New Immersive World LLM jailbreak lets anyone create malware with GenAI. Discover how Cato Networks researchers tricked ChatGPT, Copilot, and DeepSeek into coding infostealers - In this case, a Chrome infostealer.

Cato Networks, a Secure Access Service Edge (SASE) solution provider, has released its 2025 Cato CTRL Threat Report, revealing an important development. According to researchers, they have successfully designed a technique that allows individuals with no **prior coding experience** to create malware using readily available generative AI (GenAI) tools.

****LLM Jailbreak Created Functioning Chrome Infostealer via “Immersive World”****

The core of their research is a novel Large Language Model (LLM) jailbreak technique, dubbed “Immersive World,” developed by a Cato CTRL threat intelligence researcher. The technique involves creating a detailed fictional narrative where GenAI tools, including popular platforms like DeepSeek, Microsoft Copilot, and OpenAI’s ChatGPT, are assigned specific roles and tasks within a controlled environment.

By effectively bypassing the default security controls of these AI tools through this narrative manipulation, the researcher was able to force them into generating functional malware capable of stealing login credentials from **Google Chrome**.

> _“A Cato CTRL threat intelligence researcher with no prior malware coding experience successfully jailbreak multiple LLMs, including DeepSeek-R1, DeepSeek-V3, Microsoft Copilot, and OpenAI’s ChatGPT to create a fully functional Google Chrome infostealer for Chrome 133.”_
> 
> Cato Networks

This technique (Immersive World) indicates a critical flaw existing in the safeguards implemented by GenAI providers as it easily bypasses the intended restrictions designed to prevent misuse. As Vitaly Simonovich, a threat intelligence researcher at Cato Networks, **stated**, “We believe the rise of the zero-knowledge threat actor poses a high risk to organizations because the barrier to creating malware is now substantially lowered with GenAI tools.”

The report’s findings have prompted Cato Networks to reach out to the providers of the affected GenAI tools. While Microsoft and OpenAI acknowledged receipt of the information, DeepSeek remained unresponsive.

Screenshots show researchers interacting with DeepSeek, which ultimately generated a functional Chrome infostealer (Images via Cato Networks)

****Google Declined to Review Malware Code****

According to researchers, Google, despite being offered the opportunity to review the generated malware code, declined to do so. This lack of a unified response from major tech companies highlights the complexities surrounding the addressing of threats in advanced AI tools.

****LLMs and Jailbreaking****

Although LLMs are relatively new, jailbreaking has evolved alongside them. A report **published** in February 2024 revealed that DeepSeek-R1 LLM failed to prevent over half of the jailbreak attacks in a security analysis. Similarly, a **report** from SlashNext in September 2023 showed how researchers successfully jailbroke multiple AI chatbots to generate phishing emails.

****Protection****

The 2025 Cato CTRL Threat Report, the inaugural annual publication from Cato Networks’ threat intelligence team, emphasizes the critical need for proactive and comprehensive AI security strategies. These include preventing LLM jailbreaking by building a reliable dataset with expected prompts and responses and testing AI systems thoroughly.

Regular AI red teaming is also important, as it helps find vulnerabilities and other security issues. Additionally, clear disclaimers and terms of use should be in place to inform users they are interacting with an AI and define acceptable behaviours to prevent misuse.

Researchers Use AI Jailbreak on Top LLMs to Create Chrome Infostealer

Hackers are using .VHD files to spread VenomRAT malware, bypassing security software, reveals Forcepoint X-Labs. Learn how this stealthy attack works and how to protect yourself.

Cybersecurity researchers at Forcepoint X-Labs have spotted a new and tricky malware campaign that has been spreading and infecting targeted devices with VenomRAT, a remote access trojan known for targeting researchers in fake PoC (Proof of Concept) attacks

In this campaign, instead of the usually infected documents or executable files, cybercriminals are delivering the dangerous VenomRAT hidden inside a virtual hard disk image file (.vhd).

The campaign begins with a phishing email. This time, the bait is an apparently harmless purchase order. However, opening the attached archive doesn’t reveal a typical document. Instead, users find a .vhd file – a container that mimics a physical hard drive.

