By Tushar, cyber security content editor, Cyber Security News.

A new data-theft malware strain dubbed “SHELBY” has emerged in the cybersecurity landscape, targeting primarily financial institutions and healthcare organizations across North America and Europe. Elastic analysts identified SHELBY in early March 2025 while investigating a series of data breaches across multiple healthcare providers. Their analysis indicates that the malware had remained undetected for approximately three months before discovery, which points to effective evasion rather than a single clever trick.

SHELBY’s distinguishing feature is its command-and-control channel. The malware creates and accesses private repositories on GitHub, where its operators store commands as base64-encoded strings inside seemingly innocuous text files. Because the implant fetches these files over ordinary HTTPS connections to GitHub’s domains, its traffic blends into the legitimate developer traffic that most organizations permit, and traditional network security tools that do not block widely used development platforms have little to key on. The practical consequence is that detection has to rely on who is talking to GitHub and how often, not merely on the destination.

The infection chain starts with phishing emails carrying invoice-themed attachments. The reported lures include an Office document whose malicious macro initiates the chain, and a PDF with an embedded JavaScript dropper that, when executed, downloads a PowerShell script from a compromised website. Once installed, SHELBY maintains persistence through a scheduled task that masquerades as a legitimate system maintenance process, which helps it evade endpoint security solutions that scrutinize run keys and services more closely than task definitions.

Once running, SHELBY operates in the background collecting login credentials, financial data, and patient records, then exfiltrates them to its operators. Compromised data includes personally identifiable information, healthcare records, and financial account details. The impact has been substantial: at least 17 organizations have confirmed data breaches linked to this malware.
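The two detection angles that follow from the description above (a non-developer process polling one GitHub repository on a timer, and base64-wrapped commands hiding in repository text files) can be hunted for with a short script. The example below is added here and is not code from the article or from Elastic’s report. Its log format, host and process names, repository path, process allowlist and command markers are all assumptions, and both the egress log and the “task file” are constructed samples; the base64 blob in the task file decodes to the harmless command `cmd.exe /c whoami`.

```python
"""Hunt for GitHub-as-C2 activity: periodic polling of a repository by a non-developer
process, and base64-wrapped commands hidden in repository text files.
Added example; all telemetry below is constructed, not real SHELBY data."""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log (hypothetical proxy/EDR export): timestamp host process method url
SAMPLE_LOG = """\
2025-03-10T09:00:02Z WS-FIN-07 updatesvc.exe GET https://api.github.com/repos/acme-maint/notes/contents/README.txt
2025-03-10T09:03:11Z DEV-22 git.exe GET https://github.com/example/app.git/info/refs
2025-03-10T09:05:03Z WS-FIN-07 updatesvc.exe GET https://api.github.com/repos/acme-maint/notes/contents/README.txt
2025-03-10T09:07:40Z DEV-22 Code.exe GET https://api.github.com/repos/example/app/pulls
2025-03-10T09:10:01Z WS-FIN-07 updatesvc.exe GET https://api.github.com/repos/acme-maint/notes/contents/README.txt
2025-03-10T09:12:09Z DEV-22 Code.exe GET https://api.github.com/repos/example/app/issues
2025-03-10T09:15:04Z WS-FIN-07 updatesvc.exe GET https://api.github.com/repos/acme-maint/notes/contents/README.txt
2025-03-10T09:20:02Z WS-FIN-07 updatesvc.exe GET https://api.github.com/repos/acme-maint/notes/contents/README.txt
2025-03-10T09:31:55Z DEV-22 Code.exe GET https://api.github.com/repos/example/app/contents/README.md
"""

# Constructed repository text file of the kind the article describes: a base64 command
# (here "cmd.exe /c whoami") sitting among harmless notes and a commit-id-like hex run.
SAMPLE_TASK_FILE = """\
Maintenance notes, weekly cleanup rota
last verified build 0123456789abcdef0123456789abcdef01234567
Y21kLmV4ZSAvYyB3aG9hbWk=
Reviewed by ops, no action required.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
GITHUB_HOSTS = {"api.github.com", "github.com", "raw.githubusercontent.com"}
# Processes expected to reach GitHub from a workstation; an assumed baseline, tune per environment.
DEV_TOOL_ALLOWLIST = {"git.exe", "gh.exe", "Code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Substrings that mark a decoded blob as a command rather than data; heuristic, extend as needed.
COMMAND_MARKERS = ("cmd.exe", "powershell", "whoami", "net user", "invoke-", "certutil", "curl ")


def parse_github_requests(log_text):
    """Return (timestamp, host, process, url) for requests whose destination is a GitHub domain."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, _method, url = m.groups()
        dst = re.match(r"https?://([^/]+)", url)
        if dst and dst.group(1) in GITHUB_HOSTS:
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, proc, url))
    return events


def find_github_beacons(log_text, min_requests=4, max_jitter=0.25):
    """Return (host, process, url, mean_interval_s) for GitHub URLs polled at a near-constant
    interval by a process that is not a known developer tool."""
    series = defaultdict(list)
    for ts, host, proc, url in parse_github_requests(log_text):
        if proc not in DEV_TOOL_ALLOWLIST:
            series[(host, proc, url)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a timer-driven beacon has tiny jitter, a human does not.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((*key, round(mean)))
    return hits


def decode_embedded_commands(file_text):
    """Decode every base64-looking run in a file and keep those that decode to printable
    text containing a command marker. Hex digests and binary blobs fall out naturally."""
    found = []
    for token in B64_RE.findall(file_text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable() and any(m in decoded.lower() for m in COMMAND_MARKERS):
            found.append(decoded)
    return found


if __name__ == "__main__":
    for hit in find_github_beacons(SAMPLE_LOG):
        print("periodic GitHub polling:", hit)
    for cmd in decode_embedded_commands(SAMPLE_TASK_FILE):
        print("base64 command in repo file:", cmd)
```

On the constructed log the beacon check flags only the `updatesvc.exe` series on WS-FIN-07, polling the same `contents` endpoint every five minutes, while the developer’s `git.exe` and `Code.exe` requests on DEV-22 are ignored. Two caveats for production use: an implant that adds random sleep to its polling interval will push the coefficient of variation above the threshold, so pair this with a check for any non-allowlisted process touching `api.github.com` at all; and an allowlisted browser or `git.exe` can itself be the injected host, so the allowlist should be corroborated against the process’s parent and signer, and against scheduled-task creation on the same host, rather than trusted on the image name alone.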
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Mar 2025 12:30:05 +0000