Category: Cybersecurity

Nov 24, 2025Ravie LakshmananCloud Security / Vulnerability

Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that’s reminiscent of the Shai-Hulud attack.

The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, and Wiz.

“The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments,” Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said.

Like the Shai-Hulud attack that came to light in September 2025, the latest activity also publishes stolen secrets to GitHub, this time with the repository description: “Sha1-Hulud: The Second Coming.”

The prior wave was characterized by the compromise of legitimate packages to push malicious code designed to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control.

The infected variants also came with the ability to propagate in a self-replicating manner by re-publishing itself into other npm packages owned by the compromised maintainer.

In the latest set of attacks, the attackers have been found to add to a preinstall script (“setup_bun.js”) in the package.json file, which is configured to stealthily install or locate the Bun runtime and run a bundled malicious script (“bun_environment.js”).

The malicious payload carries out the following sequence of actions through two different workflows –

Wiz said it spotted over 25,000 affected repositories across about 350 unique users, with 1,000 new repositories being added consistently every 30 minutes in the last couple of hours.

“This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors,” Wiz said. “The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation.”

Koi Security called the second wave a lot more aggressive, adding that the malware attempts to destroy the victim’s entire home directory if it fails to authenticate or establish persistence. This includes every writable file owned by the current user under their home folder. However, this wiper-like functionality is triggered only when the following conditions are satisfied –

• It cannot authenticate to GitHub
• It cannot create a GitHub repository
• It cannot fetch a GitHub token
• It cannot find an npm token

“In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction,” security researchers Yuval Ronen and Idan Dardikman said. “This marks a significant escalation from the first wave, shifting the actor’s tactics from purely data-theft to punitive sabotage.”

To mitigate the risk posed by the threat, organizations are being urged to scan all endpoints for the presence of impacted packages, remove compromised versions with immediate effect, rotate all credentials, and audit repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or unexpected branches.

(This is a developing story and will be updated as new details emerge.)

New research from CrowdStrike has revealed that DeepSeek’s artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China.

“We found that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security vulnerabilities increases by up to 50%,” the cybersecurity company said.

The Chinese AI company previously attracted national security concerns, leading to a ban in many countries. Its open-source DeepSeek-R1 model was also found to censor topics considered sensitive by the Chinese government, refusing to answer questions about the Great Firewall of China or the political status of Taiwan, among others.

In a statement released earlier this month, Taiwan’s National Security Bureau warned citizens to be vigilant when using Chinese-made generative AI (GenAI) models from DeepSeek, Doubao, Yiyan, Tongyi, and Yuanbao, owing to the fact that they may adopt a pro-China stance in their outputs, distort historical narratives, or amplify disinformation.

“The five GenAI language models are capable of generating network attacking scripts and vulnerability-exploitation code that enable remote code execution under certain circumstances, increasing risks of cybersecurity management,” the NSB said.

CrowdStrike said its analysis of DeepSeek-R1 found it to be a “very capable and powerful coding model,” generating vulnerable code only in 19% of cases when no additional trigger words are present. However, once geopolitical modifiers were added to the prompts, the code quality began to experience variations from the baseline patterns.

Specifically, when instructing the model that it was to act as a coding agent for an industrial control system based in Tibet, the likelihood of it generating code with severe vulnerabilities jumped to 27.2%, which is nearly a 50% increase.

While the modifiers themselves don’t have any bearing on the actual coding tasks, the research found that mentions of Falun Gong, Uyghurs, or Tibet lead to significantly less secure code, indicating “significant deviations.”

In one example highlighted by CrowdStrike, asking the model to write a webhook handler for PayPal payment notifications in PHP as a “helpful assistant” for a financial institution based in Tibet generated code that hard-coded secret values, used a less secure method for extracting user-supplied data, and, worse, is not even valid PHP code.

While the produced app was functional, a deeper analysis uncovered that the model did not implement session management or authentication, exposing user data. In 35% of the implementations, DeepSeek-R1 was found to have used no hashing, or, in scenarios where it did, the method was insecure.

Interestingly, tasking the model with the same prompt, but this time for a football fanclub website, generated code that did not exhibit these behaviors. “While, as expected, there were also some flaws in those implementations, they were by no means as severe as the ones seen for the above prompt about Uyghurs,” CrowdStrike said.

Lastly, the company also said it discovered what appears to be an “intrinsic kill switch” embedded with the DeepSeek platform.

Besides refusing to write code for Falun Gong, a religious movement banned in China, in 45% of cases, an examination of the reasoning trace has revealed that the model would develop detailed implementation plans internally for answering the task before abruptly refusing to produce output with the message: “I’m sorry, but I can’t assist with that request.”

There are no clear reasons for the observed differences in code security, but CrowdStrike theorized that DeepSeek has likely added specific “guardrails” during the model’s training phase to adhere to Chinese laws, which require AI services to not produce illegal content or generate results that could undermine the status quo.

“The present findings do not mean DeepSeek-R1 will produce insecure code every time those trigger words are present,” CrowdStrike said. “Rather, in the long-term average, the code produced when these triggers are present will be less secure.”

The development comes as OX Security’s testing of AI code builder tools like Lovable, Base44, and Bolt found them to generate insecure code by default, even when including the term “secure” in the prompt.

All three tools, which were tasked with creating a simple wiki app, produced code with a stored cross-site scripting (XSS) vulnerability, security researcher Eran Cohen said, rendering the site susceptible to payloads that exploit an HTML image tag’s error handler to execute arbitrary JavaScript when passing a non-existent image source.

This, in turn, could open the door to attacks like session hijacking and data theft simply by injecting a malicious piece of code into the site in order to trigger the flaw every time a user visits it.

OX Security also found that Lovable only detected the vulnerability in two out of three attempts, adding that the inconsistency leads to a false sense of security.

“This inconsistency highlights a fundamental limitation of AI-powered security scanning: because AI models are non-deterministic by nature, they may produce different results for identical inputs,” Cohen said. “When applied to security, this means the same critical vulnerability might be caught one day and missed the next – making the scanner unreliable.”

The findings also coincide with a report from SquareX that found a security issue in Perplexity’s Comet AI browser that allows built-in extensions “Comet Analytics” and “Comet Agentic” to execute arbitrary local commands on a user’s device without their permission by taking advantage of a little-known Model Context Protocol (MCP) API.

That said, the two extensions can only communicate with perplexity.ai subdomains and hinge on an attacker staging an XSS or adversary-in-the-middle (AitM) attack to gain access to the perplexity.ai domain or the extensions, and then abuse them to install malware or steal data. Perplexity has since issued an update disabling the MCP API.

In a hypothetical attack scenario, a threat actor could impersonate Comet Analytics by means of extension stomping by creating a rogue add-on that spoofs the extension ID and sideloading it. The malicious extension then injects malicious JavaScript into perplexity.ai that causes the attacker’s commands to be passed to the Agentic extension, which, in turn, uses the MCP API to run malware.

“While there is no evidence that Perplexity is currently misusing this capability, the MCP API poses a massive third-party risk for all Comet users,” SquareX said. “Should either of the embedded extensions or perplexity.ai get compromised, attackers will be able to execute commands and launch arbitrary apps on the user’s endpoint.”

Nov 24, 2025Ravie LakshmananMalware / Vulnerability

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.

“The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” AhnLab Security Intelligence Center (ASEC) said in a report published last week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”

ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a “masterpiece of privately sold malware in Chinese espionage.”

CVE-2025-59287, addressed by Microsoft last month, refers to a critical deserialization flaw in WSUS that could be exploited to achieve remote code execution with system privileges. The vulnerability has since come under heavy exploitation, with threat actors using it to obtain initial access to publicly exposed WSUS instances, conduct reconnaissance, and even drop legitimate tools like Velociraptor.

ShadowPad installed via CVE-2025-59287 exploit

In the attack documented by the South Korean cybersecurity company, the attackers have been found to weaponize the vulnerability to launch Windows utilities like “curl.exe” and “certutil.exe,” to contact an external server (“149.28.78[.]189:42306”) to download and install ShadowPad.

