Hackers target Russian ‘bulletproof’ hosting provider named Proton66

Posted on April 25, 2025April 25, 2025 by Cyber Dawg

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Welcome to Gone Phishing, your weekly cybersecurity newsletter that hooks you up with the latest threats before they reel you in! 🎣💻🛡️🛡️🛡️

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Microsoft, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

The Bill Gates have opened 🙃

🚨 Microsoft Fixes 121 Bugs in April Patch Tuesday: One Zero-Day Exploited in the Wild ⚠️

If you haven't patched your Windows systems yet — now's the time. Microsoft’s April 2025 Patch Tuesday squashes 121 vulnerabilities, including 1 actively exploited zero-day (CVE-2025-29824).

📌 The Numbers:

🧨 11 Critical

🚨 110 Important

🕵️‍♂️ 1 Zero-Day (exploited in the wild)

🔥 The Zero-Day:

● CVE-2025-29824 – A privilege escalation flaw in the Windows Common Log File System (CLFS) driver

● Exploited by ransomware tied to Storm-2460 using the PipeMagic malware

● Marked Important with a CVSS 7.8

💡 CLFS remains a popular attack vector—Microsoft has patched more than 20 CLFS flaws in the last two years, with several tied to real-world attacks.

⚠️ Other Notables:

● RCEs in Remote Desktop Gateway & LDAP (CVSS 8.1, Critical)

● Privilege Escalation in Active Directory Certificate Services

● SharePoint RCEs requiring authenticated access

👨‍💻 Affected components span everything from Azure, Office, and Visual Studio to Windows Kernel, Hyper-V, and even Bluetooth services.

🔐 Takeaway:

Patch ASAP. One of these is already being used by ransomware groups, and several others are marked as “Exploitation More Likely.” Don't wait for the next breach.

Now, on to this week’s hottest cybersecurity news stories:

👨🏻‍💻 Hackers target Russian ‘bulletproof’ hosting provider named Proton66 ⚡
🍇 GRAPELOADER: European diplomats targeted via wine-tasting lures 🍷
🗽 U.S. hit with widespread toll fraud campaign via Chinese smishing kit 🐉

Don’t play Russian Roulette with your online safety 🎲

Jungle Dice GIF by A Boogie Wit Da Hoodie

Gif by aboogiewitdahoodie on Giphy

🚨 Proton66: Russian Bulletproof Host Powers Surge in Global Cyberattacks 🌐

Cybersecurity researchers are raising alarms about a wave of mass scanning, brute-force attacks, and exploit attempts traced to Proton66, a Russian bulletproof hosting provider long known to cater to cybercriminal operations.

🕵️‍♂️ According to Trustwave SpiderLabs, the campaign has been ongoing since January 8, 2025, and is targeting organizations worldwide with fresh infrastructure and updated exploits.

🔍 The IP Blocks Behind the Storm

📡 Key netblocks involved:

● 45.135.232.0/24

● 45.140.17.0/24

● 193.143.1[.]65

Researchers observed new or previously dormant IPs becoming suddenly active, launching:

● Mass network scans

● Credential brute-force attacks

● Exploit attempts targeting recent critical vulnerabilities

🛠️ CVEs Under Fire

From February 2025, attackers have been exploiting top-tier vulnerabilities, including:

● CVE-2025-0108 – Auth bypass in Palo Alto PAN-OS

● CVE-2024-41713 – Input validation flaw in Mitel MiCollab

● CVE-2024-10914 – Command injection in D-Link NAS

● CVE-2024-55591 & CVE-2025-24472 – Auth bypass in Fortinet FortiOS

🎯 Exploitation of the Fortinet flaws has been linked to Mora_001, an initial access broker delivering a new ransomware strain named SuperBlack.

🧬 Malware Hosted on Proton66

The infrastructure is doubling as a launchpad for multiple malware campaigns, including:

💻 XWorm – Delivered via LNK + PowerShell + obfuscated VBS + Base64-encoded .NET DLL

📨 StrelaStealer – Spread via phishing to German users

💥 WeaXor ransomware – A revamped Mallox variant, C2 hosted at 193.143.1[.]139

🔗 In some cases, C2 servers and phishing pages for these strains were hosted directly on Proton66's IPs.

📱 Android Phishing via WordPress Redirects

🎯 A sneaky mobile campaign uses compromised WordPress sites to redirect Android users to fake Google Play Store pages via:

● Malicious JavaScript hosted on Proton66

● Geo-targeting: French, Spanish, and Greek-speaking users

● Conditional logic: redirects only activate for real Android browsers, not bots, proxies, or VPNs

👀 Redirection logic checks:

● IP fingerprinting via ipify.org

● VPN/proxy detection via ipinfo.io

● Result? A malicious APK download masquerading as a legitimate app.

🤝 Connections to PROSPERO and Beyond

Proton66 is reportedly tied to a linked AS called PROSPERO, previously spotlighted by Intrinsec for:

● Operating under the names Securehost and BEARHOST

● Offering bulletproof services on Russian-language cybercrime forums

🧩 Some Proton66/Prospero traffic was seen routing through infrastructure associated with Kaspersky Lab. Kaspersky has denied involvement, attributing the routing to automated DDoS service prefixes used by telecom partners.

🚨 What You Can Do

Recommended defensive actions:

🚫 Block all CIDR ranges linked to Proton66 and Chang Way Technologies (likely affiliated HK-based provider)

🔍 Monitor for:

● PowerShell + LNK execution chains

● Suspicious traffic to Proton66 IPs

● Unexpected APK installs from unknown sources

🧱 Deploy behavior-based endpoint protections to detect lateral movement and C2 activity

📌 TL;DR: Bulletproof Hosting, Real-World Threats

Proton66 isn't just a shady hosting provider — it's now a core enabler of malware, phishing, and ransomware activity across multiple regions and threat groups. From Android APK lures to critical infrastructure exploits, the IP ranges tied to Proton66 are a hotbed of cybercrime.

🛡️ Stay vigilant. Block early. Hunt often.

The question isn't if your business will be targeted, but when.

Take your first step towards a more secure future. Register for FORWARD on June 4th and stack the deck in your favor against cyber adversaries. You'll Gain real-world recovery insights from industry peers

Save Your Spot

GRAPELOADER: wine not? 🍷👀💀

🚨 APT29 Targets Diplomats with GRAPELOADER & WINELOADER 🍷

Russian state-sponsored group APT29 (aka Cozy Bear) is back, this time with a stealthy phishing campaign targeting European diplomatic entities using wine-tasting event lures 🍇🍷.

🔍 Check Point uncovered the use of:

🍇 GRAPELOADER – a new initial-stage loader for fingerprinting, persistence, and payload delivery

🍷 WINELOADER – an updated modular backdoor for later-stage operations

📩 How the Attack Works

Phishing emails spoofing a European Ministry of Foreign Affairs send out fake wine-tasting invites

The attached wine.zip includes:

● wine.exe (legit PowerPoint binary)

● AppvIsvSubsystems64.dll (dependency)

● ppcore.dll (malicious DLL sideloaded via wine.exe)

GRAPELOADER runs, gains persistence via the Windows Registry, and phones home to drop the main payload — believed to be WINELOADER

🕵️‍♂️ Both loaders use code obfuscation, anti-analysis tricks, and modular structures for stealth and flexibility.

🌍 Target Scope

● Primary focus: Ministries of Foreign Affairs in Europe

● Secondary targets: Embassies and diplomatic staff in the Middle East

● Emails came from: bakenhof[.]com, silry[.]com

🔎 Bonus Threat: Gamaredon’s USB Worm

Meanwhile, Gamaredon (another Russian threat group) continues pushing its PteroLNK malware, infecting USB drives with sneaky LNK + VBScript combos to spread info-stealers like GammaSteel — with heavy targeting of Ukraine.

💡 APT29’s campaign shows a pivot to layered loaders and social engineering over raw complexity, signaling a new phase in high-stakes cyber-espionage.

Learn how to make AI work for you

AI won’t take your job, but a person using AI might. That’s why 1,000,000+ professionals read The Rundown AI – the free newsletter that keeps you updated on the latest AI news and teaches you how to use it in just 5 minutes a day.

Ah, the old smish and grib, eh? 💀💀💀

🚨 U.S. Toll Road Users Targeted in Massive SMS Phishing Campaign 🚗

A widespread smishing campaign is hitting toll road users across the U.S., tricking them into handing over personal and financial data under the guise of unpaid toll notices.

🛑 Active since October 2024, the campaign impersonates systems like E-ZPass, sending SMS and iMessage alerts to users in WA, FL, PA, VA, TX, OH, IL, and KS.

🧠 The Brains Behind It

● Smishing kits by Wang Duo Yu, a Chinese student-turned-cybercrime entrepreneur

● Distributed via Telegram for as little as $20–$50 per kit

● Linked to the Smishing Triad, known for massive fake delivery scams in over 120+ countries

📲 How the Scam Works

Victims receive a fake toll notice via SMS/iMessage
They're urged to reply "Y" to activate a malicious link
Clicking redirects to a fake E-ZPass site after a fake CAPTCHA
Users enter name, ZIP, and payment details — all stolen instantly
Some attackers use Ghost Tap to enroll cards in mobile wallets for further fraud

🚨 The kits even include backdoors, enabling double theft — victims are hit by both the attacker and the kit's creator.

🛠️ Industrialized Smishing

⚠️ 60,000+ domains linked to these toll scams

● Spoofed sender names

● Victim-targeting tools

● Campaign dashboards

● SMS automation APIs

🌍 Expansion in Progress

The same actor is now pivoting to a new Lighthouse kit, targeting banks in Australia and APAC — with alleged backing of “300+ front desk staff” handling fraud operations globally.

🧪 Security firms like Cisco Talos, PRODAFT, and Resecurity are actively tracking the campaign, but the scale and infrastructure make takedown efforts tough.

