April was another busy month for the ANY.RUN team! We continued improving our malware detection capabilities, expanded our behavior signatures, and sharpened threat intelligence, all to make your investigations faster, deeper, and even more precise.
From adding fresh Suricata rules and YARA signatures to detecting new malware behaviors, here’s what’s new at ANY.RUN this month.
Let’s dive in!
Product Updates
Integration of ANY.RUN Services with Your Security Systems via SDK
In April, we’ve announced the release of the ANY.RUN SDK, making it easier than ever to integrate our products directly into your infrastructure.
Security teams can now automate submissions, accelerate workflows, and tailor ANY.RUN’s solutions to fit their existing systems like SIEM, SOAR, or XDR. This gives them faster investigations, fewer manual tasks, and more resources freed up for critical analysis.
By integrating ANY.RUN’s products into the security infrastructure via SDK, you can:
Search IOCs, IOBs, and IOAs across our threat database via TI Lookup
Receive and process network-based IOCs with TI Feeds
The SDK is available for users with the Hunter and Enterprise plans.
With the help of this simple integration, we want to make sure that organizations reduce incident response time, improve detection rates, and build a stronger, more resilient security posture.
How to get started: The SDK is Python-based and includes documentation, libraries, and ready-to-use code samples. Find full instructions on GitHub and PyPI.
Contributions and suggestions from other developers are also welcome! For more info on how to contribute, see our guide.
Test ANY.RUN’s services with 14-day trial to see how they can strengthen your company’s security
New Notifications section displayed inside ANY.RUN
ANY.RUN users will now have access to Notifications directly from the platform interface.
This section is built to keep you informed about the most important updates without cluttering your workflow.
With quick access to key information, your security team can easily stay on top of new capabilities, detection improvements, and emerging threats.
Notifications are short, clear, and actionable, so you can stay focused on your investigations while staying in the loop.
Inside the Notifications section, you’ll find:
Key product updates and new feature announcements
Alerts about critical service improvements
Links to major research reports and threat analyses
Important security advisories from our team
Threat Coverage Updates
In April, we expanded our detection coverage across Android, Windows, and Linux environments with updated rules, behavior signatures, and threat intelligence to support more precise, faster investigations.
Here’s a quick look at what’s been updated:
New Suricata Rules
We added 902 new Suricata rules in April to improve visibility into network-based threats, including malicious domains, phishing infrastructure, and C2 traffic.
These updates enhance detection coverage for various malware families, including miners, stealers, and ransomware.
Behavior Signatures
We introduced 91 new behavior-based signatures to improve detection for malware samples across platforms. These updates include:
These exploits were identified during real-world malware analysis sessions and are now reflected in our detection logic. ANY.RUN continues to monitor and analyze new CVEs to provide fast, actionable insights for defenders.
New YARA Rule Updates
We released 13 new and updated YARA rules to improve static detection and classification, covering both new malware strains and updates to existing detections.
TI Reports get you up to speed on the latest cyber threats targeting businesses
In April, we added two new reports to our Threat Intelligence library, focused on advanced persistent threats (APTs) and coordinated cybercriminal activity. These reports provide fresh insights into recent campaigns, along with actionable tools to support threat hunting, attribution, and detection.
This report analyzes campaigns linked to APT37, EncryptHub, and STORM-1865, combining info from public research and ANY.RUN’s own findings. It includes:
IOC lists and observed TTPs
Related malware samples
TI Lookup queries and YARA rules
Guidance for detecting similar threats in your environment
This overview shows how threat actor activity is identified, analyzed, and traced using ANY.RUN’s tools.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
Threat Actors Activity Overview 02
This report focuses on recent campaigns associated with PATCHWORK and APT29. It provides:
YARA rules and TI Lookup queries to support detection
IOC collections and sample analysis
Adversary profiles and campaign behavior
Technical breakdowns of malicious files
The report is built to support threat hunters and analysts in tracking high-impact adversaries with greater precision.
About ANY.RUN
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.
From the near-demise of MITRE’s CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-30 07:06:412025-04-30 07:06:41This month in security with Tony Anscombe – April 2025 edition
Attackers are increasingly using the ClickFix technique to infect Windows computers to force users to run malicious scripts manually. The use of this tactic was first seen in the spring of 2024. Since then, attackers have come up with a number of scenarios for its use.
What is ClickFix?
The ClickFix technique is essentially an attempt to execute a malicious command on the victim’s computer relying solely on social engineering techniques. Under one pretext or another, attackers convince the user to copy a long command line (in the vast majority of cases — a PowerShell script), paste it into the system’s Run window, and press Enter, which should ultimately lead to compromising the system.
The attack normally begins with a pop-up window simulating a notification about a technical problem. To fix this problem, the user needs to perform a few simple steps, which boil down to copying some object and executing it through the Run application. However, in Windows 11, PowerShell can also be executed from the search bar for applications, settings, and documents, which opens when you click on the icon with the system’s logo, so sometimes the victim is asked to copy something there.
ClickFix attack – how to infect your own computer with malware in three easy steps. Source
This technique earned itself the name ClickFix because usually the notification contains a button, the name of which is somehow related to the verb “to fix” (Fix, How to fix, Fix it…), which the user needs to click to solve the alleged problem or see instructions for solving it. However, this isn’t a mandatory element — the need to launch some code can be justified by the requirement to check the computer’s security, or, for example, to confirm that the user is not a robot. In this case, the Fix button can be omitted.
An example of instructions for confirming that you’re not a robot. Source
The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:
click the button to copy the code that solves the problem;
press the key combination [Win] + [R];
press the combination [Ctrl] + [V];
press [Enter].