ShadowPad, similar to PlugX, is launched by means of DLL side-loading, leveraging a legitimate binary (“ETDCtrlHelper.exe”) to execute a DLL payload (“ETDApix.dll”), which serves as a memory-resident loader to execute the backdoor.

Once installed, the malware is designed to launch a core module that’s responsible for loading other plugins embedded in the shellcode into memory. It also comes fitted with a variety of anti-detection and persistence techniques.

“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”

Nov 22, 2025Ravie LakshmananCyber Espionage / Cloud Security

The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time.

“In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks,” Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report.

APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is assessed to be active since at least 2010. It has a track record of striking a wide range of sectors, including governments, financial, and aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance.

The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages. In May 2025, the hacking crew was blamed by the Czech Republic for targeting its Ministry of Foreign Affairs.

The attacks aimed at Russia are characterized by the use of legitimate cloud services, mainly those prevalent in the country, like Yandex Cloud, for command-and-control (C2) and data exfiltration in an attempt to blend in with normal traffic and escape detection.

The adversary is also said to have staged encrypted commands and payloads in social media profiles, both domestic and foreign, while also conducting their attacks during weekends and holidays. In at least one attack targeting an IT company, APT31 breached its network as far back as late 2022, before escalating the activity coinciding with the 2023 New Year holidays.

In another intrusion detected in December 2024, the threat actors sent a spear-phishing email containing a RAR archive that, in turn, included a Windows Shortcut (LNK) responsible for launching a Cobalt Strike loader dubbed CloudyLoader via DLL side-loading. Details of this activity were previously documented by Kaspersky in July 2025, while identifying some overlaps with a threat cluster known as EastWind.

The Russian cybersecurity company also said it identified a ZIP archive lure that masqueraded as a report from the Ministry of Foreign Affairs of Peru to ultimately deploy CloudyLoader.

To facilitate subsequent stages of the attack cycle, APT31 has leveraged an extensive set of publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome. Some of them are listed below –

• SharpADUserIP, a C# utility for reconnaissance and discovery
• SharpChrome.exe, to extract passwords and cookies from Google Chrome and Microsoft Edge browsers
• SharpDir, to search files
• StickyNotesExtract.exe, to extract data from the Windows Sticky Notes database
• Tailscale VPN, to create an encrypted tunnel and set up a peer-to-peer (P2P) network between the compromised host and their infrastructure
• Microsoft dev tunnels, to tunnel traffic
• Owawa, a malicious IIS module for credential theft
• AufTime, a Linux backdoor that uses the wolfSSL library to communicate with C2
• COFFProxy, a Golang backdoor that supports commands for tunneling traffic, executing commands, managing files, and delivering additional payloads
• VtChatter, a tool that uses Base64-encoded comments to a text file hosted on VirusTotal as a two-way C2 channel every two hours
• OneDriveDoor, a backdoor that uses Microsoft OneDrive as C2
• LocalPlugX, a variant of PlugX that’s used to spread within the local network, rather than to communicate with C2
• CloudSorcerer, a backdoor that used cloud services as C2
• YaLeak, a .NET tool to upload information to Yandex Cloud

“APT31 is constantly replenishing its arsenal: although they continue to use some of their old tools,” Positive Technologies said. “As C2, attackers actively use cloud services, in particular, Yandex and Microsoft OneDrive services. Many tools are also configured to work in server mode, waiting for attackers to connect to an infected host.”

“In addition, the grouping exfiltrates data through Yandex’s cloud storage. These tools and techniques allowed APT31 to stay unnoticed in the infrastructure of victims for years. At the same time, attackers downloaded files and collected confidential information from devices, including passwords from mailboxes and internal services of victims.”

Nov 22, 2025Ravie LakshmananZero-Day / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.

“Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager,” CISA said.

Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it can permit an attacker to access API endpoints that, in turn, can allow them “to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.”

Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply adding “?WSDL” or “;.wadl” to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.

“This system is very error-prone, and there are typically ways to trick these filters into thinking we’re accessing an unauthenticated route when we’re not,” the researchers noted.

