WEEKLY TOP TEN: March 03, 2025, 16:00 GMT
- Vo1d Malware Botnet Grows to 1.6 Million Android TVs Worldwide
A new Vo1d malware variant has infected over 1.5 million Android TV devices across 226 countries, creating a massive botnet that peaked in January 2025 and currently maintains 800,000 active bots. XLab researchers found that this evolved version features advanced encryption, DGA-powered infrastructure, and enhanced stealth capabilities, making it one of the largest botnets in recent history. Brazil (25%), South Africa (13.6%), and Indonesia (10.5%) are the most affected regions.
The botnet’s fluctuating infection patterns suggest the operators may be “renting” devices as proxy servers for various illegal activities. The C2 infrastructure leverages 32 DGA seeds to produce over 21,000 domains protected by 2048-bit RSA keys.
- FBI Confirms Lazarus Hackers Were Behind $1.5B Bybit Crypto Heist
North Korean hackers stole $1.5 billion from cryptocurrency exchange Bybit on February 21, 2025, marking the largest crypto heist ever recorded, according to the FBI. The state-sponsored Lazarus Group intercepted a scheduled transfer by redirecting funds to addresses under their control after compromising a Safe{Wallet} developer machine that had access to Bybit’s account.
Blockchain investigators identified the North Korean link when funds stolen from Bybit were sent to the same Ethereum addresses previously used in North Korean hacks against Phemex, BingX, and Poloniex. The FBI has shared 51 Ethereum addresses connected to the hackers and urged cryptocurrency services to block transactions from these addresses as the attackers rapidly convert stolen assets across thousands of addresses on multiple blockchains.
- A Wolf in Dark Mode: The Malicious VS Code Theme That Fooled Millions
A popular VSCode theme extension, “Material Theme,” was discovered to contain malware, affecting nearly 4 million developers. The malicious code was hidden in a compromised dependency, leading Microsoft to remove it and other extensions from publisher Equinusocio, including “Material Theme Icons” with 5+ million installs. With Equinusocio’s extensions totaling over 13 million installs, the impact remains significant. Users should check their environments for infection if the extensions have been installed.
- EncryptHub Breaches 618 Orgs to Deploy Infostealers, Ransomware
LARVA-208 (EncryptHub) is a threat actor that has been conducting sophisticated spear-phishing attacks since June 2024, using SMS or direct calls to trick victims into installing remote monitoring software. The attackers create phishing sites targeting organization VPNs or exploit open URL redirection in Microsoft services to harvest credentials and bypass MFA. After gaining access, they deploy PowerShell scripts and stealers like Fickle, StealC, and Rhadamanthys to collect sensitive information. Research shows the threat actor has compromised 618 different organizations, typically concluding attacks by deploying ransomware, including their custom PowerShell-based “locker.ps1” variant.
- Massive Botnet Targets M365 with Stealthy Password Spraying Attacks
A massive botnet of over 130,000 compromised devices is conducting large-scale password-spraying attacks against Microsoft 365 accounts by exploiting non-interactive sign-ins with Basic Authentication. This technique effectively bypasses modern login protections and evades MFA enforcement by causing login events to be logged in Non-Interactive Sign-In logs, which are frequently overlooked by security teams.
Researchers identified six C2 servers hosted in the US but configured with the “Asia/Shanghai” timezone that use Apache Zookeeper and Kafka to manage the distributed botnet infrastructure. The attackers leverage stolen credentials from infostealer logs to systematically target accounts while using proxy servers hosted in UCLOUD HK and CDS Global Cloud to evade detection.
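An added example (not from the researchers or the original article) of the log check this item calls for: it runs over constructed records shaped like Microsoft Graph signIn objects from a non-interactive sign-in export (field names, the 50126 invalid-password code and the legacy clientAppUsed values are assumed from that API), flags the “fasthttp” user agent and Basic-Auth legacy clients, and groups failures by source IP to surface the spraying address and the accounts it actually got into.

```python
from collections import defaultdict

# Legacy-protocol clients that accept Basic Authentication and skip MFA.
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP", "POP", "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126  # Entra ID error code for a wrong username/password

def _rec(upn, ip, interactive, client, ua, code):
    """Build a record shaped like a Microsoft Graph signIn object (subset of fields)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "isInteractive": interactive,
            "clientAppUsed": client, "userAgent": ua, "status": {"errorCode": code}}

# Constructed sample export: every value below is made up for this example.
SPRAY_IP, BROWSER_UA = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/135.0"
SAMPLE_SIGNINS = [
    _rec("alice@example.com", SPRAY_IP, False, "Authenticated SMTP", "fasthttp", INVALID_PASSWORD),
    _rec("bob@example.com", SPRAY_IP, False, "Authenticated SMTP", "fasthttp", INVALID_PASSWORD),
    _rec("carol@example.com", SPRAY_IP, False, "Authenticated SMTP", "fasthttp", INVALID_PASSWORD),
    _rec("dave@example.com", SPRAY_IP, False, "Authenticated SMTP", "fasthttp", 0),  # credential hit
    _rec("erin@example.com", "198.51.100.7", True, "Browser", BROWSER_UA, 0),       # normal login
]

def signin_flags(rec):
    """Reasons one record deserves a look; an empty list means nothing stood out."""
    flags = []
    if "fasthttp" in rec.get("userAgent", "").lower():
        flags.append("fasthttp user agent")
    if not rec.get("isInteractive", True) and rec.get("clientAppUsed") in LEGACY_CLIENTS:
        flags.append("non-interactive legacy auth")
    return flags

def find_spray_sources(records, min_targets=3):
    """Source IP -> (distinct accounts it failed against, accounts it got into).
    Only IPs that failed against at least `min_targets` distinct accounts are returned."""
    tried, hits = defaultdict(set), defaultdict(set)
    for rec in records:
        ip, upn, code = rec["ipAddress"], rec["userPrincipalName"], rec["status"]["errorCode"]
        if code == INVALID_PASSWORD:
            tried[ip].add(upn)
        elif code == 0:
            hits[ip].add(upn)
    return {ip: (len(users), sorted(hits[ip])) for ip, users in tried.items() if len(users) >= min_targets}

def accounts_to_rotate(records, min_targets=3):
    """Accounts that authenticated successfully from a spraying IP: rotate these first."""
    return sorted({u for _, ok in find_spray_sources(records, min_targets).values() for u in ok})
```

On a real export, the success from the spraying IP (dave above) is the record that matters most: the failures are noise, the hit is a compromised account.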
Organizations should immediately verify their Non-Interactive Sign-In logs for suspicious activity with the user agent “fasthttp” and rotate credentials for any affected accounts.
- Dropping a 0-day: Parallels Desktop Repack Root Privilege Escalation
A 0-day vulnerability has been discovered that bypasses the patch for CVE-2024-34331 in Parallels Desktop, with two distinct methods to circumvent the fix. The first method exploits a TOCTOU (Time-of-Check to Time-of-Use) vulnerability where an attacker can replace the createinstallmedia tool after signature verification but before execution.
TOCTOU is a race condition where the security check and the actual use of a resource happen at different times, creating an exploitable gap. The second method takes advantage of weak signature verification requirements (“anchor apple”), allowing malicious code to be injected into legitimate Apple-signed binaries. Additionally, a new issue in the do_repack_manual function was identified that allows arbitrary file writes to root-owned paths by manipulating controlled variables and using symlinks to redirect folders.
Despite multiple reports to both Zero Day Initiative and Parallels over a seven-month period (May 2024 to February 2025), these vulnerabilities remain unpatched, creating security risks for users running Parallels Desktop.
- Fake CAPTCHAs, Malicious PDFs, SEO Traps Leveraged for User Manual Searches
Netskope Threat Labs has uncovered a large-scale phishing campaign using fake CAPTCHA images in PDF files distributed across 260 unique domains hosting nearly 5,000 malicious documents. The attackers use SEO poisoning techniques to trick victims searching for PDF documents into clicking malicious search engine results that lead to phishing sites designed to steal credit card information.
Some PDF files contain fake CAPTCHAs that trick users into executing malicious PowerShell commands, ultimately delivering Lumma Stealer malware through a multi-stage infection chain. The campaign has affected more than 1,150 organizations and 7,000 users since late 2024, primarily targeting victims in North America, Asia, and Southern Europe across technology, financial services, and manufacturing sectors.
- Android Trojan TgToxic Updates Its Capabilities
Intel 471 researchers have documented three rapid evolutionary updates to the TgToxic Android banking trojan, which Trend Micro first discovered in 2022. After Cleafy published details on the “ToxicPanda” strain in October 2024, threat actors responded with a new variant that shifted from hard-coded C2 servers to using 25 community forums as dead drop locations for encrypted malware configurations.
By December 2024, a third variant emerged, employing domain generation algorithms to create new C2 domains, making detection and takedown significantly more difficult. The latest version also incorporates sophisticated anti-emulation techniques that perform detailed hardware fingerprinting and system property analysis to evade automated security analysis.
These quick changes show how threat actors watch security blogs and adapt rapidly, while also shifting their focus from Asian banks to new targets across Europe and Latin America.
- Research Finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek’s Training Data
Truffle Security scanned the Common Crawl (400TB of web data used to train LLMs) and found 11,908 live API keys and passwords across 2.76 million web pages. This research explains why LLMs might suggest hardcoding credentials in generated code: they learn from insecure examples in their training data.
Most concerning was the high reuse rate (63% of secrets appeared on multiple pages) and the prevalence of specific credentials like Mailchimp API keys. The researchers contacted affected vendors to help revoke thousands of exposed keys. They recommend using LLM instructions to explicitly prohibit insecure coding patterns and expanding secret scanning to include public datasets used for AI training.
- JavaGhost’s Persistent Phishing Attacks From the Cloud
Unit 42 researchers have tracked JavaGhost, a threat group that started with website defacements in 2019 before pivoting to phishing campaigns in 2022. Rather than exploiting AWS vulnerabilities, they target misconfigured environments with exposed access keys. Their evolution includes bypassing typical detection methods by avoiding standard reconnaissance commands and using sophisticated evasion techniques previously only seen with more advanced threat actors.
After gaining access, they leverage the victim’s own email services to send phishing messages that easily bypass security filters, while creating backdoor accounts for persistence. Despite becoming more sophisticated, they still leave their calling card: security groups named “Java_Ghost” with the description “We Are There But Not Visible”. All of their activity remains traceable in CloudTrail logs.
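A CloudTrail triage pass of the kind this item implies, as an added example that is not Unit 42’s code: over constructed records (a subset of real CloudTrail fields; key IDs, names and addresses are made up) it flags the calling-card security group, IAM calls that create backdoor principals or keys, and email-identity changes, then groups the matches by the access key that made them. SES as the email service is an assumption; the item only says “the victim’s own email services”.

```python
# Calling card reported for this group: a security group with this name and description.
CALLING_CARD_NAME = "java_ghost"
CALLING_CARD_DESC = "we are there but not visible"
# IAM calls that create persistence (new principals or new long-lived credentials).
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
# Email identity changes; SES is an assumption, the item only says "the victim's own email services".
EMAIL_EVENTS = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity"}

def _ev(time, source, name, ident_type, key, ip, params):
    """Build a CloudTrail record (subset of the real fields) for the constructed sample below."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": ident_type, "userName": "ci-deploy", "accessKeyId": key},
            "requestParameters": params}

EXPOSED_KEY, ATTACKER_IP = "AKIAEXAMPLEKEY00001", "198.51.100.23"
SAMPLE_TRAIL = [  # constructed sample: key IDs, names, addresses and times are all made up
    _ev("2025-02-20T11:02:10Z", "ec2.amazonaws.com", "CreateSecurityGroup", "IAMUser", EXPOSED_KEY, ATTACKER_IP,
        {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}),
    _ev("2025-02-20T11:03:42Z", "iam.amazonaws.com", "CreateUser", "IAMUser", EXPOSED_KEY, ATTACKER_IP,
        {"userName": "svc-backup2"}),
    _ev("2025-02-20T11:03:50Z", "iam.amazonaws.com", "CreateAccessKey", "IAMUser", EXPOSED_KEY, ATTACKER_IP,
        {"userName": "svc-backup2"}),
    _ev("2025-02-20T11:05:11Z", "ses.amazonaws.com", "VerifyEmailIdentity", "IAMUser", EXPOSED_KEY, ATTACKER_IP,
        {"emailAddress": "billing@example.com"}),
    _ev("2025-02-20T14:20:00Z", "ec2.amazonaws.com", "DescribeInstances", "AssumedRole", "ASIAEXAMPLETEMP0001", "203.0.113.55", {}),  # routine, no match
]

def event_indicators(ev):
    """Why one CloudTrail record matches this group's tradecraft; an empty list means no match."""
    p, name, hits = ev.get("requestParameters") or {}, ev["eventName"], []
    if name == "CreateSecurityGroup" and (p.get("groupName", "").lower() == CALLING_CARD_NAME
                                          or p.get("groupDescription", "").lower() == CALLING_CARD_DESC):
        hits.append("calling-card security group")
    if name in PERSISTENCE_EVENTS:
        hits.append(f"persistence: {name} {p.get('userName', '')}".strip())
    if name in EMAIL_EVENTS:
        hits.append(f"email identity change: {p.get('emailAddress') or p.get('domain', '?')}")
    return hits

def triage_by_key(events):
    """Group matches by the access key that made them, so one exposed key reads as one incident."""
    report = {}
    for ev in events:
        hits = event_indicators(ev)
        if not hits:
            continue
        key = ev["userIdentity"].get("accessKeyId", "?")
        entry = report.setdefault(key, {"long_lived_key": key.startswith("AKIA"),
                                        "source_ips": set(), "indicators": []})
        entry["source_ips"].add(ev["sourceIPAddress"])
        entry["indicators"].extend(hits)
    return report
```

A long-lived AKIA key doing all of this from one unfamiliar address is the pattern the item describes: an exposed access key, not an exploited service.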
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available: