The phishing-as-a-service (PhaaS) offering known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries.
"Phishing-as-a-Service (PhaaS) deployments have risen significantly recently," Netcraft said in a new report. "The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases,

The phishing-as-a-service (PhaaS) offering known as **Lighthouse** and **Lucid** has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries.

"Phishing-as-a-Service (PhaaS) deployments have risen significantly recently," Netcraft said in a new report. "The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases, hundreds of brands from countries around the world."

Lucid was first documented by Swiss cybersecurity company PRODAFT earlier this April, detailing the phishing kit's ability to send smishing messages via Apple iMessage and Rich Communication Services (RCS) for Android.

The service is assessed to be the work of a Chinese-speaking threat actor known as the XinXin group (changqixinyun), which has also leveraged other phishing kits like Lighthouse and Darcula in its operations. Darcula is developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv), while Lighthouse's development has been linked to LARVA-241 (aka Lao Wang or Wang Duo Yu).

The Lucid PhaaS platform enables customers to mount phishing campaigns at scale, targeting a wide range of industries, including toll companies, governments, postal companies, and financial institutions.

These attacks also incorporate various criteria – such as requiring a specific mobile User-Agent, proxy country, or a fraudster-configured path – to ensure that only the intended targets can access the phishing URLs. If a user other than the target ends up visiting the URL, they are served a generic fake storefront instead.

In all, Netcraft said it has detected phishing URLs targeting 164 brands based in 63 different countries hosted through the Lucid platform. Lighthouse phishing URLs have targeted 204 brands based in 50 different countries.

Lighthouse, like Lucid, offers template customization and real-time victim monitoring, and boasts the ability to create phishing templates for over 200 platforms across the world, indicating significant overlaps between the two PhaaS toolkits. Prices for Lighthouse range from $88 for a week to $1,588 for a yearly subscription.

"While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem," PRODAFT noted back in April.

Phishing campaigns using Lighthouse have used URLs impersonating the Albanian postal service Posta Shqiptare, while serving the same fake shopping site to non-targets, suggesting a potential link between Lucid and Lighthouse.

"Lucid and Lighthouse are examples of how fast the growth and evolution of these platforms can occur and how difficult they can sometimes be to disrupt," Netcraft researcher Harry Everett said.

The development comes as the London-based company revealed that phishing attacks are moving away from communication channels like Telegram to transit stolen data, painting a picture of a platform that's no longer likely to be considered a safe haven for cybercriminals.

In its place, threat actors are returning to email as a channel for harvesting stolen credentials, with Netcraft seeing a 25% increase in a span of a month. Cybercriminals have also been found to use services like EmailJS to harvest login details and two-factor authentication (2FA) codes from victims, eliminating the need for hosting their own infrastructure altogether.

"This resurgence is partly due to the federated nature of email, which makes takedowns harder," security researcher Penn Mackintosh said. "Each address or SMTP relay must be reported individually, unlike centralized platforms like Discord or Telegram. And it's also about convenience. Creating a throwaway email address remains quick, anonymous, and virtually free."

The findings also follow the emergence of new lookalike domains using the Japanese Hiragana character "ん" to pass off fake website URLs as almost identical to their legitimate ones in what's called a homoglyph attack. No less than 600 bogus domains employing this technique have been identified in attacks aimed at cryptocurrency users, with the earliest recorded use dating back to November 25, 2024.

These pages impersonate legitimate browser extensions on the Chrome Web Store, deceiving unsuspecting users into installing fake wallet apps for Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust that are designed to capture system information or harvest seed phrases, giving the attackers full control over their wallets.

"At a quick glance, it is intended to look like a forward slash '/,'" Netcraft said. "And when it's dropped into a domain name, it's easy to see how it can be convincing. That tiny swap is enough to make a phishing site domain look real, which is the goal of threat actors trying to steal logins and personal information or distribute malware."

In recent months, scams have also exploited the brand identities of American firms like Delta Airlines, AMC Theatres, Universal Studios, and Epic Records to enroll people in schemes that offer a way to earn money by completing a series of tasks, such as operating as a flight booking agent.

