The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 3,500 mobile phones.

Source: Coredesign via Shutterstock

Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought.

Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 3,500 devices from iVerify users who opted in to the checks.

Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices.

"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, Verify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."

**Pegasus Spyware Reach Underestimated?**

The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.

Pegasus, developed by NSO Group — an adversary that iVerify tracks as "Rainbow Ronin" — is a particularly nasty piece of spyware that allows the controller to exploit OS vulnerabilities and leverage zero-click attacks to access and extract whatever they want from an exploited mobile device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user's knowledge or interaction.

Pegasus gained initial notoriety in 2021 when security researchers found that it was being used by state-sponsored actors in illegal surveillance against journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced that show how governments have wielded the spyware, with journalists in particular in the crosshairs.

Related:Name That Edge Toon: Shackled!

Now iVerify's discovery suggests that state-sponsored actors not only are using mobile spyware in a narrow way to surveil the most high-profile of targets, but also could be spying on people within typically targeted populations who wouldn’t seem likely to be on their radar, Cole says.

"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.

Moreover, as iVerify’s investigation uncovered multiple Pegasus infections across several iOS versions, some dating back years, it's clear that traditional security measures often fail to detect such threats. This suggests that mobile device users themselves must be included in the detection of malware so they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.

**Hunt Your Own Device Threats**

Cole says that best practices for preventing spyware infections before they occur include regularly updating devices to the latest OS as soon as possible, as spyware often exploits unpatched vulnerabilities. And though EDR may not pick up every infection, it can be a useful tool for organizations to use alongside more proactive device-specific threat-hunting to "help detect and respond to threats in real time," he says.

Related:Microsoft Boosts Device Security With Windows Resiliency Initiative

Organizations also should educate employees, Cole adds, especially those in high-risk roles, about the risks and best practices for mobile security as an essential protection against spyware infections.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The mobile device security firm iVerify has been offering a tool since May that makes spyware scanning accessible to anyone—and it’s already turning up victims.

In recent years, commercial spyware has been deployed by more actors against a wider range of victims, but the prevailing narrative has still been that the malware is used in targeted attacks against an extremely small number of people. At the same time, though, it has been difficult to check devices for infection, leading individuals to navigate an ad hoc array of academic institutions and NGOs that have been on the front lines of developing forensic techniques to detect mobile spyware. On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company's customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware—as it did in the seven recent Pegasus discoveries.

“The really fascinating thing is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that’s been out there that mercenary spyware is being abused to target activists. It is doing that, absolutely, but this cross section of society was surprising to find.”

Seven out of 2,500 scans may sound like a small group, especially in the somewhat self-selecting customer base of iVerify users, whether paying or free, who want to be monitoring their mobile device security at all, much less checking specifically for spyware. But the fact that the tool has already found a handful of infections at all speaks to how widely the use of spyware has proliferated around the world. Having an easy tool for diagnosing spyware compromises may well expand the picture of just how often such malware is being used.

“NSO Group sells its products exclusively to vetted US & Israel-allied intelligence and law enforcement agencies,” NSO Group spokesperson Gil Lainer told WIRED in a statement. "Our customers use these technologies daily.”

iVerify says that it took significant investment to develop the detection tool because mobile operating systems like Android, and particularly iOS, are more locked down than traditional desktop operating systems and don't allow monitoring software to have kernel access at the heart of the system. Cole says that the crucial insight was to use telemetry taken from as close to the kernel as possible to tune machine learning models for detection. Some spyware, like Pegasus, also has characteristic traits that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But the challenge, Cole says, is in refining mobile monitoring tools to reduce false positives.

Developing the detection capability has already been invaluable, though. Cole says that it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, foiled assassination attempt by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspected nation state activity on the mobile devices of two Harris-Walz campaign officials—a senior member of the campaign and an IT department member—during the presidential race.

“The age of assuming that iPhones and Android phones are safe out of the box is over,” Cole says. “The sorts of capabilities to know if your phone has spyware on it were not widespread. There were technical barriers and it was leaving a lot of people behind. Now you have the ability to know if your phone is infected with commercial spyware. And the rate is much higher than the prevailing narrative.”

