Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Spyware. Show all posts
zero-click
Mobile Security Spyware Threat Intelligence User Privacy Whatsapp Leak zero-click

Here's How to Safeguard Your Smartphone Against Zero-Click Attacks

 

Spyware tools have been discovered on the phones of politicians, journalists, and activists on numerous occasions over the past decade. This has prompted worries regarding the lack of protections in the tech industry and an unprecedented expansion of spyware technologies. 

Meta's WhatsApp recently stated that it has detected a hacking campaign aimed at roughly ninety users, the majority of whom were journalists and civil society activists from two dozen countries. 

According to a WhatsApp representative, the attack was carried out by the Israeli spyware company Paragon Solutions, which is now controlled by the Florida-based private equity firm AE Industrial Partners. Graphite, Paragon's spyware, infiltrated WhatsApp groups by sending them a malicious PDF attachment. It can access and read messages from encrypted apps such as WhatsApp and Signal without the user's knowledge. 

What is a zero-click attack? 

A zero-click attack, such as the one on WhatsApp, compromises a device without requiring any user activity. Unlike phishing or one-click attacks, which rely on clicking a malicious link or opening an attachment, zero-click leverages a security flaw to stealthily gain complete access after the device has been infected. 

"In the case of graphite, via WhatsApp, some kind of payload, like a PDF or an image, [was sent to the victims' devices] and the underlying processes that receive and handle those packages have vulnerabilities that the attackers exploit [to] infect the phone,” Rocky Cole, co-founder of mobile threat protection company iVerify, noted.

While reports do not indicate "whether graphite can engage in privilege escalation [vulnerability] and operate outside WhatsApp or even move into the iOS kernel itself, we do know from our own detections and other work with customers, that privilege escalation via WhatsApp in order to gain kernel access is indeed possible," Cole added. 

The iVerify team believes that the malicious attacks are "potentially more widespread" than the 90 individuals who were reported to have been infected by graphite because they have discovered cases where a number of WhatsApp crashes on [mobile] devices [they're] monitoring with iVerify have seemed to be malicious in nature.

While the WhatsApp hack primarily targeted civil society activists, Cole believes mobile spyware is a rising threat to everyone since mobile exploitation is more pervasive than many people realise. Moreover, the outcome is an emerging ecosystem around mobile spyware development and an increasing number of VC-backed mobile spyware companies are under pressure to become viable organisations. This eventually increases marketing competition for spyware merchants and lowers barriers that might normally deter these attacks. 

Mitigation tips

Cole recommends users to treat their phones as computers. Just as you use best practices to safeguard traditional endpoints like laptops from exploitation and compromise, you should do the same for phones. This includes rebooting your phone on a daily basis because most of these exploits remain in memory rather than files, and rebooting your phone should theoretically wipe out the malware as well, he said. 

If you have an Apple device, you can also enable Lockdown Mode. As indicated by Cole, "lockdown mode has the effect of reducing some functionality of internet-facing applications [which can] in some ways reduce the attack surface to some degree."

Ultimately, the only way to properly safeguard oneself from zero-click capabilities is to address the underlying flaws. Cole emphasised that only Apple, Google, and app developers may do so. "So as an end user, it's critically important that when a new security patch is available, you apply it as soon as you possibly can," the researcher added.
Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
Spyware
API Keys Cybersecurity Data Breach Developers malware npm packages open-source phishing Software Supply Chain Spyware

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

 

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments.

Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally.

“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers.

“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks.

“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.

A fake npm extension embedded spyware that enabled complete remote access.

Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.
Read more »
zero-click
Data Breach Hackers paragon Spyware WhatsApp zero-click

WhatsApp Fixes Security Flaw Exploited by Spyware

 



WhatsApp recently fixed a major security loophole that was being used to install spyware on users' devices. The issue, known as a zero-click, zero-day vulnerability, allowed hackers to access phones without the user needing to click on anything. Security experts from the University of Toronto’s Citizen Lab uncovered this attack and linked it to Paragon’s spyware, called Graphite.  

The flaw was patched by WhatsApp in late 2023 without requiring users to update their app. The company also chose not to assign a CVE-ID to the vulnerability, as it did not meet specific reporting criteria.  

