Push notifications are a common feature that many websites use to keep users engaged. However, what happens when these notifications turn malicious? Renée Burton, Vice President of Threat Intel at Infoblox, recently shared her firsthand experience with this alarming trend. Here’s a look at how scammers exploit push notifications to deliver scams, including fake gift cards and sweepstakes.

****The Push Notification Trap****

Renée found that when users visit a website that requests permission to send notifications, they may unknowingly grant scammers a powerful tool. Cybercriminals take advantage of this by tricking users into accepting notifications, often without fully understanding the consequences. Once accepted, users are bombarded with misleading messages that redirect them to fraudulent content.

These misleading messages often pose as legitimate alerts from trusted brands like Google or Walmart. They may falsely claim that a user’s account has been hacked or that they have won a gift card. Engaging with these notifications can lead to downloading harmful apps or surrendering personal information.

****The Gift Card Scam****

As part of her investigation, Renée visited sites that employ push notification scams and observed how scammers entice users with promises of substantial winnings. A notification may claim the recipient has won a $10,000 Walmart gift card, prompting them to click on it. Instead of receiving a prize, users are redirected through multiple domains before landing on a fraudulent site.

To claim the gift card, users are asked to provide personal details, including their email and home address. In many cases, they must complete a survey before they can “win.” However, the survey never ends, keeping users trapped in a cycle of never-ending ads and data collection schemes.

Screenshot of a series of non-stop email spam pushing gift card scams (Credit: Renée Burton – Infoblox)

****The Survey Scam****

Renée discovered that survey scams are a prevalent tactic used by scammers. Upon clicking a notification that promises a prize, users are led to websites like reward-lockercom. These sites request personal details such as name, email, address, and phone number under the guise of confirming eligibility.

Once users provide this information, they are required to complete a series of surveys. Each survey leads to additional advertisements, and scammers keep them engaged with the illusion of an imminent reward. However, the prize never materializes, and users remain stuck in an endless loop of data harvesting.

****The Sweepstakes Scam****

Similar to survey scams, sweepstakes scams exploit users’ trust. Renée investigated fraudulent sites like zippywinnercom, which advertise lucrative sweepstakes that appear genuine. These sites lure users into believing they have won big prizes, but in reality, the odds of winning are practically nonexistent. Instead, users are funnelled into more surveys and deceptive schemes designed to extract personal information and generate ad revenue for scammers.

****The Bigger Picture****

Through her research, Renée uncovered that scammers use advanced techniques to evade detection. They employ domain cloaking and traffic distribution systems (TDSs) to deliver varied content, making it difficult for security teams to identify and mitigate these threats.

Infoblox has observed this malicious adtech (advertising technology) operating across various websites, including scientific research platforms, car dealership pages, and activist blogs. The problem is extensive, with millions of websites compromised by push notification scams each year.

****The Impact****

While some may dismiss these scams as minor nuisances, Renée’s findings highlight their severe consequences. Scammers harvest personal and financial information, keeping users locked in cycles of misleading ads and phishing attempts. The only beneficiaries of this system are the scammers themselves.

In conclusion, Renée’s research underscores the dangers of push notifications when misused by cybercriminals. While push notifications can be valuable engagement tools, they can also serve as a gateway for scams. Users should remain alert, avoid clicking suspicious notifications, and never share personal information in response to unsolicited alerts.

What Happens When Push Notifications Go Malicious?

Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts.
The multi-signature (multisig) platform, which has roped in Google Cloud Mandiant to

Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist

Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Former US congresswoman Tulsi Gabbard’s ascendance to director of national intelligence last month signaled a major shift in views toward government surveillance at the highest rung of the US intelligence community. While backing down from some of her more extreme anti-surveillance views in the run-up to her confirmation, Gabbard nevertheless held fast to a few promises of reform that have been traditionally eschewed by federal law enforcement leaders.

Now, some of the nation’s premier civil liberties organizations have begun lobbying America’s “top spy” to follow through on a pledge to bring about new levels of oversight and transparency to a key US surveillance program that’s long been plagued by reports of misuse.