The catch here is that in order to do so, would-be victims are asked to deposit at least $100 worth of cryptocurrency to their accounts, allowing the threat actors to make illicit profits.

The task scam "illustrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud across multiple verticals," Netcraft researcher Rob Duncan said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,"

Data Breach / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).

"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert.

The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428, both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025.

While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication.

According to CISA, the threat actors gained access to server running EPMM by combing the two vulnerabilities around May 15, 2025, following the publication of a proof-of-concept (PoC) exploit.

This permitted the attackers to run commands that made it possible to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials, the agency added.

Further analysis determined that the cyber threat actors dropped two sets of malicious files to the "/tmp" directory, each of which enabled persistence by injecting and running arbitrary code on the compromised server:

*   **Set 1** - web-install.jar (aka Loader 1), ReflectUtil.class, and SecurityHandlerWanListener.class
*   **Set 2** - web-install.jar (aka Loader 2) and WebAndroidAppInstaller.class

Specifically, both sets contain a loader which launches a malicious compiled Java class listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads for subsequent execution.

"ReflectUtil.class manipulates Java objects to inject and manage the malicious listener SecurityHandlerWanListener in Apache Tomcat," CISA said. "\[SecurityHandlerWanListener.class\] malicious listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads, which dynamically create and execute a new class."

WebAndroidAppInstaller.class, on the other hand, works differently by retrieving and decrypting a password parameter from the request using a hard-coded key, the contents of which are used to define and implement a new class. The result of the execution of the new class is then encrypted using the same hard-coded key and generates a response with the encrypted output.

The end result is that it allows the attackers to inject and execute arbitrary code on the server, enabling follow-on activity and persistence, as well as exfiltrate data by intercepting and processing HTTP requests.

To stay protected against these attacks, organizations are advised to update their instances to the latest version, monitor for signs of suspicious activity, and implement necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428

This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire.

Thursday, September 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1.  **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2.  **Peer support.** Whether it's a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3.  **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4.  **Mandatory decompression/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

**The one big thing **

In Talos' latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

**Why do I care? **

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

**So now what? **

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

**Top security headlines of the week **

**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts**   
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit**   
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

**Google nukes 224 Android malware apps behind massive ad fraud campaign**   
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

**Former FinWise employee may have accessed nearly 700K customer records**   
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

**Can’t get enough Talos? **

*   **Alex Ryan: From zero chill to quiet confidence**   
    Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
*   **Beers with Talos: How to ruin an APT's day**   
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
*   **Tampered Chef: When malvertising serves up infostealers**   
    Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in "malvertising" and challenges in defense.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: executable.exe   
Claimed Product: N/A     
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Typical Filename: nwx3hgsl.exe   
Claimed Product: Self-extracting archive   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Typical Filename: werrx01USAHTML   
Claimed Product: N/A   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Typical Filename: ~3B6A.tmp   
Claimed Product: N/A   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Claimed Product:   
Detection Name: Win.Dropper.Miner::95.sbx.tg

Put together an IR playbook — for your personal mental health and wellbeing

Scammers are now using “SMS blasters” to send out up to 100,000 texts per hour to phones that are tricked into thinking the devices are cell towers. Your wireless carrier is powerless to stop them.

Cybercriminals have a new way of sending millions of scam text messages to people. Typically when fraudsters send waves of phishing messages to phones—such as toll or delivery scams—they may use a huge list of phone numbers and automate the sending of messages. But as phone companies and telecom services have rolled out more tools to detect scams in texts, criminals have started driving around cities with fake cell phone towers that send messages directly to nearby phones.

Over the last year, there has been a marked uptick in the use of so-called “SMS blasters” by scammers, with cops in multiple countries detecting and arresting people using the equipment. SMS blasters are small devices, which have been found in the back of criminals’ cars and sometimes backpacks, that impersonate cell phone towers and force phones into using insecure connections. They then push the scam messages, which contain links to fraudulent websites, to the connected phones.