💡 Smishing kits have become commercialized cybercrime tools, making phishing campaigns more scalable and accessible than ever.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

ClickFix up look sharp: state-sponsored hackers weaponise ClickFix

Posted on April 20, 2025April 20, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that refuses to recognise hackers as biological humans 👀🙈🤣

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Apple, the cybercriminals are no match… for your patch! 🩹

You’re the Apple of my eye 🍎👁️🙃

🚨 Apple Drops Critical Security Patches After Sophisticated Attacks Detected 🍏🔥

If you're rocking an iPhone, iPad, Mac, Apple TV, or Vision Pro, it’s update o’clock ⏰🔧 Apple just patched two serious zero-day vulnerabilities being actively exploited in the wild—yes, right now.

🚨 Here’s what’s been fixed:

CVE-2025-31200 (CVSS 7.5)

💥 Core Audio flaw – Can be triggered by a malicious audio stream (yup, just playing a tainted media file could let an attacker run code) 🎵💀

CVE-2025-31201 (CVSS 6.8)

🛠️ RPAC component bypass – If an attacker already has read/write access, this bug could help them sneak past Pointer Authentication 🚨🔓

🧠 Apple says these were used in "extremely sophisticated attacks against specific individuals" — think spyware, nation-state level stuff. Reported in part by Google’s Threat Analysis Group.

🔧 Fixes include:

✅ Improved bounds checking (for the audio bug)

✅ Removed the vulnerable code entirely (for the RPAC bypass)

📦 These updates are now live for:

📱 iOS & iPadOS 18.4.1 – iPhone XS & newer, various iPads

💻 macOS Sequoia 15.4.1

📺 tvOS 18.4.1

👓 visionOS 2.4.1

💡 Reminder: Apple has now patched 5 actively exploited zero-days in 2025—so this isn’t rare, it’s the new normal. Past issues have let bad actors:

Escalate privileges via Core Media

Disable USB lock protections

Escape the Safari/WebKit sandbox

🔐 What you should do:

✅ Update now—even if you think you’re not a target

✅ Be cautious with suspicious media files or shady links

✅ Keep auto-updates turned on across all Apple devices

🛡️ Bottom line: These bugs were being used in the wild—that means real people were targeted. Whether you're a journalist, business exec, or just privacy-conscious, staying updated is the easiest way to block these high-level threats.

Stay sharp, stay patched. 🍏⚔️

Now, on to this week’s hottest cybersecurity news stories:

🖱️ ClickFix up look sharp: state-sponsored hackers weaponise ClickFix 👾
🤑 Crypto users targeted w/ Node.js malware via fake Binance, TradingView 🌐
🕵🏻 Agent Tesla (no relation), XLoader deployed via .JSE and PoweShell 🐚

Jim’ll ClickFix it 💀💀💀

Giphy

🚨 ClickFix Goes Global: Nation-State Hackers Join the Malware Trend 🎯

Iran, North Korea, and Russia are now deploying a sneaky social engineering trick called ClickFix to infect targets across the globe — and it's working.

📅 Between late 2024 and early 2025, at least four state-sponsored groups used this technique in phishing campaigns targeting think tanks, governments, and defense contractors.

🛠️ What is ClickFix?

ClickFix is a crafty method where hackers trick victims into infecting themselves by copying and pasting "fixes" — actually malicious PowerShell commands — into their systems.

It often pretends to:

● Fix system errors ⚠️

● Verify your device ✅

● Download legit-looking documents 📄

👥 Who’s Using It?

Proofpoint linked the activity to these groups:

🍜 TA427 (aka Kimsuky – North Korea)

🐪 TA450 (aka MuddyWater – Iran)

🐻 TA422 (aka APT28 – Russia)

🕵️ UNK_RemoteRogue (suspected Russian group)

🕵️‍♂️ TA427: The Diplomat Trick

🎯 Target: Think tanks focused on Korean affairs

● Pretended to be a Japanese diplomat 🏯

● Sent meeting invites & a malicious PDF

● Led victims to a fake embassy site with “instructions”

● ClickFix chain installed Quasar RAT 🐀

🔧 TA450: Fake Microsoft Fix

🎯 Target: Sectors in the U.A.E., Saudi Arabia, U.S., Canada, and Europe

● Emails timed with Patch Tuesday updates 📅

● Claimed users needed to fix a Windows vulnerability

● ClickFix chain installed Level RMM software, giving attackers full remote access 🖥️

● 🛰️ UNK_RemoteRogue: Defense Industry Espionage

🎯 Target: Two major defense orgs

● Phishing from compromised Zimbra servers

● Fake Microsoft Office file + YouTube tutorial

● Users were coached to paste PowerShell code

● Delivered malware using the Empire C2 framework 🔗

⚠️ Why It Matters

✔️ Simple for attackers, tricky for users

✔️ Bypasses some security software

✔️ Trusted by nation-states & cybercriminals alike

Proofpoint warns that more state-backed groups may start experimenting with ClickFix — if they haven’t already.

🔐 Pro Tip

Never copy and paste code from unsolicited emails or websites — no matter how official they look. If something seems off, it probably is.

Stay sharp. Don’t get ClickFixed. 🧠💻

Just say Node 😏

🚨 Malvertising Meets Node.js: Microsoft Warns of Evolving Malware Campaign 🧪

Microsoft is tracking a dangerous new malvertising campaign that weaponizes Node.js to steal information, exfiltrate data, and sneak past defenses — all under the guise of legitimate crypto trading apps.

📅 First spotted in October 2024, the campaign is still active and growing.

🎯 The Lure: Crypto Tools That Aren’t What They Seem

Victims are being tricked into downloading fake installers pretending to be from:

💰 Binance

📈 TradingView

These downloads are hosted on fraudulent sites designed to mimic the real thing.

Once executed, the installer drops a malicious DLL named CustomActions.dll.

🛠️ Behind the Scenes: What the Malware Does

Here’s how the infection unfolds:

📋 Info Harvesting: The DLL collects system data using WMI (Windows Management Instrumentation).

🕒 Persistence: A scheduled task is created to maintain long-term access.

💨 Smoke & Mirrors: The malware opens a real crypto trading site in a browser window via msedge_proxy.exe to look legit.

Meanwhile, PowerShell scripts are quietly running in the background to:

● Exclude the malware from Microsoft Defender scans

● Download more payloads from a remote server

● Collect extensive data (OS, BIOS, hardware, apps)

● Send it all to a command-and-control (C2) server via HTTPS

⚙️ Enter Node.js: Malware Masquerading as Web Code

The malware’s next act involves:

📦 Downloading a ZIP archive from the C2 server

🧪 Deploying the Node.js runtime and a compiled JavaScript file (.JSC)

🕸️ Using Node.js to make network connections and steal browser data

📌 Why Node.js? It’s open-source, widely used by devs, and runs JavaScript outside the browser — making it a perfect disguise for malware.

🧯 What You Can Do

❌ Never download software from unofficial sources — especially via ads

🛡️ Use endpoint protection that detects script-based malware

🧠 Be suspicious of "fix-it" instructions involving terminal commands

🔐 Protect credentials and enable strong 2FA methods

Malware is getting smarter — and more deceptive. Stay cautious, stay updated, and don't let your terminal become a trojan horse. 🧠💻💣

Tesla just can’t catch a break 😉😂😂

🚨 New Multi-Stage Malware Attack Chains: Agent Tesla, Remcos RAT, and XLoader 🧬

Researchers at Palo Alto Networks Unit 42 are warning about a sophisticated, multi-layered malware campaign delivering a cocktail of info-stealers and remote access trojans — including Agent Tesla, Remcos RAT, and XLoader.

📌 This isn't a smash-and-grab. It's a well-orchestrated, multi-stage attack chain designed to evade sandboxes, confuse analysts, and ensure payload delivery.

📥 It All Starts with a Phish

🗓️ First spotted in December 2024, the attack kicks off with a phishing email disguised as an order confirmation. The email claims a payment was made and urges the target to review an attached file — a malicious 7-Zip archive.

Inside the archive:

🧾 A .JSE (JavaScript Encoded) file — the ignition for the entire attack chain

Once launched, this file contacts an external server to download a Base64-encoded PowerShell script.

📦 Payload Decoding and Execution

Here’s what happens next:

🔐 The PowerShell script decodes the Base64 payload

💾 Writes the decoded payload to the Windows temp directory

🚀 Executes it, launching a new dropper stage

The second-stage dropper can be compiled in .NET or AutoIt, depending on the variant.

⚔️ Diverging Paths: .NET vs AutoIt Droppers

🔧 If .NET:

The malware decrypts and injects Agent Tesla / Snake Keylogger / XLoader into the memory of a legitimate Windows process: RegAsm.exe

🎭 If AutoIt:

● Adds another obfuscation layer

● The AutoIt script decrypts a payload that injects a .NET file into RegSvcs.exe, delivering Agent Tesla

💡 Goal: Make analysis harder while ensuring successful execution.

🧱 Layered Simplicity = Resilience

"The attacker’s focus remains on a multi-layered attack chain rather than sophisticated obfuscation,"

– Saqib Khanzada, Unit 42

By stacking basic techniques, the attackers build a resilient and stealthy infection flow, rather than relying on flashy obfuscation.

🛡️ Defensive Tips:

● Avoid opening files from unknown or suspicious emails

● Monitor for unexpected usage of system processes like PowerShell or RegAsm.exe

● Invest in behavioral detection and EDR tools

● Segment high-value assets from user workstations

Attackers aren’t just getting more technical — they’re getting more strategic. The more layers they add, the harder they are to peel back. 🧅💀

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

How did the Oracle not see this coming

Posted on April 12, 2025April 12, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that treats cybercriminals like Donald Trump treats the World Economy 👀🤯💀💀💀

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to WhatsApp, the cybercriminals are no match… for your patch! 🩹

WhatsApp with that? 🙃

⚠️💻 WhatsApp for Windows Vulnerability – Update NOW! 🚨🐛

If you're using WhatsApp Desktop on Windows, this is your sign to hit that update button 🔄📥

🧨 A flaw tracked as CVE-2025-30401 allowed sneaky attackers to send malicious files disguised as innocent ones—like a wolf in sheep’s clothing 🐺🐑

🔍 How did it work?