_Updated at 12:12 pm EST, December 4, 2024, to include a statement from NSO Group._

A New Phone Scanner That Detects Spyware Has Already Found 7 Pegasus Infections

SUMMARY Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report…

****SUMMARY****

*   **SpyLoan Rise:** SpyLoan apps have increased by 75% between Q2 and Q3 2024, targeting users globally.

*   **Play Store Threat:** 15 malicious loan apps on Google Play have been downloaded over 8 million times.

*   **How They Work:** These apps lure users with fake loan offers, harvest sensitive data, and exploit victims financially.

*   **Global Impact:** High prevalence reported in India, Mexico, the Philippines, Kenya, and seven other countries.

*   **Staying Safe:** Users should research apps, avoid granting excessive permissions, and use antivirus software.

Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report a whopping 75% rise in SpyLoan apps and infected devices between Q2 and Q3 of 2024. These apps lure users with promises of quick, hassle-free loans but are designed to harvest sensitive data, resulting in extortion, harassment, and financial losses.

This increase can be understood by the fact that researchers spotted 15 such apps on the official Google Play Store with over 8 million installations worldwide. These apps, especially targeting users in South America, Southern Asia, and Africa, use social engineering tactics to trick users into providing sensitive information and granting excessive permissions.

Malicious apps (Credit: McAfee)

Here’s a list of malicious PayLoan apps found on the Google Play Store:

1.  **Préstamo Seguro-Rápido, seguro** – Downloads 1M, Country: Mexico – Deleted
2.  **Préstamo Rápido-Credit Easy** – Downloads 1M, Country: Colombia – Available
3.  **ได้บาทง่ายๆ-สินเชื่อด่วน** – Downloads: 1M, Country: Senegal – Available
4.  **RupiahKilat-Dana cair** – Downloads: 1M, Country: Senegal – Available
5.  **ยืมอย่างมีความสุข – เงินกู้** – Downloads: 1M, Country: Thailand – Deleted
6.  **เงินมีความสุข – สินเชื่อด่วน** – Downloads: 1M, Country: Thailand – Deleted
7.  **KreditKu-Uang Online** – Downloads: 500K, Country: Indonesia – Deleted
8.  **Dana Kilat-Pinjaman kecil** – Downloads: 500K, Country: Indonesia – Available
9.  **Cash Loan-Vay tiền** – Downloads: 100K, Country: Vietnam – Available
10.  **RapidFinance** – Downloads: 100K, Country: Tanzania – Deleted
11.  **PrêtPourVous** – Downloads: 100K, Country: Senegal – Deleted
12.  **Huayna Money – Préstamo Rápido** – Downloads: 100K, Country: Peru – Deleted
13.  **IPréstamos: Rápido Crédito** – Downloads: 100K, Country: Chile – Available
14.  **ConseguirSol-Dinero Rápido** – Downloads: 100K, Country: Peru – Deleted
15.  **ÉcoPrêt Prêt En Ligne** – Downloads: 50K, Country: Thailand – Available

****How SpyLoan Apps Work****

These apps operate by using a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server. They often use deceptive marketing, mimicking reputable financial institutions, and are promoted through social media ads. Once installed, they request unnecessary permissions, such as access to contacts, SMS, storage, and even a microphone or camera.

The apps then use a similar onboarding process, including a countdown timer to create a sense of urgency and require users to provide sensitive identification documents and personal information. This data is then exfiltrated and used for financial exploitation, including hidden fees and high interest rates, as well as privacy violations, such as data misuse and harassment.

The consequences of using these apps can be devastating. Users have reported receiving threatening calls and death threats, having personal photos and IDs misused, and experiencing emotional and psychological distress. In some cases, victims have even reported suicidal thoughts.

The threat of SpyLoan apps is not limited to a single region. They have been reported globally, with localized adaptations. India, Mexico, Philippines, Indonesia, Thailand, Kenya, Colombia, Vietnam, Chile, and Nigeria are among the top 10 countries with the highest prevalence of fake loan apps.

****Law Enforcement Actions****

While law enforcement agencies have taken action against some of these operations, the threat persists. In Peru, authorities raided a call center engaged in extortion and fake loan app operations, detaining over 300 individuals. In Chile, the commission for the financial market has highlighted tens of fraudulent credit applications distributed on Google Play.

