Coyote Trojan becomes first malware to abuse Microsoft’s UI Automation in real attacks, targeting banks and crypto platforms with stealthy tactics.

A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

Instead of relying on conventional APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

Akamai’s PoC (Click to Play GIF)

On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.

Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.

Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂 🗞 Post on Habr (rus)🗒 Digest on the PT website (rus) Only three trending vulnerabilities: 🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)🔻 Elevation of Privilege – Windows SMB Client […]

**July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube.** A traditional monthly roundup. This time, it’s a very short one. 🙂

🗞 Post on Habr (rus)  
🗒 Digest on the PT website (rus)

Only three trending vulnerabilities:

🔻 **Remote Code Execution** – Internet Shortcut Files (CVE-2025-33053)  
🔻 **Elevation of Privilege** – Windows SMB Client (CVE-2025-33073)  
🔻 **Remote Code Execution** – Roundcube (CVE-2025-49113)

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.

A phishing campaign targeting JavaScript developers has led to the compromise of several popular npm packages, including eslint-config-prettier. The breach began with an attacker tricking a maintainer using a fake login page hosted on a lookalike domain, npnjs.com.

Once the attacker got hold of the maintainer’s npm token, they pushed malicious versions of key packages directly through the registry, completely bypassing the GitHub repositories.

According to Socket, a developer-first security platform, which first spotted the scam, four versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) were found to contain a script that executes on install, targeting Windows machines. The script attempts to launch a node-gyp.dll file using rundll32, which could allow the attacker to execute arbitrary code on affected systems. Security researchers assigned the issue a CVSS score of 7.5 and confirmed a new CVE (CVE-2025-54313) is being tracked.

Socket’s blog post shared with Hackread.com revealed that the attack went undetected for a while since there were no commits or pull requests in the GitHub repo linked to the new versions.

Instead, the attacker relied on their npm credentials to publish directly, avoiding detection until users started noticing suspicious activity. Other affected packages discovered by researchers included the following:

*   synckit: 0.11.9
*   @pkgr/core: 0.2.8
*   napi-postinstall: 0.3.1
*   eslint-plugin-prettier: 4.2.2 and 4.2.3

These packages are widely used in front-end and Node.js projects. Because many developers rely on automated tools like Dependabot or Renovate, compromised versions may have been pulled into projects without anyone noticing. Once installed, the payload could provide remote access to Windows machines running affected builds.

The phishing email used in the campaign (Image via Socket)

The good news is that the maintainer whose token was compromised acted quickly after learning of the breach. The malicious versions were deprecated and removed, credentials were rotated, and npm support was brought in to assist with the cleanup.

Socket has been monitoring the situation and continues to scan for other suspicious activity across the npm registry. Their tools flag any new versions with unexpected install scripts or binary payloads, which could help developers detect issues early before the malicious code spreads.

Nigel Douglas, Head of Developer Relations at Cloudsmith, commented on the wider implications. He pointed out that this is yet another example of how dependency chains can turn into attack vectors. “CI/CD pipelines pull in hundreds of transitive dependencies by default, each with its own maintainers, update cycles, and exposure history,” he said. “Without secure dependency retrieval processes, it only takes one upstream breach to cause chaos in production.”

Douglas also stressed that it’s unreasonable to expect developers to catch every vulnerability on their own. “If a single stolen maintainer token can push malicious code into one of the most widely used linting tools on npm, that should tell us something. You can’t fix this just by focusing on individual packages,” he added.

He called for stronger maintainer practices like scoped tokens and 2FA, along with registry-level safeguards and secure artifact management systems that support things like version immutability and trusted source verification.

Fake npm Website Used to Push Malware via Stolen Token

Kaspersky's SecureList reveals GhostContainer, a new, highly customized backdoor targeting government and high-tech organizations in Asia via Exchange server vulnerabilities. Learn how this APT malware operates and how to stay protected.

Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.

****Understanding GhostContainer****

GhostContainer is a multi-functional backdoor designed to evade detection by mimicking standard server components. It is delivered as a file named ‘App_Web_Container_1.dll’ and has a file size of 32.8 KB. Its core functionality is extended through additional downloadable modules. The researchers indicate that the attackers likely exploited a known, unpatched vulnerability (N-day vulnerability) in Exchange servers to gain initial access.