So what actually happens? The first action (clicking the button to copy the code that solves the problem) copies some script invisible to the user to the clipboard. The second (pressing the key combination [Win] + [R]) opens the Run window, which in Windows is designed to quickly launch programs, open files and folders, and enter commands. In the third (pressing the combination [Ctrl] + [V]), the PowerShell script is pasted into Run window from the clipboard. And finally, with the fourth action (pressing [Enter]), the code is launched with the current user privileges.
As a result of executing the script, malware is downloaded and installed onto the computer — with the specific malicious payload varying from campaign to campaign. Thus, what we get is the user running a malicious script on their own system thereby infecting his own computer.
Typical attacks using the ClickFix technique
Sometimes attackers create their own websites and lure users to them using various tricks. Or they hack existing websites and force them to display a pop-up window with instructions. In other cases similar instructions are delivered under various pretexts via email, social networks, or even through instant-messengers. Here are some typical scenarios of using this technique in attacks:
1. Unable to display the page, need to refresh the browser
A classic scenario in which the visitor doesn’t see the page they expected to and is told they need to install a browser update to display it.
2. Error loading a document on a website
Another standard tactic: the user isn’t allowed to view a certain document in Microsoft Word or PDF format. Instead, they’re shown a notification asking to install a plugin for viewing the PDF or “Word online”.
3. Error opening a document from email
In this case attackers substitute the file format. The victim sees a .pdf or .docx icon, but in reality clicks on the HTML file that opens in the browser. Then everything is similar to the previous case — what are needed are: a plugin, malicious instructions, and the familiar “How to fix” button.
4. Problems with the microphone and camera in Google Meet or Zoom
A more unusual variation of the ClickFix tactic is used on fake Google Meet or Zoom websites. The user receives a link for a video call, but “is not allowed to join” it, because there are problems with their microphone and camera. The message “explains” how to fix it.
5. Prove that you’re not a robot – fake CAPTCHA
Finally, the most curious version of the attack using ClickFix: the site visitor is asked to complete a fake CAPTCHA to prove they’re not a robot. But the required proof is, of course, is to follow the instructions written in the pop-up window.
Prove you’re not a robot – to do this, run a malicious script on your computer. Source
How to protect yourself from ClickFix attacks?
The simplest mechanism for protecting your company from attacks using the ClickFix technique involves blocking the [Win] + [R] key combination in the system — it’s hardly needed at all in the day-to-day work of the typical employee. However, this isn’t a panacea — as we already wrote above, in Windows 11 the script can be launched from the search bar, and some variations of this attack use more detailed instructions in which the user is told how to manually open the Run window.
Therefore, protective measures, of course, should be comprehensive and primarily aimed at training employees. It’s worth conveying to them that if someone seeks any manual manipulations with the system — it’s an extremely alarming sign.
Here are some tips on how to protect your organization’s employees from attacks using ClickFix tactics:
Raise employee awareness of cyberthreats, including new tactics, with specialized training. Organizing such training is easy – just use our automated educational Kaspersky Automated Security Awareness Platform .
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-29 22:06:422025-04-29 22:06:42What is ClickFix and how to protect your company | Kaspersky official blog
The current article provides technical analysis of an emerging malware named Pentagon Stealer. The research has been prepared by the analyst team at ANY.RUN.
Key Takeaways
Variants: Exists in Python (AES-encrypted, multi-stage) and Golang (unencrypted, part of attack chains) versions.
Data Theft: Steals browser credentials, cookies, crypto wallet data (Atomic/Exodus), Discord/Telegram tokens, and specific files.
Debug Mode Exploitation: Launches Chromium-based browsers in debug mode to extract unencrypted cookies, bypassing DPAPI encryption for easier data theft.
Crypto Wallet Injection: Replaces app.asar files in Atomic/Exodus wallets with patched versions to steal mnemonics/passwords, using a public proof-of-concept available on GitHub.
Evolution and Campaigns: Spread via typosquatting, later under the names 1312, Acab, Vilsa, and BLX stealer. BLX adds clipboard, screenshot, and Steam/Epic data theft.
C2 Communication: Uses HTTP requests with servers like pentagon[.]cy and stealer[.]cy; BLX uploads to gofile.io, sending links to C2.
Ongoing Threat: Simple but persistent, with new variants showing minor updates, continuing to pose risks.
How We Discovered Pentagon Stealer
In early March of this year, when browsing Public submissions, the ANY.RUN team came across an interesting malware sample written in Golang.
Image 3. Sandbox analyses with the Pentagon tag displayed in TI Lookup
Among the search results, we identified a sandbox analysis of a website hosted on the domain pentagon.cy that featured the admin panel of this malware. Thus, we named it Pentagon Stealer.
Image 4. The admin panel
Exploring the website further, we discovered that there was also a Python-based version of this malicious program, available at pentagon[.]cy/paste?userid=<n>. You can see the page in this sandbox session.
Image 5. The original page containing a dropper script for deploying the first stage of the malware
Considering the lack of public information on the malware and its potential to pose serious threat to our clients, we decided to analyze it and collect essential intel for effective detection of Pentagon Stealer.
Here’s what we’ve found.
Follow along the analysis with ANY.RUN’s Interactive Sandbox and launch your own malware investigations
Let’s start with the Python variant which still can be found on the attackers’ infrastructure to this day. Next, we’ll compare its functionality to that of the previous versions.
Initial Stage: Script Dropper
As seen in the sandbox analysis, the attack begins with a script dropper. Its purpose is to launch python_setup.py encrypted via Fernet using AES in CBC mode.
Image 6. Decrypted script in CyberChef
Use this decryption recipe in CyberChef for decrypting the initial and all the following stages, as the algorithm remains unchanged, only the key changes.
Main Stealer Module
Once we decrypt the payload, we can see the code of the stealer’s main module.
First, it checks whether the directory “%LOCALAPPDATA%/HD Realtek Audio Player” exists on the victim’s computer. If not, it creates it and continues execution. This is a technique used by the malware to check if the machine has already been infected.