****Protecting Yourself****

To avoid falling victim to these predatory loan apps, users must be cautious when downloading financial apps. Here are some tips:

*   Read reviews and check ratings
*   Research the app and its developer thoroughly
*   Be wary of apps that request excessive permissions
*   Use reputable antivirus software to detect and block malicious apps
*   Never provide sensitive information without verifying the app’s legitimacy

1.  New Tool DVa Detects and Removes Android Malware
2.  Scammers Using Fake Loan Apps for Money Laundering
3.  These 8 Apps on Play Store Contain Android/FakeApp Trojan
4.  “Scary” FakeCall Android Malware Captures Photos and OTPs
5.  Octo2 Android Malware Uses Fake NordVPN App to Infect Phones

15 SpyLoan Apps Found on Play Store Targeting Millions

Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs.
"These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

Protect your social media presence with tools like privacy checkups, monitoring services, and digital footprint scanners. Stay secure by avoiding oversharing, limiting third-party app permissions, and using strong passwords.

Social media is where we connect, share, and sometimes overshare. It’s a space to celebrate birthdays, post selfies, or argue about whether pineapple belongs on pizza (it does, by the way). But while we’re busy scrolling and double-tapping, it’s easy to forget that social media can also be a minefield for privacy and security risks.

With **so many apps** and services available, it can be tough to know which ones are worth your time. Here’s a breakdown of some of the most effective tools to enhance your social media safety, including apps and services tailored to specific needs.

****Twitter Viewer Apps****

Twitter (now X) viewer apps are third-party tools that help you track your activity, analyze engagement, and monitor mentions. If you’re looking to keep an eye on Twitter activity—whether it’s for your account, parental monitoring, or just to make sure everything’s on the up and up—some tools can help.

Twitter viewer apps can track down social media profiles connected to a person. This is super helpful if you’re trying to figure out if a profile is fake or just want to do a little online sleuthing. Ademilade Shodipe-Dosunmu from Techopedia says the best **Twitter viewer apps** in 2024 should be compatible with both iOS and Android devices, prioritize security, and be user-friendly. 

****Privacy Checkup Tools****

Most major platforms have built-in privacy checkup tools that make it easy to review and update your privacy settings.

*   Facebook Privacy Checkup: This tool walks you through settings for posts, profile details, app permissions, and more.

*   Google Privacy Checkup: Perfect for reviewing privacy settings for YouTube, Google Photos, and connected apps.

*   Instagram Privacy Settings: Found under Settings > Privacy, this section lets you control who sees your content, tags you, or sends direct messages.

Regularly revisiting these tools ensures your account stays secure, especially when platforms roll out new features or privacy policies.

If you’re serious about tracking your online presence, social media monitoring tools are invaluable. These tools scan platforms for mentions of your name, brand, or specific keywords, helping you **spot fake accounts**, leaks, or negative content.

*   Mention and Brand24: Great for keeping tabs on mentions of your name or brand.

*   Hootsuite and Sprout Social: These tools combine monitoring with post-scheduling, making them ideal for managing your accounts professionally.

*   Google Alerts: Set up alerts for your name or other identifiers to stay informed about where you’re being mentioned online.

****Digital Footprint Scanners****

Your digital footprint includes everything about you that’s publicly accessible online. From old social media accounts to forgotten forum posts, these breadcrumbs can reveal more than you’d like. Digital footprint scanners help identify and clean up these traces.

*   Mine: This tool shows which companies and platforms have your data and helps you request its removal.

*   BrandYourself: Ideal for individuals looking to improve their online reputation, this tool scans for public mentions of your name and offers suggestions to optimize your footprint.

*   DeleteMe: Helps remove your personal information from data brokers and people-search websites.

****Lock Down Your Privacy Settings****

Privacy settings are your first line of defence against unwanted snoopers. Most social media platforms let you control who sees your posts, what information is visible on your profile, and who can tag you. But let’s be honest—how many of us have checked these settings?

On Instagram, switch to a private account if you want to approve followers before they can see your posts. You can also limit who can message you or tag you in photos. On Facebook, head to the “Privacy Checkup” tool. It walks you through everything, from post visibility to who can find you using your email or phone number.

On Twitter, make your account private if you don’t want strangers replying to your tweets. Only approved followers will see your posts. On TikTok, set your account to private in the settings, so only approved followers can watch your videos.

****Think Before You Post****

This one’s a classic but so important: **don’t overshare**. Posting about your exact location, showing off expensive purchases, or spilling too much personal info can make you a target for scammers, thieves, or stalkers.