While not a new type of technology, the use of SMS blasters in scamming was originally detected in Southeast Asian countries and has increasingly spread to Europe and South America—just last week, Switzerland’s National Cybersecurity Centre issued a warning about SMS blasters. The devices are capable of sending huge volumes of scam texts indiscriminately. The Swiss agency said some blasters are able to send messages to all phones in a radius of 1,000 meters, while reports about an incident in Bangkok say a blaster was used to send around 100,000 SMS messages per hour.

“This is essentially the first time that we have seen large-scale use of mobile radio-transmitting devices by criminal groups,” says Cathal Mc Daid, VP of technology at telecommunication and cybersecurity firm Enea, who has been tracking the use of SMS blasters. “While some technical expertise would help in using these devices, those actually running the devices don’t need to be experts. This has been shown by reports of arrests of people who have been basically paid to drive around areas with SMS blasters in cars or vans.”

SMS blasters act as illegitimate phone masts, often known as cell-site simulators (CSS). The blasters are not dissimilar to so-called IMSI catchers, or “Stingrays,” which law enforcement officials have used to scoop up people’s phone data. But instead of being used for surveillance, they broadcast false signals to targeted devices.

Phones near a blaster can be forced to connect to its illegitimate 4G signals, before the blaster pushes devices to downgrade to the less secure 2G signal. “The 2G fake base station is then used to send (blast) malicious SMSes to the mobile phones initially captured by the 4G false base station,” Mc Daid says. “The whole process—4G capture, downgrade to 2G, sending of SMS and release—can take less than 10 seconds,” Mc Daid explains. It’s something people who receive the messages may not even notice.

The growth of SMS blasters comes at a time when scams are rampant. In recent years, technology firms and mobile network operators have increasingly rolled out greater protections against fraudulent text messages—from better filtering and detection of possible scam messages to blocking tens of millions of messages per month. This month, UK telecom Virgin Media O2 said it has blocked more than 600 million scam text messages during 2025, which is more than its combined totals for the last two years. Still, millions of scam messages get through, and cybercriminals are quick to try to evade detection systems.

Because blasters operate outside of traditional mobile networks, the messages they send are not subject to the security measures that have been put in place by mobile providers. “None of our security controls apply to the messages that phones receive from them,” says Anton Reynaldo Bonifacio, the chief information security officer and chief AI officer at Philippines communications firm Globe Telecom. “Once phones are connected to these fake cell sites, they can spoof any sender ID or number to send the scam message.”

Back in 2022, Globe Telecom made the decision to stop delivering SMS messages that contain URLs, and Bonifacio says he believes scammers use the blasters to “bypass” these measures. “The technology used to be more niche, but I think sales and assembly of these IMSI catcher devices have become more prevalent for criminal organizations,” he says. Researchers have found SMS blasters being sold openly online for thousands of dollars.

Samantha Kight, the head of industry security at the mobile operator industry group the GSMA, says the Asia-Pacific region has been most impacted by SMS blasters so far, but there are cases appearing in Western Europe and South America. “It might be a problem in one or two regions, but then we tend to see these things pop up in different regions,” Kight says. Reporting from Commsrisk and Risky Business, have highlighted reports of SMS blasters being used in Thailand, Vietnam, Japan, New Zealand, Qatar, Indonesia, Oman, Brazil, Hong Kong, and more in recent months. Law enforcement officials in London say they have so far seized seven SMS blasters, and in June, a student from China was sentenced to jail for more than a year after being caught using one of the devices.

Kight says that tackling SMS blasters involves telecom operators and government regulators being aware of the devices, law enforcement agencies taking actions, as well as people recognizing and reporting scam messages to the relevant authorities. “As the mobile industry, we want to be able to find these, we want people to trust what’s on their device, and we want to be able to protect them,” Kight says.