The malware then begins to steal a variety of data, including:
Login credentials, cookies, and extension data from Chromium-based browsers and cookie data from Mozilla Firefox
Image 7. Code for stealing Firefox cookies
Data from apps for managing cryptocurrency wallets
Discord tokens and Telegram authorization data
Files with specific names and extensions from user directories
There are also two actions performed by the malware that stand out from the rest and are worth a more detailed analysis:
To steal cookies, Pentagon launches Chromium-based browsers in debug mode.
The malware also replaces app.asar files used by Exodus and Atomic wallets.
Let’s take a closer look at them.
Injection into Atomic and Exodus Crypto Wallets
The stealer can inject into two popular cryptocurrency wallet management applications: Atomic and Exodus. Both use Electron, which stores JavaScript code in app.asar files.
The injection performed by Pentagon involves replacing these files with attacker-patched versions.
The image above shows the stealer overwriting the app.asar content of both applications with data from its command server. Additionally, a loguuid is written to the LICENSE files in both cases, which allows the attackers to identify the victim.
Image 8. Code for injecting into Atomic and Exodus
But why did they overwrite app.asar and what specific changes were made?
Since .asar files are archives containing .js files, we can unpack them with 7-Zip with a special plugin to analyze the code. As expected, the goal here is to obtain the user’s mnemonic and password. The images below illustrate how this is done.
Image 9. Collection of the user data in Atomic Wallet
The images show how a packet, containing the user’s password, mnemonic, and wallet type, is formed. One of the headers includes the loguuid.
Image 10. Collection of the user data in Exodus Wallet
It’s worth noting that the attacker clearly used Inject_PoC in this part of the operation, as indicated by the code similarity.
For example, the Atomic Wallet section from the PoC repository looks like this:
Image 11. The attacker reused code for injecting into Atomic
The similarity is evident. The attacker just simplified the packet. In the case of Atomic, even the application version matches.
For Exodus, the code segment from the repository looks like this:
Image 12. Inject_PoC code for injecting into Exodus
Launching Browsers in Debug Mode
This is a common technique for obtaining cookies in unencrypted form.
In short, this method causes some Chromium-based browsers to provide cookies in plaintext. If the standard method of extracting cookies from files were used, they would need to be decrypted, which can be problematic.
These browsers use the DPAPI mechanism to protect sensitive data. If the malware is executed in the session of a user whose password was used in the encryption process, a call to the UnProtect() function may be enough to decrypt the data. Otherwise, decryption can be extremely difficult. In addition, the task may be complicated, for example, by the Application-Bound (App-Bound) Encryption method used in the latest versions of Chrome.
Here’s how debugging helps to get cookies in an easier way:
The browser is launched with a specified debugging port (default 9222).
A GET request is made to http://localhost:9222/json, which returns a JSON response containing webSocketDebuggerUrl.
Commands can be sent to this URL using the WebSocket protocol.
Using the Network.getAllCookies command, the desired cookies are obtained, already decrypted by the browser.
Image 13. Code for launching browsers in debug mode
This method explains the unusual behavior of relaunching browser, which piqued our interest when we first came across Pentagon’s sample.
Decryption and Transition to the Next Stage: runpython.py
The final part of the stealer module is the decryption and launch of the next stage, runpython.py.
Image 14. Code for initializing the next stage
Once we decrypt the payload, we can see the command used.
Image 15. Decrypted command for the next stage launch
Following the URL inside the command reveals the dropper script used for launching runpython.py.
Image 16. Runpython.py dropper script
Yet Another Stage: Functionality of runpython.py
Inside runpython.py, we can see the following bat-file:
Image 17. Bat-file loader of the next stage
It follows this algorithm:
Checks if it has access to system files, indicating admin rights.
If not, creates a temporary VBS script to relaunch the current BAT script with admin rights.
Creates the directory C:WindowsWinEmptyfold as an infection indicator.
Runs PowerShell to add a Windows Defender exclusion, preventing it from scanning the C:/ drive.
Downloads the next stage from a remote resource and executes it as RuntimeBroker.exe.
Deletes files and directories used by the stealer.
In all samples we have analyzed (example), Pentagon Stealer exclusively dropped Purecrypter which then deployed a miner. However, it is possible that there can be alternative payloads.
Attack Chain and Timeline of Python-based Pentagon Stealer
Pentagon Stealer’s chain of attack can be represented in the following way:
Let’s now take a look at Pentagon’s development timeline and see what methods the attackers used for delivering it to victims.
March 2024: Typosquatting Campaign
One of the earliest campaigns we came across in our research involved masking Pentagon as popular PyPI Python packages using a technique called “typosquatting”.
In this version, the malware couldn’t steal Web Data from Chromium browsers, unencrypted cookies via browser debugging, or Telegram data. Additionally, the protocol for interacting with the C2 server was more primitive: all information was written to files, which were then sent to funcaptcha[.]ru/delivery.
September 2024: 1312 Stealer
In another campaign, the stealer was available under the name 1312 Stealer. ANY.RUN’s Public submissions help us track changes in the admin panel.
1312’s new functionality included stealing Web Data from Chromium-based browsers and Telegram tdata. Communication with the C2 server changed: passwords were sent to 1312services[.]ru/pw, Web Data to 1312services[.]ru/webdata, and everything else to 1312services[.]ru/delivery.
Now, it’s time to dissect the latest version of the stealer, which is currently being actively distributed. It kept the functionality of the Python version, but with some improvements described below.
Image 21. Detect It Easy identified the sample as being written in Go
Unlike its Python counterpart, this variant does not download subsequent stages independently. Instead, it is used as one of the modules in the attack chain, as shown by sandbox analysis. Learn more about this in the ‘Infection Methods’ section.
Upon launch, the stealer hides its console window and checks for the directory %LOCALAPPDATA%Realtek HD Audio Service on the victim’s computer, indicating previous execution.
