WEEKLY TOP TEN: April 07, 2025, 14:39 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available:

- QR Codes on the Rise in Phishing Attempts
Phishing attacks using QR codes are on the rise, as cybercriminals exploit them to bypass email filters and target smartphone users, whose devices often have weaker security controls. QR codes are difficult to identify as malicious and can lead to phishing sites, sometimes embedded in legitimate-looking documents such as employee handbooks. To protect against these attacks, users should keep devices updated, scrutinize QR codes before scanning, and use anti-malware protection on mobile devices.

- Oracle Partially Confirms Data Breach
Oracle has acknowledged a breach in a legacy system from 2017, where attackers stole old client credentials and exfiltrated data from its Oracle Identity Manager database, including usernames and hashed passwords. Despite Oracle’s claim that the compromised data is not sensitive, the attacker has shared newer records from 2024 and 2025, and some of the information is already being sold on hacking forums. The breach is still under investigation by CrowdStrike and the FBI, while Oracle continues to deny any breach involving its current cloud services.

- HellCat Ransomware Group Employs Strange Negotiation
HellCat is a ransomware-as-a-service group that emerged in 2024, known for stealing sensitive data, encrypting systems, and demanding ransoms. In a bizarre twist, it once demanded that part of a ransom from Schneider Electric be paid in baguettes, likely to humiliate the victim or gain publicity. Despite this odd demand, HellCat has targeted serious organizations, including Israel’s parliament and Jordan’s Ministry of Education.

- DPRK Threat Actors Use ClickFix to Target Job Seekers
North Korean threat actors behind the Contagious Interview campaign have adopted the ClickFix tactic to distribute a previously undocumented Go-based malware, GolangGhost, targeting job seekers in the cryptocurrency sector. By impersonating legitimate companies, they lure victims into downloading malware through fake video interview setups. This marks a shift in their focus from decentralized finance (DeFi) to centralized finance, with the malware stealing sensitive data, including cryptocurrency. Additionally, the Lazarus Group has been linked to fraudulent IT worker schemes across Europe, further expanding its cyber operations to generate illicit revenue for North Korea.

- Counterfeit Android Phones Sold with Preinstalled Malware
Counterfeit Android smartphones, sold at reduced prices, have been found preloaded with a modified version of the Triada malware, impacting over 2,600 users, primarily in Russia. Triada, a remote access trojan, grants attackers unfettered control over infected devices, enabling them to steal sensitive data, send messages, hijack clipboard content, and monitor web activity. The malware continues to evolve: previous campaigns leveraged hardware supply chain compromises, and the latest version is actively being used to transfer illicit funds, highlighting ongoing threats to Android device security.

- Hackers Skim Credit Cards Online Using the Stripe API
Cybersecurity researchers at Jscrambler have uncovered a sophisticated web-skimming campaign targeting online retailers that uses a legacy Stripe API to validate stolen credit card details in real time. The attack injects malicious JavaScript into checkout pages, captures payment data, verifies its validity through the deprecated API, and then transmits the details to attacker-controlled servers. The campaign, ongoing since at least August 2024, primarily affects e-commerce platforms such as WooCommerce and PrestaShop, with tailored skimmer scripts and deceptive payment forms designed to bypass security defenses.

- PoisonSeed Crypto Theft Campaign Uses Compromised Corporate Emails
A large-scale phishing campaign, named PoisonSeed, is targeting Coinbase and Ledger users by compromising corporate email marketing accounts at services such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The attackers use the stolen accounts to send emails containing fake crypto seed phrases designed to steal cryptocurrency from victims. By sending phishing emails that prompt users to enter a fraudulent Coinbase seed phrase into a new wallet, the attackers gain access to and drain the victim’s cryptocurrency wallet. Silent Push warns that users should never use seed phrases provided in unsolicited emails and should always verify requests directly with the platform.

- Servers of Coquettte Cybercrime Group Exposed Due to OPSEC Failures
A novice cybercriminal group, known as Coquettte, has been observed using a Russian bulletproof hosting provider, Proton66, to distribute malware under the guise of antivirus software. The malicious infrastructure was exposed after an operational security failure led to the discovery of a fake website. Coquettte’s operation involves delivering malware, such as Rugmi, which is used to deploy information stealers including Lumma, Vidar, and Raccoon. Coquettte’s activities also extend to running websites offering illegal substance manufacturing guides and weapons. The threat actor appears to be a young individual, possibly a student, and is linked to a broader cybercrime group called Horrid.

- Hunters International Ransomware Group Shifts to Extortion Only
The Hunters International Ransomware-as-a-Service (RaaS) group has rebranded as “World Leaks,” shifting from ransomware attacks to data theft and extortion-only tactics. Using a custom exfiltration tool, the group now focuses on stealing data from organizations without encrypting it. This change follows declining profitability and increased scrutiny of its previous ransomware activities.

- Popular VPN Apps Route Data Through Chinese Companies
A report by the Tech Transparency Project reveals that up to 20% of the most popular mobile VPN apps for iOS are owned by Chinese companies, some with connections to the Chinese military. Notably, Qihoo 360, which owns several VPN apps including Turbo VPN, is listed on the U.S. Entity List for posing national security risks, raising concerns about user privacy and data security.