Delay location tags. If you’re posting about your vacation, wait until you’re back home. No need to let everyone know your house is empty. Skip the personal details. Your birthdate, address, or phone number shouldn’t be public.

Scammers can use this info for **identity theft**. Be cautious with kids’ photos. If you’re sharing pictures of your kids, avoid posting school names, uniforms, or anything that reveals their location. If you wouldn’t want it shouted from a rooftop, think twice about sharing it online.

****Watch Out for Scams****

Social media is a playground for scammers. Fake giveaways, phishing links, or “urgent” messages from what looks like a trusted company—these are all common traps.

If something seems too good to be true, it probably is. “Win a free iPhone!” or “Click here for a $500 gift card” are almost always scams. Double-check links by hovering over them before clicking. If the URL looks suspicious or doesn’t match the supposed source, don’t click it. **Beware of fake accounts**. Scammers often create fake profiles that look like real people or companies. Verify their authenticity before engaging. When in doubt, ignore or report the suspicious activity. Better safe than sorry!

****Limit Third-Party Apps and Permissions****

Ever taken one of those fun “What’s your spirit animal?” quizzes or used an app to find your Instagram top nine? While they’re entertaining, they often ask for access to your account info—and not all of them are trustworthy. Take a few minutes to review which apps and services you’ve connected to your social media accounts.

On Facebook, for example, go to the “Apps and Websites” section in your settings and remove anything you don’t recognize or no longer use. Keep it clean and minimize potential vulnerabilities.

****Be Mindful of Your Friends List****

It’s tempting to accept every friend request or follow back everyone who follows you, but not everyone has good intentions. Do a little social media “spring cleaning” every now and then. Unfriend or unfollow accounts you don’t recognize. Avoid adding people you don’t know IRL. Watch out for accounts with no profile picture, minimal activity, or lots of generic comments—they’re likely bots or fake profiles.

****Monitor Your Accounts Regularly****

Even with all these precautions, it’s important to keep an eye on your accounts for any suspicious activity. Check your login history (most platforms show recent logins) and look out for things like messages you didn’t send, posts or comments you didn’t make, and changes to your profile info. If something seems off, change your password immediately and report the issue to the platform.

****Know How to Report and Block****

Don’t hesitate to use the report and block features on social media. If someone’s harassing you, sending spam, or acting shady, block them. You can also report problematic accounts or content. Whether it’s hate speech, **fake news**, or inappropriate behaviour, your report helps platforms identify and remove harmful users.

****Educate Yourself and Your Circle****

The more you know about social media safety, the better protected you’ll be—and the same goes for your friends and family. Share tips with your loved ones, especially if they’re not tech-savvy. Teaching someone how to set up 2FA or spot a phishing scam could save them from a lot of trouble.

1.  **Best SEO Experts to Follow on Twitter (X) in 2025**
2.  **4 Benefits of Having a Social Media Marketing Strategy**
3.  **Snapchat Safety for Parents: How to Safeguard Your Child**
4.  **Your Guide To Navigating Mastodon, an Alternative to Twitter**
5.  **Half of Online Child Grooming Cases Now** **Happen** **on Snapchat**
6.  **How businesses should deal with negative feedback on social media**

Tips and Tools for Social Media Safety

Google reveals GLASSBRIDGE: A network of thousands of fake news sites pushing pro-China narratives globally. These sites, run by PR firms, spread disinformation and lack transparency.

****Summary****

*   **Google has uncovered a network of over 1,000 fake news websites spreading pro-China narratives.**

*   **The sites are operated by four PR firms acting on behalf of an unknown client.**

*   **These firms create websites that mimic legitimate news outlets and publish a mix of repurposed and pro-China content.**

*   **Google has blocked the sites from appearing on its news platforms due to policy violations.**

*   **The operation highlights the use of PR firms to spread disinformation and obscure the source of the content.**

Google’s Threat Intelligence Group (TAG), in collaboration with its **cybersecurity firm Mandiant**, has discovered a large-scale network of fake news websites operated by four different public relations (PR) firms spreading propaganda aligned with the interests of the Chinese government.