Learn to analyze cyber threats
Follow along a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
It then begins collecting information as described. The main improvement, unique to the Golang version, is the ability to steal data not only from Firefox but also from other Gecko-based browsers, including:
Zen
SeaMonkey
Waterfox
K-Meleon
Thunderbird
IceDragon
Cyberfox
BlackHaw
Pale Moon
Mercury
Librewolf
The malware now can steal passwords from these browsers, in addition to cookies. The rest of the functionality remains unchanged, though the programming language has been altered.
C2 Communication Protocol
Regarding interaction with the C2 server, recent malware versions use two domains: stealer[.]cy and pentagon[.]cy. The communication method is identical in both the latest Python and Golang versions.
Image 22. How Pentagon Stealer communicate with C2
The stealer and command server communicate via HTTP requests. Upon log creation (create_log()), the victim sends the number of collected passwords, cookies, Discord tokens, and names of all collected files. The server responds with either a rejection or a log_uuid, which is subsequently used as the victim’s identifier, replacing the previously hardcoded uuid.
Image 23. POST request to pentagon[.]cy/create_log shown in ANY.RUN
Image 24. C2 response
Infection Methods
Notably, the Golang version of the stealer lacks any encryption of its code and strings, which is unusual since each subsequent stage of its Python counterpart is encrypted using AES. This suggests the possible existence of a dropper or loader.
A search in TI Lookup involving the stealer yielded the following analysis.
Here is the sample’s execution chain:
Image 25. Attack chain involving the Golang version
The initial attack stage involved running an NSIS installer named BlumBot.exe. This installer executed a VBS script that displayed a familiar message, “vcruntime140.dll is missing from your computer”. It then proceeds to launch the next stage, Installer.exe.
Notably, reverse-engineering BlumBot.exe was not necessary to uncover this. A tool capable of unpacking NSIS installers and extracting the .nsi script was enough. In our investigation, we used NanaZip.
NSIS installer in NanaZip:
Image 26. NSIS installer in NanaZip
Fragment of the .nsi script:
Image 27. Piece of .nsi script
Installer.exe is a loader written in Golang. Its sole purpose is to download and execute two files, ByPass.exe and Main.exe, from biteblob[.]com, and then send a Telegram message confirming successful execution.
Following this, the stealer and a second module, which is actually a miner, are executed.
This is just one example of how Pentagon Stealer is used. In Public Submissions, you can frequently observe samples of various malware using this stealer as one stage in an attack chain.
Further Evolution of Pentagon Stealer
As mentioned, this malware has appeared under various names, although its core functionality remains unchanged, with only minor logical modifications. This trend continues today.
For instance, we recently discovered samples of a stealer with identical code but named BLX Stealer, as indicated by code strings and description in this article.
The attack consists of multiple stages, but we focus on the stealer itself.
This version is written in Python, like its predecessors, but is packaged into an executable using PyInstaller. With pyinstxtractor and pylingual.io, we successfully reconstructed the stealer’s source code for analysis.
Regarding functionality, this version did not branch out from the latest Pentagon Stealer, as it lacks crypto-wallet injection and data theft from Gecko-based browsers other than Mozilla Firefox.
Yet, it has unique features not previously observed:
Extracts clipboard content
Captures screenshots
Reads system information
Retrieves additional Discord user information, including two-factor authentication status, Nitro subscription type, and user badges
Steals Steam and Epic Games account data
The communication protocol with the C2 server is also noteworthy. The stealer does not send files directly; instead, it uploads them to gofile.io and then sends the access link to http[:]//<ip>/tgproxy/{USERID}/.
Image 28. Example of C2 communication
We also discovered a sample with the capability to steal NordVPN configuration files (user.config).
Conclusion
Pentagon Stealer cannot be considered malware capable of complex targeted attacks due to its simplicity. Its development history shows that authors often merely changed the domain, leaving the functionality intact. However, a year has passed since its first mention, and it has undergone modifications, with the most significant changes occurring this year. The story is far from over, as new, more complex versions continue to emerge, albeit from different authors.
IOCs and TTPs
MITRE ATT&CK
Tactics
Techniques
Description
TA0002: Execution
T1059.001: Command and Scripting Interpreter: PowerShell
Disables disk C: scanning using Microsoft Defender in the Python version
T1059.003: Command and Scripting Interpreter: Windows Command Shell
Executes a .bat file to download the next stage in the Python version
T1059.005: Command and Scripting Interpreter: Visual Basic
Launches a .vbs script to escalate privileges in the Python version
TA005: Defense Evasion
T1140: Deobfuscate/Decode Files or Information
Decrypts Python stages using Fernet
TA0006: Credential Access
T1555.003: Credentials from Web Browsers
Steals passwords from various browsers
T1539: Steal Web Session Cookie
Steals cookies from various browsers
TA0009: Collection
T1005: Data from Local System
Collects files with specific names and extensions from user directories
TA0011: Command and Control
T1071.001: Application Layer Protocol
Sends collected data to the command server
T1659: Content Injection
Injects custom JavaScript code into cryptocurrency management software
TA0040: Impact
T1657: Financial Theft
Steals credentials from cryptocurrency management software
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-29 12:06:562025-04-29 12:06:56Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities
2024 wasn’t the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. In Cisco Talos’ 2024 Year in Review, with the help of our friends at Robust Intelligence (now a Cisco company), we dissect how cybercriminals used generative AI to scale up social engineering, fine-tune phishing, and automate grunt work like OSINT gathering.
So while AI didn’t completely rock the threat landscape last year, the groundwork is being laid for 2025, where agentic AI and automated vulnerability hunting could cause some significant challenges for defenders. Our research showcases the top four areas of concern for the coming year.