Yomna Nasser, a software engineer at Android, says people can stop their phones connecting to 2G networks in their settings. “Once enabled, your device will no longer scan for or connect to 2G cell towers,” Nasser says, adding the only exception is if an emergency call is being made and 3G, 4G and 5G are not available. Android’s Advanced Protection mode will also disable 2G automatically on some newer phones. Apple did not answer WIRED’s request for comment by the time of publication, although its Lockdown Mode will disable 2G connections.

Ultimately, you may not know if an SMS blaster is used to send you a scam. Ben Hurley, a detective sergeant with the City of London’s Dedicated Card and Payment Crime Unit, which is investigating cases locally, says that while the delivery is different, the actual scams themselves haven’t changed. Phishing messages are often designed to get you to click on a malicious link and hand over your personal information. “It’s a new way of doing the same thing,” Hurley says. “It’s changed how we have to investigate it, but actually it’s not changed the end result,” he says, adding that people should always be cautious of clicking links in unknown messages and take a moment before acting if the message feels suspicious.

As with all cybercrime, though, there is a chance that those operating the schemes and blasters could evolve their tactics. “The actual SMS blaster devices they use are relatively unsophisticated so far,” Mc Daid says, adding that the type of technology originally came from the world of governments, law enforcement, and militaries. If criminals are able to gain access to more sophisticated technology and expertise, he says, “this could be the beginning of a cat and mouse game.”

Cybercriminals Have a Weird New Way to Target You With Scam Texts

Researchers have discovered a large ad fraud campaign on Google Play Store.

Researchers have discovered a large ad fraud campaign on Google Play Store.

The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign “SlopAds.”

Ad fraud is a type of fraud that lets advertisers pay for ads even though the number of impressions (the times that the ad has been seen) is enormously exaggerated.

While the main victims of ad fraud are the advertisers, there are consequences for the users that had these apps installed as well, such as slowed-down devices and connections due to the apps executing their malicious activity in the background without the user even being aware.

At first, to stay under the radar of Google’s app review process and security software, the downloaded app will behave as advertised, if a user has installed it directly from the Play Store.

_Image courtesy of HUMAN Satori_

But if the installation has been initiated by one of the campaign’s ads, the user will receive some extra files in the form of a steganographically encrypted payload.

If the app passes the first check it will receive four .png images that, when decrypted and reassembled, are actually an .apk file. The malicious file uses WebView (essentially a very basic browser) to send collected device and browser information to a Control & Command (C2) server which determines, based on that information, what domains to visit in further hidden WebViews.

The researchers found evidence of an AI (Artificial Intelligence) tool training on the same domain as the C2 server (ad2\[.\]cc). It is unclear whether this tool actively managed the ad fraud campaign.

Based on similarities in the C2 domain, the researchers found over 300 related domains promoting SlopAds-associated apps, suggesting that the collection of 224 SlopAds-associated apps was only the beginning.

Google removed all of the identified apps listed in this report from Google Play. Users are automatically protected by Google Play Protect, which warns users and blocks apps known to exhibit SlopAds associated behavior at install time on certified Android devices, even when apps come from sources outside of the Play Store.

You can find a complete list of the removed apps here: SlopAds app list

**How to avoid installing malicious apps**

While the official Google Play Store is the safest place to get your apps from, there is no guarantee that it will remain a non-malicious app just because it is in the Google Play Store. So here are a few extra measures you can take:

*   Always check what permissions an app is requesting, and don’t just trust an app because it’s in the official Play Store. Ask questions such as: Do the permissions make sense for what the app is supposed to do? Why did necessary permissions change after an update? Do these changes make sense?
*   Occasionally go over your installed apps and remove any you no longer need.
*   Make sure you have the latest available updates for your device, and all your important apps (banking, security, etc.)
*   Protect your Android with security software. Your phone needs it just as much as your computer.

Another precaution you can take if you’re looking for an app, do your research about the app before you go to the app store. As you can see from the screenshot above, many of the apps are made to look exactly the same as very popular legitimate ones (e.g. ChatGPT).

So, it’s important to know in advance who the official developer is of the app you want and if it’s even available from the app store.

