In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows users’ data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victims’ devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods.

Here’s how the attackers are spreading the stealer, and how you can protect yourself.

How Stealka spreads

A stealer is a type of malware that collects confidential information stored on the victim’s device and sends it to the attackers’ server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.

Here’s an example: a malicious Roblox mod published on SourceForge.

Attackers exploited SourceForge, a legitimate website, to upload a mod containing Stealka

And here’s one on GitHub posing as a crack for Microsoft Visio.

A pirated version of Microsoft Visio containing the stealer, hosted on GitHub

Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss.

A fake website pretending to offer Roblox scripts

Admittedly, the cracks and software advertised on these fake sites can sometimes look a bit off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming it’s not actually a game but some kind of “professional software solution designed for Windows”.

Malware disguised as Half-Life 3, which is also somehow “a professional software solution designed for Windows”. A lot of professionals clearly spent their best years on this software…

The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with what’s advertised — inside, it’s always the same infostealer.

The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.

The pirated file pretends to be scanned by a dozen antivirus tools

What makes Stealka dangerous

Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines. This puts over a hundred different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.

Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. We’ve warned repeatedly that saving passwords in your browser is risky — attackers can extract them in seconds. Cookies and session tokens are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password.

The story doesn’t end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.

Beyond stealing browser data, Stealka also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:

• Crypto wallets: Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Exodus
• Two-factor authentication: Authy, Google Authenticator, Bitwarden
• Password management: 1Password, Bitwarden, LastPass, KeePassXC, NordPass

Finally, the stealer also downloads local settings, account data, and service files from a wide variety of applications:

• Crypto wallets. Wallet configurations may contain encrypted private keys, seed-phrase data, wallet file paths, and encryption parameters. That’s enough to at least make an attempt at stealing your cryptocurrency. At risk are 80 wallet applications, including Binance, Bitcoin, BitcoinABC, Dogecoin, Ethereum, Exodus, Mincoin, MyCrypto, MyMonero, Monero, Nexus, Novacoin, Solar, and many others.
• Messaging apps. Messaging app service files store account data, device identifiers, authentication tokens, and the encryption parameters for your conversations. In theory, a malicious actor could gain access to your account and read your chats. At risk are Discord, Telegram, Unigram, Pidgin, Tox, and others.
• Password managers. Even if the passwords themselves are encrypted, the configuration files often contain information that makes cracking the vault significantly easier: encryption parameters, synchronization tokens, and details about the vault version and structure. At risk are 1Password, Authy, Bitwarden, KeePass, LastPass, and NordPass.
• Email clients. These are where your account credentials, mail server connection settings, authentication tokens, and local copies of your emails can be found. With access to your email, an attacker will almost certainly attempt to reset passwords for your other services. At risk are Gmail Notifier Pro, Claws, Mailbird, Outlook, Postbox, The Bat!, Thunderbird, and TrulyMail.
• Note-taking apps. Instead of shopping lists or late-night poetry, some users store information in their notes that has no business being there, like seed phrases or passwords. At risk are NoteFly, Notezilla, SimpleStickyNotes, and Microsoft StickyNotes.
• Gaming services and clients. The local files of gaming platforms and launchers store account data, linked service information, and authentication tokens. At risk are Steam, Roblox, Intent Launcher, Lunar Client, TLauncher, Feather Client, Meteor Client, Impact Client, Badlion Client, and WinAuth for battle.net.
• VPN clients. By gaining access to configuration files, attackers can hijack the victim’s VPN account to mask their own malicious activities. At risk are AzireVPN, OpenVPN, ProtonVPN, Surfshark, and WindscribeVPN.

That’s an extensive list — and we haven’t even named all of them! In addition to local files, this infostealer also harvests general system data: a list of installed programs, the OS version and language, username, computer hardware information, and miscellaneous settings. And as if that weren’t enough, the malware also takes screenshots.

How to protect yourself from Stealka and other infostealers

• Secure your device with reliable antivirus software. Even downloading files from legitimate websites is no guarantee of safety — attackers leverage trusted platforms to distribute stealers all the time. Kaspersky Premium detects malware on your computer in time and alerts you to the threat.
• Don’t store sensitive information in browsers. It’s handy — no one can argue with that. But unfortunately browsers aren’t the most secure environment for your data. Sign-in credentials, bank card details, secret notes, and other confidential information are better kept in a securely encrypted format in Kaspersky Password Manager, which is immune to the exploits used by Stealka.
• Be careful with game cheats, mods, and especially pirated software. It’s better to pay up for official software than to chase the false savings offered by software cracks, and end up losing all your money.
• Enable two-factor authentication or use backup codes wherever possible. Two-factor authentication (2FA) makes life much harder for attackers, while backup codes help you regain access to your critical accounts if compromised. Just be sure not to store backup codes in text documents, notes, or your browser. For all your backup codes and 2FA tokens, use a reliable password manager.