WhatsApp trusted what a file claimed to be (its MIME type – like “this is a photo 📸”)

But when you clicked it inside the app? It looked at the file extension (.exe, .jpg, etc.) instead

That means something called cute-pic.jpg.exe could look like a picture 🖼️ but run like a program 💻—and boom 💥 malware

😬 This affected all versions before 2.2450.6—so if you're still on an old version, you're at risk!

🛡️ What to do:

✅ Update to WhatsApp Desktop v2.2450.6 or later ASAP

✅ Be wary of weird or unexpected attachments—even if they look normal

✅ Don't trust file names blindly 👀

🧠 Security pro Nico Chiaraviglio from Zimperium called this a reminder that:

“Attachments are STILL one of the most common ways attackers spread malware.”

💪 He recommends a layered defense:

🔍 Attachment scanning

📈 Behavioral analysis

🧠 User education

🎯 Bottom line: Just because it looks like a file you can trust… doesn't mean it is. Don’t open anything sketchy, even if it comes through WhatsApp.

🛠️ And if you haven’t updated yet—go do it now. Seriously. 🏃💨

Now, on to this week’s hottest cybersecurity news stories:

🔮 Oracle confirms hack-attack: broken systems, stolen credentials 🔑
📥 Don’t get crushed by Crush: FTP system infiltrated by ransomware 💰
🌐 Popular site SourceForge spreads crypto miner and clipper malware 👾

How did the Oracle not see this coming 🔮👀💀

Gif by xbox on Giphy

🚨 Oracle Confirms Private Data Breach — After Public Denials ☁️

🔐 Oracle has privately admitted that a legacy system was breached, exposing old client login

data — including usernames, encrypted passwords, and passkeys.

🕵️‍♂️ What Happened?

Attackers accessed a “legacy environment” (rebranded as “Oracle Classic”)

● FBI and CrowdStrike are now involved

● 6 million records across 140,000 tenants allegedly stolen

● Data includes credentials as recent as 2024

🎭 Public Denial, Private Panic

Oracle previously told the public:

“No breach of Oracle Cloud.”

But insiders and security experts say this is semantic wordplay — the breached system was previously part of Oracle Cloud, just rebranded.

🧠 “They’re splitting hairs to dodge admitting a real cloud breach,” said one researcher.

💸 Extortion & Lawsuits

Hacker “rose87168” demanded $20M before posting data for sale

Malware targeted Oracle’s Identity Manager (IDM) as early as January 2025

Now facing a class action lawsuit for delaying disclosure

🏥 Not the Only Breach

Just last month, Oracle also disclosed a healthcare breach — attackers stole patient data from Cerner servers using compromised credentials.

🚨 Why It Matters

Experts say these breaches challenge the core security promises of cloud platforms.

“A single hack shouldn’t affect 140,000 tenants — this breaks the cloud model,” warns security advisor Sunil Varkey.

🔇 As of now, Oracle still hasn’t made any public statement — sticking to private disclosures only.

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

Sign up for The Rundown AI newsletter
They send you 5-minute email updates on the latest AI news and how to use it
You learn how to become 2x more productive by leveraging AI

It was only a Crush, it was only a Crush 🎙️🎶💀

🚨 CISA & Experts Warn: CrushFTP Exploited in Active Attacks 💥

Hackers are actively exploiting a serious flaw in CrushFTP, a popular file transfer tool used by thousands of organizations to move sensitive data.

🐞 The Vulnerability: CVE-2025-31161

● Discovered by: Researchers at Outpost24

● Reported to CrushFTP: March 13

● Public alert: March 21

Exploit now in the wild ⚠️

The flaw was originally going to be disclosed after customers had time to patch. But other researchers leaked details early — and attackers pounced.

🧠 "They weaponized the bug before customers had a chance to update,” said CrushFTP.

🦠 Ransomware Gang Claims Stolen Data

The Kill ransomware group now claims it’s using the exploit to steal “significant volumes” of sensitive data — and they’ve begun extorting victims.

🛡️ CISA has confirmed the attacks and told federal agencies to patch by April 28.

🏢 Who’s at Risk?

Hundreds of CrushFTP servers are exposed online, according to Shadowserver and Censys.

Recent versions of v10 and v11 are vulnerable.

Incident responders at Huntress report live attacks at companies in:

🛒 Retail

💡 Marketing

💻 Semiconductors

⚠️ Patch Now — Or Risk Getting Hit

CrushFTP is sending another urgent alert to customers. While some workarounds exist, patching is strongly advised.

“Anyone unpatched needs to urgently update.” — CrushFTP

💣 CrushFTP is the latest in a string of file transfer tools being targeted, following similar attacks on MOVEit, GoAnywhere, Cleo, and Accellion.

Stay alert. Patch fast. The attackers aren’t waiting.

Trying to strike a chord and it’s probably A (crypto) miner 💀💀💀

🚨 Malware Alert: Miners & Clippers Spread via Fake Software on SourceForge 🦠

Cybercriminals are back at it — this time using SourceForge, a trusted software hub, to push cryptocurrency miners and clipper malware disguised as cracked Microsoft Office apps.

🎭 The Bait: Fake "Office Add-ins"

One suspicious listing, called “officepackage”, looks harmless at first glance — it even borrows content from a legit GitHub repo.

But clicking “Download” on the site? It redirects you to a shady page on taplink[.]cc.

👀 What happens next?

● You’re served a ZIP file called vinstaller.zip

● Inside: another locked archive (installer.zip) and a text file with the password

● That archive contains a nasty MSI installer 💣

💻 What the Malware Does

Kaspersky says the installer kicks off a complex infection chain:

🧩 Uses VB scripts and PowerShell to download more payloads

📡 Sends your system data via Telegram API

💰 Deploys:

Crypto miner (drains CPU power)

ClipBanker (replaces crypto wallet addresses)

🔐 Drops ShellExperienceHost.exe to open an encrypted backdoor

🪝Executes more hidden commands using ErrorHandler.cmd

📍 Who's Being Targeted?

● Interface is in Russian

● Targets users searching for Microsoft Office on Yandex

● 90% of the 4,600+ victims so far are located in Russia

⚠️ Bigger Picture: This Is Just One Campaign

Kaspersky also spotted TookPS malware spreading via fake AI, remote desktop, and 3D modeling software sites — often promoted through malicious Google ads.

🖥️ One tactic: sideloading malware into TeamViewer, giving attackers stealthy remote access.

💬 “As users seek software outside official sources, attackers offer their own versions — loaded with malware,” said Kaspersky.

🔐 Takeaway:

Always download software from trusted sources. Crack sites and shady "free" tools are often booby-trapped — and malvertising is making it even easier for attackers to reach you.

Stay smart. Stay safe. 💻🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰 (1)

Posted on April 5, 2025April 5, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands this is what happens when you Musk it for a chocolate buskuit 😂😂😂 The world economy left the chat 💀💀💀

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Google, the cybercriminals are no match… for your patch! 🩹

Google: IAM legend 💪💪💪

🚨⚙️ Google Cloud Run Vulnerability Revealed: “ImageRunner” 🐛🚀

Cybersecurity researchers just uncovered ImageRunner, a now-patched privilege escalation flaw in Google Cloud Platform's Cloud Run that could’ve let attackers steal private container images and even inject malware into deployments 😨🐍

🔍 What was the issue?

Malicious users with limited permissions (run.services.update + iam.serviceAccounts.actAs) could:

🔧 Edit Cloud Run services

📦 Pull private container images

🧬 Inject malicious code

Target: images stored in Google Artifact Registry or Google Container Registry in the same project 😬

💣 Potential impact:

Secrets stolen 🗝️

Sensitive data exfiltrated 📤

Reverse shells launched 🐚

All by tricking Cloud Run into using infected container images—like a software supply chain attack from inside the cloud ☁️💥

🛡️ What did Google do?

🔒 As of January 28, 2025, Google patched the issue. Now, any user or service account must have explicit read access to deploy container images. No more sneaky side-loading 😤

✅ You now need the Artifact Registry Reader role (roles/artifactregistry.reader) to deploy from private registries.

📌 Tenable, who discovered the bug, calls this kind of vulnerability “Jenga”—because when one cloud service gets wobbly, the rest stacked on top become vulnerable too 🧱🪜

🧠 Reminder: Cloud security isn’t just IAM policies—it's the invisible glue between services that attackers love to exploit.

🔧 If you're using GCP Cloud Run, make sure:

Your IAM roles are tight 🎯

Your image permissions are reviewed 🔍

You stay up-to-date on patches! 🔐

💡 Defenders, stay alert: the cloud can be a blessing or a backdoor—depending on how well you secure it 🛡️💻

Now, on to this week’s hottest cybersecurity news stories:

💸 Tax doesn’t need to be taxing!! Microsoft says otherwise ⚠️
🧟 Lazarus rises from the dead… AGAIN! Change the record 💿
📲 2,600+ Android phones infected w/ Triada malware… Beware ☠️

QR ya??? 🙃

Gif by election2020 on Giphy

🚨 Microsoft Warns of Tax-Themed Phishing Surge Targeting U.S. Organizations 📬

Microsoft has issued a high-alert warning about multiple phishing campaigns weaponizing tax season as a lure to steal credentials and drop malware. The campaigns are part of a broader phishing-as-a-service (PhaaS) ecosystem dubbed RaccoonO365, enabling threat actors to bypass traditional detection methods and launch highly targeted attacks.