Curious about how AI could impact your defenses — or your data — this year? Take a look at this summary of AI-based threats:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-29 10:07:042025-04-29 10:07:04Year in Review: AI based threats
“I’m giving away $125 000! Join the project via the link in my profile!” — suddenly, a popular Russian blogger launches a massive cash giveaway on Instagram. A familiar face, speaking in upbeat voice and confident tone, appears in Stories. It all looks too good to be true…
That’s because it is. There’s no real project. The blogger didn’t launch anything. Her account was simply hijacked. And the scammers went beyond the usual tricks: not only did they steal access and post a fake giveaway link, but they also stitched together a new video from old footage and dubbed it with a voice generated by neural networks. Read the whole story to learn how Instagram accounts are stolen by swapping SIM cards — and what you can do to protect yourself.
An almost flawless scam campaign
With the rise of AI tools, scammers have suddenly gotten “smarter”. Before, having hacked a blogger, they’d have just posted phishing links and hoped the audience would bite. Now they can run full-fledged PR campaigns from the stolen account. Here’s what the scammers did this time:
One short video. They wrote a script, voiced it with a deepfake of the blogger’s voice, and edited together visuals from her previously posted Reels.
A text post. They published a photo with a tear-jerking caption about how hard it was to launch the project, trying to mimic the blogger’s usual tone.
Four Stories. They reused old Stories where the blogger mentioned a real project, added a link to a phishing site, and reposted them.
All this lends the fake project an air of legitimacy — since bloggers often use content like this across different formats to promote real initiatives. The scammers spared no effort — even throwing in some testimonials from grateful fans; fake ones, of course.
Fake testimonials aimed at encouraging more fans to participate
Let’s take a closer look at the video. At first glance, it’s surprisingly high-quality. It follows all the blog’s rules: the blog’s topic (home renovation), voiceover narration, quick editing. But upon closer examination, the illusion is shattered. Check out the screenshot below: only one video has a watermark in the top-left corner — from the free version of the editing app CapCut. That’s the fake. The other videos don’t have this watermark — because the real blogger either uses the premium version or edits with another app.
The first video is the fake one created by the scammers
There’s another detail: the subtitles. In all her real videos, the blogger uses plain white text with no background. In the fake video, the text is white on a black background. Sure, bloggers sometimes change their style, but usually settings like font and color are saved in their editing software and stay consistent.
What happens if you click the link in the profile?
Here’s where it gets interesting. What kind of “project” exactly were the scammers promoting, and what happens if you click the link?
The bio looks suspicious
If you’re using a device without reliable protection (which would warn you if you try to visit a phishing site), you’ll land on a very basic page: a flashy image, some eye-catching text, and a Claim your prize button. Clicking such buttons typically leads to one of two outcomes: you’ll be asked to pay a commission, or prompted to enter your data — purportedly to receive your winnings. In any case, you’ll be asked to share your bank details. Of course, no prize is coming — it’s pure phishing.
A girl with dollars and a smartphone symbolizes the riches that await… the scammers after they steal your banking account
How did attackers hack the blogger’s Instagram account?
Important: there’s no official version of how the account was compromised yet. It’s a high-profile case, and the blogger has reported it to the police. She currently suspects she fell victim to a SIM-swap attack. In short, this means that the scammers convinced her mobile provider to transfer her phone number to a new SIM card. There are two main ways this can be done:
Old method. Scammers forge a power of attorney and physically visit the mobile provider’s office to request a SIM replacement.
New method. The criminals access the victim’s online account provided by the mobile carrier and remotely issue an eSIM.
SIM swapping allowed scammers to bypass two-factor authentication and convince Instagram support that they were the real account owners. Similar tricks can be used with any service that sends verification codes via text — including online banks.
As for the blogger’s original SIM card, it instantly turned into a useless piece of plastic: no internet, no calls, no texts.
How to protect your account from being hacked
Here are the basic rules to prevent most types of account hacks — whether on messaging apps, social networks, forums, or other sites:
Use advancedtwo-factor authentication with app-generated codes instead of texts (SMS). For Instagram, we recommend also adding a backup method: Settings and activity → Accounts Center → Password and security → Two-factor authentication → Add a backup method. Then, download a dedicated app to generate your login codes.
Follow the golden rule: each service has its own unique password. That way, hackers won’t get access to everything at once.
Ask your mobile operator if it’s possible to either completely prohibit servicing you remotely, or set up a special code you must state in every interaction — remote or in person. This can help protect you from SIM-swapping attacks.
More to read on protecting your accounts from hacking:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-28 12:06:372025-04-28 12:06:37How to protect your social media accounts from SIM swap attacks | Kaspersky official blog
Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominately used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks.
Ransomware and pre-ransomware incidents made up a slightly larger portion of threats observed this quarter, with most incidents falling into the latter category. Talos IR’s investigations into pre-ransomware events provided unique insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed, including early engagement with the incident response team and robust monitoring of certain threat actor tactics, techniques and procedures (TTPs).
Watch a discussion on the biggest trends on this latest report
Actors leverage access to valid accounts via phishing to establish persistence
Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks.
Adversaries predominately leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers. For example, in an observed vishing campaign — described in further detail in the ransomware section below — adversaries deceived users over the phone into establishing remote access sessions to the user’s workstation, then used this access to load tooling, establish persistence mechanisms and disable endpoint protections.
In some engagements, actors leveraged phishing attacks to steal users’ legitimate access tokens, enabling them to maintain persistent access to the targeted networks. In one engagement, adversaries deployed a phishing email with a malicious link to successfully steal a user’s multi-factor authentication (MFA) session token along with their credentials. From there, the actors gained unauthorized access to the target’s Microsoft Office 365 environment and deployed enterprise applications with the likely goal of gaining further access into additional accounts. In another phishing engagement, upon gaining access to a user’s valid account, the actors cloned their active access token and specified new credentials for outbound connections. They then sought to expand their access by running commands to gather system information and creating a scheduled task to execute a malicious JavaScript file upon user login.
