Subscribe to our news Changelog
Hidden cryptocurrency mining and theft campaign affected over 28,000 users
Virus analysts at Doctor Web have identified a large-scale campaign aimed at spreading cryptomining and cryptostealing malware by delivering trojans to victims' computers under the guise of office programs, game cheats, and online trading bots.
08.10.2024 | Real-time threat news
Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process
Doctor Web virus analysts have identified a new rootkit modification that installs the Skidmap mining trojan on compromised Linux machines. This rootkit is designed as a malicious kernel module that hides the miner’s activity by providing fake information about CPU usage and network activity. This attack appears to be indiscriminate, primarily targeting the enterprise sector—large servers and cloud environments—where mining efficiency can be maximized.
03.10.2024 | Real-time threat news
Doctor Web resumed virus database updates after the attack on its infrastructure
Now that the dangerous situation involving the attack on Doctor Web's infrastructure has been resolved successfully, we're happy to bring you up to speed on the latest developments and present the security incident's complete timeline.
18.09.2024 | Real-time threat news
Doctor Web's resources attacked
On Saturday, September 14, Doctor Web specialists recorded a targeted attack on the company's resources. The attempt to harm our infrastructure was prevented in a timely manner, and no user whose system was protected by Dr.Web was affected.
17.09.2024 | Real-time threat news
Void captures over a million Android TV boxes
Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d , has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.
12.09.2024 | Real-time threat news
Gaining persistence in a compromised system using Yandex Browser. Failed spear phishing attack on Russian rail freight operator.
Social engineering is a highly effective fraud technique that is difficult to withstand. A skilled attacker knows how to find the right approach to intimidate or persuade a victim to perform an action. But what if an attack requires little communication effort, and a computer stops being a digital assistant and becomes an unwitting accomplice?
04.09.2024 | Real-time threat news
Do shoot the messenger: Telegram-controlled backdoor trojan targets Linux servers
Doctor Web virus analysts exposed a Linux version of the well-known TgRat trojan, which is used for targeted attacks on computers. One notable feature of this trojan is that it is controlled via a Telegram bot.
04.07.2024 | Real-time threat news
Smart-sex-toy users targeted by clicker trojan
Virus analysts at Doctor Web uncovered an Android application containing a clicker trojan that silently opens advertising sites and clicks on webpages. Such trojans can be used to stealthily display ads, generate click fraud, sign up unsuspecting victims for paid subscriptions or launch DDoS attacks.
04.05.2024 | Real-time threat news
Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector
In October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected malware was on one of its computers. Our specialists investigated this incident and determined that the affected company had encountered a targeted attack. During this attack, malicious actors had sent phishing emails with an attachment containing the malicious program responsible for the initial system infection and installing other malicious instruments in the system.
11.03.2024 | Real-time threat news
Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims
Doctor Web is reporting on an increase in cases of cryptocurrency-mining trojans being found hidden in pirated software that is available in Telegram and on some Internet sites.
15.01.2024 | Real-time threat news
Vulnerability in Openfire messaging software allows unauthorized access to compromised servers
Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed on them have been affected by a vulnerability that lets hackers gain access to the file system and use the infected servers as part of a botnet.
25.09.2023 | Real-time threat news
The art of manipulation: fraudsters steal money with remote administration software for mobile devices
Doctor Web is reporting on the growing number of fraud cases involving remote desktop access applications. RustDesk is the most popular among attackers.
22.09.2023 | Real-time threat news
Android.Spy.Lydia trojans masquerade as an Iranian online trading platform
Doctor Web has detected new versions of the Android.Spy.Lydia trojans, which engage in a variety of spyware activities on infected Android devices and provide attackers with remote control capabilities to steal personal information and funds. Moreover, the trojans have a defense mechanism that checks whether they are being launched in an emulator or on a test device. In such cases, the trojans stop working.
13.09.2023 | Real-time threat news
Pandora's box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes
Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan.
06.09.2023 | Real-time threat news
Fruity trojan downloader performs multi-stage infection of Windows computers
Doctor Web has uncovered an attack on Windows users involving a modular downloader trojan dubbed Trojan.Fruity.1. With its help, threat actors can infect computers with different types of malware, depending on the attackers’ goals. To conceal an attack and increase the chances of it being successful, they use a variety of tricks. These include a multi-stage infection process for target systems, using harmless apps for launching components of the trojan, and trying to bypass anti-virus protection.
27.07.2023 | Real-time threat news
Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition
Doctor Web has discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan app substitutes crypto wallet addresses in the clipboard with addresses provided by attackers. As of this moment, malicious actors have managed to steal cryptocurrency in an amount equivalent to about $19,000 US.
13.06.2023 | Real-time threat news
Android apps containing SpinOk module with spyware features installed over 421,000,000 times
Doctor Web discovered an Android software module with spyware functionality. It collects information on files stored on devices and is capable of transferring them to malicious actors. It can also substitute and upload clipboard contents to a remote server. Dubbed Android.Spy.SpinOk in accordance with Dr.Web classification, this module is distributed as a marketing SDK. Developers can embed it into all sorts of apps and games, including those available on Google Play.
29.05.2023 | Real-time threat news
Linux backdoor malware infects WordPress-based websites
Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.
30.12.2022 | Real-time threat news
Android users risk falling victim to fraudsters during online job searches
Doctor Web is alerting users to the emergence of malicious Android apps that attackers have disguised as job-search software. Through these applications, fraudsters can collect their victims’ personal information and steal money from them using deceptive techniques.
21.11.2022 | Real-time threat news
Banking trojans disguised as shopping apps attack Malaysian Android users
Doctor Web reports on the discovery of banking trojan apps that target Malaysian users. Malicious actors distribute them as mobile shopping apps. Unlike many other bankers, these not only have icons and basic store names, but also work just like such apps in order to look more plausible and not trigger any suspicions. These trojans steal logins and passwords from accounts of online banking systems. They also hijack SMS containing mobile TANs and one-time passwords that are used to confirm transactions. Moreover, they steal victims’ personal information, including their date of birth and mobile phone and identity card numbers.
19.10.2022 | Real-time threat news
Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices
Doctor Web reports that it has discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. These trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios. Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users. The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.
22.08.2022 | Real-time threat news
Study of an APT attack on a telecommunications company in Kazakhstan
In October 2021, one of Kazakhstan’s telecommunication companies contacted Doctor Web, with suspicion of malware in the corporate network. During the first look, we found backdoors that were previously only used in targeted attacks. During the investigation, we also found out that the company’s internal servers had been compromised since 2019. For several years, Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom have been the main attackers' tools.
24.03.2022 | Real-time threat news
Mobile device users’ cryptocurrency is at risk
Doctor Web warns on the spread of trojan apps designed to steal cryptocurrency from mobile device users. The malicious software hijacks secret seed phrases that give access to crypto wallets. Users of both Android devices and Apple smartphones are at risk.
21.03.2022 | Real-time threat news
Vulnerabilities in Log4j 2 threaten users
Concerning the dangerous vulnerabilities in the Log4j 2 logging library–CVE-2021-44228, CVE-2021-45046, CVE2021-4104, and CVE-2021-42550–Doctor Web is drawing users’ attention to the need to observe protective measures. The library is used for logging in Java projects and is part of the Apache Logging Project. Vulnerabilities allow attackers to execute arbitrary code on the system and cause a Denial of Service or disclose confidential information. Even though Apache has already released several patches, vulnerabilities may still be a danger.
27.12.2021 | Real-time threat news
«Doctor Web discovered vulnerabilities in children’s smart watches
30.11.2021 | Real-time threat news