Security Affairs Malware Newsletter Round 42: Critical Updates on Global Cyber Threats

TL;DR

The Security Affairs Malware Newsletter Round 42 provides a comprehensive overview of the latest malware threats and cybersecurity research. Key highlights include malicious NPM packages targeting PayPal users, the emergence of new malware variants like ResolverRAT, and advanced threat techniques such as BPFDoor’s hidden controller. The newsletter also covers phishing campaigns, AI-assisted malware analysis, and ransomware detection methods.

Introduction

The Security Affairs Malware Newsletter Round 42 offers a curated selection of the most impactful articles and research on malware from around the world. This edition includes critical updates on various cyber threats, from malicious NPM packages to advanced persistent threats (APTs).

Latest Malware Threats

Malicious NPM Packages Targeting PayPal Users

A recent report by Fortinet highlights the discovery of malicious NPM packages designed to target PayPal users. These packages are distributed through the NPM registry and aim to steal sensitive information from unsuspecting victims. Read more

New Malware Variant: ResolverRAT

Morphisec has identified a new malware variant called ResolverRAT. This sophisticated malware is designed to evade detection and complicate analysis, making it a significant threat to cybersecurity. Read more

Cryptocurrency Theft via WhatsApp

Dr.Web reports on a new scheme involving cheap Android smartphones and WhatsApp, leading to cryptocurrency theft. This highlights the growing trend of cybercriminals targeting mobile devices for financial gain. Read more

BPFDoor’s Hidden Controller

Trend Micro discusses the use of BPFDoor’s hidden controller against targets in Asia and the Middle East. This advanced malware uses sophisticated techniques to remain undetected. Read more

Gorilla: Newly Discovered Android Malware

Catalyst has discovered a new Android malware named Gorilla. This malware is designed to steal sensitive information from infected devices. Read more

Advanced Threat Techniques

Cascading Shadows: Complex Attack Chains

Palo Alto Networks details a complex attack chain used by cybercriminals to avoid detection and complicate analysis. This technique involves multiple stages of infection and data exfiltration. Read more

IronHusky Updates MysterySnail RAT

Kaspersky reports on the IronHusky group updating the MysterySnail RAT to target Russia and Mongolia. This updated malware includes new features designed to evade detection. Read more

XorDDoS: New Controller and Infrastructure

Cisco Talos unmasks the new XorDDoS controller and infrastructure, revealing how this malware is used to launch distributed denial-of-service (DDoS) attacks. Read more

Phishing and Social Engineering

Fake PDF Converters Stealing Documents

CloudSEK reports on the use of fake PDF converters to steal more than just documents. These malicious tools are designed to trick users into downloading malware. Read more

Renewed APT29 Phishing Campaign

Check Point Research highlights a renewed phishing campaign by APT29 targeting European diplomats. This campaign uses sophisticated social engineering techniques to trick victims into revealing sensitive information. Read more

Emerging Threats and Techniques

Multi-Platform APT Attacks

Seqrite discusses the shift from HTA to MSI in multi-platform APT attacks. This change in tactics, techniques, and procedures (TTPs) allows attackers to target multiple operating systems. Read more

Slow Pisces: Targeting Developers

Palo Alto Networks reports on Slow Pisces, a new malware that targets developers with coding challenges and introduces new customized Python malware. Read more

Misuse of Node.js for Malware Delivery

Microsoft Security Blog discusses how threat actors are misusing Node.js to deliver malware and other malicious payloads, highlighting the need for vigilance in software supply chains. Read more

State-Sponsored Cyber Attacks

Mustang Panda’s Arsenal

Zscaler provides an in-depth, two-part analysis of Mustang Panda’s arsenal, including tools like ToneShell, StarProxy, PAKLOG, CorKLOG, and SplatCloak. These tools are used in state-sponsored cyber attacks. Read more (Part 1). Read more (Part 2).

State-Sponsored Actors and ClickFix

Proofpoint discusses how state-sponsored actors are using ClickFix to target victims around the world, highlighting the global reach of these threats. Read more

AI and Machine Learning in Cybersecurity

Large Language Model (LLM) for Software Security

A recent arXiv paper explores the use of large language models (LLMs) for software security, including code analysis, malware analysis, and reverse engineering. Read more

AI-Assisted Malware Analysis

Another arXiv paper discusses the use of AI in malware analysis, specifically with the tool R2AI. This highlights the growing role of AI in cybersecurity. Read more

Ransomware Detection Using Machine Learning

MDPI publishes a study on a machine learning-based ransomware detection method that uses format-preserving encryption to neutralize attackers’ techniques. Read more

AOAFS: Malware Detection System

MDPI also reports on AOAFS, a malware detection system using an improved arithmetic optimization algorithm. This system aims to enhance the accuracy and efficiency of malware detection. Read more

Conclusion

The Security Affairs Malware Newsletter Round 42 provides a comprehensive overview of the latest malware threats and cybersecurity research. As cyber threats continue to evolve, it is crucial for organizations and individuals to stay informed and proactive in their defense strategies.

Follow Us

Stay updated with the latest cybersecurity news and insights by following Security Affairs on Twitter, Facebook, and Mastodon. For more information, visit SecurityAffairs and connect with Pierluigi Paganini.

This post is licensed under CC BY 4.0 by the author.