As researcher Jim Nielsen demonstrated for the Mac App Store, there are a lot of apps trying to look like ChatGPT, but they are not the real thing. ChatGPT is not even in the Mac App Store, it is available in the Google Play Store for Android, but make sure to check that OpenAI is listed as the developer.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 224 malicious apps removed from the Google Play Store after ad fraud campaign discovered 

Apple has released security updates for all platforms to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.

Apple has released security updates for iPhones, iPads, Apple Watches, Apple TVs, and Macs as well as for Safari, and Xcode to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.

****How to update your iPhone or iPad****

For iOS and iPadOS users, you can check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

****How to update macOS on any version****

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

****How to update Apple Watch****

*   Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General > Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

****How to update Apple TV****

*   Turn on your Apple TV and make sure it’s connected to the internet.
*   Open the Settings app on Apple TV.
*   Navigate **to System > Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**Updates for your particular device**

Apple has today released version 26 for all its software platforms. This new version brings in a new “Liquid Glass” design, expanded Apple Intelligence, and new features. You can choose to update to that version, or just update to fix the vulnerabilities:

iOS 26 and iPadOS 26

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

iOS 18.7 and iPadOS 18.7

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

iOS 16.7.12 and iPadOS 16.7.12

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.5 and iPadOS 15.8.5

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Tahoe 26

Mac Studio (2022 and later), iMac (2020 and later), Mac Pro (2019 and later), Mac mini (2020 and later), MacBook Air with Apple silicon (2020 and later), MacBook Pro (16-inch, 2019), MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), and MacBook Pro with Apple silicon (2020 and later)

macOS Sequoia 15.7

macOS Sequoia

macOS Sonoma 14.8

macOS Sonoma

tvOS 26

Apple TV HD and Apple TV 4K (all models)

watchOS 26

Apple Watch Series 6 and later

visionOS 26

Apple Vision Pro

Safari 26

macOS Sonoma and macOS Sequoia

Xcode 26

macOS Sequoia 15.6 and later

**Technical details**

Apple did not mention any actively exploited vulnerabilities, but there are two that we would like to highlight.

A vulnerability tracked as CVE-2025-43357 in Call History was found that could be used to fingerprint the user. Apple addressed this issue with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26, iOS 26, and iPadOS 26.

A vulnerability in the Safari browser tracked as CVE-2025-43327 where visiting a malicious website could lead to address bar spoofing. The issue was fixed by adding additional logic.

Address bar spoofing is a trick cybercriminals might use to make you believe you’re on a trusted website when in reality you’re not. Instead of showing the real address, attackers exploit browser flaws or use clever coding so the address bar displays something like login.bank.com even though you’re not on your bank’s site at all. This would allow the criminals to harvest your login credentials when you enter them on what is really their website.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your Apple devices to fix dozens of vulnerabilities 

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories.
"These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN’s Satori Threat Intelligence and

Ad Fraud / Mobile Security

A massive ad fraud and click fraud operation dubbed **SlopAds** ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories.

"These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN's Satori Threat Intelligence and Research Team said in a report shared with The Hacker News.

The name "SlopAds" is a nod to the likely mass-produced nature of the apps and the use of artificial intelligence (AI)-themed services like StableDiffusion, AIGuide, and ChatGLM hosted by the threat actor on the command-and-control (C2) server.

The company said the campaign accounted for 2.3 billion bid requests a day at its peak, with traffic from SlopAds apps mainly originating from the U.S. (30%), India (10%), and Brazil (7%). Google has since removed all the offending apps from the Play Store, effectively disrupting the threat.

What makes the activity stand out is that when a SlopAds-associated app is downloaded, it queries a mobile marketing attribution SDK to check if it was downloaded directly from the Play Store (i.e., organically) or if it was the result of a user clicking on an ad that redirected them to the Play Store listing (i.e., non-organically).

The fraudulent behavior is initiated only in scenarios where the app was downloaded following an ad click, causing it to download the ad fraud module, FatModule, from the C2 server. On the other hand, if it was originally installed, the app behaves as advertised on the app store page.

