Cache Me Out

Technology on the move.

                        <article>
  • Security researchers uncover new flaw in WinRAR
  • The flaw allowed threat actors to bypass Mark of the Web and deploy malware to Windows devices without warning
  • WinRAR released a new version to fix the bug, so update now

Experts have uncovered a flaw in WinRAR which could allow threat actors to bypass the Mark of the Web (MotW) and deploy malware on people’s computers.

The vulnerability, discovered by Japanese researcher Shimamine Taihei of Mitsui Bussan Secure Directions, is tracked as CVE-2025-31334 and carries a CVSS score of 6.8 (medium).

MotW is a Windows mechanism for tracking where a file came from: when a browser or mail client saves a file from the internet, it attaches a Zone.Identifier alternate data stream to the file on NTFS, and Windows components such as SmartScreen and the Attachment Manager use that tag to warn before an executable is run. Archivers are expected to propagate the tag to the files they extract, so a bug in that propagation lets an executable that arrived inside an archive run with no warning at all.


“If a symlink pointing at an executable was started from the WinRAR shell, the executable's Mark of the Web data was ignored,” WinRAR said in its description of the vulnerability.

A symlink (short for symbolic link) is a file-system object that points at another file or folder rather than holding a copy of it. An attacker could therefore ship an archive containing a symlink that points at an executable carrying MotW; if the victim launched that symlink from inside WinRAR's file list, the tag on the target was never checked and no warning appeared. One practical limit: creating symbolic links on Windows normally requires administrator rights or Developer Mode, so the attacker-supplied link cannot be created on every system.
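The check a defender wants after any extraction is whether the archiver actually propagated the tag. The script below is an added example, not code from the article or from WinRAR: it parses the INI-style text Windows stores in the Zone.Identifier stream (the format and zone numbers are standard Windows behaviour), reads that stream off a file on NTFS, and walks an extraction directory flagging files with no tag and symlinks, which are exactly the objects the WinRAR bug mishandled. The sample stream content in the demo is constructed; the stream reader only works on Windows, while the parser and the audit logic are portable.

```python
"""Audit files extracted from an archive for the Mark of the Web (MotW).

Added example; not from the article or from WinRAR. On NTFS, Windows stores
MotW as an alternate data stream named Zone.Identifier containing INI text:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/
    HostUrl=https://example.test/tool.zip

ZoneId 3 (Internet) and 4 (Restricted) are the values that make SmartScreen
and the Attachment Manager warn before an executable runs.
"""
from pathlib import Path
from typing import Optional

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}
STREAM_SUFFIX = ":Zone.Identifier"   # ADS name used by Windows for MotW


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier stream text. ZoneId is returned as an int,
    other keys (ReferrerUrl, HostUrl, ...) as strings. Unknown sections
    and comment lines are ignored."""
    result: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        result[key] = int(value) if key == "ZoneId" and value.isdigit() else value
    return result


def is_internet_marked(zone: dict) -> bool:
    """True when the tag would trigger a Windows warning on execution."""
    return zone.get("ZoneId") in (3, 4)


def read_motw(path) -> Optional[dict]:
    """Read and parse the Zone.Identifier stream of a file.
    Returns None when the stream is absent (untagged file) or cannot be
    opened; on non-NTFS systems this is always None."""
    try:
        with open(str(path) + STREAM_SUFFIX, "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def audit_extracted(directory) -> list:
    """Walk an extraction directory and return (path, finding) pairs for
    anything that should not be launched without a second look."""
    findings = []
    for p in Path(directory).rglob("*"):
        if p.is_symlink():
            # A link carries its own (usually absent) tag, not the target's;
            # this is the object class the WinRAR bug mishandled.
            findings.append((str(p), "symlink: tag on the link is not the "
                                     "target's, treat target as untrusted"))
            continue
        if not p.is_file():
            continue
        zone = read_motw(p)
        if zone is None:
            findings.append((str(p), "no Zone.Identifier stream: archiver "
                                     "did not propagate MotW"))
        elif not is_internet_marked(zone):
            name = ZONE_NAMES.get(zone.get("ZoneId"), "unknown")
            findings.append((str(p), f"zone {zone.get('ZoneId')} ({name}): "
                                     "will run without a warning"))
    return findings


if __name__ == "__main__":
    import sys
    # Constructed sample stream, as Windows would write it for a download.
    sample = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://example.test/\r\n"
              "HostUrl=https://example.test/tool.zip\r\n")
    print("parsed sample:", parse_zone_identifier(sample))
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, finding in audit_extracted(target):
        print(f"{path}: {finding}")
```

Run it against the folder an archive was just extracted into; on a correctly behaving archiver every extracted file should parse with ZoneId 3, and any symlink or untagged executable in the listing is the case worth investigating before double-clicking anything.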

The vulnerability affects all WinRAR versions before 7.11, which fixes it and is now available for download.

Ever since Mark of the Web was introduced, cybercriminals have been looking for different ways to bypass it and deliver malware without warning.

In January 2025, 7-Zip disclosed a fix for a similar flaw, tracked as CVE-2025-0411 and rated high severity at 7.0, in which files extracted from an archive nested inside another archive lost the MotW tag. Earlier still, in 2022, researchers found a password-protected .ZIP file with an .ISO file inside that was able to bypass MotW.

To mitigate the risk, users should always keep their archivers up to date, and be vigilant when downloading files from the internet.

Via BleepingComputer


                                                        </article>

Source: Still using WinRAR? It has a worrying security flaw that could let hackers hijack your Windows device

                        <article>
  • Researchers found three malicious PyPI packages, two targeting bitcoin developers and one targeting WooCommerce stores
  • Two are designed to steal data, and the third to test for valid credit cards
  • All three have since been removed from the repository

Multiple packages on the Python Package Index (PyPI) repository were found to be malicious, and their combined download counts run into the tens of thousands, experts have warned.

Cybersecurity researchers at ReversingLabs found two malicious packages, “bitcoinlibdbfix” and “bitcoinlib-dev”, which cumulatively have around 2,000 downloads.

They claim to be a fix for a legitimate Python module named “bitcoinlib”, which contains features for creating and managing cryptocurrency wallets.


WooCommerce stores also under attack

Recently, the bitcoinlib community discussed an issue related to how the package generates error messages.

The crooks saw this as an opportunity, created the two malicious packages and jumped into the conversation in an attempt to distribute them as a "fix". It doesn’t seem to have worked: “The malicious content of that library was detected by the package contributors and the comments were deleted,” ReversingLabs said.

Both libraries attempted a similar attack, the researchers further explained. The idea was to overwrite the legitimate ‘clw’ command-line wallet tool that ships with bitcoinlib with malicious code that exfiltrates sensitive wallet database files.
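Two things stand out in this attack for anyone auditing a Python environment: package names that are "fix" or "dev" variants of a real project, and a second distribution quietly claiming the same console script name as the real one. The script below is an added example and not code from ReversingLabs or from bitcoinlib; it flags both patterns. The entry-point targets in the demo data are constructed for illustration, and the list of trusted names is an assumption the operator supplies.

```python
"""Flag look-alike package names and console-script collisions in an
installed Python environment. Added example; not from the article,
ReversingLabs or bitcoinlib. The demo data below is constructed."""
from collections import defaultdict
from importlib import metadata
import re


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'BitcoinLib_dev' == 'bitcoinlib-dev'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_lookalikes(installed: list, trusted: list) -> list:
    """Return (installed_name, trusted_name) pairs where an installed
    distribution is a prefix/suffix variant of a trusted one, e.g.
    'bitcoinlibdbfix' or 'bitcoinlib-dev' against 'bitcoinlib'."""
    hits = []
    trusted_norm = {normalize(t): t for t in trusted}
    for name in installed:
        n = normalize(name)
        for t_norm, t in trusted_norm.items():
            if n != t_norm and (n.startswith(t_norm) or n.endswith(t_norm)):
                hits.append((name, t))
    return hits


def find_script_collisions(scripts: list) -> dict:
    """scripts: (distribution, script_name, target) triples.
    Return {script_name: [(distribution, target), ...]} for every script
    name claimed by more than one distribution. Two packages fighting over
    one name means the last one installed wins on PATH."""
    by_name = defaultdict(list)
    for dist, script, target in scripts:
        by_name[script].append((dist, target))
    return {s: owners for s, owners in by_name.items()
            if len({d for d, _ in owners}) > 1}


def collect_console_scripts() -> list:
    """Walk installed distributions and collect their console_scripts
    entry points as (distribution, script_name, target) triples.
    Uses only importlib.metadata, so it works on Python 3.8+."""
    found = []
    for dist in metadata.distributions():
        dist_name = dist.metadata["Name"] or "?"
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                found.append((dist_name, ep.name, ep.value))
    return found


def installed_names() -> list:
    return [d.metadata["Name"] for d in metadata.distributions()
            if d.metadata["Name"]]


if __name__ == "__main__":
    # Constructed demo data mirroring the shape of the incident.
    demo_scripts = [
        ("bitcoinlib", "clw", "bitcoinlib.tools.clw:main"),        # assumed target
        ("bitcoinlibdbfix", "clw", "bitcoinlibdbfix.cli:main"),     # constructed
        ("pip", "pip", "pip._internal.cli.main:main"),
    ]
    print("demo collisions:", find_script_collisions(demo_scripts))
    print("demo lookalikes:", flag_lookalikes(
        ["bitcoinlibdbfix", "bitcoinlib-dev", "bitcoinlib", "requests"],
        ["bitcoinlib"]))
    # Real environment: trusted list is the operator's own assumption.
    print("live collisions:", find_script_collisions(collect_console_scripts()))
    print("live lookalikes:", flag_lookalikes(installed_names(), ["bitcoinlib"]))
```

The collision check is the more reliable signal of the two: a look-alike name is only suspicious relative to a list you maintain, whereas two distributions shipping the same console script is almost never intended and is precisely how a malicious package swaps itself in for a tool the developer already runs.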

At the same time, researchers from Socket found a third package, which doesn’t target bitcoin developers, but rather WooCommerce stores. Furthermore, this package doesn’t even try to hide its true intentions, and instead is “openly malicious”. Despite being obvious malware, it still managed to rake in 37,217 downloads.

The malware is called “disgrasya” and works as a fully automated carding script. "The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic," Socket said.

Carding is a type of cybercrime where stolen credit card information is used to make unauthorized purchases or test if the card is still active. Since criminals often buy these card details from the dark web, whoever built and distributed disgrasya could have profited greatly from it.

Via The Hacker News


                                                        </article>

Source: Malicious Python packages are stealing vital data, and have been downloaded thousands of times already

                        <article>
  • Hackers are targeting business CRM accounts to steal mailing lists
  • The stolen lists are used to send spam that tricks recipients into setting up crypto wallets from an attacker-supplied seed phrase
  • The goal is to drain those wallets, so be on your guard

Hackers are stealing mailing lists from major companies and using them to break into people’s cryptocurrency wallets and snatch their funds.

A new report from cybersecurity researchers Silent Push, who dubbed the campaign ‘PoisonSeed’, outlines how the criminals first set up spoofed landing pages for companies such as Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, and others. These pages harvest login credentials, which let the criminals sign in to the victims' mailing-service accounts and exfiltrate any mailing lists they hold.

They then send emails to those lists, impersonating the companies and urging recipients to set up a new Coinbase Wallet using the seed phrase embedded in the email. A seed phrase is a series of 12 to 24 words that a wallet generates locally and that gives access to the funds inside. It acts as a master key, so anyone who knows it can restore the wallet and control the cryptocurrency it holds; a seed phrase supplied by someone else is, by definition, a wallet that someone else already controls.


Seed phrase poisoning attack

"Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push explained.

"As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising."

Once users set up new wallets, and top them up with their funds, the criminals can simply send the money elsewhere, which is a permanent loss for the victims.

The researchers believe the campaign is the work of two “loosely aligned” threat actors, called Scattered Spider, and CryptoChameleon, both of which are reportedly part of a broader cybercrime ecosystem called The Com.

Since cryptocurrency is permissionless and decentralized, once the funds are sent from one wallet to another, the only way to retrieve them is to have the other side send the money back.

In 2024, the US government seized tens of millions of dollars' worth of crypto as part of a broader investigation into market manipulation, theft, fraud, and more.

Via The Hacker News


                                                        </article>

Source: PoisonSeed campaign hijacks business CRM and email accounts to send out huge amounts of spam

Despite the stealthy nature of spyware, security researchers keep detecting Pegasus spyware attacks in part because of sloppy 'operational security.'