Tag: Cyber Threats

  • Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider


    Cloudflare on Thursday said it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which hit a peak of 7.3 terabits per second (Tbps).

    The attack, which was detected in mid-May 2025, targeted an unnamed hosting provider.

    “Hosting providers and critical Internet infrastructure have increasingly become targets of DDoS attacks,” Cloudflare’s Omer Yoachimik said. “The 7.3 Tbps attack delivered 37.4 terabytes in 45 seconds.”

    Earlier this January, the web infrastructure and security company said it had mitigated a 5.6 Tbps DDoS attack aimed at an unnamed internet service provider (ISP) from Eastern Asia. The attack originated from a Mirai-variant botnet in October 2024.

    Then in April 2025, Cloudflare revealed it defended against a massive 6.5 Tbps flood that likely emanated from Eleven11bot, a botnet comprising roughly 30,000 webcams and video recorders. The hyper-volumetric attack lasted about 49 seconds.


    The 7.3 Tbps DDoS attack, in comparison, carpet-bombed an average of 21,925 destination ports of a single IP address owned and used by the hosting provider, hitting a crest of 34,517 destination ports per second.

    The multi-vector attack originated from a similar distribution of source ports and has been identified as a combination of UDP flood, QOTD reflection attack, echo reflection attack, NTP reflection attack, Mirai UDP flood attack, portmap flood, and RIPv1 amplification attack. The UDP flood accounted for 99.996% of the attack traffic.

    Cloudflare also pointed out that the attack came from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries. The top sources of attack traffic included Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.

    “The average number of unique source IP addresses per second was 26,855 with a peak of 45,097,” Yoachimik said.

    “Telefonica Brazil (AS27699) accounted for the largest portion of the DDoS attack traffic, responsible for 10.5% of the total. Viettel Group (AS7552) follows closely with 9.8%, while China Unicom (AS4837) and Chunghwa Telecom (AS3462) contributed 3.9% and 2.9% respectively. China Telecom (AS4134) accounted for 2.8% of the traffic.”

    The disclosure comes as the QiAnXin XLab team said the DDoS botnet tracked as RapperBot was behind an attack aimed at artificial intelligence (AI) company DeepSeek in February 2025, and that the latest samples of the malware attempt to extort victims into paying “protection fees” to avoid being targeted by DDoS attacks in the future.

    China, the United States, Israel, Mexico, the United Kingdom, Greece, Iran, Australia, Malaysia, and Thailand are the primary countries where devices infected by RapperBot are located. The botnet has been active since 2022.


    RapperBot campaigns are known to target routers, network-attached storage devices, and video recorders with default weak passwords or firmware vulnerabilities to obtain initial access, and drop malware that can establish contact with a remote server over DNS TXT records to fetch DDoS attack commands.

    The malware also makes use of custom encryption algorithms to encrypt the TXT records and command-and-control (C2) domain names used.

    “Since March, its attack behavior has been significantly active, with an average of more than 100 attack targets per day and more than 50,000 bots observed,” the Chinese security vendor said.

    “RapperBot’s attack targets are all over the fields of various industries, including public management, social security and social organizations, Internet platforms, manufacturing, financial services, etc.”

    Source: thehackernews.com…

  • 6 Steps to 24/7 In-House SOC Success

    Hackers never sleep, so why should enterprise defenses? Threat actors prefer to target businesses during off-hours. That’s when they can count on fewer security personnel monitoring systems, delaying response and remediation.

    When retail giant Marks & Spencer experienced a security event over Easter weekend, they were forced to shut down their online operations, which account for approximately a third of the retailer’s clothing and home sales.

    As most staff are away during off-hours and holidays, it takes time to assemble an incident response team and initiate countermeasures. This gives attackers more time to move laterally within the network and wreak havoc before the security team reacts.

    While not every organization may be ready to staff an in-house team around the clock, building a 24/7 SOC remains one of the most robust and proactive ways to protect against off-hours attacks. In the rest of this post, we’ll explore why 24/7 vigilance is so important, the challenges of achieving it, and six practical steps to 24/7 SOC success.

    Importance and challenges of a 24/7 SOC

    A SOC is central to an organization’s cyber defense. It plays a key role in detecting, investigating, and responding to potential threats around the clock, providing real-time threat detection and resolution. Add in automation, and it only gets better, especially when everyone is away celebrating or concentrating on their weekend chores.

    But running a 24/7 SOC isn’t straightforward. It requires a perfect balance of proven processes, advanced tools, and skilled professionals.

    Proper planning and automation are key

    Wherever security professionals can’t keep up with the demands of a changing attack surface, AI can make a difference. Together with the right people and processes in place, AI enables efficiency by automating threat detection, resulting in faster response times and enhancing your overall security posture. Let’s look at building the right processes and where AI fits in.

    6-step approach for building a 24/7 SOC

    Running a successful SOC comes down to the following six measures your organization will need to implement.

    1. Build a foundation specific to your organization

    Establishing a robust 24/7 SOC starts with defining a clear mission and scope that’s aligned with overall business goals. Having a clear strategy helps determine security coverage requirements.

    As budgets will dictate who gets hired and what security tools are integrated, making a strong case for 24/7 security monitoring is critical. Given recent examples of cyberattacks with devastating consequences, this shouldn’t be difficult.

    The best SOC model for your business will depend on its risk profile, compliance and industry requirements, and available resources. The SOC’s scope and objectives will also be business- and industry-specific. For example, a healthcare provider will prioritize protecting patient data to ensure compliance with HIPAA, while a retailer will concentrate on PCI DSS.

    Also, whether you choose an in-house, hybrid, or outsourced model, security teams should leverage AI. It can scale your model to optimize security operations and help defend against rapidly evolving threats. For example, a hybrid SOC with AI-powered SOC analysis can be highly efficient.

    2. Build the right team and train them well

    Organizations have to create a team that’s up to the task of facing security challenges. Hiring managers should focus on a mix of junior analysts and seasoned responders, as diversity helps foster collaboration.

    SOC teams often follow a three-tiered structure of Tier 1 analysts for alert triage; Tier 2 analysts responsible for investigation and response; and Tier 3 analysts for strategy, advanced threat hunting, proactive detection, and AI tool optimization. If resources are limited, a two-tier model can also be effective—Tier 1 handles triage and initial investigation, while Tier 2 takes on deeper analysis, response, and strategic functions. This approach can still deliver strong coverage with the right tooling and processes in place.

    It’s also better to hire internally whenever possible. Develop an internal talent pipeline and budget for ongoing training and certification for those who want to upskill. For example, team members can learn to use AI tools to overcome SIEM’s costly log management and SOAR’s complex configuration challenges.

    3. Be smart about shift rotations to avoid burnout

    SOC teams are known to burn out quickly. Developing sustainable shift rotations with 8- or 12-hour shifts is important. For example, a SOC team can work on a 4-on, 4-off schedule to stay alert, while multinationals can spread shifts across time zones to reduce the risk of fatigue.

    Hire more analysts than you think you’ll need—many are paid per shift, and having a bench ensures you can rotate effectively, cover unexpected absences, and reduce pressure on your core team. This approach gives you flexibility without overextending your staff.

    Security professionals also need variety to keep things interesting and stay engaged. So, regularly rotate responsibilities like alert triage, playbook review, and threat hunting.

    Note: Make sure to establish clear handoff protocols to encourage overlapping handover periods. This helps nurture an environment of context sharing between teams.

    As fatigue often leads to a staffing exodus, automation can play a vital role in retaining top security talent. Use AI to reduce the team’s workload, automating repetitive tasks like log analysis or phishing triage.

    Wellness programs can offer a big boost, too. Encouraging work/life balance and establishing anonymous feedback channels will improve retention. Also, schedule downtime and encourage actual breaks. Make sure to emphasize that there’s no reason to work through scheduled breaks unless there’s an active incident.

    Lastly, rewarding team members and recognizing wins are important. These boost job satisfaction, helping you retain talent.

    4. Choose the right tools

    Thoroughly research and choose AI-driven security tools that fit your specific business needs and security requirements. It’s also imperative to consider different variables like cost and complexity before settling on a tool.

    For example, SIEMs like Splunk are known to have scaling challenges and high log management costs. This can be unsustainable in multi-cloud environments. Elastic’s Attack Discovery is also known to have a lot of false positives, forcing analysts to manually validate outputs.

    Although many AI-powered tools minimize manual effort, they still require significant setup, rule tuning, data onboarding, and dashboard customization. Some features may also require analysts to configure data sources and interpret results. Many SOC tools are static, with pre-trained models for just a handful of use cases.

    Existing SOARs additionally require considerable configuration and maintenance, while their static playbooks can’t adaptively learn to deal with new threats.

    Radiant is one alternative. Its adaptive AI SOC platform ingests, triages, and escalates when an alert is deemed a true positive. It will then respond fast to actual threats and various security use cases.

    Aside from being cost-effective and requiring no maintenance, Radiant integrates back into customers’ environments for 1-click or fully automatic remediation (once the SOC team is confident with Radiant’s recommendations). Plus, it doesn’t require audits or retraining to stay on top of the latest malware.

    5. Cultivate a culture of continuous learning

    While security leadership should encourage post-mortems, they need to avoid assigning blame. Every security event has much to teach us, and organizations need to actively store this information in a knowledge base.

    Continuous learning is your ticket to staying ahead of threats. So, make sure to offer seamless access to research and training, and sponsor certifications like GIAC Intrusion Analyst certification (GCIA) and Offensive Security Certified Professional (OSCP).

    Create a team culture where members cross-pollinate knowledge and build trust. Hold regular threat briefings and security drills (e.g., red team vs. blue team simulations) to identify process gaps and improve escalation paths.

    These drills will help each team member quickly act if the organization comes under attack. It’s also important to practice coordination with Legal, PR, and IT teams. Tabletop exercises for executives, i.e., testing the decision-making process under pressure, are also a great idea.

    6. Governance, metrics, and reporting

    Define success metrics, including MTTD/MTTR, AI accuracy, and false positive rate. Faster detection limits damage, and rapid response minimizes the impact of an incident. If the AI is highly accurate, it helps build trust in automation. At the same time, low false positives reduce analysts’ workload.

    Equitable workload distribution and alert volume across SOC shifts ensure balance and lower the risk of burnout. Tracking incident statistics isn’t enough. You also have to continuously monitor employee well-being: A healthy SOC team means high morale and consistent performance.

    For all the above, real-time dashboards and monthly reviews are a must. Provide visuals whenever possible and include deep dives for team leads. SOC managers and T3 analysts need comprehensive insights to optimize tools, better align compliance and business risk, and manage team health.

    Conclusion

    The synergy of skilled personnel, streamlined processes, advanced AI, and integrated tools is the underlying force that keeps your company name out of the headlines.

    A 24/7 AI-powered SOC protects organizations from rapidly evolving, advanced, persistent threats. It will help you successfully address the limitations of SIEMs, SOARs, EDRs, and SOC co-pilots through the seamless integration of automation, people, processes, and tools.

    Radiant’s unique adaptive AI SOC platform streamlines processes and empowers analysts, threat hunters, and security specialists. The platform’s no-retrain automation and >95% accuracy help SOC teams overcome a variety of hurdles: EDR’s limited scope, co-pilots’ analyst dependency, SIEM’s costly complexity, and SOAR’s manual playbooks, to name a few.

    It’s also scalable and cost-effective with a wide range of integrations.

    If you want to see Radiant in action, it’s just a click away. Book a demo today.

    This article is a contributed piece from one of our valued partners.

    Source: thehackernews.com…

  • 200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers


    Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead.

    The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package Index (PyPI) repository with bogus packages that were downloaded over 75,000 times and came with information-stealing capabilities on Windows systems.

    The findings build on a previous report from the SANS Internet Storm Center in November 2024 that detailed a supposed “steam-account-checker” tool hosted on GitHub, which incorporated stealthy features to download additional Python payloads that can inject malicious code into the Exodus cryptocurrency wallet app and harvest sensitive data to an external server (“dieserbenni[.]ru”).

    Further analysis of the repository and the attacker-controlled infrastructure has led to the discovery of 67 trojanized GitHub repositories that impersonate benign repositories with the same name.


    There is evidence to suggest that users searching for account-cleaning tools and game cheats, such as Discord account cleaner, Fortnite External Cheat, TikTok username checker, and PayPal bulk account checker, are the targets of the campaign. All the identified repositories have since been taken down by GitHub.

    “Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector,” ReversingLabs researcher Robert Simmons said.

    “For developers relying on these open-source platforms, it’s essential to always double check that the repository you’re using actually contains what you expect.”

    GitHub as a Malware Distribution Service

    The development comes as GitHub is increasingly becoming the focus of several campaigns as a malware distribution vector. Earlier this week, Trend Micro said it uncovered 76 malicious GitHub repositories operated by a threat actor it calls Water Curse to deliver multi-stage malware.

    These payloads are designed to siphon credentials, browser data, and session tokens, as well as to provide the threat actors with persistent remote access to the compromised systems.

    Then Check Point shed light on another campaign that’s using a criminal service known as the Stargazers Ghost Network to target Minecraft users with Java-based malware. The Stargazers Ghost Network refers to a collection of GitHub accounts that propagate malware or malicious links via phishing repositories.

    “The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate,” Check Point said.

    The cybersecurity company has also assessed that such “GitHub ‘Ghost’ accounts are only one part of the grand picture, with other ‘Ghost’ accounts operating on different platforms as an integral part of an even larger Distribution-as-a-Service universe.”

    Some aspects of the Stargazers Ghost Network were exposed by Checkmarx in April 2024, calling out the threat actor’s pattern of using fake stars and pushing out frequent updates to artificially inflate the popularity of the repositories and make sure they surfaced at the top of GitHub search results.

    These repositories are ingeniously disguised as legitimate projects, typically related to popular games, cheats, or tools like cryptocurrency price trackers and multiplier prediction for crash-betting games.

    These campaigns also dovetail with another attack wave that has targeted novice cybercriminals on the lookout for readily available malware and attack tools on GitHub with backdoored repositories to infect them with information stealers.

    In one instance highlighted by Sophos this month, the trojanized Sakura-RAT repository has been found to incorporate malicious code that compromised those who compiled the malware on their systems with information stealers and other remote access trojans (RATs).

    The identified repositories act as a conduit for four different kinds of backdoors that are embedded within Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript to steal data, take screenshots, communicate via Telegram, as well as fetch more payloads, including AsyncRAT, Remcos RAT, and Lumma Stealer.
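    The PreBuild-event backdoors described above are a practical reason to inspect a repository’s build configuration before compiling it. The following added example (not code from Sophos, ReversingLabs or The Hacker News) walks a checkout for MSBuild project files, extracts every PreBuildEvent property and every Exec task hooked before the build, and flags commands that match a constructed list of indicators (encoded PowerShell, download utilities, long base64 blobs). The sample project file and the indicator list are assumptions for illustration.

```python
"""
Pre-compile check for MSBuild project files: surface PreBuildEvent properties
and Exec tasks in targets that run before Build, and flag suspicious commands.
Added illustration, not any vendor's tooling; sample project and indicator
list below are constructed.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROJECT_GLOBS = ("*.csproj", "*.vbproj", "*.vcxproj")

# Constructed indicator list: fragments that rarely belong in a legitimate build step.
SUSPICIOUS = (
    "powershell", "-enc", "-encodedcommand", "certutil", "bitsadmin",
    "curl ", "wget ", "invoke-webrequest", "iwr ", "frombase64string",
    "http://", "https://",
)

# Constructed sample project: one hidden PreBuildEvent plus a benign copy step.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -enc BASE64PAYLOADPLACEHOLDER</PreBuildEvent>
  </PropertyGroup>
  <Target Name="CopyAssets" BeforeTargets="Build">
    <Exec Command="xcopy assets $(OutDir)assets /E /Y" />
  </Target>
</Project>"""


def _local(tag):
    """Drop the XML namespace so old-style (namespaced) and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def extract_build_events(xml_text):
    """Return (location, command) pairs for PreBuildEvent properties and for
    Exec tasks inside targets that run before or as part of the build."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "PreBuildEvent" and (el.text or "").strip():
            found.append(("PreBuildEvent", el.text.strip()))
        elif name == "Target":
            target_name = el.attrib.get("Name", "?")
            hook = (el.attrib.get("BeforeTargets", "") + " " + target_name).lower()
            if "build" in hook or "compile" in hook:
                for child in el:
                    if _local(child.tag) == "Exec" and child.attrib.get("Command"):
                        found.append((f"Target:{target_name}", child.attrib["Command"].strip()))
    return found


def assess(command):
    """Return the list of matched indicators; an empty list means nothing flagged."""
    lower = command.lower()
    hits = [s for s in SUSPICIOUS if s in lower]
    # A long base64-looking run is a common way to hide a payload inside a build step.
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", command):
        hits.append("long-base64-blob")
    return hits


def scan_repo(root):
    """Scan every project file under root and return one finding per build command."""
    findings = []
    for pattern in PROJECT_GLOBS:
        for path in sorted(Path(root).rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            try:
                events = extract_build_events(text)
            except ET.ParseError:
                findings.append({"file": str(path), "where": "parse-error",
                                 "command": "", "indicators": ["unparseable"]})
                continue
            for where, cmd in events:
                findings.append({"file": str(path), "where": where,
                                 "command": cmd, "indicators": assess(cmd)})
    return findings


def scan_sample():
    """Write the constructed sample project to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Demo.csproj").write_text(SAMPLE_CSPROJ, encoding="utf-8")
        return scan_repo(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        status = "FLAGGED" if f["indicators"] else "ok"
        print(f"{status:8} {f['where']:22} {f['command']}  {f['indicators']}")
```

    Run it against a freshly cloned repository before opening it in Visual Studio; any flagged PreBuildEvent deserves a manual read, and a parse error on a project file is itself worth a look, since the ZIP and manifest tricks described elsewhere on this page show that malformed files are sometimes deliberate.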


    In all, the cybersecurity company said it detected no less than 133 backdoored repositories as part of the campaign, with 111 containing the PreBuild backdoor, and the others hosting Python, screensaver, and JavaScript backdoors.

    Sophos further noted that these activities are likely linked to a distribution-as-a-service (DaaS) operation that has been operational since August 2022, and which has used thousands of GitHub accounts to distribute malware embedded within trojanized repositories themed around gaming cheats, exploits, and attack tools.

    While the exact distribution method used in the campaign is unclear, it’s believed that the threat actors are also relying on Discord servers and YouTube channels to spread links to the trojanized repositories.

    “It remains unclear if this campaign is directly linked to some or all of the previous campaigns reported on, but the approach does seem to be popular and effective, and is likely to continue in one form or another,” Sophos said. “In the future, it’s possible that the focus may change, and threat actors may target other groups besides inexperienced cybercriminals and gamers who use cheats.”

    Source: thehackernews.com…

  • New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft


    Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns.

    “Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service (MaaS) on underground forums and has been linked to a wide range of mobile campaigns,” PRODAFT said in a report shared with The Hacker News.

    AntiDot is advertised as a “three-in-one” solution with capabilities to record the device screen by abusing Android’s accessibility services, intercept SMS messages, and extract sensitive data from third-party applications.

    The Android botnet is suspected to be delivered via malicious advertising networks or through highly tailored phishing campaigns based on activity that indicates selective targeting of victims based on language and geographic location.

    AntiDot was first publicly documented in May 2024 after it was spotted being distributed as Google Play updates to accomplish its information theft objectives.

    Like other Android trojans, it features a wide range of capabilities to conduct overlay attacks, log keystrokes, and remotely control infected devices using Android’s MediaProjection API. It also establishes a WebSocket communication to facilitate real-time, bi-directional communication between the infected device and an external server.

    In December 2024, Zimperium revealed details of a mobile phishing campaign that distributed an updated version of AntiDot dubbed AppLite Banker using job offer-themed decoys.

    The latest findings from the Swiss cybersecurity company show that there are at least 11 active command-and-control (C2) servers in operation that are overseeing no less than 3,775 infected devices across 273 distinct campaigns.

    A Java-based malware at its core, AntiDot is heavily obfuscated using a commercial packer to sidestep detection and analysis efforts. The malware, per PRODAFT, is delivered as part of a three-stage process that starts with an APK file.

    “An inspection of the AndroidManifest file reveals that many class names do not appear in the original APK,” the company said. “These missing classes are dynamically loaded by the packer during installation, and include malicious code extracted from an encrypted file. The entire mechanism is intentionally crafted to avoid detection by antivirus tools.”


    Once launched, it serves a bogus update bar and prompts the victim to grant it accessibility permissions, after which it unpacks and loads a DEX file incorporating the botnet functions.

    A core feature of AntiDot is its ability to monitor for newly launched applications and serve a bogus login screen from the C2 server when the victim opens a cryptocurrency- or payment-related app that the operators are interested in.

    The malware also abuses accessibility services to gather extensive information about the contents of the active screens and sets itself as the default SMS app for capturing incoming and outgoing texts. Furthermore, it can monitor phone calls, block calls from specific numbers, or redirect them, effectively opening up more avenues for fraud.

    Another important feature is that it can keep track of real-time notifications displayed in the device’s status bar and takes steps to either dismiss or snooze them in a bid to suppress alerts and avoid alerting the user of suspicious activity.

    PRODAFT said the C2 panel that powers the remote control functions is built using MeteorJS, an open-source JavaScript framework that enables real-time communication. The panel has six different tabs:

    • Bots, which displays a list of all the compromised devices and their details
    • Injects, which displays a list of all target apps for overlay injection and view the overlay template for each inject
    • Analytic, which displays a list of applications installed on victim devices and likely used to identify new and popular apps for future targeting
    • Settings, which contains the core configuration options for the panel, including updating the injects
    • Gates, which is used to manage the infrastructure endpoints that the bots connect to
    • Help, which offers support resources for using the malware

    “AntiDot represents a scalable and evasive MaaS platform designed for financial gain through persistent control of mobile devices, especially in localized and language-specific regions,” the company said. “The malware also employs WebView injection and overlay attacks to steal credentials, making it a serious threat to user privacy and device security.”

    GodFather Returns

    The development comes as Zimperium zLabs said it uncovered a “sophisticated evolution” of the GodFather Android banking trojan that makes use of on-device virtualization to hijack legitimate mobile banking and cryptocurrency applications and carry out real-time fraud.

    “The core of this novel technique is the malware’s ability to create a complete, isolated virtual environment on the victim’s device. Instead of simply mimicking a login screen, the malware installs a malicious ‘host’ application that contains a virtualization framework,” researchers Fernando Ortega and Vishnu Pratapagiri said.

    “This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox.”

    Should the victim launch the app, they are redirected to the virtual instance, from where their activities are monitored by the threat actors. In addition, the latest version of GodFather packs in features to bypass static analysis tools by making use of ZIP manipulation and filling the AndroidManifest file with irrelevant permissions.

    As in the case of AntiDot, GodFather relies on accessibility services to conduct its information gathering activities and control compromised devices. While Google has enforced security protections that prevent sideloaded apps from enabling accessibility services starting with Android 13, a session-based installation approach can get around this safeguard.

    The session-based method is the one Android app stores use to handle app installation; texting apps, mail clients, and browsers use it as well when presented with APK files.

    Central to the functioning of the malware is its virtualization feature. In the first stage, it collects information about the list of installed apps and checks if it includes any of the predetermined apps it’s configured to target.

    If matches are found, it extracts relevant information from those apps and then proceeds to install a copy of those apps in a virtual environment inside the dropper app. Thus, when the victim attempts to launch the actual banking application on their device, GodFather intercepts the action and opens the virtualized instance instead.

    It’s worth pointing out that similar virtualization features were previously flagged in another Android malware codenamed FjordPhantom, which was documented by Promon in December 2023. The method represents a paradigm shift in mobile threat capabilities that go beyond the traditional overlay tactic to steal credentials and other sensitive data.

    “While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions,” the company said.

    “A particularly alarming capability uncovered in the GodFather malware is its capacity to steal device lock credentials, irrespective of whether the victim uses an unlock pattern, a PIN, or a password. This poses a significant threat to user privacy and device security.”

    The mobile security company said the abuse of accessibility services is one of the many ways malicious apps can achieve privilege escalation on Android, allowing them to obtain permissions that exceed their functional requirements. These include misuse of Original Equipment Manufacturer (OEM) permissions and security vulnerabilities in pre-installed apps that cannot be removed by users.

    “Preventing privilege escalation and securing Android ecosystems against malicious or over-privileged applications requires more than user awareness or reactive patching—it demands proactive, scalable, and intelligent defense mechanisms,” security researcher Ziv Zeira said.

    SuperCard X Malware Comes to Russia

    The findings also follow the first recorded attempts to target Russian users with SuperCard X, a newly emerged Android malware that can conduct near-field communication (NFC) relay attacks for fraudulent transactions.

    According to Russian cybersecurity company F6, SuperCard X is a malicious modification of a legitimate tool called NFCGate that can capture or modify NFC traffic. The end goal of the malware is not only to receive NFC traffic from the victim, but also to read bank card data by sending commands to the card’s EMV chip.


    “This application allows attackers to steal bank card data by intercepting NFC traffic for subsequent theft of money from users’ bank accounts,” F6 researcher Alexander Koposov said in a report published this week.

    Attacks leveraging SuperCard X were first spotted targeting Android users in Italy earlier this year, weaponizing NFC technology to relay data from victims’ physical cards to attacker-controlled devices, from where they were used to carry out fraudulent ATM withdrawals or authorize point-of-sale (PoS) payments.

    The Chinese-speaking MaaS platform, advertised on Telegram as capable of targeting customers of major banks in the U.S., Australia and Europe, shares substantial code-level overlaps with NGate, an Android malware that has also been found weaponizing NFCGate for malicious purposes in the Czech Republic.

    All these campaigns are united by the fact that they rely on smishing techniques to convince a potential victim of the need to install an APK file on the device under the guise of a useful program.

    Malicious Apps Spotted on App Stores

    While all of the aforementioned malware strains require victims to sideload the apps on their devices, new research has also unearthed malicious apps on the official Google Play Store and Apple’s App Store with capabilities to harvest personal information and steal mnemonic phrases associated with cryptocurrency wallets with the goal of draining their assets.

    One of the apps in question, RapiPlata, is estimated to have been downloaded around 150,000 times across Android and iOS devices, underscoring the severity of the threat. The app is a type of malware known as SpyLoan, which lures users by claiming to offer loans at low interest rates, only for them to be subjected to extortion, blackmail, and data theft.

    “RapiPlata primarily targets Colombian users by promising quick loans,” Check Point said. “Beyond its predatory lending practices, the app engages in extensive data theft. The app had extensive access to sensitive user data — including SMS messages, call logs, calendar events, and installed applications — even going so far as to upload this data to its servers.”

    The cryptocurrency wallet phishing apps, on the other hand, have been distributed through compromised developer accounts and serve a phishing page via WebView to obtain the seed phrases.

    Although these apps have since been removed from the respective app stores, the danger is that the Android apps could be available for download from third-party websites. Users are advised to exercise caution when downloading financial or loan-related applications.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Secure Vibe Coding: The Complete New Guide

    Secure Vibe Coding: The Complete New Guide

    DALL-E for coders? That’s the promise behind vibe coding, a term describing the use of natural language to create software. While this ushers in a new era of AI-generated code, it introduces “silent killer” vulnerabilities: exploitable flaws that evade traditional security tools despite perfect test performance.

    A detailed analysis of secure vibe coding practices is available here.

    TL;DR: Secure Vibe Coding

    Vibe coding, using natural language to generate software with AI, is revolutionizing development in 2025. But while it accelerates prototyping and democratizes coding, it also introduces “silent killer” vulnerabilities: exploitable flaws that pass tests but evade traditional security tools.

    This article explores:

    • Real-world examples of AI-generated code in production
    • Shocking stats: 40% higher secret exposure in AI-assisted repos
    • Why LLMs omit security unless explicitly prompted
    • Secure prompting techniques and tool comparisons (GPT-4, Claude, Cursor, etc.)
    • Regulatory pressure from the EU AI Act
    • A practical workflow for secure AI-assisted development

    Bottom line: AI can write code, but it won’t secure it unless you ask, and even then, you still need to verify. Speed without security is just fast failure.

    Introduction

    Vibe coding has exploded in 2025. Coined by Andrej Karpathy, it’s the idea that anyone can describe what they want and get functional code back from large language models. In Karpathy’s words, vibe coding is about “giving in to the vibes, embrace exponentials, and forget that the code even exists.”

    From Prompt to Prototype: A New Development Model

    This model isn’t theoretical anymore. Pieter Levels (@levelsio) famously launched a multiplayer flight sim, Fly.Pieter.com, using AI tools like Cursor, Claude, and Grok 3. He created the first prototype in under 3 hours using just one prompt:

    “Make a 3D flying game in the browser.”

    After 10 days, he had made $38,000 from the game and was earning around $5,000 monthly from ads as the project scaled to 89,000 players by March 2025.

    But it’s not just games. Vibe coding is being used to build MVPs, internal tools, chatbots, and even early versions of full-stack apps. According to recent analysis, nearly 25% of Y Combinator startups are now using AI to build core codebases.

    Before you dismiss this as ChatGPT hype, consider the scale: we’re not talking about toy projects or weekend prototypes. These are funded startups building production systems that handle real user data, process payments, and integrate with critical infrastructure.

    The promise? Faster iteration. More experimentation. Less gatekeeping.

    But there’s a hidden cost to this speed. AI-generated code creates what security researchers call “silent killer” vulnerabilities, code that functions perfectly in testing but contains exploitable flaws that bypass traditional security tools and survive CI/CD pipelines to reach production.

    The Problem: Security Doesn’t Auto-Generate

    The catch is simple: AI generates what you ask for, not what you forget to ask. In many cases, that means critical security features are left out.

    The problem isn’t just naive prompting, it’s systemic:

    • LLMs are trained to complete, not protect. Unless security is explicitly in the prompt, it’s usually ignored.
    • Tools like GPT-4 may suggest deprecated libraries or verbose patterns that mask subtle vulnerabilities.
    • Sensitive data is often hardcoded because the model “saw it that way” in training examples.
    • Prompts like “Build a login form” often yield insecure patterns: plaintext password storage, no MFA, and broken auth flows.

    According to this new Secure Vibe Coding guide, this leads to what they call “security by omission”, functioning software that quietly ships with exploitable flaws. In one cited case, a developer used AI to fetch stock prices from an API and accidentally committed their hardcoded key to GitHub. A single prompt resulted in a real-world vulnerability.

    Here’s another real example: A developer prompted AI to “create a password reset function that emails a reset link.” The AI generated working code that successfully sent emails and validated tokens. But it used a non-constant-time string comparison for token validation, creating a timing-based side-channel attack where attackers could brute-force reset tokens by measuring response times. The function passed all functional tests, worked perfectly for legitimate users, and would have been impossible to detect without specific security testing.

    Technical Reality: AI Needs Guardrails

    The guide presents a deep dive into how different tools handle secure code, and how to prompt them properly. For example:

    • Claude tends to be more conservative, often flagging risky code with comments.
    • Cursor AI excels at real-time linting and can highlight vulnerabilities during refactors.
    • GPT-4 needs specific constraints, like:
    • “Generate [feature] with OWASP Top 10 protections. Include rate limiting, CSRF protection, and input validation.”

    It even includes secure prompt templates, like:

    
    # Insecure
    "Build a file upload server"
    
    # Secure
    "Build a file upload server that only accepts JPEG/PNG, limits files to 5MB, sanitizes filenames, and stores them outside the web root."
    

    The lesson: if you don’t say it, the model won’t do it. And even if you do say it, you still need to check.

    Regulatory pressure is mounting. The EU AI Act now classifies some vibe coding implementations as “high-risk AI systems” requiring conformity assessments, particularly in critical infrastructure, healthcare, and financial services. Organizations must document AI involvement in code generation and maintain audit trails.

    Secure Vibe Coding in Practice

    For those deploying vibe coding in production, the guide suggests a clear workflow:

    1. Prompt with Security Context – Write prompts like you’re threat modeling.
    2. Multi-Step Prompting – First generate, then ask the model to review its own code.
    3. Automated Testing – Integrate tools like Snyk, SonarQube, or GitGuardian.
    4. Human Review – Assume every AI-generated output is insecure by default.
    
    # Insecure AI output: `==` stops at the first mismatching character, so response time leaks how much of the token was right
    if token == expected_token:
    
    # Secure version: constant-time comparison from the standard library
    import hmac
    if hmac.compare_digest(token, expected_token):
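
    The password-reset case described earlier and the `compare_digest` snippet, carried through as a complete token flow. This is an added example, not code from the guide: `issue_reset_token`, `validate_secure`, the in-memory `_reset_store` and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

# Constructed in-memory store for the example: user -> (sha256 hex of token, expiry).
# Only the hash is kept, so a leaked table yields nothing an attacker can present.
_reset_store: Dict[str, Tuple[str, float]] = {}

# Digest compared against when the user is unknown, so that path does the same work as a hit.
_DUMMY_DIGEST = "0" * 64


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Mint a single-use reset token, store only its hash, and return the token to e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random.random()
    _reset_store[user] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def validate_insecure(token: str, expected_token: str) -> bool:
    """The AI-generated pattern from the article: `==` returns at the first differing
    character, so response time depends on how long the matching prefix is."""
    return token == expected_token


def validate_secure(user: str, token: str, now: Optional[float] = None) -> bool:
    """Constant-time, expiring, single-use validation of a presented reset token."""
    now = time.time() if now is None else now
    stored_digest, expiry = _reset_store.get(user, (_DUMMY_DIGEST, 0.0))
    # compare_digest takes the same time wherever the strings differ; hashing first also
    # gives both sides equal length, which compare_digest would otherwise reveal.
    matches = hmac.compare_digest(_digest(token), stored_digest)
    if not matches or now > expiry:
        return False
    del _reset_store[user]  # one use only: a captured link cannot be replayed
    return True
```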
    

    The Accessibility-Security Paradox

    Vibe coding democratizes software development, but democratization without guardrails creates systemic risk. The same natural language interface that empowers non-technical users to build applications also removes them from understanding the security implications of their requests.

    Organizations are addressing this through tiered access models: supervised environments for domain experts, guided development for citizen developers, and full access only for security-trained engineers.

    Vibe Coding ≠ Code Replacement

    The smartest organizations treat AI as an augmentation layer, not a substitute. They use vibe coding to:

    • Accelerate boring, boilerplate tasks
    • Learn new frameworks with guided scaffolds
    • Prototype experimental features for early testing

    But they still rely on experienced engineers for architecture, integration, and final polish.

    This is the new reality of software development: English is becoming a programming language, but only if you still understand the underlying systems. The organizations succeeding with vibe coding aren’t replacing traditional development, they’re augmenting it with security-first practices, proper oversight, and recognition that speed without security is just fast failure. The choice isn’t whether to adopt AI-assisted development, it’s whether to do it securely.

    For those seeking to dive deeper into secure vibe coding practices, the full guide provides extensive guidelines.

    Security-focused Analysis of Leading AI Coding Systems

    | AI System | Key Strengths | Security Features | Limitations | Optimal Use Cases | Security Considerations |
    |---|---|---|---|---|---|
    | OpenAI Codex / GPT-4 | Versatile, strong comprehension | Code vulnerability detection (Copilot) | May suggest deprecated libraries | Full-stack web dev, complex algorithms | Verbose code may obscure security issues; weaker system-level security |
    | Claude | Strong explanations, natural language | Risk-aware prompting | Less specialized for coding | Doc-heavy, security-critical apps | Excels at explaining security implications |
    | DeepSeek Coder | Specialized for coding, repo knowledge | Repository-aware, built-in linting | Limited general knowledge | Performance-critical, system-level programming | Strong static analysis; weaker logical security flaw detection |
    | GitHub Copilot | IDE integration, repo context | Real-time security scanning, OWASP detection | Over-reliance on context | Rapid prototyping, developer workflow | Better at detecting known insecure patterns |
    | Amazon CodeWhisperer | AWS integration, policy-compliant | Security scan, compliance detection | AWS-centric | Cloud infrastructure, compliant envs | Strong in generating compliant code |
    | Cursor AI | Natural language editing, refactoring | Integrated security linting | Less suited for new, large codebases | Iterative refinement, security auditing | Identifies vulnerabilities in existing code |
    | BASE44 | No-code builder, conversational AI | Built-in auth, secure infrastructure | No direct code access, platform-limited | Rapid MVP, non-technical users, business automation | Platform-managed security creates vendor dependency |

    The complete guide includes secure prompt templates for 15 application patterns, tool-specific security configurations, and enterprise implementation frameworks, essential reading for any team deploying AI-assisted development.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware

    BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware

    Deepfake Zoom Scam

    The North Korea-aligned threat actor known as BlueNoroff has been observed targeting an employee in the Web3 sector with deceptive Zoom calls featuring deepfaked company executives to trick them into installing malware on their Apple macOS devices.

    Huntress, which revealed details of the cyber intrusion, said the attack targeted an unnamed cryptocurrency foundation employee, who received a message from an external contact on Telegram.

    “The message requested time to speak to the employee, and the attacker sent a Calendly link to set up meeting time,” security researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon said. “The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor.”

    After several weeks, the employee is said to have joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.

    However, when the employee said they were unable to use their microphone, the synthetic personas urged them to download and install a Zoom extension to address the supposed issue. The link to the extension, shared via Telegram, downloaded an AppleScript that went by the name “zoom_sdk_support.scpt.”

    This AppleScript first opens a legitimate webpage for the Zoom software development kit (SDK), but is also configured to stealthily download a next-stage payload from a remote server (“support[.]us05web-zoom[.]biz”) and execute a shell script.

    The script begins by disabling bash history logging and then checks if Rosetta 2 is installed on the compromised Mac, and if not, installs it. Rosetta 2 is software that enables Macs running Apple silicon to run apps that were built for a Mac with an Intel processor (x86_64).


    The script then proceeds to create a hidden file called “.pwd,” and downloads a binary from the malicious Zoom web page (“web071zoom[.]us/fix/audio-fv/7217417464”) to the “/tmp/icloud_helper” directory. It also performs another request to “web071zoom[.]us/fix/audio-tr/7217417464” to fetch another unspecified payload.

    The shell script also prompts the user to provide their system password and wipes the history of executed commands to avoid leaving a forensic trail. Huntress said its investigation led to the discovery of eight distinct malicious binaries on the victim host –

    • Telegram 2, a Nim-based binary responsible for starting the primary backdoor
    • Root Troy V4, a fully-featured Go backdoor that’s used to run remote AppleScript payloads, shell commands, and download additional malware and execute them
    • InjectWithDyld, a C++ binary loader downloaded by Root Troy V4, which, in turn, drops two more payloads: A benign Swift application to facilitate process injection and a different Nim implant that enables the operator to issue commands and receive responses asynchronously
    • XScreen, an Objective-C keylogger with features to monitor the victim’s keystrokes, clipboard, and the screen, and send the information to a command-and-control (C2) server
    • CryptoBot, a Go-based information stealer that can collect cryptocurrency related files from the host
    • NetChk, an almost empty binary that’s designed to generate random numbers forever

    BlueNoroff, also tracked under the names Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444, is a sub-cluster within the Lazarus Group that has a history of striking financial institutions, cryptocurrency businesses, and ATMs for monetary gain, generating revenue for the Democratic People’s Republic of Korea (DPRK).

    The group is best known for orchestrating a series of cryptocurrency heists known as TraderTraitor to target employees of organizations engaged in blockchain research with malicious cryptocurrency trading applications. Some of the significant cases include the hacks of Bybit in February 2025 and Axie Infinity in March 2022.

    “Remote workers, especially in high-risk areas of work, are often the ideal targets for groups like TA444,” Huntress said. “It is important to train employees to identify common attacks that start off with social engineering related to remote meeting software.”

    According to DTEX’s latest assessment of North Korea’s cyber structure, the APT38 mission likely no longer exists and has fractured into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka CageyChameleon, CryptoMimic, DangerousPassword, LeeryTurtle, and Sapphire Sleet), with the new clusters becoming the new faces of financial theft for the regime.

    “TraderTraitor is arguably the most prolific of any of the DPRK APT groups when it comes to cryptocurrency theft and seems to have housed the most talent from the original APT38 effort,” DTEX said. “CryptoCore has been active since at least 2018, likely splitting out of APT38 with TraderTraitor.”

    What’s more, the use of audio issue-themed lures to trick prospective victims into compromising their own machines with malware has its echoes in an evolution of another North Korea-linked campaign dubbed Contagious Interview, which involves using ClickFix-style alerts to deliver another malware named GolangGhost.


    The new iteration, referred to as ClickFake Interview, revolves around creating fake job advertisements and duping job applicants into copying and running a malicious command under the pretext of fixing camera and microphone access on a fake website set up by the threat actors to complete their hiring assessment.

    These cross-platform attacks, per Cisco Talos, have since evolved further, employing a Python version of GolangGhost that has been codenamed PylangGhost. The bogus assessment sites impersonate well-known financial entities such as Archblock, Coinbase, Robinhood, and Uniswap, and have been found to target a small set of users mainly located in India.

    “In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users,” security researcher Vanja Svajcer said. “Linux users are not targeted in these latest campaigns.”

    PylangGhost, like its Golang counterpart, establishes contact with a C2 server to receive commands that enable the attackers to remotely control the infected machine, download/upload files, as well as steal cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets.

    “It is not clear […] why the threat actors decided to create two variants using a different programming language, or which was created first,” Talos remarked. “The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.”



    Source: thehackernews.com…

  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session

    Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session

    Jun 19, 2025 | The Hacker News | Cybersecurity / Threat Hunting

    Most cyberattacks today don’t start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts.

    It’s called “Living Off Trusted Sites” (LOTS)—and it’s the new favorite strategy of modern attackers. Instead of breaking in, they blend in.

    Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide malicious code inside routine traffic, making it incredibly difficult for traditional defenses to detect them.

    And here’s the scary part: many security teams don’t even realize it’s happening—until it’s too late.

    Why You’re Not Seeing These Attacks

    LOTS tactics don’t look suspicious at first glance. There’s no malware signature to flag, and no unusual IP address to trace. It’s legitimate traffic—until it’s not.

    Attackers are exploiting:

    • Common business tools like Teams, Zoom, and GitHub
    • Shortened or vanity URLs to redirect users
    • Trusted cloud services to host malicious payloads

    In short, they’re using your trust against you.

    What You’ll Learn in This Free Webinar

    Join Zscaler’s top threat hunters for “Threat Hunting Insights from the World’s Largest Security Cloud“—a must-attend webinar revealing how stealthy LOTS attacks are detected and stopped in real time. Get frontline tactics to outsmart threats hiding in trusted tools.

    You’ll discover:

    • 🔍 The latest LOTS attack techniques seen in real environments
    • 🛠️ How threat hunters caught stealthy attackers hiding inside “normal” traffic
    • 🚨 What trusted tools are being misused right now by threat actors
    • 🔐 Simple, proven ways to improve LOTS detection and reduce risk
    • 🔭 What’s coming next: trends shaping the future of stealth-based attacks

    This session is for anyone responsible for defending their organization—whether you’re a security leader trying to stay ahead of evolving threats, a threat hunter sharpening your detection skills, or part of an IT or SOC team overwhelmed by false positives and stealthy attacks. If your company relies on SaaS apps, cloud platforms, or collaborative tools, you’re already a target—and LOTS tactics are designed to slip past unnoticed.

    Watch this Webinar

    Attackers today aren’t trying to break in—they’re blending in. By hiding inside trusted tools and platforms, they bypass traditional defenses and operate in plain sight. This webinar gives you rare access to real-world detection stories and techniques from experts who analyze trillions of security signals every day inside the world’s largest inline security cloud.

    Reserve your seat now to gain exclusive frontline insights, proven tactics, and smarter strategies that could save your team hours—and stop attacks before they succeed.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

    Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

    Jun 19, 2025 | Ravie Lakshmanan | Email Security / Identity Protection

    Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims’ emails.

    Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.

    “From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs),” GTIG researchers Gabby Roncone and Wesley Shields said.

    “Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox.”


    The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliated with the Russian state-sponsored hacking group called APT29 (aka BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, ICECAP, Midnight Blizzard, and The Dukes).

    The social engineering unfolds over a span of several weeks to establish rapport with targets, rather than induce a sense of pressure or urgency that may have otherwise raised suspicion.

    This involves sending benign phishing emails disguised as meeting invitations that include no fewer than four different fictitious “@state.gov” email addresses in the CC line to lend them a veneer of credibility.

    “A target might reason ‘if this isn’t legitimate, surely one of these State Department employees would say something, especially if I reply and keep them on the CC line,’” the Citizen Lab said.

    “We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist.”

    This indicates that these attacks are meticulously planned and executed to trick victims into parting with a 16-digit passcode that gives the adversary permission to access their mailbox under the pretext of enabling “secure communications between internal employees and external partners.”

    Google describes these app passwords as a way to give a less secure app or device the ability to access a user’s Google account that has two-factor authentication (2FA) enabled.

    “When you use 2-Step Verification, some less secure apps or devices may be blocked from accessing your Google account,” per the company. “App passwords are a way to let the blocked app or device access your Google account.”

    The initial messages are designed to elicit a response from the target to set up a meeting, after which they are sent a PDF document that lists a series of steps to create an app password in order to securely access a fake Department of State cloud environment and share the code with them.

    “The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence,” GTIG said. “This method also allows the attackers to have persistent access to accounts.”

    Google said it observed a second campaign bearing Ukrainian themes, and that the attackers logged into victim accounts mainly using residential proxies and VPS servers to evade detection. The company said it has since taken steps to secure the accounts compromised by the campaigns.


    UNC6293’s ties to APT29 stem from a series of similar social engineering attacks that have leveraged novel techniques like device code phishing and device join phishing to gain unauthorized access to Microsoft 365 accounts since the start of the year.

    Device join phishing is particularly noteworthy because it tricks victims into sending back to the attackers a Microsoft-generated OAuth code that is then used to hijack their accounts.

    “Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing a valid authorization code,” Microsoft revealed last month.

    “When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant.”

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Meta Adds Passkey Login Support to Facebook for Android and iOS Users

    Jun 19, 2025 | Ravie Lakshmanan | Mobile Security / Passwordless

    Meta Platforms on Wednesday announced that it’s adding support for passkeys, the passwordless sign-in standard developed by the FIDO Alliance and the W3C, on Facebook.

    “Passkeys are a new way to verify your identity and log in to your account that’s easier and more secure than traditional passwords,” the tech giant said in a post.

    Support for passkeys is expected to be available “soon” on Android and iOS mobile devices. The feature is also coming to its Messenger platform in the coming months.

    The company said passkeys can also be used to auto-fill payment information when making purchases using Meta Pay.


    Meta previously rolled out passkeys support for WhatsApp on Android in October 2023, and on iOS a few months later in April 2024. There is no word yet on when it plans to bring passkeys to Instagram.

    Passkeys, backed by the FIDO Alliance, are a passwordless authentication method built on FIDO2/WebAuthn public-key credentials: the private key stays on the user’s device (or in a synced credential manager), the site holds only the public key, and the user unlocks the key with a biometric or the device lock PIN. Because the browser scopes each credential to the site it was registered for, a passkey cannot be used on a lookalike phishing domain, and there is no shared secret for a breached server to leak.

    “Passkeys are an upgrade in security compared to traditional passwords and one-time SMS codes because they are resistant to guessing or theft by malicious websites or scam links, making them effective against phishing and password spraying attacks,” Meta said.
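    To make the phishing-resistance claim concrete, the following Python sketches the relying-party (server) side checks on a WebAuthn assertion. This is an added example written for this page, not Meta’s or the FIDO Alliance’s code. The RP ID `facebook.com`, the allowed origins, the challenge bytes and the assertion contents are all constructed for illustration; verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` is left to the server’s crypto library and is not shown.

```python
"""Relying-party checks on a passkey/WebAuthn assertion.

Added example, not Meta's or the FIDO Alliance's code. RP ID, origins,
challenge and assertion bytes are constructed for illustration. The
signature check over authenticatorData || SHA-256(clientDataJSON) is
done by the server's crypto library and is not shown here.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "facebook.com"                           # assumed RP ID
ALLOWED_ORIGINS = {"https://www.facebook.com",   # assumed origins
                   "https://m.facebook.com"}
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or device PIN)

# Constructed challenge; a real server draws secrets.token_bytes(32) per login.
SAMPLE_CHALLENGE = bytes(range(32))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID,
                    sign_count: int = 1, uv: bool = True) -> dict:
    """Constructed stand-in for what the browser returns from
    navigator.credentials.get(): clientDataJSON carries the page's real
    origin; authenticatorData starts with SHA-256(rpId) || flags || signCount."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = FLAG_UP | (FLAG_UV if uv else 0)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     stored_sign_count: int, require_uv: bool = True):
    """Return (ok, reason, new_sign_count), following the WebAuthn section 7.2
    verification steps apart from the signature check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_sign_count
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")),
                               expected_challenge):
        return False, "challenge mismatch (stale or replayed)", stored_sign_count
    origin = cd.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed", stored_sign_count
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short", stored_sign_count
    if not hmac.compare_digest(ad[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch", stored_sign_count
    flags = ad[32]
    if not flags & FLAG_UP:
        return False, "user not present", stored_sign_count
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required", stored_sign_count
    sign_count = struct.unpack(">I", ad[33:37])[0]
    # Synced passkeys may always report 0; only compare when either side is nonzero.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase", stored_sign_count
    return True, "ok", sign_count


def demo() -> dict:
    """A legitimate login versus what a phishing page could produce."""
    ch = SAMPLE_CHALLENGE
    cases = {
        "real site": build_assertion("https://www.facebook.com", ch),
        # The browser fills in the true origin; a lookalike page cannot forge it.
        "lookalike origin": build_assertion("https://www.faceb00k.com", ch),
        # A credential scoped to the lookalike's RP ID carries a different rpIdHash.
        "lookalike rp id": build_assertion("https://www.facebook.com", ch, rp_id="faceb00k.com"),
        # A counter that does not advance suggests a cloned or replayed authenticator.
        "replayed counter": build_assertion("https://www.facebook.com", ch, sign_count=3),
    }
    stored = {"replayed counter": 7}
    return {name: verify_assertion(a, ch, stored.get(name, 0))[:2]
            for name, a in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18} -> {'accept' if ok else 'reject'}: {reason}")
```

    Only the first case is accepted. The origin and rpIdHash checks are what the passkey model adds over passwords: the browser, not the user, decides which origin and RP ID go into the signed data, so a convincing lookalike domain cannot obtain an assertion that the real site will accept.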

    Last month, Microsoft made passkeys the default sign-in method for new consumer accounts. More recently, Apple previewed upcoming changes to its Passwords app that allow users to import and export passkeys between participating credential manager apps across iOS, iPadOS, macOS, and visionOS 26.



    Source: thehackernews.com…