Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android.
The tech giant said it will begin using Gemini Nano, its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops.
"The on-device approach provides instant insight on risky websites and allows us to offer

Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android

As per a recent FBI warning, criminals are phishing users of payroll, and similar platforms to not only steal their credentials but also their funds.

The relentless battle against online fraud is a constant evolution, a digital chase where security teams and malicious actors continually adapt. The increasing sophistication of attacks is blurring the lines between legitimate user behavior and impersonation attempts.

The campaign we are exposing today is a reminder that even the most advanced security technologies do not dissuade threat actors. We discovered a new phishing kit targeting payroll and payment platforms that aims to not only steal victims’ credentials but also to commit wire fraud.

Our investigation began with a fraudulent search ad for Deel, a payroll and human resources company. Clicking on the ad sent employees and employers to a phishing website impersonating Deel.

Beside stealing usernames, passwords and circumventing two factor authentication, we identified malicious code capable of performing additional nefarious actions unbeknownst to the victim. Using a fully authenticated web worker, this phishing kit is using a legitimate hosted web service called Pusher with the intent of manipulating sensitive profile data fields related to banking and payment information.

While we were working this case, the FBI issued a public service announcement (PSA250424) warning people that cyber criminals are _using search engine advertisements to impersonate legitimate websites_ and _expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire transactions or redirecting payments_.

The Google ad was taken down quickly, and we have informed Deel and MessageBird (Pusher’s parent company) about the misuse of their respective platforms.

Deel is a US-based payroll and human resources company founded in 2019 Deel whose platform is designed to streamline the complexities of managing a global workforce, offering solutions for payroll, HR, compliance, and more.

We first identified a malicious Google Search ad for Deel in mid April for the keywords ‘_deel login_‘. The top link is a sponsored search result, appearing just above the organic search result for Deel’s official website.

The URL in the ad (_deel\[.\]za\[.\]com_) uses the .ZA.COM subdomain of .COM targeting South Africa, essentially an alternative to the .CO.ZA extension. That URL is used as a redirect only, allowing the threat actors to use cloaking in order to redirect clicks to decoy websites (white page) or phishing domains they can rotate.

**Phishing portal and 2FA**

The first phishing domain we saw was _login-deel\[.\]app_ but at the time we checked it did not resolve. Shortly thereafter, the same Google ad URL pointed to a new domain, _accuont-app-deel\[.\]cc_.

The phishing page is a replica of Deel’s login page with one minor difference: _the Log in using Google_ and _Continue with QR code_ options are disabled, only leaving the user name and password fields for authentication.

After entering their credentials, victims are social engineered by the crooks to type a security code that was sent to their email address. While two-factor authentication is a great added security feature, we can see that it can be rendered useless when victims authenticate into the wrong website.

On the surface, this looks just like another phishing site, until you look deeper and discover more intriguing code.

**Traffic analysis**

To better understand how this phishing kit works, we recorded a network capture showing the web requests sent and received. This allowed us to identify several interesting components that make this phishing campaign unique.

Of particular interest are several JavaScript libraries, namely _pusher.min.js_, _Worker.js_ and _kel.js_.

The phishing kit uses anti-debugging techniques to prevent us from stepping through its code. This is a common practice to hide malicious intent and makes analysis more time consuming.

**Scripts analysis**

Looking at the files that the anti-debugger is trying to conceal, we see that only one is human readable, while the other two are heavily obfuscated using _obfuscator.io_. The _pusher.min.js_ JavaScript file is a legitimate library from Pusher, a hosted web service that uses APIs, developer tools and libraries to manage connections between servers and clients using technologies like WebSockets.

There seems to be two different types of sessions, based on the functions named _createBankSession_ and _createCardSession_. When attempting to login into the phishing site, we see a session\_type value of “bank” which belongs to the former function.

The _kel.js_ and Worker.js files are both used for authenticating the victim into the real Deel website while a web worker communicates with the threat actor’s infrastructure for processing the credentials and to receive the OTP code to get past two-factor authentication.

WebSockets are a persistent communication protocol that allows for full-duplex communication between a user’s browser and a server. This means data can be pushed from the server to the client in real-time without the client having to constantly request it.