Curious what other stealers are out there, and what they’re capable of? Read more in our other posts:

• Beware of stealers disguised as… wedding invitations
• AMOS infostealer distributed via ChatGPT chat-sharing feature
• Banshee: A stealer targeting macOS users
• Arcane stealer instead of Minecraft cheats
• Efimer Trojan using hacked websites to steal cryptocurrency

Kaspersky official blog – ​Read More

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Libbiosig vulnerability

Discovered by Mark Bereza of Cisco Talos.

BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage research in biomedical signal processing by providing open source software tools.

TALOS-2025-2296 (CVE-2025-66043-CVE-2025-66048) includes several stack-based buffer overflow vulnerabilities in the MFER parsing functionality of the Biosig Project libbiosig 3.9.1. An attacker can supply a specially crafted MFER file to trigger these vulnerabilities, possibly leading to arbitrary code execution.

Grassroot DiCoM vulnerabilities

Discovered by Emmanuel Tacheau of Cisco Talos.

Grassroots DiCoM is a C++ library for DICOM medical files, accessible from Python, C#, Java, and PHP. It supports RAW, JPEG, JPEG 2000, JPEG-LS, RLE and deflated transfer syntax. Talos found three out-of-bounds read vulnerabilities in DiCoM. An attacker can provide a malicious file to trigger these vulnerabilities.

• TALOS-2025-2210 (CVE-2025-53618-CVE-2025-53619) can lead to an information leak. 
• TALOS-2025-2211 (CVE-2025-52582) can lead to an information leak.
• TALOS-2025-2214 (CVE-2025-48429) can lead to leaking heap data. 

Smallstep step-ca vulnerabilities

Discovered by Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG).

Smallstep step-ca is a TLS-secured online Certificate Authority (CA) for X.509 and SSH certificate management. TALOS-2025-2242 (CVE-2025-44005) is an authentication bypass vulnerability in step-ca. An attacker can bypass authorization checks and force a Step-CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Cisco Talos Blog – ​Read More

The Australian Cyber Security Centre (ACSC) has published a new guide, Quantum Technology Primer: Overview, aimed at helping organizations understand the field of quantum technologies for cybersecurity. The publication is part of a bigger effort to raise awareness and preparedness as quantum capabilities move closer to practical deployment across digital systems and organizational infrastructure. 

The primer provides a foundational understanding of key quantum technologies, the scientific principles behind them, and the cybersecurity considerations organizations need to address today to prepare for a quantum-enabled future. According to the ACSC, this guidance is essential for cybersecurity leaders, IT managers, and decision-makers responsible for technology strategy and risk management. 

Foundations of Quantum Technology 

Quantum technologies rely on principles of quantum mechanics, the branch of physics that describes the behavior of matter and energy at atomic and subatomic scales. Two core concepts underpin these technologies: superposition and entanglement. 

Superposition allows a particle to exist in multiple states simultaneously, collapsing to a single state only when measured. In practical terms, this property enables quantum systems to evaluate many potential outcomes at once, offering computational advantages far beyond classical computers. 

Entanglement occurs when particles share a quantum state, creating correlations that persist even across great distances. Measuring one particle instantaneously provides information about the other. This capability underpins emerging quantum communication methods and has significant implications for secure data transmission. 

The ACSC emphasizes that understanding these principles is no longer relevant only to quantum specialists. Decision-makers must grasp the basics to integrate quantum cybersecurity considerations into organizational planning effectively. 

Implications for Cybersecurity and Business Functions 

While many quantum technologies remain in development, their potential impact on digital systems, data protection, and organizational resilience is significant. The ACSC’s Technology Primer notes that quantum computing could render some current cryptographic methods obsolete. 

“Preparing now for quantum technologies is crucial,” the ACSC states. “Adopting post-quantum cryptography is a key step, as capable quantum computers will break some existing encryption. Organizations that delay preparation risk vulnerabilities and costly remediation.” 

