Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11839
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-18 13:20:09 | thehackernews | CYBERCRIME | Massive Ad Fraud Campaign Targets Android Users via Google Play | A large-scale ad fraud campaign identified as "Vapor" used 331 Android apps on the Google Play Store that together had been downloaded more than 60 million times.
The apps served intrusive full-screen ads and phishing pages designed to harvest user credentials and credit card details.
They masqueraded as legitimate utility, fitness, and lifestyle applications to trick users into installing them.
The operators spread the apps across many developer accounts and relied on versioning, publishing a clean build first and adding the malicious behaviour in a later update, to evade Google's review and security checks.
Google has since removed the apps, but not before they generated more than 200 million ad bid requests per day from unsuspecting users.
The apps hid their launcher icons and mimicked legitimate services to avoid being noticed, including on newer Android versions.
The campaign, active since around April 2024 and expanding in the following year, illustrates a growing trend in sophisticated cybercriminal strategies targeting app markets. | Details |
| 2025-03-18 13:10:20 | theregister | CYBERCRIME | Google's Wiz Uncovers Supply Chain Attack Affecting GitHub Repos | Wiz researchers traced a supply chain attack to a compromised GitHub Action used by more than 23,000 repositories.
The compromise was carried out with stolen personal access tokens (PATs), and Wiz identified reviewdog/action-setup as the initial point of compromise.
Google Cloud has announced a $32 billion acquisition of Wiz to strengthen its cloud security capabilities and support multi-cloud strategies.
Wiz traced the chain back to activity on March 11, when malicious code injected into reviewdog/action-setup leaked CI secrets from the workflows that ran it.
The attack appears to have been a deliberate chain: the smaller reviewdog action was the initial foothold used to reach a higher-value target.
Wiz recommends removing the affected GitHub Actions from workflows, replacing them with trusted alternatives, and rotating any secrets those workflows could have exposed.
The definitive agreement between Google and Wiz follows earlier negotiations that stalled over regulatory concerns. | Details |
| 2025-03-18 11:05:17 | thehackernews | MISCELLANEOUS | Enhancing Okta Security with Four Proactive Measures | Okta is essential for identity governance and security but is highly targeted by cybercriminals.
Maintaining Okta’s security involves continuous vigilance against configuration drift, identity sprawl, and misconfigurations.
Nudge Security offers continuous configuration monitoring to ensure adherence to Okta best practices and security features.
Identity risk detection by Nudge Security identifies risks such as obsolete accounts or inappropriate admin privileges.
Nudge Security also ensures secure access to Okta, preventing unauthorized entry that could lead to broader system breaches.
Nudge Security's remediation workflow prioritizes detected security gaps and helps close them efficiently.
Organizations are encouraged to adopt proactive management practices to secure their Okta environments effectively.
Nudge Security provides tools for continuous monitoring, automated detection, and remediation, with a free 14-day trial available. | Details |
| 2025-03-18 10:35:28 | theregister | DATA BREACH | UK Government Seeks Expert Insight on Data Broker Risks | The UK Government's Department for Science, Innovation, and Technology (DSIT) is seeking information on the data brokerage industry to inform new data-sharing legislation.
This initiative aims to understand the operations, security practices, and clientele of data brokers to aid in policy development amidst concerns about national security and privacy breaches.
Data brokers collect and sell personal data, which poses significant risks as these repositories often attract cybercriminals and sometimes state-sponsored actors.
Recent regulatory moves in the U.S. against data brokers highlight the growing concern over the security of vast data stores that these entities manage.
The consultation is linked with advancements in the Data (Use and Access) Bill, seeking to balance GDPR compliance with business-friendly practices while promoting better usage of data across various sectors, including the NHS and police.
The government distinguishes between data brokers and data intermediaries, the latter being entities that facilitate data portability and operate with the consent of the data subjects.
Stakeholders have until May 12 to submit their views, with assurances that sensitive details supplied will be securely managed to avoid unauthorized access or other security threats. | Details |
| 2025-03-18 10:29:42 | thehackernews | NATION STATE ACTIVITY | China's MirrorFace Attacks EU Diplomatic Entity with Advanced Malware | MirrorFace, a China-linked cyber espionage group, targeted a Central European diplomatic organization with a sophisticated malware campaign.
The attack deployed ANEL and AsyncRAT, a notable shift away from LODEINFO, the group's previous mainstay, which was not observed in use during 2024 and 2025.
The operation, named Operation AkaiRyū, used spear-phishing lures themed around the upcoming World Expo 2025 in Osaka to deliver the malware.
MirrorFace, also known as Earth Kasha and considered a subgroup of APT10, has historically focused on Japanese targets, making this attack on a European entity a significant deviation.
Additional malware, HiddenFace (aka NOOPDOOR), was also used, indicating an evolution in the threat actor's toolkit and operational tactics.
The operation overlaps with earlier campaigns documented by Japanese authorities, suggesting broader regional implications and shared tooling among Chinese hacking groups.
Improved operational security by MirrorFace, including running malicious code inside Windows Sandbox, has made it harder to attribute the activity and to establish its full scope. | Details |
| 2025-03-18 10:08:53 | thehackernews | CYBERCRIME | BADBOX 2.0 Botnet Uses Android Devices for Major Ad Fraud | BADBOX 2.0, a sophisticated ad fraud and residential proxy scheme, has been found running on more than 1 million infected Android devices, including tablets, CTV boxes, and other consumer hardware.
Run by four cooperating threat groups, BADBOX 2.0 infects devices with a backdoor that lets the operators load fraud modules remotely.
The affected devices are predominantly low-cost consumer hardware manufactured in mainland China, with the heaviest infection counts in Brazil, the USA, Mexico, and Argentina.
The operation has been disrupted in part by the sinkholing of BADBOX 2.0 domains and the removal of malware-distributing apps from the Google Play Store.
The backbone malware, dubbed BB2DOOR and derived from the Triada Android malware, is delivered by pre-installation on the device, by download from remote servers at boot, or via trojanized third-party apps.
MoYu Group, a central threat actor within the BADBOX network, rents the infected devices out as residential proxies.
Google's ongoing actions against the scheme include the removal of more than 180 Android apps involved in the related Vapor ad fraud operation. | Details |
| 2025-03-18 07:30:11 | theregister | CYBERCRIME | Ox Thief Extortion Crew Threatens Victim with Legal and Media Fallout | Ox Thief, an extortion group, claimed to have stolen 47 GB of sensitive data from a victim organization and threatened to publish it if a ransom was not paid.
The group offered data samples for verification and listed severe potential consequences for non-compliance, such as fines, lawsuits, and reputational damage.
In an unusual tactic, Ox Thief threatened to contact high-profile figures, including Edward Snowden and journalists, to escalate legal and media repercussions.
The extortion strategy includes detailing potential legal outcomes and government penalties, pressuring victims to evaluate the costs of non-payment.
Fortra’s Nick Oram highlighted this as a new escalation in ransomware tactics, emphasizing the strategic use of legal threats and media exposure.
There is speculation that declining ransomware payments are pushing criminals like Ox Thief to innovate in their extortion methods.
The outcome for the apparent victim, Broker Educational Sales & Training (BEST), and verification of Ox Thief's claims remain unclear. | Details |
| 2025-03-18 07:05:20 | thehackernews | MALWARE | Microsoft Identifies StilachiRAT, a New RAT Stealing Credentials and Crypto | Microsoft has discovered a new remote access trojan (RAT), StilachiRAT, designed to extract sensitive information like browser-stored credentials and cryptocurrency wallet details.
StilachiRAT contains a versatile set of espionage tools, targeting system information, clipboard data, remote desktop sessions, and monitoring graphical user interface activities.
The malware specifically targets a range of cryptocurrency wallet extensions on Google Chrome, emphasizing its focus on financial theft.
StilachiRAT utilizes advanced techniques to evade detection, including periodic checks for analysis tools and sandbox environments, complicating efforts to analyze and mitigate the threat.
The RAT communicates with a command-and-control server to receive instructions and exfiltrate collected data, indicating a well-managed, persistent threat.
Microsoft has not yet attributed StilachiRAT to any specific threat actor or country, and it remains unclear how the malware is initially delivered to targets.
Besides StilachiRAT, recent unusual malware samples include a passive Internet Information Services backdoor, a bootkit using an insecure driver for payload delivery, and a multi-platform post-exploitation framework. | Details |
| 2025-03-18 00:54:24 | theregister | CYBERCRIME | Apache Tomcat Vulnerability Exploited; Remote Code Execution Risk | A critical vulnerability in Apache Tomcat (CVE-2025-24813) enables remote code execution and is already being exploited in the wild.
The vulnerability was disclosed on March 10 alongside the fixed releases, and a public proof-of-concept exploit appeared about 30 hours later.
An attacker first sends a PUT request that writes a base64-encoded serialized Java payload into a file Tomcat treats as a persisted session, then sends a GET request carrying a session ID that points at that file; Tomcat deserializes the file and the payload executes.
No authentication is required, which makes the bug easy for opportunistic attackers to use.
Wallarm reported rapid adoption of the exploit by threat actors, including Chinese operators.
CISA has been notified of the active exploitation and plans to cover the vulnerability in its advisories.
Exploitation depends on configuration: writes must be enabled on the default servlet (readonly=false, which is not the default), partial PUT support must be on (the default), the application must use Tomcat's file-based session persistence, and a deserialization gadget library must be on the classpath.
Affected versions are 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. | Details |
| 2025-03-17 23:41:51 | theregister | DATA BREACH | Former Government Aide Mishandles Sensitive Treasury Data | A former aide from the Department of Government Efficiency (DOGE) improperly emailed an unencrypted database containing private information.
The incident was highlighted in a court document related to a lawsuit by New York Attorney General Letitia James and 18 other state AGs against DOGE's activities within the US Treasury.
The database included basic details like names, transaction types, and amounts, but lacked more sensitive data like social security numbers.
DOGE's efficiency-seeking activity inside federal systems has been criticized as legally questionable and insecure.
Marko Elez, the aide involved, had resigned following revelations of his involvement in racially charged activities and statements on social media.
The court testimony mentioned that although Elez distributed the data without proper encryption or approval, no alterations to the Treasury’s payment systems were detected.
Concerns were raised about Elez's interim security clearance and his access to sensitive systems and equipment. | Details |
| 2025-03-17 21:16:40 | theregister | MISCELLANEOUS | Amazon Transfers All Alexa Voice Processing to Cloud | Amazon will end local processing of Alexa voice commands on Echo devices from March 28, 2025, transitioning all operations to cloud-based analysis.
The change affects users who opted for the "Do Not Send Voice Recordings" setting, a privacy feature allowing local processing in Echo Dot 4, Echo Show 10, and Show 15.
Amazon claims the shift to cloud processing is due to the demands of new generative AI features, which the current hardware of some Echo devices cannot support.
Voice recordings from users who do not change their settings will be processed in the cloud and deleted after processing, but text transcripts of the requests are not automatically deleted.
Amazon emphasized the ongoing availability of privacy options, despite criticism over how it handles user data and the implications on user privacy.
Concerns persist about Amazon’s data practices, including its use of voice interaction data for targeted ads and previous issues with security lapses in its Ring camera products.
The Echo products capable of local processing are part of the suite supporting Alexa+, which offers enhanced AI features but will soon require a subscription. | Details |
| 2025-03-17 20:19:02 | bleepingcomputer | CYBERCRIME | Telegram CEO Departs France Amid Ongoing Criminal Probe | Pavel Durov, Telegram's CEO, has temporarily left France for Dubai while a criminal investigation into the platform's use continues.
French authorities recently relaxed a judicial order that had barred Durov from leaving the country during the investigation.
The investigation focuses on allegations that Telegram was used for fraud, drug trafficking, and distributing illegal content.
Durov was arrested at Le Bourget Airport near Paris in late August 2024 and later released on €5 million bail.
Since September, Telegram has cooperated more actively with law enforcement, sharing users' phone numbers and IP addresses in response to valid legal requests concerning criminal activity that breaches its Terms of Service.
Durov said Telegram has improved its search feature to prevent it from being used to find illegal content.
In response to the probe, Telegram has increased efforts to protect the platform's integrity for its nearly one billion users. | Details |
| 2025-03-17 19:01:30 | bleepingcomputer | MALWARE | Microsoft Unveils StilachiRAT: A Sophisticated New Crypto-Stealing Malware | Microsoft has identified a new remote access trojan (RAT) named StilachiRAT, known for its advanced evasion and persistence methods.
StilachiRAT's capabilities include extracting sensitive data, such as cryptocurrency wallet info and browser-stored credentials.
The malware employs various techniques to avoid detection, including monitoring for sandbox environments and dynamically resolving API calls.
Microsoft has not attributed StilachiRAT to a specific actor nor identified a geographic origin, due to its limited appearance in the wild.
Among the RAT's features is the ability to monitor active RDP sessions and impersonate user sessions, facilitating lateral movement within networks.
The trojan also has anti-forensics capabilities, such as clearing event logs and obfuscating its API calls to slow analysis.
Microsoft's mitigation advice includes only downloading software from official sources and utilizing security software to block malicious domains and attachments. | Details |
| 2025-03-17 18:27:12 | bleepingcomputer | NATION STATE ACTIVITY | OKX Suspends DEX Services Amid North Korean Crypto Laundering | OKX Web3 has temporarily suspended its DEX aggregator services to add security measures after the North Korean Lazarus Group abused them.
Lazarus used OKX's decentralized finance services in an attempt to launder about $100 million of the proceeds from a $1.5 billion heist.
The incident follows the record-breaking Bybit heist; OKX froze the funds it could reach and rejected Bybit's account of its role as misinformation.
New security measures include a system to detect and block hacker-linked addresses and real-time blocking of such addresses on the centralized exchange.
OKX is working with regulators and blockchain explorers to improve transaction labeling and raise the platform's security and compliance.
OKX aims to prevent future misuse by upgrading its systems and will evaluate how well the new defenses hold up against further attempts by Lazarus or other malicious actors.
The response is framed as a proactive defense against both malicious abuse and competitive disruption in the cryptocurrency exchange landscape. | Details |
| 2025-03-17 17:16:42 | thehackernews | MALWARE | Rapid Exploitation of Apache Tomcat Flaw Post-Disclosure | A security vulnerability in Apache Tomcat, tracked as CVE-2025-24813, was being actively exploited just 30 hours after its public disclosure.
The flaw allows remote code execution or information disclosure under specific conditions, triggered through PUT requests.
The vulnerability affects several Tomcat branches and is fixed in versions 9.0.99, 10.1.35, and 11.0.3.
The exploit uploads a Base64-encoded serialized Java payload with a PUT request, then sends a GET request whose session ID refers to the uploaded file; Tomcat deserializes the file as a session and the payload executes.
The attack abuses Tomcat's file-based session persistence together with its support for partial PUT requests, which can allow arbitrary files to be written to disk.
The risk is significant because exploitation requires no authentication; it does require that writes are enabled on the default servlet and that Tomcat is using file-based session storage.
Apache Tomcat users are urged to update promptly to the patched versions to protect against exploitation of this vulnerability. | Details |
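
The Wiz item above recommends removing the compromised reviewdog/action-setup action from workflows and rotating any secrets those workflows could have exposed. The script below is an added example, not code from Wiz or the reviewdog project: it scans a workflow file for `uses:` references, flags any reference to an action named in the report, flags actions pinned to a mutable tag or branch rather than a full commit SHA (a tag can be moved by whoever controls the action repository, which is exactly the lever a compromised action gives an attacker), and lists the `secrets.*` names the workflow reads so you know what to rotate. The sample workflow, the `example-org/changed-files` action and the commit SHA in it are constructed for this example.

```python
"""Audit a GitHub Actions workflow after a third-party action compromise.

Added example, not code from Wiz or the reviewdog project. The workflow
text, the example-org/changed-files action and the commit SHA below are
constructed for this example.
"""
import re
from dataclasses import dataclass

# Actions reported compromised above; any reference to them is flagged.
COMPROMISED_ACTIONS = {"reviewdog/action-setup"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


@dataclass
class Finding:
    action: str
    ref: str
    severity: str
    reason: str


def parse_uses(workflow_text: str) -> list[tuple[str, str]]:
    """Return (action, ref) for every `uses:` line; local and docker refs get ref ''."""
    pairs = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            pairs.append((spec, ""))
            continue
        action, _, ref = spec.partition("@")
        pairs.append((action, ref))
    return pairs


def audit_workflow(workflow_text: str) -> list[Finding]:
    """Flag compromised actions and actions not pinned to a full commit SHA."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any subpath
        if repo in COMPROMISED_ACTIONS:
            findings.append(Finding(action, ref, "critical",
                                    "action reported compromised: remove it and rotate exposed secrets"))
        elif ref and not SHA_RE.match(ref):
            # A tag or branch can be retargeted by whoever controls the action
            # repository; a full commit SHA cannot.
            findings.append(Finding(action, ref, "medium",
                                    f"mutable ref '{ref}': pin to a full commit SHA"))
    return findings


def secrets_to_rotate(workflow_text: str) -> list[str]:
    """Secret names the workflow reads; a compromised step could have read all of them."""
    return sorted(set(SECRET_RE.findall(workflow_text)))


# Constructed sample workflow (not a real project's file).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: example-org/changed-files@v45   # constructed: stands in for any tag-pinned action
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f.severity}] {f.action}@{f.ref}: {f.reason}")
    print("rotate:", ", ".join(secrets_to_rotate(SAMPLE_WORKFLOW)))
```

Run it over every file under `.github/workflows/`; the GITHUB_TOKEN it lists is the automatic per-job token, which expires on its own but still identifies workflows whose logs should be checked for leaked values.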
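
Both Tomcat items above concern CVE-2025-24813 and the conditions exploitation needs: an affected version, a DefaultServlet that accepts writes, partial PUT support and file-based session persistence. The script below is an added example, not code from Apache Tomcat or from either article, that checks those conditions against a deployment's `conf/web.xml` and the application's `context.xml` passed in as strings. The two XML samples, the version strings and the `assess` function are constructed for this example; the gadget-chain requirement cannot be read from configuration and is only noted in a comment.

```python
"""Check a Tomcat deployment for the preconditions of CVE-2025-24813.

Added example, not code from Apache Tomcat or either article above. It
inspects conf/web.xml (DefaultServlet init-params) and the application's
context.xml (session manager) given as strings; the inline samples are
constructed for this example. Needs Python 3.8+ for the {*} tag wildcard.
"""
import re
import xml.etree.ElementTree as ET

# Last vulnerable patch level per branch; fixed in 9.0.99, 10.1.35 and 11.0.3.
LAST_VULNERABLE = {(9, 0): 98, (10, 1): 34, (11, 0): 2}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_affected_version(version: str) -> bool:
    """True for 9.0.0.M1-9.0.98, 10.1.0-M1-10.1.34 and 11.0.0-M1-11.0.2.

    Milestone suffixes (9.0.0.M1, 11.0.0-M1) are ignored: a milestone of a
    vulnerable number is vulnerable. Branches not listed (e.g. 8.5, end of
    life) return False and must be judged separately.
    """
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in match.groups())
    last = LAST_VULNERABLE.get((major, minor))
    return last is not None and patch <= last


def default_servlet_params(web_xml: str) -> dict:
    """init-params of the servlet named 'default' (Tomcat's DefaultServlet)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iterfind(".//{*}servlet"):
        if (servlet.findtext("{*}servlet-name") or "").strip() != "default":
            continue
        return {
            (p.findtext("{*}param-name") or "").strip(): (p.findtext("{*}param-value") or "").strip()
            for p in servlet.iterfind("{*}init-param")
        }
    return {}


def uses_file_session_store(context_xml: str) -> bool:
    """True when sessions are persisted to disk via PersistentManager + FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iterfind(".//{*}Manager"):
        if manager.get("className", "").endswith("PersistentManager"):
            for store in manager.iterfind("{*}Store"):
                if store.get("className", "").endswith("FileStore"):
                    return True
    return False


def assess(version: str, web_xml: str, context_xml: str) -> dict:
    """Combine the checks; every flag must be True for the RCE path described above."""
    params = default_servlet_params(web_xml)
    result = {
        "affected_version": is_affected_version(version),
        "default_servlet_writable": params.get("readonly", "true").lower() == "false",   # Tomcat default: read-only
        "partial_put_enabled": params.get("allowPartialPut", "true").lower() != "false",  # Tomcat default: enabled
        "file_session_store": uses_file_session_store(context_xml),
    }
    # A deserialization gadget on the classpath is also needed; this check cannot see that.
    result["rce_preconditions_met"] = all(result.values())
    return result


# Constructed samples: a writable DefaultServlet, the read-only default, and a FileStore context.
WEB_XML_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_READONLY = WEB_XML_WRITABLE.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>")
CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, ver, web in (("writable 9.0.98", "9.0.98", WEB_XML_WRITABLE),
                            ("read-only 9.0.98", "9.0.98", WEB_XML_READONLY),
                            ("writable 9.0.99", "9.0.99", WEB_XML_WRITABLE)):
        print(label, assess(ver, web, CONTEXT_XML_FILESTORE))
```

The fix is the upgrade; as a stopgap, set `readonly` back to `true` on the `default` servlet (or delete the init-param, since read-only is the default) and, if the application never needs partial uploads, set `allowPartialPut` to `false`. Check the context-level `web.xml` of each webapp as well as `conf/web.xml`, since either can enable writes.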