Here’s an example of a WebSocket communication where the user provided the wrong login credentials:

The conversation begins with a pusher:connection_established message, confirming a successful connection to the Pusher real-time service and providing a unique socket_id and an activity_timeout of 120 seconds.

Next, a pusher:subscribe message shows the client requesting to listen for events on a specific channel identified by a unique session ID, indicating a desire to receive real-time updates for that session.

The server then acknowledges this request with a pusher_internal:subscription_succeeded message for the same channel, confirming that the client is now successfully subscribed and will receive broadcasts.

Finally, an events message is received on that session channel, carrying data indicating a “wrongLogin” event has occurred and instructing the client-side application to “Show” something, likely an error message to the user in real-time.

**Additional targets**

This phishing kit is unique and can be tracked with the following characteristics:

*   Obfuscator.io
*   Pusher WebSockets
*   _Worker.js_ library
*   _kel.js_/_otp.js_/_auth.js/jquery.js_ library

We identified several other targets, related to payroll, HR, billing, payment solutions and even commerce platform Shopify. The earliest use we could find goes back to July 2024, but it appears to have flown under the radar.

**Justworks**: Payroll, benefits, HR, and compliance — all in one place.

**Marqeta**: End to end credit and payment solutions integration into business processes

**Shopify**: Commerce platform

**OmniFlex** (Worldpay): online point of sale solution

**Conclusion**

The FBI’s PSA highlights several key measures businesses can adopt to protect users related to the following:

*   Domain spoofing: Brand impersonation is a real problem that companies need to proactively lookout for.
*   Notifications: Victims need to be alerted in several different ways in a timely manner.
*   Education: Phishing is getting more sophisticated and users need to be aware of how to best protect themselves.

In that same report, the FBI advises consumers to check the URL to make sure the site is authentic before clicking on an advertisement. This is usually a sound practice, but as we have documented it on this blog many times, URLs within ads can be spoofed also.

Ultimately, the discovery of this phishing kit, with its advanced capability to interact with financial data, reinforces a critical message: online security is a shared responsibility. Users must exercise caution and critical thinking in their online interactions while enhancing their security with available tools; platforms must remain committed to detecting and preventing abuse.

Browser extensions such as Malwarebytes Browser Guard will block ads but also the scams or malware sites associated with these schemes.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Indicators of Compromise**

Redirect

deel\[.\]za\[.\]com

Phishing domains

login-deel\[.\]app  
accuont-app-deel\[.\]cc  
justvvokrs-login\[.\]cc  
vye-starr\[.\]net  
maqreta\[.\]com  
ctelllo\[.\]com  
angelistt\[.\]com  
account\[.\]datedeath\[.\]com  
account\[.\]turnkeycashsite\[.\]com  
admin-shopffy\[.\]cc  
biilll\[.\]com  
app-parker\[.\]com  
shluhify\[.\]com  
login-biil\[.\]net  
founderga\[.\]com  
admin-shoopiffy\[.\]com  
access-shupfify\[.\]com  
virluaterminal\[.\]net

Worker.js (SHA256)

56755aaba6da17a9f398c3659237d365c52d7d8f0af9ea9ccde82c11d5cf063f

kel.js/otp.js/auth.js/jquery.js (SHA256)

72864bd09c09fe95360eda8951c5ea190fbb3d3ff4424837edf55452db9b36fb  
6fb006ecc8b74e9e90d954fa139606b44098fc3305b68dcdf18c5b71a7b5e80f  
908a128f47b7f34417053952020d8bbdacf3aed1a1fcf4981359e6217b7317c9  
5dadc559f2fb3cff1588b262deb551f96ff4f4fc05cd3b32f065f535570629c3  
0ef66087d8f23caf2c32cc43db010ffe66a1cd5977000077eda3a3ffce5fa65f  
95d008f7f6f6f5e3a8e0961480f0f7a213fa7884b824950fe9fb9e40d918a164  
3e4e78a3e1c6a336b17d8aed01489ab09425b60a761ff86f46ab08bfcf421eac  
a37463862628876cecfc4f55c712f79a150cdc6ae3cf2491a39cc66dadcf81eb  
15606c5cd0e536512a574c508bd8a4707aace9e980ab4016ce84acabed0ad3be  
81bcf866bd94d723e50ce791cea61b291e1f120f3fc084dc28cbe087b6602573  
1665387c632391e26e1606269fb3c4ddbdf30300fa3e84977b5974597c116871  
c56e277fd98fc2c28f85566d658e28a19759963c72a0f94f82630d6365e62c4f

 Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds 

We're rolling out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.