Source: SecureList

A key component of GhostContainer is the ‘Stub’ class, which acts as a command and control (C2) parser. It can execute shellcode, download files, run commands, and load extra .NET byte code. Particularly, the Stub class attempts to bypass Antimalware Scan Interface (AMSI) and Windows Event Log by overwriting specific addresses, further aiding in its stealth.

Researchers identified that data transferred between the attackers and the server is protected using AES encryption, with the key derived from the ASP.NET validation key. The malware’s capabilities include getting system architecture, running shell code, executing command lines, and managing files.

****Sophisticated Features and Open-Source Roots****

GhostContainer also includes a ‘virtual page injector’ class (App_Web_843e75cf5b63) that creates ghost pages to bypass file checks and load a .NET reflection loader. This loader then activates the web proxy class (App_Web_8c9b251fb5b3), a central element of the malware. This web proxy component possesses capabilities for web proxying, socket forwarding, and covert communication.

SecureList’s investigation also revealed that the attackers leveraged several open-source projects to build GhostContainer. For instance, the Stub class appears to be based on _ExchangeCmdPy.py_, an open-source tool for exploiting the Exchange vulnerability CVE-2020-0688.

Similarly, the virtual page injector utilizes code from ‘PageLoad_ghostfile.aspx,’ and the web proxy component is a customized version of ‘Neo-reGeorg,’ another open-source project. This blend of public tools with custom modifications showcases the attackers’ advanced skills.

****Targeting High-Value Organizations****

Telemetry data gathered by the researchers suggests that GhostContainer is part of an Advanced Persistent Threat (APT) campaign. The identified victims so far include a key government agency and a high-tech company, both situated in Asia.

The attackers do not rely on a traditional C2 infrastructure; instead, they control the compromised server by embedding commands within regular Exchange web requests. This approach makes it challenging to identify their specific IP addresses or domains.

The investigation into the full scope of these attack activities is ongoing. Meanwhile, organizations should act swiftly and immediately apply all available security updates and patches for Exchange servers and other software to close known vulnerabilities.

New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia

Trellix exposes SquidLoader malware targeting Hong Kong, Singapore, and Australia's financial service institutions. Learn about its advanced evasion tactics and stealthy attacks.

Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.

****A Covert Attack****

The attack begins with spear-phishing emails written in Mandarin, accurately crafted to impersonate financial institutions. These emails deliver a password-protected RAR archive containing a malicious executable. The email body itself is crucial to the deception, as it provides the password for the attachment. The subject line often poses as a “Registration Form for Bond Connect Investors Handling Foreign Exchange Business through Overseas Banks.”

The email claims to be from a financial representative, requesting the recipient to check and confirm the attached “scanned copy of the Bond Connect investor foreign exchange business registration form.” This file is cunningly disguised, not only mimicking a Microsoft Word document icon but also falsely adopting the file properties of a legitimate AMDRSServ.exe to bypass initial scrutiny.

Upon execution, SquidLoader unleashes a complex five-stage infection. It first unpacks its core payload, then initiates contact with a Command and Control (C2) server using a URL path that mimics legitimate Kubernetes services (e.g., /api/v1/namespaces/kube-system/services) to blend with normal network traffic.

This initial C2 communication transmits critical host information, including IP address, username, computer name, and Windows version, back to its operators. Finally, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a different address (e.g., 182.92.239.24), granting attackers persistent remote access.

Attack Chain (Source: Trellix)

****Evasive Tactics and Global Implications****

A key reason for SquidLoader’s danger is its extensive array of anti-analysis, anti-sandbox, and anti-debugging techniques. These include checking for specific analysis tools like IDA Pro (ida.exe) or Windbg (windbg.exe) and common sandbox usernames.

Notably, it employs a sophisticated threading trick involving long sleep durations and Asynchronous Procedure Calls (APCs) to detect and evade emulated environments. Should it detect any analysis attempt, the malware self-terminates. After its checks, it displays a deceptive pop-up message in Mandarin: “The file is corrupted and cannot be opened,” requiring user interaction that can thwart automated sandboxes.

