Yandex Archives

Winsage

December 18, 2025

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

A newly identified cyber threat cluster called LongNosedGoblin has been linked to cyber espionage attacks targeting governmental entities in Southeast Asia and Japan, with activities traced back to at least September 2023. The group uses Group Policy to spread malware and employs cloud services like Microsoft OneDrive and Google Drive for command and control. Key tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, which perform functions such as collecting browser history, executing commands, and logging keystrokes. ESET first detected LongNosedGoblin's activities in February 2024, identifying malware on a governmental system. The attacks showed a targeted approach, with specific tools affecting select victims. Additionally, a variant of NosyDoor was found targeting an organization in an EU country, indicating a possible connection to other China-aligned threat groups.

Tech Optimizer

October 17, 2025

Russian tech firm attacked by Chinese state hackers in allied attack

The Chinese APT group Jewelbug infiltrated a Russian IT provider undetected for five months. They have increased their activity, targeting Russian entities as well as interests in South America, South Asia, and Taiwan. Jewelbug used a disguised version of the Microsoft Console Debugger (CDB) to bypass security measures and exfiltrate data. They cleared Windows Event Logs to avoid detection and used Yandex Cloud for data exfiltration. Symantec's report indicates that Russian organizations are vulnerable to attacks from Chinese state-sponsored groups.

AppWizard

August 28, 2025

Malicious Android App Uses Fake Antivirus Front to Spy on Russian Users

A new strain of Android malware, identified as Android.Backdoor.916.origin, is being distributed through an app called GuardCB, which poses as a security application. The app, with a Russian interface and a logo resembling that of the Central Bank of Russia, requests extensive permissions, including device location, microphone and camera access, messages and call logs, contacts, and administrator rights. It also seeks access to popular applications like WhatsApp, Telegram, Chrome, Gmail, and Yandex. The malware enables hackers to stream live video and audio, capture images, access stored files, monitor keystrokes, and track communications and geolocation in real time. The app conducts simulated antivirus scans and generates fake threat results to reassure users while compromising their security. There are no confirmed links to specific actors or espionage activities, but the malware's extensive permissions and targeted nature raise concerns about potential state involvement amidst escalating cyber conflicts in the region.

Tech Optimizer

August 25, 2025

New Android Spyware Masquerading as Antivirus Targets Business Executives

Doctor Web’s antivirus laboratory has identified a sophisticated Android backdoor malware named Android.Backdoor.916.origin, which has been evolving since January 2025. This spyware primarily targets Russian businesses through focused attacks, disseminated via private messages as a fake antivirus application called “GuardCB.” The app's icon resembles the Central Bank of the Russian Federation's emblem and is presented in Russian. Variants of the malware include names like “SECURITY_FSB” and “FSB,” falsely claiming to be security tools linked to Russian law enforcement. Upon execution, the malware simulates an antivirus scan, requesting extensive system permissions for surveillance and data exfiltration, including access to geolocation, audio recording, SMS, contacts, call logs, media files, and camera functions. It establishes connections to command-and-control servers, allowing attackers to send and receive sensitive data, initiate audio and video feeds, and execute commands. The malware employs keylogger functionality to intercept keystrokes and monitor specific applications for content theft. Doctor Web has notified domain registrars to disrupt the malware's infrastructure and confirms that all known variants are detected and neutralized by their antivirus solutions. Organizations are advised to enforce strict APK sideloading policies and verify app authenticity to counter such threats.

AppWizard

August 25, 2025

Corporate Leaders Targeted by Android Spyware Masquerading as Security Apps

Security experts at Doctor Web have identified a sophisticated Android spyware campaign targeting Russian business leaders, utilizing malware named Android.Backdoor.916. First detected in January 2025, this malware is distributed through APK files disguised as security applications, particularly under the name GuardCB, which mimics the emblem of the Central Bank of the Russian Federation. Other variants include “SECURITY_FSB” and “FSB,” and the app interface is exclusively in Russian. The malware is disseminated via private messages on popular messaging platforms, avoiding official app stores. Upon installation, it simulates device scans and generates fictitious threat reports while activating extensive spyware modules that request permissions for geolocation, camera and microphone usage, SMS and contact access, call logs, and background operation. It can transmit SMS messages, upload contact lists, forward call history and location data, and exfiltrate media. It also enables real-time audio streaming, video capture, and screen activity monitoring, using Accessibility Service to maintain a keylogger for intercepting sensitive content from various applications. Control over the malware is maintained through a modular system that reconnects to the command server every minute, with fallback connectivity options to multiple hosting providers. The malware is designed for targeted cyber-espionage rather than mass infections, focusing on corporate executives and business figures. Doctor Web's antivirus solutions for Android can detect and eliminate known variants of this backdoor, highlighting the vulnerability of high-value individuals to mobile spyware disguised as legitimate applications. Experts recommend enhancing mobile security policies and educating high-risk employees about social engineering tactics.

