Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

**Where can I get it?** 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors.

 Malwarebytes introduces native ARM support for Windows devices  

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

 Google now allows digital fingerprinting of its users 

Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.

These are the dangers of “infostealers,” which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular is responsible for the lion’s share of infostealer activity—racking up 70% of known infostealer detections on Mac.

These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.

With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.

****The threat of infostealers****

“Infostealers” are a type of malware that do exactly as they say—they steal information from people’s devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.

With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don’t even require an additional step—they can take cryptocurrency directly from a victim’s online accounts. 

But there is another threat to infostealers that comes from their recent history. They are wildly adaptable.

In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a person’s device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.

By 2018, TrickBot was the largest threat to businesses.

Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn’t interested in Windows devices.

****The next Mac malware****

Malware is “malicious software,” and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn’t automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn’t work on iPhones.

For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.

During this time, most Mac threats were bothersome pieces of malware that would hijack a victim’s web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses—and as demand for Windows computers has waned—cybercriminals have readjusted their thinking.

In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features—much like TrickBot—it has also been gussied up with some of the markings of a legitimate business.  

For instance, AMOS can be “licensed” out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn’t just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.

By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion—seriously—and even released an AMOS update that would better obfuscate the infostealer from being detected by cybersecurity software.

But in the world of cybercrime, malware _features_ only mean so much. Another important piece of cybercrime is getting malware _onto_ a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.

Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to “malicious advertising” or “malvertising.” This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.

On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.

This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.

As we warned in the State of Malware report:

> “Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN.”

Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware barely launched last summer.

Interestingly, Poseidon is just another “fork” of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.

Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising—hackers can target malicious ads based on a potential victim’s location, operating system, software, and search terms—Mac users must be on watch.

****How to stay safe****

In 2025, Mac users don’t need to just watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use the malware delivery method for all sorts of threats online.

Here’s how you can stay safe:

*   Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
*   Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
*   Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Macs targeted by infostealers in new era of cyberthreats 

A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.
Fortinet FortiGuard Labs said the new version of the malware has been behind over 280 million blocked infection attempts worldwide since the start of the year.
"Typically delivered through phishing emails containing malicious attachments or links,

New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update…

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update firmware now!

Rapid7 researchers uncovered security weaknesses in Xerox Versalink C7025 multifunction printers, specifically models running firmware version 57.69.91 and earlier. These vulnerabilities designated CVE-2024-12510 and CVE-2024-12511, expose the devices to “pass-back” attacks.

According to Rapid7’s research shared with Hackread.com, these are a type of attacks that allow a malicious actor who has compromised the printer’s administrative functions to redirect authentication requests to a system under their control. This can be achieved by altering settings related to services like Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and File Transfer Protocol (FTP).

The LDAP vulnerability allows an attacker to modify the LDAP server’s IP address within the printer’s configuration. By then triggering an LDAP lookup, the printer unwittingly sends authentication credentials to the attacker’s rogue server. The attacker can then capture these credentials in clear text. Similarly, the SMB/FTP vulnerability allows modification of the SMB or FTP server’s IP address in the user’s address book configuration.  

The image illustrates how an attacker might manipulate the server IP address to redirect authentication attempts to a rogue server, thereby stealing the credentials. Predefined login credentials, with the username “MFPservice,” are used for authentication.

While the password itself is obscured, its presence indicates that the printer is configured to authenticate to the LDAP server, a detail central to the pass-back vulnerability where these credentials could be captured by an attacker.

Source: Rapid7

This can be exploited by triggering a scan-to-file operation, which sends authentication credentials to the attacker-controlled server. In the case of SMB, this could expose NetNTLMV2 handshakes, potentially allowing further compromise of Active Directory file servers. For FTP, credentials would be transmitted in clear text.

Successful exploitation of these vulnerabilities requires either administrative access to the printer’s settings or, in some cases, physical access to the console or remote access via the web interface if user-level remote control is enabled. 

The impact of these vulnerabilities is significant, as attackers could potentially gain access to sensitive credentials, including those for Windows Active Directory. This could enable lateral movement within a network, compromising critical servers and systems.

Rapid7 responsibly disclosed these vulnerabilities to Xerox, coordinating the disclosure timeline and working with the vendor to confirm the effectiveness of the patches. Organizations using affected Xerox Versalink printers should immediately upgrade to the latest patched firmware version.

In case immediate patching is not feasible, it is recommended to set a strong and unique password for the printer’s administrative account, avoid the use of domain administrator accounts for LDAP or scan-to-file services, and disable remote console access for unauthenticated users.

Xerox Versalink Printers Vulnerabilities Could Let Hackers Steal Credentials

Users who are on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts.
The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month.
Targets of the campaign include individuals and

Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack

Attackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.

Soure: T. Schneider via Shutterstock

A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs' configuration.

**Complete Access to Windows Environments**

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6) an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMM or FTP authentication credentials.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

**An Ideal Scenario for Threat Actors**

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Xerox Printer Vulnerabilities Enable Credential Capture

A flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.

Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients.

After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt.

Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money and by selling the hard drives off the company would have brought in a small amount of cash.

This incident reminded me of two important security measures that we sometimes overlook.

The first is obvious. Computers are very bad at “forgetting” things. When you delete a file, the system doesn’t actually remove the file from your hard drive. Only the location of the file is set to “unused” so it may be overwritten at some point, but it often can be recovered. So you need to be careful how you decommission your old hard drives or any devices that have data on them.

