Category: Cybersecurity

  • Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

    Sep 03, 2025 | Ravie Lakshmanan | Threat Intelligence / Network Security

    Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

    “Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”

    The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”

    Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.

    Such attacks are typically launched from botnets of devices, be they computers, IoT devices, or other machines, that the threat actors have already infected with malware and brought under their control.

    “The initial impact of a volumetric attack is to create congestion that degrades the performance of network connections to the internet, servers, and protocols, potentially causing outages,” Akamai says in an explanatory note.

    “However, attackers may also use volumetric attacks as a cover for more sophisticated exploits, which we refer to as ‘smoke screen’ attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector) that allow them to surreptitiously penetrate network defenses to steal data, transfer funds, access high-value accounts, or cause further exploitation.”

    The development comes a little over two months after Cloudflare said it blocked in mid-May 2025 a DDoS attack that hit a peak of 7.3 Tbps targeting an unnamed hosting provider.

    In July 2025, the company also said hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – skyrocketed in the second quarter of 2025, scaling a new high of 6,500 in comparison to 700 hyper-volumetric DDoS attacks in Q1 2025.

    The development comes as Bitsight detailed the RapperBot kill chain, which targets network video recorders (NVRs) and other IoT devices for purposes of enlisting them into a botnet capable of carrying out DDoS attacks. The botnet infrastructure was taken down last month as part of a law enforcement operation.

    In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in NVRs to gain initial access and download the next-stage RapperBot payload by mounting a remote NFS file system (“104.194.9[.]127”) and executing it.

    This is accomplished by means of a path traversal flaw in the web server that leaks valid administrator credentials; those credentials are then used to push a fake firmware update that runs a set of bash commands to mount the share and execute the RapperBot binary matching the system architecture.

    “No wonder the attackers choose to use NFS mount and execute from that share, this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice,” security researcher Pedro Umbelino said. “Of course, this means the attackers had to thoroughly research this brand and model and design an exploit that could work under these limited conditions.”

    The malware subsequently obtains the DNS TXT records associated with a set of hard-coded domains (“iranistrash[.]libre” and “pool.rentcheapcars[.]sbs”) in order to get the actual list of command-and-control (C2) server IP addresses.

    The C2 IP addresses, in turn, are mapped to a C2 domain whose fully qualified domain name (FQDN) is generated using a simplified domain generation algorithm (DGA) that consists of a combination of four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using hard-coded DNS servers.

    RapperBot then establishes an encrypted connection to the C2 domain that carries a valid DNS TXT record, from which it receives the commands needed to launch DDoS attacks. The malware can also be commandeered to scan the internet for open ports to further propagate the infection.
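    As an added illustration (not Bitsight's code or the malware's), the following Python sketches how a defender could hunt DNS query logs for the behaviour just described: TXT lookups for the two domains named in the write-up, queries sent to resolvers other than the organisation's own, and hits on the fully enumerated candidate space of a four-by-four-by-two combinatorial DGA. The log format, the resolver addresses, and the DGA word lists are assumptions; the article gives only the shape of the DGA, not its words.

```python
"""Hunt DNS query logs for the RapperBot C2 lookup pattern (added example)."""
import itertools
import re
from collections import defaultdict

# Domains named in the Bitsight write-up (defanged in the article, undefanged here).
RAPPERBOT_TXT_DOMAINS = {"iranistrash.libre", "pool.rentcheapcars.sbs"}

# Resolvers the organisation runs itself (assumed values for this example); the
# malware resolves its DGA names through hard-coded external DNS servers instead.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Placeholder word lists: the article gives the DGA's shape (four subdomains,
# four domains, two TLDs) but not the actual words, so these are made up.
DGA_SUBDOMAINS = ("sub1", "sub2", "sub3", "sub4")
DGA_DOMAINS = ("dom1", "dom2", "dom3", "dom4")
DGA_TLDS = ("tld1", "tld2")

# Constructed sample log (not real data), one query per line:
#   <timestamp> <client> -> <resolver> <qtype> <qname>
SAMPLE_DNS_LOG = """\
2025-08-01T12:00:00Z 10.20.30.41 -> 10.0.0.53 A www.example.com
2025-08-01T12:00:02Z 10.20.30.77 -> 10.0.0.53 TXT iranistrash.libre
2025-08-01T12:00:03Z 10.20.30.77 -> 10.0.0.53 TXT pool.rentcheapcars.sbs
2025-08-01T12:00:05Z 10.20.30.77 -> 198.51.100.53 A sub2.dom3.tld1
2025-08-01T12:00:09Z 10.20.30.41 -> 10.0.0.53 TXT _dmarc.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<resolver>\S+) (?P<qtype>\S+) (?P<qname>\S+)$"
)


def dga_candidates(subdomains=DGA_SUBDOMAINS, domains=DGA_DOMAINS, tlds=DGA_TLDS):
    """Enumerate every FQDN a combinatorial DGA of this shape can produce.

    With 4 x 4 x 2 = 32 names the whole space fits in a blocklist, which is
    what makes this kind of DGA far easier to defend against than a time- or
    seed-driven one.
    """
    return {f"{s}.{d}.{t}" for s, d, t in itertools.product(subdomains, domains, tlds)}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text, candidates=None):
    """Return {client: [(indicator, detail), ...]} for clients showing any of the
    three behaviours; clients with no findings are absent from the result."""
    candidates = dga_candidates() if candidates is None else candidates
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        qname = ev["qname"].rstrip(".").lower()
        client = ev["client"]
        # 1. TXT lookups for the domains the malware uses to fetch its C2 IP list.
        if ev["qtype"] == "TXT" and qname in RAPPERBOT_TXT_DOMAINS:
            findings[client].append(("rapperbot_txt_lookup", qname))
        # 2. Any query for a name inside the enumerated DGA space.
        if qname in candidates:
            findings[client].append(("dga_candidate", qname))
        # 3. DNS sent to a resolver the organisation does not operate.
        if ev["resolver"] not in APPROVED_RESOLVERS:
            findings[client].append(("unapproved_resolver", ev["resolver"]))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in detect(SAMPLE_DNS_LOG).items():
        print(client, hits)
```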

    “Their methodology is simple: scan the Internet for old edge devices (like DVRs and routers), brute-force or exploit and make them execute the botnet malware,” Bitsight said. “No persistence is actually needed, just scan and infect, again and again. Because the vulnerable devices continue to be exposed out there and they are easier to find than ever before.”


    Source: thehackernews.com…

  • CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

    Sep 03, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Range Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device.

    “This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot,” the agency said. “The attacker can then obtain incorrect access control by setting a new administrative password.”

    According to malwrforensics, the issue has been fixed with firmware version TL-WA855RE(EU)_V5_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it’s unlikely to receive any patches or updates. Users of the Wi-Fi range extender are advised to replace their gear with a newer model that addresses the issue.

    CISA has not shared any details on how the vulnerability is being exploited in the wild, by whom, or on the scale of such attacks.

    Also added to the KEV catalog is a security flaw that WhatsApp disclosed last week (CVE-2025-55177, CVSS score: 5.4) as having been exploited as part of a highly-targeted spyware campaign by chaining it with an Apple iOS, iPadOS, and macOS vulnerability (CVE-2025-43300, CVSS score: 8.8).

    Not much is known about who was targeted and which commercial spyware vendor is behind the attacks, but WhatsApp told The Hacker News that it sent in-app threat notifications to fewer than 200 users who may have been targeted as part of the campaign.

    Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations for both vulnerabilities by September 23, 2025, to counter active threats.


    Source: thehackernews.com…

  • Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations

    Sep 03, 2025 | Ravie Lakshmanan | Data Breach / Threat Intelligence

    Salesloft on Tuesday announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens.

    “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.”

    The company said its top priority is to ensure the integrity and security of its systems and customers’ data, and that it’s working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts.

    The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what they described as a widespread data theft campaign that leveraged stolen OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent to breach customers’ Salesforce instances.

    “Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” the company said last week.

    The activity has been attributed to a threat cluster dubbed UNC6395 (aka GRUB1), with Google telling The Hacker News that more than 700 organizations may have been impacted.

    While it was initially claimed that the exposure was limited to Salesloft’s integration with Salesforce, it has since emerged that any platform integrated with Drift is potentially compromised. Exactly how the threat actors gained initial access to Salesloft Drift remains unknown at this stage.

    The incident has also prompted Salesforce to temporarily disable all Salesloft integrations with Salesforce as a precautionary measure. Some of the businesses that have confirmed being impacted by the breach are as follows –

    “We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” Cloudflare said.

    “Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”


    Source: thehackernews.com…

  • Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE

    Sep 02, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.

    The attack, observed by NCC Group’s Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee’s system.

    “From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,” Yun Zheng Hu and Mick Koomen said. “Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack.”

    The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim.

    Although the exact initial access vector is currently not known, the foothold is leveraged to deploy a loader called PerfhLoader, which then drops PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (aka SIMPLESEA). The cybersecurity company said there is some evidence to suggest that a then-zero-day exploit in the Chrome browser was used in the attack.

    Also delivered along with PondRAT are a number of other tools, including a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs like MidProxy and Proxy Mini.

    “PondRAT is a straightforward RAT that allows an operator to read and write files, start processes, and run shellcode,” Fox-IT said, adding it dates back to at least 2021. “The actor used PondRAT in combination with ThemeForestRAT for roughly three months, to afterwards clean up and install the more sophisticated RAT called RemotePE.”

    The PondRAT malware is designed to communicate over HTTP(S) with a hard-coded command-and-control (C2) server to receive further instructions, with ThemeForestRAT launched directly in memory either via PondRAT or a dedicated loader.

    ThemeForestRAT, like PondRAT, monitors for new Remote Desktop (RDP) sessions and contacts a C2 server over HTTP(S) to retrieve as many as twenty commands: enumerate files and directories, perform file operations, execute commands, test TCP connections, timestomp a file based on another file on disk, get a process listing, download files, inject shellcode, spawn processes, and hibernate for a specified amount of time.

    Fox-IT said ThemeForestRAT shares similarities with a malware codenamed RomeoGolf that was put to use by the Lazarus Group in the November 2014 destructive wiper attack against Sony Pictures Entertainment (SPE). It was documented by Novetta as part of a collaborative effort known as Operation Blockbuster.

    RemotePE, on the other hand, is retrieved from a C2 server by RemotePELoader, which, in turn, is loaded by DPAPILoader. Written in C++, RemotePE is a more advanced RAT that’s likely reserved for high-value targets.

    “PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose,” Fox-IT said. “For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only.”


    Source: thehackernews.com…

  • Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control

    Sep 02, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

    Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems.

    “MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management,” QiAnXin XLab said in a report published last week. “Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility.”

    MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda.

    The malware’s stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network communication, or opting for plaintext or AES encryption to secure network traffic.

    MystRodX also supports what’s called a wake-up mode, thereby enabling it to function as a passive backdoor that can be triggered following the receipt of specially crafted DNS or ICMP network packets from incoming traffic. There is evidence to suggest that the malware may have been around since at least January 2024, based on an activation timestamp set in the configuration.

    “Magic value is verified, MystRodX establishes communication with the C2 [command-and-control] using the specified protocol and awaits further commands,” XLab researchers said. “Unlike well-known stealth backdoors like SYNful Knock, which manipulates TCP header fields to hide commands, MystRodX uses a simpler yet effective approach: it hides activation instructions directly in the payload of ICMP packets or within DNS query domains.”

    The malware is delivered by means of a dropper that makes use of a spate of debugger- and virtual machine-related checks to determine if the current process is being debugged or it’s being run within a virtualized environment. Once the validation step is complete, the next-stage payload is decrypted. It contains three components –

    • daytime, a launcher responsible for launching chargen
    • chargen, the MystRodX backdoor component, and
    • busybox
    MystRodX, once executed, continuously monitors the daytime process, and if it is not found to be running, immediately launches it. Its configuration, which is encrypted using the AES algorithm, contains information pertaining to the C2 server, backdoor type, and main and backup C2 ports.

    “When the Backdoor Type is set to 1, MystRodX enters passive backdoor mode and waits for an activation message,” XLab said. “When the value of Backdoor Type is not 1, MystRodX enters active backdoor mode and establishes communication with the C2 specified in the configuration, waiting to execute the received commands.”


    Source: thehackernews.com…

  • Shadow AI Discovery: A Critical Part of Enterprise AI Governance

    Sep 02, 2025 | The Hacker News | Data Privacy / SaaS Security

    The Harsh Truths of AI Adoption

    MIT’s State of AI in Business report revealed that while 40% of organizations have purchased enterprise LLM subscriptions, over 90% of employees are actively using AI tools in their daily work. Similarly, research from Harmonic Security found that 45.4% of sensitive AI interactions come from personal email accounts, where employees are bypassing corporate controls entirely.

    This has, understandably, led to plenty of concerns around a growing “Shadow AI Economy”. But what does that mean and how can security and AI governance teams overcome these challenges?

    Contact Harmonic Security to learn more about Shadow AI discovery and enforcing your AI usage policy.

    AI Usage Is Driven by Employees, Not Committees

    Enterprises incorrectly view AI use as something that comes top-down, defined by their own visionary business leaders. We now know that’s wrong. In most cases, employees are driving adoption from the bottom up, often without oversight, while governance frameworks are still being defined from the top down. Even if they have enterprise-sanctioned tools, they are often eschewing these in favor of other newer tools that are better-placed to improve their productivity.

    Unless security leaders understand this reality, uncover and govern this activity, they are exposing the business to significant risks.

    Why Blocking Fails

    Many organizations have tried to meet this challenge with a “block and wait” strategy. This approach seeks to restrict access to well-known AI platforms and hope adoption slows.

    The reality is different.

    AI is no longer a category that can be easily fenced off. From productivity apps like Canva and Grammarly to collaboration tools with embedded assistants, AI is woven into nearly every SaaS app. Blocking one tool only drives employees to another, often through personal accounts or home devices, leaving the enterprise blind to real usage.

    This is not the case for all enterprises, of course. Forward-leaning security and AI governance teams are looking to proactively understand what employees are using and for what use cases. They seek to understand what is happening and how to help their employees use the tools as securely as possible.

    Shadow AI Discovery as a Governance Imperative

    An AI asset inventory is a regulatory requirement and not a nice-to-have. Frameworks like the EU AI Act explicitly mandate organizations to maintain visibility into the AI systems in use, because without discovery there is no inventory, and without an inventory there can be no governance. Shadow AI is a key component of this.

    Different AI tools pose different risks. Some may quietly train on proprietary data, others may store sensitive information in jurisdictions like China, creating intellectual property exposure. To comply with regulations and protect the business, security leaders must first uncover the full scope of AI usage, spanning sanctioned enterprise accounts and unsanctioned personal ones.

    Once armed with this visibility, organizations can separate low-risk use cases from those involving sensitive data, regulated workflows, or geographic exposure. Only then can they enforce meaningful governance policies that both protect data and enable employee productivity.

    How Harmonic Security Helps

    Harmonic Security enables this approach by delivering intelligence controls for employee use of AI. This includes continuous monitoring of Shadow AI, with off-the-shelf risk assessments for each application.

    Instead of relying on static block lists, Harmonic provides visibility into both sanctioned and unsanctioned AI use, then applies smart policies based on the sensitivity of the data, the role of the employee, and the nature of the tool.

    That means a marketing team might be permitted to put specific information into specific tools for content creation, while HR or legal teams are restricted from using personal accounts for sensitive employee information. This is underpinned by models that can identify and classify information as employees share the data. This enables teams to enforce AI policies with the necessary precision.

    The Path Forward

    Shadow AI is here to stay. As more SaaS applications embed AI, unmanaged use will only expand. Organizations that fail to address discovery today will find themselves unable to govern tomorrow.

    The path forward is to govern it intelligently, rather than block it. Shadow AI discovery gives CISOs the visibility they need to protect sensitive data, meet regulatory requirements, and empower employees to safely take advantage of AI’s productivity benefits.

    Harmonic Security is already helping enterprises take this next step in AI governance.

    For CISOs, it’s no longer a question of whether employees are using Shadow AI…it’s whether you can see it.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices

    Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025.

    The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec.

    “We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles-based autonomous system named TK-NET (AS210848),” according to a report published last week.

    “Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities.”

    AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has announced two prefixes, 45.143.201[.]0/24 and 185.193.89[.]0/24. The two autonomous systems were allocated in May and August 2021, respectively. A major chunk of their prefixes has been announced on AS210848, another autonomous system also allocated in August 2021.

    “This network shares all its peering agreements with IP Volume Inc. – AS202425, a company based in Seychelles and created by Ecatel’s owners, infamous for running an extensively abusive bulletproof hosting service in the Netherlands since 2005,” Intrinsec noted.

    The entirety of prefixes that were moved from AS61432 and AS210950 are now announced by bulletproof and abusive networks fronted by shell companies like Global Internet Solutions LLC (gir.network), Global Connectivity Solutions LLP, Verasel, IP Volume Inc., and Telkom Internet LTD.

    The findings build upon prior disclosures about how multiple networks allocated in August 2021 and based in Ukraine and Seychelles – AS61432, AS210848, and AS210950 – were used for spam distribution, network attacks, and malware command-and-control hosting. In June 2025, some of the IPv4 prefixes announced by these networks were moved to FDN3, which was created in August 2021.

    That’s not all. Three of the prefixes announced by AS210848, and one by AS61432, were previously announced by another Russian network, SibirInvest OOO (AS44446). Of the four IPv4 prefixes announced by FDN3, one of them (88.210.63[.]0/24) is assessed to have been previously announced by a U.S.-based bulletproof hosting solution named Virtualine (AS214940 and AS214943).

    It’s this IPv4 prefix range that has been attributed to large-scale brute-force and password spraying attempts, with the activity scaling to a record high between July 6 and 8, 2025.

    The brute-force and password spraying efforts aimed at SSL VPN and RDP assets could last up to three days, per Intrinsec. It’s worth noting that these techniques have been adopted by various ransomware-as-a-service (RaaS) groups like Black Basta, GLOBAL GROUP, and RansomHub as an initial access vector to breach corporate networks.
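    As an added example (not Intrinsec's code), the Python below shows the detection logic a defender would run over VPN and RDP authentication logs to separate the two patterns the report describes: password spraying (one source, many accounts, a guess or two each) and classic brute force (one source hammering one account), and to flag sources that fall inside the prefixes the report names. The log format and the organisation's own addresses are assumptions; the prefixes are the ones quoted in the article.

```python
"""Spot password spraying and brute force in auth logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# IPv4 prefixes the Intrinsec report attributes to FDN3 and the related
# networks (defanged in the article, undefanged here so they can be matched).
ABUSIVE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "88.210.63.0/24", "92.63.197.0/24", "185.156.73.0/24",
    "185.156.72.0/24", "45.143.201.0/24", "185.193.89.0/24",
)]

# Constructed sample log (not real data): a key=value auth log for an SSL VPN
# and an RDP gateway. 88.210.63.17 sprays one guess across many accounts,
# 203.0.113.9 hammers a single account, 198.51.100.4 is an ordinary typo.
SAMPLE_LOG = """\
2025-07-06T10:00:01Z service=sslvpn result=FAIL user=alice src=88.210.63.17
2025-07-06T10:00:03Z service=sslvpn result=FAIL user=bob src=88.210.63.17
2025-07-06T10:00:05Z service=sslvpn result=FAIL user=carol src=88.210.63.17
2025-07-06T10:00:07Z service=sslvpn result=FAIL user=dave src=88.210.63.17
2025-07-06T10:00:09Z service=sslvpn result=FAIL user=erin src=88.210.63.17
2025-07-06T10:00:11Z service=sslvpn result=FAIL user=frank src=88.210.63.17
2025-07-06T10:01:00Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:04Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:08Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:12Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:16Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:20Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:24Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:01:28Z service=rdp result=FAIL user=admin src=203.0.113.9
2025-07-06T10:02:00Z service=sslvpn result=FAIL user=carol src=198.51.100.4
2025-07-06T10:02:30Z service=sslvpn result=OK user=carol src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_abusive_prefix(ip):
    """True if the address (string or ip_address object) is inside a named prefix."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ABUSIVE_PREFIXES)


def analyse(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Return {src: finding} for sources whose failures within any `window`
    look like password spraying (many distinct accounts) or brute force
    (many attempts on one account). Unflagged sources are absent."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            per_user = Counter(e["user"] for e in win)
            kind = None
            if len(per_user) >= spray_users:
                kind = "password_spray"
            elif max(per_user.values()) >= brute_attempts:
                kind = "brute_force"
            if kind:
                findings[str(src)] = {
                    "kind": kind,
                    "distinct_users": len(per_user),
                    "attempts": len(win),
                    "known_abusive_prefix": in_abusive_prefix(src),
                }
    return findings


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```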

    The two other prefixes that FDN3 announced in June, 92.63.197[.]0/24 and 185.156.73[.]0/24, were previously announced by AS210848, indicating a high degree of operational overlap. 92.63.197[.]0/24, for its part, has ties to Bulgarian spam networks like ROZA-AS (AS212283).

    “All those strong similarities, including their configuration, the content they host, and their creation date, led us to assess with a high level of confidence the previously mentioned autonomous systems to be operated by a common bulletproof hosting administrator,” Intrinsec explained.

    Further analysis of FDN3 has uncovered ties to a Russian company called Alex Host LLC that, in the past, has been linked to bulletproof hosting providers like TNSECURITY, which have been used to host Doppelganger infrastructure.

    “This investigation once again highlights a common phenomenon of offshore ISPs such as IP Volume Inc. enabling smaller bulletproof networks through peering agreements and prefix hosting overall,” the company said. “Thanks to their offshore location, such as Seychelles, which provides anonymity to the owners of those companies, the malicious activities perpetrated through those networks cannot be directly imputed to them.”

    The development comes as Censys uncovered a connect-back proxy management system associated with the PolarEdge botnet that’s currently running on over 2,400 hosts. The system is an RPX server that operates as a reverse-connect proxy gateway capable of managing proxy nodes and exposing proxy services.

    “This system appears to be a well-designed server that may be one of the many tools used for managing the PolarEdge botnet,” senior security researcher Mark Ellzey said. “It is also possible that this specific service is completely unrelated to PolarEdge and is instead a service that the botnet utilizes to jump between different relays.”


    Source: thehackernews.com…

  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

    The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.

    The vulnerable driver in question is “amsdk.sys” (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that’s assessed to be built upon Zemana Anti-Malware SDK.

    “This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers,” Check Point said in an analysis.

    The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver (“zam.exe”) is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11.

    The WatchDog Anti-malware driver has been found to contain multiple vulnerabilities, the first and foremost being the ability to terminate arbitrary processes without verifying whether the process is running as protected (PP/PPL). It’s also susceptible to local privilege escalation, allowing an attacker to gain unrestricted access to the driver’s device.

    The end goal of the campaign, first spotted by Check Point in late May 2025, is to leverage these vulnerable drivers to neutralize endpoint protection products, creating a clear path for malware deployment and persistence without triggering signature-based defenses.

    As observed before, the campaign is designed to deliver ValleyRAT (aka Winos 4.0) as the final payload, providing remote access and control capabilities to the threat actor. The cybersecurity company said the attacks employ an all-in-one loader, encapsulating anti-analysis features, two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader in one binary.

    “Upon execution, the sample performs a few common anti-analysis checks, such as Anti-VM (detection of virtual environments), Anti-Sandbox (detection of execution within a sandbox), hypervisor detection, and others,” Check Point said. “If any of these checks fail, the execution is aborted, and a fake system error message is displayed.”

    The downloader is designed to communicate with a command-and-control (C2) server to fetch the modular ValleyRAT backdoor onto the infected machine.

    Following responsible disclosure, Watchdog released a patch (version 1.1.100) that addresses the LPE risk by enforcing a strong Discretionary Access Control List (DACL) but does not fix the arbitrary process termination issue. The attackers swiftly adapted: they took the patched driver and altered just a single byte, producing a new file hash without invalidating Microsoft’s signature.

    “By flipping a single byte in the unauthenticated timestamp field, they preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists,” Check Point noted. “This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns.”

    “This campaign demonstrates how threat actors are moving beyond known weaknesses to weaponize unknown, signed drivers—a blind spot for many defense mechanisms. The exploitation of a Microsoft-signed, previously unclassified vulnerable driver, combined with evasive techniques such as signature manipulation, represents a sophisticated and evolving threat.”

    Silver Fox, also called SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, is assessed to be highly active since early last year, primarily targeting Chinese-speaking victims using fake websites masquerading as Google Chrome, Telegram, and artificial intelligence (AI)-powered tools like DeepSeek to distribute remote access trojans like ValleyRAT.

    According to Chinese cybersecurity vendor Antiy, the hacking group is believed to have been around since the second half of 2022, targeting domestic users and companies with an attempt to steal secrets and defraud them.

    “The cybercriminal group mainly spreads malicious files through instant messaging software (WeChat, Enterprise WeChat, etc. ), search engine SEO promotion, phishing emails, etc.,” the company said. “The ‘SwimSnake’ cybercriminal group is still frequently updating malware and AV evasion methods.”

    The attacks employ trojanized versions of open-source software, malicious programs built using the Qt framework, or MSI installers disguised as Youdao, Sogou AI, WPS Office, and DeepSeek to serve Valley RAT, including its online module that can capture screenshots of WeChat and online banks.

    The development comes as QiAnXin also detailed a separate campaign mounted by the “Finance Group” within Silver Fox that targets financial personnel and managers of enterprises and institutions, aiming to plunder sensitive financial information or directly profit through fraud.

    These attacks leverage phishing lures related to tax audits, electronic invoices, subsidy announcements, and personnel transfers to deceive users into running remote access trojans, while relying on legitimate cloud services such as Alibaba Cloud OSS and Youdao Cloud Notes to host malicious payloads in an attempt to sidestep detection.

    The Finance Group is one of four sub-clusters within Silver Fox, the other three being the News and Romance Group, the Design and Manufacturing Group, and the Black Watering Hole Group.

    Interestingly, after the Finance Group gains control of a victim’s computer through methods like watering hole attacks and phishing, it takes over the victim’s social media accounts and uses them to send phishing QR codes to various WeChat group chats with the goal of harvesting bank account numbers and passwords from group members, ultimately draining funds from their bank accounts for profit.

    “UTG-Q-1000 is one of the most active and aggressive cybercrime groups in China in recent years. Their operations are highly organized, technically sophisticated, and financially motivated,” QiAnXin said. “They’ve established a complete black-market profit chain involving: espionage (data theft), remote control via malware, and financial fraud and phishing.”


    Source: thehackernews.com…

  • Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

    Sep 02, 2025Ravie LakshmananCryptocurrency / Malware

    Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems.

    The package, named nodejs-smtp, impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README descriptions, attracting a total of 347 downloads since it was uploaded to the npm registry in April 2025 by a user named “nikotimon.” It’s currently no longer available.

    “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory,” Socket researcher Kirill Boychenko said.

    The main objective is to overwrite the recipient address with hard-coded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions, effectively acting as a cryptocurrency clipper.

    That said, the package delivers on its stated functionality, acting as an SMTP-based mailer so as not to raise developers’ suspicion.

    The package still works as a mailer and exposes a drop-in interface compatible with nodemailer. That functional cover lowers suspicion, allows application tests to pass, and gives developers little reason to question the dependency.

    The development comes months after ReversingLabs discovered an npm package named “pdf-to-office” that achieved the same goals by unpacking the “app.asar” archives associated with Atomic and Exodus wallets and modifying a JavaScript file within them to introduce the clipper function.

    “This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots,” Boychenko said. “By abusing import time execution and Electron packaging, a lookalike mailer becomes a wallet drainer that alters Atomic and Exodus on compromised Windows systems.”


    Source: thehackernews.com…

  • Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

    Sep 01, 2025Ravie LakshmananMobile Security / Malvertising

    Cybersecurity researchers are calling attention to a new shift in the Android malware landscape in which dropper apps, typically used to deliver banking trojans, are now also being used to distribute simpler malware such as SMS stealers and basic spyware.

    These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week.

    The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices.

    “Google Play Protect’s defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run,” the company said. “Second, actors want to future-proof their operations.”

    “By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.”

    ThreatFabric said that while Google’s strategy ups the ante by blocking a malicious app from being installed even before a user can interact with it, attackers are trying out new ways to get around the safeguards — an indication of the endless game of whack-a-mole when it comes to security.

    This includes designing droppers with Google’s Pilot Program in mind, so that they request no high-risk permissions and show only a harmless “update” screen that passes scanning in those regions.

    But it’s only when the user clicks the “Update” button that the actual payload gets fetched from an external server or unpacked, which then proceeds to seek the necessary permissions to fulfil its objectives.

    “Play Protect may display alerts about the risks, as a part of a different scan, but as long as the user accepts them, the app is installed, and the payload is delivered,” ThreatFabric said. “This illustrates a critical gap: Play Protect still allows risky apps through if the user clicks Install anyway, and the malware still slips through the Pilot Program.”

    One such dropper is RewardDropMiner, which has been found to serve, alongside spyware payloads, a Monero cryptocurrency miner that can be activated remotely. Recent variants of the tool, however, no longer include the miner functionality.

    Some of the malicious apps delivered via RewardDropMiner, all targeting users in India, are listed below –

    • PM YOJANA 2025 (com.fluvdp.hrzmkgi)
    • °RTO Challan (com.epr.fnroyex)
    • SBI Online (com.qmwownic.eqmff)
    • Axis Card (com.tolqppj.yqmrlytfzrxa)

    Other dropper variants that avoid triggering Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.

    When reached for comment, Google told The Hacker News it has not found any apps using these techniques distributed via the Play Store and that it’s constantly adding new protections.

    “Regardless of where an app comes from – even if it’s installed by a ‘dropper’ app – Google Play Protect helps to keep users safe by automatically checking it for threats,” a spokesperson said.

    “Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware have been found on Google Play. We’re constantly enhancing our protections to help keep users safe from bad actors.”

    The development comes as Bitdefender Labs has warned of a new campaign that’s using malicious ads on Facebook to peddle a free premium version of the TradingView app for Android to ultimately deploy an improved version of the Brokewell banking trojan to monitor, control, and steal sensitive information from the victim’s device.

    No less than 75 malicious ads have been run since July 22, 2025, reaching tens of thousands of users in the European Union alone. The Android attack wave is just one part of a larger malvertising operation that has abused Facebook Ads to also target Windows desktops under the guise of various financial and cryptocurrency apps.

    “This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior,” the Romanian cybersecurity company said. “By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms.”


    Source: thehackernews.com…