Daily Brief


Total articles found: 11809

Checks for new stories every ~15 minutes

2025-07-08 19:42:30 bleepingcomputer MALWARE New TapTrap Technique Exposes Android Users to Hidden Risks
A novel tapjacking attack called TapTrap lets malicious apps deceive Android users through invisible UI manipulation, gaining unauthorized access to device permissions and data. Developed by researchers from TU Wien and the University of Bayreuth, TapTrap abuses Android's animation features to hide what the user is really interacting with, so the attack goes unnoticed. A zero-permission app launches a transparent activity over a legitimate one, so that taps on seemingly benign options actually land on permission prompts for malicious actions. Research shows that 76% of apps in the Google Play Store may be vulnerable because susceptible activity components are common. Android 16 remains affected; Google has confirmed that mitigations are planned, but they have not yet shipped in a system update. A video demonstration using a game app shows how TapTrap could trick a user into unknowingly granting camera access through a web browser. Google has acknowledged the problem and is working on fixes to strengthen protection against such tapjacking techniques, with updates expected in forthcoming Android versions.
2025-07-08 19:17:02 theregister MALWARE Over 2.3 Million Users Hit by Browser Extension Malware Campaign
A massive browser hijacking campaign has targeted users of Chrome and Edge through malicious extensions, affecting over 2.3 million users. Initially harmless, these browser extensions, including a popular color picker from Geco, were later updated with malware that enabled surveillance and data theft. These extensions, despite performing their stated functions such as color selection, covertly tracked user activity, captured URLs, and could redirect browsers to attacker-specified sites. Koi Security researchers discovered the campaign, dubbed RedDirection, which includes 18 different malicious extensions available in both the Chrome Web Store and Microsoft's Edge Add-ons. The malware functionality in these extensions was not present from the beginning; instead, it was inserted during subsequent updates, which were automatically installed without users' interaction. The affected extensions offer various utilities like emoji keyboards, weather forecasts, and VPN services but secretly perform background activities that compromise users’ privacy. Investigations into the incident are ongoing, and neither Google nor Microsoft has yet responded to inquiries regarding how these extensions passed their security checks.
2025-07-08 17:36:58 thehackernews MALWARE Popular Red Teaming Tool Exploited to Distribute Stealer Malware
Hackers have exploited the Shellter red teaming tool to spread Lumma Stealer and SectopRAT malware after a customer leaked a license. Shellter, designed to evade antivirus systems, was abused despite the stringent security measures and vetting processes in place since February 2023. Elastic Security Labs reported that, starting in late April 2025, the stolen copies of Shellter were used in several infostealer campaigns. Shellter version 11.0, released on April 16, 2025, was reportedly sold on a cybercrime forum and has since been used in cybercriminal operations. Distribution methods include embedding malicious payloads in legitimate programs using self-modifying shellcode. Attack vectors included sponsorship scams targeting content creators and fraudulent gaming modifications distributed via YouTube. The security industry faces growing challenges in mitigating threats from weaponized legitimate tools, as seen earlier with Cobalt Strike and Brute Ratel C4. The Shellter Project criticized Elastic's disclosure approach, highlighting a tension between public safety priorities and the handling of vulnerabilities.
2025-07-08 17:36:58 bleepingcomputer CYBERCRIME Microsoft's July 2025 Patch Resolves Zero-Day and 137 Other Flaws
Microsoft's July 2025 Patch Tuesday addressed 137 vulnerabilities, including a zero-day flaw in the Microsoft SQL Server. The zero-day vulnerability, identified as CVE-2025-49719, involved information disclosure through improper input validation and could be remotely exploited. Among the resolved issues are 14 Critical vulnerabilities, with 10 allowing remote code execution, one for information disclosure, and two related to AMD side channel attacks. The zero-day vulnerability was publicly disclosed before an official fix was available, highlighting ongoing security challenges. Several critical vulnerabilities in Microsoft Office and SharePoint were also patched, which could allow remote code execution from specially crafted documents or internet-based exploits. Aside from Microsoft, other vendors also issued updates and advisories addressing security concerns within their products in July 2025. Administrators are advised to update affected systems promptly to mitigate potential threats from these vulnerabilities.