Dubbed GLASSBRIDGE, this network of PR firms has been creating and distributing inauthentic content globally to shape public opinion on key geopolitical issues. Since 2022, Google has banned and deindexed over 1,000 websites linked to GLASSBRIDGE from appearing in Google News and Google Discover for violating policies against deceptive practices and lack of editorial transparency.

These sites pose as independent media outlets but push narratives that align with Beijing’s political agenda, including topics like Taiwan, the South China Sea, and COVID-19. It is worth noting that this news emerged just weeks after **reports revealed** North Korean hackers using fake news to distribute malware.

“These campaigns show how private PR firms are being used to conduct coordinated influence campaigns,” Google said in a **blog post**. “By using these firms, the actors behind the information operations gain deniability, obscuring their role in spreading inauthentic content.”

The campaigns rely on newswire services to syndicate their content, with two PR firms directly operating these services. The fake news network targets audiences in over 30 countries, including the United States, Australia, Germany, Japan, and Brazil, as well as Chinese-speaking diasporas worldwide.

The four firms within the GLASSBRIDGE network are:

****1. Shanghai Haixun Technology****

Shanghai Haixun Technology is the most prolific PR firm in the network, with more than 600 domains linked to its operations already removed by Google. These sites target both English- and Chinese-speaking audiences, as well as countries across Asia, Europe, and the Americas.

Haixun’s websites are often filled with low-quality, repetitive content that mixes irrelevant filler articles with pro-China stories. The firm has also been caught using freelance platforms such as Fiverr to hire social media accounts to amplify its messaging.

In July 2023, Haixun’s influence campaigns were spotted infiltrating legitimate news outlets through subdomains provided by its newswire services, Times Newswire and World Newswire, allowing it to piggyback on the credibility of established media brands.

****2. Times Newswire and Shenzhen Haimai Yunxiang Media****

Google researchers identified Times Newswire and its operator, Shenzhen Haimai Yunxiang Media, as key players in distributing pro-China propaganda. These entities were tied to the PAPERWALL campaign, a network of over 100 fake websites **reported** by Citizen Lab earlier this year.

These fraud sites, which spanned more than 30 countries, published a combination of copied local news, conspiracy theories, and smear campaigns targeting individuals critical of Beijing. Many of these articles were short, appearing briefly on the sites before being removed to avoid detection.

****3. DURINBRIDGE****

DURINBRIDGE, another PR and marketing firm in the network, operates over 200 fake news sites. While most of its content consists of press releases and generic news, a portion is dedicated to spreading pro-China narratives, including articles linked to **DRAGONBRIDGE**, a long-standing influence operation tracked by Google.

These sites have also been used to promote politically motivated smear campaigns, such as targeting Taiwanese presidential candidates in the lead-up to elections.

****4. Shenzhen Bowen Media****

Shenzhen Bowen Media controls a network of more than 100 imitation news sites designed to cater to specific countries and cities. Articles are published in local languages, including French, German, Japanese, and Thai, to appear more credible to regional audiences.

The content often blends legitimate-looking local news with pro-Beijing narratives sourced from its newswire service, World Newswire, which is also used by Haixun.

Campaign flow and 2 fake news sites in German and Portuguese language targeting Brazilian readers (Screenshot: Google)

**The Bigger Picture**

This operation is part of a growing trend where nation-states outsource influence campaigns to private PR firms, allowing deniability. By using fake news sites instead of traditional social media disinformation, these campaigns can target audiences more effectively, tailoring content to local languages and issues.

The operation also refreshes the memory of The EU DisinfoLab, a Brussels-based NGO specializing in disinformation research, which **exposed** a massive pro-Indian influence operation known as “Indian Chronicles.” This extensive campaign, active for over 15 years, aimed to discredit Pakistan and influence international institutions, including the United Nations and the European Parliament.

Google’s action to block these websites from its news platforms shows disinformation campaigns are a reality. The exposure of the GLASSBRIDGE network. For readers, the lesson is to critically evaluate the sources of news and verify information across multiple outlets.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **Hackers used fake job websites to scam jobless US veterans**
3.  **SEC Twitter Hacked, Spreads Fake News About Bitcoin ETFs**
4.  **Android XHelper App Exposed as Money Laundering Network**
5.  **Fake News Site Hit Android and Windows Users with Malware**

GLASSBRIDGE: Google Blocks Thousands of Pro-China Fake News Sites

Google has introduced a new feature called Restore Credentials to help users restore their account access to third-party apps securely after migrating to a new Android device.
Part of Android's Credential Manager API, the feature aims to reduce the hassle of re-entering the login credentials for every app during the handset replacement.
"With Restore Credentials, apps can seamlessly onboard

Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Malware exploits legitimate Avast anti-rootkit driver to disable security software. Trellix researchers uncover the attack and provide mitigation steps.