Sponsored ads on Google search don’t just irritate users—they also provide a dangerous opportunity for cybercriminals to spread malware and scams to their unsuspecting victims. What looks like a harmless search result can be a carefully disguised trap.  

At Malwarebytes, our researchers have uncovered a variety of threats hiding in plain sight within these sponsored ads, including Mac stealers distributed through Google Ads, scams targeting popular utility software, and tech support traps.  

In some cases, scammers use advanced AI tools like DeepSeek AI to create convincing ads and web pages, increasing the risk to unsuspecting users.  

That’s why we’re excited to roll out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.  

If you’ve used our iOS app before, you already know it blocks ads on webpages and ad trackers. But with our newest feature, we’re extending protection to cover those annoying and potentially dangerous sponsored ads listed on search results.  

Now, with just a simple toggle, you can make those annoying sponsored ads disappear from your Safari browsing experience.  

**Try it for yourself**: Download Malwarebytes for iOS and enjoy this feature—alongside scam text filtering, a privacy VPN, and call protection—with a free seven-day trial.  

Existing users should already have this feature option in their app—check it out now!

**Don’t have an iOS device?** Download our free Browser Guard extension for ad blocking and scam protection while browsing on your desktop.

 Tired of Google sponsored ads? So are we! That’s why we’re introducing the option to block them on iOS     

Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a…

Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials.

Cybersecurity researchers at Morphisec have identified a new malware campaign utilizing fake and malicious artificial intelligence (AI) platforms to distribute a new information stealer dubbed Noodlophile Stealer.

This sophisticated tactic exploits the surging popularity of AI tools to trick users into downloading malware that can steal browser credentials, and cryptocurrency wallets, and potentially deploy remote access tools like XWorm.

****How Does it Work?****

Morphisec’s threat analysis, shared with Hackread.com ahead of its publishing on 8 May 2025, details how cybercriminals are creating convincing fake AI websites, often advertised through Facebook groups with global reach (some posts exceeding 62,000 views on a single post).

These platforms lure users with promises of free AI video and image generation, prompting them to upload their own images. Instead of the expected AI-processed content, victims unknowingly download a malicious ZIP archive containing the Noodlophile Stealer.

Source: Morphisec

This campaign stands out due to its exploitation of AI as a social engineering lure, targeting a potentially more trusting audience of creators and small businesses exploring AI, mainly within Facebook communities.

Morphisec report notes that Noodlophile Stealer is a newly documented malware combining credential theft, wallet exfiltration, and optional remote access deployment. Notably, it exfiltrates stolen information through a Telegram bot.

Open-source intelligence (OSINT) investigations led Morphisec to identify the developer behind Noodlophile, likely of Vietnamese origin, who was observed promoting this method in Facebook posts and on online cybercrime marketplaces. The developer’s profile also reveals further involvement in malware sales and distribution, with links found in Facebook groups leading directly to their profile.

Source: Morphisec

****Multi-Stage Attack Designed for Evasion****

The attack chain involves a multi-stage infection process designed for stealth and persistence. Users interacting with the fake AI site download a ZIP file (VideoDreamAI.zip) containing a deceptive executable (Video Dream MachineAI.mp4.exe), which is a repurposed version 445.0 of the legitimate video editing tool, CapCut, and is even signed using a certificate created via Winauth.

This executable then drops further malicious components from a hidden folder named 5.0.0.1886, including CapCut.exe (a wrapper for embedded .NET malware), AICore.dll (a command execution helper), and disguised files like Document.docx (a batch script) and Document.pdf (a password-protected archive).

The install.bat script, launched by CapCutLoader (within CapCut.exe, which first verifies internet connectivity by pinging google.com up to 10 times), decodes the archive (password: TONGDUCKIEMDEVELOPER2025), establishes persistence, and downloads and executes a Python payload (srchost.exe) containing the Noodlophile Stealer and the XWorm loader.

These final payloads operate in memory to evade detection, with the XWorm loader employing techniques like shellcode injection and PE hollowing (especially targeting RegAsm.exe if Avast is present).