The primer outlines several proactive steps organizations can take: 

• Ensure cybersecurity plans are current and aligned with industry best practices. 

• Develop and implement strategies for PQC across networks. 

• Assess risks across data lifecycles and safeguard sensitive information. 

• Verify that service providers and vendors comply with quantum readiness plans. 

• Continue staff training to reinforce good cybersecurity practices. 

By incorporating these measures, organizations can strengthen their resilience and reduce potential threats from new quantum technologies. 

Types of Quantum Technologies Covered 

The ACSC primer details several categories of quantum technologies that could affect business and cybersecurity landscapes: 

• Quantum Computing: From noisy intermediate-scale quantum computers to cryptographically relevant systems capable of challenging classical encryption. 

• Quantum Information Sciences: Includes quantum communications using quantum key distribution (QKD) and quantum networking, which could redefine secure data transfer. 

• Quantum Sensors: Devices that leverage quantum mechanics to achieve unprecedented precision in measurement and sensing applications. 

Although most quantum technologies are still in the early stages, some are already integrated into research, development, and pilot implementations. The ACSC notes that as these technologies mature, they will become part of organizational supply chains and digital infrastructure, making awareness and preparedness essential. 

Quantum Cybersecurity as a Strategic Necessity 

The ACSC’s Technology Primer highlights quantum cybersecurity as a strategic priority, weighing on both the risks and opportunities of quantum technologies. Organizations that plan for quantum today will be better prepared for a future where these technologies are standard. Cyble’s AI-powered threat intelligence and autonomous security solutions help identify new cyber threats, protect data, and maintain resilience.  

Schedule a free demo to see how Cyble can protect your organization better! 

References: 

• https://www.cyber.gov.au/business-government/secure-design/quantum/quantum-technology-primer-overview#:~:text=Quantum%20technology%20applies%20quantum%20physics,more%20accurately%20than%20classical%20physics. 

• https://www.cyber.gov.au/about-us/view-all-content/news/new-publication-released-quantum-technology-primer-overview 

The post Australia’s ACSC Releases Quantum Technology Primer for Cybersecurity Leaders  appeared first on Cyble.

Cyble – ​Read More

Our experts from the Global Research and Analysis Team (GReAT) have investigated a new wave of targeted emails from the ForumTroll APT group. Whereas previously their malicious emails were sent to public addresses of organizations, this time the attackers have targeted specific individuals — scientists from Russian universities and other organizations specializing in political science, international relations, and global economics. The purpose of the campaign was to infect victims’ computers with malware to gain remote access thereto.

What the malicious email looks like

The attackers sent the emails from the address support@e-library{.}wiki, which imitates the address of the scientific electronic library eLibrary (its real domain is elibrary.ru). The emails contained personalized links to a report on the plagiarism check of some material, which, according to the attackers’ plan, was supposed to be of interest to scientists.

In reality, the link downloaded an archive from the same e-library{.}wiki domain. Inside was a malicious .lnk file and a .Thumbs directory with some images that were apparently needed to bypass security technologies. The victim’s full name was used in the filenames of the archive and the malicious link-file.

In case the victim had doubts about the legitimacy of the email and visited the e-library{.}wiki page, they were shown a slightly outdated copy of the real website.

What happens if the victim clicks on the malicious link

If the scientist who received the email clicked on the file with the .lnk extension, a malicious PowerShell script was executed on their computer, triggering a chain of infection. As a result, the attackers installed a commercial framework Tuoni for red teams on the attacked machine, providing the attackers with remote access and other opportunities for further compromising the system. In addition, the malware used COM Hijacking to achieve persistency, and downloaded and displayed a decoy PDF file, the name of which also included the victim’s full name. The file itself, however, was not personalized — it was a rather vague report in the format of one of the Russian plagiarism detection systems.

Interestingly, if the victim tried to open the malicious link from a device running on a system that didn’t support PowerShell, they were prompted to try again from a Windows computer. A more detailed technical analysis of the attack, along with indicators of compromise, can be found in a post on the Securelist website.

How to stay safe

The malware used in this attack is successfully detected and blocked by Kaspersky’s security products. We recommend installing a reliable security solution not only on all devices used by employees to access the internet, but also on the organization’s mail gateway, which can stop most threats delivered via email before they reach an employee’s device.

Kaspersky official blog – ​Read More

When CISOs ask for budget, they are rarely competing against “no security.” They are competing against growth initiatives, product launches, and cost optimization. 