A WhatsApp spokesperson confirmed that hackers used the flaw to target certain individuals, including journalists and activists. WhatsApp directly reached out to around 90 affected users across multiple countries.  


How the Attack Worked  

Hackers used WhatsApp groups to launch their attacks. They added their targets to a group and sent a malicious PDF file. As soon as the file reached the victim’s phone, the device automatically processed it. This triggered the exploit, allowing the spyware to install itself without any user action.  

Once installed, the spyware could access sensitive data and private messages. It could also move beyond WhatsApp and infect other apps by bypassing Android’s security barriers. This gave attackers complete control over the victim’s device.  


Who Was Targeted?  

According to Citizen Lab, the attack mostly focused on individuals who challenge governments or advocate for human rights. Journalists, activists, and government critics were among the key targets. However, since only 90 people were officially notified by WhatsApp, experts believe the actual number of victims could be much higher.  

Researchers found a way to detect the spyware by analyzing Android device logs. They identified a forensic marker, nicknamed "BIGPRETZEL," that appears on infected devices. However, spotting the spyware is still difficult because Android logs do not always capture all traces of an attack.  


Spyware Linked to Government Agencies  

Citizen Lab also investigated the infrastructure used to operate the spyware. Their research uncovered multiple servers connected to Paragon’s spyware, some of which were linked to government agencies in countries like Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Many of these servers were rented through cloud platforms or hosted directly by government agencies.  

Further investigation revealed that the spyware's digital certificates contained the name “Graphite” and references to installation servers. This raised concerns about whether Paragon's spyware operates similarly to Pegasus, another surveillance tool known for being used by governments to monitor individuals.  


Who Is Behind Paragon Spyware?  

Paragon Solutions Ltd., the company behind Graphite spyware, is based in Israel. It was founded in 2019 by Ehud Barak, Israel’s former Prime Minister, and Ehud Schneorson, a former commander of Unit 8200, an elite Israeli intelligence unit.  

Paragon claims that it only sells its technology to democratic governments for use by law enforcement agencies. However, reports have shown that U.S. agencies, including the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE), have purchased and used its spyware.  

In December 2024, a U.S.-based investment firm, AE Industrial Partners, bought Paragon, further raising questions about its future operations and how its surveillance tools may be used.  


Protecting Yourself from Spyware  

While WhatsApp has fixed this specific security flaw, spyware threats continue to evolve. Users can take the following steps to protect themselves:  

1. Update Your Apps: Always keep your apps updated, as companies frequently release security patches.  

2. Be Cautious of Unknown Files: Never open suspicious PDFs, links, or attachments from unknown sources.  

3. Enable Two-Factor Authentication: Adding an extra layer of security to your accounts makes it harder for hackers to break in.  

4. Check Your Device Logs: If you suspect spyware, seek professional help to analyze your phone’s activity.  

Spyware attacks are becoming more advanced, and staying informed is key to protecting your privacy. WhatsApp’s quick response to this attack highlights the ongoing battle against cyber threats and the need for stronger security measures.  


Read more »
User Privacy
AWS Credentials Mobile Security Spyware Stalkerware User Privacy

Amazon Faces Criticism For Still Hosting Stalkerware Victims' Data

 

Amazon is drawing fire for hosting data from the Cocospy, Spyic, and Spyzie apps weeks after being notified of the problem, as the spyware firms continue to upload sensitive phone data of 3.1 million users to Amazon Web Services (AWS) servers. 

Last month on February 20, threat analysts at TechCrunch, an American global news outlet, notified Amazon of the stalkerware-hosted data, including exact storage bucket information where the stolen data from victims' phones was stored. However, as of mid-March, no firm steps have been taken to disable the hosting servers. 

In response, AWS thanked TechCrunch for the tip and sent a link to its abuse report form. In response to this statement, Ryan, the AWS spokesperson stated, "AWS responded by requesting specific technical evidence through its abuse reporting form to investigate the claims. TechCrunch declined to provide this evidence or submit an abuse report.”

The Android apps Cocospy, Spyic, and Spyzie share identical source code and a security vulnerability that can be easily exploited. The flaw abuses poorly secured servers used by the apps, allowing external access to exfiltrated data. The servers employed by the apps have Chinese origins and store data on Cloudflare and AWS infrastructure.

