CyberSecurity news

FlagThis - #google

Sergiu Gatlan@BleepingComputer //
Google has released a critical security update for its Chrome browser to address a high-severity zero-day vulnerability, identified as CVE-2025-2783. This vulnerability was actively exploited in a sophisticated espionage campaign targeting Russian organizations, specifically media companies, educational institutions, and government entities. According to Kaspersky, the vulnerability allowed attackers to bypass Chrome’s sandbox protections, gaining unauthorized access to affected systems without requiring further user interaction. This incident marks the first actively exploited Chrome zero-day since the start of the year, underscoring the persistent threat landscape faced by internet users.

Kaspersky's investigation, dubbed "Operation ForumTroll," revealed that the attacks were initiated through personalized phishing emails disguised as invitations to the "Primakov Readings" forum. Clicking the malicious link led victims to a compromised website that immediately exploited the zero-day vulnerability. The technical sophistication of the exploit chain points to a highly skilled Advanced Persistent Threat (APT) group. Google urges users to update their Chrome browsers immediately to version 134.0.6998.177/.178 for Windows to mitigate the risk.

Recommended read:
References :
  • cyberinsider.com: Google has released a security update for Chrome to address a high-severity zero-day vulnerability that was actively exploited in a sophisticated espionage campaign targeting Russian organizations.
  • thehackernews.com: Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
  • securityaffairs.com: Google fixed the first actively exploited Chrome zero-day since the start of the year
  • techcrunch.com: Google fixes Chrome zero-day security flaw used in hacking campaign targeting journalists
  • thecyberexpress.com: Google has rolled out a new security update for Chrome users, following the discovery of a vulnerability, CVE-2025-2783, affecting the Windows version of the browser.
  • The DefendOps Diaries: Google Chrome Vulnerability CVE-2025-2783: A Closer Look
  • Cybernews: Google has patched a dangerous zero-day vulnerability that has already been exploited by sophisticated threat actors in the wild
  • Zack Whittaker: New: Google has fixed a zero-day bug in Chrome that was being actively exploited as part of a hacking campaign. Kaspersky says the bug was exploited to target journalists and employees at educational institutions.
  • Kaspersky official blog: Kaspersky’s GReAT experts have discovered the Operation ForumTroll APT attack, which used a zero-day vulnerability in Google Chrome.
  • bsky.app: Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations.
  • Cyber Security News: Operation ForumTroll: APT Hackers Use Chrome Zero-Day to Evade Sandbox Protections.
  • www.bleepingcomputer.com: Google has released out-of-band fixes to address a high-severity security flaw in Chrome browser for Windows that has been actively exploited.
  • Help Net Security: Help Net Security: Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
  • securityonline.info: CVE-2025-2783: Chrome Zero-Day Exploited in State-Sponsored Espionage Campaign
  • MSSP feed for Latest: Google remediated the high-severity Chrome for Windows zero-day vulnerability.
  • The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
  • thecyberexpress.com: CISA Issues Urgent Security Alerts: Critical Vulnerabilities in Schneider Electric, Chrome, and Sitecore
  • PCMag UK security: Details about Firefox also being affected by Chrome zero-day flaw
  • CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
  • iHLS: Google Patches Dangerous Zero-Day Flaw in Chrome
  • PCMag UK security: Time to Patch: Google Chrome Flaw Used to Spread Spyware
  • MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
  • gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
  • securityaffairs.com: Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows.
  • The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
  • The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
  • Blog: Mozilla has released updates to fix a critical security flaw in its Firefox browser for Windows. The vulnerability, designated CVE-2025-2857, stems from improper handling within the browser's inter-process communication (IPC) code, which could allow a compromised child process to gain elevated privileges by manipulating the parent process into returning a powerful handle, potentially leading to sandbox escape.
  • techcrunch.com: Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
  • securityaffairs.com: Google addressed a critical vulnerability, tracked as CVE-2025-2783, impacting its Chrome browser for Windows.
  • securityaffairs.com: U.S. CISA adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog
  • www.scworld.com: Mozilla Patches Firefox Bug Exploited in the Wild, Similar to Chrome Zero-Day
  • OODAloop: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
  • bsky.app: Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that has been exploited in the wild as part of attacks targeting organizations in Russia.