2025-07-08 16:18:16 thehackernews MALWARE Android Banking Trojan Anatsa Targets 90,000 Users via Google Play
Cybersecurity experts uncovered a malware operation affecting 90,000 North American users, involving a trojan named Anatsa disguised as a "PDF Update" app on Google Play. The malicious app deployed fake overlay screens claiming banking services were down for maintenance to steal banking credentials. Anatsa, also known as TeaBot and Toddler, has been active since 2020 and utilizes dropper apps to deliver malware after initially appearing benign. The malware can execute credential theft, keylogging, and Device-Takeover Fraud (DTO) to perform unauthorized transactions directly from the victims' devices. The attack pattern includes creating legitimate-looking apps on Google Play, gaining user trust, and later embedding harmful updates. The malware receives updates on targeted financial institutions from an external server to adapt to different banks dynamically. Anatsa's operations are characterized by intermittent active and dormant periods, helping it evade detection and maintain effectiveness. Although the malicious app and its developer have been removed from Google Play, it reached significant download milestones before detection.
2025-07-08 15:04:23 theregister MISCELLANEOUS Embracing Cloud-Native Solutions for Advanced Cyber Resilience
The rapid evolution of cyber threats is outpacing the capabilities of traditional data protection tools, necessitating a shift to cloud-native cyber resilience strategies. Attackers are increasingly using sophisticated methods such as GenAI for malware creation and social engineering, targeting not just large enterprises but also smaller entities and cloud environments. Regulatory pressures are intensifying, with stringent global mandates on data privacy, sovereignty, and recovery, which many existing tools cannot meet without significant manual oversight. The costs associated with data sprawl across multi-cloud, SaaS, and edge environments are mounting, emphasizing the need for centralized, cost-effective data protection solutions. Cloud-native platforms for cyber resilience differ from traditional cloud-based backups by offering proactive threat hunting, AI-powered detection, and seamless integration with broader security infrastructures. Industry recognition, such as Druva’s leadership in Gartner's Magic Quadrant, highlights the growing importance and acceptance of cloud-native solutions in enterprise data security. To effectively counter modern cyber risks, organizations must adopt intelligent, fully managed cloud-native solutions that not only back up data but also enhance overall cyber resilience.
2025-07-08 15:04:22 bleepingcomputer MALWARE Anatsa Malware Targets US Banks via Google Play Apps
Anatsa, a banking trojan, was again found disguised as a legitimate app on Google Play, this time mimicking a PDF viewer with over 50,000 downloads. The malware activates after the app is installed, targeting users of North American banking apps by overlaying fake notifications about banking maintenance to conceal its activities. ThreatFabric researchers have monitored Anatsa's presence on Google Play for years, noting repeated incidents in which the trojan reached significant download milestones through trojanized utility and productivity apps. In the current modus operandi, the operators keep the initial versions of these apps clean and later push an update that introduces malicious code to download and install the Anatsa payload. Once installed, Anatsa connects to its command-and-control server to receive instructions and a list of apps to monitor, enabling unauthorized access and fraudulent transactions. The most recent affected app, 'Document Viewer – File Reader' by 'Hybrid Cars Simulator, Drift & Racing,' delivered its trojan payload between June 24 and 30, following an update six weeks after release. Google has since removed the malicious app, and affected users are advised to uninstall it, run a full system scan, and reset their banking credentials. Users are also advised to download apps only from trusted publishers, scrutinize user reviews, check app permissions, and limit the number of installed apps.