The authentication bypass can then be paired with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution by sending a specially crafted HTTP POST. Even though the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to “write a Groovy annotation that executes at compile time, even though the compiled code is not actually run.”

The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” via HTTP POST requests between August 30 and September 9, 2025.

“There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker,” Ullrich said. “Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.”

This indicates that the vulnerability may have been exploited as a zero-day vulnerability, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below –

• 89.238.132[.]76
• 185.245.82[.]81
• 138.199.29[.]153

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.

Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2.

“This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” Blackfog researcher Brenda Robb said in a Thursday report.

In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites.

Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself, leveraging trusted branding, familiar logos, and convincing language to maintain the ruse.

These include alerts about, say, suspicious logins or browser updates, along with a handy “Verify” or “Update” button that, when clicked, takes the victim to a bogus site.

What makes this a clever technique is that the entire process takes place through the browser without the need for first infecting the victim’s system through some other means. In a way, the attack is like ClickFix in that users are lured into following certain instructions to compromise their own systems, thereby effectively bypassing traditional security controls.

That’s not all. Since the attack plays out via the web browser, it’s also a cross-platform threat. This effectively turns any browser application on any platform that subscribes to the malicious notifications to be enlisted to the pool of clients, giving adversaries a persistent communication channel.

Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit to other threat actors. It’s sold directly through crimeware channels, typically via Telegram and cybercrime forums, under a tiered subscription model: about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year.

“Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access,” Dr. Darren Williams, founder and CEO of BlackFog, told The Hacker News. “Matrix Push was first observed at the beginning of October and has been active since then. There’s no evidence of older versions, earlier branding, or long-standing infrastructure. Everything indicates this is a newly launched kit.”

The tool is accessible as a web-based dashboard, allowing users to send notifications, track each victim in real-time, determine which notifications the victims interacted with, create shortened links using a built-in URL shortening service, and even record installed browser extensions, including cryptocurrency wallets.

“The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages,” Robb explained. “Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services.”

Some of the supported notification verification templates are associated with well-known brands like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The platform also includes an “Analytics & Reports” section that allows its customers to measure the effectiveness of their campaigns and refine them as required.

“Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users,” BlackFog said. “Once a user’s endpoint (computer or mobile device) is under this kind of influence, the attacker can gradually escalate the attack.”

“They might deliver additional phishing messages to steal credentials, trick the user into installing a more persistent malware, or even leverage browser exploits to get deeper control of the system. Ultimately, the end goal is often to steal data or monetize the access, for example, by draining cryptocurrency wallets or exfiltrating personal information.”

Attacks Misusing Velociraptor on the Rise

The development comes as Huntress said it observed a “significant uptick” in attacks weaponizing the legitimate Velociraptor digital forensics and incident response (DFIR) tool over the past three months.

On November 12, 2025, the cybersecurity vendor said threat actors deployed Velociraptor after obtaining initial access through exploitation of a flaw in Windows Server Update Services (CVE-2025-59287, CVSS score: 9.8), which was patched by Microsoft late last month.

Subsequently, the attackers are said to have launched discovery queries with the goal of conducting reconnaissance and gathering details about users, running services, and configurations. The attack was contained before it could progress further, Huntress added.

The discovery shows that threat actors are not just using custom C2 frameworks, but are also employing readily available offensive cybersecurity and incident response tools to their advantage.

“We’ve seen threat actors use legitimate tools long enough to know that Velociraptor won’t be the first dual-use, open-source tool that will pop up in attacks – nor will it be the last,” Huntress researchers said.

Nov 21, 2025Ravie LakshmananVulnerability / Threat Mitigation

Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations.

The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First introduced in April 2025, it’s currently in public preview.

“In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation,” Grafana’s Vardan Torosyan said.

That said, successful exploitation hinges on both conditions being met –

• enableSCIM feature flag is set to true
• user_sync_enabled config option in the [auth.scim] block is set to true

The shortcoming affects Grafana Enterprise versions from 12.0.0 to 12.2.1. It has been addressed in the following versions of the software –

• Grafana Enterprise 12.0.6+security-01
• Grafana Enterprise 12.1.3+security-01
• Grafana Enterprise 12.2.1+security-01
• Grafana Enterprise 12.3.0

“Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. ‘1’) may be interpreted as internal numeric user IDs,” Torosyan said. “In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation.”

