EagleMsgSpy swoops over China
It's likely used by security bureaus in China to harvest data from suspect phones
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -
↘️ An accessibility feature built into Windows to help people with disabilities use computers, the Windows UI Automation framework, can be abused by malware to read sensitive data from other applications or drive them in malicious ways that evade detection by endpoint protection systems. Akamai has warned that while Microsoft has placed some security restrictions on the framework, a resourceful attacker could still find ways to take advantage of it. [The Hacker News]
↘️ Multiple province-level security bureaus in Mainland China have likely been using a powerful spyware tool called EagleMsgSpy since at least 2017 to harvest extensive data from target devices, including text messages, audio recordings and location data. Customers are also offered an administrative panel that plots the device's location on a map and lists the top 10 people most frequently contacted from it. EagleMsgSpy is said to be the work of a company named Wuhan Chinasoft Token Information Technology, and is part of a broader set of contracted surveillanceware used by law enforcement. [The Hacker News]

↘️ The Russian nation-state hackers known as Turla have been linked to a new campaign that involves appropriating the infrastructure of other threat actors, such as the Amadey botnet and Flying Yeti, and using it to infect systems used by Ukrainian military forces. “Secret Blizzard has been using footholds from third parties — either by surreptitiously stealing or purchasing access — as a specific and deliberate method to establish footholds of espionage value,” Microsoft said. The unconventional tactic aside, it’s not clear how successful the two campaigns (one piggybacking on Amadey, the other on Flying Yeti) were, or what kind of data, if any, Turla managed to obtain. [The Hacker News]
↘️ A threat actor known as GoldenEyeDog (APT-Q-27) has been linked to a set of cyber attacks targeting the gambling industry with trojans like Silver Fox and Winos, and cryptocurrency miners under the guise of bogus installation packages hosted on watering hole websites. The activity leverages SEO poisoning to direct users searching for popular software to the phony sites in question. [QiAnXin]
↘️ Snowflake has announced a new authentication policy that will require all customers to enable multi-factor authentication (MFA) on their accounts by November 2025 or risk having their access blocked. The policy change comes after the company began to enforce MFA as the default for all password sign-ins in new Snowflake accounts created starting October 2024. The development also comes in the wake of a cyber campaign that leveraged stolen Snowflake credentials to stage data exfiltration and extortion attacks against over 160 companies earlier this year. [Snowflake]
↘️ Cybersecurity researchers have uncovered a sophisticated malicious payload delivery and upgrade framework called DarkCracks that’s characterized by "high persistence, stealth, and a well-designed upgrade mechanism, leveraging high-performance, stable online infrastructure as its backbone.” Targeted entities include public service systems across different countries, such as school websites, public transportation systems, and prison visitor systems. The framework also exploits compromised GLPI and WordPress sites to function as downloaders and command-and-control (C2) servers. These compromised sites are used to collect sensitive information from infected devices, maintain long-term access, and serve as relay nodes to control other devices or deliver malicious payloads, effectively masking the attacker’s tracks. [QiAnXin XLab]
↘️ The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia’s Federal Security Service (FSB) that involves recruiting Ukrainian minors for conducting reconnaissance activities under the guise of “quest games.” This unconventional intelligence-gathering tactic highlights the hybrid nature of the ongoing Russian war in Ukraine. [The Hacker News]
↘️ China, Russia, Iran, and Israel are the “primary” countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden. The activity involves exploiting inherent weaknesses in a protocol suite called Signaling System 7 (SS7). “DoD’s failure to secure its unclassified voice, video, and text communications with end-to-end encryption technology has left it needlessly vulnerable to foreign espionage” senators Wyden and Eric Schmitt said in a letter. “Moreover, although DoD is among the largest buyers of wireless telephone service in the United States, it has failed to use its purchasing power to require cyber defenses and accountability from wireless carriers.” Wyden has since unveiled legislation that would require the Federal Communications Commission (FCC) to set cybersecurity standards for telecom companies in order to prevent attacks such as those orchestrated by Salt Typhoon. FCC has also released a draft proposal for the agency to regulate the cybersecurity of telecom companies. [404 Media / The Stack]
↘️ A new threat group dubbed TaxOff has been discovered targeting Russian government agencies with phishing emails that use legal and financial themes to deliver the Trinper backdoor. Trinper is a multithreaded C++ backdoor with capabilities that include code injection, file manipulation and keylogging, and it communicates with its C2 servers through encrypted channels and domain fronting. Russian organizations have also been targeted by a hacktivist group called Head Mare to deploy a new C++-based variant of the PhantomCore backdoor. [Positive Technologies / Cyble]
↘️ The Russian hacking group tracked as APT29 is using a network of 193 remote desktop protocol (RDP) proxy servers to perform adversary-in-the-middle (AitM) attacks to steal data and credentials and to install malicious payloads. The attacks leverage an open-source tool called PyRDP to set up the servers and aim to trick victims into opening malicious RDP configuration files sent as attachments in spear-phishing emails. At its peak in October 2024, the campaign hit as many as 200 entities a day with the phishing messages. [The Hacker News]
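The lure in this campaign is a plain-text .rdp connection file. As an added defensive check (not a tool from the report and not the attackers' file), the block below parses an .rdp attachment and reports settings that would hand a rogue server the victim's drives, clipboard, smart cards and credentials. The key names are the documented mstsc settings; which of them count as risky, and the host allow-list model, are our own assumptions, and both sample files are constructed.

```javascript
// Added example (not a tool from the report): a static check for .rdp files of
// the kind mailed to victims in the campaign above. mstsc .rdp files are plain
// text, one "key:type:value" setting per line, where type is s (string),
// i (integer) or b (binary). The key names below are the documented mstsc
// settings; treating this particular set as risky is our own assumption, as
// is the host allow-list model. Both sample files are constructed.

const SAMPLE_MALICIOUS_RDP = [
  'screen mode id:i:2',
  'full address:s:rdp.example.invalid:3389', // hypothetical external host
  'drivestoredirect:s:*',                    // every local drive exposed to the server
  'redirectclipboard:i:1',
  'redirectsmartcards:i:1',
  'redirectprinters:i:1',
  'remoteapplicationmode:i:1',               // RemoteApp hides the full desktop
  'remoteapplicationprogram:s:||Updater',
  'prompt for credentials:i:0',
].join('\r\n');

const SAMPLE_BENIGN_RDP = [
  'full address:s:ts01.corp.example',
  'drivestoredirect:s:',
  'redirectclipboard:i:0',
  'redirectsmartcards:i:0',
  'prompt for credentials:i:1',
].join('\r\n');

// Settings worth reporting: each predicate receives the raw string value.
const RISKY_SETTINGS = [
  ['drivestoredirect',       v => v !== '',  'local drives are mapped into the remote session'],
  ['redirectclipboard',      v => v === '1', 'clipboard is shared with the remote host'],
  ['redirectsmartcards',     v => v === '1', 'smart cards are forwarded to the remote host'],
  ['redirectprinters',       v => v === '1', 'printers are forwarded to the remote host'],
  ['redirectcomports',       v => v === '1', 'serial ports are forwarded to the remote host'],
  ['remoteapplicationmode',  v => v === '1', 'RemoteApp mode hides the remote desktop from the user'],
  ['prompt for credentials', v => v === '0', 'client will not prompt before sending credentials'],
];

// Parse the file into a Map of lower-cased key -> { type, value }.
function parseRdp(text) {
  const settings = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const m = line.match(/^([^:]+):([sib]):(.*)$/);
    if (!m) continue; // tolerate junk lines, as mstsc does
    settings.set(m[1].trim().toLowerCase(), { type: m[2], value: m[3] });
  }
  return settings;
}

// Return the target host and a list of findings; an empty list means nothing
// in the file matched the risky set and the host is on the allow-list.
function auditRdp(text, { allowedHostSuffixes = [] } = {}) {
  const settings = parseRdp(text);
  const findings = [];
  const address = settings.get('full address');
  const host = address ? address.value.split(':')[0].toLowerCase() : '';
  const allowed = allowedHostSuffixes.some(
    s => host === s.toLowerCase() || host.endsWith('.' + s.toLowerCase()));
  if (!allowed) {
    findings.push({ key: 'full address', value: host, why: 'connects to a host outside the allow-list' });
  }
  for (const [key, isBad, why] of RISKY_SETTINGS) {
    const s = settings.get(key);
    if (s && isBad(s.value)) findings.push({ key, value: s.value, why });
  }
  return { host, findings, risky: findings.length > 0 };
}

// Usage: auditRdp(SAMPLE_MALICIOUS_RDP, { allowedHostSuffixes: ['corp.example'] }).risky === true
```

A mail gateway rule that quarantines any .rdp attachment whose audit comes back risky, or that simply blocks the extension outright, removes the lure before a user can double-click it.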
↘️ The malware botnet known as BADBOX is estimated to have infected over 190,000 Android devices globally, despite a sinkhole operation that neutralized over 30,000 devices in Germany. A new analysis reveals that the attacks have compromised well-known and trusted brands like Yandex TVs and Hisense smartphones. The malware exploits devices for residential proxying, remote code installation, account abuse, and ad fraud. One of the most notable features is the ability to install additional modules. BADBOX is a sophisticated supply chain threat in that the devices are either tampered with during manufacturing or shipped by the manufacturer with the ability to install APKs without the user's consent. They are then sold through reputable and popular retailers, such as Amazon, eBay, AliExpress, and others. The majority of infections are located in Russia, China, India, Belarus, Brazil, and Ukraine. [The Hacker News]

↘️ The Vietnam-nexus threat actor dubbed OceanLotus targeted a Chinese governmental enterprise with a trojan by leveraging an MSI Transforms (.MST) file, which can be used to modify or customize an MSI installer without altering the original package. Specifically, a .LNK file propagated via phishing emails is designed to alter WindowsPCHealthCheckSetup.exe, a legitimate Windows component, by applying an .MST file sent along with the .LNK file so that a DLL trojan is loaded. [QiAnXin]
↘️ Malicious actors have been observed exploiting vulnerabilities and misconfigurations in public sites as part of a large-scale scanning operation, leading to unauthorized access to sensitive customer data, infrastructure credentials, and proprietary source code. The activity has been primarily linked to a group tracked as Nemesis, with some of it also attributed to ShinyHunters. "The attackers used a series of scripts to scan vast ranges of IPs belonging to AWS, looking for known application vulnerabilities as well as blatant mistakes," researchers said. Ironically, the campaign came to light because the S3 bucket the attackers used to store the stolen data was itself misconfigured and left publicly accessible. [vpnMentor]
↘️ GitHub is dealing with a spike in inauthentic "stars" that are used to artificially inflate the popularity of scammy and malware-laced repositories, thereby helping them reach more unsuspecting users. The technique has been around for some time, but a new study by researchers from Carnegie Mellon University, Socket, and North Carolina State University has found that the majority of fake stars are used to promote short-lived malware repositories masquerading as pirated software, game cheats, or cryptocurrency bots. Advertised via GitHub star merchants like Baddhi, BuyGitHub, FollowDeh, R for Rank, and Twidium, these services have been found to be behind 4.5 million "fake" stars spanning 22,915 repositories. [arXiv]
↘️ Law enforcement officials have said that a Chinese national named Wan Kuok-koi (aka Broken Tooth) has played a central role in the emergence of a virulent new form of cyber fraud known as pig butchering, which is now referred to as romance baiting. He was sanctioned by the U.S. Treasury Department on corruption charges in 2020. He is said to own or control a company named Dongmei Group, which was behind a development called Dongmei Zone in Myanmar, a site that later became known as one of the earliest scam compounds. [The Wall Street Journal]
↘️ A novel variation of clickjacking, dubbed DoubleClickjacking, has been found to bypass standard web browser protections and trigger malicious actions. The attack exploits the brief gap between the two clicks of a double-click on an attacker-controlled page: after the first click, the window under the cursor is swapped for the target site, so the second click lands on a sensitive button there, tricking users into authorizing actions they never intended, such as granting excessive API permissions through OAuth. As a mitigation, website owners can keep critical buttons disabled until the user demonstrates intent on the page itself, for example by moving the mouse or pressing a key. [The Hacker News]
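The mitigation above can be implemented client-side. The following is an added example, not code from the DoubleClickjacking write-up or from any vendor: a guard that keeps a sensitive button disabled until the page has seen a mouse movement or key press and has been in the foreground for a minimum dwell time, and that disarms again whenever the window is refocused. The 500 ms dwell default and the injected `win`/`doc` parameters (so the logic can run under Node) are our own choices.

```javascript
// Added example (not code from the DoubleClickjacking write-up): a guard that
// keeps a sensitive button, such as an OAuth "Allow" button, disabled until
// the user has shown intent on THIS page (a mouse movement or key press) and
// the page has been in the foreground for a minimum dwell time. The second
// click of a DoubleClickjacking sequence has neither property: the pointer
// has not moved over the page, and the page was brought to the front only
// milliseconds earlier. `win` and `doc` are injected so the logic also runs
// under Node for testing; in a browser pass window and document. The 500 ms
// dwell default is our assumption, not a value from the report.
function createIntentGuard(button, { win, doc, minDwellMs = 500, now = () => Date.now() }) {
  const state = { sawIntent: false, foregroundSince: now() };
  button.disabled = true;

  // Recompute the armed state from the evidence collected so far.
  function evaluate() {
    const dwelled = now() - state.foregroundSince >= minDwellMs;
    const visible = doc.visibilityState !== 'hidden';
    const armed = state.sawIntent && dwelled && visible;
    button.disabled = !armed;
    return armed;
  }

  function onIntent() {
    state.sawIntent = true;
    evaluate();
  }

  // A focus or visibility change means the page was just (re)surfaced, which is
  // exactly when a hijacked second click lands: forget prior intent and restart
  // the dwell clock.
  function onContextChange() {
    state.foregroundSince = now();
    state.sawIntent = false;
    evaluate();
  }

  doc.addEventListener('mousemove', onIntent);
  doc.addEventListener('keydown', onIntent);
  win.addEventListener('focus', onContextChange);
  win.addEventListener('blur', onContextChange);
  doc.addEventListener('visibilitychange', onContextChange);

  // Defence in depth: the disabled attribute can be removed by other scripts or
  // race with rendering, so also veto the click itself when not armed.
  button.addEventListener('click', (ev) => {
    if (!evaluate()) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);

  return { isArmed: evaluate, reset: onContextChange };
}

// Browser usage (only where window and document exist):
// createIntentGuard(document.getElementById('approve'), { win: window, doc: document });
```

The guard is a client-side speed bump, not a substitute for server-side confirmation of consent flows; a second step such as re-authentication before granting broad OAuth scopes still belongs on the server.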
↘️ Microsoft has filed a lawsuit against ten individuals for using stolen credentials and custom software to break into computers running its Azure OpenAI service and generate “harmful content.” The defendants are alleged to have used stolen API keys to access accounts on the Azure OpenAI service, which they then used to generate “thousands” of images that violated the safety protocols in place to prevent misuse. Some of the stolen API keys belonged to U.S. companies located in Pennsylvania and New Jersey. The activity took place between July and August 2024, with the defendants also using a software tool to probe the content filtering system, allowing them to learn which phrases were flagged as prohibited and to circumvent those guardrails. The individuals are accused of running a hacking-as-a-service scheme: stealing API keys from customers with access to Microsoft's generative AI systems and selling that access over the internet. The development comes as companies offering AI tools battle malicious actors looking for ways to exploit them. [CyberScoop]
↘️ Facebook awarded security researcher Ben Sadeghipour a bug bounty of $100,000 for discovering a security flaw in its ads platform that could have allowed malicious actors to run commands on an internal Facebook server by taking advantage of a previously fixed flaw in the Chrome browser. The social media giant fixed the issue within one hour of responsible disclosure. [TechCrunch]
↘️ A new ransomware group dubbed FunkSec, which emerged in late 2024, has claimed dozens of victims to date. Despite the high number of published victims, it's assessed that the reality of FunkSec’s impact is modest, both in terms of actual victims and the group’s level of expertise. FunkSec’s operations are likely conducted by inexperienced actors linked to hacktivist activity. What's more, the group’s ransomware shows signs that it was developed with assistance from AI tools, allowing them to quickly produce and refine their offerings. Little information is currently available about its origins or operations, although it's believed that at least some of its members are from Algeria. [The Hacker News]
↘️ Huione Guarantee has become the largest illicit online marketplace, likely enabling $24 billion in gray market transactions, with the volume of activity on the platform rocketing up 51% since July 2024. At the same time, its parent Huione Group has expanded its slate of offerings to include a messaging app (ChatMe), a stablecoin (USDH), and a cryptocurrency exchange (Huione Crypto), indicating its efforts to stave off potential crackdowns and become a self-sufficient platform. A Chinese-language marketplace with wider links to businesses associated with the Cambodian ruling family, Huione Guarantee first emerged in 2021 ostensibly as a way to sell cars and real estate. But one of its core features is that it acts as a hub for scammers, selling stolen data, fake investment websites, and other services. Huione Guarantee mostly operates through the messaging app Telegram, organized around groups and bots that have tens of thousands of members and followers. [WIRED / The Hacker News]
↘️ A version of PlugX malware used by the Chinese state-backed Mustang Panda hackers has been deleted from thousands of U.S. computers following a multi-month law enforcement operation, the U.S. Department of Justice (DoJ) announced. PlugX has long been the malware of choice for Chinese state-backed hacking groups, first emerging in attacks on Japan in 2008. PlugX possesses an array of advanced capabilities that make it a formidable and potent tool in cyber espionage. The malware can clandestinely harvest critical information by executing commands to retrieve system data, capture screen images, simulate keyboard and mouse activities, and log keystrokes. Additionally, it allows attackers to exert control over the system’s processes and services, manage Windows Registry entries, and open a command shell, providing extensive operational control to the infiltrating party. Such features make PlugX capable of conducting comprehensive surveillance and data theft without attracting attention, further complicating efforts to effectively detect and mitigate its presence. Some variants of the malware are known to spread via compromised USB drives. [The Hacker News]
↘️ A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process on Unified Extensible Firmware Interface (UEFI) devices. The issue resides in a file named “reloader.efi,” a Microsoft-signed Extensible Firmware Interface (EFI) file that’s part of seven real-time system recovery software suites. In a nutshell, reloader.efi uses a custom loader that lets the application load even unsigned binaries during the boot process, so the signed UEFI binary can serve as a backdoor for sneaking any kind of file into the startup sequence, completely bypassing UEFI Secure Boot checks. These attacks can be particularly pernicious because the infection sits in the firmware that runs at an early stage, before the operating system has loaded. This strategic position allows the malware to sidestep defenses installed by the operating system and to survive reboots and reformatting of hard drives. Malware planted this way acts as a “bootkit” capable of providing remote access to threat actors. [The Hacker News]
↘️ Block-owned Cash App has been cumulatively fined $255 million as part of two different settlements over its lack of compliance with laws intended to keep illicit activity off the platform, raising concerns that the service could be used to support money laundering and terrorism financing. Separately, the Consumer Financial Protection Bureau called out the company's weak security protocols that put consumers at risk and made it difficult for users to get help after experiencing fraud on the platform. [Conference of State Bank Supervisors / Consumer Financial Protection Bureau]
↘️ Separate spinoffs of the infamous Mirai botnet are responsible for a fresh wave of distributed denial-of-service (DDoS) attacks globally. While one is exploiting specific vulnerabilities in AVTECH IP cameras and Huawei routers to establish “expansive” botnet networks, the other has been targeting organizations in North America, Europe, and Asia with DDoS attacks since the end of 2024 using a network of various compromised IoT devices by leveraging known security flaws and weak credentials. The two campaigns underscore the continued risk posed by Mirai, a botnet that has spawned myriad variants since its source code was leaked in 2016. [The Hacker News]
↘️ The advanced persistent threat group DoNot Team is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups that are of likely national security interest to India. The malware-laced apps purport to be chat apps but, once installed on a device, they do not work as advertised and instead prompt the user to turn on the device's accessibility feature and grant several dangerous permissions, gaining the ability to harvest a wide range of information from the compromised device. The app has been found to use a legitimate library called OneSignal to send fake push notifications to start a non-existent chat. A group with a nexus to India, DoNot Team has been operational since at least 2016, primarily targeting various entities across Pakistan, Bangladesh, Sri Lanka, and Nepal. [The Hacker News]
↘️ Threat actors have been observed utilizing the Go-based FastHTTP library to launch brute-force password attacks targeting Microsoft 365 accounts globally starting January 6, 2025. “Sixty-five percent of the traffic associated with the agent originates from Brazil, leveraging a diverse range of ASN providers and IP addresses," SpearTip said. "Other source countries include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each contributing approximately 2–3% of the observed traffic." [SpearTip]
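The observable here is the user agent: the Go fasthttp client identifies itself with the literal User-Agent string `fasthttp` unless the caller overrides it. As an added example (not SpearTip's detection logic), the block below aggregates sign-in events by user for that agent and alerts on users that were sprayed from many IPs or, worse, that saw a success after failures. The events are constructed in a simplified Entra ID-style shape, and the thresholds are our own starting points rather than values from the report.

```javascript
// Added example (not SpearTip's detection logic): flag the FastHTTP
// password-spraying pattern in sign-in telemetry. Events are constructed here
// in a simplified Entra ID-style shape (time, user, ip, country, userAgent,
// status) and are not real data. The Go fasthttp client sends the literal
// User-Agent "fasthttp" by default, which is what the rule keys on; the
// thresholds are our own starting points, not values from the report.
const BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0 Safari/537.36';
const SAMPLE_SIGNINS = [
  { time: '2025-01-06T10:00:01Z', user: 'alice@example.com', ip: '203.0.113.10', country: 'BR', userAgent: 'fasthttp', status: 'failure' },
  { time: '2025-01-06T10:00:02Z', user: 'alice@example.com', ip: '203.0.113.11', country: 'BR', userAgent: 'fasthttp', status: 'failure' },
  { time: '2025-01-06T10:00:03Z', user: 'alice@example.com', ip: '198.51.100.7', country: 'TR', userAgent: 'fasthttp', status: 'failure' },
  { time: '2025-01-06T10:00:04Z', user: 'alice@example.com', ip: '203.0.113.10', country: 'BR', userAgent: 'fasthttp', status: 'failure' },
  { time: '2025-01-06T10:00:09Z', user: 'alice@example.com', ip: '198.51.100.7', country: 'TR', userAgent: 'fasthttp', status: 'success' },
  { time: '2025-01-06T10:00:05Z', user: 'bob@example.com',   ip: '192.0.2.20',   country: 'AR', userAgent: 'fasthttp', status: 'failure' },
  { time: '2025-01-06T10:01:00Z', user: 'carol@example.com', ip: '192.0.2.55',   country: 'US', userAgent: BROWSER_UA, status: 'failure' },
  { time: '2025-01-06T10:01:30Z', user: 'carol@example.com', ip: '192.0.2.55',   country: 'US', userAgent: BROWSER_UA, status: 'failure' },
  { time: '2025-01-06T10:02:00Z', user: 'carol@example.com', ip: '192.0.2.55',   country: 'US', userAgent: BROWSER_UA, status: 'failure' },
];

function isFastHttpAgent(userAgent) {
  return /^fasthttp\b/i.test(userAgent || '');
}

// Aggregate fasthttp-sourced sign-ins per user and return one alert per user
// that looks sprayed (many failures or many source IPs) or that saw a success
// after failures, which warrants a password reset and session revocation.
function detectFastHttpSpray(events, { minFailures = 3, minSourceIps = 2 } = {}) {
  const perUser = new Map();
  // Process in time order so "success after failures" is meaningful.
  const ordered = [...events].sort((a, b) => a.time.localeCompare(b.time));
  for (const e of ordered) {
    if (!isFastHttpAgent(e.userAgent)) continue;
    let agg = perUser.get(e.user);
    if (!agg) {
      agg = { user: e.user, failures: 0, successes: 0, ips: new Set(), countries: new Set(),
              successAfterFailures: false, firstSeen: e.time, lastSeen: e.time };
      perUser.set(e.user, agg);
    }
    agg.lastSeen = e.time;
    agg.ips.add(e.ip);
    agg.countries.add(e.country);
    if (e.status === 'failure') {
      agg.failures += 1;
    } else if (e.status === 'success') {
      agg.successes += 1;
      if (agg.failures > 0) agg.successAfterFailures = true;
    }
  }
  const alerts = [];
  for (const agg of perUser.values()) {
    const sprayed = agg.failures >= minFailures || agg.ips.size >= minSourceIps;
    if (!sprayed && !agg.successAfterFailures) continue;
    alerts.push({
      user: agg.user,
      failures: agg.failures,
      successes: agg.successes,
      sourceIps: agg.ips.size,
      countries: [...agg.countries].sort(),
      window: [agg.firstSeen, agg.lastSeen],
      severity: agg.successAfterFailures ? 'high' : 'medium',
    });
  }
  return alerts.sort((a, b) => a.user.localeCompare(b.user));
}

// Usage: detectFastHttpSpray(SAMPLE_SIGNINS) returns one high-severity alert for alice@example.com
```

Keying on the user agent alone is brittle, since the operator can set any string, so the per-user IP and country fan-out counts are what keep the rule useful once the agent changes; a conditional access policy that requires MFA and blocks legacy authentication removes the payoff regardless of the client library.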
↘️ A stealthy attack campaign has turned Juniper enterprise-grade routers into entry points to corporate networks via the J-magic backdoor, which is loaded into the devices’ memory via an as-yet-undetermined method and spawns a reverse shell upon receipt of a magic packet. The campaign was active between mid-2023 and mid-2024, targeting the semiconductor, energy, manufacturing, and IT verticals, among others. The malware in question is a variant of cd00r, a 25-year-old program originally developed and released as a security tool in 2000. The findings show yet again how such old tools can be repurposed to target edge infrastructure, which continues to be a cybersecurity blind spot. [The Hacker News]
↘️ The overnight attention captured by Chinese company DeepSeek in recent weeks has also led to malicious actors attempting to cash in on the craze to deliver a stealer malware known as Poseidon by setting up fake sites masquerading as the artificial intelligence chatbot. Meanwhile, DeepSeek said it has been the target of cyber attacks, adding it would temporarily limit registrations because of “large-scale malicious attacks” on its platform. [g0njxa / The Hacker News]