@cyberalerts.io //
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.

The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.

The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.

Recommended read:
References :
  • Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
  • gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
  • www.bitdefender.com: Free file converter malware scam “rampantâ€� claims FBI
  • Malwarebytes: Warning over free online file converters that actually install malware
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
  • Help Net Security: FBI: Free file converter sites and tools deliver malware
  • www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
  • securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
  • The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
  • PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
  • www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
  • www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
  • www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
  • www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
  • Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]

info@thehackernews.com (The@The Hacker News //
References: The Hacker News , , Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
  • securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
  • The Stack: Phishing kits going to great lengths to personalise attacks
  • Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
  • securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
  • www.bleepingcomputer.com: A new phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. [...]
  • bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
  • Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
  • Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
  • Talkback Resources: New Morphing Meerkat PhaaS platform examined

info@thehackernews.com (The@The Hacker News //
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.

The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace.

Recommended read:
References :
  • infosec.exchange: NEW: North Korean government hackers snuck spyware onto the official Android app store, and tricked a few people to download it, according to Lookout.
  • techcrunch.com: North Korean government hackers snuck spyware on Android app store
  • The DefendOps Diaries: KoSpy: Unmasking the North Korean Spyware Threat
  • PCMag UK security: Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
  • BleepingComputer: New North Korean Android spyware slips onto Google Play
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
  • The Record: A North Korean nation-state group tracked as APT37 or ScarCruft placed infected utilities in Android app stores as part of an espionage campaign, according to researchers
  • www.scworld.com: Android spyware ‘KoSpy’ spread by suspected North Korean APT
  • securityaffairs.com: North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.
  • The Hacker News: The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
  • securityonline.info: North Korea’s APT ScarCruft Places Spyware on Google Play
  • securityaffairs.com: North Korea-linked APT group ScarCruft used a new Android spyware dubbed KoSpy to target Korean and English-speaking users.
  • Secure Bulletin: New Android spyware “KoSpyâ€� linked to North Korean APT37
  • securityonline.info: North Korean ScarCruft APT Targets Users with Novel KoSpy Android Spyware
  • Carly Page: North Korean-linked hackers uploaded Android spyware to Google Play. The spyware, which collects an “extensive amountâ€� of sensitive data, was downloaded more than 10 times before Google removed it, according to Lookout

Andres Ramos@Arctic Wolf //
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.

This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult.

Recommended read:
References :
  • Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
  • hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
  • Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
  • SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
  • www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
  • Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
  • www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
  • Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • Sucuri Blog: Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites

@The DefendOps Diaries //
Cybercriminals are actively targeting SEO professionals through a sophisticated phishing campaign that exploits Google Ads. The attackers are using fake Semrush advertisements to trick users into visiting deceptive login pages designed to steal their Google account credentials. This campaign is a new twist in phishing, going after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses, and is trusted by 40% of Fortune 500 companies.

This scheme is effective due to the SEO professionals' trust in Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages, which look similar to legitimate Semrush URLs. The attackers register domain names that closely resemble real Semrush domains and the only login option is with a Google account, harvesting Google account information for further malicious activities. This provides the attackers with valuable access to Google Analytics and Google Search Console, giving them insight into the companies' financial performance.

Recommended read:
References :
  • The DefendOps Diaries: Cybercriminals exploit Google Ads to target SEO pros, using fake Semrush ads to steal Google credentials.
  • Help Net Security: Malicious ads target Semrush users to steal Google account credentials
  • Malwarebytes: Semrush impersonation scam hits Google Ads
  • www.tripwire.com: Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • bsky.app: Fake Semrush ads used to steal SEO professionals’ Google accounts
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • : Threat actors are looking to compromise Google accounts to further malvertising and data theft
  • Email Security - Blog: Cyber criminals have launched a sophisticated phishing campaign that exploits the trusted reputation of Semrush — an SEO firm that's captured of Fortune 500 brands as customers — to compromise Google account credentials.
  • gbhackers.com: Hackers Deploy Fake Semrush Ads to Steal Google Account Credentials

info@thehackernews.com (The@The Hacker News //
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.

Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware.

Recommended read:
References :
  • Infoblox Blog: DNS Early Detection – Fast Propagating Fake Captcha distributes LummaStealer
  • Talkback Resources: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • The Hacker News: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • gbhackers.com: Netskope Threat Labs uncovered a sprawling phishing operation involving 260 domains hosting approximately 5,000 malicious PDF files.
  • Talkback Resources: Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus [mal]
  • gbhackers.com: Beware! Fake CAPTCHA Hidden LummaStealer Threat Installing Silently
  • Cyber Security News: Beware! Fake CAPTCHA Scam That Silently Installs LummaStealer
  • gbhackers.com: Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fixâ€� Style Attack

Pierluigi Paganini@Security Affairs //
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.

Recommended read:
References :
  • securityaffairs.com: Reports the release of Google's March 2025 Android security update, which addresses actively exploited zero-day vulnerabilities.
  • cyberinsider.com: Google Patches Two Actively Exploited Zero-Day Flaws in Android
  • The Hacker News: Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities.
  • bsky.app: Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices.
  • Information Security Buzz: Google Issues Urgent Alert for Exploited Android Vulnerabilities

Pierluigi Paganini@securityaffairs.com //
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.

Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.

Recommended read:
References :
  • cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
  • BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
  • www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
  • CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
  • securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
  • securityaffairs.com: Russia-linked threat actors exploit Signal messenger
  • Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
  • cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
  • bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
  • cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devicesâ€� Feature for Espionage in Ukraine
  • Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
  • cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
  • Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
  • Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
  • www.onfocus.com: Google Threats on Signals of Trouble
  • cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
  • arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
  • MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
  • Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
  • thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.

Aman Mishra@gbhackers.com //
A large-scale malware campaign has been discovered exploiting a vulnerable Windows driver, truesight.sys, associated with Adlice's RogueKiller Antirootkit suite. Attackers are leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy the HiddenGh0st RAT malware. Over 2,500 distinct variants of the truesight.sys driver have been identified, allowing attackers to evade EDR solutions and Microsoft’s Vulnerable Driver Blocklist.

This sophisticated campaign employs a multi-stage infection process, where initial-stage malware samples are disguised as legitimate applications and distributed via deceptive websites and messaging apps. These samples download the vulnerable truesight.sys driver alongside encrypted payloads, ultimately delivering advanced malware such as the Gh0st RAT. The campaign primarily targets victims in China, Singapore, and Taiwan, with infrastructure hosted on public cloud services within China.

Recommended read:
References :
  • Cyber Security News: A sophisticated cyber campaign has been uncovered, leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy malware.
  • Talkback Resources: 2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT [exp] [mal]
  • The Hacker News: A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
  • Information Security Buzz: Massive Cyberattack Exploits Legacy Windows Driver to Evade Detection
  • gbhackers.com: New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections

Aman Mishra@gbhackers.com //
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud. GitLab's security team discovered these extensions on the official Google Web Store and were used to insert ads and manipulate search engine results.

The malicious extensions operate by checking in with unique configuration servers, transmitting extension versions and hardcoded IDs, and storing configuration data locally. They also create alarms to refresh this data periodically and degrade browser security by stripping Content Security Policy (CSP) protections. Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store. However, users must manually uninstall these extensions as removal from the store does not trigger automatic uninstalls.

Recommended read:
References :
  • bsky.app: GitLab's security team has discovered a cluster of 16 malicious Chrome extensions on the official Google Web Store. The extensions were used to insert ads and manipulate search engine results. Over 3.2 million users downloaded the extensions
  • gbhackers.com: A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud.
  • Cyber Security News: Chrome Under Siege: 16 Malicious Extensions Infect Over 3.2 Million Users
  • thecyberexpress.com: Remove These Extensions Now! Hackers Hijack Google Chrome Add-ons for Fraud

info@thehackernews.com (The Hacker News)@The Hacker News //
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write condition within the "uvc_parse_format()" function of the "uvc_driver.c" program, specifically when parsing UVC_VS_UNDEFINED frames. This flaw, present since Linux kernel version 2.6.26 released in mid-2008, could lead to memory corruption, program crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.

