Vo1d Botnet Expands, Infecting Over 1.5 Million Android TV Devices
A new variant of the Vo1d malware botnet has compromised 1,590,299 Android TV devices across 226 countries and regions, with 800,000 bots still active. XLab, which has tracked the botnet since November 2024, reports that this variant adds stronger encryption, a more resilient command-and-control (C2) infrastructure, and better stealth. Infection counts have surged in some regions, notably Brazil, South Africa, and Indonesia, and the sharp swings in those counts suggest that the operators are renting out blocks of infected devices as proxy servers to other criminal customers.

Vo1d's infrastructure uses 32 domain generation algorithm (DGA) seeds to derive over 21,000 C2 domains, so blocking or sinkholing any single domain has little effect. C2 traffic is protected with RSA, which means a researcher who registers one of the DGA domains can observe check-ins but cannot issue commands to the bots or take them over.

Vo1d is a multi-purpose cybercrime tool. Its main use is turning compromised devices into proxy servers that mask illicit traffic, bypass security filters, and evade regional restrictions; it is also used for large-scale ad fraud, simulating human-like interactions to generate revenue for fraudulent advertisers. The infection vector is still unknown, which raises the concern that the malware is being pre-installed somewhere in the device supply chain. Security experts recommend buying devices from reputable vendors, applying firmware updates, avoiding third-party app stores, disabling remote access when it is not needed, and isolating IoT and TV devices on a separate network segment away from sensitive systems. With these techniques, Vo1d's operators are sustaining one of the largest botnets seen in recent years.
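The DGA-plus-RSA design above is what makes the botnet hard to dismantle, and the two halves pull in opposite directions for a defender. The following is an added example written for this page, not Vo1d's code: the domain derivation scheme, the TLD list, the command format and the toy RSA key sizes are all assumptions. It shows that recovering the seeds lets a defender precompute every candidate C2 domain for a day (useful for blocklists and sinkholes), and that a sinkholed domain still gives no control over a bot that only accepts commands signed by the operator's key.

```python
"""Seed-driven DGA and signature-gated C2, as an illustrative model (not Vo1d's code)."""
from __future__ import annotations
import hashlib

TLDS = (".com", ".net", ".top")  # assumed TLD set, not the real one


def dga(seed: str, day: str, count: int) -> list[str]:
    """Derive `count` domains deterministically from (seed, ISO date, index)."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()
        # 12-letter label from the hash nibbles (letters a-p only, by construction)
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[:12])
        domains.append(label + TLDS[int(h[12], 16) % len(TLDS)])
    return domains


def precompute_blocklist(seeds, day: str, per_seed: int) -> set[str]:
    """Defender side: with the seeds in hand, every C2 candidate for a day is known in advance."""
    out: set[str] = set()
    for s in seeds:
        out.update(dga(s, day, per_seed))
    return out


def keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA on small primes, for demonstration only; real bots embed full-size keys."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


# 104729/104723 are the 10,000th/9,999th primes; 99991/99989 the two largest below 100,000.
OPERATOR_PUB, OPERATOR_PRIV = keypair(104729, 104723)    # public half is baked into the bot
RESEARCHER_PUB, RESEARCHER_PRIV = keypair(99991, 99989)  # whoever sinkholes a DGA domain


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, priv) -> int:
    d, n = priv
    return pow(_digest(msg, n), d, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(msg, n)


def bot_accepts(command: bytes, sig: int) -> bool:
    """The bot executes a command only if it verifies under the embedded operator key."""
    return verify(command, sig, OPERATOR_PUB)


if __name__ == "__main__":
    cands = precompute_blocklist(["seed-01", "seed-02"], "2025-02-28", 5)
    print(f"{len(cands)} candidate C2 domains, e.g. {sorted(cands)[:2]}")
    cmd = b"proxy start 0.0.0.0:9000"  # constructed command, not a real Vo1d message
    print("operator command accepted:", bot_accepts(cmd, sign(cmd, OPERATOR_PRIV)))
    print("sinkhole command accepted:", bot_accepts(cmd, sign(cmd, RESEARCHER_PRIV)))
```

The practical consequence is the one XLab describes: seed recovery turns the DGA from an advantage for the operator into a complete forward-looking blocklist, but the signature check means takedown has to go through the domains and hosting, not through commandeering the bots.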
Update: Chinese Hackers Exploit Check Point VPN Flaw for Global Espionage
Chinese state-sponsored hackers have been exploiting CVE-2024-24919, an information-disclosure vulnerability in Check Point security gateways with the Remote Access VPN or Mobile Access blades enabled. The flaw, patched in May 2024, lets an unauthenticated attacker read sensitive files from the gateway, which in practice includes credential material; the attackers used it to steal VPN credentials and then moved laterally within corporate networks, primarily at manufacturing firms involved in supply chain operations. Once inside, they used DLL sideloading to deploy ShadowPad, a modular backdoor with advanced command-and-control capabilities. The primary goal appeared to be cyberespionage focused on intellectual property theft, but some opportunistic intrusions ended in ransomware deployment.

The campaign's reach extended across the U.S., Latin America, Europe, Africa, and the Middle East, with Mexico accounting for many of the victims. Analysts linked the activity to APT41, also known as Winnti, a group with a long history of Chinese state-backed cyber operations. Many of the targeted organizations were small operational technology firms with minimal cybersecurity resources, which made them easier targets for an advanced threat actor. With the credentials harvested through the VPN bug, the attackers escalated privileges, reached domain controllers, and installed remote persistence mechanisms to ensure long-term access to the compromised networks.

Check Point has urged all affected organizations to apply the May 2024 patches, reset VPN credentials (patching alone does not invalidate credentials that were already read from the gateway), and monitor for suspicious activity such as unauthorized RDP sessions, anomalous VPN logins, and execution of binaries from non-standard directories. Indicators of compromise include connections to known malicious domains and IPs tied to ShadowPad's infrastructure. The incident highlights the growing threat of cyberespionage against critical manufacturing and supply chain sectors, and the need for proactive patch management, multi-factor authentication on VPNs, and zero-trust security architectures to prevent future intrusions.
Update: Winos4.0 Malware Spreads via Malicious PDFs to Compromise Windows
A cyberattack campaign using the Winos4.0 malware framework has been targeting organizations in Taiwan through phishing emails disguised as tax audit notices from the National Taxation Bureau. The emails carry a malicious PDF attachment that leads victims to download a ZIP archive containing an executable posing as a legitimate application. Once launched, the malware runs a multi-stage infection chain that relies on DLL sideloading, stores later-stage payloads in the registry rather than on disk, and uses evasion tactics such as sandbox detection by comparing successive screenshots for changes, since an analysis environment with no user activity produces identical frames. The main payload, "loginmodule.dll", spawns multiple threads that alter system settings, disable security tools, weaken UAC settings, and intercept clipboard data related to financial transactions. It creates mutex objects to avoid infecting the same host twice and logs stolen credentials in hidden directories, maintaining persistent access while avoiding detection. Researchers observed the malware communicating with a command-and-control (C2) server over encrypted channels to exfiltrate data and receive further instructions.

Fortinet researchers identified infrastructure overlaps between this campaign and domains that previously hosted gaming-related malware, suggesting the reuse of resources by the same actors. Given the focus on Taiwan's tax system and the presence of Simplified Chinese annotations, the researchers suspect a link to Chinese state-sponsored groups. FortiGuard recommends enabling Content Disarm & Reconstruction (CDR) on email gateways, monitoring registry modifications for UAC bypass attempts, and deploying behavioral analysis tools to detect anomalies in system activity. Fortinet's products have been updated to block the associated malware signatures and C2 endpoints, but organizations must still put proactive measures in place, including application allowlisting and employee phishing awareness training.

As Winos4.0 continues to evolve with enhanced stealth and persistence techniques, organizations must prioritize endpoint detection and network monitoring to mitigate these threats.
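Two of the behaviours described in this item, payloads staged in the registry and weakened UAC settings, leave traces that can be checked offline from a registry export, which is the same text whether it comes from `reg export` on a live host or from a forensic hive dump. The following is an added example, not Fortinet's detection content: it parses .reg text and flags large, high-entropy binary values under persistence keys and UAC policy values set to their weakest setting. The sample export, the size and entropy thresholds, and the value name "loginmodule" are constructed for illustration.

```python
"""Triage a Windows registry export for staged payloads and weakened UAC (added example)."""
from __future__ import annotations
import hashlib
import math

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
UAC_WEAK = {"enablelua": 0, "consentpromptbehavioradmin": 0, "promptonsecuredesktop": 0}
PERSIST_HINTS = (r"\currentversion\run", r"\software\classes\clsid")
BLOB_MIN_BYTES = 4096   # assumed: normal Run/CLSID values are tiny, a staged PE is not
ENTROPY_MIN = 6.0       # bits per byte; encrypted or packed data sits near 8


def shannon(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _join_continuations(text: str) -> list[str]:
    """Fold .reg lines that end in a backslash into the following line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ""
    return lines


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Return {key path (lower-case): {value name (lower-case): int | bytes | str}}."""
    tree: dict[str, dict[str, object]] = {}
    key = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
        elif key and "=" in line and not line.startswith(";"):
            name, val = line.split("=", 1)
            name = name.strip('"').lower()
            if val.startswith("dword:"):
                tree[key][name] = int(val[6:], 16)
            elif val.startswith("hex:"):
                tree[key][name] = bytes.fromhex(val[4:].replace(",", ""))
            else:
                tree[key][name] = val.strip('"')
    return tree


def triage(text: str) -> list[str]:
    """Apply the UAC and staged-payload checks to one export; returns finding strings."""
    tree = parse_reg(text)
    out = []
    uac = tree.get(UAC_KEY, {})
    for name, weak in UAC_WEAK.items():
        if uac.get(name) == weak:
            out.append(f"[high] UAC weakened: {name}={weak}")
    for key, values in tree.items():
        if not any(h in key for h in PERSIST_HINTS):
            continue
        for name, val in values.items():
            if isinstance(val, bytes) and len(val) >= BLOB_MIN_BYTES:
                ent = shannon(val)
                tag = "high" if ent >= ENTROPY_MIN else "medium"
                out.append(f"[{tag}] {len(val)}-byte binary value '{name}' "
                           f"(entropy {ent:.2f}) under {key}")
    return out


def _pseudo_blob(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, cur = b"", seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return out[:n]


def build_sample_reg() -> str:
    """Constructed .reg export: weakened UAC plus a 4 KiB blob beside benign Run entries."""
    hexblob = ",".join(f"{b:02x}" for b in _pseudo_blob(4096))
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]",
        '"EnableLUA"=dword:00000000',
        '"ConsentPromptBehaviorAdmin"=dword:00000000',
        '"PromptOnSecureDesktop"=dword:00000001',
        "",
        r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
        r'"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
        '"Marker"=hex:01,02,03,04',
        f'"loginmodule"=hex:{hexblob}',
    ])


SAMPLE_REG = build_sample_reg()

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Both checks are cheap enough to run across a fleet of exports, and the entropy tag separates a blob that is merely large (a medium finding worth a look) from one that is almost certainly packed or encrypted. For live monitoring the same logic applies to registry-set events from Sysmon or an EDR, where the interesting signal is a process other than an installer writing a multi-kilobyte binary value under a Run or CLSID key.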