When a user opens the .vhd file, their computer treats it like a new drive. But this isn’t a drive full of legitimate files; it contains a malicious batch script designed to cause harm. Using a .vhd file to spread malware is a new trick. Since these files are commonly used for disk imaging and virtualization, security software doesn’t always flag them as a threat.

“This is a unique approach,” explains Prashant Kumar, a Security Researcher at Forcepoint X-Labs. “Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that.”

****The Attack and Stealing User Data****

According to research from Forcepoint X-Labs, shared with Hackread.com, the malware script is disguised with multiple layers of code and executes a series of malicious activities once activated. It starts by self-replicating, making sure a copy remains available at all times.

Then, it launches PowerShell, a legitimate Windows tool often exploited by attackers, and establishes persistence by placing a malicious script in the Startup folder, allowing it to run automatically whenever the user logs in. To dig in even more, the script modifies Windows registry settings, making it harder to detect and remove.

The malware also employs hidden communication by connecting to Pastebin, a popular text-sharing platform, to fetch instructions from a remote command-and-control (C2) server, which serves as the attacker’s command hub. Once established, the malware initiates data theft, logging keystrokes and storing sensitive information in a configuration file. It also downloads additional components, including a .NET executable, to assist in encryption and system manipulation.

Researchers noted that this VenomRAT variant uses HVNC (Hidden Virtual Network Computing), a remote control service that allows attackers to control the infected system without detection.

Phishing email and attack vector used in the campaign (Screenshots via Forcepoint X-Labs)

****What’s Next for Unsuspected Users?****

Be careful with email attachments, even if they seem legitimate; especially if they come from unknown senders. If you receive an unexpected invoice or purchase order, don’t trust the contact details in the email; verify it directly with the sender using a known phone number or email.

Keeping your operating system, antivirus, and security tools up to date is critical for blocking threats from executing on your system. Lastly, make sure your team knows how to spot and report phishing attempts. Awareness and common sense are two of the best cybersecurity measures anyone can use, anywhere and at all times.

Hackers Hide VenomRAT Malware Inside Virtual Hard Disk Image File

Austin, TX, United States, 19th March 2025, CyberNewsWire

**Austin, TX, United States, March 19th, 2025, CyberNewsWire**

The average corporate user now has 146 stolen records linked to their identity, an average 12x increase from previous estimates, reflecting a surge in holistic identity exposures.

SpyCloud, the leading identity threat protection company, today released its **2025 SpyCloud Annual Identity Exposure Report**, highlighting the rise of darknet-exposed identity data as the primary cyber risk facing enterprises today. As cybercriminals move beyond single data points and leverage stolen data from a number of sources – breaches, malware and phishes – they are embracing a more sophisticated approach to identity exploitation, and organizations must shift their focus to a comprehensive and holistic defense strategy that accounts for the interconnected nature of digital identities.

**Holistic Identity: The New Cyber Battleground**

Organizations have traditionally focused on securing individual account credentials, but SpyCloud’s research indicates that cybercriminals have expanded their tactics beyond conventional account takeover. Attackers now have access to extensive identity data from multiple sources—including data breaches, infostealer malware infections, phishing campaigns, and combolists—posing a challenge for organizations whose security measures have not yet adapted to address the full scope of interconnected identity exposures holistically.

SpyCloud’s collection of recaptured darknet data grew **22% in the past year**, now encompassing more than **53.3 billion distinct identity records and over 750+ billion total stolen assets** that are now circulating in the criminal underground, fueling identity-based cybercrime. These assets are a vast array of personal and professional credentials, session cookies, personally identifiable information (PII), financial data, IP addresses, national IDs and more that criminals are weaponizing in attacks against individuals and businesses. 

> “The cybersecurity industry has spent years defending against traditional credential-based threats, but the reality is that attackers have advanced as the data they have access to has exploded in volume,” said Damon Fleury, Chief Product Officer, SpyCloud. “Identity is the ultimate frontier of cyber risk, with users’ exposure across past and present, personal and professional identities the new attack surface. It requires organizations to rethink the risks posed by employees, consumers, partners and suppliers.”

> Fleury continues, “At SpyCloud, we’ve created holistic identity analytics built on the industry’s largest collection of recaptured darknet data, enabling our customers to correlate disparate data points that encompass an individual’s digital footprint—providing a truly holistic view of identity risk.”

