells and tools like Cobalt Strike to establish control, move between systems, and steal sensitive information. They gather login details, including usernames, passwords, and even use keyloggers to record keystrokes.

According to the advisory (PDF), After stealing data, Interlock encrypts systems, appending files with .interlock or .1nt3rlock extensions. They then demand ransom without an initial amount in their note, instead instructing victims to contact them via a special .onion website over the Tor browser. The group threatens to leak exfiltrated data if the ransom, typically paid in Bitcoin, is not met, a threat they have consistently followed through on.

****Urgent Defences for Organizations****

To counter the Interlock threat, federal agencies urge organizations to implement immediate security measures. Key defences include:

*   Preventing initial access by using DNS filtering and web access firewalls, and training employees to spot social engineering attempts.

*   Patching and updating to make sure all operating systems, software, and firmware are up to date, prioritizing known vulnerabilities.

*   Strong authentication implementation, like multi-factor authentication (MFA) for all services where possible, along with stronger identity and access management policies.

*   Network Control by segmenting networks to limit how far ransomware can spread.

*   Backup and recovery by maintaining multiple, offline, immutable (unchangeable) backups of all critical data.

Also, no-cost resources are available through the ongoing #StopRansomware initiative.

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
"The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes' web addresses and cryptocurrency exchanges," Akamai security researcher Tomer

New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Tag

#windows