Authors, Creators & Presenters: Heng Li (Huazhong University of Science and Technology), Zhiyuan Yao (Huazhong University of Science and Technology), Bang Wu (Huazhong University of Science and Technology), Cuiying Gao (Huazhong University of Science and Technology), Teng Xu (Huazhong University of Science and Technology), Wei Yuan (Huazhong University of Science and Technology), Xiapu Luo (The Hong Kong Polytechnic University)
PAPER
Automated Mass Malware Factory: The Convergence of Piggybacking and Adversarial Example in Android Malicious Software Generation
Adversarial example techniques have been demonstrated to be highly effective against Android malware detection systems, enabling malware to evade detection with minimal code modifications. However, existing adversarial example techniques overlook the process of malware generation, thus restricting the applicability of adversarial example techniques. In this paper, we investigate piggybacked malware, a type of malware generated in bulk by piggybacking malicious code into popular apps, and combine it with adversarial example techniques. Given a malicious code segment (i.e., a rider), we can generate adversarial perturbations tailored to it and insert them into any carrier, enabling the resulting malware to evade detection. Through exploring the mechanism by which adversarial perturbation affects piggybacked malware code, we propose an adversarial piggybacked malware generation method, which comprises three modules: Malicious Rider Extraction, Adversarial Perturbation Generation, and Benign Carrier Selection. Extensive experiments have demonstrated that our method can efficiently generate a large volume of malware in a short period, and significantly increase the likelihood of evading detection. Our method achieved an average attack success rate (ASR) of 88.3% on machine learning-based detection models (e.g., Drebin and MaMaDroid), and an ASR of 76% and 92% on commercial engines Microsoft and Kingsoft, respectively. Furthermore, we have explored potential defenses against our adversarial piggybacked malware.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Check Point is rolling out a new four-pillar cybersecurity strategy to give security teams an edge in the ongoing AI arms race with threat actors and is making three acquisitions that will play a critical role in getting it going.
Authors, Creators & Presenters: Jianwen Tian (Academy of Military Sciences), Wei Kong (Zhejiang Sci-Tech University), Debin Gao (Singapore Management University), Tong Wang (Academy of Military Sciences), Taotao Gu (Academy of Military Sciences), Kefan Qiu (Beijing Institute of Technology), Zhi Wang (Nankai University), Xiaohui Kuang (Academy of Military Sciences)
PAPER
Density Boosts Everything: A One-stop Strategy For Improving Performance, Robustness, And Sustainability of Malware Detectors
In the contemporary landscape of cybersecurity, AI-driven detectors have emerged as pivotal in the realm of malware detection. However, existing AI-driven detectors encounter a myriad of challenges, including poisoning attacks, evasion attacks, and concept drift, which stem from the inherent characteristics of AI methodologies. While numerous solutions have been proposed to address these issues, they often concentrate on isolated problems, neglecting the broader implications for other facets of malware detection. This paper diverges from the conventional approach by not targeting a singular issue but instead identifying one of the fundamental causes of these challenges, sparsity. Sparsity refers to a scenario where certain feature values occur with low frequency, being represented only a minimal number of times across the dataset. The authors are the first to elevate the significance of sparsity and link it to core challenges in the domain of malware detection, and then aim to improve performance, robustness, and sustainability simultaneously by solving sparsity problems. To address the sparsity problems, a novel compression technique is designed to effectively alleviate the sparsity. Concurrently, a density boosting training method is proposed to consistently fill sparse regions. Empirical results demonstrate that the proposed methodologies not only successfully bolster the model's resilience against different attacks but also enhance the performance and sustainability over time. Moreover, the proposals are complementary to existing defensive technologies and successfully demonstrate practical classifiers with improved performance and robustness to attacks.
Authors, Creators & Presenters: Dung Thuy Nguyen (Vanderbilt University), Ngoc N. Tran (Vanderbilt University), Taylor T. Johnson (Vanderbilt University), Kevin Leach (Vanderbilt University)
PAPER
PBP: Post-Training Backdoor Purification for Malware Classifiers
In recent years, the rise of machine learning (ML) in cybersecurity has brought new challenges, including the increasing threat of backdoor poisoning attacks on ML malware classifiers. These attacks aim to manipulate model behavior when provided with a particular input trigger. For instance, adversaries could inject malicious samples into public malware repositories, contaminating the training data and potentially misclassifying malware by the ML model. Current countermeasures predominantly focus on detecting poisoned samples by leveraging disagreements within the outputs of a diverse set of ensemble models on training data points. However, these methods are not applicable in scenarios involving ML-as-a-Service (MLaaS) or for users who seek to purify a backdoored model post-training. Addressing this scenario, we introduce PBP, a post-training defense for malware classifiers that mitigates various types of backdoor embeddings without assuming any specific backdoor embedding mechanism. Our method exploits the influence of backdoor attacks on the activation distribution of neural networks, independent of the trigger-embedding method. In the presence of a backdoor attack, the activation distribution of each layer is distorted into a mixture of distributions. By regulating the statistics of the batch normalization layers, we can guide a backdoored model to perform similarly to a clean one. Our method demonstrates substantial advantages over several state-of-the-art methods, as evidenced by experiments on two datasets, two types of backdoor methods, and various attack configurations. Our experiments showcase that PBP can mitigate even the SOTA backdoor attacks for malware classifiers, e.g., Jigsaw Puzzle, which was previously demonstrated to be stealthy against existing backdoor defenses. 
Notably, our approach requires only a small portion of the training data -- only 1% -- to purify the backdoor and reduce the attack success rate from 100% to almost 0%, a 100-fold improvement over the baseline methods.
Darktrace researchers caught a sample of malware that was created by AI and LLMs to exploit the high-profiled React2Shell vulnerability, putting defenders on notice that the technology lets even lesser-skilled hackers create malicious code and build complex exploit frameworks.
Last May, law enforcement authorities around the world scored a key win when they hobbled the infrastructure of Lumma, an infostealer that infected nearly 395,000 Windows computers over just a two-month span leading up to the international operation. Researchers said Wednesday that Lumma is once again “back at scale” in hard-to-detect attacks that pilfer credentials and sensitive files.
Lumma, also known as Lumma Stealer, first appeared in Russian-speaking cybercrime forums in 2022. Its cloud-based malware-as-a-service model provided a sprawling infrastructure of domains for hosting lure sites offering free cracked software, games, and pirated movies, as well as command-and-control channels and everything else a threat actor needed to run their infostealing enterprise. Within a year, Lumma was selling for as much as $2,500 for premium versions. By the spring of 2024, the FBI counted more than 21,000 listings on crime forums. Last year, Microsoft said Lumma had become the “go-to tool” for multiple crime groups, including Scattered Spider, one of the most prolific groups.
Takedowns are hard
The FBI and an international coalition of its counterparts took action early last year. In May, they said they seized 2,300 domains, command-and-control infrastructure, and crime marketplaces that had enabled the infostealer to thrive. Recently, however, the malware has made a comeback, allowing it to infect a significant number of machines again.
Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, researchers said.
“Every application using the compromised npm versions is at risk ….” the researchers, from security firm Socket, said Friday. “Direct impact includes complete wallet compromise and irreversible cryptocurrency theft. The attack scope includes all applications depending on the compromised versions and both developers testing with real credentials and production end-users."
Rome’s Sapienza University, Europe’s largest university by number of on-campus students, is grappling with a major IT outage following a cyberattack on La Sapienza that disrupted digital services across the institution. The La Sapienza cyberattack has forced the university to take critical systems offline as officials work to contain the incident and restore operations. The university publicly acknowledged the cyberattack on La Sapienza earlier this week through a social media statement, confirming that its IT infrastructure “has been the target of a cyberattack.” As an immediate response, Sapienza ordered a shutdown of its network systems “to ensure the integrity and security of data,” a decision that triggered widespread operational disruptions.
Updates to the La Sapienza Cyberattack
Sapienza University of Rome enrolls more than 112,500 students, making the impact of the outage particularly significant. Following the incident, university officials notified Italian authorities and established a dedicated technical task force to coordinate remediation and recovery efforts. As of the latest updates, the university’s official website remains offline, and recovery status updates have been communicated primarily through social media channels, including Instagram. To mitigate disruption to students, the university announced the creation of temporary in-person “infopoints.” These locations are intended to provide access to information normally available through digital systems and databases that remain unavailable due to the cyberattack on La Sapienza.
Cyberattack on La Sapienza Linked to BabLock Malware
While the university has not publicly confirmed the technical nature of the incident or identified those responsible, Italian newspaper Corriere Della Sera reports that the La Sapienza cyberattack bears the hallmarks of a ransomware operation. According to the outlet, the attack is allegedly linked to a previously unknown, pro-Russian threat actor known as “Femwar02.” The reporting suggests the attackers used BabLock malware, also referred to as Rorschach, based on observed malware characteristics and operational behavior. BabLock malware first emerged in 2023 and has attracted researchers' attention for its unusually fast encryption speeds and extensive customization capabilities. Sources cited by Corriere della Sera claim that the systems at Sapienza were encrypted and that a ransom demand exists. However, university staff reportedly have not opened the ransom note, as doing so would trigger a 72-hour countdown timer. As a result, the ransom amount has not been disclosed. This tactic, designed to pressure victims into rapid negotiations, is increasingly common in ransomware campaigns using BabLock malware.
Investigation and Recovery Efforts Continue
In response to the cyberattack on La Sapienza, university technicians are working alongside Italy’s national Computer Security Incident Response Team (CSIRT), specialists from the Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale. Their primary objective is to restore systems using backups, which, according to reports, were not affected by the attack. Italy’s national cybersecurity agency has confirmed that it is investigating the incident. However, neither Sapienza University nor Italian authorities have publicly verified whether the attack involved ransomware or whether any data was exfiltrated. This distinction is critical: encryption-only incidents primarily cause operational disruption, while confirmed data theft can trigger additional legal and regulatory obligations under the EU’s General Data Protection Regulation (GDPR).
Unit 42 researchers say an Asian threat group behind what they call the Shadow Campaigns has targeted government agencies in 37 countries in a wide-ranging global cyberespionage campaign that has involved phishing attacks and the exploitation of more than a dozen known vulnerabilities.
Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.
Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor that we have dubbed Chrysalis.
Figure 1: Telemetry on the custom backdoor samples
Beyond the discovery of the new implant, forensic evidence led us to uncover several custom loaders in the wild. One sample, “ConsoleApplication2.exe”, stands out for its use of Microsoft Warbird, a complex code protection framework, to hide shellcode execution. This blog provides a deep technical analysis of Chrysalis, the Warbird loader, and the broader tactic of mixing straightforward loaders with obscure, undocumented system calls.
Initial access vector: Notepad++ and update.exe
Forensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure. While reporting references both plugin replacement and updater-related mechanisms, no definitive artifacts were identified to confirm exploitation of either. The only confirmed behavior is that execution of “notepad++.exe” and subsequently “GUP.exe” preceded the execution of a suspicious process “update.exe” which was downloaded from 95.179.213.0.
Analysis of update.exe
Figure 2: Execution diagram of update.exe
Analysis of “update.exe” shows the file is actually an NSIS installer, a tool commonly used by Chinese APT groups to deliver an initial payload.
The following are the extracted NSIS installer files:
The installation script creates a new directory “Bluetooth” in the “%AppData%” folder, copies the remaining files there, changes the attribute of the directory to HIDDEN and executes BluetoothService.exe.
DLL sideloading
Shortly after the execution of BluetoothService.exe, which is actually a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading, a malicious log.dll was placed alongside the executable, causing it to be loaded instead of the legitimate library. Two exported functions from log.dll are called by Bitdefender Submission Wizard: LogInit and LogWrite.
LogInit and LogWrite - Shellcode load, decrypt, execute
LogInit loads BluetoothService into the memory of the running process.
LogWrite has a more sophisticated goal – to decrypt and execute the shellcode.
The decryption routine implements a custom runtime decryption mechanism used to unpack encrypted data in memory. It derives key material from a previously calculated hash value and applies a stream‑cipher‑like algorithm rather than standard cryptographic APIs. At a high level, the decryption routine relies on a linear congruential generator, with the standard constants 0x19660D and 0x3C6EF35F, combined with several basic data transformation steps to recover the plaintext payload.
Once decrypted, the payload replaces the original buffer and all temporary memory is released. Execution is then transferred to this newly decrypted stage, which is treated as executable code and invoked with a predefined set of arguments, including runtime context and resolved API information.
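As an added illustration (not code from the Rapid7 analysis, which does not reproduce the routine in full), the Python below shows how a 32-bit LCG with the two constants named above turns a single hash-derived seed into a keystream. The byte-extraction step (top byte of the state) and the plain XOR combination are assumptions standing in for the sample's "basic data transformation steps"; the point for an analyst is that the entire key material is one 32-bit seed, so reproducing the unpacker offline is feasible once the seed derivation is recovered from the loader.

```python
# Added illustration, not the sample's own routine: a 32-bit LCG with the
# observed constants used as a keystream generator.
MASK32 = 0xFFFFFFFF
LCG_MULTIPLIER = 0x19660D    # constant observed in the sample
LCG_INCREMENT = 0x3C6EF35F   # constant observed in the sample


def lcg_next(state: int) -> int:
    """One LCG step: state = state * a + c (mod 2^32)."""
    return (state * LCG_MULTIPLIER + LCG_INCREMENT) & MASK32


def lcg_keystream(seed: int, length: int) -> bytes:
    """Assumption: one keystream byte per step, taken from the top byte of the
    state (the low bits of a power-of-two-modulus LCG have very short periods)."""
    out = bytearray()
    state = seed & MASK32
    while len(out) < length:
        state = lcg_next(state)
        out.append(state >> 24)
    return bytes(out)


def lcg_xor(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream; symmetric, so it both encrypts and decrypts.
    In the sample the seed would be the hash value computed earlier."""
    return bytes(a ^ b for a, b in zip(data, lcg_keystream(seed, len(data))))


if __name__ == "__main__":
    # Constructed demo: a 32-bit seed standing in for the hash-derived key.
    blob = lcg_xor(b"constructed stage bytes", 0xDEADBEEF)
    print(lcg_xor(blob, 0xDEADBEEF))
```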
Figure 3: LogWrite internals
IAT resolution
Log.dll implements an API hashing subroutine to resolve required APIs during execution, reducing the likelihood of detection by antivirus and other security solutions.
API hashing subroutine
The hashing algorithm hashes export names using FNV‑1a (FNV‑1a offset basis 0x811C9DC5 and FNV‑1a prime 0x1000193 observed), then applies a MurmurHash‑style avalanche finalizer (Murmur constant 0x85EBCA6B observed), and compares the result to a salted target hash.
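An added example of analyst tooling (not the loader's own code): reproducing the two-stage export-name hash so a hash-to-name table can be generated offline from a DLL's export list, which is how one recovers which APIs the loader resolves. Only the FNV-1a constants and the first Murmur constant are confirmed by the analysis above; the remaining fmix32 steps use the textbook MurmurHash3 finalizer, and XOR-ing a 32-bit salt into the result is an assumption, since the write-up says the target hash is salted but not how. The export list is constructed for the demo.

```python
# Added example (analyst tooling, not the sample's code): rebuild the loader's
# export-name hash so a hash -> name table can be produced offline.
FNV_OFFSET_BASIS = 0x811C9DC5   # FNV-1a 32-bit offset basis observed in log.dll
FNV_PRIME = 0x01000193          # FNV-1a 32-bit prime observed in log.dll
MURMUR_C1 = 0x85EBCA6B          # MurmurHash3 fmix32 constant observed in log.dll
MURMUR_C2 = 0xC2B2AE35          # second fmix32 constant (textbook value; assumption)
MASK32 = 0xFFFFFFFF


def fnv1a32(data: bytes) -> int:
    """Plain 32-bit FNV-1a over the raw export-name bytes."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h = ((h ^ b) * FNV_PRIME) & MASK32
    return h


def murmur_fmix32(h: int) -> int:
    """MurmurHash3 avalanche finalizer (fmix32)."""
    h ^= h >> 16
    h = (h * MURMUR_C1) & MASK32
    h ^= h >> 13
    h = (h * MURMUR_C2) & MASK32
    h ^= h >> 16
    return h


def api_hash(export_name: str, salt: int = 0) -> int:
    """FNV-1a -> fmix32 -> salt. The write-up says the target hash is salted
    but not how; XOR-ing a 32-bit salt into the result is an assumption."""
    return murmur_fmix32(fnv1a32(export_name.encode("ascii"))) ^ (salt & MASK32)


def build_lookup(export_names, salt: int = 0) -> dict:
    """Precompute hash -> name for a list of exports (e.g. dumped from kernel32.dll)."""
    return {api_hash(name, salt): name for name in export_names}


def resolve(target_hash: int, table: dict):
    """Mimic the loader's comparison: return the export name, or None if unknown."""
    return table.get(target_hash)


# Constructed export list for the demo; a real run would feed in the export
# tables of the DLLs the loader touches.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "CreateThread"]

if __name__ == "__main__":
    for h, name in sorted(build_lookup(SAMPLE_EXPORTS).items()):
        print(f"{h:08x}  {name}")
```

With the salt recovered from the loader, the same table lets a hash pulled from the binary be matched against every export of the DLLs it loads, without running the sample.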
Analysis of the Chrysalis backdoor
The shellcode, once decrypted by log.dll, is a custom, feature-rich backdoor we've named “Chrysalis”. Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility. It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable. It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication. Overall, the sample looks like something that has been actively developed over time, and we’ll be keeping an eye on this family and any future variants that show up.
Decryption of the main module
Once execution is passed to the decrypted shellcode from log.dll, the malware starts with decryption of the main module via a simple combination of XOR, addition and subtraction operations, with the hardcoded key gQ2JR&9;. See below the pseudocode of the decryption routine:
    char XORKey[8] = "gQ2JR&9;";   // hardcoded 8-byte key
    DWORD counter = 0;             // bytes processed so far (also selects the key byte)
    DWORD pos = BufferPosition;    // start of the region being decrypted
    while (counter < size) {
        BYTE k = XORKey[counter & 7];   // key byte cycles every 8 positions
        BYTE x = encrypted[pos];
        x = x + k;                      // add, XOR, then subtract the same key byte
        x = x ^ k;
        x = x - k;
        decrypted[pos] = x;
        pos++;
        counter++;
    }
The XOR operation is performed 5 times in total, suggesting a section layout similar to the PE format. Following the decryption, the malware proceeds to yet another dynamic IAT resolution, using LoadLibraryA to acquire a handle to Kernel32.dll and GetProcAddress. Once exports are resolved, the jump is taken to the main module.
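As an added example (not code from the write-up), here is a Python port of the pseudocode above, plus a helper that applies it to several regions in turn, since the analysis notes five passes over what looks like a section layout. Because ((x + k) ^ k) - k undoes itself when applied twice, the same function serves as both encrypt and decrypt, which is also why the sample's own plaintext can be regenerated for testing without any second routine. The sample buffer and region offsets are constructed for the demo.

```python
# Added example, not from the write-up: Python port of the Chrysalis main-module
# decryption loop, plus a helper for applying it to several regions in turn.
MODULE_KEY = b"gQ2JR&9;"   # hard-coded 8-byte key from the sample


def decrypt_module(data: bytes, key: bytes = MODULE_KEY, start: int = 0, size=None) -> bytes:
    """Return a copy of data with data[start:start+size] transformed by
    x = ((x + k) ^ k) - k  (mod 256), k = key[counter % len(key)].
    For the 8-byte key this matches the pseudocode's `counter & 7`."""
    if size is None:
        size = len(data) - start
    out = bytearray(data)
    for counter in range(size):
        k = key[counter % len(key)]
        x = out[start + counter]
        x = (x + k) & 0xFF
        x ^= k
        x = (x - k) & 0xFF
        out[start + counter] = x
    return bytes(out)


def decrypt_regions(data: bytes, regions, key: bytes = MODULE_KEY) -> bytes:
    """Run the loop once per (offset, length) region, the way the sample runs it
    five times over its section-like layout. The region list is the caller's;
    the sample's real layout is not published in the write-up."""
    out = data
    for offset, length in regions:
        out = decrypt_module(out, key, offset, length)
    return out


# Constructed sample: the transform is an involution, so "encrypting" a plaintext
# is just running the same loop over it.
SAMPLE_PLAIN = b"MZ\x90\x00constructed-stage-bytes" + bytes(range(32))
SAMPLE_ENC = decrypt_module(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(decrypt_module(SAMPLE_ENC)[:4])   # first four bytes of the recovered buffer
```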
Main module
The decrypted module is a reflective PE-like module that executes the MSVC CRT initialization sequence before transferring control to the program’s main entry point. Once in the Main function, the malware will dynamically load DLLs in the following order: oleaut32.dll, advapi32.dll, shlwapi.dll, user32.dll, wininet.dll, ole32.dll and shell32.dll.
Names of targeted DLLs are constructed on the run, using two separate subroutines. These two subroutines implement a custom, position-dependent character obfuscation scheme. Each character is transformed using a combination of bit rotations, conditional XOR operations, and index-based arithmetic, ensuring that identical characters encrypt differently depending on their position. The second routine reverses this process at runtime, reconstructing the original plaintext string just before it is used. The purpose of these two functions is not only to conceal strings, but also to intentionally complicate static analysis and hinder signature-based detection.
After the DLL name is reconstructed, the Main module implements another, more sophisticated API hashing routine.
API hashing subroutine
Figure 4: API hashing diagram
The first difference between this and the API hashing routine used by the loader is that this subroutine accepts only a single argument: the hash of the target API. To obtain the DLL handle, the malware walks the PEB to reach the InMemoryOrderModuleList, then parses each module’s export table, skipping the main executable, until it resolves the desired API. Instead of relying on common hashing algorithms, the routine employs multi-stage arithmetic mixing with constants of MurmurHash-style finalization. API names are processed in 4-byte blocks using multiple rotation and multiplication steps, followed by a final diffusion phase before comparison with the supplied hash. This design significantly complicates static recovery of resolved APIs and reduces the effectiveness of traditional signature-based detection. As a fallback, the resolver supports direct resolution via GetProcAddress if the target hash is not found through the hashing method. The pointer to GetProcAddress is obtained earlier during the “main module preparation” stage.
Figure 5: API hashing internals
Config decryption
The next step in the malware’s execution is to decrypt the configuration. The encrypted configuration is stored in the BluetoothService file at offset 0x30808 with a size of 0x980. The decryption algorithm is RC4 with the key qwhvb^435h&*7. This revealed the following information:
Command and Control (C2) url: https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821
Name of the module: BluetoothService
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
The URL structure of the C2 is interesting, especially the section /a/chat/s/{GUID}, which appears to be the identical format used by Deepseek API chat endpoints. It looks like the actor is mimicking that traffic to stay below the radar.
The decrypted configuration doesn’t give much useful information besides the C2. The name of the module is too generic and the user agent is that of the Google Chrome browser. The URL resolves to 61.4.102.97, an IP address based in Malaysia. At the time of writing of this blog, no other file has been seen to communicate with this IP and URL.
Persistence and command-line arguments
To determine the next course of action, the malware checks the command-line arguments highlighted in Table 1 and chooses one of four potential paths. If the number of command-line arguments is greater than two, the process will exit. If there is no additional argument, persistence is set up primarily via service creation, or via the registry as a fallback mechanism.
See Table 2 below:
    Argument   Mode           Action
    (None)     Installation   Installs persistence (Service or Registry) pointing to the binary with the -i flag, then terminates.
    -i         Launcher       Spawns a new instance of itself with the -k flag via ShellExecuteA, then terminates.
    -k         Payload        Skips installation checks and executes the main malicious logic (C2 & Shellcode).
With the expected arguments present, the malware proceeds to its primary functionality - to gather information about the infected asset and initiate the communication with C2.
Information gathering and C2 communication
A mutex Global\\Jdhfv_1.0.1 is registered to enforce single-instance execution on the host. If it already exists, the malware terminates. If the check is clear, information gathering begins by querying for the following: current time, installed AVs, OS version, user name and computer name. Next, the computer name, user name, OS version and the string 1.01 are concatenated and the data is hashed using FNV-1a. This value is later turned into its decimal ASCII representation and most likely used as a unique identifier of the infected host.
Final buffer uses a dot as delimiter and follows this pattern:
The last piece of information, added to the beginning of the buffer, is the string 4Q. The buffer is then RC4 encrypted with the key vAuig34%^325hGV.
Following data encryption, the malware establishes an internet connection using the previously mentioned user agent and the C2 api.skycloudcenter.com over port 443. Data is then transferred via HttpSendRequestA using the POST method. The response from the server is then read into a temporary buffer which is later decrypted using the same key vAuig34%^325hGV.
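An added example serving both the config-decryption section above and the check-in procedure just described; it is analyst tooling, not the sample's code. It carves the RC4-encrypted configuration out of a BluetoothService-like image at the published offset and size, derives the host identifier the way the write-up describes, and encrypts or decrypts the beacon buffers with the second key. Assumptions: the three config values are NUL-terminated strings in the order listed above, the host-id fields are concatenated with no delimiter, and the sample image (including its placeholder C2 URL) is constructed for the demo rather than taken from the incident.

```python
# Added example (analyst tooling, not the sample's code): RC4 helpers for the
# Chrysalis configuration blob and the check-in / response buffers.
CONFIG_KEY = b"qwhvb^435h&*7"     # config RC4 key from the write-up
CONFIG_OFFSET = 0x30808           # offset of the encrypted config in BluetoothService
CONFIG_SIZE = 0x980               # size of the encrypted config
BEACON_KEY = b"vAuig34%^325hGV"   # RC4 key for the check-in buffer and C2 responses
MASK32 = 0xFFFFFFFF


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so one function covers both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(image: bytes, offset: int = CONFIG_OFFSET, size: int = CONFIG_SIZE,
                   key: bytes = CONFIG_KEY) -> dict:
    """Carve and decrypt the config. Assumption: the three values sit in the blob
    as NUL-terminated strings in the order the write-up lists them."""
    plain = rc4(key, image[offset:offset + size])
    fields = [f.decode("utf-8", "replace") for f in plain.split(b"\x00") if f]
    return dict(zip(("c2_url", "module_name", "user_agent"), fields))


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a, the hash the write-up names for the host identifier."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def host_id(computer_name: str, user_name: str, os_version: str) -> str:
    """Decimal ASCII of FNV-1a over the concatenated values (order per the
    write-up; joining with no delimiter is an assumption)."""
    return str(fnv1a32((computer_name + user_name + os_version + "1.01").encode()))


def encrypt_checkin(fields: bytes) -> bytes:
    """The '4Q' tag is prepended before RC4 with the beacon key."""
    return rc4(BEACON_KEY, b"4Q" + fields)


def decrypt_response(body: bytes) -> bytes:
    """C2 responses are RC4 under the same beacon key."""
    return rc4(BEACON_KEY, body)


def build_sample_image() -> bytes:
    """Constructed stand-in for BluetoothService with an RC4-encrypted config at
    CONFIG_OFFSET; the C2 URL is a placeholder, not the one from the incident."""
    plain = (b"https://c2.example.invalid/a/chat/s/00000000-0000-0000-0000-000000000000\x00"
             b"BluetoothService\x00"
             b"Mozilla/5.0 (constructed user agent)\x00").ljust(CONFIG_SIZE, b"\x00")
    return bytes(CONFIG_OFFSET) + rc4(CONFIG_KEY, plain) + bytes(64)


if __name__ == "__main__":
    print(decrypt_config(build_sample_image()))
    print(host_id("DESKTOP-TEST", "alice", "10.0.19045"))
```

Pointing decrypt_config at a real on-disk copy of BluetoothService with the published offset and size is the same call; for a captured C2 response, decrypt_response gives the plaintext whose leading two-byte tag selects the handler described in the next section.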
Response and command processing
Note: C2 server was already offline during the initial analysis, preventing recovery of any network data. As a result, and due to the complexity of the malware, parts of the following analysis may contain minor inaccuracies.
The response from the C2 undergoes multiple checks before further processing. First, the HTTP response code is compared against the hardcoded value 200 (0xC8), indicating a successful request, followed by a validation of the associated WinInet handle to ensure no error occurred. The malware then verifies the integrity of the received payload, and execution proceeds only if at least one valid structure is detected. Next, the malware looks into the response data for a small tag to determine what to do next. The tag is used as the condition for a switch statement with 16 possible cases. The default case simply sets a flag to TRUE, which results in jumping out of the switch entirely. The other switch cases are the following:
    Char representation   Hex representation   Purpose
    4T                    0x3454               Spawn interactive shell
    4U                    0x3455               Send ‘OK’ to C2
    4V                    0x3456               Create process
    4W                    0x3457               Write file to disk
    4X                    0x3458               Write chunk to open file
    4Y                    0x3459               Read & send data
    4Z                    0x345A               Break from switch
    4\                    0x345C               Uninstall / Clean up
    4]                    0x345D               Sleep
    4_                    0x345F               Get info about logical drives
    4`                    0x3460               Enumerate files information
    4a                    0x3661               Delete file
    4b                    0x3662               Create directory
    4c                    0x3463               Get file from C2
    4d                    0x3464               Send file to C2
4T - The malware implements a fully interactive cmd.exe reverse shell using redirected pipes. Incoming commands from the C2 are converted from UTF‑8 to the system OEM code page before being written to the shell’s standard input, while a dedicated thread continuously reads shell output, converts it from the OEM code page (obtained via the GetOEMCP API) to UTF‑8, and forwards the result back to the C2.
4V - This option allows remote process execution by invoking CreateProcessW on a C2-supplied command line and relaying the execution status back to the C2.
4W - This option implements a remote file write capability, parsing a structured response containing a destination path and file contents, converting encodings as necessary, writing the data to disk, and returning a formatted status message to the command-and-control server.
4X - Similar to the previous case, it supports a remote file-write capability, allowing the C2 to drop arbitrary files on the victim system by supplying a UTF-8 filename and an associated data blob.
4Y - This case implements a remote file-read capability. It opens the specified file, retrieves its size, reads the entire contents into memory, and transmits the data back to the C2.
4\ - This option implements a full self-removal mechanism. It deletes auxiliary payload files, removes persistence artifacts from both the Windows Service registry hive and the Run key, generates and executes a temporary batch file u.bat to delete the running executable after termination, and finally removes the batch script itself.
4_ - Here the malware enumerates information about logical drives using the GetLogicalDriveStringsA and GetDriveTypeA APIs and sends the information back to the C2.
4` - This switch option shares similarities with the previously analyzed data exfiltration function, 4Y. However, its primary purpose differs. Instead of transmitting pre-existing data, it enumerates files within a specified directory, collects per-file metadata (timestamps, size, and filename), serializes the results into a custom buffer format, and sends the aggregated listing to the C2.
4a - 4b - 4c - 4d - In the last four cases, the malware implements a custom file transfer protocol over its C2 channel. Commands 4a and 4b act as control messages used to initialize file download and upload operations respectively, including file paths, offsets, and size validation. Once initialized, the actual data transfer occurs in a chunked fashion using commands 4c (download) and 4d (upload). Each chunk is wrapped in a fixed-size 40-byte response structure, validated for successful HTTP status and correct structure count before processing. Transfers continue until the C2 signals completion via a non-zero termination flag, at which point file handles and buffers are released.
Additional artifacts discovered on the infected host
During the initial forensic analysis of the affected asset, Rapid7’s MDR team observed execution of the following command:
The retrieved folder “USOShared” from the infected asset didn’t contain svchost.exe, but it contained “libtcc.dll” and “conf.c”. The hash of the binary didn’t match any known legitimate version, but the command-line arguments and the associated “libtcc.dll” suggested that svchost.exe is in fact a renamed Tiny C Compiler. To confirm this, we replicated the attacker’s steps and successfully loaded the shellcode from “conf.c” into the memory of “tcc.exe”, confirming our hypothesis.
Analysis of conf.c
The C source file contains a fixed-size (836-byte) char buffer holding shellcode bytes, which is later cast to a function pointer and invoked. The shellcode is consistent with the 32-bit version of Metasploit’s block API.
The shellcode loads Wininet.dll using LoadLibraryA, resolves Internet-related APIs such as InternetConnectA and HttpSendRequestA, and downloads a file from api.wiresguard.com/users/admin. The file is read into a newly allocated buffer, and execution is then transferred to the start of the 2000-byte second-stage shellcode.
Figure 6: Shellcode decryption stub
This stub is responsible for decrypting the next payload layer and transferring execution to it. It uses a rolling XOR-based decryption loop before jumping directly to the decrypted code.
A quick look into the decrypted buffer revealed an interesting blob with a repeated string CRAZY, hinting at an additional XORed layer, later confirmed by a quick test.
Figure 7: Repeated XOR key “CRAZY”
Figure 8: Decrypted configuration
⠀
Parsing of the decrypted configuration data confirms that retrieved shellcode is Cobalt Strike (CS) HTTPS beaconwith http-get api.wiresguard.com/update/v1and http-post api.wiresguard.com/api/FileUpload/submit urls.
Analysis of the initial evidence revealed a consistent execution chain: a loader embedding Metasploit block_api shellcode that downloads a Cobalt Strike beacon. The unique decryption stub and configuration XOR key CRAZY allowed us to pivot into an external hunt, uncovering additional loader variants.
Figure 9: Execution flow followed by conf.c and other loaders
Variation of loaders and shellcode
In the last year, four similar files were uploaded to public repositories.
Of all the loaders we analyzed, Loader 3 piqued our interest for three reasons: its shellcode encryption technique, its execution method, and a C2 almost identical to that of the beacon found on the infected asset. All the previous samples used a fairly common technique to execute the shellcode: decrypt the embedded shellcode in user space, change the protection of the memory region to an executable state, and invoke the decrypted code via CreateThread/CreateRemoteThread. Loader 3 (original name “ConsoleApplication2.exe”) departs from this approach.
Analysis of Loader 3 - ConsoleApplication2.exe
At first glance, the logic of the sample is straightforward: load the DLL clipc.dll, overwrite its first 0x490 bytes, change the protection to PAGE_EXECUTE_READ (0x20), and then invoke NtQuerySystemInformation. Two points stand out here: the bytes copied into the memory region of clipc.dll are not valid shellcode, and NtQuerySystemInformation is documented as a function that “retrieves the specified system information”, not one that executes code.
Figure 10: Snippet from ConsoleApplication2.exe
Looking into the copied data reveals two “magic numbers”, DEADBEEF and CAFEAFE, but nothing else. Yet the shellcode somehow executes successfully, so what is going on?
Figure 11: Data copied into clipc.dll
According to the official documentation, the first parameter of NtQuerySystemInformation is of type SYSTEM_INFORMATION_CLASS, which specifies the category of system information to be queried. During static analysis in IDA Pro, this parameter was initially identified as SystemExtendedProcessInformation|0x80, but looking for this value in MSDN and other public references did not explain how execution was achieved. Searching for the raw value passed to the function (0xB9), however, uncovered something interesting. The following blog by DownWithUp covers Microsoft Warbird, which can be described as an internal code protection and obfuscation framework. These resources confirm that IDA misinterpreted the argument, which should be SystemCodeFlowTransition, the value required to invoke Warbird functionality. Additionally, DownWithUp's blog post lists the possible operations:
Figure 12: Warbird operations documented by DownWithUp
Referring to the snippet from “ConsoleApplication2.exe”, the operation is equal to WbHeapExecuteCall, which explains how the shellcode gained execution. Thanks to the work of other researchers, we also know that this technique only works if the code resides inside the memory of a Microsoft-signed binary, which reveals why clipc.dll was used. The blog post from cirosec also contains a link to their POC of this technique, which is an almost exact replica of “ConsoleApplication2.exe”, hinting that the author of “ConsoleApplication2.exe” simply copied it and modified it to execute Metasploit block_api shellcode instead of the benign calc from the POC. A comparison of the Cobalt Strike beacon configurations delivered via “conf.c” and “ConsoleApplication2.exe” revealed shared traits, most notably the domain, the public key, and the process injection technique.
Attribution to Lotus Blossom
Attribution is primarily based on strong similarities between the initial loader observed in this intrusion and previously published Symantec research, in particular the use of a renamed “Bitdefender Submission Wizard” to side-load “log.dll” for decrypting and executing an additional payload. In addition, the similarities between the execution chain of “conf.c” retrieved from the infected asset and the other loaders we found, supported by the same public key extracted from the CS beacons delivered through “conf.c” and “ConsoleApplication2.exe”, suggest with moderate confidence that the threat actor behind this campaign is likely Lotus Blossom.
Conclusion
The discovery of the Chrysalis backdoor and the Warbird loader highlights an evolution in Lotus Blossom's capabilities. While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and use of undocumented NtQuerySystemInformation functionality (Microsoft Warbird) mark a clear shift toward more resilient and stealthier tradecraft.
What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). This demonstrates that Lotus Blossom is actively updating their playbook to stay ahead of modern detection.
Rapid7 customers
InsightIDR and MDR
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Suspicious Process - Child of Notepad++ Updater (gup.exe) and Suspicious Process - Chrysalis Backdoor are two examples of deployed detections that will alert on behavior related to Chrysalis. Rapid7 will also continue to iterate detections as new variants emerge, giving customers continuous protection without manual tuning.
Intelligence Hub
Customers using Rapid7’s Intelligence Hub gain direct access to Chrysalis backdoor, Metasploit loaders and Cobalt Strike IOCs, including any future indicators as they are identified.
Indicators of compromise (IoCs)
File indicators
Rapid7 recommends updating to the latest version of Notepad++. In addition, the IoCs provided above and within Rapid7 Intelligence Hub can be used to hunt within your logs during the timeframe of June through November, 2025, as this is the timeframe when the backdoor activity is known to have been taking place.
Interested in learning more?
Catch Inside Chrysalis, Rapid7's webinar led by Christiaan Beek, on-demand via BrightTALK.
Explore StrongestLayer's threat intelligence report highlighting the rise of email security threats exploiting trusted platforms like DocuSign and Google Calendar. Learn how organizations can adapt to defend against these evolving cyber risks.
Two code injection vulnerabilities allowed unauthenticated attackers to execute arbitrary code and access sensitive device information across compromised networks.
Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile after discovering attackers exploited the flaws to compromise customer systems. The company confirmed a limited number of organizations fell victim to attacks leveraging CVE-2026-1281, which CISA added to its Known Exploited Vulnerabilities catalog with a February 1 remediation deadline for federal agencies.
The Code Injection Zero-Days
Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM's In-House Application Distribution and Android File Transfer Configuration features. Rated critical with CVSS scores of 9.8, the vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication.
"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti stated in its security advisory released Thursday. The company acknowledged it lacks sufficient information about the threat actors or comprehensive indicators of compromise due to the sophistication of the attacks.
The vulnerabilities affect only on-premises EPMM deployments and do not impact cloud-hosted Ivanti Neurons for Mobile Device Management, Ivanti Endpoint Manager, the Ivanti Sentry secure mobile gateway or any other Ivanti products. However, the company recommends organizations review Sentry logs alongside EPMM systems for potential lateral movement.
What Attackers Can Siphon
Successful exploitation grants attackers access to mobile device management infrastructure. Compromised EPMM appliances expose administrator and user credentials, including usernames and email addresses. Attackers gain visibility into managed mobile devices, accessing phone numbers, IP addresses, installed applications and device identifiers like IMEI and MAC addresses.
Organizations with location tracking enabled face additional exposure. Attackers accessing compromised systems can retrieve device location data including GPS coordinates and cellular tower information. More critically, attackers can leverage EPMM's API or web console to modify device configurations, including authentication settings.
Urgent Remediation Called For
Ivanti released RPM scripts providing temporary mitigation for affected EPMM versions. Organizations running versions 12.5.0.x, 12.6.0.x and 12.7.0.x should deploy RPM 12.x.0.x, while those operating versions 12.5.1.0 and 12.6.1.0 require RPM 12.x.1.x. The company emphasized that applying patches requires no downtime and causes no functional impact.
"If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM," Ivanti warned. "The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0," scheduled for release later in Q1 2026.
Organizations suspecting compromise should not attempt to clean affected systems. Ivanti recommends either restoring EPMM from known-good backups taken before exploitation occurred or rebuilding the appliance and migrating data to replacement systems. After restoration, administrators must reset passwords for local EPMM accounts, LDAP and KDC service accounts, revoke and replace public certificates, and reset passwords for all internal and external service accounts configured with EPMM.
The company's analysis guidance shows particular risks around Sentry integration. While EPMM can be restricted to demilitarized zones with minimal corporate network access, Sentry specifically tunnels traffic from mobile devices to internal network assets. Organizations should review systems accessible through Sentry for potential reconnaissance or lateral movement.
CISA Issues a Tight Two-Day Deadline
CISA's addition of CVE-2026-1281 to the KEV catalog triggers Binding Operational Directive 22-01 requirements. Federal civilian agencies must apply vendor mitigations or discontinue using vulnerable systems by February 1, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize remediation as part of vulnerability management practices.
Notably, CISA added only CVE-2026-1281 to the KEV catalog despite Ivanti confirming exploitation of both vulnerabilities. The agency has not explained this discrepancy.
The disclosure continues Ivanti's troubled 2025, which saw widespread exploitation of multiple zero-day vulnerabilities across its product portfolio. Security researchers previously linked EPMM attacks to sophisticated threat actors, with some incidents attributed to China-nexus advanced persistent threat groups.
These management platforms represent high-value targets because compromising them effectively transforms the system into enterprise-wide command-and-control infrastructure.
Organizations should apply patches immediately and conduct thorough security assessments of potentially compromised systems to prevent further damage from these actively exploited vulnerabilities.
ReversingLabs this week published a report that finds there was a 73% increase in the number of malicious open source packages discovered in 2025 compared with the previous year. More than 10,000 malicious open source packages were discovered, most of them npm (Node package manager) packages that cybercriminals were using to compromise software supply chains...
Malicious open source software packages have become a critical problem threatening the software supply chain.
That’s one of the major takeaways of a new report titled “State of the Software Supply Chain” by open source software security company Sonatype.
Sonatype said its researchers identified more than 454,600 new malicious packages last year across npm, PyPI, Maven Central, NuGet, and Hugging Face, repositories that together accounted for 9.8 trillion downloads.
Open source malware has evolved “from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” the researchers said.
“What stands out most about 2025 is not just the scale of the threat, but also the sophistication,” the report said. “Where 2024’s XZ Utils incident was groundbreaking, demonstrating how a single compromised maintainer could imperil global infrastructure, 2025 saw software supply chain risk evolve dramatically.”
npm Leads in Malicious Open Source Software Packages
More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically.
Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain.
IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.”
“Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said.
Open Source Malware Exploits Developer Processes
Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines.
“Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.”
The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell ... and Shai-Hulud to have ecosystem-wide impact.”
“The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact.
“Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.”
Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted.
“AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”
The DOJ indicted 31 people accused of participating in an ATM jackpotting scheme in which the venerable Ploutus malware was used to help steal more than $5 million from machines around the United States. In total, 87 people have been charged, with many connected to the Tren de Aragua Venezuelan crime syndicate.
Dependency management used to be a private embarrassment: an Ant script, a /lib folder, and classpath roulette. You could ship anyway, and the consequences mostly stayed inside your org.
A 149M-credential breach shows why encryption alone isn’t enough. Infostealer malware bypasses cloud security by stealing passwords at the endpoint—where encryption offers no protection.
Momentum is building in the fight against botnets, as network operators and law enforcement ramp up crackdowns on botnet infrastructure, malware, and bulletproof hosting providers. While major takedowns show progress, cybercriminals are still adapting — learn more in this latest edition of the Botnet Spotlight.
A new Android banking malware can launch ransomware attacks in addition to more typical activities like credential theft and user surveillance.
The “deVixor” remote access trojan (RAT) was detailed by Cyble researchers in a new blog post. While focused on Iranian banking users for now, the malware developer’s active Telegram channel suggests that the malware could eventually find wider use.
As Cyble noted, “The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation.”
“DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse,” the researchers added.
Android Banking Malware DeVixor’s Many Capabilities
The deVixor campaign has been active since October, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses promising deep discounts to lure users into downloading malicious APK files.
Cyble said its analysis of more than 700 samples “indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.”
DeVixor has evolved from basic SMS harvesting into a full-featured RAT that offers bank fraud, credential theft, ransomware, and device surveillance from a single platform.
The Android banking malware uses Firebase for command delivery and a Telegram-based bot infrastructure for administration, “allowing attackers to manage infections at scale and evade traditional detection mechanisms.”
Evolving from early versions that primarily focused on collecting PII and harvesting banking-related SMS messages, the malware has evolved rapidly, adding banking-related overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and exploitation of Android’s Accessibility Service.
The RAT uses a Telegram bot–based admin panel for issuing commands, and each APK deployed is assigned a unique Bot ID stored in a local port.json file, allowing the operator to monitor and control individual devices. Cyble listed nearly 50 commands that the malware can execute.
DeVixor can harvest OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges. It captures banking credentials by loading legitimate banking pages inside a WebView-based JavaScript injection.
The malware can also collect all device notifications, capture keystrokes, prevent uninstallation, hide its presence, harvest contacts, and take screenshots.
“Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations,” the researchers said.
“The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service,” Cyble said.
Android Ransomware
The Android banking malware also includes “a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments,” the researchers said.
After the RANSOMWARE command is issued, the malware receives the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the ransom demand.
Details are stored locally in a file called LockTouch.json, which retains the ransomware infection across device reboots. Based on screenshots posted on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays the ransom message “Your device is locked. Deposit to unlock,” along with the attacker’s TRON wallet address.
The malware also sends device identifiers and ransom-related details to the command and control (C&C) server to track victim status and compliance with demands.
Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use.
The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause.
“... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said.
Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.
Infostealers and No MFA Make Attacks Easy
The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:
Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”
“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime.
“Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).”
Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases.
“A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”
ownCloud Calls for Greater MFA Use
ownCloud responded to the report with a call for greater MFA use by clients.
In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.”
Stolen credentials from infostealer logs were “used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’”
ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said.
Recommended steps include:
Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
Resetting passwords for all users and requiring “strong, unique credentials”
Reviewing access logs for suspicious activity
Invalidating active sessions to force re-authentication with MFA
Just weeks after the devastating "Second Coming" campaign crippled thousands of development environments, the threat actor behind the Shai-Hulud worm has returned. Security researchers at Aikido have detected a new, evolved strain of the malware dubbed "The Golden Path," signaling that the most aggressive supply chain predator in the npm ecosystem is far from finished.
This latest iteration was first spotted over the weekend, embedded within the package @vietmoney/react-big-calendar. While the initial discovery suggests the attackers may still be in a "testing" phase with limited spread, the technical refinements found in the code point to a more resilient and cross-platform threat.
Evolution of a Predator
Shai-Hulud has long utilized a Dune-inspired theatrical flair, but its latest evolution suggests a shift in branding. In this new wave, stolen data is exfiltrated to GitHub repositories featuring a cryptic new description: "Goldox-T3chs: Only Happy Girl."
Technically, "The Golden Path" is a significant upgrade. Earlier versions of the worm struggled with Windows environments when attempting to self-propagate using the bun runtime. The new strain specifically addresses this, implementing cross-platform publishing capabilities that ensure the worm can spread regardless of the victim's operating system.
Researchers also noted a shift in file nomenclature—the malware now operates via bun_installer.js and environment_source.js—and features improved error handling for TruffleHog, the secret-scanning tool the worm uses to harvest AWS, GCP, and Azure credentials. By refining its timeout logic, the malware is now less likely to crash during high-latency scans, making its "smash-and-grab" operations more reliable.
A Legacy of Disruption
This isn't Shai-Hulud’s first rodeo. The group first made headlines in September 2025 when a massive campaign hit over 500 npm packages, including those belonging to cybersecurity giant CrowdStrike.
That initial strike was historically significant, resulting in the theft of an estimated $50 million in cryptocurrency and proving that even the most security-conscious organizations are vulnerable to upstream dependency hijacking.
In November, the "Second Coming" wave escalated the stakes by introducing a "dead man’s switch"—a destructive payload designed to wipe a user's home directory if the malware detected it had been cut off from its command-and-control (C2) servers.
The return of Shai-Hulud underscores a grim reality for modern DevOps: trust is a liability. By targeting the preinstall phase of npm packages, the malware executes before a developer even realizes a package is malicious.
"The differences in the code suggest that this was obfuscated again from the original source, not modified in place," Aikido researchers noted. "This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."
Relying on npm’s default security is no longer sufficient. Organizations are urged to adopt "Trusted Publishing," enforce strict lockfile integrity, and utilize package-aging tools that block the installation of brand-new, unvetted releases. In the world of Shai-Hulud, the only way to survive the desert is to stop trusting the ground beneath your feet.
By Salleh Kodri, Sr Presales consultant, Cyble
As 2025 comes to a close, one thing is clear to me: The most damaging cyber incidents across ASEAN this year did not start with malware, zero-days, or system breaches.
They started with trust.
Across my work in Malaysia, Singapore, Thailand, Indonesia, the Philippines, and Vietnam, I repeatedly saw organizations doing “everything right” from a technical security standpoint, yet still suffering real-world damage because their brand, identity, or executives were exploited.
2025 was the year many of us finally realized that brand is no longer a marketing concern. It is a cyber asset, and in ASEAN, it has become one of the most abused attack surfaces.
Malaysia: When Customers Were Hit Before Banks Even Knew
In Malaysia, I saw multiple cases where:
Fake banking websites and phishing pages were already circulating before the institution itself had any alert.
What struck me was this: There was no breach. No malware. No SOC alert.
The damage happened entirely outside the bank’s environment, through brand impersonation, fake domains, and social media abuse. By the time complaints reached the organization, trust had already eroded.
The lesson was painful but clear: If you only monitor what happens inside your network, you will always be late.
Singapore: Reputation Damage Moves Faster Than Regulation
In Singapore, the challenge was not capability, it was speed and exposure.
I observed:
Scam infrastructure spun up and taken down rapidly
Even in a highly regulated, mature environment, brand abuse moved faster than response processes.
What concerned stakeholders most was not technical impact, but public confidence. Once trust is questioned, no amount of post-incident explanation can fully undo the damage.
Singapore reinforced a critical truth for me in 2025: Cybersecurity maturity does not automatically protect digital reputation.
Thailand: Executive Impersonation Became the Weakest Link
In Thailand, the most alarming trend I encountered was executive identity abuse.
We saw:
Fake LINE and WhatsApp accounts impersonating senior leaders
Social media profiles cloning executives from banks and enterprises
Attempts to influence internal decisions using perceived authority
These were not sophisticated hacks. They were psychological attacks, exploiting hierarchy, respect, and urgency.
What made this dangerous was that traditional security tools had no visibility into it. The risk sat squarely at the intersection of human trust and digital identity, a space most security programs were not designed to defend.
Indonesia: Scale Made Brand Abuse a Business Model
Indonesia showed me what happens when scale meets weak visibility.
With its massive digital population, attackers exploited:
Fake mobile apps using trusted brand names
Clone domains targeting regional customers
Long-running scam campaigns that reused infrastructure
In several cases, takedown efforts were slow, not because teams didn’t care, but because they discovered the abuse far too late.
By the time action was taken, the attackers had already moved, rebranded, and relaunched elsewhere.
Indonesia highlighted something important: Brand abuse in ASEAN is not opportunistic, it is industrialized.
Philippines: Trust Was Exploited Through Familiarity
In the Philippines, what stood out to me was how attackers weaponized familiar communication channels.
We encountered:
Victims didn’t think they were being attacked.
They thought they were interacting with legitimate services.
The danger here wasn’t technology, it was perception. And perception is exactly what brand abuse manipulates best.
Vietnam: Digital Growth Outpaced Brand Defense
Vietnam’s rapid digital growth in 2025 came with an unintended consequence:
Brand exposure expanded faster than brand protection.
I observed:
New digital services being impersonated almost immediately
Fake pages and domains launched within days of public announcements
Limited monitoring beyond core infrastructure
Vietnam reminded me that digital transformation without intelligence-led visibility creates silent risk, especially when brand assets are treated as secondary concerns.
Why 2025 Changed My View on Cyber Risk in ASEAN
Across all these countries, one pattern kept repeating:
Yet real harm occurred—financial, reputational, and regulatory.
That was my biggest takeaway of 2025:
Cyber risk in ASEAN is no longer defined by system compromise alone.
It is defined by how easily trust can be abused.
Brand Is Now a Cyber Asset, Whether We Like It or Not
In 2025, I stopped asking: “Is this a cybersecurity issue?”
And started asking: “Does this harm trust, safety, or public confidence?”
Because once customers, citizens, or partners lose trust, recovery becomes exponentially harder than restoring a system from backup.
Brands, executives, and digital identities now require the same discipline we apply to networks and endpoints:
Continuous monitoring
Early intelligence
Rapid disruption
Clear ownership
Looking Into 2026: Trust Will Be the New Perimeter
As ASEAN continues to digitize, attackers will not slow down. They will go where defense is weakest, and in many organizations, that is still outside the firewall.
In 2026, the question will no longer be: “Are we secure?”
It will be: “Do we know how our brand, identity, and trust are being abused—right now?”
Those who answer that question honestly and act on it will be ahead.
Those who don’t will keep defending systems while attackers exploit perception.
Personal Closing
2025 changed how I see cybersecurity in ASEAN.
Not as a technology problem, but as a trust problem.
And trust, once lost, is the hardest asset to recover.
(This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)
Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers.
The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors.
“The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.
Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors
The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said.
“Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said.
The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.”
Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.”
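For analysts who run into the string reversal plus Base64 layering described above, the following is an added helper (not Cyble's code and not taken from any sample): it tries both layer orders, strictly validates the Base64, and reports only results that look like a PE image or a payload URL. The obfuscated inputs are constructed for the example; the URL uses the reserved example.invalid domain.

```python
import base64
import binascii

# Constructed samples: a fake PE-like blob and a placeholder URL, each Base64-encoded
# and then string-reversed, mirroring the two-layer obfuscation reported for the loader.
FAKE_PE = b"MZ" + b"\x90\x00" * 4 + b"constructed-pe-body-for-demo"
OBFUSCATED_PE = base64.b64encode(FAKE_PE).decode()[::-1]
PLACEHOLDER_URL = b"https://example.invalid/constructed/stage2.png"
OBFUSCATED_URL = base64.b64encode(PLACEHOLDER_URL).decode()[::-1]


def try_b64(text: str):
    """Strict Base64 decode; None if the text is not well-formed Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_candidates(text: str):
    """Every decoding order worth trying, since the layer order is unknown up front."""
    plain = try_b64(text)
    attempts = {
        "reverse_then_b64": try_b64(text[::-1]),
        "b64_then_reverse": plain[::-1] if plain else None,
        "b64_only": plain,
    }
    return {k: v for k, v in attempts.items() if v is not None}


def classify_blob(blob: bytes) -> str:
    """Cheap triage of a decoded blob: PE/.NET image, URL, other text, or binary."""
    if blob[:2] == b"MZ":          # DOS header of a PE/.NET assembly
        return "pe-image"
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    if text.lower().startswith(("http://", "https://")):
        return "url"
    return "text"


def recover(text: str):
    """Return (method, kind, blob) for each order that yields a PE image or a URL."""
    hits = []
    for method, blob in decode_candidates(text).items():
        kind = classify_blob(blob)
        if kind in ("pe-image", "url"):
            hits.append((method, kind, blob))
    return hits


if __name__ == "__main__":
    for sample in (OBFUSCATED_PE, OBFUSCATED_URL):
        for method, kind, blob in recover(sample):
            print(method, kind, blob[:40])
```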
Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.”
The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.”
The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said.
“The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.
Campaign Uses Obfuscation, UAC Bypass
The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass.
One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method.
The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.”
“The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.”
The campaign starts as a phishing campaign masquerading as standard Purchase Order communications.
Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.”
The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said.
The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes.
The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).
France is investigating whether “foreign interference” was behind remote access trojan (RAT) malware that was discovered on a passenger ferry.
The ferry malware was “capable of allowing the vessel's operating systems to be controlled remotely,” Le Monde reported today, citing the Interior Minister.
Interior Minister Laurent Nuñez told France Info radio that hacking into a ship's data-processing system “is a very serious matter ... Investigators are obviously looking into interference. Yes, foreign interference.”
Nuñez would not speculate if the attack was intended to interfere with the ship’s navigation and he did not specifically name Russia, but he said, "These days, one country is very often behind foreign interference."
The office of the Paris prosecutor said it had opened an investigation into a suspected attempt "by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”
Latvian Arrested in Ferry Malware Case
Two crew members, a Latvian and a Bulgarian, were detained after they were identified by Italian authorities, but the Bulgarian was later released.
The Latvian was arrested and charged after the malware was found on the Fantastic, a ferry with a capacity of 2,000 passengers owned by the Italian shipping company GNV, while the vessel was docked in France's Mediterranean port of Sète.
GNV said it had alerted Italian authorities, saying in a statement that it had "identified and neutralized an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences," France 24 reported.
Christian Cevaer, director of the France Cyber Maritime monitor, told AFP that any attempt to take control of a ship would be a "critical risk" because of "serious physical consequences" that could endanger passengers.
Cevaer said such an operation would likely require a USB key to install the software, which would require "complicity within the crew."
The investigation is being led by France's domestic intelligence service, the General Directorate for Internal Security (DGSI), as a sign of the importance of the case, France 24 said.
After the ship was cordoned off in the port, the DGSI inspected the Fantastic, “which led to the seizure of several items,” France 24 said.
After technical inspections ruled out any danger to passengers, the ship was cleared to sail again.
Searches were also conducted in Latvia with the support of Eurojust and Latvian authorities.
Meanwhile, the Latvian suspect’s attorney said the investigation “will demonstrate that this case is not as worrying as it may have initially seemed,” according to a quote from the attorney as reported by France 24.
Ferry Malware Follows French Interior Ministry Attack
The ferry malware incident closely follows a cyberattack on the French Interior Ministry’s internal email systems that led to the arrest of a 22-year-old man in connection with the attack.
The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files.
Nuñez described the incident as more serious than initially believed. Speaking to France Info radio, he said, “It’s serious. A few days ago, I said that we didn’t know whether there had been any compromises or not. Now we know that there have been compromises, but we don’t know the extent of them.”
Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information.
A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted.
Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.”
The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.
The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.”
The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.”
The infection chain starts with a dropper that appears to require the user to change a setting to allow installation of apps from that unknown source (image below), which leads to the secondary payload that contains the malware.
[Image: The Android malware DroidLock prompts users for installation permissions (Zimperium)]
Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said.
The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:
Wiping data from the device, “effectively performing a factory reset.”
Locking the device.
Changing the PIN, password or biometric information to prevent user access to the device.
Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”
DroidLock Malware Overlays
The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list.
The Android malware uses two primary overlay methods:
A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.
The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said.
The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server.
“This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said.
Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).
U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments.
“Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory.
Attacks have so far primarily targeted the government and IT sectors, the agencies said.
One PRC BRICKSTORM Malware Attack Lasted More Than a Year
CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said.
In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys.
The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said.
BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said.
BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic."
The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.
PRC Hackers Got Access via a Web Server
CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server.
“Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said.
On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit).
The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server.
From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys.
After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware.
The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/.
CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples.
CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor them for suspicious network connectivity; and use network segmentation to restrict network traffic from the DMZ to the internal network.
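One concrete check that follows from the init-file tampering described above: audit /etc/sysconfig/init for lines that execute something rather than set a variable, and diff it against a known-good copy. This is an added example, not code from the CISA advisory; the file contents and the appended file name are constructed placeholders, not real IOCs, and the assumption that the genuine file holds only variable assignments is taken from the advisory's description.

```python
import re
import sys

# Constructed stand-in for a vCenter /etc/sysconfig/init: a few boot-appearance
# variables (placeholder names), plus one appended line that runs a file from
# /etc/sysconfig/. The appended file name is a placeholder, not a real IOC.
CLEAN_BASELINE = """\
# init: console appearance during boot (constructed example)
BOOTUP=color
RES_COL=60
PROMPT=yes
"""
TAMPERED_INIT = CLEAN_BASELINE + "/etc/sysconfig/PLACEHOLDER_BACKDOOR_NAME &\n"

ASSIGNMENT = re.compile(r"^(export\s+)?[A-Za-z_][A-Za-z0-9_]*=")
SYSCONFIG_PATH = re.compile(r"/etc/sysconfig/\S+")


def suspicious_lines(text: str):
    """Return (line_no, reason, line) for lines that do more than set a variable.

    Comments and blank lines are skipped. Plain VAR=value lines are what the file
    is expected to hold, so they are flagged only when the value itself points at
    something under /etc/sysconfig/, the drop directory named in the advisory.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ASSIGNMENT.match(line):
            if SYSCONFIG_PATH.search(line):
                findings.append((no, "assignment references a /etc/sysconfig/ path", line))
            continue
        if SYSCONFIG_PATH.search(line):
            findings.append((no, "executes a file from /etc/sysconfig/ at boot", line))
        else:
            findings.append((no, "non-assignment line; review what it runs at boot", line))
    return findings


def added_since_baseline(current: str, baseline: str):
    """Non-blank lines present now that the known-good copy did not contain."""
    known = set(baseline.splitlines())
    return [line for line in current.splitlines() if line.strip() and line not in known]


def audit(current: str, baseline: str = None):
    """Both checks in one report; the baseline diff is included only when a baseline is given."""
    report = {"suspicious": suspicious_lines(current)}
    if baseline is not None:
        report["added"] = added_since_baseline(current, baseline)
    return report


if __name__ == "__main__":
    # On a live host: python audit_init.py /etc/sysconfig/init [known_good_copy]
    args = sys.argv[1:]
    if args:
        current = open(args[0]).read()
        baseline = open(args[1]).read() if len(args) > 1 else None
    else:
        current, baseline = TAMPERED_INIT, CLEAN_BASELINE
    report = audit(current, baseline)
    for no, reason, line in report["suspicious"]:
        print(f"line {no}: {reason}: {line}")
    for line in report.get("added", []):
        print(f"added since baseline: {line}")
```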
Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.
“This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today.
Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret.
“The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.
Linux Malware Combines Mirai Botnet with XMRig Cryptominer
Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote.
Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said.
The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems.
The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said.
After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination.
“A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said.
At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels.
“This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.
Fileless Cryptominer
In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process.
Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis.
“Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said.
That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host.
During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count.
The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).
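The two masquerading tricks in this campaign, a process renamed to systemd-logind and a miner stored as /tmp/.dbus-daemon, both leave a mismatch between what a process calls itself and where its binary actually lives. The following added example (not Cyble's code) walks /proc and flags those mismatches; the expected install directories are an assumption to adjust per distribution, and the sample process table, including the /var/tmp path for the bot, is constructed.

```python
import os
from dataclasses import dataclass

# Daemon names the sample is reported to imitate, mapped to the directory prefixes
# where the genuine binaries live on common distributions (assumption: adjust per OS).
EXPECTED_LOCATIONS = {
    "systemd-logind": ("/usr/lib/systemd/", "/lib/systemd/"),
    "dbus-daemon": ("/usr/bin/", "/bin/"),
}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcInfo:
    pid: int
    comm: str  # /proc/<pid>/comm; a process can rewrite this to "systemd-logind"
    exe: str   # target of /proc/<pid>/exe; "" if unreadable, " (deleted)" suffix if unlinked


def classify(p: ProcInfo):
    """Return the reasons a process looks masqueraded; an empty list means nothing odd."""
    reasons = []
    binary = p.exe.replace(" (deleted)", "")
    expected = EXPECTED_LOCATIONS.get(p.comm)
    if expected and not binary.startswith(expected):
        reasons.append(f"named {p.comm!r} but runs {binary or 'an unreadable binary'}")
    if binary.startswith(TEMP_DIRS):
        reasons.append("binary lives in a world-writable temp directory")
    if os.path.basename(binary).startswith("."):
        reasons.append("binary is a hidden dotfile")
    if p.exe.endswith(" (deleted)"):
        reasons.append("binary was deleted from disk while still running")
    return reasons


def find_masqueraders(procs):
    """Pair each suspicious process with its reasons."""
    flagged = []
    for p in procs:
        reasons = classify(p)
        if reasons:
            flagged.append((p, reasons))
    return flagged


def snapshot_proc(proc_root: str = "/proc"):
    """Read comm and exe for every process; root is needed to resolve other users' exe links."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(ProcInfo(pid, comm, exe))
    return procs


# Constructed process table mirroring the behaviours described above.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(712, "systemd-logind", "/usr/lib/systemd/systemd-logind"),  # genuine
    ProcInfo(4242, "systemd-logind", "/var/tmp/Mddos.x86_64"),           # renamed bot (path constructed)
    ProcInfo(4300, "dbus-daemon", "/tmp/.dbus-daemon"),                  # hidden miner
]

if __name__ == "__main__":
    for p, reasons in find_masqueraders(snapshot_proc()):
        print(p.pid, p.comm, p.exe, "->", "; ".join(reasons))
```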
Cyble researchers have identified a new NFC relay attack campaign targeting users in Brazil.
Dubbed “RelayNFC,” Cyble Research and Intelligence Labs (CRIL) researchers identified five phishing sites distributing the malicious app, which claims to secure payment cards. The malicious application captures the victim’s card details and relays them to attackers for fraudulent transactions.
The malware is also highly evasive and remains undetected by security tools.
NFC Relay Attack App Evades Security Tools
RelayNFC is a “lightweight yet highly evasive malware” because of its Hermes-compiled payload, Cyble said. Use of the JavaScript engine “makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server,” the researchers said.
VirusTotal detections of the NFC relay attack malware were at zero at publication time, “indicating very low visibility across the security ecosystem, and the code suggests a high likelihood of continued development,” they said.
RelayNFC uses a full real-time Application Protocol Data Unit (APDU) relay channel that enables attackers to complete transactions “as though the victim’s card were physically present.”
The researchers also identified a related variant that attempts to implement Host Card Emulation (HCE), suggesting that the threat actor is exploring other NFC relay techniques too.
Other malware strains exploiting Near-Field Communication (NFC) capabilities to intercept or relay contactless payment data have included Ngate, SuperCardX, and PhantomCard, suggesting a growing trend of NFC exploits, Cyble said.
RelayNFC Malware Relies on Phishing Sites
Distribution of RelayNFC relies entirely on phishing, tricking users into downloading the malware. The campaign uses a Portuguese-language page that prompts victims to install the malicious payment card security app (image below).
[Image: NFC relay attack phishing site (Cyble)]
The researchers identified five malicious sites distributing the app, “indicating a coordinated and ongoing operation targeting Brazilian users.” Those sites include:
maisseguraca[.]site
proseguro[.]site
test[.]ikotech[.]online
maisseguro[.]site
maisprotecao[.]site
RelayNFC appears to be a new variant built using the React Native framework and has been active for at least a month. The malware operates as a “reader,” the researchers said, capturing victim card data and relaying it to the attacker’s server. After installation, the app immediately displays a phishing screen that tells the user to tap their payment card on the device.
Once the card data has been read, RelayNFC displays another phishing screen that prompts the victim to enter their 4- or 6-digit PIN.
APDU Commands Turn Device Into ‘Remote NFC Reader’
The RelayNFC code is built around a relay channel that uses a persistent WebSocket connection to forward Application Protocol Data Unit (APDU) commands between the attacker’s server and the victim’s NFC subsystem, “effectively turning the infected device into a remote NFC ‘reader’ for the attacker,” the researchers said.
The NFC controller processes the command and generates a genuine APDU response, as the card would during a legitimate transaction. RelayNFC captures that output and returns it to the command-and-control server in an “apdu-resp” message, “preserving the original request ID and session ID so the attacker’s device can continue the EMV transaction seamlessly.”
“This real-time, bidirectional relay of APDU commands and responses is what enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal,” the researchers said.
“By combining phishing-driven distribution, React Native–based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” they said.
The researchers said their findings underscore the need for strong device-level protections, user awareness, and monitoring by financial institutions.
Security researchers have identified a new Android banking trojan that does much more than steal banking credentials. It can also record encrypted messages and essentially enables complete control of infected devices.
ThreatFabric researchers are calling the new Android malware “Sturnus.”
“A key differentiator is its ability to bypass encrypted messaging,” the researchers said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”
“Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices,” they said. “The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.”
So far the malware has been configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting that a broader campaign will follow.
“While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families,” they warned.
Android Malware Deploys Fake Login Screens
The trojan harvests banking credentials through “convincing fake login screens that replicate legitimate banking apps,” the researchers said.
The Android malware also offers attackers “extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge,” they warned.
The malware combines HTML overlays and keylogging to capture and exfiltrate user credentials and sensitive data. The overlay engine maintains a repository of phishing templates under /data/user/0/<malware_package>/files/overlays/, where each HTML file corresponds to a specific banking application. When an overlay is triggered, the malware launches a WebView configured with JavaScript, DOM storage, and a JavaScript bridge to intercept and forward any data the victim enters directly to the command and control (C2) server.
The malware also includes a full-screen “block overlay” that lets attackers hide their activities from victims by displaying a full-screen black overlay that blocks visual feedback while the malware operates in the background.
Beyond basic keystroke logging, the malware continuously monitors the device’s UI tree and sends structured logs that describe what is displayed on screen, which lets attackers reconstruct user activity even when screen capture is blocked or when network conditions prevent live video transmission. “Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft,” the researchers said.
Capturing Encrypted Messages
Sturnus also monitors the foreground app and automatically activates its UI tree collection when the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram.
“Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time,” the researchers said. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations.”
The ThreatFabric report also contained two SHA-256 hashes, the second of which is currently detected by 23 of 67 security vendors on VirusTotal:
045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5
0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d
The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.
Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.
NFC (Near Field Communication) is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the stolen data is sent over the network to the attackers’ servers rather than being relayed purely by radio.
NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.
So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.
The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.
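To make the static-versus-dynamic distinction concrete, here is an added example (not from the article, and a simplified model rather than the real EMV protocol) of an issuer-side check: the card computes a one-time code over a transaction counter, the amount and a timestamp, and the issuer rejects any counter it has already accepted and any code older than a short window. The secret, card id and window length are constructed demo values. Run on the three scenarios in `demo()`, it shows why a copied code fails on replay but a code relayed straight to an ATM is indistinguishable from the genuine tap.

```python
"""Toy model of why one-time NFC cryptograms resist copying but not relay.

Added example (not from the article). Simplified issuer-side check, not the
real EMV protocol: card and issuer share a secret, the card keeps a
transaction counter (atc), and the issuer rejects any counter it has already
seen and any cryptogram older than a short freshness window.
"""
import hashlib
import hmac

FRESHNESS_SECONDS = 60  # assumed validity window for a captured cryptogram

# Constructed demo values.
CARD_ID = "card-0001"
CARD_SECRET = b"constructed-demo-secret"
ISSUER_KEYS = {CARD_ID: CARD_SECRET}


def make_cryptogram(secret: bytes, atc: int, amount: int, ts: int) -> str:
    """Card side: MAC over counter, amount and time, so it changes every tap."""
    msg = f"{atc}|{amount}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    def __init__(self, keys):
        self.keys = keys
        self.last_atc = {}  # highest counter accepted per card

    def verify(self, card_id, atc, amount, ts, cryptogram, now):
        """Return (accepted, reason) for one presented transaction."""
        secret = self.keys.get(card_id)
        if secret is None:
            return False, "unknown card"
        if atc <= self.last_atc.get(card_id, -1):
            return False, "counter reuse (replay)"
        if now - ts > FRESHNESS_SECONDS:
            return False, "stale cryptogram"
        expected = make_cryptogram(secret, atc, amount, ts)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        self.last_atc[card_id] = atc
        return True, "ok"


def demo():
    """Three presentations of captured data, as in the NGate scenario."""
    issuer = Issuer(ISSUER_KEYS)
    crypt = make_cryptogram(CARD_SECRET, atc=7, amount=5000, ts=1000)
    results = {}
    # Relayed to an ATM within seconds: looks exactly like the genuine tap.
    results["relayed_now"] = issuer.verify(CARD_ID, 7, 5000, 1000, crypt, now=1010)
    # The same capture presented again: counter already used, so rejected.
    results["replayed"] = issuer.verify(CARD_ID, 7, 5000, 1000, crypt, now=1020)
    # A fresh counter but presented long after capture: outside the window.
    crypt2 = make_cryptogram(CARD_SECRET, atc=8, amount=5000, ts=1000)
    results["stale"] = issuer.verify(CARD_ID, 8, 5000, 1000, crypt2, now=2000)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} accepted={ok} ({reason})")
```

The model is deliberately minimal, but it captures the two properties the article relies on: the counter makes a captured code single-use, and the window means it must be spent quickly, which is exactly why the attack needs an accomplice already standing at an ATM.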
But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.
First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.
Once installed, the app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.
How to stay safe
NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action in the fake banking app and entering your PIN. So the best way to stay safe from this malware is to keep your phone protected and stay vigilant against social engineering:
Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.