Tag: Cyber Threats

Oct 11, 2025Ravie LakshmananNetwork Security / Vulnerability

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.

The threat actor’s use of the security utility was documented by Sophos last month. It’s assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that’s susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.

In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely launch programs using the SMB protocol.

Prior to data exfiltration and dropping Warlock, LockBit, and Babuk, the adversary has been found to modify Active Directory (AD) Group Policy Objects (GPOs), turn off real-time protection to tamper with system defenses, and evade detection. The findings mark the first time Storm-2603 has been linked to the deployment of Babuk ransomware.

Rapid7, which maintains Velociraptor after acquiring it in 2021, previously told The Hacker News that it’s aware of the misuse of the tool, and that it can also be abused when in the wrong hands, just like other security and administrative tools.

“This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities,” Christiaan Beek, Rapid7’s senior director of threat analytics, said in response to the latest reported attacks.

According to Halcyon, Storm-2603 is believed to share some connections to Chinese nation-state actors owing to its early access to the ToolShell exploit and the emergence of new samples that exhibit professional-grade development practices consistent with sophisticated hacking groups.

The ransomware crew, which first emerged in June 2025, has since used LockBit as both an operational tool and a development foundation. It’s worth noting that Warlock was the final affiliate registered with the LockBit scheme under the name “wlteaml” before LockBit suffered a data leak a month before.

“Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the company said. “Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews.”

Halcyon also pointed out the threat actor’s 48-hour development cycles for feature additions, reflective of structured team workflows. This centralized, organized project structure suggests a team with dedicated infrastructure and tooling, it added.

Other notable aspects that suggest ties to Chinese state-sponsored actors include –

• Use of operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms
• The compilation of ransomware payloads at 22:58-22:59 China Standard Time and packaging them into a malicious installer at 01:55 the next morning
• Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, suggesting cohesive command-and-control (C2) operations and not opportunistic infrastructure reuse

A deeper examination of Storm-2603’s development timeline has uncovered that the threat actor established the infrastructure for AK47 C2 framework in March 2025, and then created the first prototype of the tool the next month. In April, it also pivoted from LockBit-only deployment to dual LockBit/Warlock deployment within a span of 48 hours.

While it subsequently registered as a LockBit affiliate, work continued on its own ransomware until it was formally launched under the Warlock branding in June. Weeks later, the threat actor was observed leveraging the ToolShell exploit as a zero-day while also deploying Babuk ransomware starting July 21, 2025.

“The group’s rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks,” Halcyon said.

Oct 10, 2025Ravie LakshmananSaaS Security / Threat Intelligence

A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

“Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence team said in a report.

However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.

What makes the attacks notable is that they don’t exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route them to accounts managed by the threat actors.

In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails that are designed to harvest their credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO).

The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles. This includes altering the salary payment configuration to redirect future salary payments to accounts under their control.

To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What’s more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities.

Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links.

To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.

Oct 10, 2025Ravie LakshmananRansomware / Data Theft

Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js’ Single Executable Application (SEA) feature as a way to distribute its payloads.

According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It’s assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord.

SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.

“Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.

On a dedicated website, the threat actors behind Stealit claim to offer “professional data extraction solutions” via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.

Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license. The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99.

The fake executables contain an installer that’s designed to retrieve the main components of the malware retrieved from a command-and-control (C2) and install them, but note that before performing a number of anti-analysis checks to ensure it’s running inside a virtual or sandboxed environment.

A crucial aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%cache.json file. This key is used to authenticate with the C2 server, as well as by subscribers to log in to the dashboard in order to likely monitor and control their victims.

The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components is not flagged. The functions of the three executables are as follows –

• save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It’s designed to drop a tool named “cache.exe” – which is part of open-source project ChromElevator – to extract information from Chromium-based browsers.
• stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
• game_cache.exe, which is designed to set up persistence on the host by launching its upon system reboot by creating a Visual Basic script and communicating with the C2 server to stream a victim’s screen in real-time, execute arbitrary commands, download/upload files, and change desktop wallpaper.

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed,” Fortinet said. “Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”

Oct 10, 2025Ravie LakshmananVulnerability / Network Security

Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that’s assessed to have come under active exploitation since at least September 11, 2025.

The company said it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious activity” related to the flaw.

That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident.

A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15. Three days later, a CVE for the vulnerability was formally published, it added.

“The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet,” Fortra said. “Other web-based components of the GoAnywhere architecture are not affected by this vulnerability.”