The analytics and observability platform said the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given the severity of the issue, users are advised to apply the patches as soon as possible to mitigate potential risks.

Nov 21, 2025Ravie LakshmananData Protection / Technology

In a surprise move, Google on Thursday announced that it has updated Quick Share, its peer-to-peer file transfer service, to work with Apple’s equipment AirDrop, allowing users to more easily share files and photos between Android and iPhone devices.

The cross-platform sharing feature is currently limited to the Pixel 10 lineup and works with iPhone, iPad, and macOS devices, with plans to expand to additional Android devices in the future.

In order to transfer a file from a Pixel 10 phone over AirDrop, the only caveat is that the owner of the Apple device is required to make sure their iPhone (or iPad or Mac) is discoverable to anyone – which can be enabled for 10 minutes.

Likewise, to receive content from an Apple device, Android device users will need to adjust their Quick Share visibility settings to Everyone for 10 minutes or be in Receive mode on the Quick Share page, according to a support document published by Google.

“We built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products,” Dave Kleidermacher, vice president of Platforms Security and Privacy at Google, said.

At the heart of the future is a multi-layered security approach that’s powered by the memory-safe Rust programming language to create a secure sharing channel that Google said eliminates entire classes of memory safety vulnerabilities, making its implementation resilient against attacks that attempt to exploit memory errors.

The tech giant also noted that the feature does not rely on any workaround and that the data is not routed through a server, adding it’s open to working with Apple to enable “Contacts Only” mode in the future.

“Google’s implementation of its version of Quick Share does not introduce vulnerabilities into the broader protocol’s ecosystem,” NetSPI, which carried out an independent assessment in August 2025, said.

“While it shares specific characteristics with implementations made by other manufacturers, this implementation is reasonably more secure. In fact, the process of file exchange is notably stronger, as it doesn’t leak any information, which is a common weakness in other manufacturers’ implementations.”

That said, its analysis uncovered a low-severity information disclosure vulnerability (CVSS score: 2.1) that could permit an attacker with physical access to the device to access information, such as image thumbnails and SHA256 hashes of phone numbers and email addresses. It has since been addressed by Google.

The development comes as Google said it blocked in India more than 115 million attempts to install sideloaded apps that request access to sensitive permissions for financial fraud. The company also said it’s piloting a new feature in the country in collaboration with financial services like Google Pay, Navi, and Paytm to combat scams that trick users into opening the apps when sharing their screens.

“Devices running Android 11+ now show a prominent alert if a user opens one of these apps while screen sharing on a call with an unknown contact,” Evan Kotsovinos, vice president of privacy, safety, and security at Google, said. “This feature provides a one-tap option to end the call and stop screen sharing, protecting users from potential fraud.

Lastly, Google said it’s also developing Enhanced Phone Number Verification (ePNV), which it described as a new Android-based security protocol that replaces SMS OTP flows with SIM-based verification to improve sign-in security.

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign.

“While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan,” Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez saidsaid.

“This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns.”

APT24, also called Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted government, healthcare, construction and engineering, mining, nonprofit, and telecommunications sectors in the U.S. and Taiwan.

According to a July 2014 report from FireEye, the adversary is believed to be active as early as 2008, with the attacks leveraging pushing emails to trick recipients into opening Microsoft Office documents that, in turn, exploit known security flaws in the software (e.g., CVE-2012-0158 and CVE-2014-1761) to infect systems with malware.

Some of the malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader called MM RAT (aka Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable malware put to use by the threat actor is a backdoor named Taidoor (aka Roudan).

APT24 is assessed to be closely related to another advanced persistent threat (APT) group called Earth Aughisky, which has also deployed Taidoor in its campaigns and has leveraged infrastructure previously attributed to APT24 as part of attacks distributing another backdoor referred to as Specas.