**New Definition for Identity Risk Emerges**

With the explosion of available identity data, attackers can now piece together historical and present-day records to bypass security barriers. Traditionally, cybersecurity teams were only able to see a fraction of an individual’s darknet exposures – primarily only the exposed assets tied to a corporate identity – which were not comprehensive nor in correlation with other exposures. SpyCloud’s report shows that an individual’s identity exposure is more expansive than traditional cyber risk tools would indicate; in fact, it’s a sprawling web of interrelated assets that provide cybercriminals with a roadmap to exploit vulnerabilities and the keys to unlock valuable access.

*   Of particular concern for businesses, a single corporate user now has an **average of 146 stolen records** linked to their identity – across **13 unique emails and 141 credential pairs** (a username or email and its associated password) per corporate user, which highlights how attackers correlate historical data to uncover active enterprise access points.
*   In the consumer realm, the numbers are even higher with **229 records per consumer**, frequently including exposed PII such as full names, dates of birth, and phone numbers, as well as Social Security/ID numbers, addresses, and credit card or bank information. Consumer exposure averages **27 unique emails and 227 credential pairs per user.**

> “The record-breaking breaches of 2024, including the Mother of All Breaches (MOAB) and the National Public Data Breach, along with the growing use of infostealing malware and crafty phishing campaigns illustrate just how vast the pool of exposed identity data has become,” said Trevor Hilligoss, Senior Vice President of Security Research, SpyCloud Labs at SpyCloud. “By understanding how cybercriminals aggregate stolen data and the new tactics and trends they are leveraging to assume even more valuable information and access, organizations can take proactive steps to mitigate identity-based threats from these large underground sources before they escalate.” 

**Additional Report Findings:**

*   **17.3 billion cookies** were recaptured from malware-infected devices, enabling attackers to bypass MFA and hijack active user sessions.
*   **548 million credentials** were exfiltrated via infostealer malware, highlighting the growing role of stealthy, targeted data theft in enterprise attacks.
*   **3.1 billion passwords** were recaptured in 2024, marking a **125% increase from the previous year**.
*   **70% of users** whose credentials were exposed in breaches last year reused previously compromised passwords, significantly increasing their risk of account takeover attacks **–** a 9+ jump from 2023.
*   **44.8 billion PII assets – a 39% increase from 2023** are opening the door for new fraudulent activities.
*   **97%** of recaptured phished data logs in 2024, from popular phishing-as-a-service (PHaaS) platforms like ONNX, included an email address and **64%** had an associated IP address, giving criminals direct opportunities to perpetrate as the user and make lateral movements within an organization.
*   In the public sector, SpyCloud recaptured **127K .gov credentials** and observed **a 67% all-time password reuse rate** – an increase of 13% over the previous year – highlighting persistent security risks for our federal agencies and national security.

**Evolving Cybersecurity Strategies**

The findings highlight that cybercriminals are moving well-beyond their own legacy tactics and businesses must recognize that traditional defenses are no longer enough. SpyCloud’s approach leverages **holistic identity analytics**, powered by the industry’s largest collection of recaptured darknet data, to help organizations correlate disparate identity elements and shore up identity threat protection measures, while mitigating risk more effectively.

For further insights, the full **2025 SpyCloud Identity Exposure Report** is available here.

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

Top 10 Passwords hackers use to breach RDP revealed! Weak credentials cause successful cyberattacks- check if yours is on the list and secure your system now.

A recent study by the Specops research team reveals that hackers continue to exploit weak passwords in attacks on Remote Desktop Protocol (RDP) ports. This report also adds over 85 million compromised passwords to Specops’ Breached Password Protection service, sourced from their honeypot network and threat intelligence.

****What is RDP and Why Attack RDP Ports?****

RDP is a Microsoft-developed protocol that allows users to connect to and control another computer over a network remotely. RDP ports are network ports used by the Remote Desktop Protocol to establish a connection between a client and a remote server or computer. By default, RDP uses port 3389 (TCP/UDP) for communication.

RDP ports are a common target for hackers because they’re widely used for remote access in businesses. Whether it’s for remote work, system maintenance, or troubleshooting, these ports provide an easy entry point, making them a favourite for brute force and password-spraying attacks. It’s not uncommon to see countless failed login attempts from hackers trying to breach.

