
Table of Contents

  1. SpyLend Android Malware Downloaded 100,000 Times from Google Play 
  2. GhostSocks Malware Uses SOCKS5 Proxy to Evade Detection Systems 
  3. LockBit Ransomware Strikes: Exploiting a Confluence Vulnerability 
  1. SpyLend, an Android malware app posing as a financial management tool, was downloaded over 100,000 times from Google Play before researchers at CYFIRMA identified it as a predatory lending scam. Operating under the broader "SpyLoan" category, SpyLend and its variants—KreditApple, PokketMe, and StashFur—specifically targeted users in India by promising quick loans with minimal documentation. Once installed, the app requested extensive permissions, gaining access to contacts, call logs, SMS messages, photos, clipboard data, banking details, and real-time location tracking. This stolen data was weaponized for harassment, blackmail, and extortion, with scammers threatening victims with fabricated explicit images if payments were not made under steep interest rates. Many victims reported being coerced through aggressive repayment tactics, falsely believing the app to be a legitimate Non-Banking Financial Company (NBFC). To evade detection, SpyLend did not directly provide loan services on Google Play but instead redirected Indian users via WebView to an external site where the malicious APK was downloaded. The app remained functional even after being removed from the Play Store, continuing to collect sensitive user data in the background. CYFIRMA researchers also found evidence that the stolen data may be used for financial fraud or sold on cybercriminal marketplaces. Users who installed the app are advised to remove it immediately, revoke permissions, reset credentials, and scan their devices for malware. Enabling Google Play Protect and exercising caution when downloading financial apps can help prevent falling victim to similar threats. 
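The permission overreach described above is something a triage analyst can check mechanically once an APK's manifest has been decoded. The following is an added example (not code from CYFIRMA or from the SpyLend sample) that reads a decoded AndroidManifest.xml and maps every requested high-risk permission to the category of data it exposes; the permission names are standard Android ones, while the manifest fragment and the package name `com.example.quickloan` are constructed for the demonstration.

```python
"""Triage the permissions a decoded AndroidManifest.xml requests against what a
loan app plausibly needs. Added example; SAMPLE_MANIFEST is constructed for the
demonstration and is not the manifest of SpyLend or any real app."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permissions whose grant exposes the categories of data the
# summary above says were collected, plus the one that enables sideloading
# of a further APK (the WebView-to-download pattern described above).
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is closed",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further APKs",
}

# Constructed manifest fragment (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QuickLoan"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def flag_overreach(manifest_xml: str) -> Dict[str, str]:
    """Map each high-risk permission the manifest requests to the data it exposes."""
    return {p: HIGH_RISK[p] for p in requested_permissions(manifest_xml) if p in HIGH_RISK}


if __name__ == "__main__":
    for perm, data in flag_overreach(SAMPLE_MANIFEST).items():
        print(f"{perm}: grants access to {data}")
```

A manifest that asks for none of these permissions is not automatically safe (the app can still redirect to a download outside the store), but a "loan" app that requests contacts, SMS and location at install time matches the data-collection profile described above and deserves a closer look.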

  2. GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, has gained traction in the cybercrime ecosystem since its emergence on Russian-language forums in late 2023. By mid-2024, it expanded to English-speaking criminal platforms, operating under a Malware-as-a-Service (MaaS) model that enables cybercriminals to exploit compromised systems for financial gain. Its integration with the LummaC2 information stealer in early 2024 has significantly increased its effectiveness, allowing attackers to abuse stolen credentials and evade anti-fraud measures. GhostSocks employs obfuscation techniques like Garble and Gofuscator to evade detection, making it a popular tool for targeting high-value sectors, including financial institutions. The malware hijacks network traffic through a SOCKS5 backconnect proxy, masking the attacker's origin and bypassing IP-based security restrictions. It establishes relay-based command-and-control (C2) communications using HTTP APIs, leveraging intermediary servers to maintain a persistent foothold. Researchers have identified multiple C2 servers associated with GhostSocks, primarily hosted on Russian-speaking Virtual Dedicated Server (VDS) providers. Beyond proxying, the malware includes backdoor capabilities such as executing arbitrary commands, modifying SOCKS5 credentials, and deploying additional payloads. With its seamless integration into LummaC2 and its increasing adoption on MaaS platforms, GhostSocks exemplifies the growing sophistication of cybercriminal tools, requiring defenders to track unique behavioral indicators and implement proactive detection measures. 
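One behavioural indicator of a backconnect proxy is direction: a normal SOCKS5 server receives handshakes on connections that clients open to it, whereas an infected host dials out to the relay and then receives SOCKS5 greetings and CONNECT requests on that outbound connection. The following is an added example (not GhostSocks code, and not a detection rule from the cited research) that parses SOCKS5 handshake messages per RFC 1928 and flags flows where the local host opened the connection yet received a SOCKS5 greeting; all byte strings and the flow records are constructed.

```python
"""Recognise SOCKS5 (RFC 1928) handshake messages in captured TCP payloads and
flag the backconnect pattern: SOCKS5 requests arriving on a connection the local
host itself opened. Added example; all byte strings below are constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is exactly one client greeting
    (VER, NMETHODS, METHODS...), else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Dict]:
    """Decode a SOCKS5 request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT); None if malformed."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        return None
    if atyp == 0x01:                # IPv4: 4 address bytes
        addr_end = 4 + 4
    elif atyp == 0x03:              # domain name: one length byte, then the name
        if data[4] == 0:
            return None
        addr_end = 5 + data[4]
    elif atyp == 0x04:              # IPv6: 16 address bytes
        addr_end = 4 + 16
    else:
        return None
    if len(data) != addr_end + 2:   # exactly a 2-byte port must follow the address
        return None
    raw = data[4:addr_end]
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw[1:].decode("ascii", errors="replace")
    (port,) = struct.unpack("!H", data[addr_end:])
    return {"cmd": COMMANDS[cmd], "atyp": atyp, "host": host, "port": port}


# Constructed sample messages.
GREETING = bytes([0x05, 0x02, 0x00, 0x02])                                      # offers no-auth and user/password
REQUEST_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"  # CONNECT example.com:443
REQUEST_IPV4 = b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + b"\x00\x50"        # CONNECT 192.168.1.10:80

# Constructed flow records of the shape a sensor might emit: who opened the TCP
# connection, and the first payload the local host *received* on it.
SAMPLE_FLOWS = [
    {"id": "f1", "opened_by_local_host": True,  "first_inbound": GREETING},
    {"id": "f2", "opened_by_local_host": False, "first_inbound": GREETING},
    {"id": "f3", "opened_by_local_host": True,  "first_inbound": b"HTTP/1.1 200 OK\r\n"},
]


def backconnect_suspects(flows: List[Dict]) -> List[str]:
    """IDs of flows where the local host dialled out and then received a SOCKS5
    greeting, i.e. it is acting as the proxy server over a connection it opened."""
    return [f["id"] for f in flows
            if f["opened_by_local_host"] and parse_greeting(f["first_inbound"]) is not None]


if __name__ == "__main__":
    print(parse_request(REQUEST_DOMAIN))
    print("backconnect suspects:", backconnect_suspects(SAMPLE_FLOWS))
```

The greeting check alone is a weak signal (a four-byte match can occur by chance), so in practice the flow would be confirmed by also parsing the subsequent request and by correlating with the other indicators named above, such as the HTTP-API C2 relay traffic and the process that owns the socket.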

  3. LockBit ransomware operators executed a highly coordinated attack by exploiting CVE-2023-22527, a critical remote code execution vulnerability in Atlassian Confluence servers. This flaw allowed attackers to inject malicious Object-Graph Navigation Language (OGNL) expressions, gaining initial access to an exposed Windows server. Atlassian patched the vulnerability on January 16, 2024, but with a proof-of-concept (PoC) exploit publicly released soon after, threat actors, including LockBit, quickly leveraged it to target unpatched systems. The attack began with reconnaissance commands to enumerate user accounts and system details before deploying AnyDesk for persistence and establishing command-and-control (C2) channels through Metasploit. Within minutes, they escalated privileges by creating a new administrator account, disabled Windows Defender, and moved laterally using Remote Desktop Protocol (RDP) to compromise backup servers and file shares. Tools like Mimikatz and SoftPerfect's NetScan enabled credential harvesting and network mapping, while PowerShell scripts were used to extract Veeam credentials for deeper access. The threat actor initiated data exfiltration an hour into the attack, transferring stolen files to MEGA[.]io via Rclone. They wiped Windows event logs and deleted operational artifacts to cover their tracks before launching the LockBit ransomware payload. Initially executed manually on select servers, the ransomware was distributed using PDQ Deploy to automate encryption across multiple endpoints via SMB shares. The attackers mounted remote systems' C$ shares for secondary encryption as a redundancy measure. Within two hours of initial access, files were encrypted with the [.]rhddiicoE extension, and ransom notes were left across affected systems. The swift execution and advanced toolset used in this attack highlight the urgency of patching known vulnerabilities and strengthening network defenses to detect and disrupt ransomware operations before they escalate. 
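Because the whole chain above ran in about two hours, the detection opportunity lies in correlating its stages per host inside a short window rather than alerting on any one of them. The following is an added example (not from the incident report, and not a vendor rule) that does that over Windows event records: new account created (Security 4720), member added to the local Administrators group (4732), Defender real-time protection disabled (Defender Operational 5001), audit or System log cleared (1102 / 104), and process creation (4688) of the remote-admin and exfiltration tools named above. The event IDs are the standard Windows ones; the records, hostnames, account name and file paths are constructed for the demonstration.

```python
"""Correlate Windows event records into the post-exploitation chain summarised
above (new admin account, Defender disabled, log clearing, remote-admin and
exfil tooling). Added example; SAMPLE_EVENTS is constructed, not a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed records in the shape of a SIEM export (Security / Defender / System logs).
# Hostnames, the account name and the paths are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:10", "host": "SRV-CONF01", "event_id": 4688,
     "process": r"C:\Users\Public\AnyDesk.exe"},
    {"ts": "2024-03-01T09:05:44", "host": "SRV-CONF01", "event_id": 4720, "target_user": "svc_backup2"},
    {"ts": "2024-03-01T09:05:51", "host": "SRV-CONF01", "event_id": 4732, "group": "Administrators"},
    {"ts": "2024-03-01T09:07:03", "host": "SRV-CONF01", "event_id": 5001},
    {"ts": "2024-03-01T10:01:29", "host": "SRV-CONF01", "event_id": 4688,
     "process": r"C:\ProgramData\rclone.exe"},
    {"ts": "2024-03-01T10:40:12", "host": "SRV-CONF01", "event_id": 1102},
    {"ts": "2024-03-01T11:15:00", "host": "WS-042", "event_id": 4720, "target_user": "j.smith"},
]

# Executables whose appearance in a 4688 event maps to a chain stage.
TOOL_STAGES = {"anydesk.exe": "remote_admin_tool", "rclone.exe": "exfil_tool"}


def stage_of(ev: Dict) -> Optional[str]:
    """Map one event to a chain stage, or None if it is not of interest."""
    eid = ev["event_id"]
    if eid == 4720:                                   # A user account was created
        return "account_created"
    if eid == 4732 and ev.get("group") == "Administrators":   # member added to local group
        return "added_to_admins"
    if eid == 5001:                                   # Defender real-time protection disabled
        return "defender_rtp_disabled"
    if eid in (1102, 104):                            # audit log / System log cleared
        return "event_log_cleared"
    if eid == 4688:                                   # process creation
        exe = PureWindowsPath(ev.get("process", "")).name.lower()
        return TOOL_STAGES.get(exe)
    return None


def correlate(events: List[Dict], window: timedelta = timedelta(hours=2),
              min_stages: int = 3) -> Dict[str, List[str]]:
    """For each host, take the first occurrence of every stage and find the largest
    set of stages that fits in a sliding `window`; report hosts reaching `min_stages`.
    Stages are listed in time order."""
    first_seen: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage and stage not in first_seen[ev["host"]]:
            first_seen[ev["host"]][stage] = datetime.fromisoformat(ev["ts"])

    hits: Dict[str, List[str]] = {}
    for host, stages in first_seen.items():
        ordered = sorted(stages.items(), key=lambda kv: kv[1])
        best: List[str] = []
        for i, (_, start) in enumerate(ordered):
            run = [name for name, ts in ordered[i:] if ts - start <= window]
            if len(run) > len(best):
                best = run
        if len(best) >= min_stages:
            hits[host] = best
    return hits


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The window and the stage threshold are tuning knobs: a single 4720 on a workstation (the `WS-042` record) is routine administration and stays silent, while four or more stages on one server inside two hours is the tempo described above. Because the attackers cleared the event logs at the end, the correlation only works if events are forwarded off-host as they are written; logs that exist only on the compromised server will be gone by the time anyone looks.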
💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.
Monthly Wrap - January 2025
Overview

The cybersecurity landscape in January 2025 exhibited a rapid evolution of attack techniques, increased supply chain compromises, and advanced AI-powered threats. Major threat actors, including state-sponsored advanced persistent threat (APT) groups and financially motivated cybercriminals, continued to exploit vulnerabilities in critical infrastructure, enterprise networks, and cloud environments. One of