Both the malware strains, per an October 2022 report from Trend Micro, are designed to read proxy settings from a specific file “%systemroot%\system32\sprxx.dll.”

The latest findings from GTIG show that the BADAUDIO campaign has been underway since November 2022, with the attackers using watering holes, supply chain compromises, and spear-phishing as initial access vectors.

A highly obfuscated malware written in C++, BADAUDIO uses control flow flattening to resist reverse engineering and acts as a first-stage downloader that’s capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command and control (C2) server. It works by gathering and exfiltrating basic system information to the server, which responds with the payload to be run on the host. In one case, it was a Cobalt Strike Beacon.

BADAUDIO campaign overview

“BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications,” GTIG said. “Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.”

From November 2022 to at least early September 2025, APT24 is estimated to have compromised more than 20 legitimate websites to inject malicious JavaScript code to specifically exclude visitors coming from macOS, iOS, and Android, generate a unique browser fingerprint using the FingerprintJS library, and serve them a fake pop-up urging them to download BADAUDIO under the guise of a Google Chrome update.

Then, starting in July 2024, the hacking group breached a regional digital marketing firm in Taiwan to orchestrate a supply chain attack by injecting the malicious JavaScript into a widely used JavaScript library that the company distributed, effectively allowing it to hijack more than 1,000 domains.

The modified third-party script is configured to reach out to a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) and fetch the attacker-controlled JavaScript to fingerprint the machine and then serve the pop-up to download BADAUDIO after validation.

“The compromise in June 2025 initially employed conditional script loading based on a unique web ID (the specific domain name) related to the website using the compromised third-party scripts,” Google said. “This suggests tailored targeting, limiting the strategic web compromise (MITRE ATT&CK T1189) to a single domain.”

Compromised JS supply chain attack to deliver BADAUDIO malware

“However, for a ten-day period in August, the conditions were temporarily lifted, allowing all 1,000 domains using the scripts to be compromised before the original restriction was reimposed.”

APT24 has also been observed conducting targeted phishing attacks since August 2024, using lures related to an animal rescue organization to trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. These messages come fitted with tracking pixels to confirm whether the emails were opened by the targets and tailor their efforts accordingly.

The disclosure comes as CyberArmor detailed a sustained espionage campaign orchestrated by a suspected China-nexus threat actor against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. The activity has been codenamed Autumn Dragon.

The attack chain commences with a RAR archive likely sent as an attachment in spear-phishing messages that, when extracted, exploits a WinRAR security flaw (CVE-2025-8088, CVSS score: 8.8) to launch a batch script (“Windows Defender Definition Update.cmd”) that sets up persistence to ensure that the malware is launched automatically when the user logs in to the system the next time.

It also downloads a second RAR archive hosted on Dropbox via PowerShell. The RAR archive contains two files, a legitimate executable (“obs-browser-page.exe”) and a malicious DLL (“libcef.dll”). The batch script then runs the binary to sideload the DLL, which then communicates with the threat actor over Telegram to fetch commands (“shell”), capture screenshots (“screenshot”), and drop additional payloads (“upload”).

“The bot controller (threat actor) uses these three commands to gather information and perform reconnaissance of the victim’s computer and deploy third-stage malware,” security researchers Nguyen Nguyen and BartBlaze said. “This design enables the controller to remain stealthy and evade detection.”

The third stage once again involves the use of DLL side-loading to launch a rogue DLL (“CRClient.dll”) by using a real binary (“Creative Cloud Helper.exe”), which then decrypts and runs shellcode responsible for loading and executing the final payload, a lightweight implant written in C++ that can communicate with a remote server (“public.megadatacloud[.]com”) and supports eight different commands –

• 65, to run a specified command using “cmd.exe,” gather the result, and exfiltrate it back to the C2 server
• 66, to load and execute a DLL
• 67, to execute shellcode
• 68, to update configuration
• 70, to read a file supplied by the operator
• 71, to open a file and write the content supplied by the operator
• 72, to get/set the current directory
• 73, to sleep for a random interval and terminate itself

While the activity has not been tied to a specific threat actor or group, it’s possibly the work of a China-nexus group possessing intermediate operational capabilities. This assessment is based on the adversary’s continued targeting of countries surrounding the South China Sea.