****Key Findings from the Research****

According to Specops’ research shared with Hackread.com ahead of publishing on Tuesday, March 18, 2025, here’s what they discovered:

**Common Passwords in Use:** The analysis determined that the most frequently attempted password was “123456,” followed by other basic choices such as “1234,” “Password1,” and even “P@ssw0rd.” A notable observation is the recurring use of “Welcome1,” pointing to the danger of temporary passwords assigned during employee onboarding that might never be updated.

**Simple Number Combinations Dominate:** Nearly 25% of the passwords used in these attacks consist solely of numbers. The study highlights that a notable portion of attempts, almost half, rely on either numbers or all lower-case letters.

**Password Length and Complexity:** Eight-character passwords are the most common, likely because many organizations set that length as the minimum requirement. Only about 1.35% of the attacked passwords exceeded 12 characters, indicating that longer passphrases could block nearly all of the attack attempts.

**Expanded Breached Password List:** Alongside these insights, Specops has added more than 85 million compromised passwords to its Breached Password Protection service. These figures come from data gathered through honeypot networks and threat intelligence sources, offering fresh insight into what hackers target.

****Top 10 Passwords in RDP Attacks****

The research team analyzed NTLMv2 hashes from their honeypot system, focusing on RDP-specific attacks. They managed to crack around 40% of these hashes, revealing the top ten passwords used in these attacks:

*   **123456** – 355,088 occurrences
*   **1234** – 309,812 occurrences
*   **Password1** – 271,381 occurrences
*   **12345** – 259,222 occurrences
*   **P@ssw0rd** – 254,065 occurrences
*   **password** – 138,761 occurrences
*   **Password123** – 121,998 occurrences
*   **Welcome1** – 113,820 occurrences
*   **12345678** – 86,682 occurrences
*   **Aa123456** – 69,058 occurrences

****How to Protect Your RDP Ports****

To protect your RDP ports from attacks, start by enabling Multi-Factor Authentication (MFA) so that even if a password is stolen, unauthorized access is blocked. Keeping your Windows servers and clients updated is crucial to patch security vulnerabilities that hackers exploit.

Additionally, ensure TCP port 3389 is secured with SSL encryption and not directly exposed to the internet. Another important step is to restrict RDP access to a specific range of trusted IP addresses, preventing unauthorized users from attempting to connect.

****Simple Password = Security Disaster****

The Specops report makes it clear that relying on simple passwords is a risk organizations can no longer afford. By switching to longer and more complex passwords companies can greatly reduce the impact of today’s RDP attacks.

Top/Featured Image by kalhh from Pixabay

Top 10 Passwords Hackers Use to Breach RDP – Is Yours at Risk?

Sydney, Australia, 19th March 2025, CyberNewsWire

**Sydney, Australia, March 19th, 2025, CyberNewsWire**

Sydney-based cybersecurity software company Knocknoc has raised a seed round from US-based venture capital firm Decibel Partners with support from CoAct and SomethingReal.

The funding will support go-to-market, new staff, customer onboarding and product development. The company has appointed Adam Pointon as Chief Executive Officer.

“The opportunity here is limitless,” Pointon said. “You’d be hard pressed to find an organisation that couldn’t benefit in some way from using Knocknoc.”

Knocknoc orchestrates network infrastructure to remove risk exposure by tying users’ network access to their SSO authentication status.

By selectively opening network connections to users on a just-in-time basis, Knocknoc eliminates attack surface and solves compliance challenges. Knocknoc prevents would-be attackers from being able to connect to the types of network devices and applications that are prone to falling victim to zero-day attacks.

Customers use Knocknoc to protect VPNs and firewalls, IP cameras, payroll systems, file transfer appliances, bastion hosts and other applications and network services. Knocknoc is also easy to use with cloud-based infrastructure.

It can also be used on internal networks to add multifactor authentication to legacy systems to satisfy compliance requirements.

Knocknoc has also appointed Decibel Partners Founder Advisor and Risky Business Media CEO Patrick Gray to its board of directors.

“Knocknoc is a terrific way for organisations to quickly and easily reduce their exposure to the types of attacks that are plaguing enterprises right now,” said Gray. “It’s simple, quick to implement and delivers an immediate benefit.”

