phishing sites Archives

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

Tech Optimizer

December 12, 2025

The digital impersonators: How cybercriminals hijack your brand to launch malvertising attacks

Brand trust is highly valued by consumers, leading cybercriminals to exploit it through malvertising, which embeds malicious code in legitimate ads. Malvertising can redirect users to phishing sites or download malware. Cybercriminals create fake ads that mimic trusted brands, targeting high-traffic moments and using real-time bidding to distribute these ads on reputable sites. The process involves setting up fake accounts, creating convincing ads, purchasing ad space, and delivering malware through exploit kits. The consequences include identity theft and financial loss for consumers, and reputational damage for brands. To protect against these threats, organizations should implement regular software updates, continuous employee training, protective tools, and consider partnering with managed service providers for enhanced security measures.

AppWizard

November 30, 2025

Signal’s president warns AI agents are an existential threat to secure messaging apps

Meredith Whittaker, president of Signal, expresses strong concerns about the rise of AI agents, describing them as an “existential threat” to secure messaging platforms and app developers. AI agents require access to sensitive information, creating new vulnerabilities that can be exploited by cybercriminals. Whittaker points out the risk of prompt injection attacks, which can manipulate AI to execute harmful actions, leading to data breaches. She argues that unrestricted access to user communications by AI agents poses a significant risk to privacy and security, undermining the foundational security of the internet. Whittaker criticizes the reckless implementation of AI by Big Tech companies, suggesting it compromises cybersecurity in favor of rapid deployment and financial pressures.

Tech Optimizer

November 4, 2025

3,000+ YouTube videos deliver malware disguised as free software

YouTube has been identified as a platform for a sophisticated malware distribution network known as the Ghost Network, which has been active since 2021 and surged in activity in 2025. This network uses over 3,000 videos disguised as software cracks and game hacks to spread information-stealing malware, targeting users searching for free software or cheat tools. Cybercriminals utilize compromised accounts and social engineering tactics to create a false sense of security, with videos featuring positive comments from fake accounts. The malware includes programs like Lumma Stealer, Rhadamanthys, StealC, and RedLine, which harvest sensitive information. Two significant campaigns were highlighted: one involved the Rhadamanthys infostealer through a channel with nearly 10,000 subscribers, and the other offered cracked software via a channel with around 129,000 subscribers, with one video gaining over 291,000 views. Users are advised to avoid cracked software, use strong antivirus protection, never disable antivirus software, be cautious with links, use password managers and two-factor authentication, keep systems updated, and utilize trusted data removal services to protect against these threats.

AppWizard

October 10, 2025

Fake WhatsApp and TikTok apps are trying to fool Android users into downloading spyware — don’t fall for this

A spyware campaign is disguising itself as popular applications like TikTok, YouTube, and WhatsApp to lure users into downloading the ClayRat spyware. This campaign uses Telegram channels for distribution and employs fake download counts and testimonials on malicious websites. Discovered by Zimperium, the spyware requires users to set it as their default SMS application, allowing it to access sensitive information and spread further. The campaign is primarily targeting Russian users, with at least 600 samples and 50 droppers detected in the last 90 days. The malware uses obfuscation techniques to evade detection. Android users with Google Play Protect have some protection, but best practices for online safety are recommended, such as using reputable app sources and avoiding suspicious links.

AppWizard

October 2, 2025

Signal Messenger Impersonated in ‘ProSpy’ Android Spyware Campaign

ESET researchers have identified two Android spyware campaigns, ProSpy and ToSpy, which masquerade as secure messaging apps, Signal and ToTok. These malware families were first detected in June 2025 and are distributed through phishing websites and fake app marketplaces. ProSpy, which mimics a “Signal encryption plugin” or an enhanced ToTok, extracts sensitive user information, including SMS messages, contacts, and device metadata, after gaining permissions. It disguises itself as “Play Services” to avoid detection. ToSpy, discovered concurrently, seeks to capture specific files related to ToTok backups and collects various document types. Both malware types maintain long-term access to infected devices and have been reported to Google, resulting in Play Protect blocking their known variants. The main targets of these campaigns are users in the United Arab Emirates.

