Macworld Mac users, we get it—you don’t like bloated, ugly antivirus software slowing down your beautifully tuned machines. But you also don’t want to be the one person who ignores modern cyber threats just because “Macs don’t get viruses.” Spoiler: they can and they do. If you’re looking for a lightweight…
Published
6 days ago
in
By
Macworld
Mac users, we get it—you don’t like bloated, ugly antivirus software slowing down your beautifully tuned machines. But you also don’t want to be the one person who ignores modern cyber threats just because “Macs don’t get viruses.” Spoiler: they can and they do.
I review a lot of laptops and I’ve noticed many of them come with a “free trial” of McAfee antivirus preinstalled. I’ve clicked through so many warnings about how my PC will be “at risk” unless I pay up for extended protection, and those McAfee alerts are in a stark red color that’s surely designed
Published
2 days ago
in
By
I review a lot of laptops and I’ve noticed many of them come with a “free trial” of McAfee antivirus preinstalled. I’ve clicked through so many warnings about how my PC will be “at risk” unless I pay up for extended protection, and those McAfee alerts are in a stark red color that’s surely designed to scare me… Read More
EDRKillShifter is getting a dangerous upgrade The new malware can disable AV and EDR from reputable vendors Sophos, Bitdefender, and Kaspersky among the tools being targeted Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community. In a new report, security researchers from Sophos
Published
2 weeks ago
in
By
EDRKillShifter is getting a dangerous upgrade
The new malware can disable AV and EDR from reputable vendors
Sophos, Bitdefender, and Kaspersky among the tools being targeted
Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community.
In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.
Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky.
You may like
This devious ransomware is able to hijack your system to turn off antivirus
Hackers can turn off Windows Defender with this sneaky new tool
This top security platform is being hacked to carry out malware threats
Shifting strategies
The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.
Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, they’re even using signed drivers (either stolen or compromised).
In one case, the malicious code was embedded inside a legitimate utility, Beyond Compare’s Clipboard Compare tool, the researchers explained.
Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.
Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.
Now, it seems there is a new method – taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare’s tool). This is often done after the attacker has access to a
Cheats and mods are now frontlines for cybercrime targeting gamers’ wallets and private data Verified crypto wallets like MetaMask and Exodus are being drained through browser injection Trojan.Scavenger abuses overlooked flaws to disable browser safety and manipulate trusted extensions Gamers seeking performance enhancements or special abilities through third-party patches and mods may be unwittingly exposing
Published
3 weeks ago
in
By
Cheats and mods are now frontlines for cybercrime targeting gamers’ wallets and private data
Verified crypto wallets like MetaMask and Exodus are being drained through browser injection
Trojan.Scavenger abuses overlooked flaws to disable browser safety and manipulate trusted extensions
Gamers seeking performance enhancements or special abilities through third-party patches and mods may be unwittingly exposing themselves to sophisticated malware, experts have warned.
Recent findings from Dr.Web revealed a malware family known as “Trojan.Scavenger” which targets Windows users by disguising itself as cheats or enhancements for popular games.
This seemingly harmless mod can ultimately compromise crypto wallets, password managers, and web browsers, posing serious risks to user privacy and digital assets.
You may like
Experts warn GTA and Minecraft being used to lure in cyberattack victims – here’s how to stay safe
Minecraft players watch out – these fake mods are hiding password-stealing malware
Criminals are using a dangerous fake free VPN to spread malware via GitHub – here’s how to stay safe
When cheats become covert threats
The infection chain begins when users download ZIP archives claiming to improve performance in games including the likes of Grand Theft Auto 5 or Oblivion Remastered.
These archives contain modified dynamic libraries, sometimes renamed with extensions like .ASI to resemble legitimate plugin formats.
When the user follows the installation instructions, the malicious library is placed in the same folder as the target game. If the game does not properly validate its libraries, the trojan loads automatically at startup.
In some cases, flaws in library search priorities are essential to the malware’s success, allowing it to hijack execution within the host application.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Once loaded, the malware establishes contact with a command-and-control server using encrypted communication. This process includes verifying encryption keys and checking timestamp consistency, which is meant to evade analysis and block antivirus detection.
The malware doesn’t stop with the initial payload. In more complex infections, it deploys additional trojans that embed themselves in Chromium-based browsers like Chrome, Edge, Opera, and Yandex.