Technical jargon and security metrics often fall flat here. To win the conversation, threat intelligence cannot be framed as more data for analysts. It must be positioned as a business enabler that reduces measurable risk, protects revenue, and accelerates decision-making. 

Here are the board-ready cases that connect threat intelligence investments directly to business objectives.  

1. Protecting Revenue and Avoiding Financial Loss

Boards understand one number very well: the cost of a breach. What they often underestimate is how much of that cost comes from late detection. 

Reactive security means discovering threats after damage has already begun. By then, costs multiply across downtime, incident response, legal exposure, regulatory fines, and reputational damage. 
 
Threat intelligence changes the equation. 

ANY.RUN’s Threat Intelligence Feeds deliver high-fidelity indicators sourced from interactive sandbox analyses of live malware samples and targeted attacks. This expands threat coverage, reduces the likelihood of successful breaches, and directly lowers potential financial impact — turning threat intelligence into a clear ROI driver.  

TI Feeds: features and data sources 

Threat Intelligence Lookup is another decision-enabling service from ANY.RUN. It is an on-demand searchable database that provides instant access to detailed threat reports, behavioral insights, direct links to sandbox sessions, and contextual connections between IOCs and active campaigns, enabling rapid enrichment during investigations. Instead of asking “What could happen?”, security leaders can answer “What is actively targeting organizations like ours right now?” 

See what malware is threatening the organizations from your country and industry right now 

Board-level takeaway: 

Early detection driven by real-world threat intelligence materially lowers breach impact and recovery costs. 

Message pattern: “Investing in threat intelligence reduces our average incident response cost by 60-70% by enabling early detection and prevention. For every major incident we prevent, we save the organization between $1-4 million in direct costs, not including reputational damage and customer trust.” 

2. Ensuring Revenue-Critical Operations and Business Continuity

Board members understand downtime in dollars per minute. For e-commerce platforms, financial services, manufacturing operations, or SaaS providers, every minute of disruption translates directly to lost revenue, damaged customer relationships, and competitive disadvantage. Ransomware attacks alone now cost businesses an average of 25 days of downtime — a strike that many organizations cannot absorb. 
 
Threat intelligence supports resilience by helping organizations: 

• Identify emerging attack campaigns early; 

• Anticipate shifts in attacker tactics; 

• Prepare controls before attacks reach critical systems. 

TI shortens mean time to detect (MTTD) and mean time to respond (MTTR) by providing actionable context during incidents. SOC teams correlate alerts against real-time feeds, quickly identifying and containing threats before they spread. 

Threat intelligence supports quick informed decisions impacting KPIs 

With ANY.RUN’s feeds, powered by community submissions from thousands of organizations, teams gain immediate access to indicators tied to active global campaigns. This accelerates incident response, limits disruption, and keeps critical systems online preserving revenue and operational momentum.

Board-level takeaway:  

Threat intelligence reduces the likelihood that cyber incidents escalate into operational outages or prolonged downtime. 

Message pattern: “Our revenue-critical operations represent $X million in daily transactions. Threat intelligence gives us advance warning of attacks targeting our industry, allowing us to prevent disruptions before they impact operations. The cost of this service is equivalent to less than one hour of system downtime.” 

3. Maximizing ROI on Existing Security Investments 

Most organizations have already invested heavily in security infrastructure: firewalls, SIEM platforms, EDR solutions, and of course SOC teams. However, tools are only as effective as the intelligence that drives them. Without current threat data, your security stack operates reactively, generating alerts based on generic signatures and outdated indicators. 
 
Threat Intelligence Feeds dramatically amplify the effectiveness of your security investments. Context-rich current threat data transforms them from reactive alert generators into proactive defense mechanisms. 
 
ANY.RUN’s Threat Intelligence Feeds integrate seamlessly with major security platforms through APIs and standard formats like STIX. Your existing tools immediately gain access to millions of current indicators and threat context without requiring additional headcount or infrastructure. Your SOC analysts can make faster, more accurate decisions because they have the context they need at their fingertips. 

ANY.RUN integration options 
 
Board-level takeaway: 

Threat intelligence ensures security investments are aligned with real, current threats to the business, not theoretical risks. 

Message pattern: “We’ve invested $X million in security infrastructure. Threat intelligence feeds cost a fraction of that while potentially doubling the effectiveness of every security tool we’ve already purchased.” 