The Noodlophile Stealer and its use of fake AI platforms is just another cybersecurity threat against unsuspected users. Therefore, one must remain cautious at all times, refrain from downloading tools directly from social media posts or third-party platforms, and always use official websites to download files.

Even after downloading a file from a verified source, do not execute/install the program on your device before scanning it on websites like VirusTotal or ANY.RUN.

Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

> “This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp hack: Meta wins payout over NSO Group spyware 

A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents.

*   Cisco Talos identified a spam campaign targeting Brazilian users with commercial remote monitoring and management (RMM) tools since at least January 2025. Talos observed the use of PDQ Connect and N-able remote access tools in this campaign. 
*   The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox. 
*   Talos has observed the threat actor abusing RMM tools in order to create and distribute malicious agents to victims. They then use the remote capabilities of these agents to download and install Screen Connect after the initial compromise.
*   Talos assesses with high confidence that the threat actor is an initial access broker (IAB) abusing the free trial periods of these RMM tools. 

Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2). 

Figure 1. Spam message purporting to be from a cell phone provider. 

Figure 2. Spam message masquerading as a bill from a financial institution. 

Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool. The file names also contain references to NF-e in their names: 

*   AGENT\_NFe\_<random>.exe 
*   Boleto\_NFe\_<random>.exe 
*   Eletronica\_NFe\_<random>.exe 
*   Nf-e<random>.exe 
*   NFE\_<random>.exe 
*   NOTA\_FISCAL\_NFe\_<random>.exe 

_Note: <random> means the filename uses a random sequence of letters and numbers in that position._ 

The victims targeted in this campaign are mostly C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. This assessment is based on the most common recipients found in the messages Talos observed during this campaign. 

Figure 3. Targeted recipients.

This campaign's objective is to lure the victims into installing an RMM tool, which allows the threat actor to take complete control of the target machine. N-able RMM Remote Access is the most common tool distributed in this campaign and is developed by N-able, Inc., previously known as SolarWinds. N-able is aware of this abuse and took action to disable the affected trial accounts. Another tool Talos observed in some cases is PDQ Connect, a similar RMM application. Both provide a 15-day free trial period.

To assess whether these actors were using a trial version rather than stolen credentials to create these accounts, Talos checked samples older than 15 days and confirmed all of them returned errors that the accounts were disabled, while newer samples found in the last 15 days were all active.

Talos also examined the email accounts used to register for the service. They all use free email services such as Gmail or Proton Mail, as well as usernames following the theme of the spam campaign, with few exceptions where the threat actors used personal accounts. These exceptions are potentially compromised accounts which are being abused by the threat actors to create additional trial accounts. Talos did not find any samples in which the registered account was issued by a private company, so we can assess with high confidence these agents were created using trial accounts instead of stolen credentials.

_N-able is aware of this abuse and took action to disable the affected trial accounts._

Talos found no evidence of a common post-infection behavior for the affected machines, with most machines staying infected for days before any other malicious activity was executed by the tool. However, in some cases, we observed the threat actor installing an additional RMM tool and removing all security tools from the machine a few days after the initial compromise. This is consistent with actions of initial access broker (IAB) groups. 

An IAB's main objective is to rapidly create a network of compromised machines and then sell access to the network to third parties. Threat actors commonly use IABs when looking for specific target companies to deploy ransomware on. However, IABs have varied priorities and may sell their services to any threat actors, including state-sponsored actors.  

Adversaries’ abuse of commercial RMM tools has steadily increased in recent years. These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.  

Talos created a trial account to test what features were available for a trial user. In the case of the N-able remote access tool, the trial version offers a full set of features only limited by the 15-day trial period. Talos was able to confirm that by using a trial account, the threat actor has full access to the machine, including remote desktop like access, remote command execution, screen streaming, keystroke capture and remote shell access. 

Figure 4. N-able management interface showing available remote access tools. 

Figure 5. Administrative shell executed on a remote machine. 

The threat actor also has access to a fully featured file manager to easily read and write files to the remote file system. 

Figure 6. N-able file manager. 