"From developing and publishing apps that only commit fraud under certain circumstances to adding layer upon layer of obfuscation, SlopAds reinforces the notion that threats to the digital advertising ecosystem are only growing in sophistication," HUMAN researchers said.

"This tactic creates a more complete feedback loop for the threat actors, triggering fraud only if they have reason to believe the device isn't being examined by security researchers. It blends malicious traffic into legitimate campaign data, complicating detection."

The FatModule is delivered by means of four PNG image files that conceal the APK, which is then decrypted and reassembled to gather device and browser information, as well as conduct ad fraud using hidden WebViews.

"One cashout mechanism for SlopAds is through HTML5 (H5) game and news websites owned by the threat actors," HUMAN researchers said. "These game sites show ads frequently, and since the WebView in which the sites are loaded is hidden, the sites can monetize numerous ad impressions and clicks before the WebView closes."

Domains promoting SlopAds apps have been found to link back to another domain, ad2\[.\]cc, which serves as the Tier-2 C2 server. In all, an estimated 300 domains advertising such apps have been identified.

The development comes a little over two months after HUMAN flagged another set of 352 Android apps as part of an ad fraud scheme codenamed IconAds.

"SlopAds highlights the evolving sophistication of mobile ad fraud, including stealthy, conditional fraud execution and rapid scaling capabilities," Gavin Reid, CISO at HUMAN, said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

Every VPN says it’s the best, but only some of them are telling the truth.

*   **The Best VPN for Streaming**
    
    Screenshot courtesy of Scott Gilberson via NordVPN
    
    NordVPN has a long history, and it's one of the most prominent VPN services on the market. It comes with one of the largest VPN networks available, enough features to make Surfshark blush, and decent (though not the best) speeds. It's a little more expensive than I'd hoped for, but that's the price you pay for such an extensive network and feature set.
    
    Where NordVPN really excels is in media. Streaming providers like Netflix and HBO Max are privy to how VPNs circumvent geo-restrictions, and a small network means you're more likely to get blocked. The fact that NordVPN has such a large network gives it an edge in streaming and less sensitive online browsing. It really wins with its NordWhisper protocol. The company recommends using its WireGuard-based NordLynx protocol most of the time, but NordWhisper sacrifices a bit of speed to obfuscate VPN traffic further, getting around most blocks.
    
    NordWhisper isn't made for normal streaming environments, but it's great to have on restrictive networks. If you're traveling internationally and using hotel Wi-Fi, for instance, NordWhisper can help circumvent VPN blocks. The company saw a minor breach in 2018 and stirred up controversy in 2022 with a subtle change in wording regarding cooperation with law enforcement. In both cases, it responded quickly and maintained transparency, so contrary to what you may have read, NordVPN is safe to use.
    
    Specs
    
    **Number of devices:** 10
    
    **Number of servers:** 7,400+
    
    **Applications:** Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Edge, Google TV, Apple TV
    
    **Features:** Kill switch, split tunneling, double-hop, dark web monitoring, P2P servers
    

**Other VPNs We’ve Tested**

**Private Internet Access (PIA)** has a long history in the VPN space, and it's maintained a track record of defending user privacy—even in the face of actual criminal activity. In 2016, a criminal complaint was filed in Florida against Preston Alexander McWaters for threats made online. McWaters was eventually convicted and sentenced to 42 months in prison. Investigators traced the online threats back to PIA's servers and subpoenaed the company. As the complaint reads, “A subpoena was sent to \[Private Internet Access\] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States.” McWaters engaged in several other identifying activities, according to the complaint, but PIA wasn't among them. Despite such a clear view of a VPN provider upholding its no-logging policy, PIA didn't impress me during my tests. It's slightly more expensive than a lot of our top picks, and it delivered the worst speeds out of any VPN I tested, with more than a 50 percent drop on the closest US server. (Windscribe, for context, only dropped 15.6 percent of my speed.)

