Security Affairs
Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A new piece of Ryuk Stealer targets government, military and finance sectors

A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking. Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to […]

Reynolds ransomware uses BYOVD to disable security before encryption ransomware

A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking.

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to the military, government, financial statements, and banking.

In September 2019, BleepingComputer reported the discovery of a new piece of malware that included references to the Ryuk Ransomware and that was used to steal files with filenames matching certain keywords.

It is not clear if the malware was developed by the threat actors behind Ryuk Ransomware for data exfiltration.

“It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer,” explained the popular malware researcher Vitali Kremez.

“What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.” reported BleepingComputer.

The new variant of the Ryuk Stealer malware implements a new file content scanning feature and is able to search for additional keywords in the filenames for data exfiltration.

Source BleepingComputer

The variant of the Ryuk Stealer recently discovered is able to look for C++ code files (i.e. .cpp), further Word and Excel document types, PDFs, JPG image files, and also files associated with cryptocurrency wallets.

The scanning module first checks if the files on the systems have one of the above extensions, then it will check the contents of the files to verify the presence of one of the following keywords.

'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation', 'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted', 'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT', 'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine', 'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover', 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified', seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato', 'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan', 'Clearance'

In addition, the stealer will also check the presence of one of other 55 keywords in the filenames.

Once the document has passed the checks, it will be uploaded to an FTP site, experts pointed out that the code of the Ryuk stealer includes two FTP sites. At the time of the analysis, both sites were not reachable at the time of the analysis.

Targeted keywords in the new variant of the Ryuk stealer confirm that attackers are looking for confidential information in military, banking, finance and law enforcement.

Another aspect to consider is that operators behind ransomware are also interested in stealing sensitive data from their victims and use them to blackmail victims and force them to pay the ransom like the Maze ransomware gang does.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Ryuk stealer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]