Ransomware trends
Vishing campaign leveraging BlackBasta and Cactus TTPs hits manufacturing and construction organizations
Ransomware and pre-ransomware incidents made up over 50 percent of engagements this quarter, an increase from nearly 30 last quarter. A robust campaign leveraging BlackBasta and Cactus TTPs that targeted manufacturing and construction organizations accounted for over 60 percent of pre-ransomware and ransomware engagements and was consistent with public reporting on likely related incidents.
The attack chain we observed begins with the threat actors flooding users’ mailboxes at targeted organizations with a large volume of benign spam emails. After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with installation of the program if not already present on the user’s system. Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence. The actors create the TitanPlus registry key and embed IP addresses to enable command and control (C2) communication, using character substitution to obfuscate the infrastructure. After completing the TitanPlus registry key persistence process, the adversary then performs subsequent privilege escalation and lateral movement, seemingly with the ultimate goal of deploying ransomware. We initially observed the threat actors leveraging BlackBasta ransomware and pivoting to Cactus ransomware after public reporting on their use of the former was released. Our analysis of engagements involving Cactus led us to identify a previously undocumented variant of the ransomware, which builds upon previous functionality with new command-line arguments that provide the threat actors with greater control over the binary’s function, likely to prioritize efficiency and maximum impact.
Looking forward: The threat actors responsible for this campaign have proven to be agile, modifying their TTPs as more public reporting on this campaign emerges, which leads us to assess they will continue to adjust their TTPs and/or incorporate a different ransomware family or tooling into their attack chain moving forward to evade detection. We published our findings on this campaign in our Year in Review report in late March 2025 and will be tracking this activity to see if the threat actors modify their operations moving forward.
Early detection of pre-ransomware TTPs halts attacks before encryption
Out of all ransomware and pre-ransomware engagements this quarter, 75 percent of incidents fell into the latter category, providing insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed.
One tactic that proved effective was early engagement with the incident response team. For example, in one engagement, Talos IR was contacted directly after the organization’s users experienced a flood of spam email. Given this TTP was consistent with the vishing campaign we had already observed affecting other organizations, we were able to advise that this was very likely pre-ransomware activity and share actionable indicators of compromise (IOCs) and mitigation recommendations.
Another defensive measure that was effective in containing pre-ransomware activity was robust monitoring and endpoint detection and response (EDR) solutions, particularly those configured to alert on unauthorized remote access connections and suspicious file execution. In one engagement, Cisco XDR was configured to flag certain TTPs that the security team identified were consistent with pre-ransomware activity, and soon after the alerts were triggered, they moved quickly to focus on eradication of the threat. The TTPs included use of remote access tools, disabling of the volume shadow copy service (VSS), and use of a local account to deploy a vulnerable driver. In another engagement, the organization’s monitoring tools alerted them of unauthorized remote access and they acted swiftly to respond to the affected system, resulting in the threat actor only having access to the targeted system for three minutes. In a different incident, suspicious file execution was flagged, leading the customer to identify the threat and isolate the system within hours of initial access.
Crytox becomes latest ransomware group to leverage HRSword to disable EDR protections
Crytox appeared in a Talos IR engagement for the first time this quarter, with affiliates leveraging HRSword as part of their attack chain — a tool that has not previously been publicly associated with the ransomware group. According to public reporting, Crytox is a ransomware family first seen in 2020 that typically encrypts local disks and network drives and drops a ransom note with a five-day ultimatum. Affiliates are known to leverage the uTox messenger application so victims can communicate with the threat actors.
Talos IR responded to an engagement in which adversaries exploited a public-facing application that was not protected by MFA to gain initial access, then launched a ransomware attack that encrypted two hypervisors hosting numerous VM servers. The actors used TTPs that aligned with known Crytox TTPs, including using uTox for communication and dropping a ransomware note that matches publicly shared Crytox ransom notes. Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution. We first reported on ransomware actors’ use of HRSword in FY24 Q1, specifically highlighting a Phobos incident, and observed additional threat groups leverage the tool throughout the remainder of the year.
Targeting
The manufacturing industry vertical was the most affected this quarter, accounting for 25 percent of engagements. Notably, though education was the most targeted vertical for the second half of 2024, we did not respond to any incidents targeting education entities this quarter.
Initial access
As mentioned, the most observed means of gaining initial access this quarter was phishing, followed by use of valid accounts and exploitation of public facing applications. The increase in phishing attacks this quarter is likely due in part to the robust vishing campaign we observed that accounted for over 60 percent of all phishing engagements.
Recommendations for addressing top security weaknesses
Implement properly configured MFA and other access control solutions
Half of the engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA and MFA bypass. As mentioned in the above ransomware section, token theft played a role in several incidents this quarter, enabling threat actors to bypass authentication controls and establish trusted connections. We also observed threat actors adding malicious secondary MFA devices to compromised accounts as well as taking advantage of a lack of MFA on remote access services, the latter of which is a tactic we have consistently observed in previous quarters. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, creation of accounts designed to bypass or be exempt from MFA and removal of accounts from MFA.
Enforce user education on phishing and social engineering attacks
Half of the engagements this quarter involved social engineering, potentially highlighting insufficient user education. This security weakness corresponds with the surge in phishing attacks, as users were manipulated to grant attackers access to their environments, with vishing proving to be particularly effective. Talos IR recommends raising awareness of phishing and social engineering techniques, as user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report suspicious activity.
Protect endpoint security solutions
Almost 20 percent of incidents involved organizations that did not have protections in place to prevent uninstallation of EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.
Top-observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
This was the first quarter since January to March of 2024 (Q1 FY24) in which phishing was the top initial access technique, with actors leveraging vishing, malicious links, malicious attachments and BEC attacks.
