operators Archives

Tech Optimizer

May 27, 2026

‘Adversaries are no longer just targeting products, they’re targeting the developers who build them’: CrowdStrike takes down major botnet targeting developers across the world

CrowdStrike, Google, and the Shadowserver Foundation dismantled the Glassworm botnet on May 26, 2026, which had been targeting software developers since early 2025. The botnet spread through compromised Visual Studio Code extensions, tainted npm and Python packages, and hacked GitHub repositories, stealing developer credentials and deploying the GlasswormRAT remote access tool across Windows, macOS, and Linux. Glassworm utilized four command-and-control channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS. The operation successfully disrupted all four channels, preventing infected machines from receiving new instructions or payloads.

AppWizard

May 25, 2026

Over 200 Fake Android Apps Are Quietly Stealing Money From Phone Bills

Zimperium identified a sophisticated malware campaign that exploited nearly 250 Android applications, posing as popular games and social media platforms. The malware ensnared users into premium subscription services without consent, using techniques like JavaScript injection and interception of one-time passwords. The campaign primarily targeted users in Malaysia, Romania, Thailand, and Croatia, with the malware capable of reading SIM cards and activating for specific mobile carriers. Zimperium first detected the scam in March 2025 and monitored it until at least January 2026. Google stated that none of the compromised applications were available on its app store and emphasized that Android users are protected by Google Play Protect. The hackers deployed three malware variants, with the first using an automated subscription engine, the second targeting users in Thailand with premium SMS messages, and the third combining SMS fraud with real-time notifications to attackers via Telegram. The campaign primarily affected Malaysian SIM card users, with significant activity also in Thailand and Romania. Despite the campaign's last known activity in January, parts of its infrastructure remain operational. The attacks highlight vulnerabilities in application security and the challenges of policing app downloads from third-party marketplaces.

Winsage

May 22, 2026

Microsoft Dismantles Fox Tempest: Ransomware Groups Paid Up to $9,500 to Fake Windows Software Signatures

Microsoft's Digital Crimes Unit has filed a lawsuit against Fox Tempest, a criminal enterprise selling fraudulently signed malware to ransomware groups, affecting hospitals, schools, and critical infrastructure in ten countries. The lawsuit was filed on May 19 in the U.S. District Court for the Southern District of New York. Fox Tempest created a portal at signspace[.]cloud, offering a user-friendly interface for uploading malicious files and generating over 580 fraudulent Microsoft accounts to bypass identity verification. The group provided pre-configured virtual machines for customers to upload malicious payloads in exchange for signed binaries. Fox Tempest's operations were linked to a ransomware attack chain involving a counterfeit Microsoft Teams installer that deployed the Rhysida ransomware. This ransomware strain has caused significant breaches, including an October 2023 attack on the British Library, which resulted in a data exfiltration of about 600GB and recovery costs of £6 to £7 million, and a September 2024 attack on Seattle-Tacoma International Airport with a ransom demand of .8 million. Microsoft's civil litigation approach allowed for a quicker legal process, leading to the seizure of the signspace[.]cloud domain and the suspension of around 1,000 Fox Tempest accounts. Despite these actions, Fox Tempest has begun shifting to alternative code-signing services, highlighting the evolving nature of cybercrime and the need for users to verify software through independent channels. The confirmed targets of Fox Tempest included organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.

Winsage

May 21, 2026

Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Actively Exploited on Windows 10, 11, and Server (April 2026 CVE Analysis)

In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.

AppWizard

May 19, 2026

Google Unwraps Plans to Put AI to Work for Android, Web Developers

At the recent Google I/O event, Google introduced a suite of AI tools for Android and Chrome applications aimed at enhancing marketing and management for developers. In the Play Store, AI will assist in app discovery through Google’s Gemini and provide a Q&A interface for user inquiries. New AI-driven management tools for developers include creating app listings based on keyword insights, automating catalog management, analyzing payment issues, and offering retention incentives for users. Google also reduced Play Store charges for developers to a commission of 10% to 20%. For Android programmers, Google’s AI Studio offers coding assistance for specific app categories, while additional enhancements include a command-line interface guided by programming-assistant AIs and new marketing options. In Chrome, Google introduced a trial version of WebMCP for AI agents to connect with site APIs and expanded built-in AI tools for writing and debugging. New web-coding options are being tested to improve app-like interfaces and compatibility metrics. The “Immediate UI Mode” feature allows for a unified login interface to streamline passkey authentication.

AppWizard

May 19, 2026

Russia’s State-Mandated Max Messenger Reportedly Hides Powerful Tracking Tools

The state-mandated messenger Max, developed by VK and supported by the Kremlin, is preinstalled on all new smartphones in Russia as of September 1, 2025, and is designed to function during internet blackouts. Following WhatsApp's ban in February 2026, officials have promoted Max as a "sovereign" alternative to Western messaging platforms. A reverse-engineering study revealed numerous surveillance features in Max, including VPN detection that restricts access until VPNs are disabled, real-time monitoring of contact lists, NFC control for manipulating the phone's NFC chip, silent message deletion, IP address tracking, a persistent hardware identifier, the creation of fake chats and reviews, and code injection capabilities. The study also found an on-device machine-learning system that detects keywords from audio input and the ability to record microphone audio during calls without user notification. Additionally, Max monitors access to foreign services and compiles sensitive user information into reports sent to analytics channels. The integration of Max is part of Moscow's broader initiative to consolidate internet traffic through state-controlled platforms, even reaching the International Space Station for communication purposes. Critics view the promotion of Max as part of a strategy to establish a "sovereign" communications system, raising concerns about digital privacy and freedom in Russia.

AppWizard

May 13, 2026

What’s New in Android Security and Privacy in 2026

The company is implementing default-on theft protections globally for all new Android 17 devices and those recently reset or upgraded. This initiative follows a successful pilot in Brazil and will also extend to devices running Android 10 or higher in Argentina, Chile, Colombia, Mexico, and the UK. Features like Remote Lock and Theft Detection Lock will automatically activate to enhance security against theft. The frequency of PIN or password attempts has been reduced, with longer wait times between failed attempts to deter brute-force attacks. Users can access their device's IMEI from the lock screen on Android 12 or higher, aiding in the recovery of stolen devices. Additionally, Android 17 introduces a temporary location sharing button for specific applications, allowing users to share their location without permanent permissions.

AppWizard

May 12, 2026

This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan, named TrickMo.C, targeting Android users in Europe since January 2026. TrickMo.C disguises itself as popular applications like TikTok and streaming services, using tactics such as phishing overlays to harvest login credentials and sensitive information. It can log keystrokes, record screens, livestream content, intercept SMS messages, suppress OTP notifications, modify the clipboard, filter notifications, and capture screenshots. The primary targets are in France, Italy, and Austria, allowing unauthorized access to bank accounts and cryptocurrency wallets. TrickMo.C distinguishes itself by using the TON network for communication, which enhances anonymity and complicates detection efforts.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

AppWizard

May 9, 2026

America is about to get tougher on VPNs

Numerous countries have implemented restrictions on online access, requiring users to verify their identities to view adult content. In Utah, Bill S.B. 73 has taken effect to prevent children from using VPNs to bypass age verification for adult content. The bill prohibits commercial entities from facilitating or encouraging the use of VPNs to circumvent age verification requirements. It lacks clarity on what constitutes "material harmful to minors," leading to varied interpretations. The bill also states that individuals are considered to be accessing a website from Utah if they are physically located in the state, regardless of VPN use, which poses challenges for website operators in determining user locations.