Led by the American Civil Liberties Union, at least 20 major privacy groups this week urged Gabbard to declassify information concerning Section 702 of the Foreign Intelligence Surveillance Act (FISA)—the nation’s cornerstone wiretap authority that, while aimed at collecting intelligence on foreigners overseas, is known to vacuum up large quantities of calls, texts, and emails belonging to Americans.

In a letter first obtained by WIRED, the groups privately urged Gabbard this week to declassify information regarding the types of US businesses that can now be secretly compelled to install wiretaps on the US National Security Agency’s (NSA) behalf.

While it’s no secret that the government routinely compels phone and email service providers like AT&T and Google into conducting wiretaps, Congress passed a new provision last year expanding the range of businesses that can receive such orders. Legal experts had warned in advance that the provision was far too ambiguous and likely to vastly increase the number of Americans whose communications are wiretapped. But their warnings were not heeded.

It is widely assumed that the classified purpose behind the expanded authority is allowing the government to obtain access to communications in US data centers. Lawyers for the US Justice Department attempted to unilaterally expand the reach of the program in 2022, but its efforts were foiled by the secret surveillance court that oversees FISA. Only Congress has the power to expand FISA, the department was told.

As its a matter of secret law, lawmakers were unable to specify much about the limits of the government’s access in the provision they ultimately passed. This inevitably led to the adoption of a vague new definition for what the government calls an “electronic communications service provider” (ECSP)—the term for companies whose cooperation can be compelled under FISA.

Privacy experts and industry leaders had likewise raised concerns about introducing ambiguity into a law that defines the scope of a powerful surveillance tool, warning the changes could expose a near limitless new range of new businesses to secret government demands.

As WIRED reported last spring, opponents of the provision in Washington had cast the surveillance program’s new parameters as effectively “Stasi-like”—a reference to the defunct East German secret police agency notorious for infiltrating industry and forcing private citizens to spy on one another.

Senator Ron Wyden of Oregon, a renowned privacy hawk who has served on the Senate intelligence committee since just after 9/11, has referred to the new provision as “one of the most dramatic and terrifying expansions of government surveillance authority in history.”

Declassifying the new types of businesses that can actually be considered an ECSP is an essential step in bringing about clarity to an otherwise nebulous change in federal surveillance practices, according to the ACLU and the other organizations joined in its effort. “Without such basic transparency, the law will likely continue to permit sweeping NSA surveillance on domestic soil that threatens the civil liberties of all Americans,” the groups wrote in their letter to Gabbard this week.

The Office of the Director of National Intelligence did not respond to multiple requests for comment.

In addition to urging Gabbard to declassify details about the reach of the 702 program, the ACLU and others are currently pressing Gabbard to publish information to quantify just how many Americans have been “incidentally” wiretapped by their own government. Intelligence officials have long claimed that doing so would be “impossible,” as any analysis of the wiretaps would involve the government accessing them unjustifiably, effectively violating those Americans’ rights.

The privacy groups, however, point to research published in 2022 out of Princeton University, which details a methodology that could effectively solve that issue. “The intelligence community’s refusal to produce the requested estimate undermines trust and weakens the legitimacy of Section 702,” the groups say.

Gabbard is widely reported to have softened her stance against government spying while working to secure her new position as director of the nation’s intelligence apparatus. During the 116th Congress, for instance, Gabbard introduced legislation that sought to completely dismantle the Section 702 program, which is considered the “crown jewel” or US intelligence collection and crucial to keeping tabs on foreign threats abroad, including terrorist organizations and cybersecurity threats—exhibiting a stance far more extreme than those traditionally held by lawmakers and civil society organizations who’ve long campaigned for surveillance reform.

While begging off from this position in January, Gabbard’s newly espoused views have, in fact, brought her more closely in line with mainstream reformers. In response to questions from the US Senate ahead of her confirmation, for example, Gabbard backed the idea of requiring the Federal Bureau of Investigation to obtain warrants before accessing the communications of Americans swept up by the 702 program.

Slews of national security hawks from former House speaker Nancy Pelosi to former House intelligence committee chairman Mike Turner have long opposed this warrant requirement, as traditionally have all directors of the FBI. “This warrant requirement strengthens the \[intelligence community\] by ensuring queries are targeted and justified," Gabbard wrote in response to Senate questions in late January.