****Summary:****

*   **Malware exploits a legitimate Avast Anti-Rootkit driver to gain kernel-level access**.

*   **Driver is used to terminate critical security processes and seize control of the system**.

*   **BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms can prevent driver-based attacks**.

*   **Expert rules can be deployed to identify and block vulnerable drivers.**

Cybersecurity researchers at Trellix have identified a malicious campaign that exploits a legitimate Avast Anti-Rootkit driver, aswArPot.sys, to disable security software and take control of infected systems.

****How the Attack Works:****

The malware, dubbed “kill-floor.exe,” begins by dropping the aswArPot.sys driver into an apparently harmless Windows directory, disguising it as “ntfs.bin.” It then registers the driver as a service, granting the malware kernel-level access – the highest level of system privilege allowing it to terminate critical security processes and take control of the system.

The malware contains a hardcoded list of 142 security applications it targets for termination. The malware continuously monitors active processes and compares them against this list. When a match is found, the malware uses the Avast Anti-Rootkit driver to terminate the security process.

Simply put: The Avast driver, meant to remove malicious rootkits, unintentionally disables legitimate security software. Malware takes advantage of this trusted driver to avoid detection and work quietly within the system.

****Technical Look****

Trellix’s **technical analysis** of the Avast driver revealed the specific function, “FUN\_14001dc80,” responsible for terminating the security processes. This function utilizes standard Windows kernel functions (KeAttachProcess and ZwTerminateProcess) to carry out the termination, further masking the malicious activity as normal system operations.

****Protecting Yourself****

To prevent such driver-based attacks, Trellix recommends the use of BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms. These mechanisms can identify and block specific vulnerable drivers based on their unique signatures or hashes.

Once these rules are integrated into your antivirus solution, organizations can prevent malware from exploiting legitimate drivers, elevate privileges, or disable security measures. Trellix has also provided a specific BYOVD expert rule to detect and block the malicious use of the aswArPot.sys driver.

1.  After Avast, the NordVPN server gets hacked
2.  Fake Antivirus Sites Spread Malware Disguised as Avast
3.  SpyNote Android Spyware Poses as Legit Crypto Wallets
4.  Avast hacked after attackers gained domain admin privileges
5.  Chinese APT Flax Typhoon uses legit tools for cyber espionage

Malware Exploits Trusted Avast Anti-Rootkit Driver to Disable Security Software

Plus: The worst telecom hack in US history rolls on, iPhones are harder to break into, and more of the week’s top security news.

A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org uncovered that US companies legally collecting digital ad data are enabling adversaries to cheaply track American military and intelligence personnel. A collaborative analysis of billions of location coordinates from a US-based data broker revealed detailed tracking of thousands of devices from sensitive US sites in Germany, including NSA facilities and bases reportedly housing US nuclear weapons.

Elsewhere, social media giant Meta has disclosed for the first time its efforts to combat the forced-labor compounds driving the surge in pig butchering scams on its platforms. The company revealed that it has been quietly collaborating with global law enforcement, tech industry partners, and external experts for over two years to dismantle the crime syndicates behind these operations in Southeast Asia and the UAE. This year alone, Meta reports it has taken down more than 2 million accounts linked to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE.

At the Cyberwarcon security conference on Friday, the cybersecurity firm SpyCloud shared findings about publicly accessible black market services offering low-cost access to sensitive information on Chinese citizens, including phone numbers, banking details, hotel and flight records, and even real-time location data. According to the firm’s researchers, these services seem to obtain their data through insiders within Chinese surveillance agencies and government contractors, who sell their access. Also at the conference, cybersecurity firm Volexity uncovered that a Russian hacking group has reportedly developed a novel Wi-Fi-hacking technique that involves taking control of a nearby laptop and using it as a bridge to infiltrate a targeted Wi-Fi network. Dubbed a “nearest neighbor attack,” the method was uncovered during a 2022 investigation by the firm into a network breach of an unnamed Washington, DC. client. And finally, researchers explored how the US is calling out foreign influence campaigns faster than they ever have—but there’s plenty of room for improvement.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**“King of Toxic Masculinity” Gets Hacked**

Hacktivists have breached an online “educational platform” founded by the misogynistic right-wing influencer Andrew Tate reportedly revealing the email addresses of hundreds of thousands of users as well as the contents of the platforms’ private chat servers. Data from the hack, first reported by the Daily Dot, has now been published by the transparency nonprofit Distributed Denial of Secrets.