**MysteriumVPN** is the go-to dVPN, or decentralized VPN, as far as I can tell. The concept of a decentralized VPN has existed for a while, but it's really gained traction over the last couple of years. The idea is to have a network of residential IP addresses that make up the network, routing your traffic through normal IP addresses to get around the increasingly common block lists for VPN servers. Mysterium accomplishes this network with MystNodes. It's a crypto node. People buy the node to earn crypto, and they're put into the Mysterium network. It's not inherently bad, but routing your traffic through a single residential IP is a little worrisome. Even without the decentralized kick, Mysterium was slow, and it doesn't maintain any sort of privacy materials, be it a third-party audit, warranty canary, or transparency report.

**PrivadoVPN** is one of the popular options to recommend as a free VPN. It offers a decent free service, with a handful of full-speed servers and 10 GB of data per month. You'll have to suffer through four—yes, four—redirects begging you to pay for a subscription before signing up, but the free plan works. The problem is how new PrivadoVPN is. There's no transparency report or audit available, and although the speeds are decent, they aren't as good as Proton, Windscribe, or Surfshark. PrivadoVPN isn't bad, but it's hard to recommend when Proton and Windscribe exist with free plans that are equally as good.

**How We Test VPNs**

Functionally, a VPN should do two things: keep your internet speed reasonably fast, and actually protect your browsing data. That's where I focused my testing. Extra features, a comfy UI, and customization settings are great, but they don't matter if the core service is broken.

Speed testing requires spot-checking, as the time of day, the network you're connected to, and the specific VPN server you're using can all influence speeds. Because of that, I always set a baseline speed on my unprotected connection directly before recording results, and I ran the test three times across both US and UK servers. With those baseline drops, I spot-checked at different times of the day over the course of a week to see if the speed decrease was similar.

Security is a bit more involved. For starters, I checked for DNS, WebRTC, and IP leaks every time I connected to a server using Browser Leaks. I also ran brief tests sniffing my connection with Wireshark to ensure all of the packets being sent were secured with the VPN protocol in use.

On the privacy front, the top-recommended services included on this list have been independently audited, and they all maintain some sort of transparency report. In most cases, there's a proper report, but in others, such as Windscribe, that transparency is exposed through legal proceedings.

5 Best VPN Services (2025), Tested and Reviewed

Big name AI chatbots are happy to create phishing emails and malicious code to target senior citizens.

If you are under the impression that cybercriminals need to get their hands on compromised AI chatbots to help them do their dirty work, think again.

Some AI chatbots are just so user friendly that they can help the user craft phishing text, and even malicious HTML and Javascript code.

A few weeks ago we published an article about the actions Anthropic was taking to stop its Claude AI from helping cybercriminals launch a cybercrime spree.

A recent investigation by Reuters journalists showed that Grok was more than happy to help them craft and perfect a phishing email targeting senior citizens. Grok is the AI marketed by Elon Musk’s xAI. Reuters reported:

> “Grok generated the deception after being asked by Reuters to create a phishing email targeting the elderly. Without prodding, the bot also suggested fine-tuning the pitch to make it more urgent.”

In January 2025, we told you about a report that AI-supported spear phishing mails were equally as effective as phishing emails thought up by experts, and able to fool more than 50% of targets. But since then, the development of AI has grown exponentially and researchers are worrying about how to recognize AI-crafted phishing.

Phishing is the first step in many cybercrime campaigns. It poses an enormous problem with billions of phishing emails sent out every day. AI helps criminals to create more variation which makes pattern detection less effective and it helps them fine tune the messages themselves. And Reuters focused on senior citizens for a reason.

The FBI’s Internet Crime Complaint Center (IC3) 2024 report confirms that Americans aged 60 and older filed 147,127 complaints and lost nearly $4.9 billion to online fraud, representing a 43% increase in losses and a 46% increase in complaints compared to 2023.

Besides Grok, the reporters tested five other popular AI chatbots: ChatGPT, Meta AI, Claude, Gemini, and DeepSeek. Although most of the AI chatbots protested at first and cautioned the user not to use the emails in a real-life scenario, in the end their “will to please” helped overcome these obstacles.