However, it conceded that there are a “limited number of reports” of unauthorized activity related to CVE-2025-10035. As additional mitigations, the company is recommending that users restrict admin console access over the internet, as well as enable monitoring and keep software up-to-date.

CVE-2025-10035 concerns a case of deserialization vulnerability in the License Servlet that could result in command injection without authentication. In a report earlier this week, Microsoft revealed that a threat it tracks as Storm-1175 has been exploiting the flaw since September 11 to deploy Medusa ransomware.

That said, there is still no clarity on how the threat actors managed to obtain the private keys needed to exploit this vulnerability.

“The fact that Fortra has now opted to confirm (in their words) ‘unauthorized activity related to CVE-2025-10035’ demonstrates yet again that the vulnerability was not theoretical and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” watchTowr CEO and founder Benjamin Harris said.

The SOC of 2026 will no longer be a human-only battlefield. As organizations scale and threats evolve in sophistication and velocity, a new generation of AI-powered agents is reshaping how Security Operations Centers (SOCs) detect, respond, and adapt.

But not all AI SOC platforms are created equal.

From prompt-dependent copilots to autonomous, multi-agent systems, the current market offers everything from smart assistants to force-multiplying automation. While adoption is still early— estimated at 1–5% penetration according to Gartner—the shift is undeniable. SOC teams must now ask a fundamental question: What type of AI belongs in my security stack?

The Limits of Traditional SOC Automation

Despite promises from legacy SOAR platforms and rule-based SIEM enhancements, many security leaders still face the same core challenges:

• Analyst alert fatigue from redundant low-fidelity triage tasks
• Manual context correlation across disparate tools and logs
• Disjointed and static detection and response workflows
• Loss of institutional knowledge during turnover or tool migration

Automation promised to solve this—but often came with its own overhead: engineering-intensive setups, brittle playbooks, and limited adaptability to nuanced environments.

From Co-Pilots to Cognitive Agents: The Shift to Mesh Agentic Architectures

Many AI-enabled SOC platforms rely on Large Language Models (LLMs) in a co-pilot format: they summarize alerts, generate reports, or offer canned queries – but require constant human prompting. This model delivers surface-level speed, but not scale.

The most advanced platforms go further by introducing mesh agentic architectures—a coordinated system of AI agents, each responsible for specialized SOC functions such as triage, threat correlation, evidence assembly, and incident response.

Rather than a single model responding to prompts, these systems autonomously distribute tasks across AI agents, continuously learning from organizational context, analyst actions, and environmental telemetry.

7 Core Capabilities That Define the Leading AI SOC Platforms

In reviewing today’s AI SOC landscape, seven defining characteristics consistently separate signal from noise:

Visit Conifers.ai to request a demo and experience how CognitiveSOC may be the right AI SOC platform for your modern SOC.

Oct 10, 2025Ravie LakshmananCybercrime / Malware

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.

The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.

“While the packages’ randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure,” security researcher Kush Pandya said.

The packages have been found to use npm’s public registry and unpkg.com’s CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety’s Paul McCarty late last month.

Specifically, the library comes fitted with a Python file named “redirect_generator.py” to programmatically create and publish an npm package with the name “redirect-xxxxxx,” where “x” refers to a random alphanumeric string. The script then injects a victim’s email address and custom phishing URL into the package.

Once the package is live on the npm registry, the “malware” proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., “unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js”). The threat actor is said to be taking advantage of this behavior to distribute HTML payloads that, when opened, load JavaScript from the UNPKG CDN and redirect the victim to Microsoft credential harvesting pages.

The JavaScript file “beamglea.js” is a redirect script that includes the victim’s email address and the URL to which the victim is navigated in order to capture their credentials. Socket said it found more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents.

In other words, the npm packages are not designed to execute malicious code upon installation. Instead, the campaign leverages npm and UNPKG for hosting the phishing infrastructure. It’s currently not clear how the HTML files are distributed, although it’s possible they are propagated via emails that trick recipients into launching the specially crafted HTML files.

“When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment,” Socket said.

“The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack’s success rate by reducing victim suspicion.”

The findings once again highlight the ever-evolving nature of threat actors who are constantly adapting their techniques to stay ahead of defenders, who are also constantly developing new techniques to detect them. In this case, it underscores the abuse of legitimate infrastructure at scale.

“The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector,” Pandya said. “Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.”

“By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm’s open registry, unpkg.com’s automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.”

Oct 10, 2025Ravie LakshmananVulnerability / Zero-Day

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.

The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.

Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.

It’s worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation.