2025-07-08 14:10:01 bleepingcomputer MALWARE Malicious Chrome Extensions Affect 1.7 Million Downloads
Nearly a dozen Chrome extensions with 1.7 million installs were discovered to have malicious capabilities, allowing user tracking and redirection of traffic. The extensions masquerade as useful tools (e.g., VPNs, volume boosters) but perform harmful activities in the background via the Chrome Extensions API. Koi Security identified the harmful extensions, noting that some still persist in the Chrome Web Store despite previous alerts. These extensions capture and transmit user data to remote servers, which can also redirect users to potentially harmful websites. Google's auto-update feature unintentionally propagates these malicious updates to users without explicit consent or notification. The malicious code was added in updates after initial installation, suggesting that previously safe extensions were compromised by an external party. Additional malicious extensions were found in Microsoft Edge's official store, with the total user impact across both stores estimated at over 2.3 million. Researchers recommend immediate removal of the affected extensions, clearing browser data, running malware checks, and monitoring for irregular account activity.
2025-07-08 14:10:01 bleepingcomputer CYBERCRIME Enhancing Security in Virtual Desktop and Application Environments
Virtual desktop and application virtualization are critical for remote and hybrid work setups, prioritizing flexibility, scalability, and security. Virtual environments face cyber threats due to centralized structures and vulnerabilities in remote access protocols. Implementing Zero Trust architecture and Multi-Factor Authentication (MFA) ensures that only authenticated users and trusted devices access the virtual settings. TruGrid SecureRDP enhances security by preventing exposure of firewall ports and implementing MFA to protect against credential-based threats. The product leverages global fiber optics to optimize network performance, reducing latency and packet loss, crucial for maintaining efficient virtual desktop operations. TruGrid SecureRDP simplifies regulatory compliance and licensing management while providing tools to scale virtual desktop infrastructure effectively as organizations grow. Enhanced user experience is achieved through smoother remote desktop performance, addressing common user frustrations and supporting broader adoption. Future enhancements in virtual desktop technologies will continue to address performance and security, aiming to support the growing trend of remote workforces.
2025-07-08 14:00:06 bleepingcomputer MALWARE Malicious Chrome Extensions Impact Over 1.7 Million Users
Researchers found nearly a dozen malicious extensions in Google's Chrome Web Store, downloaded a combined 1.7 million times. These extensions, disguised as legitimate tools like VPNs and emoji keyboards, could track users, steal browser activity, and redirect them to potentially harmful URLs. Some of the problematic extensions, such as ‘Volume Max — Ultimate Sound Booster,’ had previously been flagged for suspicious activity but were not confirmed as malicious until now. The harmful functionality, hidden in background service workers using the Chrome Extensions API, captures and exfiltrates user data to remote servers. Google's auto-update feature deployed the malicious versions without user interaction, raising concerns about silent update practices. Extensions that were safe at launch may have been compromised over time, with malware introduced through updates by potentially external actors. Koi Security also discovered similar malicious extensions in the Microsoft Edge store, accounting for an additional 600,000 downloads. Recommendations include immediate removal of the identified extensions, clearing browser data, running malware checks, and monitoring for account irregularities.
2025-07-08 13:33:13 theregister MISCELLANEOUS SUSE Introduces Sovereign Premium Support for Data Sovereignty
SUSE has launched "SUSE Sovereign Premium Support," targeting European organizations concerned about data sovereignty. This service ensures that support is strictly provided within a specific region, complying with local data sovereignty laws and reducing dependence on non-European entities. The traditional follow-the-sun support model is avoided to prevent data transfers that could violate regional data sovereignty regulations. SUSE's initiative reflects a broader trend where companies, including tech giants like AWS and Microsoft, are actively addressing European data sovereignty concerns through local solutions. CEO Dirk-Peter van Leeuwen highlighted a significant interest in developing technology that can be built and supported within Europe, though he noted minimal migration away from major hyperscalers. The move by SUSE is seen as a response to the increasing demand for digital autonomy in Europe, especially in light of evolving geopolitical climates and local regulatory demands. The additional cost for the sovereign support service is around 15%, which some customers are willing to pay to ensure compliance and maintain data within controlled regions.