Knocknoc is already in use in Australian and US critical infrastructure, large telecommunications networks and media companies.

The Knocknoc founders are Andrew Foster, David Kempe and Adam Pointon.

More information at https://knocknoc.io

**Contact**

**Cofounder & CEO**  
**Adam pointon**  
**Knocknoc.io**  
**\[email protected\]**

Knocknoc Raises Seed Funding to Scale Its Just-In-Time Network Access Control Technology

$32B Wiz acquisition: Google ramps up cloud security. Following Mandiant, this deal signals major GCP defense upgrade.

Google’s parent company, **Alphabet**, has announced its acquisition of Wiz, a leading cloud and cybersecurity platform for $32 billion. This acquisition, Google’s largest to date, signals the company’s enhancement of the security capabilities of Google Cloud Platform (GCP).

Wiz, founded in 2020, has quickly risen to prominence with its cloud-native application protection platform (CNAPP). Its technology allows organizations to gain visibility into their cloud environments, identifying vulnerabilities, misconfigurations, and security risks across multi-cloud deployments.

The massive $32 billion deal, far bigger than any previous acquisition, shows just how crucial cloud security is to Google’s long-term strategy. This move also stresses the intense competition within the cloud computing sector, where Google is fighting for market share against industry giants like Amazon Web Services (AWS) and Microsoft Azure.

_“_Wiz and Google Cloud share a vision to improve security by making it easier and faster for organizations of all types and sizes to protect themselves, end-to-end, across all major clouds,_“_ **stated** Google _“_Google Cloud is a leader in cloud infrastructure, with deep AI expertise and a track record of industry-leading security innovation. Bringing this to Wiz will help make their solutions even better and more scalable, helping protect more organizations faster._“_

This acquisition builds upon Google’s prior investments in cybersecurity. Notably, **in 2022, Google acquired Mandiant**, a leading cybersecurity incident response and threat intelligence firm, for $5.4 billion. The Mandiant acquisition strengthened Google’s ability to detect and respond to sophisticated cyberattacks, providing valuable threat intelligence to its customers. The addition of Wiz’s cloud security management capabilities further expands Google’s security lineup.

This acquisition also marks a big move in the cloud security market, but it’s likely to draw attention from regulators. Antitrust authorities will be looking at how it might affect competition and innovation in the industry. However, industry analysts suggest that the integration of Wiz into GCP will offer notable benefits to Google Cloud customers.

**Rom Carmel**, Co-Founder and CEO at Apono, a New York-based provider of privileged access for cloud solutions commented on the latest development stating, _“_Google’s acquisition of Wiz underscores the growing importance of cloud security in the AI-driven era. By bringing Wiz into Google Cloud’s portfolio alongside Mandiant and Siemplify, Google is reinforcing its commitment to helping enterprises secure their cloud environments; regardless of the provider._“_

**Dave Gerry**, CEO at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented, “With upwards of more than 6,000 cyber vendors in the market, customers are looking to consolidate their security spend to vendors they trust. While many hoped that 2025 would be the Year of the IPO, this deal may be a bellwether signalling other large-scale M&A activity_.”_

The acquisition of Wiz is expected to close in the coming months, subject to regulatory approvals. Once finalized, the integration of Wiz’s technologies into Google Cloud will begin, promising a new level of enhanced cloud security for Google Cloud customers.

Google Acquires Wiz for Record $32 Billion

Google Play Store hit by 300+ fake Android apps, downloaded more than 60 million times pushing ad fraud and data theft. Learn how to spot and remove these threats.

Cybersecurity researchers at Bitdefender have discovered a malicious ad fraud campaign that has successfully deployed over 300 applications within the Google Play Store. These malicious apps have collectively been downloaded over 60 million times, exposing users to invasive ads and phishing attempts.

****Malicious Apps on the Google Play Store****

The Google Play Store, a popular platform for Android applications, has become a target for cybercriminals. Despite Google’s efforts to maintain a safe environment by removing malicious apps, attackers continuously adapt new methods to slip them one way or another.

According to Bitdefender’s report shared with Hackread.com ahead of publishing on Tuesday,  its researchers along with IAS Threat Lab traced this campaign back to at least 331 malicious apps, 15 of which were still available on Google Play at the time of their investigation. These apps pose as harmless utilities, such as QR scanners, expense trackers, health apps, and wallpaper apps.

