RedCurl Ransomware Targets, CS2 Steam Phishing, Fake Converter Cyberattacks – Cybersecurity News [March 24, 2025]

From hackers targeting Hyper-V servers to fake file converters spreading malware, there’s plenty to watch out for. There’s also news of Counter-Strike 2 players being tricked into handing over their Steam accounts, and a new ransomware strain is hitting multiple operating systems at once. Even npm packages aren’t safe, with attackers sneaking in backdoors through open-source libraries. Stay ahead of these risks with our latest cybersecurity bulletin—because knowing what’s out there is the first step to staying secure.

RedCurl Hackers Develop Ransomware to Encrypt Hyper-V Servers

Let us begin with the shift in tactics of the RedCurl cyberespionage group. The threat actors are now encrypting Hyper-V virtual machines using a newly developed ransomware variant called “QWCrypt.”

The new tactics were analysed and shared by researchers at Bitdefender, who say that RedCurl’s attacks begin with phishing emails containing malicious “.IMG” attachments (often disguised as resumes). These files exploit DLL (Dynamic Link Library) sideloading vulnerabilities using a legitimate Adobe executable, which then downloads the necessary payload and establishes persistence on the compromised system. They’re trying “living-off-the-land” techniques using built-in Windows tools to evade detection and leveraging custom scripts/tunnelling tools for lateral movement.

Bitdefender continues to monitor the threat landscape and is expected to release specific countermeasures following a thorough investigation. For the time being, organisations should implement strong email security measures to filter out phishing attempts and restrict the execution of unverified files. Regularly updating and patching systems, segmenting network access, and using behaviour-based detection tools will also go a long way.

Browser-in-the-Browser Attacks Put CS2 Players’ Steam Accounts At Risk

A new phishing campaign is going after Counter-Strike 2 (CS2) players using a deceptive technique called Browser-in-the-Browser (BitB) attacks.

The threat actors behind this alleged campaign are creating fake Steam login popups that look almost identical to the real thing. The end goal? Steal valuable Steam accounts filled with in-game skins and items, which are then resold for significant amounts of money. Security researchers at Silent Push discovered that the phishing campaign is primarily spreading through YouTube videos and other promotional channels. Victims are lured in with offers of free CS2 loot cases containing skins—an attractive bait for dedicated players.

Players are asked to enter their Steam login information when they arrive at the phishing website, which is where the BitB attack is used. Any credentials entered in this phony login window are transmitted straight to the attackers, who resell them on grey market websites. The fake window replicates the actual Steam interface, including the URL bar.

You should never enter login credentials on a popup window before verifying its authenticity. Check if you can resize or move the window—fake BitB popups usually cannot be adjusted.

FBI Alerts Public to Cyberattacks via Fake Document Converter Sites

The FBI issued a warning where they shared how threat actors are using fake online document converters to steal sensitive information and distribute malware.

These fraud websites offer free file conversion services (like changing a Word document into a PDF) but infect people’s devices with malware or extract personal information from the documents they upload. The threat actors make the names of these websites similar to real ones. Sometimes, they change just a single letter or add terms like “INC” instead of “CO” to appear genuine.

When you upload a file for conversion, the resulting download contains hidden malware like RATs (Remote Access Trojans) or loaders like the Gootloader. Some of these attacks have even led to ransomware infections where threat actors gain access to organisational networks and encrypted data. Meta platform X and Malwarebytes online platform have recently published some examples of domains involved in this type of scam.

Many people rely on such tools for quick fixes and getting work done faster, so they need to be cautious! It’s best to stick to well-known, reputable services and always verify a website before uploading any sensitive documents. If you suspect you’ve encountered a fraudulent converter, report it to the FBI’s IC3 (Internet Crime Complaint Center).

VanHelsing Ransomware Strikes Windows, ARM, and ESXi Systems

There’s also a new ransomware that’s been causing all sorts of harm to operating systems, including Windows, Linux, BSD, ARM, and ESXi.

Security researchers from CYFIRMA and Check Point Research have been analysing the group’s methods, uncovering how the malware is built and deployed. The affiliates using the ransomware keep 80% of the payments and the operators take a 20% cut, with all transactions secured via blockchain-based escrow. The attackers have already listed three victims on their dark web extortion portal–a Texas city and two tech firms. They demand a ransom of $500,000, and threaten to leak the stolen data if payment isn’t made.

The malware is written in C++ and first appeared in active attacks on 16 March. It encrypts files using the ChaCha20 algorithm, generating unique encryption keys for each file. What makes it especially dangerous is the stealth mode it offers that allows the threat actors to divide the encryption and renaming tasks, making it that much harder for security software to detect.

So, how do you keep this threat at bay? By keeping operating systems and software up to date, regularly backing up important data, and using advanced endpoint protection.

Malicious npm Packages Inject Persistent Backdoor in Legitimate Software

This week, security researchers uncovered two malicious packages hosted on npm repository, “ethers-provider2” and “ethers-providerz ,” which stealthily modify locally installed software to embed a persistent reverse shell backdoor.

It was lucky that ReversingLabs identified this during a routine security investigation into the open-source supply chain. The “ethers-provider2” package leverages the widely used “ssh2” but modifies its installation script (“install.js”) to fetch and execute a second-stage payload. Then, this payload searches for the legitimate “ethers” package and replaces its “provider-jsonrpc.js” file with a trojanised version.

Using a modified SSH client, the modified file creates a persistent reverse shell and then retrieves a third-stage payload from an external server. The “ethers-providerz” package uses a similar tactic, focusing on the “@ethersproject/providers” package. Early versions of the package had implementation errors preventing full execution, but the author has since removed it from npm, potentially with plans to reintroduce a functional version. Additionally, two other suspicious packages—”reproduction-hardhat” and “@theoretical123/providers”—appear to be linked to the same campaign.