Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-30 14:23:28 | bleepingcomputer | MALWARE | Crocodilus Malware Targets Android Crypto Wallets and Banks | Crocodilus is a newly identified Android malware that steals cryptocurrency wallet keys (seed phrases) through social engineering.
It abuses Android's Accessibility Service to capture on-screen data and control infected devices, and it gets past the restricted-settings protections introduced in Android 13.
A proprietary dropper installs it quietly, evading Google Play Protect and the Accessibility Service restrictions.
Its defining trick is a screen overlay warning that wallet access will be lost unless the key is backed up; when the victim opens the seed phrase to do so, the malware captures it through the Accessibility Service.
So far Crocodilus has been observed targeting users in Turkey and Spain, stealing banking credentials as well as crypto-wallet access.
Debug messages in the code suggest a Turkish-speaking author.
ThreatFabric highlights the malware's broad command set, including RAT operations that let remote operators perform screen taps and swipes.
Recommendations for Android users include avoiding downloads from unofficial sources and keeping Play Protect enabled. | Details |
| 2025-03-30 05:13:19 | thehackernews | MALWARE | RESURGE Malware Targets Ivanti Appliances with Advanced Features | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware, named RESURGE, targeting Ivanti Connect Secure (ICS) appliances.
RESURGE has evolved from the SPAWNCHIMERA variant and incorporates rootkit, dropper, backdoor, bootkit, proxy, and tunneler capabilities.
It specifically exploits a stack-based buffer overflow vulnerability identified as CVE-2025-0282, which affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways.
The bug allows unauthenticated remote code execution and has been actively exploited by a China-nexus espionage group tracked as UNC5337.
RESURGE survives reboots and adds commands that alter its behavior beyond what SPAWNCHIMERA offered.
It also patches CVE-2025-0282 on the compromised appliance so that other actors cannot exploit the same flaw.
The enhanced tradecraft indicates active development aimed at escaping detection and maximizing impact.
CISA's findings emphasize the necessity for organizations to update their Ivanti appliances, reset account credentials, and closely monitor network activity for signs of compromise. | Details |
| 2025-03-29 10:54:49 | theregister | MALWARE | Malware Developers Shift to Obscure Languages to Avoid Detection | Researchers at the University of Piraeus and others have identified a trend where malware authors use less common programming languages like Delphi and Haskell to evade detection.
Malware volumes keep rising, with 26 million new samples projected for 2025, straining static analysis tooling built around the output of common compilers for C and C++.
Less popular languages and their differing execution models complicate detection and automated analysis, a form of security through obscurity.
Analysis of 400,000 Windows executables showed that the programming language and the compiler used significantly affect malware detection rates.
Advanced Persistent Threat groups like APT29 are diversifying their programming languages and compilers to decrease detectability and increase difficulties in reverse engineering.
Compilers for unconventional languages lay out code differently, so the byte patterns that signatures written for C/C++-compiled malware look for are dispersed or absent.
Examples cited include changes in ransomware programs such as Akira shifting from C++ to Rust, and the blending of multiple languages in other malware variants.
The study underscores the need for security researchers to adapt and develop new detection strategies for malware coded in less common languages. | Details |
| 2025-03-29 07:32:56 | thehackernews | MALWARE | New Crocodilus Trojan Targets Spanish, Turkish Banking Users | New malware, named Crocodilus, primarily targets Android users in Spain and Turkey with sophisticated theft capabilities.
Crocodilus abuses Android accessibility services to hijack devices and steal banking and cryptocurrency credentials.
Its dropper poses as a legitimate Google Chrome app to get past the protections added in Android 13 and later.
Features include remote control, black screen overlays for concealment, and social engineering to extract crypto wallet seed phrases.
The trojan continuously monitors device activity and captures screen content, including Google Authenticator codes, to facilitate fraud.
Origin of the malware traced to a Turkish-speaking developer based on source code and debug messages analysis.
Noteworthy is the malware’s technique of displaying fake alerts in crypto wallets, deceiving users to reveal their seed phrases.
ThreatFabric notes that Crocodilus arrives with a more mature feature set than is typical of newly discovered malware. | Details |
| 2025-03-29 03:56:41 | thehackernews | CYBERCRIME | Ransomware Group BlackLock Compromised by Security Flaw | Researchers at Resecurity exploited a vulnerability in BlackLock ransomware's data leak site (DLS) and gained access to its back end.
The breach exposed configuration files, credentials, and a history of server commands, revealing significant operational security failures.
BlackLock, previously known as Eldorado, is an active extortion group targeting multiple sectors globally, including technology and finance.
The ransomware group listed 46 victim organizations across multiple countries on its leak site last month.
The flaw was a local file inclusion (LFI) bug: a path traversal weakness that let the researchers read arbitrary files from the server.
Recent events saw the defacement of BlackLock’s DLS by DragonForce, indicating potential unannounced changes in ownership or cooperation between ransomware groups.
Resecurity noted the possibility of a ransomware market consolidation influencing the operation and strategy shifts in BlackLock's activities.
The exposure shows that even active ransomware operations make basic operational security mistakes that researchers can turn against them. | Details |
| 2025-03-28 19:30:39 | bleepingcomputer | RANSOMWARE | Sam's Club Investigates Possible Clop Ransomware Data Breach | Sam's Club, part of the Walmart empire, is currently investigating reports of a potential security incident involving Clop ransomware.
The company has neither confirmed nor disclosed specifics of the alleged breach but commits to prioritizing the protection of member information.
The Clop ransomware gang has listed Sam's Club on its dark web leak site, accusing the retailer of neglecting customer security.
This potential breach might be connected to recent global attacks by Clop, exploiting a zero-day vulnerability in Cleo's secure file transfer software.
Sam's Club's history includes a 2020 incident where customer accounts were compromised through credential stuffing attacks, not a system breach.
While Sam's Club evaluates the situation, the Clop gang has not yet released evidence supporting its claim of a breach. | Details |
| 2025-03-28 17:58:50 | bleepingcomputer | MISCELLANEOUS | OpenAI Increases Bug Bounty Rewards to $100,000 | OpenAI has significantly raised its bug bounty payouts, offering up to $100,000 for critical security vulnerabilities.
The increased reward is part of an effort to enhance the protection of its platforms, which serve 400 million users weekly.
The new cap is a fivefold increase over the previous maximum payout of $20,000.
This adjustment aims to incentivize the discovery and reporting of high-impact security issues that could affect user trust and safety.
Time-limited promotions add bonuses for reports in specific vulnerability categories; until April 30, for example, reports of Insecure Direct Object Reference (IDOR) flaws earn double payouts.
OpenAI initiated its bug bounty program in April 2023, starting with a reward cap of $20,000 through the Bugcrowd platform.
The program was launched shortly after addressing a significant data leak incident involving ChatGPT subscriber information. | Details |
| 2025-03-28 16:38:21 | bleepingcomputer | CYBERCRIME | Phishing-as-a-Service Exploits DNS-over-HTTPS to Bypass Detection | A new phishing-as-a-service operation named Morphing Meerkat uses DNS-over-HTTPS (DoH) to evade traditional cybersecurity defenses.
Morphing Meerkat impersonates more than 114 brands, including email providers such as Gmail and Outlook and services such as DHL and RakBank.
Active since at least 2020, the operation queries the MX (mail exchange) records of the victim's email domain over DoH to identify the email provider, then serves a matching spoofed login page.
Infoblox traced about half of the campaign's spam to infrastructure hosted by iomart in the UK and HostPapa in the US.
Phishing emails are delivered in multiple languages and are designed to trigger urgent user responses to steal sensitive information.
Victims clicking on malicious links are directed through a series of redirects, ending up on fake login pages where their credentials are captured and exfiltrated.
Stolen credentials are forwarded in real time through Telegram bot webhooks.
Infoblox recommends tightening DNS controls, including blocking DoH resolvers, and restricting access to the online platforms the kit relies on as defenses against these phishing attempts. | Details |
| 2025-03-28 15:16:02 | bleepingcomputer | MISCELLANEOUS | Ubuntu Linux Security Limits Bypassed, Manual Mitigation Needed | Three new security bypasses affect Ubuntu Linux versions 23.10 and 24.04, impacting their unprivileged user namespace restrictions.
Local attackers can use these bypasses to obtain full administrative capabilities inside a user namespace, which widens the attack surface for kernel vulnerabilities that the namespace restrictions were meant to keep out of reach.
Qualys, a cloud security and compliance company, found the bypasses, which undermine AppArmor-based restrictions introduced to limit namespace misuse.
The bypasses are serious but do not by themselves give complete control of the system; an additional kernel vulnerability is still needed.
Canonical has acknowledged the findings and is working on stronger AppArmor protections, treating the issues as limitations of a defense-in-depth mechanism rather than as vulnerabilities in their own right.
Administrators are advised to implement additional hardening steps, as per Canonical's guidance, while awaiting official updates.
The issue, including the busybox bypass independently discovered by researcher Roddux, highlights ongoing challenges in securing container environments within Linux distributions. | Details |
| 2025-03-28 14:16:36 | bleepingcomputer | DATA BREACH | Oracle Health Data Breach Affects U.S. Patients’ Records | Oracle Health, formerly Cerner, reported a breach on legacy servers affecting U.S. hospitals' patient data.
Unauthorized access to data occurred in February 2025, involving legacy Cerner data migration servers.
Compromised customer credentials led to unauthorized copying of data, potentially including patient EHRs.
Oracle Health has not made an official public announcement and is managing communications discreetly.
Affected hospitals are responsible for notifying patients and assessing their HIPAA obligations, with some support from Oracle.
Oracle denies a related breach of Oracle Cloud's federated SSO login servers, though the authenticity of data leaked from that alleged incident remains disputed.
Customers expressed frustration over Oracle's lack of transparency and insufficient guidance in handling the breach aftermath.
Oracle agreed to fund credit monitoring services and patient notification efforts, but will not handle the notifications directly. | Details |
| 2025-03-28 13:23:21 | thehackernews | CYBERCRIME | Critical Security Flaws Found in Major Solar Inverter Brands | Cybersecurity researchers have identified 46 new vulnerabilities across solar inverter products from Sungrow, Growatt, and SMA, collectively named SUN:DOWN by Forescout Vedere Labs.
These security flaws could potentially allow bad actors to remotely execute commands, seize control of devices, or disrupt power grids.
Attackers could exploit these weaknesses to manipulate energy distribution, causing grid instability and potential blackouts.
In one scenario, attackers could take over Growatt inverter accounts by enumerating usernames through exposed APIs and resetting passwords, then herd the devices into a botnet.
All affected vendors have addressed the vulnerabilities after the issues were responsibly disclosed.
Forescout emphasizes the importance of strict security measures, regular risk assessments, and visibility into networked solar devices to mitigate risks.
These findings align with recent disclosures of critical vulnerabilities in other operational technology (OT) devices, underlining broad cybersecurity concerns in industrial applications. | Details |
| 2025-03-28 12:33:11 | theregister | DATA BREACH | Data Compromise in Cardiff Council's Children's Services Department | Cardiff Council's director of children's services has confirmed a data breach affecting the department.
The exact nature and extent of the compromised data have not been disclosed, but it could include sensitive information related to children's welfare.
The breach was discussed during a council meeting, emphasizing the issue as one of five elevated corporate risks in children's services.
The council is working with the Welsh government and other local authorities to address cybersecurity risks and prevent future incidents.
Current security measures being implemented include enhanced security products, staff training, phishing exercises, and cybersecurity workshops for senior management.
The breach might be connected to a previous ransomware attack on Data Cymru, a company working with Welsh local governments.
The council aims to lower its cybersecurity risk rating by the end of 2025/26 as ongoing initiatives and an action plan are being developed.
There has been no immediate response from the council or related organizations about details of the data breach or if affected individuals have been notified. | Details |
| 2025-03-28 12:04:03 | thehackernews | MALWARE | Sophisticated CoffeeLoader Malware Evades Detection Using GPU | Cybersecurity experts have identified a new malware variant named CoffeeLoader, which primarily functions as a downloader for secondary payloads.
CoffeeLoader uses a packer named Armoury that executes code on the GPU, hindering analysis in virtual environments and by security software.
This malware includes advanced evasion techniques such as call stack spoofing, sleep obfuscation, and leveraging Windows fibers to escape detection by antivirus and Endpoint Detection and Response (EDR) systems.
CoffeeLoader was first observed in September 2024 and falls back to a domain generation algorithm to reach command-and-control (C2) servers when its primary channels fail.
The infection process involves a dropper that tries to execute with elevated privileges and establish persistence through scheduled tasks.
It shares similarities with the older SmokeLoader malware, hinting at a possible evolution or relationship between the two, especially after recent law enforcement actions against SmokeLoader.
Associated threats include phishing campaigns and targeted malware attacks on cryptocurrency traders and users downloading compromised software. | Details |
| 2025-03-28 10:17:52 | thehackernews | MISCELLANEOUS | Datto BCDR: Enhancing Business Continuity with Hybrid Solutions | A survey of over 3,000 IT professionals indicates a shift toward BCDR solutions, citing better disaster recovery capabilities and cost-effectiveness.
Datto BCDR integrates local hardware, software, and cloud-based recovery, ensuring rapid and efficient business continuity.
The platform supports both agent-based and agentless backups, providing flexibility across different IT environments and reducing management complexity.
Datto BCDR features automated backup and DR testing, minimizing manual effort and ensuring recoverability.
Advanced Inverse Chain Technology™ allows for independent recovery points, ensuring faster restores and minimal data loss.
The Datto Cloud offers robust security and performance, with features like 1-Click Disaster Recovery to streamline and accelerate disaster response.
Frequent backups (as little as every five minutes) paired with efficient off-site data retention enhance the assurance against data loss.
The State of BCDR Report 2025 finds gaps in how often organizations test their backups across industries, underlining the need for automated testing such as Datto's. | Details |
| 2025-03-28 08:08:10 | thehackernews | MALWARE | PJobRAT Malware Targets Taiwan via Phony Chat Apps | PJobRAT, an Android malware, has recently targeted Taiwanese users through deceptive chat applications.
Initially documented in 2021 for attacks against Indian military personnel, the malware can extract sensitive data such as SMS messages, contacts, and media files.
Operated by the SideCopy group, linked to Transparent Tribe, the malware has been used in espionage efforts against government and military entities, frequently employing social engineering via fake romantic interests.
Sophos revealed that the malware's recent campaign involved fake apps named SangaalLite and CChat, distributed through WordPress sites.
The malicious apps were capable of extensive data harvesting and were controlled via command-and-control (C2) servers, which also distributed updates and commands to the malware.
Despite the longevity of the campaign, the number of infections was relatively low, suggesting a highly targeted approach.
The campaign ran from January 2023 until it paused around October 2024, and added features enabling broader control over infected devices, including execution of shell commands. | Details |
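The BlackLock item above describes a local file inclusion bug reached through path traversal. The following is an added example, not code from the article or from the leak site itself: a minimal file-serving function with that bug class, next to a hardened version. The web-root layout and file names are constructed for the demonstration.

```python
"""Path traversal / local file inclusion: vulnerable reader beside a hardened one.

Added example illustrating the bug class in the BlackLock item; the fixture
directory and its contents are constructed here.
"""
import os
import tempfile


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Serves base_dir/<requested> with no validation.

    os.path.join follows "../" out of base_dir and discards base_dir entirely
    when `requested` is absolute, so any file the process can read is served.
    """
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, requested: str) -> bytes:
    """Serves base_dir/<requested> only if the resolved path stays inside base_dir.

    realpath() collapses "..", resolves symlinks and makes the path absolute,
    so the containment check runs on what the OS would actually open.
    """
    root = os.path.realpath(base_dir)
    # A leading separator would make the request absolute; treat it as relative.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes web root: {requested!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def build_fixture() -> str:
    """Constructed web root: one public file, plus a secret one level above it."""
    top = tempfile.mkdtemp(prefix="lfi-demo-")
    static = os.path.join(top, "static")
    os.mkdir(static)
    with open(os.path.join(static, "index.html"), "wb") as fh:
        fh.write(b"<h1>leak site</h1>")
    with open(os.path.join(top, "config.php"), "wb") as fh:
        fh.write(b"<?php $db_pass = 'constructed-secret';")
    return static


def demo() -> dict:
    """Runs both readers against the fixture with a traversal payload."""
    static = build_fixture()
    payload = "../config.php"
    result = {"public_ok": safe_read(static, "index.html") == b"<h1>leak site</h1>"}
    result["vulnerable_leaked"] = b"constructed-secret" in vulnerable_read(static, payload)
    try:
        safe_read(static, payload)
        result["safe_blocked"] = False
    except PermissionError:
        result["safe_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check in `safe_read` is done after `realpath`, not on the raw string: rejecting `..` substrings misses URL-encoded or symlinked variants, whereas comparing the resolved path against the resolved root catches every route to a file outside it.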
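The Morphing Meerkat item above says the kit fetches the victim domain's MX records over DNS-over-HTTPS and uses them to choose which brand's fake login page to show. The following is an added example, not the kit's code and not from Infoblox's write-up, that reproduces that selection step offline. The DoH reply is constructed in the JSON shape returned by the `application/dns-json` resolvers at `dns.google/resolve` and `cloudflare-dns.com/dns-query`; the suffix-to-template table is a hypothetical, much shorter version of what a real kit carries.

```python
"""Email-provider fingerprinting from MX records fetched over DoH.

Added example reproducing the page-selection step described in the
Morphing Meerkat item. The DoH reply and provider table are constructed.
"""
import json
from urllib.parse import urlencode

MX_TYPE = 15  # DNS resource record type for MX

# Hypothetical mapping from MX host suffix to the spoofed-page template.
MX_PROVIDER_MAP = {
    "google.com": "gmail",
    "googlemail.com": "gmail",
    "mail.protection.outlook.com": "outlook",
    "yahoodns.net": "yahoo",
}

# Constructed dns-json reply for a fictional domain hosted on Microsoft 365.
SAMPLE_DOH_REPLY = json.dumps({
    "Status": 0,
    "Question": [{"name": "victim-corp.example.", "type": MX_TYPE}],
    "Answer": [
        {"name": "victim-corp.example.", "type": MX_TYPE, "TTL": 300,
         "data": "10 victim-corp-example.mail.protection.outlook.com."},
    ],
})

# Constructed reply for a domain that does not exist (Status 3 = NXDOMAIN).
SAMPLE_DOH_NXDOMAIN = json.dumps({"Status": 3, "Answer": []})


def doh_query_url(resolver: str, email: str) -> str:
    """URL the kit would fetch: an MX lookup for the domain part of the address."""
    domain = email.rsplit("@", 1)[-1].lower()
    return f"{resolver}?{urlencode({'name': domain, 'type': 'MX'})}"


def mx_hosts(doh_reply: str) -> list:
    """MX hosts from a dns-json reply, lowest preference first, trailing dot removed."""
    reply = json.loads(doh_reply)
    if reply.get("Status") != 0:  # NXDOMAIN, SERVFAIL, ...
        return []
    hosts = []
    for rr in reply.get("Answer", []):
        if rr.get("type") != MX_TYPE:
            continue  # CNAME or other records can be interleaved in Answer
        pref, _, host = rr["data"].partition(" ")
        hosts.append((int(pref), host.lower().rstrip(".")))
    return [host for _, host in sorted(hosts)]


def provider_for_host(host: str):
    """Template for a single MX host, matching on a registrable suffix only."""
    for suffix, template in MX_PROVIDER_MAP.items():
        if host == suffix or host.endswith("." + suffix):
            return template
    return None


def pick_template(doh_reply: str) -> str:
    """Template for the first MX host with a known provider, else a generic page."""
    for host in mx_hosts(doh_reply):
        template = provider_for_host(host)
        if template:
            return template
    return "generic"


if __name__ == "__main__":
    print(doh_query_url("https://dns.google/resolve", "ceo@victim-corp.example"))
    print(mx_hosts(SAMPLE_DOH_REPLY), "->", pick_template(SAMPLE_DOH_REPLY))
```

The defender-side point follows from where this runs: the lookup is issued by the victim's browser straight to a public DoH resolver, so the corporate resolver never sees the query and its logs show nothing. Infoblox's advice to tighten DNS controls amounts to blocking direct client traffic to those resolver endpoints at the egress proxy and alerting on attempts, which forces the query back through monitored DNS or breaks the kit's fingerprinting.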