TRENDING TOPICS JULY 22, 2025

GLOBAL GROUP Ransomware Surfaces with Cross-Platform Reach and Roots in Legacy Threats 

A new Ransomware-as-a-Service offering called GLOBAL GROUP is being marketed by a threat actor known as “Dollar Dollar Dollar” on the Ramp4u forum, aiming to recruit affiliates with promises of automated negotiations, scalable attacks, and high profit shares. Written in Golang, the malware executes across Windows, Linux, and macOS; no specific OS versions were disclosed, which suggests broad compatibility through statically linked binaries. GLOBAL GROUP uses monolithic payloads that don't rely on external dependencies, making them easier to deploy across environments. Picus Security Labs’ forensic analysis determined that GLOBAL GROUP is not a ground-up creation, but rather a rebranding of previous ransomware families—Mamona RIP and Black Lock—confirmed by code-level reuse and infrastructure similarities. The reuse of a unique mutex string from older variants underscores direct code inheritance and continuity in tactics, rather than innovation. Technically, GLOBAL GROUP employs the ChaCha20-Poly1305 encryption algorithm and leverages Golang’s goroutines to perform concurrent encryption across all drives, which drastically shortens the attack window. Affiliates can assign their own encrypted-file extensions, and the malware includes built-in logic for creating ransom notes, complete with Tor-based communication and access to leak sites. At this time, no confirmed attacks have been publicly attributed to GLOBAL GROUP, and there is no indication of specific industries being targeted. However, the malware’s flexible architecture and affiliate-driven model raise the risk of widespread abuse across sectors. Delivery methods remain unconfirmed, but given the nature of similar campaigns, common vectors would likely include phishing emails, exploit kits, or compromised RDP endpoints.
Organizations should monitor for unusual Golang binary activity, restrict RDP access, implement robust backup strategies, and ensure EDR solutions are tuned to detect abnormal concurrent file operations and Tor-related communications. 
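The EDR tuning recommended above (flagging abnormal concurrent file operations) can be illustrated with a small detector. This is an added example, not code from the original report or from any EDR product: it scans constructed file-event telemetry for a single process that renames many files to one new extension inside a short window, which is the footprint goroutine-driven parallel encryption leaves on a file system. The event fields, process names, paths and the ".lockd" extension are all constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"time"
)

// FileEvent is one record of constructed EDR-style file telemetry (not taken
// from any real product's schema).
type FileEvent struct {
	Time    time.Time
	PID     int
	Process string
	Op      string // "rename" or "write"
	Path    string // path after the operation completed
}

// Finding describes a process whose file activity crossed the burst threshold.
type Finding struct {
	PID          int
	Process      string
	Events       int    // events inside the window that triggered the finding
	NewExtension string // extension most of the renamed files acquired
}

// DetectEncryptionBursts flags any process that performs at least minEvents
// file operations inside a sliding window of the given length, where at least
// 80% of the renames in that window converge on a single new extension.
// At most one finding is emitted per process.
func DetectEncryptionBursts(events []FileEvent, window time.Duration, minEvents int) []Finding {
	byPID := map[int][]FileEvent{}
	for _, e := range events {
		byPID[e.PID] = append(byPID[e.PID], e)
	}
	var findings []Finding
	for pid, evs := range byPID {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		j := 0
		for i := range evs {
			// Advance j to the first event that falls outside the window opened at evs[i].
			for j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window {
				j++
			}
			if j-i < minEvents {
				continue
			}
			if ext, ok := dominantExtension(evs[i:j]); ok {
				findings = append(findings, Finding{PID: pid, Process: evs[i].Process, Events: j - i, NewExtension: ext})
				break
			}
		}
	}
	sort.Slice(findings, func(a, b int) bool { return findings[a].PID < findings[b].PID })
	return findings
}

// dominantExtension returns the extension shared by at least 80% of the renamed
// files in the window, or false when there are no renames or they are too diverse.
func dominantExtension(evs []FileEvent) (string, bool) {
	counts := map[string]int{}
	renames := 0
	for _, e := range evs {
		if e.Op != "rename" {
			continue
		}
		renames++
		counts[filepath.Ext(e.Path)]++
	}
	if renames == 0 {
		return "", false
	}
	best, bestN := "", 0
	for ext, n := range counts {
		if n > bestN {
			best, bestN = ext, n
		}
	}
	if bestN*5 < renames*4 { // below the 80% convergence threshold
		return "", false
	}
	return best, true
}

// SampleEvents builds constructed telemetry: an office suite saving three files
// over a minute, and a second process renaming twelve files to ".lockd" in under
// two seconds.
func SampleEvents() []FileEvent {
	base := time.Date(2025, 7, 22, 9, 0, 0, 0, time.UTC)
	var evs []FileEvent
	for i := 0; i < 3; i++ {
		evs = append(evs, FileEvent{Time: base.Add(time.Duration(i) * 20 * time.Second), PID: 4120,
			Process: "soffice.bin", Op: "write", Path: fmt.Sprintf("/home/ana/docs/draft%d.odt", i)})
	}
	names := []string{"q2.xlsx", "budget.docx", "plan.pdf", "notes.txt", "img1.png", "img2.png",
		"db.sqlite", "a.csv", "b.csv", "c.csv", "d.csv", "e.csv"}
	for i, n := range names {
		evs = append(evs, FileEvent{Time: base.Add(40*time.Second + time.Duration(i)*150*time.Millisecond), PID: 7331,
			Process: "updater", Op: "rename", Path: "/srv/share/finance/" + n + ".lockd"})
	}
	return evs
}

// RunSample applies the detector to the constructed telemetry: 10 events in 5 seconds.
func RunSample() []Finding {
	return DetectEncryptionBursts(SampleEvents(), 5*time.Second, 10)
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("ALERT pid=%d process=%s events=%d new_extension=%s\n", f.PID, f.Process, f.Events, f.NewExtension)
	}
}
```

The thresholds (window length, event count, 80% convergence) are the tunables the report's advice refers to; the office-suite process never crosses them, while the renaming process is flagged on its first full window. In production the same logic would run over the EDR's own file-event stream rather than an in-memory slice.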

New Android Malware Blends Click Fraud and Credential Theft in Global Campaign 

A recent Android malware campaign is targeting users in Southeast Asia, Latin America, and parts of Europe through sideloaded APKs disguised as casual games, reward apps, or spoofed Chrome and Facebook tools. These apps are promoted via social media lures, QR-code flyers, and fake landing pages that push users to install outside the Google Play ecosystem—circumventing Google’s built-in security checks. Once installed, the malicious apps request excessive permissions, granting them deep access to the device’s functions, contacts, camera, and foreground services. The malware originates from a shared codebase but is tailored regionally to impersonate banks, telecom providers, and betting services. Trustwave SpiderLabs researchers identified the operation after analyzing a Facebook-themed variant that was dropped from a spoofed site. Despite appearing to be low-risk apps, each sample launches background routines to simulate user interaction with ads and siphon sensitive login credentials, thereby maximizing both financial gain and data theft. Technically, the malware operates using a modular system, where C2 addresses are encrypted in AES-ECB mode and encoded in Base64, then decrypted at runtime using a hardcoded key embedded directly in the APK. It utilizes a known APK signing bypass to inject secondary payloads without compromising Android’s trust model, enabling it to install updates or new modules silently. Initial contact with the C2 infrastructure triggers a configuration fetch and activates click-fraud or credential-stealing modules, depending on the campaign settings. Users typically don’t notice anything wrong until data consumption or battery use spikes, by which time credentials and ad revenue have already been exfiltrated. There are no confirmed industry-specific targets, but given the flexibility of the lure themes and payloads, the campaign appears to prioritize reach and monetization over precision.
To mitigate risk, users should avoid sideloading apps, apply mobile threat detection solutions, and monitor for abnormal data behavior or app permission misuse on managed devices. 
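The Base64-over-AES-ECB layering with a key hardcoded in the APK is what makes this configuration recoverable by anyone analyzing a sample. The following is an added example, not code from the campaign or from Trustwave: it reverses that layering for a constructed blob and, as a triage aid, counts repeated ciphertext blocks, the tell-tale that a blob was produced under ECB rather than an IV-based mode. The key, the JSON configuration and the `example.invalid` hostname are all constructed; an analyst would instead start from the key and blob carved out of the real APK.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SampleKey is a constructed 16-byte stand-in for a key pulled from an APK.
var SampleKey = []byte("0123456789abcdef")

// SamplePlain is a constructed configuration; the host is a reserved example name.
const SamplePlain = `{"c2":["https://cfg.example.invalid/api"],"mode":"click"}`

// ecbApply runs the AES block cipher over each 16-byte block independently.
// Go's standard library deliberately offers no ECB helper; doing it by hand
// shows the mode's weakness: equal plaintext blocks give equal ciphertext blocks.
func ecbApply(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in) == 0 || len(in)%bs != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if encrypt {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty input")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecodeC2Config reverses the layering described for the campaign: strip the
// Base64 layer, AES-ECB decrypt with the hardcoded key, then remove padding.
func DecodeC2Config(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := ecbApply(key, ct, false)
	if err != nil {
		return "", err
	}
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncodeC2Config exists only to construct sample blobs for this example.
func EncodeC2Config(key []byte, plain string) (string, error) {
	ct, err := ecbApply(key, pkcs7Pad([]byte(plain), aes.BlockSize), true)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// RepeatedBlocks counts ciphertext blocks identical to an earlier block. A
// nonzero count on a short blob is a quick hint that the mode is ECB.
func RepeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// SampleEncodedConfig returns the constructed Base64 blob the decoder is run on.
func SampleEncodedConfig() string {
	enc, err := EncodeC2Config(SampleKey, SamplePlain)
	if err != nil {
		panic(err)
	}
	return enc
}

// RepeatsInAlignedSample encrypts three identical 16-byte blocks plus a one-byte
// tail and reports how many ciphertext blocks repeat (2 under ECB).
func RepeatsInAlignedSample() int {
	enc, err := EncodeC2Config(SampleKey, strings.Repeat("0000000000000000", 3)+"x")
	if err != nil {
		panic(err)
	}
	ct, _ := base64.StdEncoding.DecodeString(enc)
	return RepeatedBlocks(ct, aes.BlockSize)
}

func main() {
	cfg, err := DecodeC2Config(SampleKey, SampleEncodedConfig())
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered config:", cfg)
	fmt.Println("repeated ciphertext blocks in aligned sample:", RepeatsInAlignedSample())
}
```

Recovering the configuration this way is how defenders obtain the C2 hostnames to block or hunt for; the repeated-block check is useful when the mode is not yet known, since CBC or GCM output would not show such repeats on a blob this short.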

Iran-Backed MuddyWater Revives DCHSpy Android Malware Amid Regional Tensions 

In the wake of renewed hostilities between Israel and Iran, the Iranian state-linked APT group MuddyWater has resurfaced with updated versions of its DCHSpy Android surveillanceware. Tracked under multiple aliases—including Mango Sandstorm, Mercury, and Static Kitten—MuddyWater has a long history of espionage in the Middle East and is publicly attributed to Iran’s Ministry of Intelligence and Security (MOIS). Mobile security researchers at Lookout observed new samples of DCHSpy being deployed just one week after the escalation of the Israel-Iran conflict. The malware is often disguised as VPN or banking applications, sometimes under politically charged names, including Earth VPN or Hazrat Eshq. These samples were primarily distributed through Telegram channels in both English and Farsi, leveraging themes that resonate with anti-Iranian sentiment or capitalize on recent events—such as claims of Starlink internet access in Iran—to increase infection rates. Once installed, DCHSpy exhibits full surveillance functionality. It can exfiltrate contacts, messages, local files, WhatsApp content, location data, and audio-visual feeds by hijacking the microphone and camera. It shares technical infrastructure with SandStrike, another MuddyWater-linked spyware, and uses fake VPN configs or messaging app links to deploy its payload silently. The malware encrypts stolen data using a C2-delivered password and uploads it to a remote SFTP server. Distribution is highly targeted, relying on direct social engineering rather than broad app store campaigns. This wave of infections underscores how APTs are leveraging geopolitical events to accelerate mobile surveillance programs against both regional adversaries and domestic dissidents. 
To reduce risk, users should avoid downloading VPNs or tools promoted through unofficial channels, especially messaging apps, and implement mobile threat detection that can identify permission abuse, SFTP beaconing, or microphone activation without user interaction. 

Greedy Sponge Targets Mexican Firms with Customized AllaKore RAT and Financial Fraud Tactics 

Greedy Sponge, a financially motivated threat actor, has been targeting organizations across Mexico using a heavily customized version of the AllaKore RAT. Initially noted for references to a SpongeBob meme in its infrastructure, the group has evolved significantly, focusing on banking credential theft and authentication data to facilitate financial fraud. Active since at least 2022, Greedy Sponge has recently begun incorporating secondary payloads, including SystemBC, to expand its capabilities further, executing complex, layered attacks. Their targets span banking, retail, and public service sectors, with a clear emphasis on medium to large organizations. Recent campaigns demonstrate improved stealth through server-side geofencing, shifting away from earlier MSI-based client-side checks tied to Mexican IP addresses, making detection more challenging. Their delivery methods rely on spear-phishing and drive-by downloads that deliver deceptive ZIP files bundling legitimate applications alongside malicious installers. The infection chain begins with fake installers deploying a .NET downloader, which then retrieves the custom AllaKore RAT. This RAT enables remote access, keylogging, file manipulation, screenshot capture, and system control, all while maintaining persistence through scheduled updates in the system’s startup folder. To increase the impact, SystemBC is deployed in parallel, enabling encrypted communications and additional payload delivery. The group uses Spanish-language lures and infrastructure hosted on U.S.-based servers, with phishing domains spoofing legitimate Mexican business portals. Indicators suggest local ties, with remote access to C2 servers traced to within Mexico. Greedy Sponge’s sustained four-year campaign, coupled with infrastructure stability and malware refinement, reflects operational maturity.
Arctic Wolf recommends strengthening phishing defenses, restricting unauthorized software installations, and enabling detailed PowerShell logging. Without coordinated disruption, Greedy Sponge is expected to maintain its foothold in the region and continue monetizing compromised systems through targeted financial schemes.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.