86 matches found

The Hacker News
added 2025/06/19 5:23 p.m. · 11 views

New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud, and NFC Theft

Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns. "Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service (MaaS) on...

7.7 AI score
Exploits: 0

The Hacker News
added 2025/03/21 10:28 a.m. · 52 views

Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers...

9.1 CVSS · 9.5 AI score · 0.94302 EPSS
Exploits: 112

Malwarebytes
added 2025/03/06 2:7 p.m. · 10 views

Android botnet BadBox largely disrupted

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox. The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs. The German BSI Federal Office...

7.8 AI score
Exploits: 0

The Hacker News
added 2025/01/15 3:37 p.m. · 4 views

Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99

The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware. "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring...

7.4 AI score
Exploits: 0

The Hacker News
added 2024/12/14 11:33 a.m. · 5 views

Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the...

7.6 AI score
Exploits: 0

The Hacker News
added 2024/12/04 5:23 p.m. · 7 views

Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities

The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, firs...

7.2 AI score
Exploits: 0

Securelist
added 2024/11/25 10:0 a.m. · 62 views

Advanced threat predictions for 2025

We at Kaspersky's Global Research and Analysis Team monitor over 900 APT (advanced persistent threat) groups and operations. At the end of each year, we take a step back to assess the most complex and sophisticated attacks that have shaped the threat landscape. These insights enable us to anticipat...

9.8 CVSS · 8.1 AI score · 0.93048 EPSS
Exploits: 30

The Hacker News
added 2024/08/30 11:15 a.m. · 15 views

Iranian Hackers Set Up New Network to Target U.S. Political Campaigns

Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a hacking group it tracks as GreenCharlie, an...

6.7 AI score
Exploits: 0

The Hacker News
added 2024/07/31 10:1 a.m. · 19 views

Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign. The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online...

7.8 AI score
Exploits: 0

The Hacker News
added 2024/04/03 9:32 a.m. · 54 views

Mispadu Trojan Targets Europe, Thousands of Credentials Compromised

The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial...

8.8 CVSS · 9.5 AI score · 0.91473 EPSS
Exploits: 2

The Hacker News
added 2023/12/22 5:34 a.m. · 73 views

Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector

Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont. The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach...

9.8 CVSS · 9.6 AI score · 0.94436 EPSS
Exploits: 17

The Hacker News
added 2023/07/31 9:25 a.m. · 28 views

AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service

More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware...

7.2 AI score
Exploits: 0

Hive Pro Threat Advisories
added 2023/05/02 7:9 a.m. · 13 views

New Version of ViperSoftX Malware Targets Password Managers and Cryptocurrency Wallets

Summary: ViperSoftX is an information-stealing malware primarily targeting cryptocurrencies, using sophisticated encryption techniques and monthly changes in command-and-control servers to evade detection. To...

6.8 AI score
Exploits: 0

The Hacker News
added 2023/02/21 10:35 a.m. · 4 views

Researchers Discover Numerous Samples of Information Stealer 'Stealc' in the Wild

A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers,"...

6 AI score
Exploits: 0

The Hacker News
added 2022/11/15 12:58 p.m. · 19 views

Deep Packet Inspection vs. Metadata Analysis of Network Detection & Response (NDR) Solutions

Today, most Network Detection and Response (NDR) solutions rely on traffic mirroring and Deep Packet Inspection (DPI). Traffic mirroring is typically deployed on a single-core switch to provide a copy of the network traffic to a sensor that uses DPI to thoroughly analyze the payload. While this...

0.1 AI score
Exploits: 0

The Hacker News
added 2022/10/07 12:59 p.m. · 38 views

LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data

Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang. Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for...

7.4 AI score
Exploits: 0

The Hacker News
added 2022/09/16 2:17 p.m. · 31 views

Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI platform offered by a cybercriminal actor dubbed ruzki. "The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground...

0.6 AI score
Exploits: 0

The Hacker News
added 2022/03/23 11:59 a.m. · 33 views

Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the PlugX remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur, owing to its...

1.2 AI score
Exploits: 0

Trend Micro Simply Security
added 2022/03/17 12:0 a.m. · 16 views

Cyclops Blink Sets Sights on Asus Routers

This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet...

1.3 AI score
Exploits: 0

The Hacker News
added 2022/03/10 7:18 a.m. · 24 views

Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers

The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once...

2.5 AI score
Exploits: 0