#LummaStealer
The YARA rule tells me right away when I open a binary obfuscated with this tool.

6 signed files in the Cert Graveyard matched:
LummaStealer x5
Winos (?) x1
(was fake Skype installer, MD5: 0334b5a572b650340f5c003e92602a41)

github.com/Squiblydo...
5/5
100DaysofYARA/Squiblydoo/Day3.yara at main · Squiblydoo/100DaysofYARA
Rules shared by the community from 100 Days of YARA 2026 - Squiblydoo/100DaysofYARA
github.com
January 3, 2026 at 3:11 PM
2026-01-01 (Thursday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the #Lumma #Stealer files, and a list of IOCs are available at www.malware-traffic-analysis.net/2026/01/01/i...
January 1, 2026 at 9:43 PM
2025-12-30 (Tuesday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the associated #Lumma with follow-up #malware samples, and some IOCs are available at www.malware-traffic-analysis.net/2025/12/30/i...
December 31, 2025 at 5:37 AM
Malicious Software Compromises 26000 Devices Across New Zealand #CredentialTheft #LummaStealer #malware
Malicious Software Compromises 26000 Devices Across New Zealand
According to New Zealand's National Cyber Security Centre, thousands of devices have been infected with malware, highlighting the persistent risk posed by credential-stealing cybercrime and prompting the agency to notify individuals after an exposure. The agency has emailed about 26,000 people, advising them to visit the Own Your Online portal for instructions on how to remove malicious software from their accounts and strengthen their account security. According to NCSC Chief Operating Officer Michael Jagusch, the alerts relate to Lumma Stealer, a prominent strain of malware targeting Windows-based devices. The malware can be used to facilitate identity theft or fraud by covertly harvesting sensitive data such as email addresses and passwords. Officials noted that Lumma Stealer and other information-stealing tools remain part of an international cybercrime ecosystem that continues to grow, so users should remain vigilant and take proactive security measures to protect themselves. The National Cyber Security Centre, part of the Government Communications Security Bureau, assessed that the malicious activity may have affected approximately 26,000 email addresses nationwide. In a statement published on Wednesday, the U.S. Department of Homeland Security warned that the malware involved in the incident, Lumma Stealer, is designed to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems. As the NCSC noted, the threat primarily targets Windows-based devices, and cybercriminals use it to facilitate identity fraud and financial fraud.
The incident thus highlights the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data. The issue was discovered through the National Cyber Security Centre's cyber intelligence partnerships; the agency first worked with government bodies and financial institutions to alert a segment of those affected before expanding the effort to notify the public. NCSC Chief Operating Officer Michael Jagusch said the centre has now moved to a broader direct-contact approach, the first time it has undertaken public outreach of this sort on such a large scale. He pointed out that the notifications are genuine and come from the official email address no-reply@comms.ncsc.govt.nz, which helps recipients distinguish legitimate messages from fraudulent ones. A recent BNZ survey indicates similar exposure across small and medium businesses, in line with the current campaign targeting households and individuals. The research reveals that 65% of small and medium-sized businesses believe scam activity targeting their businesses has increased over the past year; however, 45% of these businesses do not place a high priority on scam awareness or cyber education, despite the fact that their employees routinely handle emails, payment information and customer information. Approximately half of surveyed SMEs reported that they had been scammed in the last 12 months, many of them by clicking links, opening attachments, or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals are increasingly exploiting human behaviour rather than technical flaws, targeting business owners and employees in their daily work.
A substantial number of small business owners reported losses following breaches: 21% reported business financial losses, 26% a personal financial loss and 30% data compromise, with consequences extending beyond business accounts. According to Miller, the average loss was over $5,000, demonstrating that scammers attempt to steal not only company funds but also personal information and sensitive business data for financial fraud. The National Cyber Security Centre, housed within the Government Communications Security Bureau, is the country's primary authority for helping individuals and organisations reduce their cyber risk. Its work rests on three core functions: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate to combat the most serious and harmful cyber threats through the deployment of its specialist capability. The NCSC also owns the Own Your Online platform, a central part of this initiative, which provides practical tools, guidance and resources designed to make cybersecurity accessible to householders, small businesses and nonprofit organisations, along with clear advice on prevention and what to do when an incident occurs. The incident serves as a timely reminder of the increasing sophistication and reach of modern cybercrime, and of the shared responsibility to limit its effects on society.
Experts continue to emphasise the importance of basic security hygiene, including strong, unique passwords, multi-factor authentication wherever possible, and keeping operating systems and software up to date. Users are also advised to remain cautious of unexpected emails or messages, even when they appear to come from trusted sources, and to communicate exclusively through official channels to avoid confusion. The focus remains on raising awareness and improving resilience among individuals and organisations, and on improving collaboration between the authorities and the business and financial sector. Agencies have adopted an approach that encourages early detection, clear communication and practical guidance, aimed at reducing immediate harm while fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.
dlvr.it
December 18, 2025 at 2:18 PM
Beware of Lumma Stealer malware exploiting browser fingerprinting to steal sensitive data. Stay vigilant and protect your systems. #CyberSecurity #MalwareAlert #LummaStealer Link: thedailytechfeed.com/lumma-steale...
November 15, 2025 at 4:38 PM
Lumma Stealer evolves with adaptive fingerprinting and browser injection for evasion and credential theft.

