UCI A.I CyberSecurity Scoring
Company Information
Website: http://www.unknowncyber.com
Employees number: 8
Number of followers: 294
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: unknowncyber.com
UCI Risk Score (AI oriented): 447/1000, grade C (Critical); Critical band: between 0 and 549. Updated: 21/05/2026
UCI Global Score (TPRM): score locked
Current Score: 447 C (CRITICAL), 4 incidents, -79.5 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 454
May 2026: 564
Ransomware
21 May 2026 • UCI
Unknown Organizations: WantToCry Ransomware Exploits SMB to Encrypt Remote Files
WantToCry Ransomware Campaign
448
CRITICAL-116
UNK1779344688
New "WantToCry" Ransomware Campaign Exploits Exposed SMB Services
A recently identified ransomware campaign, dubbed WantToCry, is targeting organizations by abusing exposed Server Message Block (SMB) services to encrypt victim data without deploying traditional malware. The attack method reduces detection risks, evading conventional security tools by leveraging legitimate SMB operations.
Despite its name, an apparent nod to the 2017 WannaCry outbreak, WantToCry is not self-propagating and shares no technical ties to its predecessor. Instead, attackers scan the internet for devices with exposed SMB ports (TCP 139 and 445), often using platforms like Shodan and Censys. As of early 2026, over 1.5 million devices were found to have SMB ports accessible online, creating a vast attack surface.
Once targets are identified, threat actors conduct brute-force attacks using weak or compromised credentials. After gaining access, they exfiltrate files over SMB to attacker-controlled infrastructure, where encryption occurs remotely. Encrypted files are then written back to the victim’s system with a .want_to_cry extension, accompanied by ransom notes (!Want_To_Cry.txt) demanding payments ranging from $400 to $1,800 in Bitcoin. Communication is offered via qTox or Telegram, though there is no evidence of double extortion or data leak threats.
The campaign’s infrastructure is segmented, with initial reconnaissance linked to a Russian hosting provider, while encryption operations span multiple countries, including Germany, the U.S., Singapore, and Russia. Researchers noted recurring virtual machine hostnames previously associated with other malware families like LockBit and BlackCat, though these are likely rented systems rather than unique identifiers of a single group.
Detection remains difficult, as WantToCry avoids executable malware, relying instead on legitimate SMB activity. However, unusual SMB traffic, such as sustained file operations from external IPs or abnormal authentication attempts, can serve as indicators. Organizations are advised to disable SMBv1, block inbound SMB traffic, enforce strong authentication, and monitor network activity to mitigate risks.
The campaign underscores a growing trend of attackers exploiting misconfigurations rather than software vulnerabilities, emphasizing the need for robust access controls and exposed service security.
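The detection indicators listed above (repeated SMB authentication failures, sustained file operations from an external address, and the `.want_to_cry` extension or `!Want_To_Cry.txt` note appearing in writes) can be turned into simple rules run over SMB server logs. The following is an added example written for this page, not code from the advisory or from any vendor; the log line format, the IP addresses and the thresholds are constructed assumptions, and a real deployment would map the fields from whatever SMB audit source is in use.

```python
"""Rule-based detection for the SMB indicators described in the WantToCry summary.
Added example; the log format, sample addresses and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (assumption, not a real product's log):
#   <ISO-8601 time> <source IP> <EVENT> <detail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<event>AUTH_FAIL|AUTH_OK|FILE_READ|FILE_WRITE)\s*(?P<detail>.*)$"
)

AUTH_FAIL_THRESHOLD = 5          # failures from one source inside WINDOW (assumed tuning)
FILE_OP_THRESHOLD = 20           # file operations from one external source inside WINDOW
WINDOW = timedelta(minutes=10)
RANSOM_MARKERS = (".want_to_cry", "!Want_To_Cry.txt")   # artifacts named in the summary

# RFC1918, loopback and link-local count as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse lines in the constructed format; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "event": m["event"], "detail": m["detail"]})
    events.sort(key=lambda e: e["ts"])
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return one alert dict per (source, rule) that fires."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in sorted(by_ip.items()):
        fails = [e["ts"] for e in evs if e["event"] == "AUTH_FAIL"]
        if max_in_window(fails, WINDOW) >= AUTH_FAIL_THRESHOLD:
            alerts.append({"ip": ip, "rule": "smb_auth_bruteforce", "count": len(fails)})
        if is_external(ip):
            ops = [e["ts"] for e in evs if e["event"] in ("FILE_READ", "FILE_WRITE")]
            if max_in_window(ops, WINDOW) >= FILE_OP_THRESHOLD:
                alerts.append({"ip": ip, "rule": "external_sustained_file_ops", "count": len(ops)})
        for e in evs:
            if e["event"] == "FILE_WRITE" and any(mk.lower() in e["detail"].lower() for mk in RANSOM_MARKERS):
                alerts.append({"ip": ip, "rule": "ransom_artifact_written", "count": 1, "detail": e["detail"]})
                break
    return alerts


def build_sample_log():
    """Constructed sample: one external host (documentation range 198.51.100.0/24)
    failing six logins, succeeding, then writing many renamed files; one internal
    workstation doing ordinary work."""
    base = datetime(2026, 5, 21, 2, 0, 0)
    lines = []
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.23 AUTH_FAIL user=administrator")
    lines.append(f"{(base + timedelta(seconds=7)).isoformat()} 198.51.100.23 AUTH_OK user=administrator")
    for i in range(25):
        t = base + timedelta(seconds=10 + i * 10)
        lines.append(f"{t.isoformat()} 198.51.100.23 FILE_WRITE share=\\\\FS01\\finance\\report{i}.xlsx.want_to_cry")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 198.51.100.23 FILE_WRITE share=\\\\FS01\\finance\\!Want_To_Cry.txt")
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.5.14 FILE_READ share=\\\\FS01\\hr\\policy.pdf")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 10.0.5.14 AUTH_FAIL user=jdoe")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The brute-force rule deliberately applies to internal sources too, since a compromised internal host spraying credentials at a file server is just as relevant; the sustained-file-operation rule is limited to external sources because that is the specific pattern the summary describes. Thresholds are starting points and should be tuned against a baseline of normal share usage.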
May 2026: 584
Cyber Attack
18 May 2026 • UCI
npm and Unknown Developer Organizations: Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets
New npm Supply Chain Attack Targets Developers with Malicious Packages
564
CRITICAL-20
NPMUNK1779085557
A recent supply chain attack campaign has been uncovered in the npm ecosystem, with four malicious packages designed to steal sensitive data, including SSH keys, cloud credentials, and cryptocurrency wallets. Discovered by OX Security within the last 24 hours, the attack highlights the risks of typosquatting and the rapid weaponization of leaked malware.
The packages @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils were published under a single npm account and collectively amassed over 2,600 weekly downloads. All versions of these packages contain embedded infostealer functionality, ensuring immediate compromise upon installation.
The most notable package, chalk-tempalte, contains a near-identical clone of the Shai-Hulud malware, which was leaked publicly just days earlier by TeamPCP. The attacker behind this package appears to have copied the source code with minimal modifications, leaving it unobfuscated, a departure from the original developers’ approach. The malware exfiltrates stolen data to a command-and-control (C2) server at 87e0bbc636999b.lhr.life and also uploads it to attacker-controlled GitHub repositories.
The other packages demonstrate varying attack strategies:
- @deadcode09284814/axios-util harvests SSH keys, environment variables, and cloud credentials (AWS, Google Cloud, Azure), sending them to a remote server at 80.200.28.28:2222.
- axois-utils deploys a "phantom bot" written partially in Go, establishing persistence on infected systems and converting them into DDoS botnet nodes capable of HTTP, TCP, UDP, and reset-based flooding attacks.
- color-style-utils acts as a simpler infostealer, collecting IP addresses, geolocation data, and cryptocurrency wallet details, transmitting them to edcf8b03c84634.lhr.life.
The campaign likely relies on typosquatting, exploiting slight misspellings of popular packages (e.g., Axios) to trick developers into accidental installations. The lack of obfuscation suggests the attacker prioritized speed over stealth, further indicating opportunistic reuse of leaked malware.
This incident underscores how quickly threat actors can repurpose leaked code, amplifying risks in the software supply chain. Developers are advised to uninstall affected packages, rotate exposed credentials, and scan for persistence mechanisms, including the string "A Mini Sha1-Hulud has Appeared" in repositories.
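The remediation advice above (find the four named packages in a project's dependency set and look for the "A Mini Sha1-Hulud has Appeared" marker) is straightforward to script. The following is an added example written for this page, not code from OX Security or from the npm project. It reads `package.json` and a v1/v2/v3 `package-lock.json`, flags the names quoted in the report, and additionally applies a typosquat heuristic (edit distance of 2 or less against a short allowlist of popular names) that goes beyond the report; the allowlist and the sample manifests are constructed assumptions.

```python
"""Audit an npm project for the package names and marker string quoted in the
summary above, plus a generic typosquat heuristic. Added example; inputs constructed."""
import json
import os

# Package names quoted in the report above
KNOWN_MALICIOUS = {
    "@deadcode09284814/axios-util",
    "axois-utils",
    "chalk-tempalte",
    "color-style-utils",
}
# Persistence marker string quoted in the report above
MARKER = "A Mini Sha1-Hulud has Appeared"
# Assumption: a small allowlist of popular names an attacker is likely to imitate;
# extend it with the high-download packages your own projects actually use.
POPULAR = ["axios", "chalk", "chalk-template", "lodash", "express", "react"]
TYPOSQUAT_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def deps_from_package_json(text):
    data = json.loads(text)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        names.update(data.get(key, {}).keys())
    return names


def deps_from_lockfile(text):
    """Lockfile v2/v3 keys installed packages as 'node_modules/<name>' (nested paths
    for transitive copies); v1 keeps a top-level 'dependencies' map."""
    data = json.loads(text)
    names = set()
    for path in data.get("packages", {}):
        if not path:
            continue   # "" is the root project itself
        names.add(path.rsplit("node_modules/", 1)[-1])
    names.update(data.get("dependencies", {}).keys())
    return names


def audit_names(names):
    """Return (name, reason) pairs for known-bad names and near-misses of popular ones."""
    findings = []
    for name in sorted(names):
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known_malicious"))
            continue
        bare = name.split("/", 1)[1] if name.startswith("@") else name   # strip scope
        for pop in POPULAR:
            if bare != pop and edit_distance(bare, pop) <= TYPOSQUAT_DISTANCE:
                findings.append((name, f"possible_typosquat_of:{pop}"))
                break
    return findings


def audit_project(package_json_text, lockfile_text):
    return audit_names(deps_from_package_json(package_json_text) | deps_from_lockfile(lockfile_text))


def scan_texts(texts):
    """texts: {path: content}. Return the paths whose content carries the marker string."""
    return sorted(path for path, content in texts.items() if MARKER in content)


def scan_tree_for_marker(root):
    """Read every file under `root` (errors ignored) and scan it for the marker."""
    texts = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                with open(p, "r", encoding="utf-8", errors="ignore") as fh:
                    texts[p] = fh.read()
            except OSError:
                continue
    return scan_texts(texts)


# Constructed sample manifests: one known-bad direct dependency, one transitive
# known-bad dependency visible only in the lockfile, and one invented near-miss name.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"axios": "^1.6.0", "chalk-tempalte": "1.0.0", "lodsh": "4.17.21"},
    "devDependencies": {"express": "^4.19.0"},
})
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.6.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.0"},
        "node_modules/lodsh": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.19.0"},
        "node_modules/some-dep/node_modules/color-style-utils": {"version": "0.1.0"},
    },
})

if __name__ == "__main__":
    for name, reason in audit_project(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE):
        print(f"{name}: {reason}")
```

The lockfile pass matters because `color-style-utils` in the sample is only present as a transitive dependency and never appears in `package.json`. The typosquat heuristic is a prompt for review, not a verdict: legitimate packages with short names can sit within two edits of a popular one, so treat its hits as a list to check by hand.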
April 2026: 583
March 2026: 598
Cyber Attack
09 Mar 2026 • UCI
Unknown Victims: MaaS VIP Keylogger Campaign Uses Steganography to Steal Credentials at Scale
Large-Scale Spear-Phishing Campaign Distributes VIP Keylogger via Malware-as-a-Service
577
CRITICAL-21
UNK1773059055
A sophisticated spear-phishing campaign is distributing a VIP Keylogger variant as part of a Malware-as-a-Service (MaaS) operation, employing advanced evasion techniques to harvest credentials from browsers, email clients, and collaboration tools. The attack leverages steganography, in-memory execution, and modular payload design to bypass traditional defenses.
### Attack Vector & Execution
The campaign begins with fraudulent purchase-order emails, tricking victims into opening a RAR file attachment containing an executable disguised as a spreadsheet (ÜRÜN ÇİZİMİ VE TEKNİK ÖZELLİKLERİ_xlsx.exe). Upon execution, the malware loads VIP Keylogger directly into memory, avoiding disk-based detection.
Researchers identified multiple samples on VirusTotal, with consistent payload behavior despite variations in social engineering lures. The malware employs process hollowing, dynamically retrieving functions from Kernel32.dll and Ntdll.dll to unpack and execute the keylogger.
In some cases, the payload is concealed within AES-encrypted bytes in the .data section of a .NET Portable Executable (PE). The loader disables Windows AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) before executing the keylogger via the CLR runtime.
### Credential Theft Capabilities
Once active, the keylogger targets over 40 Chromium-based browsers (Chrome, Brave, Vivaldi, Opera), extracting:
- Stored passwords (via Windows DPAPI for AES-256 GCM-encrypted data)
- Browser cookies & autofill data
- Payment information (stored in SQLite databases)
For Mozilla-based browsers (Firefox, Waterfox, Thunderbird), it uses PK11SDR_Decrypt from nss3.dll to retrieve saved logins. The malware also harvests:
- Email credentials (Outlook via registry, Foxmail, Thunderbird)
- Discord tokens, FileZilla server credentials, and Pidgin chat accounts (from plaintext config files)
- Wi-Fi credentials, clipboard data, and screenshots (though these features were dormant in observed samples)
### Exfiltration & Infrastructure
Stolen data is exfiltrated via FTP, Telegram, Discord, web POST requests, and SMTP. Analyzed samples sent credentials from logs@gtpv[.]online to log@gtpv[.]online using hosting2[.]ro.hostsailor[.]com over port 587.
### MaaS Model & Customization
The VIP Keylogger operates under a Malware-as-a-Service model, with some variants lacking Anti-VM detection, Process Killer, or Downloader modules, suggesting client-specific customization.
### Indicators of Compromise (IOCs)
- D1DF5D64C430B79F7E0E382521E96A14 (Trojan)
- E7C42F2D0FF38F1B9F51DC5D745418F5 (Trojan)
- EA72845A790DA66A7870DA4DA8924EB3 (Trojan)
- 694C313B660123F393332C2F0F7072B5 (Spyware)
The campaign highlights the growing threat of stealthy, in-memory malware delivered via social engineering, underscoring the need for advanced detection mechanisms.
February 2026: 597
January 2026: 594
December 2025: 749
Breach
01 Dec 2025 • UCI
Unknown: Password Security Trends 2015–2025: Insights From A Cybersecurity Expert
Massive Data Leak Exposes 149 Million Logins, Revealing Persistent Password Security Flaws
588
CRITICAL-161
UNK1772864844
In late 2025, cybersecurity researcher Jeremiah Fowler discovered a publicly exposed database containing 149 million logins, emails, usernames, and passwords, a trove of credentials left unsecured for nearly a month before being taken offline. The incident provided a rare opportunity to analyze real-world password trends over the past decade, offering stark insights into how user behavior and security practices have evolved, or failed to improve.
### Key Findings: Password Trends from 2015 to 2025
Fowler’s analysis revealed that 85% of passwords in the leaked dataset followed human-memorable patterns, while only 15% met complexity standards (12+ characters with mixed cases, numbers, and symbols). The shift from 2015 was notable: while plain numeric strings dominated a decade ago, modern passwords now frequently combine names, dates, and a single special character, a structure that remains predictable despite its apparent complexity.
Common weak patterns included:
- Dictionary words (e.g., password, admin, qwerty)
- Name + number/date + symbol (e.g., John1985!)
- Repeated or sequential characters (e.g., 123456, aaaaaa)
- Reused credentials across multiple accounts
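The pattern categories listed above, together with the 12+ character complexity standard, are easy to express as a classifier that can be run over a credential dump during a breach investigation. The following is an added example written for this page, not code from Fowler's analysis; the dictionary and name lists are tiny constructed stand-ins (a real run would load full wordlists), and the sample records are constructed.

```python
"""Classify passwords into the weak-pattern categories above, measure the share that
meets the 12+ character complexity standard, and find reuse across accounts.
Added example; wordlists and sample records are constructed."""
import re
from collections import Counter

DICTIONARY = {"password", "admin", "qwerty", "letmein", "welcome"}   # constructed stand-in for a wordlist
NAMES = {"john", "maria", "david", "anna"}                            # constructed stand-in for a names list
# word, then 2-4 digits (a year or short number), then up to two symbols: e.g. John1985!
WORD_NUM_SYM = re.compile(r"^([A-Za-z]+)(\d{2,4})([^A-Za-z0-9]{0,2})$")


def meets_complexity(pw):
    """The standard quoted above: 12+ characters with lower, upper, digit and symbol."""
    return (len(pw) >= 12
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_repeated(pw):
    return len(pw) >= 4 and len(set(pw)) == 1


def is_sequential(pw):
    """Every step between neighbouring characters is +1 (123456, abcdef) or -1 (654321)."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def classify(pw):
    """Return one label: a weak-pattern category, 'complex', or 'other_memorable'."""
    if pw.lower() in DICTIONARY:
        return "dictionary"
    if is_repeated(pw):
        return "repeated"
    if is_sequential(pw):
        return "sequential"
    m = WORD_NUM_SYM.match(pw)
    if m:
        return "name_date_symbol" if m.group(1).lower() in NAMES | DICTIONARY else "word_number_symbol"
    return "complex" if meets_complexity(pw) else "other_memorable"


def find_reused(records):
    """records: (account, password) pairs. Return {password: number_of_accounts} for reuse."""
    counts = Counter(pw for _, pw in records)
    return {pw: n for pw, n in counts.items() if n > 1}


def summarize(passwords):
    labels = Counter(classify(p) for p in passwords)
    total = len(passwords)
    return {"labels": dict(labels),
            "complex_share": labels.get("complex", 0) / total if total else 0.0}


# Constructed sample records (account, password); none are real credentials.
SAMPLE_RECORDS = [
    ("alice@example.test", "password"),
    ("bob@example.test", "John1985!"),
    ("carol@example.test", "123456"),
    ("dan@example.test", "aaaaaa"),
    ("erin@example.test", "Summer2024!"),
    ("frank@example.test", "password"),
    ("grace@example.test", "Vq7#pLm2!xR9t"),
    ("hank@example.test", "hunter2"),
]

if __name__ == "__main__":
    print(summarize([pw for _, pw in SAMPLE_RECORDS]))
    print("reused:", find_reused(SAMPLE_RECORDS))
```

Only the passwords themselves are needed for the category statistics; the account column is used solely by the reuse check, which is where a single leaked value starts to matter across services.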
### The Reuse Problem Persists
Despite years of security warnings, password reuse remains rampant. A 2025 GoDaddy survey found that 61% of consumers admit to reusing passwords, an 11% increase from 2018. Even complex passwords are often recycled, creating a domino effect where a single breach can compromise multiple accounts. Meanwhile, only 6% of 19 billion analyzed passwords were unique, leaving users vulnerable to dictionary attacks.
Generational differences also emerged: 60% of Gen X and Baby Boomers still rely on passwords as their primary authentication method, while only 30% use modern alternatives like social sign-ins or passkeys.
### The Rising Threat of Infostealers and Malware
The leak underscored the growing sophistication of cybercriminals, particularly through infostealer malware, which extracts stored credentials, session cookies, and autofill data without requiring user interaction. Unlike keyloggers, which record keystrokes, infostealers operate at scale, harvesting vast amounts of data in a single execution.
- IBM’s 2025 Threat Intelligence Index reported an 84% increase in weekly infostealer activity in 2024 compared to 2023.
- Phishing emails delivering infostealers surged by 180% in early 2025.
- Misconfigured databases have become a common vector for exposing stolen credentials, amplifying the risk of credential-stuffing attacks.
### The Evolution of Authentication: From Passwords to Passkeys
The report traced the decade-long shift in authentication methods, highlighting key milestones:
- Pre-2010: Password managers and MFA were niche tools, primarily used by enterprises.
- 2010–2014: Password managers and 2FA became mainstream but remained optional.
- 2015–2019: Security transitioned from optional to expected, with MFA becoming standard in workplaces.
- 2020–2021: Platforms (browsers, OSes) began automating credential security, reducing user burden.
- 2022–2025: A move toward passwordless authentication, with passkeys and phishing-resistant MFA gaining widespread adoption. Zero Trust architectures and adaptive risk-based authentication are now replacing static password reliance.
### The Core Challenge: Security vs. Usability
Fowler’s research concluded that secure passwords and human memory remain fundamentally incompatible. With the average user managing 168 passwords, convenience often trumps security, leading to weak, reused, or predictable credentials. While forced complexity rules and password managers help, they are not foolproof if users rely on the same patterns or fail to adopt additional protections like MFA.
The leak serves as a reminder that password security is a moving target, requiring both technological advancements (like passkeys) and behavioral shifts to mitigate risks in an era of AI-driven cybercrime.
November 2025: 749
October 2025: 749
September 2025: 749
August 2025: 749
July 2025: 749
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for UCI?
What was UCI's A.I Rankiteo Cyber Score in May 2026?
What was UCI's A.I Rankiteo Cyber Score in April 2026?
What was UCI's A.I Rankiteo Cyber Score in March 2026?
What was UCI's A.I Rankiteo Cyber Score in February 2026?
What was UCI's A.I Rankiteo Cyber Score in January 2026?
What was UCI's A.I Rankiteo Cyber Score in December 2025?
What was UCI's A.I Rankiteo Cyber Score in November 2025?
What was UCI's A.I Rankiteo Cyber Score in October 2025?
What was UCI's A.I Rankiteo Cyber Score in September 2025?
What was UCI's A.I Rankiteo Cyber Score in August 2025?
What was UCI's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on UCI's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with UCI?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view UCI's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?