Cyware Daily Threat Intelligence, March 25, 2025


A stealthy browser extension called Rilide has resurfaced with improved evasion capabilities and support for Chrome’s latest extension framework. Disguised as a utility for Google Drive, it quietly collects data, particularly those tied to cryptocurrency wallets. Ongoing campaigns have used lures ranging from fake PowerPoint documents to spoofed Twitter notifications, all aimed at embedding the extension into Chromium-based browsers.

On GitHub, a seemingly innocent coding challenge is being used as a delivery mechanism for malware. A malicious repository targets Polish-speaking developers and installs FogDoor, a backdoor capable of data theft, remote command execution, and persistence. The campaign combines evasion techniques with quiet harvesting of sensitive information.

Kubernetes environments are facing serious risk after the discovery of IngressNightmare - a collection of five critical flaws in the Ingress NGINX Controller. These bugs open the door to unauthenticated remote code execution and expose thousands of clusters to full compromise. In the wrong hands, these vulnerabilities could allow attackers to exfiltrate secrets across all namespaces, effectively granting full control over affected clusters.

Top Malware Reported in the Last 24 Hours

Malware campaigns abuse .NET MAUI

Cybercriminals are using the .NET MAUI cross-platform development framework to build malware that evades detection by posing as legitimate apps and steals sensitive information from their users. The malware keeps its core functionality in C# code stored as blob binaries, which antivirus solutions do not typically analyze. Two examples of such malware include a fake bank app targeting Indian users and a fake SNS app targeting Chinese-speaking users. Both apps use various techniques to evade detection, such as hiding code blobs within assemblies, multi-stage dynamic loading, encrypted communications, and excessive obfuscation.

Beware of this browser extension!

Updated versions of the malicious browser extension Rilide have been observed. Rilide, first reported in April 2023, targets Chromium-based browsers like Google Chrome and Microsoft Edge, and is designed to steal sensitive information such as screenshots, passwords, and credentials for cryptocurrency wallets. It infiltrates systems through malicious advertisements or phishing pages, often impersonating well-known extensions like Google Drive and Palo Alto. Rilide has been distributed through various campaigns, including PowerPoint Lure, Twitter Lure, and Mixed Campaign. The newer versions of Rilide work with Chrome Extension Manifest V3 and have been adapted to avoid detection. The extension masquerades as a Google Drive utility but interacts with cookies, clipboard data, and system information.

Malware campaign poses fake coding challenges

A GitHub repository named FizzBuzz is being used to distribute an info-stealer disguised as a recruitment challenge, targeting Polish-speaking developers in particular. The repository contains an ISO file that holds a JavaScript exercise and a malicious LNK shortcut. When the LNK file is executed, it runs a PowerShell script that installs a backdoor called FogDoor, which is designed for data theft, remote command execution, and persistence while avoiding detection. The malware communicates with a social media platform via a Dead Drop Resolver (DDR) technique to retrieve attack commands and uses geofencing to restrict execution to Polish victims. The malware systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces. The malware also uses remote debugging to extract Chrome cookies and harvests Firefox credentials from profile directories.
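As an added example (not code from the briefing or from the FogDoor campaign), the detection below flags process-creation events matching the chain described above: PowerShell launched from Explorer with hidden-window, policy-bypass and run-file switches (the LNK stage), and a Chromium browser started with a remote-debugging switch, the mechanism used to lift Chrome cookies. The log format and sample events are constructed; the Chromium and PowerShell switches are real, and treating explorer.exe as the parent of a double-clicked LNK's PowerShell is an assumption.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Chromium switches that expose the DevTools protocol; a process driving the browser
# through them can read live session cookies without touching the cookie database.
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
# Hidden-window, policy-bypass, run-a-.ps1 PowerShell switches.
HIDDEN_PS = re.compile(r"-(w|windowstyle)\s+hidden", re.IGNORECASE)
BYPASS_PS = re.compile(r"-(ep|executionpolicy)\s+bypass", re.IGNORECASE)
RUN_FILE_PS = re.compile(r"-(f|file)\s+\S+\.ps1", re.IGNORECASE)

# Constructed sample events, not real telemetry: timestamp|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-03-25T09:00:01|explorer.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
2025-03-25T09:00:07|explorer.exe|powershell.exe|powershell.exe -w hidden -ep bypass -f E:\FizzBuzz\setup.ps1
2025-03-25T09:00:09|powershell.exe|chrome.exe|chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Users\dev\AppData\Local\Google\Chrome\User Data
2025-03-25T09:15:00|explorer.exe|msedge.exe|msedge.exe --remote-debugging-port=9229
2025-03-25T09:20:00|cmd.exe|powershell.exe|powershell.exe -Command Get-Date
"""


def parse_event(line):
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def classify(ev):
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    if ev["image"] in BROWSERS and REMOTE_DEBUG.search(ev["cmd"]):
        # Remote debugging is rare outside developer workstations; a scripting-host
        # parent or --headless makes it look like automated cookie harvesting.
        scripted = ev["parent"] in SCRIPT_HOSTS or "--headless" in ev["cmd"].lower()
        hits.append("browser_remote_debugging_scripted" if scripted else "browser_remote_debugging")
    if ev["image"] in {"powershell.exe", "pwsh.exe"} and ev["parent"] == "explorer.exe":
        # Assumption: the .lnk is double-clicked in Explorer and targets PowerShell
        # directly, so explorer.exe is the parent of the hidden/bypass/file invocation.
        if all(p.search(ev["cmd"]) for p in (HIDDEN_PS, BYPASS_PS, RUN_FILE_PS)):
            hits.append("powershell_hidden_bypass_from_explorer")
    return hits


def scan(log_text):
    """Run every rule over each non-empty log line and collect findings in order."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        findings.extend({"ts": ev["ts"], "image": ev["image"], "rule": r} for r in classify(ev))
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields three findings: the Explorer-spawned hidden PowerShell, the headless Chrome with a debugging port launched by PowerShell, and the Edge instance with a debugging port but a benign parent, which is the lower-confidence hit a developer machine might legitimately produce.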

Top Vulnerabilities Reported in the Last 24 Hours

Flaws in Ingress NGINX Controller for Kubernetes

A set of five critical security vulnerabilities, collectively named IngressNightmare, has been discovered in the Ingress NGINX Controller for Kubernetes. These vulnerabilities could lead to unauthenticated remote code execution, potentially putting over 6,500 clusters at risk where the component is exposed to the public internet. The vulnerabilities, assigned a CVSS score of 9.8, could allow attackers unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, leading to a potential cluster takeover. The issues stem from the admission controller component of the Ingress NGINX Controller being accessible over the network without authentication.

PoC released for Linux bug

A significant vulnerability, CVE-2025-0927, has been discovered in the Linux kernel, primarily affecting Ubuntu 22.04 users. This heap overflow in the HFS+ file system driver has been present in the Linux kernel since 2005 and could potentially allow an attacker to escalate local privileges. The vulnerability impacts the Linux Kernel up to version 6.12.0 and Ubuntu 22.04 with Linux Kernel 6.5.0-18-generic. An attacker can exploit this vulnerability by mounting a specially crafted file system.