The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider. For example, N-able Remote Access uses a domain associated with its management interface, hosted on Amazon Web Services (AWS): 

*   hxxps://upload1\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload2\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload3\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload4\[.\]am\[.\]remote\[.\]management/ 

_**Disclaimer**: The URLs above are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. Customers must complete an assessment before enabling block signatures for these domains._ 

The domain the agent uses is the same for any customer using the tool, with only the username and API key differentiating which customer the agent belongs to, as can be seen in Figure 7. This makes it even more difficult to identify the origin of the attacks and perform threat actor attribution.

Figure 7. Example configuration file. 

By extracting the configuration files inside the agent installer files still available on Dropbox, we can see some email addresses follow the same theme of the spam emails, using names of finance-related users and domains, while others could be potentially compromised accounts being used to create trial accounts for N-able Remote Access.  

With these trial versions being limited only by time and providing full remote-control features with little to no cost to the threat actors, Talos expects these tools to become even more common in attacks. 

Cisco Secure Firewall Application control is able to detect the unintended usage of RMM tools in customer's networks. Instructions on how to set up Application control can be found at Cisco Secure Firewall documentation. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

ClamAV detections are also available for this threat:  

Txt.Backdoor.NableRemoteAccessConfig-10044370-0  
Txt.Backdoor.NableRemoteAccessConfig-10044371-0   
Txt.Backdoor.NableRemoteAccessConfig-10044372-0 

**Indicators of Compromise **

_**Disclaimer**: The URLs below are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. An assessment must be done by customers before enabling block signatures for these domains._ 

_IOCs for this threat can be found on our GitHub repository_ _here__._ 

**Network IOCs **

hxxps://upload1\[.\]am\[.\]remote\[.\]management/   
hxxps://upload2\[.\]am\[.\]remote\[.\]management/   
hxxps://upload3\[.\]am\[.\]remote\[.\]management/   
hxxps://upload4\[.\]am\[.\]remote\[.\]management/   
198\[.\]45\[.\]54\[.\]34\[.\]bc\[.\]googleusercontent\[.\]com 

**RMM Installer - Hashes **

03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e   
0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10   
080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39   
0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412   
1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23   
14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878   
2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77   
4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b   
51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd   
527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff   
57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683   
63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea   
79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63   
a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a   
b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589   
c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef   
ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5   
d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c   
e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c   
e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd   
ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f   
f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf   
f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c   
F68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf   
a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures.
"LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat

Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware

Security leaders must address both internal and external risks, ranging from sophisticated cyberattacks to insider threats. At the same time, they must also adhere to an ever-growing list of regulations, including the General Data Protection Regulation (GDPR), the EU Cyber Resilience Acts (CRA) and industry-specific mandates like Payment Card Industry Data Security Standard (PCI DSS) and the Digital Operational Resilience Act (DORA). Balancing these concerns requires a strategic approach that integrates security and compliance without compromising operational efficiency.External threatsCybercr

Security leaders must address both internal and external risks, ranging from sophisticated cyberattacks to insider threats. At the same time, they must also adhere to an ever-growing list of regulations, including the General Data Protection Regulation (GDPR), the EU Cyber Resilience Acts (CRA) and industry-specific mandates like Payment Card Industry Data Security Standard (PCI DSS) and the Digital Operational Resilience Act (DORA). Balancing these concerns requires a strategic approach that integrates security and compliance without compromising operational efficiency.

**External threats**

Cybercriminals change up their tactics continuously, leveraging ransomware, phishing and software supply chain attacks to exploit known or emerging vulnerabilities. High-profile security breaches, such as those impacting financial institutions and healthcare organizations, highlight the need for robust cybersecurity measures. Security leaders must implement strong access controls, real-time threat detection and incident response strategies to mitigate risks.

**Internal threats**

Not all threats originate from external actors. Insider threats, whether malicious or accidental, also pose a significant risk. Employees may mishandle sensitive data, click on phishing links or abuse their access privileges. Organizations must deploy user behavior analytics (UBA) and data loss prevention (DLP) tools to monitor and help prevent these and other internal risks.

Here are some ways you can use technology to better address some security and compliance challenges:

**Artificial intelligence (AI)**

AI-driven security tools enhance threat detection by analyzing patterns in real time, identifying anomalies and predicting potential cyberattacks before they occur. Machine learning (ML) models can also help organizations comply with regulations by automating data classification and enforcing data protection measures.