Fred Heiding, a Harvard University researcher and an expert in phishing helped Reuters put the crafted emails to the test. Using a targeted approach to reach those most likely to fall for them, about 11% of the seniors clicked on the emails sent to them.

An investigation by Cybernews showed that Yellow.ai, an agentic AI provider for businesses such as Sony, Logitech, Hyundai, Domino’s, and hundreds of other brands could be persuaded to produce malicious HTML and JavaScript code. It even allowed attackers to bypass checks to inject unauthorized code into the system.

In a separate test by Reuters, Gemini produced a phishing email, saying it was “for educational purposes only,” but helpfully added that “for seniors, a sweet spot is often Monday to Friday, between 9:00 AM and 3:00 PM local time.”

After damaging reports like these are release, AI companies often build in additional guardrails for their chatbots, but that only highlights an ongoing dilemma in the industry. When providers tighten restrictions to protect users, they risk pushing people toward competing models that don’t play by the same rules.

Every time a platform moves to shut down risky prompts or limit generated content, some users will look for alternatives with fewer safety checks or ethical barriers. That tug of war between user demand and responsible restraint will likely fuel the next round of debate among developers, researchers, and policymakers.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Grok, ChatGPT, other AIs happy to help phish senior citizens 

Several of our staff have reported receiving a job offer as an online evaluator. A job that pays very well for a few hours of work.

Looking at our team’s recent text messages, you’d think that remote online evaluators are in high demand right now.

Several members of our team have received the almost exact same job offer scam texts. The content of the messages is almost identical, but there is a variation in background images.

> “We are hiring  
>  Join our professional team  
> Job content Job title: remote online evaluator  
> Salary: $100-$600 per day  
> Working hours: 1-2 hours per day  
> Time: freedom can be done at home anytime  
> Job requirements: Age 25+
> 
> If you’re interested in this position, please answer ‘yes’ or ‘interested’ and I’ll send you the details. “

This type of scam has been around for a while, but the ones sending this exact same text have really taken off the last week. All the recipients that reported this scam are in the US and the messages all came from different US numbers.

You can rely on the fact that the only lazy job here is the scammer’s. There are different possible scenarios when the targets reply, but they all have negative consequences.

*   Advance fee scams are the most likely scenario. This is where the prospective employer explains what the job entails and then asks the target to pay for materials, start capital, or other onboarding costs. Typically, these payments are required in cryptocurrencies like USDT or Bitcoin.
*   Identity theft. Under the guise of needing your personal information before you can start working, the scammers will send you to a website to fill out sensitive information (full name, address, date of birth, SSN, banking details).
*   Money mule or laundering. The victim is actually working unknowingly to launder stolen money or cryptocurrency on behalf of the scammers. They will act as the person where the police come knocking first, giving the scammer more time to grab the money and run.
*   Phishing for further exploitation. Even if there is no immediate ask for money, they may direct the victim to click malicious links or install apps that harvest data.

**How to stay safe from hiring scams**

There are a few simple but very effective guidelines to stay out of the grasp of scammers that reach out to you with unsolicited job offers:

*   Don’t reply. Even if you reply ‘no’, all you’re doing is sending a signal that you’re reading their texts.
*   Never give out your personal information based on an unsolicited message.
*   Treat employers that want you to send them money before you can earn some with a healthy dose of suspicion. The same is true for those that pay a small amount and then ask for more in return.
*   Ignore offers that are too good to be true. They probably ARE too good to be true.
*   Is there a company name on the job ad? If not, question why.
*   If there is a company name mentioned, does the location of the company match the location of the phone number?

If you have already engaged with the scammers, there are some actions that can help you limit any damage:

*   Stop communication immediately.
*   Do not send money.
*   Contact your bank if you’ve shared any financial information.
*   Consider an identity monitoring service.
*   File a police/FTC report.
*   US recipients can forward scam texts to 7726 (SPAM).

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Tag

#android