🧨 Key Threats & Techniques

🔹 Themes Used: Fake tax docs, Microsoft 365 login pages, and Docusign requests

🔹 Delivery Methods:

✔️ PDF attachments with URL shorteners (Rebrandly)

✔️ PDFs with QR codes

✔️ Spoofed emails using legit file-sharing & collaboration services

🔹 Redirect Chains: Link > URL shortener > fake login/malware page

🔹 Phishing kits powered by RaccoonO365 PhaaS

🕵️‍♂️ Notable Payloads Delivered

● Malware / Tool Function

● BruteRatel C4 (BRc4) Red-teaming post-exploitation

● Latrodectus Malware loader (evolved in Feb 2025)

● AHKBot Credential theft & screenshot exfiltration

● GuLoader Payload delivery platform

● Remcos RAT Full remote control

⚠️ BRc4 & Latrodectus were dropped via tax-themed PDFs that evaluated a user's IP/system to decide whether to send malware or a harmless file.

🎯 Campaigns & Targets

📅 February 2025 Campaigns:

● Targeted 2,300+ U.S. organizations (engineering, IT, consulting sectors)

● Emails had empty bodies but malicious PDFs with QR codes

● Redirected to fake Microsoft 365 login pages via RaccoonO365

📅 Another campaign used Facebook ads to lure victims to a fake Windows 11 Pro download site, dropping the Latrodectus loader via BruteRatel.

🛡️ Advanced Obfuscation Tactics

💠 Fake file types (e.g., .lnk files made to look like tax docs)

💠 QR codes used to bypass secure email gateways (SEGs)

💠 Browser-in-the-browser (BitB) attacks mimicking login popups

💠 Abuse of legit services: DocuSign, Adobe, Dropbox, Canva, Zoho

💠 Use of open redirects & URL shorteners to hide phishing links

🧰 How to Stay Protected

✅ Block macros & disable autorun

✅ Use phishing-resistant MFA (e.g., hardware tokens, passkeys)

✅ Educate users about tax-season phishing scams

✅ Implement network protection to block outbound connections to known malicious domains

✅ Leverage modern browsers with phishing protection built-in

Microsoft’s findings show a sophisticated evolution of phishing, where attackers are blending social engineering with stealthy malware loaders and legitimate-looking infrastructure. With tax season being a peak period for these attacks, organizations must remain hyper-vigilant. 🧾💣

Crypto’s Most Influential Event

Consensus is the world’s longest-running gathering of the global crypto, blockchain, and AI communities.

Celebrated as ‘The Super Bowl of Blockchain’, Consensus will welcome 20,000 attendees shaping the decentralized digital economy to Toronto this May 14-16.

Ready to invest in your future?

Attending is your best bet.

ClickFix up look sharp!!! 🎙️

🚨 North Korean Hackers Target Job Seekers in Crypto Sector with Fake Interviews 🎙️

A new North Korean hacking campaign is using fake job interviews and the ClickFix technique to infect job seekers in the cryptocurrency sector with a newly discovered Go-based backdoor called GolangGhost. The attack, tracked as ClickFake Interview, is a continuation of the Contagious Interview campaign linked to the Lazarus Group, a hacking unit tied to North Korea’s Reconnaissance General Bureau (RGB).

🎯 Key Targets & Attack Methodology

🔹 Targets:

✔️ Centralized finance (CeFi) companies (Coinbase, Kraken, KuCoin, Tether, etc.)

✔️ Job seekers in business development, asset management, and DeFi

🔹 Attack Flow:

1️⃣ Hackers pose as recruiters on LinkedIn/X and invite targets to a video interview.

2️⃣ Victims are directed to a fake video interview platform (e.g., "Willo").

3️⃣ The platform presents a fake error message requiring a “camera driver” download.

4️⃣ Victims are instructed to execute a malicious script via Command Prompt (Windows) or Terminal (macOS).

5️⃣ The script drops FROSTYFERRET (a stealer) and GolangGhost (a backdoor).

🔹 Key Malware Used

● Malware Function

● GolangGhost Backdoor for data theft & remote control

● FROSTYFERRET Stealer disguised as a Chrome camera permission prompt

● FERRET Initial malware loader

🕵️ Advanced Social Engineering via ClickFix

💠 Uses fake job postings to lure victims

💠 Mimics real video interview platforms

💠 ClickFix method tricks users into manually running malicious scripts

💠 Exploits victim trust in the interview process

🛑 MacOS users are tricked into entering their system password, likely for iCloud Keychain theft.

💼 North Korea’s Expanding IT Worker Scheme in Europe

📢 Google Threat Intelligence Group (GTIG) reports a global expansion of North Korea’s fraudulent IT worker operations into Europe.

🔹 Key Trends:

✔️ North Koreans posing as remote IT workers to infiltrate Western firms

✔️ Fake identities claiming to be from Italy, Japan, Vietnam, and the U.S.

✔️ Work in web development, blockchain, bot development

✔️ Use of GitHub to build fake portfolios

🔹 Recent Tactics:

✔️ Targeting companies with BYOD (Bring Your Own Device) policies

✔️ Extortion – demanding ransom from employers to prevent data leaks

🚨 "Europe needs to wake up fast. North Korea’s cyber threats are not just a U.S. problem." – Google Threat Intelligence Group

🛡️ How to Stay Protected

✅ Verify job offers – Don’t download software for interviews

✅ Use endpoint security – Block unauthorized script execution

✅ Be wary of LinkedIn/X job offers from unknown recruiters

✅ Adopt strong authentication – Enable phishing-resistant MFA

✅ Monitor for fake employee identities in remote hiring processes

North Korea continues to innovate in cybercrime, blending social engineering, supply chain infiltration, and IT worker fraud to fund its regime. As cryptocurrency remains a prime target, businesses and job seekers must stay vigilant against evolving tactics. 🛡️

Daily News for Curious Minds

Be the smartest person in the room by reading 1440! Dive into 1440, where 4 million Americans find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet – politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight. Subscribe to 1440 today.

Triada mate… Try harder. Get it? I’m here all week 😂

🚨 Fake Android Phones Preloaded with Malware Targeting Users Worldwide 🌍

Counterfeit smartphones are being sold at reduced prices, but they come preloaded with a dangerous Android malware called Triada. The latest version of this malware gives attackers full control over infected devices, allowing them to steal sensitive data, hijack cryptocurrency transactions, and spread malware via messaging apps.

🛑 Affected Users: More than 2,600 devices worldwide, majority in Russia

📅 Attack Window: March 13 – 27, 2025

🔎 Malware: Triada RAT (Remote Access Trojan)

📌 What is Triada?

Triada is a modular Android malware first discovered in 2016 that has evolved into a sophisticated backdoor. It can:

🔹 Steal user credentials from Telegram, TikTok, and other social apps

🔹 Send and delete WhatsApp and Telegram messages without the user’s knowledge

🔹 Replace cryptocurrency wallet addresses in clipboard (clipper attack)

🔹 Monitor web browser activity and manipulate links

🔹 Replace phone numbers during calls

🔹 Intercept SMS messages and subscribe victims to premium SMS services

🔹 Download additional malware

🔹 Block network connections to avoid detection

🔥 How is Triada Spread?

🚨 Preloaded in Counterfeit Android Devices

✔️ Triada is embedded in the system firmware during manufacturing

✔️ Users cannot remove it without flashing a clean system image

✔️ Sold through third-party marketplaces and supply chain compromises

📡 Previously Spread via Malicious Apps

✔️ Fake WhatsApp mods (FMWhatsApp, YoWhatsApp)

✔️ Fake Android framework backdoors (BADBOX campaign)

💡 Google’s 2019 investigation found a third-party vendor called Yehuo/Blazefire was responsible for infecting system images with Triada.

🛑 Why is This Dangerous?

1️⃣ Difficult to Remove – It's embedded in the system framework of the phone.

2️⃣ Spreads via Messaging Apps – Can send malware-laden messages from your WhatsApp/Telegram.

3️⃣ Steals Crypto Funds – Can hijack and replace wallet addresses.

4️⃣ Intercepts Calls & Messages – Perfect for espionage and fraud.

5️⃣ Generates Massive Revenue for Hackers – Triada authors have transferred $270,000+ in cryptocurrency in just nine months.

🛡️ How to Protect Yourself

✅ Avoid buying off-brand or counterfeit Android devices

✅ Purchase from reputable retailers and official brand stores

✅ Check for unusual permissions & network activity

✅ Use security apps that can detect system malware

✅ Keep your device updated and avoid sideloading apps

✅ Be cautious of WhatsApp mods & unofficial APKs

🚨 Triada remains one of the most complex and dangerous Android threats.

Hackers continue to compromise supply chains to pre-install malware on devices before they even reach consumers.

🔥 More Android Threats Emerging

🔴 Crocodilus & TsarBot – Android banking trojans targeting 750+ financial apps

🔴 Salvador Stealer – Masquerades as an Indian banking app to steal sensitive user data

🔴 Cosiloon – Another malware pre-installed on low-end Android phones

As hackers refine their tactics, users must be extra vigilant when purchasing Android devices and installing apps. 📲🔒

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

Tax doesn’t need to be taxing!! Microsoft says otherwise

Posted on April 5, 2025April 12, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands this is what happens when you Musk it for a chocolate buskuit 😂😂😂 The world economy left the chat 💀💀💀

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Google, the cybercriminals are no match… for your patch! 🩹

Google: IAM legend 💪💪💪

🚨⚙️ Google Cloud Run Vulnerability Revealed: “ImageRunner” 🐛🚀

🔍 What was the issue?

Malicious users with limited permissions (run.services.update + iam.serviceAccounts.actAs) could:

🔧 Edit Cloud Run services

📦 Pull private container images

🧬 Inject malicious code

Target: images stored in Google Artifact Registry or Google Container Registry in the same project 😬

💣 Potential impact:

Secrets stolen 🗝️

Sensitive data exfiltrated 📤

Reverse shells launched 🐚

All by tricking Cloud Run into using infected container images—like a software supply chain attack from inside the cloud ☁️💥

🛡️ What did Google do?

🔒 As of January 28, 2025, Google patched the issue. Now, any user or service account must have explicit read access to deploy container images. No more sneaky side-loading 😤

✅ You now need the Artifact Registry Reader role (roles/artifactregistry.reader) to deploy from private registries.