2025-07-08 13:07:30 thehackernews CYBERCRIME Supply Chain Attack Targets Ethcode Extension, Infects Developers
Cybersecurity firm ReversingLabs uncovered a supply chain attack affecting the Ethcode Visual Studio Code extension, used by over 6,000 developers for Ethereum blockchain development. The attack was initiated through a pull request by a newly created GitHub user, Airez299, which included malicious code hidden among extensive legitimate updates. The malicious code introduced a dependency on a compromised npm package, "keythereum-utils," which was found to be obfuscated and designed to download a second-stage payload. The exact nature of the downloaded malware is unknown but suspected to be involved in cryptocurrency theft or contract poisoning. After detection, the malicious code and dependency were removed, and the Ethcode extension was reinstated in the VS Code Extensions Marketplace. This incident is part of a larger trend of software supply chain attacks, leveraging public repositories to infiltrate development environments with malware. ReversingLabs emphasized the increasing use of such tactics, noting an alarming rise in open-source malware discovered in recent quarters.
2025-07-08 11:54:56 theregister NATION STATE ACTIVITY Arrest of Alleged Chinese Cyberespionage Agent in Italy after US Tipoff
Zewei Xu, a suspected Chinese cyberespionage agent, was arrested in Milan following intelligence from the US. US authorities link Xu to the Chinese state-sponsored group Silk Typhoon, which is accused of spying on vaccine development during COVID-19 and of carrying out the Microsoft Exchange hack. The US has filed an extradition request, and a hearing at Milan's Court of Appeals will decide on it. Xu's family says it is baffled by his arrest, asserting that he is an employee of a semiconductor firm and not involved in Chinese espionage. Silk Typhoon was previously implicated in significant breaches at the US Treasury and of other US networks. Italian-US diplomatic relations face strain, highlighted by recent contentious extradition cases and Italy's nuanced stance towards China. The upcoming court decision on Xu's extradition could further affect international relations and cybersecurity policy.
2025-07-08 11:31:15 thehackernews DATA BREACH Recent Identity Attacks Expose Major Retailers' Vulnerabilities
Recent incidents highlight how identity-driven attacks are successfully targeting major retailers like Adidas, The North Face, and Victoria's Secret. Attackers leverage overprivileged access and unmonitored service accounts, bypassing the need for malware or direct system breaches. Tactics such as credential stuffing, third-party breaches, and social engineering are being employed to access sensitive customer data. These security incidents primarily exploit poor identity management and lax MFA (Multi-Factor Authentication) implementations on SaaS platforms. Retailers' experiences underscore the importance of securing not just direct user access but also the extended access provided to vendors. The breaches reveal critical gaps in identity controls, overprivileged roles, and the need for robust monitoring of SaaS identities to prevent similar attacks. Security experts recommend stringent access controls, continuous monitoring of high-impact identities, and targeted training to mitigate risks from such identity-first attacks.
2025-07-08 11:09:59 thehackernews DDOS RondoDox Botnet Launches DDoS Using Compromised DVRs and Routers
Cybersecurity experts have identified a new botnet, RondoDox, that exploits vulnerabilities in TBK DVRs and Four-Faith routers to conduct DDoS attacks. The botnet targets the flaws tracked as CVE-2024-3721 in TBK DVRs and CVE-2024-12856 in Four-Faith routers, devices often found in unmonitored environments such as retail or office settings. RondoDox uses compromised devices to disguise command-and-control traffic, enabling multifaceted attacks including financial scams. The malware relies on a complex shell script to provide multi-architecture support, ensuring broad compatibility across devices. RondoDox implements advanced evasion techniques, such as DoH-based C2 resolution and XOR encryption, to avoid detection by traditional IDS systems. The botnet actively terminates running processes that could interfere with its operations or aid detection, such as network utilities or other malware. The malware contacts external servers to receive commands for launching targeted DDoS attacks, mimicking traffic from various popular platforms to remain undetected. Researchers emphasize the sophistication and adaptability of RondoDox, highlighting its potential to remain operational and undetected for prolonged periods.