Qwizzserial Android Malware Masquerades as Legit Apps to Steal Banking Data and 2FA Codes
The Android malware Qwizzserial has reemerged as a significant threat across Central Asia, particularly in Uzbekistan, where it targets mobile banking users and exploits SMS-based two-factor authentication systems. Initially discovered in 2024, the malware gained momentum in 2025 through widespread Telegram-based distribution campaigns. It disguises itself as legitimate apps—posing as government financial aid tools or even mimicking real banking apps—to trick users into installing it. Once installed, it aggressively seeks sensitive permissions and presents a fake interface to harvest personal data, including phone numbers and full banking card information. Group-IB estimates that over 100,000 users have been infected, with more than $62,000 in financial losses reported within three months. Qwizzserial’s infection method is carefully crafted for stealth and persistence. It repeatedly prompts for access to SMS messages, call data, and device state, enabling it to intercept one-time codes and read sensitive communications. It packages victims' SMS histories into ZIP files, sorts them by content type, and uses regex filters to extract financial keywords for targeted theft. More recent versions include advanced obfuscation using NP Manager and Allatori, along with enhanced persistence that disables battery optimization settings to prevent the malware from being stopped. Instead of using Telegram APIs for command and control, it now sends data via HTTP POST to gate servers, signaling ongoing development by a well-organized cybercrime network with clearly defined roles. The campaign's scale and infrastructure underscore a professionalized mobile fraud operation with expanding capabilities and a regional impact.
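The permission pattern described above (SMS access, call data, device state, plus a request to be exempted from battery optimization) can be screened for statically before an app reaches users. The following is an added example, not code from Group-IB or the original report: it parses a constructed AndroidManifest.xml and scores the combination of permissions an app requests, so that lookalike "banking" or "financial aid" apps with SMS-interception and persistence permissions are flagged for manual review. The weights and the review threshold are assumptions for illustration; the permission names are the standard Android ones.

```python
"""Static triage of Android manifests for SMS-stealer style permission sets.

Added example (not from the report). Parses AndroidManifest.xml, collects
<uses-permission> entries and scores the combination that Qwizzserial-like
malware asks for: SMS read/receive, call log, phone state, and the
battery-optimization exemption it uses for persistence.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are an assumption for this example, not a published detection rule.
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.INTERNET": 1,
}
REVIEW_THRESHOLD = 6  # assumption: both SMS permissions alone reach this

SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(f"{ANDROID_NS}name", "")
        for elem in root.iter("uses-permission")
    }


def triage(manifest_xml: str) -> dict:
    """Score a manifest and explain why it should (or should not) be reviewed."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in PERMISSION_WEIGHTS)
    score = sum(PERMISSION_WEIGHTS[p] for p in hits)
    reasons = []
    if perms & SMS_PERMISSIONS:
        reasons.append("can read/receive SMS (one-time code interception risk)")
    if BATTERY_EXEMPTION in perms and perms & SMS_PERMISSIONS:
        reasons.append("requests battery-optimization exemption alongside SMS access")
    return {
        "score": score,
        "hits": hits,
        "review": score >= REVIEW_THRESHOLD,
        "reasons": reasons,
    }


# Constructed sample manifests (not real apps).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Bank"/>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["score"], "review" if result["review"] else "ok", result["reasons"])
```

In a real pipeline the manifest would come from decoding the APK (for example with `apktool` or `androguard`) rather than from an inline string; the scoring itself is meant as a triage aid, since legitimate messaging apps also request SMS permissions and a human reviewer still has to judge the app's stated purpose against what it asks for.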
Keymous+ Emerges as a Hybrid Threat Blurring Hacktivism and Profit-Driven Cybercrime
Keymous+ is a newly prominent cyber group claiming responsibility for over 700 DDoS attacks in 2025, impacting targets across Europe, North Africa, the Middle East, and Asia. Identifying themselves as “North African hackers,” the group has struck government sites, telecom firms, banks, educational platforms, and manufacturing systems. Their targeting lacks a consistent ideological thread, despite slogans like “Hack for Humanity” and involvement in #OpIndia and #OpIsrael. This ambiguity sets them apart from traditional hacktivists, raising questions about whether their motivation is driven by political posturing or financial gain. The randomness of their victim profile and the volume of attacks point more toward disruption and visibility than coherent activism. The group’s growing presence on Telegram and X is reinforced through affiliations with other hacktivist collectives, such as NoName057(16) and Moroccan Dragons, often co-branding operations like “Red Eye Op.” Internally, Keymous+ appears structured, with a so-called “Alpha Team” handling data breaches and a more active “Beta Team” conducting daily DDoS campaigns. Evidence also suggests a commercial layer to their operations through a link to EliteStress, a subscription-based DDoS-for-hire platform offering attack packages as low as €5 per day. Keymous+ promotes EliteStress openly, hinting at insider control or direct monetization. Their messaging often emphasizes uptime, power, and tool reliability—language more commonly used in commercial service promotion than in ideological warfare. As Keymous+ straddles the line between hacktivism and cybercrime-as-a-service, they represent a new model of hybrid threat actors: part brand, part botnet, and fully geared toward performance-driven disruption.
Pro-Russian Hacktivist Alliances Fuel Surge in Sophisticated Cyberattacks on Western Infrastructure
Pro-Russian hacktivist activity surged in 2025, driven by new alliances among emerging and veteran groups aiming to disrupt Western infrastructure amid ongoing geopolitical tensions over the Russia-Ukraine conflict. Following the decline of KillNet, previously a dominant force in the space, groups such as the IT Army of Russia and TwoNet have quickly risen to prominence. Their operations now go beyond simple defacements and involve coordinated DDoS attacks, SQL injection campaigns, and even intrusions into industrial control systems across Europe and North America. The #OpLithuania campaign in May 2025 showcased this collective strength, with seven groups—including Dark Storm Team, ServerKillers, and NoName057(16)—attacking Lithuanian government and financial systems in retaliation for the country’s anti-Russian policy stance. Analysts at Intel 471 have identified this collaborative structure as a key factor behind the increased reach and resilience of pro-Russian hacktivist operations. At the forefront is NoName057(16), which leads the DDoSia project, a crowdsourced attack platform that mimics the sophistication of state-sponsored capabilities. Written in Go, DDoSia allows volunteers to download attack clients, execute payloads locally, and track their participation through a unique ClientID system—with cryptocurrency incentives for top contributors. This approach enables rapid scalability and decentralized execution. In May 2025, Cloudflare documented one of the largest known attacks from this ecosystem: a 7.3 Tbps DDoS attack primarily powered by UDP floods. More concerning, some operations have expanded into operational technology (OT) systems, with documented incidents involving water treatment facilities being forced into manual operation after service disruption.
These developments indicate a concerning shift in hacktivist methodology—where ideological campaigns are now bolstered by professional tooling, collaborative networks, and an increasing capacity to impact real-world infrastructure at scale.
Top CVEs of the Week
As part of our ongoing monitoring of vulnerabilities, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.