
ERMAC Android malware source code leak exposes banking trojan infrastructure

The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator’s infrastructure.

The code base was discovered in an open directory by Hunt.io researchers while scanning for exposed resources in March 2024.

They located an archive named Ermac 3.0.zip, which contained the malware’s code, including backend, frontend (panel), exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.

Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics

The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.

The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools.

“The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.
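The Edge.exe / msedge.dll side-loading chain described above lends itself to a simple telemetry check. The following is an added example, not code from Trend Micro or from the article: it scores constructed Sysmon-style image-load records (the field names Image, OriginalFileName, ImageLoaded and Signed are assumed, as are all sample paths) for the usual side-loading indicators: a renamed signed binary, a DLL loaded from the process's own directory outside system paths, and an unsigned DLL.

```python
# Constructed Sysmon-style image-load records (Event ID 7 shape). These are made-up
# values modelled on the reported chain, not real telemetry from the Charon incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\Edge.exe",
     "OriginalFileName": "cookie_exporter.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\msedge.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
     "Signed": "true"},
]

# Directories where a same-directory DLL load is normal for signed vendor software.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _split(path):
    """Return (directory with trailing backslash, file name), both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory + "\\", name


def sideload_indicators(ev):
    """Return the list of side-loading indicators present in one image-load event."""
    reasons = []
    exe_dir, exe_name = _split(ev["Image"])
    dll_dir, dll_name = _split(ev["ImageLoaded"])
    orig = ev.get("OriginalFileName", "").lower()
    # 1. A legitimate binary renamed on disk (PE OriginalFileName != file name).
    if orig and orig != exe_name:
        reasons.append(f"renamed binary: {exe_name} has OriginalFileName {orig}")
    # 2. DLL resolved from the executable's own directory, outside system paths.
    if dll_dir == exe_dir and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"same-directory DLL load outside system paths: {dll_name}")
    # 3. The loaded DLL carries no valid signature.
    if ev.get("Signed", "").lower() != "true":
        reasons.append(f"unsigned DLL loaded: {dll_name}")
    return reasons


def triage(events):
    """Return (process image, indicators) for every event with at least one indicator."""
    return [(ev["Image"], r) for ev in events if (r := sideload_indicators(ev))]
```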

Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses

An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.

“This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.

These include the adoption of tactics that mirror those of Scattered Spider, such as highly targeted vishing (voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing calls, and VPN obfuscation for data exfiltration.