“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organisations,” Trellix researchers emphasised in their report.

The observed targeting in multiple countries highlights the global nature of this evolving threat, urging financial institutions worldwide, particularly in Hong Kong, Singapore, and Australia, to increase their security against such highly evasive adversaries.

SquidLoader Malware Campaign Hits Hong Kong Financial Firms

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-54313

**eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code**

High severity GitHub Reviewed Published Jul 19, 2025 to the GitHub Advisory Database • Updated Jul 21, 2025

**Package**

npm @pkgr/core (npm)

**Affected versions**

\= 0.2.8

npm eslint-config-prettier (npm)

\= 8.10.1

\= 9.1.1

\>= 10.1.6, <= 10.1.7

npm eslint-plugin-prettier (npm)

npm napi-postinstall (npm)

**Description**

Published to the GitHub Advisory Database

Jul 19, 2025

Last updated

Jul 21, 2025

GHSA-f29h-pxvx-f335: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.

When, one year ago today, a buggy update to software sold by the cybersecurity firm CrowdStrike took down millions of computers around the world and sent them into a death spiral of repeated reboots, the global cost of all those crashed machines was equivalent to one of the worst cyberattacks in history. Some of the various estimates of the total damage worldwide have stretched well into the billions of dollars.

Now a new study by a team of medical cybersecurity researchers has taken the first steps toward quantifying the cost of CrowdStrike's disaster not in dollars, but in potential harm to hospitals and their patients across the US. It reveals evidence that hundreds of those hospitals' services were disrupted during the outage, and raises concerns about potentially grave effects to patients’ health and well-being.

Researchers from the University of California San Diego today marked the one-year anniversary of CrowdStrike's catastrophe by releasing a paper in JAMA Network Open, a publication of the Journal of the American Medical Association Network, that attempts for the first time to create a rough estimate of the number of hospitals whose networks were affected by that IT meltdown on July 19, 2024, as well as which services on those networks appeared to have been disrupted.

A chart showing a massive spike in detected medical service outages on the day of CrowdStrike’s crashes.

Courtesy of UCSD and JAMA Network Open

By scanning internet-exposed parts of hospital networks before, during, and after the crisis, they detected that at minimum 759 hospitals in the US appear to have experienced network disruption of some kind on that day. They found that more than 200 of those hospitals seemed to have been hit specifically with outages that directly affected patients, from inaccessible health records and test scans to fetal monitoring systems that went offline. Of the 2,232 hospital networks they were able to scan, the researchers detected that fully 34 percent of them appear to have suffered from some type of disruption.

All of that indicates the CrowdStrike outage could have been a “significant public health issue,” argues Christian Dameff, a UCSD emergency medicine doctor and cybersecurity researcher, and one of the paper's authors. “If we had had this paper's data a year ago when this happened," he adds, “I think we would have been much more concerned about how much impact it really had on US health care.”

CrowdStrike, in a statement to WIRED, strongly criticized the UCSD study and JAMA’s decision to publish it, calling the paper “junk science.” They note that the researchers didn’t verify that the disrupted networks ran Windows or CrowdStrike software, and point out that Microsoft’s cloud service Azure experienced a major outage on the same day, which may have been responsible for some of the hospital network disruptions. “Drawing conclusions about downtime and patient impact without verifying the findings with any of the hospitals mentioned is completely irresponsible and scientifically indefensible,” the statement reads.

“While we reject the methodology and conclusions of this report, we recognize the impact the incident had a year ago,” the statement adds. “As we’ve said from the start, we sincerely apologize to our customers and those affected and continue to focus on strengthening the resilience of our platform and the industry.”

In response to CrowdStrike’s criticisms, the UCSD researchers say they stand by their findings. The Azure outage that CrowdStrike noted, they point out, began the previous night and affected mostly the central US, while the outages they measured began at roughly midnight US east coast time on July 19—about the time when CrowdStrike’s faulty update began crashing computers—and affected the entire country. (Microsoft did not immediately respond to a request for comment.) “We are unaware of any other hypothesis that would explain such simultaneous geographically-distributed service outages inside hospital networks such as we see here” other than CrowdStrike’s crash, writes UCSD computer science professor Stefan Savage, one of the paper’s co-authors, in an email to WIRED. (JAMA declined to comment in response to CrowdStrike’s criticisms.)