#browser #LummaStealer #TrendMicro
www.matricedigitale.it/2025/11/15/l...
November 15, 2025 at 10:04 AM
~Trendmicro~
Lumma Stealer malware has resurged, adding browser fingerprinting to its C2 tactics for improved evasion and targeting.
-
IOCs: pabuloa. asia, jamelik. asia
-
#InfoStealer #LummaStealer #ThreatIntel
Lumma Stealer Adds Browser Fingerprinting
www.trendmicro.com
November 13, 2025 at 12:34 PM
[Urgent / Alert] [Security]
Inflated view counts, likes from alternate accounts, unnatural praise and lure links
The shocking tactics and full disguise behind the removal of 3,000 malicious videos

A clear and thorough explanation of the details! Watch here 👇
www.youtube.com/watch?v=xwHq...

The shocking tactics that led to the removal of 3,000 malicious videos and the full details of the fraud

YouTube GhostNetwork LummaStealer Rhadamanthys
[Alert] Inflated view counts, likes from alternate accounts, praise in the comment section. The tactics and full disguise behind the removal of 3,000 malicious videos (YouTube/Ghost Network) [Security]
YouTube video by 情報の灯台【パソコン】ソース有り
www.youtube.com
October 25, 2025 at 9:14 AM
Rival hackers have doxxed the alleged operators behind #LummaStealer, one of the biggest data-theft malware services. The leaks have caused internal chaos and slowed its growth.

Read: hackread.com/rival-hacker...

#CyberSecurity #Malware #InfoStealers #InfoSec #CyberCrime
Rival Hackers Dox Alleged Operators of Lumma Stealer
hackread.com
October 22, 2025 at 4:05 PM
The doxxing of Water Kurita has destabilised Lumma Stealer, reducing its operations and reshaping the underground malware market.

#doxxing #INFOSTEALER #LummaStealer #malware #WaterKurita
www.matricedigitale.it/2025/10/16/w...
October 16, 2025 at 2:28 PM
TA585 uses MonsterV2 for targeted attacks against financial companies, controlling the entire infection chain with advanced RATs, stealers and loaders.

#ClickFix #LummaStealer #MonsterV2 #Proofpoint #Rhadamanthys #TA585
www.matricedigitale.it/2025/10/14/t...
October 14, 2025 at 7:37 AM
2025-10-01 (Wed) I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at www.malware-traffic-analysis.net/2025/10/01/i...

This is from a file disguised as a cracked version of software, and I usually see #LummaStealer from this.
October 6, 2025 at 6:52 PM
LummaStealer Technical Details uncovered using ML-Based Detection Approach:

cybersecuritynews.com/lummastealer...
September 29, 2025 at 6:16 AM
2025-09-24 (Wednesday): #LummaStealer infection with follow-up malware, possibly #Ghostsocks or #GoBackdoor. A #pcap of the infection traffic, malware samples, and list of indicators available at www.malware-traffic-analysis.net/2025/09/24/i...
September 28, 2025 at 1:51 AM
LummaStealer Technical Details Uncovered Using ML-Based Detection Approach
cybersecuritynews.com
September 27, 2025 at 8:01 AM
Cybercriminals Hide Malware in Trusted Tools and File Formats, HP Wolf Security Warns #HPWolfSecurityreport2025 #Livingoffthelandattacks #LummaStealer
Cybercriminals Hide Malware in Trusted Tools and File Formats, HP Wolf Security Warns
Attackers are increasingly disguising malicious activity inside everyday business tools and file formats that employees and IT teams typically trust. According to the latest HP Wolf Security Threat Insights Report (Q2 2025), threat actors are refining their strategies to blend in with legitimate processes, making it more difficult for security defenses to keep up.