4. Optimizing Security Resource Allocation and Driving Efficiency

Cybersecurity budgets are under scrutiny, with boards demanding maximum value from every dollar. Overworked SOC teams drowning in alerts waste resources on false positives and low-priority events. Hiring more analysts is expensive, slow, and increasingly unrealistic. Boards want efficiency, not headcount inflation. 

Threat intelligence enriches alerts with context, reduces noise, and allows teams to focus on high-risk threats. Pre-filtered, accurate IOCs improve detection rates while lowering analyst burnout. 

ANY.RUN’s feeds are designed for exactly this: clean, enriched indicators ready for automation, with low false-positive rates thanks to sandbox-verified data. The result is higher SOC productivity, better resource utilization, and a stronger return on existing security investments. 
 
By feeding curated, high-confidence intelligence directly into detection and response workflows, ANY.RUN’s Threat Intelligence Feeds: 

• Reduce false positives, 

• Speed up alert triage, 

• Shorten investigation time, 

• Enable junior analysts to make better decisions faster. 

This allows organizations to scale their security posture without scaling payroll. 
 
Board-level takeaway: 

Threat intelligence increases SOC productivity, delivering better protection without proportional increases in staffing costs. 
 
Message pattern: “Our SOC team currently handles X,000 alerts monthly with Y analysts at an annual cost of $Z. Threat intelligence increases our team’s effective capacity by 50-70% without adding headcount, delivering better protection while keeping personnel costs stable.”

5. Demonstrating Regulatory Compliance and Due Diligence

Regulatory frameworks like GDPR, NIS2, DORA, and SOC 2 don’t just require security controls. They mandate demonstrable due diligence and continuous improvement. Failure to meet these standards results in crippling fines (up to 4% of global revenue under GDPR), potential business restrictions, and loss of customer trust. More importantly, regulators increasingly expect organizations to demonstrate proactive threat awareness and intelligence-driven security practices. 
 
Threat intelligence feeds provide auditable evidence of continuous monitoring, proactive threat hunting, and intelligence-driven security operations. ANY.RUN’s TI Feeds deliver documented indicators of compromise with rich context, enabling your team to demonstrate to auditors that you’re actively monitoring the threat landscape relevant to your industry and geography. 

Board-level takeaway:  
 
Threat intelligence provides auditable evidence of proactive monitoring and rapid response capabilities. Non-compliance triggers fines, audits, and reputational damage. 

Message pattern: “Threat intelligence isn’t just about preventing attacks — it’s about showing regulators, auditors, and customers that we take our security obligations seriously. This investment protects us from regulatory fines that could reach tens of millions of dollars and positions us favorably during audits and compliance reviews.” 

Conclusion 

Threat intelligence gives CISOs a way to translate cyber risk into business terms the board understands. It replaces reactive defenses with foresight, guesswork with evidence, and isolated security efforts with a unified, risk-driven strategy. 

ANY.RUN’s Threat Intelligence Feeds are built on visibility into real attacker activity observed daily in live malware executions. This means decisions are based on what adversaries are doing now, not what they did months ago. For CISOs, this enables stronger protection. For boards, it delivers confidence that security investments directly support business objectives. 

In budget discussions, threat intelligence should not be positioned as “more data.” It should be positioned as business assurance: fewer costly incidents, more efficient operations, and a clearer understanding of cyber risk across the organization. 

When CISOs can demonstrate that intelligence-driven security reduces financial impact, protects revenue streams, and scales without ballooning costs, the budget conversation changes. Threat intelligence becomes a strategic pillar of the organization’s risk management program, not a line item to be negotiated away. 

About ANY.RUN 

As a leading provider of interactive malware analysis and threat intelligence, ANY.RUN is trusted by over 500,000 analysts across 15,000 organizations worldwide. Its solutions enable teams to investigate threats in real time, trace full execution chains, and surface critical behaviors within seconds.  

Safely detonate samples, interact with them as they run, and instantly pivot to network traces, file system changes, registry activity, and memory artifacts in ANY.RUN’s Interactive Sandbox. For threat intelligence insights, integrate TI Lookup and TI Feeds supplying enriched IOCs and automation-ready intelligence. No infrastructure maintenance is required.   

Start your 2-week trial of ANY.RUN’s solutions → 

FAQ: Threat Intelligence for CISOs and Boards 

The post 5 Ways Threat Intelligence Drives SOC ROI: Board-Ready Cases for CISOs  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More