We observed actors leveraging a wider variety of commercial and open-source remote access tools this quarter, including SplashTop, Atera, TeamViewer, AnyDesk, LogMeIn, ScreenConnect, QuickAssist, TightVNC and Level’s RMM platform. These tools appeared in 50 percent of engagements, a slight increase from almost 40 percent last quarter.
Tactic
Technique
Example
Reconnaissance (TA0043)
T1590 Gather Victim Network Information
Adversaries may gather information about the victim’s networks that can be used during targeting. Information may include a variety of details, including administrative data as well as specifics regarding its topology and operations.
T1595.002 Active Scanning: Vulnerability Scanning
Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.
Initial Access (TA0001)
T1598.004 Phishing for Information: Spearphishing Voice
In an observed campaign, users received calls from the adversary posing as IT support and were prompted to initiate a QuickAssist session.
T1598.003 Phishing for Information: Spearphishing Link
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting.
T1598 Phishing for Information: Spearphishing Attachment
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting.
T1190 Exploit in Public-Facing Application
Adversaries may exploit a vulnerability to gain access to a target system.
T1078 Valid Accounts
Adversaries may use compromised credentials to access valid accounts during their attack.
Execution (TA0002)
T1059.001 Command and Scripting Interpreter: PowerShell
Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.
T1047 Windows Management Instrumentation
Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack.
T1053 Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Persistence (TA0003)
T1098 Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1136.001 Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems.
T1547.001 Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Adversaries established persistence by embedding IP addresses in the TitanPlus registry key.
T1133 External Remote Services
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1546.008 Event Triggered Execution: Accessibility Features
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.
Privilege Escalation (TA0004)
T1134 Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Defense Evasion (TA0005)
T1562.001 Impair Defenses: Disable or Modify Tools
Adversaries may disable or uninstall security tools to evade detection.
T1562.004 Impair Defenses: Disable or Modify System Firewall
Adversaries may disable or modify system firewalls to bypass controls limiting network usage.
T1564.008 Hide Artifacts: Email Hiding Rules
Adversaries may use email rules to hide inbound or outbound emails in a compromised user’s mailbox.
T1070.001 Indicator Removal: Clear Windows Event Logs
Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis.
T1112 Modify Registry
Adversary used some registry modifications to get privilege escalation.
Credential Access (TA0006)
T1003 OS Credential Dumping
Adversaries may dump credentials from various sources to enable lateral movement.
T1528 Steal Application Access Token
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Discovery (TA0007)
T1046 Network Service Discovery
Adversaries may use tools like Advanced Port Scanner for network scanning.
T1057 Process Discovery
Adversaries may attempt to get information about running processes on a system.
T1018 Remote System Discovery
Adversaries may attempt to discover information about remote systems with commands, such as “net view”.
T1082 System Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware.
T1016 System Network Configuration Discovery
Adversaries may use commands, such as ifconfig and net use, to identify network connections.
Adversaries may abuse valid accounts using RDP to move laterally in a target environment.
T1021.006 Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).
Command and Control (TA0011)
T1219 Remote Access Software
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
T1105 Ingress Tool Transfer
Adversaries may transfer tools from an external system to a compromised system.
T1572 Protocol Tunneling
Adversaries may tunnel network communications to and from a victim system within a separate protocol, such as SMB, to avoid detection and/or enable access.
Exfiltration (TA0010)
T1048 Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel, such as WinSCP.
Impact (TA0040)
T1486 Data Encrypted for Impact
Adversaries may use ransomware to encrypt data on a target system.
T1490 Inhibit System Recovery
Adversaries may disable system recovery features, such as volume shadow copies.
T1489 Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Software/Tool
S0029 PsExec
Free Microsoft tool that can remotely execute programs on a target system.
S0349 LaZagne
A post-exploitation, open-source tool used to recover stored passwords on a system.
S0357 Impacket
An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.
S0002 Mimikatz
Credential dumper that can obtain plaintext Windows logins and passwords.
S0097 Ping
An operating system utility commonly used to troubleshoot and verify network connections.
S0552 AdFind
Freely available command-line query tool used for gathering information from Active Directory.
S1071 Rubeus
A C# toolset designed for raw Kerberos interaction.
S0057 Tasklist
A utility that displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-26 17:06:412025-04-26 17:06:41Deepfake ‘doctors’ take to TikTok to peddle bogus cures
The familiar checkout ritual at the supermarket: once everything’s been scanned — the offer, delivered with a hopeful smile: “Chocolate bar for the road? It’s a good one, and the discount is almost criminal”. If you’re lucky, you get a delicious bonus at a great price. But more often than not they’re trying to sell you something that’s not selling well: either it’s about to expire or it has some other hidden flaw.
Now, imagine you declined that chocolate bar, but it was secretly slipped into your bag anyway, or even worse, into your pocket, where it melted and ruined your clothes, spoiling your day. Well, something similar happened to those who bought knock-offs of popular smartphone brands from online marketplaces. No, they didn’t get a chocolate bar. They walked away with a brand-new smartphone that had the Triada Trojan embedded in its firmware. This is much worse than melted chocolate. Their crypto balances, along with their Telegram, WhatsApp, and social media accounts, could be gone before they could utter “bargain!”. Someone could steal their text messages and a lot more.
Triada? What Triada?
That’s the name we at Kaspersky gave to the Trojan we first discovered and described in detail in 2016. This mobile malware would infiltrate almost every process running on a device, while residing only in the RAM.
The emergence of Triada spelled a new era in the evolution of mobile threats targeting Android. Before Triada, Trojans were relatively harmless — mainly displaying ads and downloading other Trojans. This new threat showed that things would never be the same again.
With time, Android developers fixed the vulnerabilities that early versions of Triada exploited. Recent Android versions restricted even users with root privileges from editing system partitions. Did this stop the cybercriminals? What do you think?!..