One of the standout campaigns observed in Q2 2025 involved the XWorm remote access trojan (RAT). Instead of deploying custom malware directly, attackers chained together several built-in Windows utilities. These “living off the land” binaries were used to run commands, transfer files, and decode hidden malware, all while evading many security alerts. The final XWorm payload was concealed inside the pixels of a genuine image from a trusted website. Attackers then used PowerShell scripts to extract the hidden code, with MSBuild executing the malware. Once complete, attackers gained full remote access and data-stealing capabilities using only tools already present on the system.

“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack… Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” explained Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.

Phishing emails continue to dominate, accounting for 61% of threats reaching endpoints. Attackers are exploiting document formats to trick victims:
* Invoice-themed campaigns used SVG attachments imitating Adobe Acrobat, complete with animations, before luring users into downloading malware. The attack installed a lightweight reverse shell, enabling remote execution and data theft.
* PDF-based lures displayed blurred invoices and download prompts, ultimately dropping a malicious Visual Basic Encoded script hidden in a ZIP archive. This technique stored malware components in the Windows Registry, making detection harder. Victims were infected with MassLogger, a credential stealer, and in some French cases, a secondary RAT named ModiRAT.

Attackers are also reviving outdated file formats to bypass detection. Compiled HTML Help (.chm) files, once used for Windows manuals, are being weaponized with embedded scripts to deliver multi-stage infections, often leading to XWorm. Shortcut files (LNKs) disguised as PDFs inside phishing ZIPs were also spotted. Instead of opening documents, the shortcuts launched malicious code that installed the Remcos RAT. In some campaigns, attackers even embedded payloads inside obsolete Program Information File (PIF) formats to further reduce suspicion.

Despite a major international takedown in May 2025, the Lumma Stealer malware resurfaced just a month later with fresh infrastructure. Attackers distributed it through IMG archives attached to phishing emails. When opened, these acted as virtual drives containing an HTML Application file disguised as an invoice. This eventually executed obfuscated PowerShell scripts, running Lumma Stealer in memory and bypassing disk-based security tools.

The findings underline how cybercriminals exploit trusted tools, realistic lures, and legacy file formats to bypass security. Traditional detection methods based on file signatures are no longer enough. Defense strategies must instead focus on monitoring behavior, persistence techniques, and system tool abuse.

“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods… You don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” said Alex Holland, Principal Threat Researcher, HP Security Lab.
dlvr.it
September 17, 2025 at 5:45 PM
🚨 WhiteCobra campaign uncovered 🚨
⚠️ 24+ malicious extensions uploaded to VSCode, Cursor & Windsurf
⚠️ Fake branding + inflated reviews
⚠️ LummaStealer malware draining wallets & stealing credentials
💬 Should marketplaces vet extensions more rigorously?

#CyberSecurity #WhiteCobra #VSCode
September 16, 2025 at 9:56 AM
WhiteCobra infiltrates 24 VSCode and Cursor extensions with LummaStealer, stealing crypto and secrets. The campaign, the zak.eth case, and technical defenses.

#Cursor #Lumma #LummaStealer #OpenVSX #VSCode #WhiteCobra
www.matricedigitale.it/2025/09/15/w...
September 15, 2025 at 3:32 PM
Week of 6-12 September: in Italy Lumma Stealer dominates, 532 IoCs shared, spoofing scam foiled in Cuneo. Focus on finance and public administration.

#CERTAgID #LummaStealer #phishing #PoliziadiStato #spoofing
www.matricedigitale.it/2025/09/13/l...
September 13, 2025 at 4:28 PM
🚨 New #LummaStealer update (10.09) :
1️⃣ Bulk Google token recovery (Corporate plan)
2️⃣ Improved single Google token recovery (Professional plan)
3️⃣ Enhanced cleaning for Win10/11 + Cloud
#infosec #threatintel #DarkWeb
September 11, 2025 at 6:23 AM
Check out the infrastructure movement of this #LummaStealer domain over the last 30 days... 👀

• 14 unique IP addresses
• 9 unique ASNs
• Mix of bulletproof hosting providers and "regular" cloud providers
• IPs are typically linked to dozens of domains at a time
September 10, 2025 at 4:51 PM
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
September 3, 2025 at 6:23 PM
2025-09-03 (Wednesday): #Kongtuke fake CAPTCHA page leads to #ClickFix style script for #LummaStealer

A #pcap of the infection traffic, the associated malware, and IOCs are at www.malware-traffic-analysis.net/2025/09/03/i...
September 3, 2025 at 6:13 PM