Andrew Tate, the so-called “king of toxic masculinity,” is currently under house arrest in Romania and faces two separate criminal charges, including allegations of forming an organized criminal group and trafficking women across Romania, the UK, and the US.

The compromised platform, a subscription-based service known as The Real World (formerly called Hustler's University), describes itself as a “global community” focused on “personal growth.” According to its website, members receive expert training, mentorship, and access to a wide range of educational courses for around $50 per month.

According to the Daily Dot, hacktivists announced their breach of the platform on Thursday by disrupting the course's main chatroom with a barrage of uploaded emojis while Tate was livestreaming an episode of his show _Emergency Meeting_ on Rumble. The emojis included a transgender pride flag, a feminist fist, an AI-generated image of Tate wrapped in a rainbow flag.

Data from the breach, verified by WIRED, includes more than 700,000 usernames and reportedly includes messages from 221 public and 395 private chat servers. An analysis by the Daily Dot reveals a mix of content within the chat logs, ranging from motivational quotes and personal progress updates to grievances about the “LGBTQ agenda.” WIRED is continuing to analyze the leaked material.

**The “Worst Telecom Hack in US History” Is Still Ongoing**

Chinese government hackers have infiltrated over a dozen US telecommunications companies in what a senior senator is calling the worst telecom breach in American history—and they’re still inside the networks. The hacking group, Salt Typhoon, has been able to eavesdrop on audio calls in real time and obtain millions of records of call and text metadata from targeted individuals, according to a Washington Post interview with Senator Mark Warner of Virginia, chairman of the Senate Intelligence Committee.

Fewer than 150 victims have been identified and notified by the FBI so far—most of them in the DC region—including president-elect Donald Trump, his vice president-elect, JD Vance, as well as people working for Vice President Kamala Harris and state department officials.

Warner said, however, that the effort was not directly election-related, as the hackers got into some telecom systems more than a year ago.

**Leaked Documents Show GrayKey Struggles to Access Modern iPhones**

Leaked documents obtained by 404 Media reveal that GrayKey, a phone-hacking tool used by law enforcement to extract data from devices in their possession, can at the moment only partially access information from modern iPhones running iOS 18.0 and 18.0.1.

While the precise details of exactly how Graykey operates are unknown, the tool reportedly brute-forces iPhone or Android passcodes to unlock them—essentially hacking the phone—allowing law enforcement to then access and extract encrypted device data. While the specific types of data accessible during a “partial” extraction are unclear, it likely includes unencrypted files and metadata, such as file sizes and folder structures.

The document provides context to an ongoing cat-and-mouse dynamic between forensic technology companies and mobile device manufacturers. With each new software update, tools like GrayKey are temporarily thwarted, prompting developers to quickly adapt their technology to catch up. At the moment it appears that they have not. This leak follows another report from 404 Media about a feature in iOS 18 called “inactivity reboot,” which forces devices to restart after four days of inactivity, adding another layer of difficulty for law enforcement attempting to access data on seized devices.

**Europe Probes Undersea Cable Sabotage**

European authorities are investigating suspected sabotage to two undersea fiber-optic cables: one linking Finland and Germany, and the other connecting Sweden and Lithuania. Russia—widely suspected as the likely perpetrator—denies involvement, dismissing the allegations as “ridiculous.”

The incident began on Sunday when two telecommunications companies detected traffic disruptions likely caused by physical damage to undersea cables. One of the affected cables, known as C-Lion—a vital 730-mile link between Finland and Central Europe—runs alongside other critical infrastructure, including gas pipelines and power lines.

By Wednesday, the Danish navy had reportedly intercepted a Chinese cargo ship in connection with the disruptions. The vessel, which had most recently docked in Russia before the incident, was near the damaged area at the time. It is now under investigation, with its crew being questioned about their possible involvement.

Tag

#android