https://hackingpassion.com/tags/infostealer/Recent content in Infostealer on HackingPassion.com : root@HackingPassion.com-[~]HugoenWed, 20 May 2026 14:26:29 +0200https://hackingpassion.com/voidstealer-chrome-abe-bypass/Wed, 20 May 2026 14:26:29 +0200https://hackingpassion.com/voidstealer-chrome-abe-bypass/<p>Chrome keeps saved passwords locked behind one master key. <strong>VoidStealer</strong> steals that key using a tool Chrome cannot block. It does not need administrator rights, does not touch the browser&rsquo;s code, and when it is done, saved passwords, open login sessions, and stored payment cards are all readable. The technique had been sitting on GitHub as open-source research for over six months. Nobody had used it in the wild until now.</p>https://hackingpassion.com/reaper-shub-macos-stealer/Tue, 19 May 2026 10:52:16 +0200https://hackingpassion.com/reaper-shub-macos-stealer/<p>Reaper swipes macOS passwords and crypto wallets, backdoors the machine, and pretends to be Apple, Microsoft, and Google in the same attack. Apple shipped an update in March to stop exactly this. Reaper already bypasses it.</p> <p>Reaper belongs to a malware family called <strong>SHub Stealer</strong>, active since April 2025. SHub grew out of an earlier macOS stealer called <strong>MacSync</strong>, which itself was built on a foundation called <strong>Mac.c</strong>, first spotted in April 2025. Within months it turned into a commercial crime service, meaning the people who built the infrastructure rent access to different operators who run their own campaigns with their own targets and lures. Researchers at <strong>Malwarebytes</strong>, <strong>Jamf</strong>, <strong>Moonlock</strong>, and <strong>Microsoft&rsquo;s Defender Security Research team</strong> had already documented earlier variants, but this version of Reaper does things none of the earlier builds could: a bypass of Apple&rsquo;s latest security update, a persistent backdoor that survives reboots, and a method for permanently hijacking installed crypto wallet applications without triggering a single security warning.</p>https://hackingpassion.com/macsync-clickfix-claude/Tue, 12 May 2026 11:37:35 +0200https://hackingpassion.com/macsync-clickfix-claude/<p><strong>MacSync</strong> is spreading through <strong>Google ads</strong> that lead directly to <strong>claude.ai</strong>. The installation guide there was written by Claude itself. One Terminal command and the malware is running, your credentials are gone, and your crypto wallet applications have been replaced.</p> <p>Security researcher <strong>Berk Albayrak</strong> spotted an active version of this campaign on <strong>May 9, 2026</strong> and posted his findings on X. Researcher <strong>g0njxa</strong> also published findings on X tracing the campaign infrastructure. <strong>BleepingComputer</strong> independently confirmed a second variant running on completely separate infrastructure.</p>https://hackingpassion.com/microsoft-edge-cleartext-passwords/Tue, 05 May 2026 10:56:56 +0200https://hackingpassion.com/microsoft-edge-cleartext-passwords/<p><strong>Microsoft Edge loads every saved password into memory the moment the browser opens.</strong> They sit there in plain readable text for the entire session, even for sites that are never visited during that session. <strong>Microsoft&rsquo;s official response: this is by design.</strong></p> <p>A security researcher who goes by <strong>@L1v1ng0ffTh3L4N</strong> decided to test every major Chromium-based browser to see how each one actually handles stored credentials while running. He went through them one by one. <strong>Edge was the only browser he found behaving this way.</strong> He took his findings to the BigBiteOfTech conference on April 29, presented them there with Palo Alto Networks Norway, and then posted a proof-of-concept video on May 4 that pulled in 5,900 responses within hours. He also put a small tool on GitHub called <strong>EdgeSavedPasswordsDumper</strong> so anyone could check this on their own machine.</p>