Tech Optimizer

September 28, 2025

The weakest link – Why human error still beats the strongest antivirus

Businesses are investing heavily in advanced cybersecurity technologies such as antivirus solutions, firewalls, and intrusion detection systems. However, the greatest risk often comes from within the organization due to human error. Employees may inadvertently download malicious attachments, fall for phishing scams, or connect infected USB drives, which can compromise security. Hackers exploit this vulnerability by targeting individuals rather than systems, using tactics that create urgency to manipulate employees into clicking malicious links. The financial impact of such errors can be severe, leading to significant losses and regulatory penalties under the Nigeria Data Protection Act (NDPA 2023). Small businesses are particularly at risk, as a single breach can damage reputations and customer trust. Organizations need to prioritize employee training and awareness alongside technology investments, as compliance with the NDPA 2023 includes employee behavior. Effective measures include training employees to recognize threats, confirming sensitive requests, and encouraging the reporting of phishing attempts. Investing in a "human firewall" by equipping employees with knowledge and skills is essential for enhancing cybersecurity.

Tech Optimizer

September 15, 2025

Chinese malware is flooding GitHub pages – HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning

Chinese users are facing malware campaigns that utilize spoofed download sites and SEO poisoning. The malware includes kkRAT, which has advanced capabilities such as clipboard hijacking, remote monitoring, and antivirus evasion. Attackers have also exploited GitHub Pages to host phishing sites.

Tech Optimizer

September 15, 2025

HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks

Chinese-speaking users are experiencing a sophisticated SEO poisoning campaign that uses counterfeit software sites to spread malware. Researchers from Fortinet FortiGuard Labs discovered this activity in August 2025, which involves manipulating search rankings to redirect users to fraudulent sites that deliver malware through trojanized installers. The malware families identified include HiddenGh0st and Winos, both variants of the Gh0st RAT, linked to a cybercrime group known as Silver Fox. The attack mechanism involves a script named nice.js that orchestrates the malware delivery process, leading to the installation of a malicious DLL, "EnumW.dll," which performs anti-analysis checks and extracts another DLL, "vstdlib.dll." This second DLL inflates memory usage to evade detection and is responsible for launching the main payload. The malware aims to sideload a DLL, "AIDE.dll," which establishes a Command-and-Control (C2) communication, collects victim data, and monitors user activity. Additionally, a separate campaign targeting Chinese-speaking users has been flagged by Zscaler ThreatLabz, featuring a new malware called kkRAT. This malware shares code similarities with Gh0st RAT and employs fake installer pages to deliver multiple trojans. It uses techniques to bypass security software and targets specific antivirus programs, including 360 Total Security and Kingsoft Internet Security. The installer launches shellcode that retrieves additional malicious payloads, including kkRAT, which can perform various data-gathering tasks and manipulate clipboard data to replace cryptocurrency addresses.

AppWizard

August 5, 2025

New Android Malware Poses as SBI Card and Axis Bank Apps to Steal Financial Data

McAfee’s Mobile Research Team has identified a malware campaign targeting Android users in India, specifically Hindi speakers. The malware disguises itself as legitimate financial applications from banks like SBI Card, Axis Bank, and IndusInd Bank. It is distributed through phishing websites that mimic official banking portals and uses authentic assets to appear credible. The malware has dual functionality: it exfiltrates personal and financial data and mines Monero cryptocurrency using the XMRig tool, activated remotely via Firebase Cloud Messaging (FCM). It masquerades as a Google Play update, prompting users to install it, which leads to data theft. Upon installation, the malware presents a fake Google Play interface and requests sensitive information, which is sent to a command-and-control server. After data submission, users see a misleading confirmation page. The malware employs a multi-stage dropper to evade detection, with remote activation capabilities that keep it dormant until triggered. Phishing sites promote the malicious APK through SMS, WhatsApp, or social media. McAfee has reported these threats to Google, resulting in the blocking of the associated FCM account. All variants are classified as high-risk, with infections primarily in India but some in other regions. Users are advised to download apps only from Google Play and to be cautious with unsolicited links. Indicators of Compromise (IOCs) include specific APKs for various credit cards and phishing site URLs related to the campaign.