2 malicious apps out of 300+ both with more than 1 million download each (Screenshot: Bitdefender)

Many of these apps initially appeared harmless but were later updated to include malicious codes. The fraud campaign, active since Q3 2024, shows no signs of slowing down, with new malicious apps still appearing on the store as recently as March 2025. The top 5 counties impacted by this campaign include:

1.  Brazil
2.  United States
3.  Mexico
4.  Turkiye
5.  South Africa

****Hidden Icons**, **Pushing Ads and Phishing:****

One of the techniques involve hiding the app icon from the user’s launcher. This method, restricted in newer Android versions, suggests that attackers have either found a flaw or are exploiting an API vulnerability. Some apps even change their names to mimic legitimate services like Google Voice, further complicating their removal.

These apps are designed to display full-screen ads without user consent, even when another app is in use. Worse, they can initiate phishing attacks, tricking users into exposing sensitive information such as login credentials and credit card details.

Researchers have also revealed technical strategies used by these malicious apps to evade detection on infected devices. One such technique is Content Provider Abuse, where apps declare a contact content provider that is automatically queried by the system after installation, enabling execution without user interaction.

Another tactic involves activity launching through methods like DisplayManager.createVirtualDisplay and other API calls, allowing the apps to start activities without requiring user permission. This technique is often used to display intrusive ads or launch phishing attempts.

To maintain persistence, these apps rely on services and dummy receivers, ensuring they remain active even on newer Android versions that block certain background activities.

****Protect Your Devices****

Usually, it’s best to download apps only from official stores like Google Play and Apple’s App Store. However, in this case, it’s advised to avoid downloading unnecessary apps from both official and third-party stores.

Make sure to keep your device updated so security patches are installed automatically. Run regular malware scans and watch for suspicious activity, such as an app’s icon suddenly disappearing, its name changing, your device slowing down, or excessive battery drain. If you notice anything unusual, delete the app immediately.

Scammers Sneak 300+ Ad Fraud Apps onto Google Play with 60M Downloads

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

With Android devices deeply embedded in business operations, it’s no surprise that cybercriminals are increasingly targeting them.

Businesses are now prime targets, facing threats like banking trojans, spyware, ransomware, and ad fraud, all designed to steal sensitive company data, compromise financial systems, and disrupt operations.

The problem is, that many security tools aren’t built to catch these threats fast enough, leaving people and businesses vulnerable.

To help with this, ANY.RUN has added Android OS support to its interactive sandbox. Cybersecurity professionals can now run and analyze APK files in real-time, spot threats more quickly, and get a much clearer picture of what a malicious app is doing.

**Key Benefits for Cybersecurity Professionals**

Android OS support enhances security teams’ efficiency in several ways:

*   **Simplifies malware analysis:** Users can analyze Android threats, with detailed insights into network traffic, behavioural indicators, and file execution logs. 

*   **Accelerates incident response:** The interactive sandbox allows for real-time detection and mitigation of Android malware, reducing the time needed for investigations.

*   **Reduces costs and complexity:** Security teams don’t need to juggle multiple tools. Sandboxes like ANY.RUN consolidate everything into one platform, improving efficiency and lowering operational costs.

*   **Enhances SOC workflows:** Tier 1 analysts can quickly escalate cases to Tier 2 with comprehensive forensic data on Android malware, streamlining threat intelligence and response processes.

****How Android OS Inside Virtual Machine Makes Malware Analysis Easier****

Analyzing Android malware inside ANY.RUN’s sandbox is as easy as investigating threats on Windows or Linux. With the latest update, security professionals can interact with and examine Android malware in real time, making the process faster and more intuitive.

Before launching an analysis, users can select Android OS from the standard operating system menu. Once selected, they upload the APK file and begin the investigation. 

_Android OS option inside ANY.RUN sandbox_

Since ANY.RUN’s sandbox is fully interactive, analysts can engage with the malicious file as if they were running it on a real Android device.

In a real analysis session, you can see firsthand how easy it is to interact with a suspicious APK file inside ANY.RUN’s interactive sandbox. 

Let’s take Coper, for example – a well-known Android banking trojan designed to steal financial data, intercept SMS messages, and execute commands remotely. This malware often disguises itself as legitimate banking or financial apps, tricking users into granting permissions that allow full control over the device.