While AI can help protect against attacks, it is also being used by cybercriminals, including novice threat actors, to execute sophisticated attacks with minimal expertise. AI-powered phishing campaigns and chatbots can craft highly convincing emails that evade traditional detection systems. It’s also feasible for AI-generated deepfakes  to be used for identity fraud attempts, as they can enable  attackers to potentially bypass authentication systems relying on various physical characteristics

**Zero trust security model**

A zero trust security framework is one in which no user or device is inherently trusted (“never trust, always verify”). By implementing strict access controls, continuous authentication and network segmentation, organizations can reduce both external and internal threats while simplifying compliance maintenance.

**Automated compliance management**

Regulatory compliance is a continuous process that requires consistent monitoring and reporting. Compliance automation platforms streamline policy enforcement, audit readiness and risk assessments, reducing the burden on security teams and minimizing the risk of non-compliance penalties.

**Why CISOs are deprioritizing generative AI**

Despite the rapid advancements in AI technology, many Chief Information Security Officers (CISOs) are deprioritizing generative AI (gen AI) due to a lack of proven value in security operations.Additionally, CISOs are wary of the risks associated with AI-generated content, including misinformation, adversarial attacks and compliance errors. Without clear regulatory frameworks and proven security use cases, many security leaders prefer to focus on more established technologies.

**What you can do**

Here are some ideas about how you can mitigate some of these issues.

**Invest in automation**

Organizations should explore automated security solutions such as Red Hat Ansible Automation Platform and Event-Driven Ansible that can streamline compliance reporting, detect threats in real time, and reduce human error in security operations.

**Adopt Kubernetes for security and scalability**

Containerized applications running on Kubernetes platforms, such as Red Hat OpenShift, provide greater operational resilience and security capabilities, enabling organizations to deploy scalable security controls and isolate workloads more effectively.

**Utilize AI for threat detection, not just compliance**

AI-driven security tools are increasingly critical for real-time anomaly detection, predictive threat intelligence and automated incident response.

**Implement a zero trust architecture**

Organizations should move towards a zero trust framework to enforce strict access controls and continuously validate the security posture of users and devices. Your operating system is the foundation for your IT environment and zero trust architecture, providing essential security features, controlling user and application access, encrypting sensitive information and protecting secrets to establish and maintain a security-focused computing environment.

To implement a zero trust architecture, your operating system must be able to isolate and control access to resources on an individual basis. Red Hat Enterprise Linux (RHEL) includes built-in mandatory access controls (MAC) with Security-Enhanced Linux (SELinux), a technology that manages access using centralized security policies.

**Continuously monitor and improve**

Cyber threats and compliance requirements are constantly evolving. Businesses should regularly audit security postures, refine security automation workflows, and stay updated on regulatory changes to maintain compliance and protect critical data assets.

Red Hat Advanced Cluster Security for Kubernetes helps you build, deploy and run cloud-native applications with an enhanced security posture. It helps protect containerized Kubernetes workloads in all major clouds, on premises and across hybrid platforms, including Red Hat OpenShift, Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE).

**Final thoughts**

Security, risk and privacy leaders must strike a delicate balance between mitigating technical risks and adhering to regulatory compliance requirements. By using advanced technologies such as AI, zero trust, cloud security and compliance automation, organizations can enhance their security posture while maintaining regulatory compliance.

The dual challenge: Security and compliance

Google has patched 47 Android vulnerabilities in its May update, including an actively exploited FreeType vulnerability.

Google has patched 47 vulnerabilities in Android, including one actively exploited zero-day vulnerability in its May 2025 Android Security Bulletin.

Zero-days are vulnerabilities that are exploited before vendors have a chance to patch them—often before they even know about them.

The May updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-05-05 or later then you can consider the issues as fixed. The difference with patch level 2025-05-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**The zero-day**

The actively exploited zero-day patched with this update was flagged by Facebook in March and found in the FreeType library. FreeType is an open-source software library that Android devices use to display text by rendering fonts. In essence, it turns font files into the letters and characters that you see on your screen. It is designed to be small, fast, and flexible, supporting many font formats and used widely across billions of devices and applications.