The Section 702 program was reauthorized last spring, but only for an additional two years. Early discussions about reauthorizing the program once more are expected to kick off again as early as this summer.

Sean Vitka, executive director of Demand Progress, one of the organizations involved in the lobbying effort, notes that Gabbard has a long history of supporting civil liberties, and refers to her recent statements about secret surveillance programs “encouraging.” “Congress needs to know, and the public deserves to know, what Section 702 is being used for,” Vitka says, “and how many Americans are swept up in that surveillance.”

“Section 702 has been repeatedly used to conduct warrantless surveillance on Americans, including journalists, activists, and even members of Congress,” adds Kia Hamadanchy, senior policy counsel for the ACLU. “Declassifying critical information, as well as providing long-overdue basic data about the number of US persons whose communications are collected under this surveillance are essential steps to increasing transparency as the next reauthorization debate approaches.”

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot…

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot the red flags, and how to protect your account from credential theft.

A new sophisticated phishing operation, leveraging artificial intelligence, has recently targeted YouTube content creators. Scammers have utilized deepfake technology to create a convincing video of YouTube’s CEO, Neal Mohan, delivering a fabricated announcement about changes to the platform’s monetization policies.

This video is privately shared with targeted users to steal their login credentials and install malware on their devices. The fraudulent scheme begins with an email, seemingly originating from an official YouTube address, notifying creators that a private video has been shared with them. The video itself features a remarkably realistic deepfake of Neal Mohan, mimicking his appearance, voice, and mannerisms to an alarming degree.

In the video, the AI-generated Mohan discusses alleged alterations to YouTube’s monetization, urging viewers to take specific actions. These actions typically involve clicking on links, entering login credentials on fake websites, or downloading software from untrusted sources.

The Fraudulent Video (Source: Reddit)

Upon compromising a user’s account, the attackers gain access to their YouTube channel. This access can then be exploited for various malicious purposes, including spreading misinformation, conducting further phishing attacks, or engaging in fraudulent activities.

YouTube has responded to this threat with an urgent warning to its creator community. The company has explicitly stated that it will never share important information or contact users through private videos. Furthermore, they emphasized that any private video claiming to be from YouTube, particularly those featuring its CEO, should be treated as a phishing scam.

“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. YouTube and its employees will never attempt to contact you or share information through a private video,” Google’s official announcement read.

“If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials,” Rob from YouTube warned users.

AI deepfakes are a dangerous illusion created by sophisticated AI models trained on real footage and voice samples, exploiting people’s trust in public figures. Even tech-savvy individuals would struggle to distinguish them from real footage. This incident highlights that the sophistication of phishing attacks has increased, with deepfake technology being used to impersonate high-profile figures like YouTube’s CEO.

Cybercriminals exploit creators’ trust in official platform communications, creating believable deceptions. Content creators are encouraged to exercise caution and avoid downloading files from untrusted sources. If you receive the video, Google recommends following these steps to report it.

Max Gannon, Intelligence Manager at Cofense commented on the latest development stating, _“_Given that deepfakes have typically only been used in high-value targeted scams, it’s a surprise that threat actors are using it for such a broad attack. It’s concerning and potentially indicates a shift in the threat landscape where we can expect to see more deepfakes and other targeted attack methods being broadly applied to larger audiences._“_

_“_However, according to affected users posting about these fake YouTube emails on various social media platforms, the emails deliver malicious executables to steal session cookies and hijack YouTube accounts. Ultimately, the initial phishing hook may be shifting, but the best defence remains the same: training and awareness to detect suspect emails and not click on their links.”

1.  YouTube Channels Hacked to in Fake CS2 Giveaways Scam
2.  Malware in Fake Business Proposals Hits YouTube Creators
3.  Ukrainian News Channel Hacked to Run Zelensky’s Deepfake
4.  Scam Uses AI-Generated Images to Represent Fake Law Firm
5.  “Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets

Hackers Deploy AI Deepfake of YouTube CEO in Credential Theft Scam

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information.
"These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said. "And more phone calling scammers are using spoofing techniques to hide their real

Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud

Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.