View analysis session with Coper

The fastest way to determine if a file is malicious is by checking the top right corner of the screen, where ANY.RUN automatically highlights suspicious activity. 

In our case, it’s marked in red, immediately alerting us that the sample is dangerous. The sandbox identifies that we are dealing with Coper, confirming that this APK is actively performing harmful actions.

_Malicious activity detected by ANY.RUN sandbox_

To dive deeper, analysts can inspect all processes in the Process Tree section. This view provides a structured breakdown of how the malware operates, making it easier to understand what actions it takes after execution. 

This allows SOC teams, malware analysts, and threat hunters to quickly assess the impact of a threat without wasting time on manual investigation.

Tree of processes inside ANY.RUN sandbox

Another crucial feature is the ATT&CK Matrix section, where you can see exactly what techniques and tactics the malware is using. This makes it much easier to map threats to real-world attack patterns. 

If more details are needed, users can simply click on any specific tactic or technique to get a detailed explanation of how it works and what risks it poses.

_Mitre ATT&CK Matrix techniques and tactics_

Finally, for a more structured breakdown, ANY.RUN provides a text report that compiles all findings into a well-organized format. 

This is especially useful for sharing insights with the team, documenting the investigation, or conducting a deeper analysis later on. 

Instead of manually piecing together information from different sources, security teams get a clear, detailed report that speeds up decision-making and incident response.

_Detailed report of analysis generated by ANY.RUN sandbox_

****Analyze Android Threats Faster in a Secure Environment****

With ANY.RUN’s new Android OS sandbox, cybersecurity professionals can now analyze APK files faster and more efficiently in a secure, interactive environment. 

Whether you’re investigating malware for incident response, threat hunting, or research, this update makes the process quicker, more intuitive, and highly effective.

*   **Faster detection:** Get real-time alerts on suspicious activity without delays.

*   **Easier analysis:** Interact with malware just like you would on a real device and inspect its behaviour effortlessly.

*   **Better collaboration:** Share structured reports with your team, helping everyone stay informed and respond quickly to threats.

Analyze Mobile Threats Faster: ANY.RUN Introduces Android OS to Its Interactive Sandbox

Cybercriminals exploit AI hype with SEO poisoning, tricking users into downloading malware disguised as DeepSeek software, warns McAfee Labs in a new report.

The rise of Artificial Intelligence (AI) has undeniably transformed various sectors, with tools like ChatGPT, DeepSeek and Gemini becoming household names. However, this advancement has also created an environment where scammers can thrive.

McAfee Labs has uncovered a concerning trend where malicious actors are exploiting the popularity of AI tools, to distribute malware. This tactic, often referred to as SEO poisoning, exploits trending search terms to lure unsuspecting users to malicious websites.

The recent surge in interest surrounding DeepSeek-R1, a cost-effective AI model released under an open-source license an AI model and its subsequent chatbot launch, provided a solid platform for such exploitation.

This increasing interest, coupled with occasional website unavailability due to high traffic, created an ideal scenario for scammers. They take advantage of the “excitement, anxiety, and impatience” of users by distributing malware disguised as DeepSeek installers, McAfee researchers noted in the blog post shared with Hackread.com.

The attack starts with a user’s search, after which they are directed to websites offering DeepSeek applications for Windows, Mac, and Android. These websites, however, are malicious, leading to the download of malware, fake installers that bundle unwanted third-party software, and fraudulent captcha pages.

Attack Vector (Source: McAfee)

****Fake DeekSeek Installers, Websites and Apps****

McAfee Labs identified several malware campaigns associated with DeepSeek, including fake installers, impersonator websites, and fake mobile apps. These campaigns distributed various types of malware, such as keyloggers, crypto miners, and password stealers. One notable example involved fake installers that bundled legitimate software with unwanted third-party applications, generating revenue through pay-per-install programs.

Another tactic observed was the use of fake captcha pages, designed to trick users into downloading and executing malicious software. These pages employed “brand impersonation,” mimicking DeepSeek’s branding to appear legitimate. Upon registering for a fake partnership program, users were redirected to these captcha pages, which then prompted them to execute commands that installed malware capable of stealing sensitive information.