On March 10, TechCrunch notified Amazon that the Spyzie app was also uploading stolen data to its own Amazon bucket. According to Amazon, AWS responds to complaints of abuse and has stringent acceptable usage guidelines. The company's procedural reaction, however, has come under fire for taking too long to take action regarding hosting stolen data.

Ryan clarified that AWS responded quickly and made repeated requests for the technical data required to conduct the investigation, which TechCrunch declined. He went on to say: "AWS's request to submit the findings through its publicly available abuse reporting channel was questioned by the outlet, which declined to provide the requested technical data.” 

Stalkerware thrives on direct downloads, despite being banned from major app stores like Google Play and Apple's App Store. While some sellers say that the apps are for legal purposes, their capabilities are frequently utilised in ways that breach privacy regulations.
Read more »
WhatsApp
AI Backdoor Data Encryption Pegasus Spyware Technology WhatsApp

Frances Proposes Law Requiring Tech Companies to Provide Encrypted Data


Law demanding companies to provide encrypted data

New proposals in the French Parliament will mandate tech companies to give decrypted messages, email. If businesses don’t comply, heavy fines will be imposed.

France has proposed a law requiring end-to-end encryption messaging apps like WhatsApp and Signal, and encrypted email services like Proton Mail to give law enforcement agencies access to decrypted data on demand. 

The move comes after France’s proposed “Narcotraffic” bill, asking tech companies to hand over encrypted chats of suspected criminals within 72 hours. 

The law has stirred debates in the tech community and civil society groups because it may lead to building of “backdoors” in encrypted devices that can be abused by threat actors and state-sponsored criminals.

Individuals failing to comply will face fines of €1.5m and companies may lose up to 2% of their annual world turnover in case they are not able to hand over encrypted communications to the government.

Criminals will exploit backdoors

Few experts believe it is not possible to bring backdoors into encrypted communications without weakening their security. 

According to Computer Weekly’s report, Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said, “A backdoor for the good guys only is a dangerous illusion. Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cyber criminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone.”

Researchers stress that the French proposals aren’t technically sound without “fundamentally weakening the security of messaging and email services.” Similar to the “Online Safety Act” in the UK, the proposed French law exposes a serious misunderstanding of the practical achievements with end-to-end encrypted systems. Experts believe “there are no safe backdoors into encrypted services.”

Use of spyware may be allowed

The law will allow using infamous spywares such as NSO Group’s Pegasus or Pragon that will enable officials to remotely surveil devices. “Tuta Mail has warned that if the proposals are passed, it would put France in conflict with European Union laws, and German IT security laws, including the IT Security Act and Germany’s Telecommunications Act (TKG) which require companies to secure their customer’s data,” reports Computer Weekly.

Read more »
zero click
Cyber Attacks Paragon Solutions Spyware WhatsApp zero click

WhatsApp Alerts Users About a Dangerous Zero-Click Spyware Attack

 


WhatsApp has warned users about a highly advanced hacking attack that infected nearly 90 people across 24 countries. Unlike traditional cyberattacks that rely on tricking victims into clicking malicious links, this attack used zero-click spyware, meaning the targets were hacked without taking any action.  


What Happened?

Hackers exploited a security vulnerability in WhatsApp to send malicious documents to the victims’ devices. These documents contained spyware that could take control of the phone without the user clicking or opening anything.  

According to reports, the attack was linked to Paragon Solutions, an Israeli company that develops spyware for government agencies. While governments claim such tools help in law enforcement and national security, they have also been misused to spy on journalists, activists, and members of civil society.  


Who Was Targeted?

The specific names of the victims have not been disclosed, but reports confirm that journalists and human rights advocates were among those affected. Many of them were based in European nations, but the attack spread across multiple regions.  

WhatsApp acted quickly to disrupt the attack and alerted the affected users. It also referred them to Citizen Lab, a cybersecurity research group that investigates digital threats.  


What is a Zero-Click Attack?  

A zero-click attack is a form of cyberattack where hackers do not need the victim to click, open, or download anything. Instead, the attack exploits weaknesses in apps or operating systems, allowing spyware to be installed silently.  

