
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Amatera Stealer

Amatera Stealer is a sophisticated information-stealing malware written in C++ and offered as a malware-as-a-service (MaaS) to cybercriminals. Based on the ACR stealer, it is specifically designed to target sensitive data from browser extensions, password managers, cryptocurrency wallets, email clients, and messaging applications like Signal and WhatsApp. Once it infiltrates a system, Amatera Stealer can bypass browser encryption by injecting malicious code, allowing it to extract cookies, saved passwords, browsing history, and other private information. The malware also seeks out files by specific extensions and keywords related to software wallets and communication tools, significantly increasing the potential for data theft. In addition to stealing information, it can download and execute other malicious files and PowerShell scripts, further compromising the device. Distribution channels include deceptive email campaigns, compromised websites using ClearFake and ClickFix methods, and fake software cracks. Victims face serious risks such as privacy invasion, financial loss, and identity theft, as well as the possibility of ongoing system compromise. Immediate detection and removal are crucial to minimize potential damage from this highly evasive threat.

How to remove Sorillus RAT

Sorillus RAT is a sophisticated, Java-based remote access trojan offered as malware-as-a-service, targeting Windows, macOS, and Linux systems. Cybercriminals behind Sorillus RAT distribute it primarily through phishing emails containing fake invoices, which lure victims into downloading malicious files. Once installed, this RAT provides attackers with extensive control, allowing them to execute commands, manage files and processes, and steal sensitive information such as hardware IDs, operating system details, and user credentials. Its surveillance capabilities include recording webcam and microphone input, capturing screenshots, keylogging, and even reading clipboard contents. Sorillus RAT can also exfiltrate data by compressing and transferring files over HTTP, making it highly effective for data theft operations. Attackers can use the trojan to install additional malware, shut down or reboot infected systems, or even uninstall itself to evade detection. Infections typically remain stealthy, causing little to no visible symptoms, which makes early detection difficult. Users are at risk of financial loss, identity theft, and further compromise if this malware remains active on their devices.

How to remove Sakura RAT

Sakura RAT is a remote access trojan that gives cybercriminals full control over compromised Windows systems. It is distributed largely via GitHub repositories, often hidden in build scripts and project files, and is associated with the financially motivated threat actor "Water Curse." Once installed, it uses anti-detection and anti-analysis techniques such as disabling Microsoft Defender, bypassing User Account Control (UAC), and persisting through scheduled tasks and registry modifications. Sakura RAT harvests a wide range of sensitive data, including system information, network details, browser credentials, messenger data, and data from developer and AI chatbot accounts. It is capable of in-memory payload execution, hidden desktop and browser access, screenshot capture, and theft of stored passwords and cookies. It also attacks recovery options by deleting Volume Shadow Copies and modifying registry keys to block System Restore. Because it produces few visible symptoms, victims are unlikely to notice it, which increases the risk of prolonged data theft and privacy compromise. Its developers update it continually, so future variants may add even more destructive capabilities.

How to remove Midnight Ransomware and decrypt .Midnight files

Midnight Ransomware is a dangerous file-encrypting malware strain from the Babuk ransomware family, first identified among malicious file submissions to VirusTotal. It extorts victims by encrypting every accessible file on an infected system, rendering the data unusable, and then demanding a hefty ransom for restoration. Every encrypted file is renamed with the .Midnight extension appended, so a file named invoice.pdf becomes invoice.pdf.Midnight. The malware typically uses a combination of symmetric and asymmetric encryption, which makes decryption effectively impossible without the private key held on the attackers' remote servers. When encryption finishes, a ransom note named How To Restore Your Files.txt is dropped into the affected folders. It states that the files are locked, threatens permanent data loss or public leaks unless its instructions are followed, and sets a payment deadline of a few days, after which the ransom increases.

How to remove Datarip Ransomware and decrypt .datarip files

Datarip Ransomware is a recent and highly disruptive file-encrypting strain that targets Windows systems and belongs to the notorious MedusaLocker family. Once executed on a victim's device, it scans for documents, images, videos, databases, and many other file types and encrypts them using RSA and AES. It then appends the .datarip extension to every affected file, so a file previously named holiday.jpg becomes holiday.jpg.datarip, a clear signal to the user that the data is being held hostage. To add pressure, the malware changes the desktop wallpaper and drops a ransom note, RETURN_DATA.html, on the desktop and in every folder containing encrypted content, so the victim cannot miss it. The note warns against using third-party recovery tools or renaming or modifying the encrypted files, claiming these actions may corrupt the data irreversibly. The criminals also claim to have exfiltrated sensitive data and threaten to leak or sell it unless the victim makes contact and arranges payment within a strict time frame. Anonymous email addresses are provided for negotiation, and victims are invited to send sample files for "free decryption" as proof that the attackers hold a working key. Datarip's tactics therefore carry a dual risk: permanent data loss and exposure of private data.

How to remove APEX Ransomware and decrypt .Apex files

APEX Ransomware is a highly disruptive strain that targets Windows systems and extorts victims by making their files completely inaccessible with strong encryption. Samples have been spotted by malware researchers and submitted to public repositories such as VirusTotal. It encrypts a wide array of personal and business files and appends the custom extension .Apex to each one, so report.pdf becomes report.pdf.Apex. It also drops a ransom note named APEXNOTE.txt in every folder that holds encrypted files. Like most modern ransomware it likely relies on AES and/or RSA, so unauthorized recovery is practically impossible without the unique decryption key the attackers hold. The note typically demands a payment of $10,000 in Bitcoin through a specified darknet portal and threatens to destroy the decryption tool if the ransom is not paid within 24 hours.

How to remove PANDA Ransomware and decrypt .panda files

PANDA Ransomware is a crypto-malware strain that encrypts victims' files and demands an exorbitant ransom for decryption. On execution it targets a wide array of file types and encrypts them with a strong cipher, believed to be AES or a comparable algorithm. The tell-tale marker of the attack is the .panda extension added to every compromised file; an image named photo.jpg becomes photo.jpg.panda, signaling that the data is now inaccessible. Once encryption is complete, a ransom note named README.txt appears in the directories containing locked files and usually on the desktop as well. It gives explicit instructions: pay $50,000 in Bitcoin within three days through a TOR-hosted payment portal, or lose the data permanently because the decryption key is allegedly destroyed after the deadline. At the same time, the desktop wallpaper is replaced with an alarming message directing the victim to the ransom note for details.

How to remove TXTME Ransomware and decrypt .TXTME files

TXTME Ransomware is a recent and highly disruptive file-locking strain from the notorious Dharma family, which targets Windows systems through malicious email attachments, pirated software, exploit kits, and above all weakly protected RDP services. After gaining access it runs a systematic encryption routine that leaves personal documents, photos, and other files inaccessible without the cryptographic key held by the attackers. Each encrypted file is renamed with a unique victim identifier, the attacker's contact email, and the .TXTME extension; for example, an image file 1.jpg becomes 1.jpg.id-XXXXX.[ownercall@tuta.io].TXTME. The ransomware disables the system firewall, deletes Volume Shadow Copies to block easy recovery, and gains persistence by creating entries under the Windows Run registry keys and copying itself into the user's local application data folder. It also reads location data and skips machines in specific geographic regions, showing both technical sophistication and deliberate target selection. As with the rest of the Dharma/Crysis lineage, it combines asymmetric and symmetric ciphers, so there is no straightforward way to recover the files. Victims are directed by two ransom notes, a desktop pop-up and a dropped TXTME.txt file, to contact the cybercriminals and negotiate payment in Bitcoin for data recovery; both notes warn against renaming the encrypted files or seeking third-party decryption and threaten permanent data loss for non-compliance.
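As an added triage example (not code from BugsFighter or from any of the removal guides above), the following Python script classifies the filenames in a folder listing against the extension and ransom-note indicators given in the summaries for Midnight, Datarip, APEX, PANDA and TXTME, and for the Dharma-style TXTME naming recovers the original filename, victim id and contact address. The indicator table, function names and the sample listing are constructed here; the victim id in the sample is a placeholder, since the page itself shows it only as XXXXX. README.txt on its own is graded as weak evidence because that name is common on clean systems.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator table built from the family summaries on this page: the extension appended
# to encrypted files and the ransom-note filename dropped beside them. Matching is
# case-insensitive because Windows filenames are. README.txt (PANDA) is a very common
# legitimate filename, so a note alone is treated as weak evidence in triage().
FAMILIES = {
    "Midnight (Babuk-based)": {"ext": ".Midnight", "note": "How To Restore Your Files.txt"},
    "Datarip (MedusaLocker)": {"ext": ".datarip",  "note": "RETURN_DATA.html"},
    "APEX":                   {"ext": ".Apex",     "note": "APEXNOTE.txt"},
    "PANDA":                  {"ext": ".panda",    "note": "README.txt"},
    "TXTME (Dharma/Crysis)":  {"ext": ".TXTME",    "note": "TXTME.txt"},
}

# Dharma-style naming as described for TXTME: <original>.id-<victim id>.[<contact>].<EXT>
DHARMA_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Za-z]+)\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass
class Hit:
    family: str
    original_name: str            # name as it was before the appended extension(s)
    victim_id: Optional[str] = None
    contact: Optional[str] = None


def classify(filename: str) -> Optional[Hit]:
    """Map one filename to a family from the table, recovering the pre-encryption name.

    Returns None for names that match none of the listed extensions.
    """
    m = DHARMA_RE.match(filename)
    if m:
        for fam, ind in FAMILIES.items():
            if ind["ext"].lower() == "." + m.group("ext").lower():
                return Hit(fam, m.group("orig"), m.group("vid"), m.group("contact"))
        return None
    lowered = filename.lower()
    for fam, ind in FAMILIES.items():
        ext = ind["ext"].lower()
        # require something before the extension so a bare ".panda" is not a hit
        if lowered.endswith(ext) and len(filename) > len(ext):
            return Hit(fam, filename[: -len(ext)])
    return None


def triage(listing):
    """Classify every name in a folder listing and grade each family's evidence.

    'confirmed'             : files with the extension AND the family's ransom note
    'likely: extension only': encrypted files but no note (may be elsewhere or removed)
    'weak: note only'       : only the ransom-note filename (README.txt is usually benign)
    """
    hits = {}
    for name in listing:
        h = classify(name)
        if h is not None:
            hits.setdefault(h.family, []).append(h)
    present = {n.lower() for n in listing}
    verdicts = {}
    for fam, ind in FAMILIES.items():
        note = ind["note"].lower() in present
        if fam in hits and note:
            verdicts[fam] = "confirmed"
        elif fam in hits:
            verdicts[fam] = "likely: extension only"
        elif note:
            verdicts[fam] = "weak: note only"
    return {"hits": hits, "verdicts": verdicts}


# Constructed folder listing for the example. The victim id is illustrative (the page
# shows it only as XXXXX); the contact address is the one quoted in the TXTME summary.
SAMPLE_LISTING = [
    "invoice.pdf.Midnight",
    "How To Restore Your Files.txt",
    "1.jpg.id-1A2B3C4D.[ownercall@tuta.io].TXTME",
    "TXTME.txt",
    "README.txt",
    "notes.txt",
]

if __name__ == "__main__":
    import os
    import sys
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    result = triage(names)
    for fam, verdict in result["verdicts"].items():
        print(f"{fam}: {verdict}")
        for h in result["hits"].get(fam, []):
            extra = f" (id {h.victim_id}, contact {h.contact})" if h.victim_id else ""
            print(f"  {h.original_name}{extra}")
```

Run it with a folder path to scan a real directory, or with no argument to use the embedded sample. Recovering the original filename only tells you what was encrypted and which guide to follow; as the summaries above make clear, it does not give you a way to decrypt the content without the attackers' key.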