Recommended read:
References :
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

@www.the420.in //
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

This malicious campaign operates by embedding a one-line `` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.

Recommended read:
References :
  • Cyber Security News: cyberpress.org on 35,000 Websites Compromised with Malicious Scripts Redirecting Users to Chinese Websites
  • gbhackers.com: Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
  • Talkback Resources: talkback.sh on Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam
  • Sucuri Blog: Sucuri article detailing WordPress spam

@PCWorld //
Google Chrome has introduced a new layer of security, integrating AI into its existing "Enhanced protection" feature. This update provides real-time defense against dangerous websites, downloads, and browser extensions, marking a significant upgrade to Chrome's security capabilities. The AI integration allows for immediate analysis of patterns, enabling the identification of suspicious webpages that may not yet be classified as malicious.

This AI-powered security feature is an enhancement of Chrome's Safe Browsing. The technology apparently enables real-time analysis of patterns to identify suspicious or dangerous webpages. The improved protection also extends to deep scanning of downloads to detect suspicious files.

Recommended read:
References :
  • BleepingComputer: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
  • Anonymous ???????? :af:: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
  • PCWorld: Google Chrome adds real-time AI protection against dangerous content

@Talkback Resources //
Google Cloud has launched quantum-safe digital signatures within its Cloud Key Management Service (Cloud KMS), now available in preview. This cybersecurity enhancement prepares users against future quantum threats by aligning with the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards. The upgrade provides developers with the necessary tools to protect encryption.

Google's implementation integrates NIST-standardized algorithms FIPS 204 and FIPS 205, enabling signing and validation processes resilient to attacks from quantum computers. By incorporating these protocols into Cloud KMS, Google enables enterprises to future-proof authentication workflows, which is particularly important for systems requiring long-term security, such as critical infrastructure firmware or software update chains. This allows organizations to manage quantum-safe keys alongside classical ones, facilitating a phased migration.

Recommended read:
References :
  • gbhackers.com: Google Introduces Quantum-Safe Digital Signatures in Cloud KMS
  • BleepingComputer: Google Cloud has introduced quantum-safe digital signatures to its Cloud Key Management Service (Cloud KMS), making them available in preview.
  • Talkback Resources: Google Cloud KMS Adds Quantum-Safe Digital Signatures to Defend Against Future Threats [cloud] [crypto]
  • gbhackers.com: Google Cloud has unveiled a critical cybersecurity upgrade: quantum-safe digital signatures via its Key Management Service (Cloud KMS), now available in preview.
  • www.bleepingcomputer.com: BleepingComputer reports on Quantum-Safe Digital Signatures.
  • The Quantum Insider: Google Expands Post-Quantum Cryptography Support with Quantum-Safe Digital Signatures

Aman Mishra@gbhackers.com //
Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States. These campaigns, observed since August 2024, have exploited the academic calendar and institutional trust to deceive students, faculty, and staff. The attacks have been linked to a broader campaign dating back to at least October 2022, targeting thousands of users monthly.

The phishing attacks are strategically timed to coincide with key academic events such as the start of the school year and financial aid deadlines. Attackers have tricked victims into revealing sensitive credentials and financial information by leveraging these high-pressure periods. The campaigns employ various tactics, including hosting malicious Google Forms on compromised university domains and cloning university login portals to carry out payment redirection attacks. Google is addressing security concerns surrounding SMS 2FA codes by replacing Gmail’s SMS authentication with QR codes in the coming months.

Recommended read:
References :
  • gbhackers.com: Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.
  • Virus Bulletin: Researchers from Google's Mandiant have observed a notable increase in phishing attacks targeting the education sector. These attacks, timed to coincide with key dates in the academic calendar, exploit trust within academic institutions to deceive students, faculty & staff.
  • Cyber Security News: Google, in collaboration with Mandiant, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.
  • Anonymous ???????? :af:: Mandiant reported a surge in phishing campaigns targeting U.S. universities, exploiting trust to deceive students and staff, with tactics like Google Forms and website cloning, coinciding with key academic dates.
  • be4sec: Is your university prepared for the latest wave of phishing attacks? A recent blog post on Google Cloud dives deep into the concerning increase in phishing campaigns specifically targeting higher education institutions.