One of the fake DeepSeek AI websites, malicious winManager (left) and Audacity software (right) and Android app involved in the malware scam (Screenshot credit: McAfee)

****Monero Miner Behind Fake DeepSeek Installer****

A technical analysis of a crypto miner disguised as DeepSeek software revealed that after installation the malware communicated with a command-and-control server to download and execute a PowerShell script. This script employed process injection techniques to evade detection and establish persistence in the victim’s system. The payload, identified as XMRig mining software, then initiated a Monero mining operation, utilizing a portion of the system’s CPU resources.

Scammers chose Monero probably due to its emphasis on anonymity, making it difficult to trace the flow of funds. This highlights the attackers’ focus on covert operations and maximizing their gains while minimizing the risk of detection.

McAfee Labs emphasizes the importance of staying alert and informed, especially during hype cycles surrounding emerging technologies. Another step toward safety is scanning suspicious links and files on VirusTotal before opening or executing them.

Fake DeepSeek AI Installers, Websites, and Apps Spreading Malware

Palo Alto, USA, 18th March 2025, CyberNewsWire

**Palo Alto, USA, March 18th, 2025, CyberNewsWire**

**Groundbreaking initiative reveals browser vulnerabilities in understudied yet critical attack surface**

SquareX, a pioneer in Browser Detection and Response (BDR) space, announced the launch of the “Year of Browser Bugs” (YOBB) project today, a year-long initiative to draw attention to the lack of security research and rigor in what remains one of the most understudied attack vectors – the browser.

The browser has evolved from a simple web rendering engine to be the new “endpoint” — the primary gateway through which users interact with the Internet, for work, leisure, and transactions. Yet, traditional security solutions continue to focus on endpoints and networks despite the exponential growth of browser-native attacks.

The YOBB project was inspired by Month of Bugs (MOB), an iconic cybersecurity initiative where security researchers would publish one major vulnerability found in major software providers every day of the month. MOB projects played a huge role in improving the gravity at which security and responsible disclosure are taken in these companies. Notable projects included the Month of Browser Bugs (July 2006), Month of Kernel Bugs (November 2006), and Month of Apple Bugs (January 2007). SquareX is bringing back this tradition with the YOBB to raise awareness of cyberthreats that the browser is vulnerable to. However, unlike H. D. Moore’s original Month of Browser Bugs which focused on software bugs in the browser itself, SquareX will be disclosing application layer attacks that can be delivered through any website, app, or cloud data storage accessed through the browser. 

Throughout 2025, SquareX’s research team will disclose at least one critical web attack per month as part of the YOBB project, focusing on vulnerabilities that exploit architectural limitations of the browser and incumbent solutions. The research will reveal never-seen-before attack vectors that remain unknown even to the cybersecurity community. Each disclosure will include attack video demonstrations, technical breakdowns, and mitigation strategies. These disclosures will be wholly SquareX-researched and discovered, rather than an aggregation of existing security research. 

Under the YOBB initiative, SquareX has already made major releases since 2024 and into the first two months of 2025:

**2025**

*   **January:** **SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk** 
*   **February:** **SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk** 

**2024**

*   **August:** **SquareX Uncovers Critical Flaw in Secure Web Gateways**
*   **December:** **Cyberhaven’s OAuth Identity Attack — Are your Extensions Affected?**

> Quoting Vivek Ramachandran, the Founder and CEO of SquareX, “As browsers become the new endpoint, attackers are increasingly targeting employees to break into organizations and exfiltrate data, just like the Cyberhaven incident. Unfortunately, beyond mainstream media attention, there is little done by vendors from a security perspective to prevent similar exploits from happening in the future. The YOBB is our attempt to draw attention to an attack surface that is exponentially growing. We hope that this will serve as a call to action for browser and security vendors to solve these vulnerabilities that give rise to application layer attacks that simply cannot be solved through browser patches.”

As the year progresses, security teams can expect monthly disclosures to be documented at https://sqrx.com/research.

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate and threat-hunt client-side web attacks targeting employees in real time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Polymorphic Extension,s, and Browser Syncjacking. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

To learn more about SquareX’s BDR, users can contact \[email protected\]. For press inquiries on this disclosure on the Year of Browser Bugs, users can contact \[email protected\].

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Source

HackRead