CVE-2025-11371, per Huntress, “allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability. Additional details of the flaw are being withheld in light of active exploration and in the absence of a patch.

In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers could exploit earlier versions and use the hard-coded machine key to execute code remotely via the ViewState deserialization flaw.

In the interim, users are recommended to disable the “temp” handler within the Web.config file for UploadDownloadProxy located at “C:Program Files (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config.”

“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.

Oct 10, 2025Ravie LakshmananVulnerability / Threat Intelligence

Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday.

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. “Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. Google said it found evidence of additional suspicious activity dating back to July 10, 2025, although how successful these efforts were remains unknown. Oracle has since issued patches to address the shortcoming.

Cl0p (aka Graceful Spider), active since 2020, has been attributed to the mass exploitation of several zero-days in Accellion legacy file transfer appliance (FTA), GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom over the years. While phishing email campaigns undertaken by the FIN11 actors have acted as a precursor for Cl0p ransomware deployment in the past, Google said it found signs of the file-encrypting malware being a different actor.

The latest wave of attacks began in earnest on September 29, 2025, when the threat actors kicked off a high-volume email campaign aimed at company executives from hundreds of compromised third-party accounts belonging to unrelated organizations. The credentials for these accounts are said to have been purchased on underground forums, presumably through the purchase of infostealer malware logs.

The email messages claimed the actor had breached their Oracle EBS application and exfiltrated sensitive data, demanding that they pay an unspecified amount as ransom in return for not leaking the stolen information. To date, none of the victims of the campaign have been listed on the Cl0p data leak site – a behavior that’s consistent with prior Cl0p attacks where the actors waited for several weeks before posting them.

The attacks themselves leverage a combination of Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass, and XSL template injection, to gain remote code execution on the target Oracle EBS server and set up a reverse shell.

Sometime around August 2025, Google said it observed a threat actor exploiting a vulnerability in the “/OA_HTML/SyncServlet” component to achieve remote code execution and ultimately trigger an XSL payload via the Template Preview functionality. Two different chains of Java payloads have been found embedded in the XSL payloads –

• GOLDVEIN.JAVA, a Java variant of a downloader called GOLDVEIN (a PowerShell malware first detected in December 2024 in connection with the exploitation campaign of multiple Cleo software products) that can receive a second-stage payload from a command-and-control (C2) server.
• A Base64-encoded loader called SAGEGIFT custom designed for Oracle WebLogic servers that’s used to launch SAGELEAF, an in-memory dropper that’s then used to install SAGEWAVE, a malicious Java servlet filter that allows for the installation of an encrypted ZIP archive containing an unknown next-stage malware. (The main payload, however, has some overlaps with a cli module present in a FIN11 backdoor known as GOLDTOMB.)

The threat actor has also been observed executing various reconnaissance commands from the EBS account “applmgr,” as well as running commands from a bash process launched from a Java process running GOLDVEIN.JAVA.

Interestingly, some of the artifacts observed in July 2025 as part of incident response efforts overlap with an exploit leaked in a Telegram group named Scattered LAPSUS$ Hunters on October 3, 2025. However, Google said it does not have sufficient evidence to suggest any involvement of the cybercrime crew in the campaign.

The level of investment into the campaign suggests the threat actors responsible for the initial intrusion likely dedicated significant resources to pre-attack research, GTIG pointed out.

The tech giant said it’s not formally attributing the attack spree to a tracked threat group, although it pointed out the use of the Cl0p brand as notable. That said, it’s believed that the threat actor has an association with Cl0p. It also noted that the post-exploitation tooling exhibits overlaps with malware (i.e., GOLDVEIN and GOLDTOMB) used in a previous suspected FIN11 campaign, and that one of the breached accounts used to send the recent extortion emails was previously used by FIN11.

“The pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale, branded extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic benefits which may also appeal to other threat actors,” it said.

“Targeting public-facing applications and appliances that store sensitive data likely increases the efficiency of data theft operations, given that the threat actors do not need to dedicate time and resources to lateral movement.”

Oct 09, 2025Ravie LakshmananCyber Espionage / Artificial Intelligence

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL.

“The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations,” Volexity said in a Wednesday report. “The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload.”

Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German.

Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastructure, in some cases, which led to the deployment of malware. However, the follow-on waves have been described as “highly tailored,” in which the threat actors resort to building trust with recipients over time before sending the link – a technique called rapport-building phishing.