In fact, the researchers describe their count of detected hospital disruptions as only a minimum estimate, not a measure of the real blast radius of CrowdStrike's crashes. That's in part because the researchers were only able to scan roughly a third of America's 6,000-plus hospitals, which would suggest that the true number of medical facilities affected may have been several times higher.

The UCSD researchers' findings stemmed from a larger internet-scanning project they call Ransomwhere?, funded by the Advance Research Projects Agency for Health and launched in early 2024 with the intention of detecting hospitals' ransomware outages. As a result of that project, they were already probing US hospitals using the scanning tools ZMap and Censys when CrowdStrike's July 2024 calamity struck.

For the 759 hospitals in which the researchers detected that a service was knocked offline on July 19, their scans also allowed them to analyze which specific services appeared to be down, using publicly available tools like Censys and the Lantern Project to identify different medical services, as well as manually checking some web-based services they could visit. They found that 202 hospitals experienced outages of services directly related to patients. Those services included staff portals used to view patient health records, fetal monitoring systems, tools for remote monitoring of patient care, secure document transfer systems that allow patients to be transferred to another hospital, “pre-hospital” information systems like the tools that can share initial test results from an ambulance to an emergency room for patients requiring time-critical treatments, and the image storage and retrieval systems that are used to make scan results available to doctors and patients.

“If a patient was having a stroke and the radiologist needed to look at a scan image quickly, it would be much harder to get it from the CT scanner to the radiologist to read,” Dameff offers as one hypothetical example.

The researchers also found that 212 hospitals had outages of “operationally relevant” systems like staff scheduling platforms, bill payment systems, and tools for managing patient wait times. In another category of “research relevant” services, the study found that 62 hospitals faced outages. The biggest fraction of outages in the researchers' findings was an “other” category that included offline services that the researchers couldn't fully identify in their scans at 287 hospitals, suggesting that some of those, too, might have been uncounted patient-relevant services.

“Nothing in this paper says that someone's stroke got misdiagnosed or there was a delay in the care of someone getting life-saving antibiotics, for instance. But there might have been,” says Dameff. “I think there's a lot of evidence of these types of disruptions. It would be hard to argue that people weren't impacted at a potentially pretty significant level.”

The study’s findings give a sprawling new sense of scope to anecdotal reports of how CrowdStrike’s outage affected medical facilities that already surfaced over the last year. WIRED reported at the time that Baylor hospital network, a major nonprofit health care system, and Quest Diagnostics were both unable to process routine bloodwork. The Boston-area hospital system Mass General Brigham reportedly had to bring 45,000 of its PCs back online, each of which required a manual fix that took 15 to 20 minutes.

In their study, researchers also tried to roughly measure the length of downtime of the hospital services affected by the CrowdStrike outage, and found that most recovered relatively quickly: About 58 percent of the hospital services were back online within six hours, and only 8 percent or so took more than 48 hours to recover.

That's a far shorter disruption than the outages from actual cyberattacks that have hit hospitals, the researchers note: Mass-spreading malware attacks like NotPetya and WannaCry in 2017 as well as the Change Healthcare ransomware attack that struck the payment provider subsidiary of United Healthcare in early 2024 all shut down scores of hospitals across the US—or in the case of WannaCry, the United Kingdom—for days or weeks in some cases. But the effects of the CrowdStrike debacle nonetheless deserve to be compared to those intentionally inflicted digital disasters for hospitals, the researchers argue.

“The duration of the downtimes is different, but the breadth, the number of hospitals affected across the entire country, the scale, the potential intensity of the disruption is similar,” says Jeffrey Tully, a pediatrician, anesthesiologist, and cybersecurity researcher who coauthored the study.

A map showing the duration of the apparent downtime of detected medical service outages in hospitals across the US.

Courtesy of UCSD and JAMA Network Open

A delay of hours, or even minutes, can increase mortality rates for heart attack and stroke patients, says Josh Corman, a cybersecurity researcher with a focus on medical cybersecurity at the Institute for Security and Technology and former CISA staffer who reviewed the UCSD study. That means that even a shorter-duration outage in patient related services across hundreds of hospitals could have concrete and seriously harmful—if hard to measure—consequences.