CISO2CISO Editor 2@ciso2ciso.com //
Google is introducing a new security feature called Identity Check for Android devices to combat theft. This feature locks sensitive settings, such as device and account passwords, behind biometric authentication when outside a trusted location. This prevents thieves from making unauthorized changes even if they possess the device's passcode. The intent is to safeguard user data and improve overall device security.

Identity Check requires biometric verification for accessing sensitive areas like performing factory resets, changing screen locks, adding new fingerprints, and disabling ‘Find My Device’. It also protects access to developer options and Google Password Manager. Initially, the feature will roll out to Samsung Galaxy devices eligible for One UI 7, both as part of the new OS and potentially on older versions in the near future. Non-Samsung users will receive the security update later in the year.

Recommended read:
References :
  • ciso2ciso.com: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • discuss.privacyguides.net: New Android Identity Check locks settings outside trusted locations
  • AAKL: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • Pyrzout :vm:: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • security.googleblog.com: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • BleepingComputer: Google has announced a new Android "Identity Check" security feature that lock sensitive settings behind biometric authentication when outside a trusted location.
  • www.bleepingcomputer.com: New Android Identity Check locks settings outside trusted locations
  • ciso2ciso.com: Android improves theft protection with Identity Check and additional features.
  • The Hacker News: Discussion of Android's new Identity Check feature and improved device security.

@cyberalerts.io //
References: cyberinsider.com , Dan Goodin ,
George Mason University researchers have revealed a novel attack, dubbed "nRootTag," that exploits Apple's Find My network to track computers, smartphones, and IoT devices. This method uses a device’s Bluetooth address to trick the Find My network into identifying the target device as a lost AirTag. This effectively transforms the targeted device into a covert tracking beacon, enabling hackers to monitor its location remotely.

This unauthorized "AirTag" silently transmits Bluetooth signals to nearby Apple devices, which then anonymously relay the device's location via Apple Cloud. According to the research, a stationary computer’s location could be pinpointed to within 10 feet, and a moving e-bike's route could be accurately tracked. The researchers informed Apple about the exploit in July 2024 and recommended that the company update its Find My network to better verify Bluetooth devices.

Recommended read:
References :
  • cyberinsider.com: Apple’s Find My Exploited in nRootTag Attacks for User Tracking
  • Dan Goodin: The new "nRootTag" attack that transforms phones, computers and IoT devices into AirTags that can be tracked over Apple Find My sounds newsworthy at first blush.
  • Techlore: : Researchers uncovered some nasty vulnerabilities in Apple's Find My network

@www.bleepingcomputer.com //
A new phishing scam is targeting PayPal users by exploiting the platform's address settings. Scammers are sending fraudulent purchase confirmation emails, tricking recipients into contacting them under the guise of resolving unauthorized transactions. These emails often carry the subject line "You added a new address" and include a fake purchase confirmation, such as for a MacBook M4, urging users to call a provided phone number if they didn't authorize the transaction. The goal is to create panic and prompt users to seek help from the scammers.

The scam emails originate from PayPal's legitimate email servers, allowing them to bypass security and spam filters. Scammers exploit PayPal's gift address feature by inserting the phishing message into the Address 2 field of a PayPal account, triggering an official PayPal confirmation email containing the scam message. Once a victim calls the fake PayPal support number, the scammers attempt to gain remote access to the user's device, potentially leading to the theft of personal information or the installation of malware.

Recommended read:
References :
  • BleepingComputer: An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers
  • Report Boom: PayPal Scam Alert: How Fake Emails Trick Users into Trouble
  • www.bleepingcomputer.com: An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers
  • reportboom.com: PayPal Scam Alert: How Fake Emails Trick Users into Trouble
  • www.cysecurity.news: Scammers Exploit Google and PayPal’s Infrastructure to Steal Users Private Data