Irrespective of the approach used, the links lead to a ZIP or RAR archive that includes a rogue DLL payload that’s launched using DLL side-loading. The payload is an actively developed backdoor called GOVERSHELL. It’s worth noting that the activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch, with Volexity characterizing GOVERSHELL as a successor to a C++ malware family referred to as HealthKick.

As many as five distinct variants of GOVERSHELL have been identified to date –

• HealthKick (First observed in April 2025), which is equipped to run commands using cmd.exe
• TE32 (First observed in June 2025), which is equipped to execute commands directly via a PowerShell reverse shell
• TE64 (First observed in early July 2025), which is equipped to run native and dynamic commands using PowerShell to get system information, current system time, run command via powershell.exe, and poll an external server for new instructions
• WebSocket (First observed in mid-July 2025), which is equipped to run a PowerShell command via powershell.exe and an unimplemented “update” sub-command as part of the system command
• Beacon (First observed in September 2025), which is equipped to run native and dynamic commands using PowerShell to set a base polling interval, randomize it, or execute a PowerShell command via powershell.exe

Some of the legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, whereas the email messages have been identified as sent from Proton Mail, Microsoft Outlook, and Gmail.

A noteworthy aspect of UTA0388’s tradecraft is its use of OpenAI ChatGPT to generate content for phishing campaigns in English, Chinese, and Japanese; assist with malicious workflows; and search for information related to installing open-source tools like nuclei and fscan, as revealed by the AI company earlier this week. The ChatGPT accounts used by the threat actor have since been banned.

The use of a large language model (LLM) to augment its operations is evidenced in the fabrications prevalent in the phishing emails, ranging from the personas used to send the message to the general lack of coherence in the message content itself, Volexity said.

“The targeting profile of the campaign is consistent with a threat actor interested in Asian geopolitical issues, with a special focus on Taiwan,” the company added. “The emails and files used in this campaign leads Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases.”

The disclosure comes as StrikeReady Labs said a suspected China-linked cyber espionage campaign has targeted a Serbian government department related to aviation, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands.

The campaign, observed in late September, involves sending phishing emails containing a link that, when clicked, directs the victim to a fake Cloudflare CAPTCHA verification page that leads to the download a ZIP archive, within which there exists a Windows shortcut (LNK) file that executes PowerShell responsible for opening a decoy document and stealthily launching PlugX using DLL side-loading.

Oct 09, 2025Ravie LakshmananMobile Security / Malware

A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them.

“Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim’s device,” Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News.

The malware is also designed to propagate itself by sending malicious links to every contact in the victim’s phone book, indicating aggressive tactics on the part of the attackers to leverage compromised devices as a distribution vector.

The mobile security company said it has detected no less than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of obfuscation to sidestep detection efforts and stay ahead of security defenses. The malware name is a reference to the command-and-control (C2) panel that can be used to remotely administer the infected devices.

The attack chain involves redirecting unsuspecting visitors to these bogus sites to Telegram channels under the adversary’s control, from where they are tricked into downloading APK files by artificially inflating download counts and sharing manufactured testimonials as proof of their popularity.

In other cases, bogus websites claiming to offer “YouTube Plus” with premium features have been found to host APK files that can bypass security protections enforced by Google to prevent sideloading of apps on devices running Android 13 and later.

“To bypass platform restrictions and the added friction introduced in newer Android versions, some ClayRat samples act as droppers: the visible app is merely a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app’s assets,” the company said. “This session-based installation method lowers perceived risk and increases the likelihood that a webpage visit will result in spyware being installed.”

Once installed, ClayRat uses standard HTTP to communicate with its C2 infrastructure and requests users to make it the default SMS application to gain access to sensitive content and messaging functions, thereby allowing it to covertly capture call logs, text messages, notifications, and disseminate the malware further to every other contact.

Some of the other features of the malware include making phone calls, getting device information, taking pictures using the device camera, and sending a list of all installed applications to the C2 server.

ClayRat is a potent threat not only for its surveillance capabilities, but also for its ability to turn an infected device into a distribution node in an automated fashion, which enables the threat actors to expand their reach swiftly without any manual intervention.

The development comes as academics from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed apps from budget Android smartphones sold in Africa operate with elevated privileges, with one vendor-supplied package transmitting device identifiers and location details to an external third-party.

The study examined 1,544 APKs collected from seven African smartphones, finding that “145 applications (9%) disclose sensitive data, 249 (16%) expose critical components without sufficient safeguards, and many present additional risks: 226 execute privileged or dangerous commands, 79 interact with SMS messages (read, send, or delete), and 33 perform silent installation operations.”