Unlike phishing attacks that trick users into clicking harmful links, zero-click attacks bypass user interaction completely, making them much harder to detect or prevent.  


How Dangerous Is This Spyware? 

Once installed, the spyware can:  

1. Access private messages, calls, and photos  

2. Monitor activities and track location  

3. Activate the microphone or camera to record conversations  

4. Steal sensitive personal data

Cybersecurity experts warn that such spyware can be used for mass surveillance, threatening privacy and security worldwide.  


Who is Behind the Attack?  

WhatsApp has linked the spyware to Paragon Solutions, but has not revealed how this conclusion was reached. Authorities and cybersecurity professionals are now investigating further.  


How to Stay Safe from Spyware Attacks

While zero-click attacks are difficult to prevent, you can reduce the risk by:  

1. Keeping Your Apps Updated – Always update WhatsApp and your phone’s operating system to patch security flaws.  

2. Enabling Two-Factor Authentication (2FA) – This adds an extra layer of security to your account.  

3. Being Cautious with Unknown Messages – While this attack required no interaction, remaining alert can help protect against similar threats.  

4. Using Encrypted and Secure Apps – Apps with end-to-end encryption, like WhatsApp and Signal, make it harder for hackers to steal data.  

5. Monitoring Unusual Phone Activity – If your phone suddenly slows down, heats up, or experiences rapid battery drain, it may be infected. Run a security scan immediately.  

This WhatsApp attack is a reflection of the growing threats posed by spyware. As hacking methods become more advanced and harder to detect, users must take steps to protect their digital privacy. WhatsApp’s quick response limited the damage, but the incident highlights the urgent need for stronger cybersecurity measures to prevent such attacks in the future.


Read more »
Spyware Attack
Cyber Attacks Hacking WhatsApp Israeli Firm Israeli spyware Malicious Software Spyware Spyware Attack

WhatsApp Uncovers Zero-Click Spyware Attack Linked to Israeli Firm Paragon

 

WhatsApp has uncovered a stealthy spyware attack attributed to Israeli firm Paragon, targeting nearly 100 users worldwide, including journalists and civil society members. This zero-click attack required no user interaction, making it particularly dangerous as it could infiltrate devices without victims clicking on links or downloading attachments. 

A WhatsApp spokesperson confirmed that the company successfully identified and blocked the exploit, directly notifying those affected. The investigation, supported by cybersecurity research group Citizen Lab, revealed that the spyware could extract private messages, access call logs, view photos, and even activate the device’s microphone and camera remotely. John Scott-Railton, a senior researcher at Citizen Lab, highlighted the broader risks associated with such surveillance tools. He stressed the need for greater accountability within the spyware industry, warning that unchecked surveillance capabilities pose serious threats to personal privacy and digital security. 

Italian media outlet Fanpage.io first reported the breach, revealing that its director, Francesco Cancellato, was among the targeted individuals. WhatsApp informed him that malicious software might have compromised his device, potentially granting unauthorized access to sensitive data. In response, Cancellato and a team of independent analysts are examining the extent of the breach and working to determine who orchestrated the espionage. Paragon, which has positioned itself as a more ethical alternative to controversial spyware vendors like NSO Group, now faces increased scrutiny. 

The company had been seeking entry into the U.S. market but encountered regulatory hurdles after concerns arose over national security risks and human rights implications. The Biden administration’s executive order on commercial spyware, designed to curb the spread of digital surveillance tools, contributed to the suspension of a key contract for Paragon. Cybersecurity experts caution that even democratic governments have misused surveillance technology when regulatory oversight is inadequate. 

The exposure of Paragon’s spyware campaign raises questions about the potential for abuse, especially in the hands of entities operating with minimal transparency. Experts argue that unless stringent policies are enforced, spyware firms will continue to develop and distribute invasive surveillance tools without accountability. Paragon has yet to respond to the allegations, but the revelations about its activities are likely to fuel ongoing debates over the ethics of commercial spyware. 

This case underscores the urgent need for stronger global regulations to prevent the misuse of surveillance technologies and protect individuals from unauthorized digital intrusions.
Read more »
Subscribe to: Posts (Atom)