
Ransomware/Malware
New Android Malware Uses Social Tricks
A new Android malware named Crocodilus is targeting cryptocurrency and banking applications, primarily in Spain and Turkey. This sophisticated Trojan exploits Android's Accessibility Service to gain extensive control over infected devices. Once installed, it prompts users to enable accessibility features, allowing the malware to overlay fake login screens, log keystrokes, and capture sensitive data such as wallet seed phrases and two-factor authentication codes. Crocodilus employs deceptive tactics, like displaying urgent prompts to back up wallet keys, tricking users into revealing their credentials. Additionally, it can take screenshots, simulate gestures, and even mute the device to operate covertly. The malware spreads through phishing campaigns, malicious links, and fake apps, evading detection by bypassing Google Play Protect. Experts advise users to avoid downloading apps from untrusted sources, be cautious with accessibility permissions, and store wallet seed phrases securely offline to mitigate the risk of infection.
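Because Crocodilus depends on the victim granting it an accessibility service, one practical defensive check is to audit which accessibility services a managed device has enabled and flag any package that is not on a vetted allowlist. The script below is an added example, not code from the original article: it parses the value Android stores in the `enabled_accessibility_services` secure setting (readable with `adb shell settings get secure enabled_accessibility_services`); the allowlist and sample output are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist.

Assumes adb is on PATH and the device is authorised for the live query;
the allowlist and SAMPLE_OUTPUT below are constructed for illustration.
"""
import subprocess

# Constructed allowlist (assumption): packages an organisation has vetted.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of the setting's value: entries are ':'-separated
# and each entry is <package>/<service class>.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakewallet/com.example.fakewallet.OverlayService"
)


def parse_enabled_services(raw):
    """Split the setting's value into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":   # no services enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):    # '.Foo' is shorthand for '<pkg>.Foo'
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def find_unexpected(raw, allowlist=ALLOWLIST):
    """Packages with an enabled accessibility service not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw)
                   if pkg not in allowlist})


def query_device(serial=""):
    """Read the live value over adb from a connected, authorised device."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg in find_unexpected(SAMPLE_OUTPUT):
        print(f"review: non-allowlisted accessibility service enabled by {pkg}")
```

Replace `SAMPLE_OUTPUT` with `query_device()` to run the check against a real device; a hit is a prompt to review the app, not proof of infection.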
New Malware Targeting Ivanti Zero-Day Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a new malware variant, Resurge, which exploits a critical stack buffer overflow vulnerability (CVE-2025-0282) in Ivanti's Connect Secure, Policy Secure, and ZTA Gateway products. Initially disclosed in January 2025, this vulnerability has been actively targeted by the Chinese espionage group UNC5337. Resurge shares similarities with the Spawn malware family, specifically SpawnChimera, and is capable of creating web shells, harvesting credentials, initiating password resets, and tampering with system logs. Notably, Resurge can bypass Ivanti's Integrity Checker Tool, rendering it ineffective in detecting exploitation. CISA recommends organizations conduct factory resets using known clean images to ensure devices are free from malicious activity.
Phishing/Scams
Tax Season Brings Tax-Themed Phishing
With U.S. tax season underway, Microsoft has issued a warning about a surge in tax-themed phishing campaigns aimed at stealing personal and financial information. Cybercriminals are exploiting the urgency of tax season by sending deceptive emails with alarming subjects like "IRS Audit" to prompt hasty reactions from recipients. These campaigns use techniques such as QR codes, URL shorteners, and malicious attachments to distribute malware, including Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader. Some attacks begin with benign messages to build trust before delivering harmful PDFs. GuLoader stands out as a sophisticated threat, using encrypted shellcode and process injection to deploy credential-stealing trojans. These threats can lead to identity theft and unauthorized financial activity such as fraudulent credit card applications. Microsoft emphasizes the importance of public awareness and education in recognizing and resisting phishing threats.
Over 500 Phishing Domains Emerge
In the aftermath of a significant cryptocurrency heist, cybersecurity experts have identified over 500 phishing domains designed to deceive users into revealing sensitive information. These fraudulent sites mimic legitimate cryptocurrency platforms, aiming to steal login credentials and funds. The phishing campaigns have been linked to the notorious APT34 group, also known as OILRIG, which has previously targeted financial institutions in the Middle East. Security professionals advise users to exercise caution when interacting with unsolicited messages and to verify website URLs carefully to avoid falling victim to these scams.
Toll Payment Texts Return in Massive Phishing Wave
A recent surge in toll-related SMS phishing scams, or "smishing," has been reported across the United States, with over 2,000 complaints filed since early March 2024. These fraudulent messages impersonate toll agencies, falsely claim that recipients owe unpaid tolls, and threaten penalties unless immediate payment is made. The messages contain links to counterfeit websites designed to steal personal and financial information. The FBI and local authorities have issued warnings, advising individuals not to click suspicious links, to delete such messages, and to report them to the Internet Crime Complaint Center (IC3).
Artificial Intelligence
How AI Is Becoming the New Tool for Tax Scams
Scammers are increasingly leveraging AI to perpetrate sophisticated tax fraud schemes, posing significant risks to taxpayers. These criminals utilize AI to create realistic deepfake communications, such as emails and phone calls, that mimic legitimate tax authorities like the IRS. By doing so, they deceive individuals into divulging sensitive personal information, which is then used to file fraudulent tax returns and redirect refunds to the fraudsters' accounts. The IRS has reported a rise in such incidents, noting that many victims only discover the fraud when their legitimate tax filings are rejected due to duplicate submissions. Experts advise taxpayers to file early, be cautious of unsolicited communications, and regularly monitor their financial statements to detect any unauthorized activities promptly.
Fortra Brand Protection
Discover how Digital Risk Protection from Fortra can protect your organization’s critical digital assets and data from these online threats.