📌 Tenable, who discovered the bug, calls this kind of vulnerability “Jenga”—because when one cloud service gets wobbly, the rest stacked on top become vulnerable too 🧱🪜

🧠 Reminder: Cloud security isn’t just IAM policies—it's the invisible glue between services that attackers love to exploit.

🔧 If you're using GCP Cloud Run, make sure:

Your IAM roles are tight 🎯

Your image permissions are reviewed 🔍

You stay up-to-date on patches! 🔐

💡 Defenders, stay alert: the cloud can be a blessing or a backdoor—depending on how well you secure it 🛡️💻

Now, on to this week’s hottest cybersecurity news stories:

💸 Tax doesn’t need to be taxing!! Microsoft says otherwise ⚠️
🧟 Lazarus rises from the dead… AGAIN! Change the record 💿
📲 2,600+ Android phones infected w/ Triada malware… Beware ☠️

QR ya??? 🙃

Gif by election2020 on Giphy

🚨 Microsoft Warns of Tax-Themed Phishing Surge Targeting U.S. Organizations 📬

🧨 Key Threats & Techniques

🔹 Themes Used: Fake tax docs, Microsoft 365 login pages, and Docusign requests

🔹 Delivery Methods:

✔️ PDF attachments with URL shorteners (Rebrandly)

✔️ PDFs with QR codes

✔️ Spoofed emails using legit file-sharing & collaboration services

🔹 Redirect Chains: Link > URL shortener > fake login/malware page

🔹 Phishing kits powered by RaccoonO365 PhaaS

🕵️‍♂️ Notable Payloads Delivered

● Malware / Tool Function

● BruteRatel C4 (BRc4) Red-teaming post-exploitation

● Latrodectus Malware loader (evolved in Feb 2025)

● AHKBot Credential theft & screenshot exfiltration

● GuLoader Payload delivery platform

● Remcos RAT Full remote control

⚠️ BRc4 & Latrodectus were dropped via tax-themed PDFs that evaluated a user's IP/system to decide whether to send malware or a harmless file.

🎯 Campaigns & Targets

📅 February 2025 Campaigns:

● Targeted 2,300+ U.S. organizations (engineering, IT, consulting sectors)

● Emails had empty bodies but malicious PDFs with QR codes

● Redirected to fake Microsoft 365 login pages via RaccoonO365

📅 Another campaign used Facebook ads to lure victims to a fake Windows 11 Pro download site, dropping the Latrodectus loader via BruteRatel.

🛡️ Advanced Obfuscation Tactics

💠 Fake file types (e.g., .lnk files made to look like tax docs)

💠 QR codes used to bypass secure email gateways (SEGs)

💠 Browser-in-the-browser (BitB) attacks mimicking login popups

💠 Abuse of legit services: DocuSign, Adobe, Dropbox, Canva, Zoho

💠 Use of open redirects & URL shorteners to hide phishing links

🧰 How to Stay Protected

✅ Block macros & disable autorun

✅ Use phishing-resistant MFA (e.g., hardware tokens, passkeys)

✅ Educate users about tax-season phishing scams

✅ Implement network protection to block outbound connections to known malicious domains

✅ Leverage modern browsers with phishing protection built-in

Crypto’s Most Influential Event

Consensus is the world’s longest-running gathering of the global crypto, blockchain, and AI communities.

Celebrated as ‘The Super Bowl of Blockchain’, Consensus will welcome 20,000 attendees shaping the decentralized digital economy to Toronto this May 14-16.

Ready to invest in your future?

Attending is your best bet.

ClickFix up look sharp!!! 🎙️

🚨 North Korean Hackers Target Job Seekers in Crypto Sector with Fake Interviews 🎙️

🎯 Key Targets & Attack Methodology

🔹 Targets:

✔️ Centralized finance (CeFi) companies (Coinbase, Kraken, KuCoin, Tether, etc.)

✔️ Job seekers in business development, asset management, and DeFi

🔹 Attack Flow:

1️⃣ Hackers pose as recruiters on LinkedIn/X and invite targets to a video interview.

2️⃣ Victims are directed to a fake video interview platform (e.g., "Willo").

3️⃣ The platform presents a fake error message requiring a “camera driver” download.

4️⃣ Victims are instructed to execute a malicious script via Command Prompt (Windows) or Terminal (macOS).

5️⃣ The script drops FROSTYFERRET (a stealer) and GolangGhost (a backdoor).

🔹 Key Malware Used

● Malware Function

● GolangGhost Backdoor for data theft & remote control

● FROSTYFERRET Stealer disguised as a Chrome camera permission prompt

● FERRET Initial malware loader

🕵️ Advanced Social Engineering via ClickFix

💠 Uses fake job postings to lure victims

💠 Mimics real video interview platforms

💠 ClickFix method tricks users into manually running malicious scripts

💠 Exploits victim trust in the interview process

🛑 MacOS users are tricked into entering their system password, likely for iCloud Keychain theft.

💼 North Korea’s Expanding IT Worker Scheme in Europe

📢 Google Threat Intelligence Group (GTIG) reports a global expansion of North Korea’s fraudulent IT worker operations into Europe.

🔹 Key Trends:

✔️ North Koreans posing as remote IT workers to infiltrate Western firms

✔️ Fake identities claiming to be from Italy, Japan, Vietnam, and the U.S.

✔️ Work in web development, blockchain, bot development

✔️ Use of GitHub to build fake portfolios

🔹 Recent Tactics:

✔️ Targeting companies with BYOD (Bring Your Own Device) policies

✔️ Extortion – demanding ransom from employers to prevent data leaks

🚨 "Europe needs to wake up fast. North Korea’s cyber threats are not just a U.S. problem." – Google Threat Intelligence Group

🛡️ How to Stay Protected

✅ Verify job offers – Don’t download software for interviews

✅ Use endpoint security – Block unauthorized script execution

✅ Be wary of LinkedIn/X job offers from unknown recruiters

✅ Adopt strong authentication – Enable phishing-resistant MFA

✅ Monitor for fake employee identities in remote hiring processes

Daily News for Curious Minds

Triada mate… Try harder. Get it? I’m here all week 😂

🚨 Fake Android Phones Preloaded with Malware Targeting Users Worldwide 🌍

🛑 Affected Users: More than 2,600 devices worldwide, majority in Russia

📅 Attack Window: March 13 – 27, 2025

🔎 Malware: Triada RAT (Remote Access Trojan)

📌 What is Triada?

Triada is a modular Android malware first discovered in 2016 that has evolved into a sophisticated backdoor. It can:

🔹 Steal user credentials from Telegram, TikTok, and other social apps

🔹 Send and delete WhatsApp and Telegram messages without the user’s knowledge

🔹 Replace cryptocurrency wallet addresses in clipboard (clipper attack)

🔹 Monitor web browser activity and manipulate links

🔹 Replace phone numbers during calls

🔹 Intercept SMS messages and subscribe victims to premium SMS services

🔹 Download additional malware

🔹 Block network connections to avoid detection

🔥 How is Triada Spread?

🚨 Preloaded in Counterfeit Android Devices

✔️ Triada is embedded in the system firmware during manufacturing

✔️ Users cannot remove it without flashing a clean system image

✔️ Sold through third-party marketplaces and supply chain compromises

📡 Previously Spread via Malicious Apps

✔️ Fake WhatsApp mods (FMWhatsApp, YoWhatsApp)

✔️ Fake Android framework backdoors (BADBOX campaign)

💡 Google’s 2019 investigation found a third-party vendor called Yehuo/Blazefire was responsible for infecting system images with Triada.

🛑 Why is This Dangerous?

1️⃣ Difficult to Remove – It's embedded in the system framework of the phone.

2️⃣ Spreads via Messaging Apps – Can send malware-laden messages from your WhatsApp/Telegram.

3️⃣ Steals Crypto Funds – Can hijack and replace wallet addresses.

4️⃣ Intercepts Calls & Messages – Perfect for espionage and fraud.

5️⃣ Generates Massive Revenue for Hackers – Triada authors have transferred $270,000+ in cryptocurrency in just nine months.

🛡️ How to Protect Yourself

✅ Avoid buying off-brand or counterfeit Android devices

✅ Purchase from reputable retailers and official brand stores

✅ Check for unusual permissions & network activity

✅ Use security apps that can detect system malware

✅ Keep your device updated and avoid sideloading apps

✅ Be cautious of WhatsApp mods & unofficial APKs

🚨 Triada remains one of the most complex and dangerous Android threats.

Hackers continue to compromise supply chains to pre-install malware on devices before they even reach consumers.

🔥 More Android Threats Emerging

🔴 Crocodilus & TsarBot – Android banking trojans targeting 750+ financial apps

🔴 Salvador Stealer – Masquerades as an Indian banking app to steal sensitive user data

🔴 Cosiloon – Another malware pre-installed on low-end Android phones

As hackers refine their tactics, users must be extra vigilant when purchasing Android devices and installing apps. 📲🔒

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰

Posted on March 28, 2025March 28, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that wonders whether it’s hackers behind Daylight Savings Hour 👨🏻‍💻🤔😂

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Google, the cybercriminals are no match… for your patch! 🩹

E.T. phone Chrome 👽

🚨 Chrome Zero-Day Under Attack! Update Now! 🔥

Google just rushed out an emergency fix for CVE-2025-2783, a high-severity zero-day exploit hitting Windows users—and it's already being used in attacks! 🎯

💥 What's happening?