One method is to overwrite the present data with zeroes or random numbers. There are several levels of overwriting hard drives:

*   **Single-pass overwrite**: Writing zeros or random data once across the entire disk is often sufficient for traditional hard drives.
*   **Multi-pass overwriting**: More secure methods involve multiple passes (e.g., 3-pass or 7-pass), which can further reduce the chance of data recovery.
*   **NIST 800-88 method**: A recognized standard that includes overwriting with random data followed by zeros and verification. This is the type of method we would like to see when it comes to sensitive data like medical information.

Some modern drives come with a **secure erase** command embedded in the firmware, but you need special software to execute the command, and it may require several rounds of overwrite.

Users that have a Windows computer with UEFI can use the secure erase option in their computer’s BIOS or UEFI settings. The exact steps depend on your computer’s manufacturer and model. Unless you’re afraid of law enforcement or a very skilled attacker that should be enough. For computers pre-dating UEFI you will need specialized software. To find out whether your computer has UEFI:

*   Right-click the Start button
*   Select Run
*   Type msinfo32 and press OK
*   Click System Summary
*   Scroll down to the BIOS Mode value to check whether it says UEFI  
      
    

Non-SSD drives can be degaussed, a method which uses a strong magnetic field to disrupt the magnetic storage on traditional hard drives. However, it is ineffective for SSDs and flash storage.

Which leaves physical destruction as the last option. The usual method to do this, called shredding, involves cutting up hard drives into small pieces and then burning them in an incinerator or shredding machine to destroy their magnetic properties.

The second security measure that is important is to have your data removed from publicly available records. In the Dutch case it’s remarkable and painful that such a company would have this type of information stored on their drives. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the date should have been encrypted, and of course the hard drives should have been decommissioned responsibly.

Depending on the type of information and the origin it seems unlikely that someone would consider to ask for removal of the data. After all, often it’s important that medical information is shared among care providers.

On the other hand, there is a ton of information about everyone in publicly accessible places that we can keep under control by using data removal services. Using a data removal service increases online anonymity, which makes it harder for stalkers, phishers, other attackers, or advertisers to find personal details.

 Hard drives containing sensitive medical data found in flea market 

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest on the PT website Content: 🔻 00:00 […]

**New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024.** I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”. 😉

📹 Video on YouTube, LinkedIn  
🗞 Post on Habr (rus)  
🗒 Digest on the PT website

Content:

🔻 00:00 Greetings  
🔻 00:28 **Elevation of Privilege** – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)  
🔻 01:30 **Elevation of Privilege** – Windows Common Log File System Driver (CVE-2024-49138)  
🔻 02:37 **Remote Code Execution** – Apache Struts (CVE-2024-53677)  
🔻 03:31 **Authentication Bypass** – Hunk Companion WordPress plugin (CVE-2024-11972)  
🔻 04:44 Trending vulnerabilities for 2024

👾 08:10 Channel mascot 😅

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it…

The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it steals credentials and evades detection.

Cybersecurity researchers at FortiGuard Labs have discovered a new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. As per their research, shared with Hackread.com, this malware is designated AutoIt/Injector.GTY!tr, and has been linked to over 280 million blocked infection attempts globally, primarily concentrated in China, Turkey, Indonesia, Taiwan, and Spain. 

Researchers note that this Snake Keylogger variant typically spreads through phishing emails containing malicious attachments or links. It targets popular web browsers like Chrome, Edge, and Firefox, stealing sensitive information such as credentials and data by logging keystrokes, capturing credentials, and monitoring the clipboard. The stolen data is then exfiltrated to its command-and-control (C2) server via email (SMTP) and Telegram bots. 

According to FortiGuard Labs’ technical report, the malware employs AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. AutoIt can create standalone executables that can bypass standard antivirus solutions whereas AutoIt-compiled binary adds a layer of obfuscation, making detection and analysis more challenging.  

Malware Activity -Source Fortinet

The graph shows the fluctuating activity levels of AutoIt/Injector.GTY detections, suggesting potential campaigns between 1 Jan-12 Feb 2025. It is important to note that this graph represents detected instances, and the actual number of infections could be higher. 

During the attack, the malware drops a copy of itself as “ageless.exe” in the %Local\_AppData%\\supergroup folder with hidden attributes and places “ageless.vbs” in the %Startup% folder. This script uses WScript.Shell() to run “ageless.exe” upon system startup, ensuring persistence.  This method is commonly used because the Windows Startup folder allows scripts to run without administrative privileges.  

After executing “ageless.exe,” the malware injects its malicious payload into a legitimate .NET process, “RegSvcs.exe,” using process hollowing, which involves suspending “RegSvcs.exe,” deallocating its original code, allocating new memory, and injecting the malicious payload. Upon resuming, the process executes the injected code, allowing the malware to hide within a trusted process, evading detection.  

Snake Keylogger retrieves the victim’s geolocation using websites like checkipdyndnsorg and exfiltrates stolen credentials via SMTP and Telegram bots using HTTP Post requests.  Moreover, the malware can detect access to folders containing browser login credentials and other sensitive data. It uses modules to steal data from browser autofill systems, including credit card details and captures keystrokes using the SetWindowsHookEx API with the WH\_KEYBOARD\_LL flag, allowing it to log sensitive input.  

The image shows the various techniques Snake Keylogger employs during the attack, including Collection, Credential Access, Defense Evasion, Exfiltration, Lateral Movement, Privilege Escalation, Reconnaissance, and Resource Development, etc. providing a concise overview of the diverse malicious capabilities of the Snake Keylogger.

Snake Keylogger MITRE ATT&CK Matrix – Source Fortinet

This is a sophisticated, feature-rich variant, and a threat to Windows users worldwide. Organizations and individuals use a combination of advanced threat protection and proactive security measures to defend against this and other emerging keylogger threats.

Tag

#windows