Aside from drawing a first estimate of the possible toll on patients' health in this single incident, the UCSD team emphasizes that the real work of their study is to show that, with the right tools, it's possible to monitor and learn from these mass medical network outages. The result may be a better sense of how to prevent—or in the case of more intentional downtime from cyberattacks and ransomware—protect hospitals from experiencing them in the future.

At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds

Cryptominer campaign runs for years using legit sites to spread malware, targeting Linux systems through known bugs and avoiding detection.

A recent investigation by VulnCheck has exposed a cryptomining campaign that has been running unnoticed for years. The threat actor behind this operation, using the Linuxsys miner, has been targeting vulnerable systems since at least 2021, maintaining a consistent strategy that relies heavily on compromised legitimate websites to distribute malware.

What makes this campaign more difficult to detect is the attacker’s use of real websites as malware delivery channels. Instead of hosting payloads on suspicious domains, they compromise third-party sites with valid SSL certificates and plant their download links there. This not only helps them bypass many security filters but also keeps their core infrastructure (like the downloader site repositorylinux.org) at a distance from the actual malware files.

Between July 1 and July 16 this year, VulnCheck analysts spotted repeated exploit attempts from the IP address 103.193.177.152 against a canary Apache 2.4.49 instance. These attempts were tied to the CVE-2021-41773 vulnerability. While this particular vulnerability isn’t new and continues to be a popular target, the entity exploiting it stood out.

The attackers used a simple script called linux.sh, which pulls down both the configuration file and the Linuxsys binary from a list of five compromised websites. These include domains like prepstarcenter.com, wisecode.it, and dodoma.shop, all of which are otherwise ordinary-looking sites.

According to VulnCheck’s blog post shared with Hackread.com ahead of publishing on Wednesday, the list wasn’t random. This gave the attacker backup options if one site got taken down or stopped working, so the malware could still be delivered without interruption.

The miner configuration file retrieved from these sites points to hashvault.pro as the mining pool and identifies the wallet associated with the operation. That wallet has been receiving small payouts since January 2025, averaging around 0.024 XMR per day, about $8.

While $8 sounds insignificant, the operation isn’t necessarily about high revenue. The consistency and duration suggest other goals, or possibly more mining activity elsewhere that hasn’t been observed yet.

Tracing Linuxsys back in time, it first appeared in 2021 in a blog post by Hal Pomeranz, a highly respected expert in Linux and Unix digital forensics, analysing the exploitation of the same CVE. Since then, it has been tied to multiple vulnerabilities through reports by several cybersecurity firms. These include recent CVEs like 2023-22527, 2023-34960, and 2024-36401.

All of these security vulnerabilities were exploited using a n-day vulnerability exploitation, content staging on compromised web infrastructure, and persistent mining operations. An n-day vulnerability is a security bug that’s already known and usually has a fix available. The name just means the flaw has been public for a certain number of days, with ‘n’ being how many days it’s been since the issue was first made public or patched.

There’s also some evidence that the operation isn’t limited to Linux. Two Windows executables, nssm.exe and winsys.exe, were found on the same compromised hosts. While VulnCheck didn’t observe these in action, their presence suggests a broader scope than just Linux systems.

What’s kept this campaign so low-profile is likely a combination of careful targeting and deliberate avoidance of honeypots. VulnCheck notes that the attacker appears to favour high-interaction environments, meaning typical bait servers often miss this activity entirely. This cautious approach has likely helped the campaign avoid attracting too much attention despite being active for years.

VulnCheck has released Suricata and Snort rules that detect exploit attempts for all known associated CVEs. Meanwhile, indicators of compromise include IPs, URLs, and file hashes related to the attack. They also provided detection rules that security teams can use to identify DNS queries and HTTP traffic associated with the downloader and initial payload scripts.

Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware

Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald's was exposed after they guessed the password ("123456") for the fast food chain's account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 companies. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.

Security researchers recently revealed that the personal information of millions of people who applied for jobs at **McDonald’s** was exposed after they guessed the password (“123456”) for the fast food chain’s account at **Paradox.ai**, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.