Exploit targets Chrome's Mojo IPC system 🖥️

Used in sophisticated phishing attacks 🎣—victims got tricked into clicking a malicious link, which instantly infected their devices! 😱

Targets? Russian media, education, and government organizations 🇷🇺

Kaspersky is calling it "Operation ForumTroll" 🕵️‍♂️

🔧 Fix? Update Chrome to version 134.0.6998.177/.178 NOW! ⏳

📢 Using Edge, Brave, or Opera? They’re based on Chromium, so updates should be coming soon—stay alert! ⚠️

With state-backed hackers on the loose, don't risk it—update immediately! 🚀

Now, on to this week’s hottest cybersecurity news stories:

💉 JavaScript injection promoting gambling sites infects 150k sites ☣️
⚠️ CISA warning! Active exploits hit Next.js and DrayTek devices 📱
👾 Raspberry Robin malware linked to almost 200 unique C2 domains 👨🏻‍💻

Don’t gamble with your online safety 🎲

Gif by Giphy

🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰

A massive JavaScript injection campaign has compromised 150,000+ websites, redirecting visitors to Chinese-language gambling platforms.

🔥 How the Attack Works

🔹 Malicious JavaScript injected into legitimate sites 📜

🔹 Hijacks browsers, replacing content with a gambling page

🔹 Uses iframe overlays to mimic real betting sites (e.g., Bet365) 🎭

🔹 Obfuscates code to evade detection 🕵️‍♂️

🚨 Scale & Evolution

✅ 135,800+ sites still actively infected

✅ Redirects via five domains (e.g., "zuizhongyj[.]com")

✅ Constantly updated with new tactics

🌎 Tied to Larger Cybercrime Networks

🔹 Similar tactics used by DollyWay malware, which has compromised 20,000+ WordPress sites since 2016

🔹 Uses Traffic Direction Systems (TDS) to funnel visitors to scam sites

🔹 Monetized through networks like VexTrio & LosPollos

🛡️ How to Stay Safe

✅ Website admins: Regularly scan for unauthorized JavaScript injections

✅ Keep WordPress & plugins updated to prevent exploitation

✅ Users: Avoid unfamiliar gambling pop-ups & redirects

With thousands of sites compromised and millions exposed, this attack highlights the growing risk of web-based threats—stay cautious and proactive! 🚧

Here’s Why Over 4 Million Professionals Read Morning Brew

Business news explained in plain English
Straight facts, zero fluff, & plenty of puns
100% free

See for yourself

Motherfkers act like they forgot about DrayTek** 🎤

🚨 CISA Adds Exploited Sitecore CMS Flaws to KEV List 📝

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old vulnerabilities in Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) list, citing active exploitation.

🔥 The Vulnerabilities

🔹 CVE-2019-9874 (CVSS 9.8) – Allows unauthenticated remote code execution via deserialization attack 🔓

🔹 CVE-2019-9875 (CVSS 8.8) – Allows authenticated remote code execution via deserialization attack

📅 Federal agencies must patch by April 16, 2025 to secure their networks.

⚠️ Other Exploited Vulnerabilities

🔸 Next.js CVE-2025-29927 (CVSS 9.1) – Authorization bypass lets attackers bypass middleware security & access sensitive resources 🔑

🔸 DrayTek Router Flaws (CVE-2020-8515, CVE-2021-20123, CVE-2021-20124) – Used for remote code execution & file theft 📡

🌎 Attack Hotspots

🔹 Sitecore & Next.js flaws actively probed worldwide

🔹 DrayTek router exploits detected in Indonesia, U.S., Hong Kong, Lithuania, & Singapore

🛡️ How to Stay Protected

✅ Apply patches for all impacted systems ASAP

✅ Monitor logs for unusual activity & exploit attempts

✅ Restrict public access to vulnerable applications

With older flaws still being actively exploited, staying updated is critical to prevent cyber intrusions! 🚧

There’s a reason Morning Brew is the gold standard of business news—it’s the easiest and most enjoyable way to stay in the loop on all the headlines impacting your world.

Tech, finance, sales, marketing, and everything in between—we’ve got it all. Just the stuff that matters, served up in a fast, fun read.

Look—over 4 million professionals start their day with Morning Brew’s daily newsletter, and it only takes 5 minutes to read. Sign up for free and see for yourself!

Check it out

🚨 Raspberry Robin Malware Expands with 200+ C2 Domains 👾

A new investigation has uncovered nearly 200 command-and-control (C2) domains linked to Raspberry Robin, a fast-evolving malware used by Russian-linked cybercriminals and nation-state hackers for initial access into victim networks.

🔥 Key Findings

🔹 New C2 domains (180+) discovered via QNAP device relay 📡

🔹 Uses “fast flux” to rotate domains & evade takedowns 🔄

🔹 Top TLDs: .wf, .pm, .re, .nz, .eu, .tw 🌍

🔹 C2 infrastructure tied to niche registrars & Bulgarian hosting provider

🕵️ How Raspberry Robin Spreads

✅ USB-Based Propagation – Infects devices via compromised USB drives

✅ Discord-Based Delivery – Archives & Windows Script Files spread malware 🎭

✅ Exploiting One-Day Vulnerabilities – Gains privilege escalation before public disclosure

🏴‍☠️ Linked to Major Threat Actors

🔸 Used by Russian APT Cadet Blizzard for initial access 🕶️

🔸 Distributes malware for LockBit, Dridex, SocGholish, & FIN11

🔸 Possibly operates as a Pay-Per-Install (PPI) botnet

🛡️ How to Stay Safe

✅ Disable autorun on USB devices 🚫

✅ Monitor network traffic for unusual domain activity 🌐

✅ Use endpoint protection to detect malware loaders 🛡️

✅ Restrict access to QNAP & NAS devices from external networks

With Russian threat actors leveraging Raspberry Robin for large-scale intrusions, defensive measures are critical to prevent data breaches and ransomware infections. 🚨

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

Defense Industry Under Attack

Posted on March 21, 2025March 21, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s popping like fresh 🍞🥖🥨🍰🧁

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Windows, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

One door closes, a Window opens 🏡

🛡️ Microsoft Patch Tuesday: 57 Bugs Fixed, 6 Zero-Days Under Attack! 💀

Microsoft just dropped 57 security patches, including 6 zero-days being actively exploited! ⚠️

Top risks include:

Win32 Kernel exploit (CVE-2025-24983) lets attackers gain SYSTEM privileges.
File system flaws allowing data theft & remote code execution.
Microsoft Management Console bypass (CVE-2025-26633) to evade security protections.

The U.S. CISA has added these to its Known Exploited Vulnerabilities (KEV) list, giving agencies until April 1, 2025 to patch. If you haven’t updated yet, do it NOW to stay protected! 🔒

Now, on to this week’s hottest cybersecurity news stories:

🐀 Dark Crystal targets Ukraine 🎯
👾 Basta crimes spreads Evel Knievel 🏍️
🔎 ClearFake it before you make it nigga ☠️

CERTified loverboy, certified pedophile 📀

Gif by Giphy

🎯 Dark Crystal RAT Campaign Targets Ukrainian Defense Sector

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a new cyber espionage campaign deploying Dark Crystal RAT (DCRat) against defense industry employees and military personnel.

🚨 How the Attack Works

🔹 Malicious messages sent via Signal 📲

🔹 Compromised accounts used to increase trust 🕵️‍♂️

🔹 Fake meeting minutes sent as archive files 📁

🔹 Contains a decoy PDF + DarkTortilla crypter 🎭

🔹 Decryption leads to full remote access via DCRat 💻

🕵️ Who’s Behind It?

CERT-UA attributes the attack to UAC-0200, active since mid-2024.

🔥 Why It’s Dangerous

✅ DCRat executes arbitrary commands 🛠️

✅ Steals sensitive data & credentials 🔑

✅ Grants attackers remote control over infected systems

🌍 Cyber Tensions & Signal Controversy

🔸 Reports claim Signal is no longer assisting Ukrainian authorities in countering Russian cyber threats

🔸 Signal denies these claims, stating it does not collaborate with any government

🔐 How to Stay Safe

✅ Be cautious of unexpected Signal messages 🚧

✅ Verify senders before opening attachments

✅ Use endpoint protection & monitor for unauthorized activity 🔍

Russian-linked cyber actors are increasingly targeting secure messaging platforms—stay vigilant and protect sensitive data! 🚨

Optimize global IT operations with our World at Work Guide

Explore this ready-to-go guide to support your IT operations in 130+ countries. Discover how:

Standardizing global IT operations enhances efficiency and reduces overhead
Ensuring compliance with local IT legislation to safeguard your operations
Integrating Deel IT with EOR, global payroll, and contractor management optimizes your tech stack

Leverage Deel IT to manage your global operations with ease.

Download free guide

Basta crimes 🎤

🕵️ Leaked Black Basta Chats Reveal Russian Ties & Cybercrime Expansion

A leak of 200,000 internal chat messages from the Black Basta ransomware gang suggests possible links to Russian authorities and major cybercrime operations.

🚨 Key Revelations

🔹 Leader Oleg Nefedov (GG/AA) allegedly escaped arrest in Armenia with Russian officials’ help

🔹 Two suspected offices in Moscow 🏢

🔹 Used ChatGPT for fraud, malware development, and debugging 🤖

🔹 Overlaps with other ransomware gangs (Rhysida, CACTUS) 🎭

🔹 Developed a custom C2 framework (“Breaker”) for persistence & stealth

🔥 Brute-Force Attacks with BRUTED

🔹 Custom tool “BRUTED” automates credential stuffing 🔑

🔹 Targets firewalls, VPNs, & edge network devices

🔹 Used since 2023 for large-scale password attacks

🕵️ What’s Next for Black Basta?

🔸 Possible rebrand with new ransomware based on Conti’s code

🔸 Heavy investment in automated cyberattacks

🔸 Scaling credential theft & network infiltration

🔐 How to Stay Protected

✅ Enforce strong, unique passwords & MFA 🔄

✅ Monitor for unusual login attempts & brute-force attacks 🔍

✅ Patch firewalls & VPNs to prevent exploitation 🔥

With growing automation & state-level connections, Black Basta remains a top ransomware threat—organizations must stay ahead! 🚧

It’s clearly a ClearFake 🎭

🎭 ClearFake Uses Fake reCAPTCHA to Spread Malware

The ClearFake campaign is tricking users with fake reCAPTCHA and Cloudflare Turnstile verifications, leading them to download Lumma Stealer and Vidar Stealer malware. At least 9,300 websites have been compromised.