The vulnerability, tracked as CVE-2025-27363, allows attackers to execute remote code (RCE) by exploiting how FreeType processes certain TrueType GX and variable font files. Because FreeType mishandles values in the device’s memory, it creates an out-of-bounds write vulnerability. When a program accesses memory outside its allocated area—either by reading or writing beyond the bounds—it can cause crashes, run arbitrary code, or expose sensitive information. This happens when the data size exceeds the allocated memory, when data writes target incorrect memory locations, or when the program miscalculates data size or position.

FreeType versions newer than 2.13.0 fix this vulnerability. Since FreeType operates as a native library embedded within system components that render fonts, typical Android users cannot easily check which version their device uses. Therefore, the best defense is to install the latest system updates and run active anti-malware protection.

Facebook warned that attackers “may have exploited the vulnerability in the wild,” and Google confirmed the vulnerability “may be under limited, targeted exploitation,” though neither disclosed further details.

It’s reasonable to assume that simply opening a document or app containing a malicious font could compromise your device—without requiring any additional user action or permissions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can! 

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS…

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS and Azure.

A new report by CyCognito reveals wide differences in security across cloud providers, with Google Cloud and several smaller players showing significantly higher rates of vulnerable assets than Amazon Web Services (AWS) or Microsoft Azure.

The research, based on nearly five million internet-exposed assets, comes at a time when cloud security is top of mind for many organizations. Palo Alto Networks recently reported a 388% year-over-year spike in cloud security alerts, driven by the growing complexity of multi-cloud environments and the rising number of exposed online assets.

CyCognito, known for its attack surface management platform, analyzed assets hosted by the three largest cloud platforms including AWS, Azure, and Google Cloud, along with a group of smaller cloud providers and major hosting companies. The goal was to assess which environments are exposing customers to more risk through vulnerabilities and misconfigurations.

****Google Cloud Leads in Overall Exposure****

The study found that 38% of Google Cloud-hosted assets had at least one security issue, compared to just 15% for AWS and 27% for Azure. That puts Google Cloud more than twice as risky as AWS by this measure.

The same 38% figure also applied to smaller cloud providers like Oracle Cloud, DigitalOcean, and Linode. Meanwhile, major hosting companies like GoDaddy, Hetzner, and DreamHost came in at 33%.

When looking specifically at critical issues, defined by a CVSS score of 9.0 or higher, Azure showed the highest rate among the big three, at 0.07%. AWS and Google Cloud both registered 0.04%.

Though these numbers may seem small, they represent significant exposure at scale. Across millions of assets, even a fraction of a percent can translate to hundreds of weak points.

Smaller cloud platforms were more concerning in this category. Nearly 0.5% of assets hosted by non-major clouds had critical vulnerabilities, a rate more than ten times higher than that of AWS or Google Cloud. Hosting providers weren’t far behind, with 0.32% of their assets falling into this category.

****Easy Targets Still Common****

CyCognito also looked at how exploitable these vulnerabilities are, not just how severe they look on paper. The company factored in threat intelligence and attacker behaviour to assess which issues would be easiest for attackers to exploit.

Here again, smaller providers fared poorly. More than 13% of assets on smaller clouds had easily exploitable flaws. For hosting providers, the number was close to 10%.

Among the big three, Google Cloud again led with 5.35% of assets having issues classified as easy to exploit. That’s more than twice the rate of AWS (1.98%) or Azure (2.37%).

Image credit: CyCognito

****Combined Risk Still Low at Major Providers****

While each of these risk types matters on its own, CyCognito also measured where they overlap assets with issues that are both critical and easy to exploit. Less than 0.1% of AWS, Azure, and Google Cloud assets fell into this high-risk category.

But outside the big players, things were more concerning. Around 0.3% of assets hosted on smaller clouds and 0.25% of those on hosting providers were affected by both critical and easily exploitable vulnerabilities. That’s roughly ten times the rate seen on AWS.

****What Security Teams Should Do****

With more organizations spreading their infrastructure across multiple cloud environments, visibility has become a major concern. Assets get forgotten, misconfigured, or left out of internal inventories, creating shadow IT that attackers can find and exploit.

CyCognito recommends organizations go further than traditional inventory tools and adopt “seedless” discovery techniques that don’t rely on internal documentation. It also urges the use of dynamic security testing after applications are deployed, not just during development.

Tag

#google