Google has issued updates to fix 43 vulnerabilities in Android, including two zero-days that are being actively exploited in targeted attacks.

The updates are available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-03-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs assigned to the two zero-days are:

CVE-2024-43093: A possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege (EoP) with no additional execution privileges needed. Exploitation of this vulnerability requires user interaction. Google confirms that CVE-2024-43093 has been under limited, targeted exploitation.

A file path filter is supposed to prevent access to sensitive directories on a device. In this case the ‘shouldHideDocument’ function. However, due to incorrect Unicode normalization, an attacker might be able to bypass this filter. Unicode normalization refers to the process of standardizing Unicode characters to ensure that equivalent characters are treated as the same. Flaws in this process can lead to security issues, such as bypassing the filter, allowing an attacker access to normally off-limits files, such as system configuration files or sensitive data.

The specific nature of the required user interaction is not detailed in the available information. Typically, user interaction might involve opening a malicious app or file, clicking on a link, or performing another action that triggers the exploit.

CVE-2024-50302: An issue in the Linux Kernel which allowed unauthorized access to kernel memory reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

This flaw lies in the Linux kernel’s driver used by Android for Human Interface Devices and allows an attacker to unlock devices that they have physical access to. The flaw was used in a chain of vulnerabilities which Amnesty International’s Security Lab found on a device unlocked by Serbian authorities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android zero-day vulnerabilities actively abused. Update as soon as you can 

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm and Sliver C2 exploit cloud misconfigurations.

Recent research conducted by Veriti shared with Hackread.com, sheds light on the alarming trend of cybercriminals exploiting cloud infrastructure for malicious purposes. The study reveals that cloud platforms are increasingly being used not only to host and deliver malware payloads but also to serve as command-and-control centres.  

A particularly concerning finding is that over 40% of networks permit unrestricted communication with at least one major cloud provider. This “any/any” configuration creates a significant security vulnerability, allowing attackers to easily exfiltrate data and deploy malware from seemingly trusted cloud sources. 

Veriti’s research highlighted specific instances of malware campaigns leveraging cloud storage. The most noteworthy instances include the XWorm malware’s utilization of Amazon Web Services (AWS) S3 storage to distribute its malicious executables. Similarly, a Remcos campaign employed malicious RTF files, exploiting known vulnerabilities, with payloads also hosted on AWS S3.

Beyond malware distribution, cloud platforms are being actively used as command-and-control (C2) servers. Various malware families, including Havoc, NetSupportManager, Unam Miner, Mythic, Pupy RAT, Caldera, HookBot and Brutal Ratel, were observed utilizing infrastructure from major cloud providers like AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 operations.

Cloud services and the type of malware being spread through them (Screenshot credit: Veriti)

Researchers also documented malware strains commonly found in cloud-based attacks, such as Mirai and njRAT, further emphasizing the growing abuse of cloud environments. Another concerning development is the increasing use of Sliver C2, which is being weaponized by Advanced Persistent Threat (APT) groups for stealthy C2 operations and post-exploitation tactics, Veriti’s report revealed.

For your information, Sliver C2 is an open-source command-and-control framework, initially developed for penetration testing but is now being weaponized by threat actors. It is often used with Rust-based malware to establish backdoors and exploits zero-day vulnerabilities, including recent Ivanti Connect Secure and Policy Secure vulnerabilities.

Furthermore, the study revealed critical vulnerabilities affecting cloud-hosted services across AWS, Azure, and Alibaba Cloud. These vulnerabilities, identified by CVE numbers, highlight the need for organizations to adopt a proactive approach to cloud security. 

The increasing abuse of cloud services demands a shift towards a _security-first approach_ to protect against these evolving threats, researchers noted.

“Veriti Research’s findings emphasize the critical need for organizations to rethink cloud security strategies. The increasing abuse of cloud services for malware hosting, C2 operations, and exploitation calls for a proactive, security-first approach,” the report read.

This should include restricting “any/any” network rules, implementing cloud-native security solutions for threat monitoring, and enforcing stronger cloud security policies.

Hackers Exploit Cloud Misconfigurations to Spread Malware

Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it said have come under active exploitation in the wild.
The two high-severity vulnerabilities are listed below -

CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb,"

Tag

#google