🔥 How the Attack Works

🔹 Users visit a hacked site—JavaScript loads from Binance Smart Chain (BSC) 📜

🔹 Victim is tricked into running malicious PowerShell (ClickFix technique)

🔹 Deploys Emmenhtal Loader (PEAKLIGHT) → Drops Lumma Stealer

🔹 New variant encrypts HTML & expands Web3 capabilities 🕵️‍♂️

⚠️ Why This Is Dangerous

✅ Uses blockchain (BSC) for resilience & stealth

✅ Compromised over 9,300 sites & exposed 200,000+ users

✅ Targets both Windows & macOS users

✅ Frequently updated to evade detection

🛡️ How to Stay Safe

✅ Never download "browser updates" from pop-ups 🚫

✅ Be cautious of CAPTCHA prompts on unfamiliar sites

✅ Monitor PowerShell execution & network traffic 🔍

✅ Keep browsers & security tools updated

With widespread infections & rapid evolution, ClearFake remains a major global threat—stay vigilant! 🚨

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

[Exclusive Invite] Beyond Backups: How to Elevate Your Cyber Resilience

Posted on March 18, 2025March 14, 2025 by Cyber Dawg

Rubrik

Hear from Chief Research Analyst at IT-Harvest

View in Browser | Forward to a Friend

Beyond Backup: Defining Cyber Resilience for IT Professionals

The global average cost of a data breach in 2024 was $4.88M*

If you’re still betting on legacy systems to keep your data protected, you could be looking at a huge payment down the line.

You need to be ready to bounce back when you’re hit, and that comes down to understanding what it takes to be cyber resilient.

Join us at Beyond Backup: Defining Cyber Resilience for IT Pros to find out what it takes, including:

Why traditional backup systems need to evolve in response to current cyber threats
Real-world use cases that define cyber resilience for IT professionals
Steps to improve your cybersecurity posture and prepare for cyberattacks

Speakers: Richard Stiennon, Chief Research Analyst at IT-Harvest, and Jason Cook, Field CTO at Rubrik

Day/time: Thursday, March 20th at 10 AM PT / 1 PM ET

Save Your Spot

* IBM Cost of a Breach 2024 Report

🎯 Unknown Hackers Target Japanese Organizations via PHP Vulnerability

Posted on March 14, 2025March 14, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s treating cybercriminals like Trump’s tariffs are treating the stock market 📉📉📉

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Mozilla & Microsoft, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patches 🐣🐣

All Mozilla, no filler 😜

🚨 Firefox Add-on Trouble Incoming? Update Now! 🔥

Mozilla is urging all Firefox users to update ASAP to avoid issues with add-ons, DRM content, and security features due to an expiring root certificate on March 14, 2025. 🛑

What’s the fix?

✅ Update to Firefox 128+ (or ESR 115.13+ for long-term users).

✅ Applies to Windows, macOS, Linux, and Android (but not iOS/iPadOS).

✅ Tor Browser users should update as well.

Without this update, add-ons may disable themselves, security alerts may stop working, and some DRM content won’t play. Don't risk it—update now! 🚀

🛡️ Microsoft Patch Tuesday: 57 Bugs Squashed, 6 Zero-Days Exploited! 💀

Microsoft just patched 57 security flaws, including 6 actively exploited zero-days! ⚠️

Key risks include:

Win32 Kernel flaw (CVE-2025-24983) used by malware to gain SYSTEM privileges.
NTFS & FAT file system bugs allowing attackers to steal data or execute malicious code.
Microsoft Management Console bypass (CVE-2025-26633) helping attackers evade security checks.

The U.S. CISA has added these to its Known Exploited Vulnerabilities (KEV) list, requiring agencies to patch by April 1, 2025. If you haven't updated yet, do it now to stay protected! 🔒

Now, on to this week’s hottest cybersecurity news stories:

⛩️ Japan-attack: PHP-CGI RCE flaw exploited in attacks galore 👨🏻‍💻
🌐 Juniper networks beware! Chinese hackers are out en masse 👨‍👨‍👧‍👧
🎭 Fake Play Store scam targets global users: PlayPraetor Trojan 🐴

Don’t Japanic 😨

Gif by Giphy

🎯 Unknown Hackers Target Japanese Organizations via PHP Vulnerability

A mystery hacking group has been exploiting CVE-2024-4577, a remote code execution (RCE) flaw in PHP-CGI on Windows, to infiltrate Japanese companies across tech, telecom, education, e-commerce, and entertainment sectors since January 2025.

🔥 How the Attack Works

🔹 Exploits PHP-CGI vulnerability for initial access

🔹 Deploys Cobalt Strike (TaoWu plugins) via PowerShell for remote control 📡

🔹 Moves laterally using privilege escalation tools (JuicyPotato, RottenPotato, SweetPotato)

🔹 Hides traces by deleting event logs (wevtutil commands)

🔹 Steals passwords & NTLM hashes using Mimikatz 🛑

🛠️ Hacker Toolset (Exposed on Alibaba Cloud)

🔹 BeEF – Executes browser-based attacks 🍖

🔹 Viper C2 – Runs remote commands & reverse shell payloads 🐍

🔹 Blue-Lotus – Web shell framework for XSS, cookie theft & CMS hijacking 🌐

🕵️ What’s Their Goal?

Researchers suspect more than just credential theft—the attackers are gaining SYSTEM privileges and setting up persistence, suggesting long-term espionage or future attacks.

🔐 How to Stay Protected

✅ Patch PHP-CGI (CVE-2024-4577) immediately 🔄

✅ Monitor for unusual PowerShell activity & log deletions 📊

✅ Restrict execution of privilege escalation tools 🚫

✅ Strengthen defenses against Cobalt Strike & web shell attacks 🛡️

With sophisticated tactics and stealthy tools, these hackers pose a serious threat—stay alert and secure your systems! 🚨

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

Sign up for The Rundown AI newsletter
They send you 5-minute email updates on the latest AI news and how to use it
You learn how to become 2x more productive by leveraging AI

Heard about the Chinese Hackfather? He sent them some code they couldn’t understand. 🗣️

🚨 China-Linked Hackers Target Juniper Routers with Custom Backdoors 🚪

The China-backed hacking group UNC3886 is infiltrating outdated Juniper MX routers, deploying custom TinyShell-based backdoors to spy on networks and evade detection.

🎯 Who’s Affected?

🔹 Defense, telecom, and tech sectors in the U.S. & Asia

🔹 Organizations using end-of-life Juniper routers

🔥 How the Attack Works

⚠️ Gains privileged access via compromised credentials

⚠️ Injects malware into legitimate Junos OS processes 🛠️

⚠️ Disables logging before executing commands, then restores logs 🕵️‍♂️

⚠️ Uses rootkits & SSH hijacking tools to maintain persistence

🛠️ Custom Backdoors & Implants

🔹 appid, to – Remote control via SOCKS proxy & command execution

🔹 irad – Stealthy packet sniffer for extracting commands

🔹 lmpad – Memory injection tool to disable logging

🔹 jdosd – UDP-based remote shell for file transfer

🔹 oemd – TCP backdoor for executing commands

🛑 How to Defend Against UNC3886

✅ Upgrade Juniper routers to patched versions 🛡️

✅ Monitor for unusual system modifications & log tampering 📊

✅ Restrict administrative access & enforce MFA 🔑

✅ Deploy forensic tools to detect passive backdoors 🔍

UNC3886’s stealth tactics & deep system knowledge make these attacks highly persistent—organizations must act fast to secure their networks! 🚧

You gotta Play to win 🏆

🚨 PlayPraetor Trojan: Global Google Play Scam Exposed 🧠

Cybercriminals are tricking users with fake Google Play Store pages to distribute PlayPraetor, a powerful malware that steals banking credentials, logs keystrokes, and hijacks cryptocurrency transactions. Over 6,000 fraudulent pages have been uncovered by cybersecurity firm CTM360.

🎭 How the Scam Works

🔹 Fake Google Play Pages – Lookalike sites distribute malicious APKs

🔹 Trojanized Apps – Malware disguises as legitimate apps 🕵️‍♂️

🔹 Dangerous Permissions – Gains control via Accessibility Services

🔹 Banking Fraud – Targets banking & crypto apps, intercepting MFA codes 🔑

🛠️ PlayPraetor’s Attack Strategy

CTM360’s Scam Navigator outlines six key stages:

1️⃣ Fake Domains – Mimic Google Play & government sites

2️⃣ Phishing Traps – Victims lured via ads, SMS, & social media

3️⃣ Malware Distribution – Trojanized apps infect devices

4️⃣ Credential Theft – Keyloggers & clipboard monitoring steal data

5️⃣ Monetization – Stolen accounts sold on the dark web 💰

6️⃣ Botnet Operations – Infected devices used for ad fraud & cybercrime

🛡️ How to Protect Yourself

✅ Download apps ONLY from official stores (Google Play, Apple App Store)

✅ Verify app developers & read user reviews

✅ Deny unnecessary permissions, especially Accessibility Services

✅ Use mobile security software to block malware

✅ Stay informed on emerging threats

With over 6,000 fraudulent pages detected, PlayPraetor is one of the most widespread mobile scams ever—stay vigilant! ⚠️

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

Silk Typhoon bursts the banks 🌊

Posted on March 7, 2025March 7, 2025 by Cyber Dawg

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s the DOGE to cybercrime’s government spending 🤺

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Elastic, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Elastic bounces back 🙃

🚨 Critical Kibana Flaw – Patch Now!

Elastic has released an urgent security update for Kibana, fixing a critical prototype pollution vulnerability (CVE-2025-25015, CVSS 9.9) that could allow arbitrary code execution. 🚨

⚡ What’s the Risk?

● Attackers can manipulate JavaScript objects, leading to remote code execution (RCE), data access, or privilege escalation.

● Exploitable via crafted file uploads & HTTP requests.

