Winsage
December 5, 2025
Microsoft addressed a critical vulnerability in Windows, identified as CVE-2025-9491, which had existed for nearly eight years and allowed cybercriminals to conceal malicious commands within .LNK (shortcut) files. This flaw was exploited by state-sponsored hacking groups from countries including China, Iran, North Korea, and Russia, with evidence of nearly 1,000 malicious shortcut files used in various campaigns. The vulnerability was initially downplayed by Microsoft, which stated it did not require immediate servicing. However, as exploitation increased, Microsoft eventually included a fix in its November 2025 Patch Tuesday updates, which was not publicly announced. The fix allows the entire Target command to be displayed in the Properties dialog, addressing the security risk. Research indicated that around 70% of campaigns exploiting this flaw were focused on espionage and information theft across multiple sectors.
Winsage
December 3, 2025
Microsoft has addressed a security vulnerability in Windows tracked as CVE-2025-9491, which allows malicious actors to embed harmful commands in Windows LNK files, requiring user interaction to exploit. Threat actors often distribute these files in ZIP formats to bypass email security. In March 2025, 11 hacking groups, including Evil Corp and Kimsuky, were actively exploiting this vulnerability using various malware payloads. Although Microsoft initially did not consider the issue urgent, it later modified the handling of LNK files in November updates to allow users to view the entire character string in the Target field. However, this change does not eliminate the malicious arguments embedded in the files. ACROS Security has released an unofficial patch that restricts shortcut target strings to 260 characters and alerts users about risks associated with long target strings, covering multiple Windows versions.
Winsage
December 3, 2025
Microsoft has addressed a long-standing security vulnerability, identified as CVE-2025-9491, which has been exploited since 2017. This vulnerability involves a UI misrepresentation issue within Windows Shortcut (LNK) files, potentially allowing remote code execution. The flaw was highlighted in the November 2025 Patch Tuesday updates, with a CVSS score of 7.8/7.0. It allows crafted .LNK files to obscure harmful content, making it invisible to users, thus enabling attackers to execute code under the current user's context. The vulnerability was exploited by various state-sponsored groups, including those from China, Iran, North Korea, and Russia, for data theft and espionage. Microsoft initially deemed the flaw not warranting immediate attention, citing user interaction requirements and existing system warnings. Subsequent investigations revealed its exploitation by cyber espionage groups, including XDSpy and China-affiliated actors targeting European entities. The recent patch aims to ensure that the entire Target command is displayed in the Properties dialog, while 0patch's unofficial patch warns users about LNK files whose target string exceeds 260 characters.
Tech Optimizer
December 2, 2025
Malware remains a significant threat, with DanaBot targeting Windows devices and a new strain of Android malware capable of stealing debit card information. Nearly three-quarters of Americans have experienced online attacks, highlighting the importance of antivirus software for digital security. Antivirus software can protect against various threats, including malware, ransomware, Trojans, spyware, and adware, but it cannot prevent social engineering attacks, physical theft, zero-day exploits, or vulnerabilities from outdated software. Regular updates and additional security measures are necessary for comprehensive protection.
AppWizard
December 2, 2025
Android users are advised to examine their devices due to Google's decision to blacklist several applications infected with GhostAd malware, which drains battery life and mobile data. The malware has infiltrated at least 15 popular applications, including utility and emoji-editing tools, leading to significant resource drainage and disruption of normal device functionality. Many of these compromised apps were available on Google's Play Store, with one app, GenMoji Studio, reaching the number two spot in the 'Top Free Tools' category. Users have reported issues such as disappearing app icons, incessant pop-up ads, and decreased device performance. Google has removed the compromised apps from its Play Store, but users must still delete them from their devices. Millions of Android users have unknowingly become part of a hidden ad network due to this malware. Users are encouraged to review app feedback, verify app developers' credibility, and exercise caution with permissions to protect their devices from future threats.
AppWizard
December 2, 2025
A new Android malware named Albiriox has emerged, marketed as malware-as-a-service (MaaS). It features a hard-coded list of over 400 applications, including banking and cryptocurrency platforms, and is distributed through social engineering tactics using dropper applications. Initially advertised in late September 2025, it became a full MaaS offering by October, with Russian-speaking threat actors behind its development. Albiriox allows remote control of compromised devices via an unencrypted TCP socket connection and Virtual Network Computing (VNC), enabling attackers to extract sensitive information and perform overlay attacks for credential theft. One campaign targeted victims in Austria using German-language lures and counterfeit Google Play Store listings. Albiriox also utilizes Android's accessibility services to bypass security measures and employs a novel distribution strategy involving a counterfeit website that collects phone numbers. Additionally, another Android MaaS tool, RadzaRat, was introduced, masquerading as a file management utility while offering extensive surveillance and remote control capabilities. RadzaRat can log keystrokes and maintain persistence through specific permissions, highlighting a trend in the availability of sophisticated cybercrime tools.
AppWizard
December 1, 2025
A new malware-as-a-service (MaaS) called Albiriox has emerged, targeting banking and cryptocurrency applications, particularly focusing on Austrian users. It is marketed on the dark web and employs deceptive tactics, such as mimicking legitimate businesses and creating fake landing pages and app listings on the Google Play Store. Victims are tricked into providing their phone numbers, leading to the delivery of a malicious APK file via SMS or WhatsApp. This APK acts as a dropper, designed to bypass detection methods and requests permissions under the guise of a “software update” to download the actual malicious payload. Once installed, it can take control of the device or function as an infostealer, extracting sensitive information like phone numbers and passwords, which is sent to a Telegram channel. Cleafy researchers suggest that the Albiriox campaign is linked to Russian cyber actors based on their activities on cybercrime forums and communication style.
AppWizard
December 1, 2025
The developer of SmartTube, an ad-free YouTube client for Android TV, confirmed a security breach involving the app's signing key, which allowed malicious actors to inject harmful code into app updates. The breach was disclosed by Yuriy Yuliskov, the maintainer, who advised users to avoid reinstalling the old app and instead wait for a newly signed version. A reverse-engineering analysis of the infected APKs revealed that they were gathering sensitive information and transmitting it to a remote server. Versions 28.56 to 30.52 were particularly affected, and Google Play Protect began disabling installations of SmartTube. In response, Yuliskov wiped his hard drive and released a new version, 30.56, with a different signing key and app ID. Transparency concerns remain, and the developer plans to disclose details about the breach and measures to prevent future incidents. Users have requested additional security assurances, including hashes of clean builds.