Apr 05 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands this is what happens when you Musk it for a chocolate biscuit. The world economy left the chat.
Patch of the Week!
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it...
Congrats to Google, the cybercriminals are no match... for your patch!
Google Cloud Run Vulnerability Revealed: "ImageRunner"
Cybersecurity researchers just uncovered ImageRunner, a now-patched privilege escalation flaw in Google Cloud Platform's Cloud Run that could've let attackers steal private container images and even inject malware into deployments.
What was the issue?
Malicious users with limited permissions (run.services.update + iam.serviceAccounts.actAs) could:
- Edit Cloud Run services
- Pull private container images
- Inject malicious code
Target: images stored in Google Artifact Registry or Google Container Registry in the same project.
Potential impact:
- Secrets stolen
- Sensitive data exfiltrated
- Reverse shells launched
All by tricking Cloud Run into using infected container images, like a software supply chain attack from inside the cloud.
What did Google do?
As of January 28, 2025, Google patched the issue. Now, any user or service account must have explicit read access to deploy container images. No more sneaky side-loading.
You now need the Artifact Registry Reader role (roles/artifactregistry.reader) to deploy from private registries.
Tenable, who discovered the bug, calls this kind of vulnerability "Jenga", because when one cloud service gets wobbly, the rest stacked on top become vulnerable too.
Reminder: Cloud security isn't just IAM policies; it's the invisible glue between services that attackers love to exploit.
If you're using GCP Cloud Run, make sure:
- Your IAM roles are tight
- Your image permissions are reviewed
- You stay up-to-date on patches!
Defenders, stay alert: the cloud can be a blessing or a backdoor, depending on how well you secure it.
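One way to review a project's IAM bindings for the ImageRunner permission pair, as an added example that is not part of the newsletter nor Tenable's or Google's own tooling: it flattens a project IAM policy into per-member permissions and flags members who can update Cloud Run services and act as a service account while holding no Artifact Registry read permission of their own. The role-to-permission map is a simplified assumption, and the sample policy and member names are constructed.

```python
import json

# Assumed, simplified map of predefined GCP roles to the permissions that
# matter here. Check it against the current IAM role reference before use.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.services.update"},
    "roles/run.admin": {"run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/artifactregistry.reader": {"artifactregistry.repositories.downloadArtifacts"},
}
UPDATE = "run.services.update"
ACT_AS = "iam.serviceAccounts.actAs"
IMAGE_READ = "artifactregistry.repositories.downloadArtifacts"


def permissions_by_member(policy):
    """Flatten an IAM policy (shape of `gcloud projects get-iam-policy
    --format=json`) into {member: set_of_permissions}."""
    perms = {}
    for binding in policy.get("bindings", []):
        role_perms = ROLE_PERMISSIONS.get(binding["role"], set())
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(role_perms)
    return perms


def imagerunner_candidates(policy):
    """Members holding the ImageRunner pair (update a Cloud Run service and
    act as its service account) but no registry read permission of their own.
    Before the January 28, 2025 fix such a member could deploy a private image
    it was never allowed to pull; after it the deploy is refused. Either way
    the grant is wider than the member's real image access and worth a look."""
    flagged = []
    for member, perms in sorted(permissions_by_member(policy).items()):
        if UPDATE in perms and ACT_AS in perms and IMAGE_READ not in perms:
            flagged.append(member)
    return flagged


# Constructed sample policy: only dev@ has the risky pair without read access.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.developer",
     "members": ["user:dev@example.com", "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com", "user:ops@example.com"]},
    {"role": "roles/run.admin", "members": ["user:ops@example.com"]},
    {"role": "roles/artifactregistry.reader", "members": ["user:ops@example.com"]}
  ]
}""")

if __name__ == "__main__":
    print(imagerunner_candidates(SAMPLE_POLICY))
```

Group memberships and inherited folder or organization bindings are not expanded here, so treat a flagged member as a prompt to check the effective policy rather than as a verdict.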
Now, on to this week's hottest cybersecurity news stories:
- Tax doesn't need to be taxing!! Microsoft says otherwise
- Lazarus rises from the dead... AGAIN! Change the record
- 2,600+ Android phones infected w/ Triada malware... Beware
Microsoft has issued a high-alert warning about multiple phishing campaigns weaponizing tax season as a lure to steal credentials and drop malware. The campaigns are part of a broader phishing-as-a-service (PhaaS) ecosystem dubbed RaccoonO365, enabling threat actors to bypass traditional detection methods and launch highly targeted attacks.
Key Threats & Techniques
- Themes Used: Fake tax docs, Microsoft 365 login pages, and Docusign requests
- Delivery Methods:
  - PDF attachments with URL shorteners (Rebrandly)
  - PDFs with QR codes
  - Spoofed emails using legit file-sharing & collaboration services
- Redirect Chains: Link > URL shortener > fake login/malware page
- Phishing kits powered by RaccoonO365 PhaaS
Notable Payloads Delivered
Malware / Tool          Function
BruteRatel C4 (BRc4)    Red-teaming post-exploitation
Latrodectus             Malware loader (evolved in Feb 2025)
AHKBot                  Credential theft & screenshot exfiltration
GuLoader                Payload delivery platform
Remcos RAT              Full remote control
Warning: BRc4 & Latrodectus were dropped via tax-themed PDFs that evaluated a user's IP/system to decide whether to send malware or a harmless file.
Campaigns & Targets
February 2025 Campaigns:
- Targeted 2,300+ U.S. organizations (engineering, IT, consulting sectors)
- Emails had empty bodies but malicious PDFs with QR codes
- Redirected to fake Microsoft 365 login pages via RaccoonO365
Another campaign used Facebook ads to lure victims to a fake Windows 11 Pro download site, dropping the Latrodectus loader via BruteRatel.
Advanced Obfuscation Tactics
- Fake file types (e.g., .lnk files made to look like tax docs)
- QR codes used to bypass secure email gateways (SEGs)
- Browser-in-the-browser (BitB) attacks mimicking login popups
- Abuse of legit services: DocuSign, Adobe, Dropbox, Canva, Zoho
- Use of open redirects & URL shorteners to hide phishing links
How to Stay Protected
- Block macros & disable autorun
- Use phishing-resistant MFA (e.g., hardware tokens, passkeys)
- Educate users about tax-season phishing scams
- Implement network protection to block outbound connections to known malicious domains
- Leverage modern browsers with phishing protection built-in
Microsoft's findings show a sophisticated evolution of phishing, where attackers are blending social engineering with stealthy malware loaders and legitimate-looking infrastructure. With tax season being a peak period for these attacks, organizations must remain hyper-vigilant.
Consensus is the world's longest-running gathering of the global crypto, blockchain, and AI communities.
Celebrated as "The Super Bowl of Blockchain", Consensus will welcome 20,000 attendees shaping the decentralized digital economy to Toronto this May 14-16.
Ready to invest in your future?
Attending is your best bet.
Register & Save 20% with BEEHIIV
A new North Korean hacking campaign is using fake job interviews and the ClickFix technique to infect job seekers in the cryptocurrency sector with a newly discovered Go-based backdoor called GolangGhost. The attack, tracked as ClickFake Interview, is a continuation of the Contagious Interview campaign linked to the Lazarus Group, a hacking unit tied to North Korea's Reconnaissance General Bureau (RGB).
Key Targets & Attack Methodology
- Targets:
  - Centralized finance (CeFi) companies (Coinbase, Kraken, KuCoin, Tether, etc.)
  - Job seekers in business development, asset management, and DeFi
- Attack Flow:
  1. Hackers pose as recruiters on LinkedIn/X and invite targets to a video interview.
  2. Victims are directed to a fake video interview platform (e.g., "Willo").
  3. The platform presents a fake error message requiring a "camera driver" download.
  4. Victims are instructed to execute a malicious script via Command Prompt (Windows) or Terminal (macOS).
  5. The script drops FROSTYFERRET (a stealer) and GolangGhost (a backdoor).
- Key Malware Used:
Malware        Function
GolangGhost    Backdoor for data theft & remote control
FROSTYFERRET   Stealer disguised as a Chrome camera permission prompt
FERRET         Initial malware loader
Advanced Social Engineering via ClickFix
- Uses fake job postings to lure victims
- Mimics real video interview platforms
- ClickFix method tricks users into manually running malicious scripts
- Exploits victim trust in the interview process
macOS users are tricked into entering their system password, likely for iCloud Keychain theft.
North Korea's Expanding IT Worker Scheme in Europe
Google Threat Intelligence Group (GTIG) reports a global expansion of North Korea's fraudulent IT worker operations into Europe.
- Key Trends:
  - North Koreans posing as remote IT workers to infiltrate Western firms
  - Fake identities claiming to be from Italy, Japan, Vietnam, and the U.S.
  - Work in web development, blockchain, bot development
  - Use of GitHub to build fake portfolios
- Recent Tactics:
  - Targeting companies with BYOD (Bring Your Own Device) policies
  - Extortion: demanding ransom from employers to prevent data leaks
"Europe needs to wake up fast. North Korea's cyber threats are not just a U.S. problem." - Google Threat Intelligence Group
How to Stay Protected
- Verify job offers: don't download software for interviews
- Use endpoint security: block unauthorized script execution
- Be wary of LinkedIn/X job offers from unknown recruiters
- Adopt strong authentication: enable phishing-resistant MFA
- Monitor for fake employee identities in remote hiring processes
North Korea continues to innovate in cybercrime, blending social engineering, supply chain infiltration, and IT worker fraud to fund its regime. As cryptocurrency remains a prime target, businesses and job seekers must stay vigilant against evolving tactics.
Be the smartest person in the room by reading 1440! Dive into 1440, where 4 million Americans find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet: politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight. Subscribe to 1440 today.
Fake Android Phones Preloaded with Malware Targeting Users Worldwide
Counterfeit smartphones are being sold at reduced prices, but they come preloaded with a dangerous Android malware called Triada. The latest version of this malware gives attackers full control over infected devices, allowing them to steal sensitive data, hijack cryptocurrency transactions, and spread malware via messaging apps.
Affected Users: More than 2,600 devices worldwide, majority in Russia
Attack Window: March 13 – 27, 2025
Malware: Triada RAT (Remote Access Trojan)
What is Triada?
Triada is a modular Android malware first discovered in 2016 that has evolved into a sophisticated backdoor. It can:
- Steal user credentials from Telegram, TikTok, and other social apps
- Send and delete WhatsApp and Telegram messages without the user's knowledge
- Replace cryptocurrency wallet addresses in clipboard (clipper attack)
- Monitor web browser activity and manipulate links
- Replace phone numbers during calls
- Intercept SMS messages and subscribe victims to premium SMS services
- Download additional malware
- Block network connections to avoid detection
How is Triada Spread?
Preloaded in Counterfeit Android Devices
- Triada is embedded in the system firmware during manufacturing
- Users cannot remove it without flashing a clean system image
- Sold through third-party marketplaces and supply chain compromises
Previously Spread via Malicious Apps
- Fake WhatsApp mods (FMWhatsApp, YoWhatsApp)
- Fake Android framework backdoors (BADBOX campaign)
Google's 2019 investigation found a third-party vendor called Yehuo/Blazefire was responsible for infecting system images with Triada.
Why is This Dangerous?
1. Difficult to Remove: it's embedded in the system framework of the phone.
2. Spreads via Messaging Apps: can send malware-laden messages from your WhatsApp/Telegram.
3. Steals Crypto Funds: can hijack and replace wallet addresses.
4. Intercepts Calls & Messages: perfect for espionage and fraud.
5. Generates Massive Revenue for Hackers: Triada authors have transferred $270,000+ in cryptocurrency in just nine months.
How to Protect Yourself
- Avoid buying off-brand or counterfeit Android devices
- Purchase from reputable retailers and official brand stores
- Check for unusual permissions & network activity
- Use security apps that can detect system malware
- Keep your device updated and avoid sideloading apps
- Be cautious of WhatsApp mods & unofficial APKs
Triada remains one of the most complex and dangerous Android threats.
Hackers continue to compromise supply chains to pre-install malware on devices before they even reach consumers.
More Android Threats Emerging
- Crocodilus & TsarBot: Android banking trojans targeting 750+ financial apps
- Salvador Stealer: masquerades as an Indian banking app to steal sensitive user data
- Cosiloon: another malware pre-installed on low-end Android phones
As hackers refine their tactics, users must be extra vigilant when purchasing Android devices and installing apps.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!