🛑 Affected Versions:

● Kibana 8.15.0 → 8.17.3 (Fixed in 8.17.3)

● In 8.15.0 to 8.17.1, only Viewer role users can exploit it.

● In 8.17.1 to 8.17.2, attackers need specific privileges (fleet-all, integrations-all, actions:execute-advanced-connectors).

🔧 Immediate Action Required!

✅ Update to Kibana 8.17.3 ASAP!

✅ If patching isn’t possible, disable Integration Assistant (xpack.integration_assistant.enabled: false in kibana.yml).

Elastic has patched similar high-severity flaws before – don’t wait! Secure your systems now! 🔒✨

Now, on to this week’s hottest cybersecurity news stories:

🌊 Chinese ‘Silk Typhoon’ expands attacks to IT supply chains 🌐
🚀 Google launches AI conversational scam protection for Android 🤖
🐼 Chinese APT Lotus Panda targets governments w/ new variants 👾

Silk Typhoon bursts the banks 🌊

Gif by moonbugentertainment on Giphy

🚨 Silk Typhoon Targets IT Supply Chains for Cyber Espionage 🎯

The China-linked hacking group Silk Typhoon (formerly Hafnium) has shifted tactics, now targeting IT supply chains to infiltrate corporate networks. Instead of direct attacks, they compromise remote management tools, cloud apps, and IT service providers to gain broad access to victims.

🎯 Who’s at Risk?

🔹 IT service providers, MSPs, cloud management firms

🔹 Government agencies, healthcare, legal, defense, and NGOs

🔹 Energy & higher education sectors

🔍 How They Attack

⚠️ Exploiting stolen API keys & credentials for privilege escalation 🔑

⚠️ Zero-day attacks on Ivanti VPN, Palo Alto firewalls & Citrix NetScaler 🌐

⚠️ Password spraying with leaked credentials 💻

⚠️ Deploying web shells for persistence & command execution 🚪

📡 What They Steal

🔹 Email, OneDrive & SharePoint data via MSGraph API 📁

🔹 Cloud infrastructure reconnaissance & lateral movement 🔄

🔹 Sensitive corporate & government information 🕵️

🕶️ Hiding Their Tracks

Silk Typhoon operates through a "CovertNetwork" of compromised routers & appliances from Zyxel, QNAP, and Cyberoam, disguising their real location.

🔐 How to Stay Secure

✅ Apply security patches ASAP for exploited CVEs 🛠️

✅ Use multi-factor authentication (MFA) 🔑

✅ Limit access to critical cloud services & enforce network segmentation 🔄

✅ Monitor for unusual API key use & privilege escalation 🚨

Silk Typhoon’s supply chain attacks are a major cybersecurity threat—proactive defense is crucial! 🚧

Looking for unbiased, fact-based news? Join 1440 today.

Join over 4 million Americans who start their day with 1440 – your daily digest for unbiased, fact-centric news. From politics to sports, we cover it all by analyzing over 100 sources. Our concise, 5-minute read lands in your inbox each morning at no cost. Experience news without the noise; let 1440 help you make up your own mind. Sign up now and invite your friends and family to be part of the informed.

Subscribe to 1440 today.

Pays to be a Paranoid Android 🤖

🚨 Google Rolls Out AI-Powered Scam Detection for Android Users 📱

Google is launching AI-driven scam detection to help Android users avoid conversational scams and spoofed calls that impersonate trusted companies.

🔍 How It Works

✅ AI models analyze conversation patterns in real-time

✅ Detects suspicious messages & alerts users 🚨

✅ Runs entirely on-device for privacy 🔒

✅ Only applies to unknown numbers 📵

Users can dismiss, block, or report scams, with reported details shared with Google & carriers.

📞 AI Scam Detection for Calls Expands

🔹 Available on Pixel 9+ devices in the U.S.

🔹 Beep alerts notify participants when enabled 📢

🔹 Audio is processed ephemerally & not stored

🌍 Where & When?

🚀 First launching in English in the U.S., U.K., & Canada

📆 More regions to follow

🛡️ Safer Browsing with AI

Google also revealed that 1B+ Chrome users now use Enhanced Protection mode, which:

🔹 Detects phishing & scam websites 🕵️‍♂️

🔹 Flags suspicious downloads 🚫

Stay Safe!

🔹 Keep scam detection enabled

🔹 Be cautious of unknown senders & callers

🔹 Use Safe Browsing for extra protection

AI-powered tools are making scams easier to spot—but vigilance is still key! 🚧

Hackers: Lotus cause some Pandamonium 😏

🚨 Lotus Panda Targets Governments & Telecoms with Sagerunex Backdoor 🕵️

The Chinese state-backed hacking group Lotus Panda (aka Billbug, Thrip, Lotus Blossom) has been targeting government, manufacturing, telecom, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with new variants of the Sagerunex backdoor.

🎯 What’s New?

🔹 Two new "beta" versions of Sagerunex spotted

🔹 Uses Dropbox, X (Twitter), and Zimbra for stealthy C2 communications 📡

🔹 Deploys cookie stealers, proxy tools, and privilege escalation software

🚪 How They Get In

⚠️ Likely through spear-phishing & watering hole attacks 🎣

⚠️ Backdoor hides in email drafts & trash folders to evade detection 🕵️‍♂️

⚠️ Steals system data & sends commands via Zimbra webmail

🔥 How They Operate

✅ Collects system details & encrypts exfiltrated data

✅ Runs reconnaissance commands (net, tasklist, ipconfig, netstat)

✅ Uses Venom proxy to bypass internet restrictions

🔐 How to Defend Against Lotus Panda

✅ Monitor for unusual Dropbox/X/Zimbra activity 📊

✅ Restrict unauthorized use of proxy tools 🚫

✅ Educate employees on phishing threats 📧

✅ Strengthen email security & endpoint defenses 🛡️

Lotus Panda remains a persistent threat, evolving its stealth tactics to bypass security measures. Stay vigilant and proactive! 🚨

🗞️ Extra, Extra! Read all about it! 🗞️

🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

The Bill Gates have opened 🙃

Don’t play Russian Roulette with your online safety 🎲

🚨 Proton66: Russian Bulletproof Host Powers Surge in Global Cyberattacks 🌐

The question isn't if your business will be targeted, but when.

GRAPELOADER: wine not? 🍷👀💀

🚨 APT29 Targets Diplomats with GRAPELOADER & WINELOADER 🍷

Learn how to make AI work for you

Ah, the old smish and grib, eh? 💀💀💀

🚨 U.S. Toll Road Users Targeted in Massive SMS Phishing Campaign 🚗

You’re the Apple of my eye 🍎👁️🙃

Jim’ll ClickFix it 💀💀💀

🚨 ClickFix Goes Global: Nation-State Hackers Join the Malware Trend 🎯

Just say Node 😏

🚨 Malvertising Meets Node.js: Microsoft Warns of Evolving Malware Campaign 🧪

Tesla just can’t catch a break 😉😂😂

WhatsApp with that? 🙃

How did the Oracle not see this coming 🔮👀💀

🚨 Oracle Confirms Private Data Breach — After Public Denials ☁️

Learn AI in 5 minutes a day

It was only a Crush, it was only a Crush 🎙️🎶💀

🚨 CISA & Experts Warn: CrushFTP Exploited in Active Attacks 💥

Trying to strike a chord and it’s probably A (crypto) miner 💀💀💀

Google: IAM legend 💪💪💪

QR ya??? 🙃

🚨 Microsoft Warns of Tax-Themed Phishing Surge Targeting U.S. Organizations 📬

Crypto’s Most Influential Event

ClickFix up look sharp!!! 🎙️

🚨 North Korean Hackers Target Job Seekers in Crypto Sector with Fake Interviews 🎙️

Daily News for Curious Minds

Triada mate… Try harder. Get it? I’m here all week 😂

Google: IAM legend 💪💪💪

QR ya??? 🙃

🚨 Microsoft Warns of Tax-Themed Phishing Surge Targeting U.S. Organizations 📬

Crypto’s Most Influential Event

ClickFix up look sharp!!! 🎙️

🚨 North Korean Hackers Target Job Seekers in Crypto Sector with Fake Interviews 🎙️

Daily News for Curious Minds

Triada mate… Try harder. Get it? I’m here all week 😂

E.T. phone Chrome 👽

Don’t gamble with your online safety 🎲

🚨 Massive Web Infections Redirect Users to Chinese Gambling Sites 🎰

Here’s Why Over 4 Million Professionals Read Morning Brew

Motherf**kers act like they forgot about DrayTek 🎤

🚨 CISA Adds Exploited Sitecore CMS Flaws to KEV List 📝

The newsletter every professional should be reading

It’s Robin you blind 💀

One door closes, a Window opens 🏡

CERTified loverboy, certified pedophile 📀

🎯 Dark Crystal RAT Campaign Targets Ukrainian Defense Sector

Optimize global IT operations with our World at Work Guide

Basta crimes 🎤

It’s clearly a ClearFake 🎭

All Mozilla, no filler 😜

Don’t Japanic 😨

🎯 Unknown Hackers Target Japanese Organizations via PHP Vulnerability

Learn AI in 5 minutes a day

Heard about the Chinese Hackfather? He sent them some code they couldn’t understand. 🗣️

🚨 China-Linked Hackers Target Juniper Routers with Custom Backdoors 🚪

You gotta Play to win 🏆

🚨 PlayPraetor Trojan: Global Google Play Scam Exposed 🧠

Elastic bounces back 🙃

Silk Typhoon bursts the banks 🌊

Looking for unbiased, fact-based news? Join 1440 today.

Pays to be a Paranoid Android 🤖

🚨 Google Rolls Out AI-Powered Scam Detection for Android Users 📱

Hackers: Lotus cause some Pandamonium 😏

🚨 Lotus Panda Targets Governments & Telecoms with Sagerunex Backdoor 🕵️

Motherfkers act like they forgot about DrayTek** 🎤