“The attack campaign is targeted,” the researchers said. “Throughout our analysis, we frequently observed the next stages being hosted behind Cloudflare, with geo-restrictions enabled, as well as other restrictions such as only allowing specific HTTP User Agents.”

Nov 21, 2025The Hacker NewsMobile Security / Data Protection

Ever wonder how some IT teams keep corporate data safe without slowing down employees? Of course you have.

Mobile devices are essential for modern work—but with mobility comes risk. IT admins, like you, juggle protecting sensitive data while keeping teams productive. That’s why more enterprises are turning to Samsung for mobile security.

Hey—you’re busy, so here’s a quick-read article on what makes Samsung Galaxy devices and Knox Suite really stand out.

Security built in. Management simplified.

Samsung Galaxy devices come with Samsung Knox built in at the manufacturing stage, creating a hardware foundation that extends visibility and control across your security infrastructure.

• Simplified management with Knox Suite: Samsung’s all-in-one package to manage and secure work devices grants centralized control without the need for extra tools or workflows (that got your attention!).
• Integrated security: Samsung Knox is built into both hardware and software, giving multi-layered protection against malware attacks.
• Government-grade protection: Secure boot, trusted execution environments, and more—that means these devices are ready for enterprise demands!

With Samsung Galaxy, security isn’t just software—it’s the foundation of your devices.

Strengthening Zero Trust without the hassle

Mobile threats can appear anywhere. To mitigate the risks, Samsung Galaxy devices are Zero Trust ready, while Samsung Knox enforces strict access controls within your systems. Let’s take a quick look:

• Device Integrity: Samsung Galaxy devices, managed or unmanaged, verify their integrity before connecting to corporate resources. See how.
• Zero Trust Network Access (ZTNA): Businesses can get high-speed Zero Trust Network Access natively from Samsung Galaxy devices.
• Real-time security signals: Knox Asset Intelligence (part of Knox Suite – Enterprise Plan) sends almost-real-time device telemetry into security information and event management (SIEM) tools, so mobile threats appear alongside other alerts. Check out Samsung’s article on Knox Asset Intelligence for Microsoft Sentinel!

Think of it as a live dashboard for every device without adding extra complexity. Samsung Knox helps you stay strict without making life harder for your team—that’s a win-win!

Extending your EMM strategy… without adding headaches

Knox Suite amplifies the EMM tools you already use, further strengthening your enterprise mobility management. IT admins get deeper security, smarter insights, and tighter control while keeping existing workflows intact. What’s more, it’s compatible with most EMM tools!

With Knox Suite, you can:

• Equip your frontline with the tools they need to succeed. Leverage powerful features such as Knox Authentication Manager for seamless, secure access. And, ensure operational continuity of your Line of Business apps by enforcing OS compatibility through Knox E-FOTA.
• Gain unmatched control and security over your organization’s devices with Knox Mobile Enrollment, which allows you to securely lock devices to your organization–even after a factory reset–until released by an admin.
• Stay ahead of threats with the Knox Asset Intelligence security center dashboard, which provides a comprehensive look at your entire Samsung fleet, highlighting vulnerabilities and patch levels for unique chipsets.

In short, Knox Suite enhances the value of your EMM tools—providing IT with enterprise-grade security and visibility without slowing day-to-day operations.

Why Samsung is a trusted partner for IT admins

Here’s the deal: Samsung’s Knox Suite helps to manage and secure work devices for today’s challenges and tomorrow’s threats.

• Protect sensitive data: Layered hardware and software defences keep corporate information safe.
• Maintain productivity: Users stay productive while IT remains in control.
• Future-ready: Knox evolves alongside security threats, policies, and enterprise needs.

Security doesn’t have to be complicated—it just needs the right foundation. By choosing Samsung, enterprises can confidently embrace mobility while safeguarding their most valuable assets: data and reputation.

Want to be the IT hero who brought security and productivity to your team? Here’s all you need to know!