Fast-forward to March 2025, and we discovered an adapted version of Triada that takes advantage of the new restrictions. The threat actor infects the firmware even before the smartphones are sold. Pre-installed in system partitions, the malware proves nearly impossible to remove.
What is this new version capable of?
Our Android security solution detects the new version of Triada as Backdoor.AndroidOS.Triada.z. This new version is what’s embedded in the firmware of fake Android smartphones available from online marketplaces. It can attack any application running on the device. This gives the Trojan virtually unlimited capabilities. It can control text messages and calls, steal crypto, download and run other applications, replace links in browsers, surreptitiously send messages in chat apps on your behalf, and hijack social media accounts.
A copy of Triada infiltrates every app launched on an infected device. Besides that, the Trojan includes specialized modules that target popular apps. As soon as the user downloads a legitimate app like Telegram or TikTok, the Trojan embeds itself in it and starts causing harm.
Telegram. Triada downloads two modules to compromise Telegram. The first one initiates malicious activity once a day, connecting to a command-and-control (C2) server. It sends the victim’s phone number to the criminals, along with complete authentication data — including the access token. The second module filters all messages, interacting with a bot (which didn’t exist at the time of our research), and deleting notifications about new Telegram logins.
Instagram. Once a day, the Trojan runs a malicious task to search for active session cookies and forward the data to the attackers. These files help the criminals assume full control over the account.
Browsers. Triada threatens a number of browsers: Chrome, Opera, Mozilla, and some others. The full list is available in the Securelist article. The module connects to the C2 server over TCP and randomly redirects legitimate links in the browsers to advertising sites for now. However, because the Trojan downloads redirect links from its C2 server, attackers can direct users to phishing sites at any time.
WhatsApp. Again, there are two modules. The first one collects and sends data about the active session to the C2 server every five minutes — giving the attackers full access to the victim’s account. The second one intercepts the client functions for sending and receiving messages, which allows the malware to send and then delete arbitrary instant messages to cover its tracks.
LINE. The dedicated Triada module collects internal app data, including authentication data (access token), every 30 seconds, and forwards it the C2 server. In this case, too, someone else assumes full control of the user’s account.
Skype. Although Skype is about to be retired, Triada still has a module for infecting it. Triada uses several methods to obtain the authentication token and then sends it to the C2 server.
TikTok. This module can collect a lot of data about the victim’s account from cookie files in the internal directory, and also extract data required for communicating with the TikTok API.
Facebook. Triada is armed with two modules for this app. One of them steals authentication cookies, and the other sends information about the infected device to the C2 server.
Of course, there are also modules for SMS and calls. The first SMS module allows the malware to filter all incoming messages and extract codes from them, respond to some messages (likely to subscribe victims to paid services) and send arbitrary SMS messages when instructed by the C2 server. The second, auxiliary module disables the built-in Android protection against SMS Trojans that requests user permission before sending messages to short codes (Premium SMS), which could be used to confirm paid subscriptions.
The call module embeds itself in the phone app, but it’s most likely still under development. We discovered that it partially implements phone number spoofing — something we expect to be completed soon.
Another module, a reverse proxy, turns the victim’s smartphone into a reverse proxy server, giving attackers access to arbitrary IP addresses on behalf of the victim.
Not unexpectedly, Triada also targets crypto owners, with a special surprise awaiting them: a clipper. The Trojan watches the clipboard for crypto wallet addresses, substituting one of the attackers’ own. A crypto stealer analyzes the victim’s activity, replacing crypto wallet addresses with a fraudulent addresses anywhere it can, whenever an attempt is made to withdraw cryptocurrency. It even interferes with button tap handlers inside apps and replaces images with generated QR codes that link to the attackers’ wallet addresses. The criminals have managed to steal more than US$264 000 in various cryptocurrencies since June 13, 2024 with the help of these tools.
See our Securelist report for a full list of Triada features and a detailed technical analysis.
How the malware infiltrates smartphones.
In every infection case that we are aware of, the firmware name on the device differed from the official one by a single letter. For example, the official firmware was TGPMIXM, while the infected phones had TGPMIXN. We found posts on relevant discussion boards where users complained about counterfeit devices purchased from online stores.
It’s likely that a stage in the supply chain was compromised, while the stores had no idea they were distributing devices infected with Triada. Meanwhile, it’s practically impossible to determine exactly when the malware was placed inside the smartphones.
How to protect yourself from Triada
The new version of the Trojan was found pre-installed on counterfeit devices. Therefore, the best way to avoid Triada infection is to buy smartphones from authorized dealers only. If you suspect that your phone may have been infected with Triada (or another Trojan), here are our recommendations.
Refrain from using any of the potentially compromised apps listed above or making any financial transactions — including cryptocurrency.
If Triada is found on the device, reflash the smartphone with the official firmware yourself, or contact the local service center. Expect sudden changes to your smartphone’s specs: besides the pre-installed Trojan, the fake firmware often overstated the RAM and storage.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-25 13:06:382025-04-25 13:06:38Triada: a Trojan pre-installed on Android smartphones out of the box | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
“Be curious, not judgmental,” Ted Lasso says, misattributing Walt Whitman. We forgive Ted because… well, he’s Ted Lasso.
If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I’m asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is “Be curious, not judgmental.”
I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That’s why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.
Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?
These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.
Beyond that, I always listen for my favorite answer: “I don’t know, but…” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn…”
Barbecue sauce.
The one big thing
Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
Why do I care?
A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus.
So now what?
Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.
Top security headlines of the week
Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS. Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)
Microsoft purges millions of cloud tenants in the wake of Storm-0558. In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading)
Researchers warn of critical flaw found in Erlang OTP SSH. The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive)
CISA flags actively exploited vulnerability in SonicWall SMA devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-24 18:06:392025-04-24 18:06:39Lessons from Ted Lasso for cybersecurity success
