The Hidden Dangers of Web Cookies and How Cybercriminals Exploit Them
Web cookies are small text files stored on your device by websites to enhance your browsing experience and remember your login, shopping cart, or language preferences. However, these seemingly harmless files can pose serious privacy and security risks. There are various types of cookies, including first-party cookies, set by the website you're visiting, and third-party cookies, placed by external domains for advertising and tracking purposes. More sophisticated tracking mechanisms, like super cookies and zombie cookies, store data outside the browser, which makes them difficult to delete and lets them persist even after attempts to remove them. While helpful for personalized experiences, these cookies can be exploited by cybercriminals if they are stolen, leading to session hijacking, identity theft, or unauthorized access to corporate networks. Recent research by NordStellar analyzed over 93 billion stolen cookies circulating on the dark web, revealing that malware, including infostealers and keyloggers, is commonly used to harvest this data. Prominent malware tools like Redline Stealer, Vidar, and CryptBot were found to be responsible for massive amounts of stolen cookies, many containing sensitive personal data, including names, email addresses, and login credentials. These stolen cookies are often used for session hijacking, bypassing login credentials, and even multi-factor authentication (MFA). Cookies from major platforms, including Google, YouTube, and Microsoft, are especially valuable targets, with attacks predominantly affecting countries like Brazil, India, and the U.S. To protect against these threats, it's crucial to reject unnecessary cookies, clear cookies regularly, use security tools to block malware, and avoid using public Wi-Fi without encryption.
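A stolen session cookie only bypasses login and MFA for as long as it is valid and accepted, so the cookie attributes a site sets decide how much damage a theft can do. The following script is an added example, not part of the article or NordStellar's research: it parses raw Set-Cookie header values and reports session-like cookies that lack Secure, HttpOnly or SameSite, or that stay valid for a long time. The sample headers, the name heuristics and the one-day lifetime threshold are constructed assumptions for the demonstration.

```python
"""Audit Set-Cookie headers for attributes that limit the damage of cookie theft.

Added example (not from the original article). Sample headers are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample headers, as a web server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600",
    "auth_token=xyz789; Path=/; Max-Age=31536000",   # unprotected, valid one year
    "lang=en; Path=/; SameSite=Lax",                 # preference cookie, low value
    "cart=42; Path=/; Secure; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

# Assumption: names containing these tokens carry authentication state.
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")
# Assumption: a session cookie should not outlive a single day.
MAX_SESSION_AGE = 24 * 3600


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie; flag attrs map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def looks_like_session(cookie: Cookie) -> bool:
    return any(hint in cookie.name.lower() for hint in SESSION_HINTS)


def audit_cookie(cookie: Cookie) -> list:
    """Return a list of weaknesses for session-like cookies (empty if none)."""
    findings = []
    if not looks_like_session(cookie):
        return findings
    if "secure" not in cookie.attrs:
        findings.append("missing Secure (can be sent over plaintext HTTP)")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly (readable by page scripts)")
    same_site = cookie.attrs.get("samesite")
    if same_site in (None, True) or str(same_site).lower() == "none":
        findings.append("SameSite missing or None (sent on cross-site requests)")
    max_age = cookie.attrs.get("max-age")
    if max_age not in (None, True):
        if int(max_age) > MAX_SESSION_AGE:
            findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_AGE}s")
    elif "expires" in cookie.attrs:
        findings.append("long-lived via Expires; prefer a short Max-Age")
    return findings


def audit_headers(headers) -> dict:
    """Map each cookie name to its findings."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name}: {status}")
```

Running the audit on the constructed headers reports auth_token as the risky one: it would be sent over plaintext, is readable by injected scripts, travels on cross-site requests and stays valid for a year, exactly the profile that makes a harvested cookie useful long after the infection.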
Cybercriminals Use Fake Bitdefender Website to Distribute Trio of Financial Stealers
Cybercriminals have launched a sophisticated malware campaign using a fraudulent Bitdefender antivirus website to target users' financial data and maintain persistent access to infected systems. The malicious domain “bitdefender-download[.]co” closely mimics the legitimate Bitdefender site, making it difficult for users to distinguish between the real and fake pages. When unsuspecting visitors click the "Download For Windows" button, they trigger the download of a ZIP file containing three distinct pieces of malware: VenomRAT, StormKitty, and SilentTrinity. These malware programs are designed to steal sensitive financial information, including cryptocurrency wallets, banking credentials, and personal data. VenomRAT is the primary tool for providing attackers with ongoing access, enabling file theft, keylogging, and stealing credit card details. StormKitty and SilentTrinity, meanwhile, harvest credentials and establish stealthy, long-term access. This multi-stage attack begins with a file hosted on Bitbucket, which redirects to Amazon S3 storage, adding a layer of legitimacy to the download process. The three malware families are complementary: VenomRAT facilitates initial access and data theft, StormKitty focuses on credential harvesting, and SilentTrinity provides long-term access for potential future exploits or resale to other criminals. DomainTools Intelligence (DTI) researchers have traced the fake Bitdefender site to the same infrastructure used by other fraudulent domains, including those impersonating banks like IDBank and Royal Bank of Canada. This suggests a coordinated phishing operation aimed at rapidly stealing financial data while establishing a persistent presence on victims' systems. Security experts advise users to only download software from official sources and be cautious of unsolicited software prompts to protect against such sophisticated cyberattacks.
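The lookalike domain in this campaign works because it contains the brand name while sitting outside the brand's real registrable domain. The script below is an added example, not DomainTools' tooling: it refangs the "[.]" notation used in the write-up, reduces a host to its registrable domain with a deliberately naive suffix rule, and flags any domain that contains a protected brand token but is not on that brand's allowlist. The allowlist of legitimate domains, the suffix table and the additional sample IoCs are assumptions for the demo; only the first IoC comes from the article.

```python
"""Flag defanged IoC domains that impersonate a known brand.

Added example, not from the DomainTools report. Brand allowlist, suffix table
and all IoCs other than the first are constructed for illustration.
"""
import re

# Assumption: the defender maintains an allowlist of each brand's real domains.
BRAND_DOMAINS = {
    "bitdefender": {"bitdefender.com"},
    "royalbank": {"royalbank.com", "rbc.com"},
}

# Naive two-label public suffixes for the demo; production code should use the
# Public Suffix List instead of this short table.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "co.jp"}

# First entry is from the article; the others are constructed samples.
SAMPLE_IOCS = [
    "bitdefender-download[.]co",
    "www.bitdefender.com",
    "hxxps://royalbank-secure[.]com/login",
    "example.co.uk",
]


def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp://, [.], [dot]) back into a plain lowercase host."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return s.split("/")[0]


def registrable_domain(host: str) -> str:
    """Return the label just under the public suffix plus the suffix itself."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(ioc: str) -> tuple:
    """Return (verdict, brand, registrable_domain) for one indicator."""
    reg = registrable_domain(refang(ioc))
    second_level = reg.split(".")[0]
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return ("legitimate", brand, reg)
        # Brand token inside the registrable label but not an allowlisted domain,
        # e.g. bitdefender-download.co
        if brand in second_level:
            return ("lookalike", brand, reg)
    return ("unknown", None, reg)


if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        verdict, brand, reg = classify(ioc)
        print(f"{ioc:40} -> {verdict:10} {reg}")
```

The brand-token check is intentionally a substring match, so it catches hyphenated variants like the one in this campaign; the price is that unrelated domains containing a short token can trip it, which is why the verdict is a triage signal rather than a block decision.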
FormBook Malware Targets Windows Systems with Advanced Evasion and Remote Control
FormBook malware has emerged as a critical cybersecurity threat to Microsoft Windows users, offering attackers full remote control over compromised systems. Delivered through phishing emails exploiting the CVE-2017-11882 vulnerability, FormBook’s latest version uses sophisticated tactics to evade detection. The malware first executes a 64-bit DLL to decrypt its payload, hidden within a fake PNG file, and injects it into legitimate processes using process hollowing. Once installed, it operates in a 32-bit environment inside ImagingDevices.exe, employing anti-analysis techniques such as duplicating system files in memory, obfuscating API calls, and dynamically decrypting over 100 functions during execution. It also actively scans for sandbox environments, making it resistant to traditional static and dynamic analysis methods. These evasion tactics allow FormBook to maintain a persistent and undetected presence on infected systems, even in the face of security tools. Beyond its evasion capabilities, FormBook provides cybercriminals with full remote control of infected devices, enabling them to execute various malicious activities. It can harvest sensitive data, including system details, browser credentials, cookies, autofill information, and clipboard content from applications like Chrome, Firefox, and Outlook. FormBook can also communicate with a Command-and-Control (C2) server, using encrypted HTTP requests to send data and receive commands such as executing files, downloading additional malware, and clearing browser data. Its ability to manipulate processes and control systems makes it a potent tool for attackers, posing a serious risk to individuals and organizations. CVE-2017-11882 was patched as part of Microsoft’s November 2017 regular security update. To protect against this threat, users are advised to keep security solutions current, utilize anti-malware tools, and train employees on phishing awareness to prevent initial infections.
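Process hollowing hides the payload inside a legitimate image, but the process tree still records how that image was started, which is where detection can anchor. The script below is an added example, not from the article or any vendor: it scans constructed process-creation records for two patterns, the Equation Editor binary EQNEDT32.EXE spawning a child process (CVE-2017-11882 is a flaw in that component), and ImagingDevices.exe being launched by a parent outside an expected set. The log lines and the expected-parent list are assumptions made for the demonstration.

```python
"""Detect process-creation patterns consistent with the FormBook delivery chain.

Added example, not from the article. The sample events and the list of
expected parents for ImagingDevices.exe are constructed for the demo.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts parent image cmdline")

# Constructed sample events in "timestamp|parent_image|image|command_line" form.
SAMPLE_LOG = """\
2025-05-20T09:58:11Z|explorer.exe|WINWORD.EXE|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.doc
2025-05-20T09:58:13Z|svchost.exe|EQNEDT32.EXE|"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding
2025-05-20T09:58:14Z|EQNEDT32.EXE|cmd.exe|cmd /c start C:\\Users\\Public\\update.exe
2025-05-20T09:58:20Z|update.exe|ImagingDevices.exe|C:\\Windows\\System32\\ImagingDevices.exe
2025-05-20T10:02:00Z|explorer.exe|ImagingDevices.exe|C:\\Windows\\System32\\ImagingDevices.exe
"""

# Assumption for the demo: parents from which ImagingDevices.exe is normally launched.
EXPECTED_PARENTS = {"imagingdevices.exe": {"explorer.exe", "svchost.exe"}}


def parse_log(text: str) -> list:
    """Parse pipe-separated records; image names are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent.lower(), image.lower(), cmdline))
    return events


def detect(events) -> list:
    """Return (timestamp, rule, detail) tuples for suspicious creations."""
    alerts = []
    for e in events:
        # Equation Editor has no business spawning children; a child process
        # right after a document is opened is the classic CVE-2017-11882 shape.
        if e.parent == "eqnedt32.exe":
            alerts.append((e.ts, "equation-editor-child",
                           f"{e.parent} -> {e.image}: {e.cmdline}"))
        # The hollowed host image started by something other than its usual parents.
        expected = EXPECTED_PARENTS.get(e.image)
        if expected is not None and e.parent not in expected:
            alerts.append((e.ts, "unexpected-parent", f"{e.parent} -> {e.image}"))
    return alerts


def run(text: str = SAMPLE_LOG) -> list:
    return detect(parse_log(text))


if __name__ == "__main__":
    for ts, rule, detail in run():
        print(f"{ts} [{rule}] {detail}")
```

On the sample tree the two alerts line up in time: the Equation Editor child at 09:58:14 and the oddly parented ImagingDevices.exe six seconds later, while the explorer-launched instance at 10:02 stays quiet. Correlating the two rules on the same host within a short window is what turns each noisy signal into a confident detection.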
Coordinated Cloud-Based Scanning Targets Vulnerabilities Across Multiple Platforms
On May 8, 2025, cybersecurity firm GreyNoise detected a large-scale cloud-based scanning operation targeting 75 distinct vulnerabilities across various platforms. The attack involved 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon. These IPs triggered 75 different behaviors, including exploitation attempts for known CVEs, misconfiguration probes, and reconnaissance activities, signaling an opportunistic approach by the threat actors. The targets ranged from well-known technologies like Adobe ColdFusion and Apache Struts to less frequently exploited systems, including Oracle WebLogic and Drupal. This activity appeared limited to a single day, with no signs of scanning before or after, indicating the use of temporary infrastructure rented solely for this operation. The attackers focused on vulnerabilities tied to remote code execution, OGNL injection, and environment variable exposure, using widely recognized exploits to gain access to exposed systems. The scanning campaign, although opportunistic, displayed signs of coordination, with significant overlap in the IP addresses used for different vulnerability scans. For example, 262 IP addresses overlapped between ColdFusion and Apache Struts scans, while 251 IPs were involved across all three major vulnerability targets. This suggests that a single operator or a unified toolset was employed, indicative of a well-organized but short-lived attack. While the immediate mitigation involves blocking the identified malicious IPs, experts caution that these scans are part of a broader trend of opportunistic attacks. The attackers may shift infrastructure or change tactics, so organizations need to monitor and patch systems continually. The use of temporary infrastructure to carry out these scans underscores the growing sophistication of cybercriminals, who are adapting their methods to evade detection while searching for vulnerabilities to exploit.
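The coordination signal GreyNoise describes is an overlap measurement: the same source addresses showing up against several unrelated vulnerability tags within one day. The script below is an added example, not GreyNoise's tooling: it groups constructed sensor hits by the vulnerability tag each probe matched, computes pairwise IP overlap between tags, and derives a block list of addresses that hit at least a chosen number of distinct tags on a single day. The tag names, addresses and dates are made up for the demo.

```python
"""Find source IPs that scan for several unrelated vulnerabilities in one day.

Added example, not from GreyNoise. The sensor hits below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sensor hits in "date,ip,tag" form (documentation-range addresses).
SAMPLE_HITS = """\
2025-05-08,203.0.113.10,coldfusion-rce
2025-05-08,203.0.113.10,struts-ognl
2025-05-08,203.0.113.10,weblogic-rce
2025-05-08,203.0.113.11,coldfusion-rce
2025-05-08,203.0.113.11,struts-ognl
2025-05-08,203.0.113.12,drupal-probe
2025-05-07,203.0.113.13,struts-ognl
2025-05-09,203.0.113.13,coldfusion-rce
"""


def parse_hits(text: str) -> list:
    """Return (date, ip, tag) tuples, skipping blank lines."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            date, ip, tag = line.split(",")
            hits.append((date, ip, tag))
    return hits


def ips_by_tag(hits, date=None) -> dict:
    """Group source IPs by the tag they triggered, optionally for one day only."""
    groups = defaultdict(set)
    for d, ip, tag in hits:
        if date is None or d == date:
            groups[tag].add(ip)
    return groups


def tag_overlap(groups) -> dict:
    """Number of IPs shared by each pair of tags, the figure the report quotes."""
    return {(a, b): len(groups[a] & groups[b])
            for a, b in combinations(sorted(groups), 2)}


def coordinated_ips(hits, min_tags: int = 3) -> dict:
    """IPs that hit at least min_tags distinct tags on the same day -> that day.

    Spreading the same two tags over different days (203.0.113.13) does not
    count, which keeps slow background noise out of the block list.
    """
    per_day = defaultdict(lambda: defaultdict(set))
    for d, ip, tag in hits:
        per_day[d][ip].add(tag)
    result = {}
    for d, ips in per_day.items():
        for ip, tags in ips.items():
            if len(tags) >= min_tags:
                result[ip] = d
    return result


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    for pair, shared in tag_overlap(ips_by_tag(hits, "2025-05-08")).items():
        print(f"{pair[0]} & {pair[1]}: {shared} shared IPs")
    print("block list:", coordinated_ips(hits))
```

Blocking the resulting list is the short-term step the article names; because the infrastructure was rented for a single day, the more durable output is the overlap table itself, which shows which of your exposed products are being swept together and therefore which patches to verify first.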