A screenshot of the paradox.ai homepage showing its AI hiring chatbot “Olivia” interacting with potential hires.

Earlier this month, security researchers **Ian Carroll** and **Sam Curry** wrote about simple methods they found to access the backend of the AI chatbot platform on McHire.com, the McDonald’s website that many of its franchisees use to screen job applicants. As first reported by Wired, the researchers discovered that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers.

Paradox.ai acknowledged the researchers’ findings but said the company’s other client instances were not affected, and that no sensitive information — such as Social Security numbers — was exposed.

“We are confident, based on our records, this test account was not accessed by any third party other than the security researchers,” the company wrote in a July 9 blog post. “It had not been logged into since 2019 and frankly, should have been decommissioned. We want to be very clear that while the researchers may have briefly had access to the system containing all chat interactions (NOT job applications), they only viewed and downloaded five chats in total that had candidate information within. Again, at no point was any data leaked online or made public.”

However, a review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services. The results were not pretty.

The password data from the Paradox.ai developer was stolen by a malware strain known as “**Nexus Stealer**,” a form grabber and password stealer that is sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like **Intelligence X**, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of mostly poor and recycled passwords (using the same base password but slightly different characters at the end).

Those purloined credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for a number of Fortune 500 firms listed as customers on the company’s website, including **Aramark**, **Lockheed Martin**, **Lowes**, and **Pepsi.**

Seven-character passwords, particularly those consisting entirely of numerals, are highly vulnerable to “brute-force” attacks that can try a large number of possible password combinations in quick succession. According to a much-referenced password strength guide maintained by **Hive Systems**, modern password-cracking systems can work out a seven number password more or less instantly.

Image: hivesystems.com.

In response to questions from KrebsOnSecurity, Paradox.ai confirmed that the password data was recently stolen by a malware infection on the personal device of a longtime Paradox developer based in Vietnam, and said the company was made aware of the compromise shortly after it happened. Paradox maintains that few of the exposed passwords were still valid, and that a majority of them were present on the employee’s personal device only because he had migrated the contents of a password manager from an old computer.

Paradox also pointed out that it has been requiring single sign-on (SSO) authentication since 2020 that enforces multi-factor authentication for its partners. Still, a review of the exposed passwords shows they included the Vietnamese administrator’s credentials to the company’s SSO platform — paradoxai.okta.com. The password for that account ended in 202506 — possibly a reference to the month of June 2025 — and the digital cookie left behind after a successful Okta login with those credentials says it was valid until December 2025.

Also exposed were the administrator’s credentials and authentication cookies for an account at **Atlassian**, a platform made for software development and project management. The expiration date for that authentication token likewise was December 2025.

Infostealer infections are among the leading causes of data breaches and ransomware attacks today, and they result in the theft of stored passwords and any credentials the victim types into a browser. Most infostealer malware also will siphon authentication cookies stored on the victim’s device, and depending on how those tokens are configured thieves may be able to use them to bypass login prompts and/or multi-factor authentication.

Quite often these infostealer infections will open a backdoor on the victim’s device that allows attackers to access the infected machine remotely. Indeed, it appears that remote access to the Paradox administrator’s compromised device was offered for sale recently.

In February 2019, Paradox.ai announced it had successfully completed audits for two fairly comprehensive security standards (ISO 27001 and SOC 2 Type II). Meanwhile, the company’s security disclosure this month says the test account with the atrocious 123456 username and password was last accessed in 2019, but somehow missed in their annual penetration tests. So how did it manage to pass such stringent security audits with these practices in place?

Paradox.ai told KrebsOnSecurity that at the time of the 2019 audit, the company’s various contractors were not held to the same security standards the company practices internally. Paradox emphasized that this has changed, and that it has updated its security and password requirements multiple times since then.

It is unclear how the Paradox developer in Vietnam infected his computer with malware, but a closer review finds a Windows device for another Paradox.ai employee from Vietnam was compromised by similar data-stealing malware at the end of 2024 (that compromise included the victim’s GitHub credentials). In the case of both employees, the stolen credential data includes Web browser logs that indicate the victims repeatedly downloaded pirated movies and television shows, which are often bundled with malware disguised as a video codec needed to view the pirated content.

Tag

#windows