Tech Optimizer

August 24, 2025

New Android malware poses as antivirus from Russian intelligence agency

A new strain of Android malware, named 'Android.Backdoor.916.origin,' has emerged from Russia's Federal Security Services (FSB) and targets executives in Russian businesses. Identified by Dr. Web, this malware is a standalone entity with no ties to previous malware families. It has capabilities including monitoring conversations, streaming video from the camera, logging user input, and exfiltrating data from messaging applications. Since its detection in January 2025, it has shown multiple iterations, indicating ongoing enhancements. The malware is specifically designed for Russian enterprises, using the Russian language in its interface and employing branding efforts that impersonate the Central Bank of Russia and the FSB. The malware masquerades as an antivirus tool but lacks protective features, simulating scans that yield false positives. It requests high-risk permissions such as geo-location access, SMS and media file access, and camera and audio recording capabilities. Once installed, it can exfiltrate SMS messages, contacts, call history, geo-location data, and stored images, activate the microphone and camera, capture text input from messaging and browser applications, and execute shell commands. It can switch between 15 different hosting providers, indicating resilience and adaptability. Dr. Web has made the complete indicators of compromise related to this malware available on their GitHub repository.

AppWizard

August 20, 2025

Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Cybersecurity experts at Doctor Web have identified a new variant of Android malware called Android.Backdoor.916.origin, active since January 2025. This malware can eavesdrop on conversations, steal messages, stream video, and log keystrokes. It targets Russian business representatives rather than average users, being distributed through direct messages as a fake antivirus app named GuardCB, which mimics the Russian Central Bank's emblem. The app requests extensive permissions, including geolocation, audio recording, camera access, and SMS data, and can function as a keylogger. It is designed for persistence, launching background services and communicating with multiple command-and-control servers. The malware can livestream audio, broadcast video, capture text, and upload contacts and call history. It exploits Android’s Accessibility Service to capture keystrokes and prevent uninstallation. The interface is exclusively in Russian, indicating it is specifically designed for a targeted group. Users in Russia are advised to download applications only from trusted sources to mitigate risks.

AppWizard

August 18, 2025

Russian Regulators Restrict WhatsApp, Telegram In Latest Internet Crackdown

Russian regulators, through Roskomnadzor, are implementing partial restrictions on phone calls made via WhatsApp and Telegram, citing their use in fraudulent activities. This action is part of a strategy to promote a government-managed "super app" called Max, developed by VK, which aims to consolidate various services into one platform. The initiative aims to enhance oversight over communications and information access for Russian citizens. WhatsApp has acknowledged the restrictions while emphasizing the importance of maintaining end-to-end encryption. Activist Mikhail Klimarev has warned that severe restrictions could negatively impact the economy and public perception.

Winsage

August 5, 2025

North Korean Cyberattackers Conceal Malicious Software Inside JPEG Images

North Korean state-sponsored hackers, part of the APT37 group, are using advanced steganography techniques to embed malicious software within JPEG image files. The RoKRAT malware variant employs a two-stage encryption process, starting with the creation of large malicious shortcut files disguised as legitimate documents. These .lnk files download JPEG images from cloud storage services, which appear to contain valid image headers but actually conceal encrypted malware code. The malware is revealed through multiple XOR decryption operations. Security researchers have identified the steganographic payload at offset 0x4201 within the images. The malware generates temporary files in the %LOCALAPPDATA% directory and executes through rundll32.exe, complicating detection. APT37 also uses fileless attack strategies, injecting shellcode into legitimate Windows processes and exploiting cloud services for command and control operations. Recent attacks have targeted South Korean organizations using social engineering tactics. Traditional antivirus solutions are inadequate against these techniques, prompting experts to recommend Endpoint Detection and Response (EDR) systems for real-time monitoring of anomalous activities.

Winsage

August 5, 2025

APT37 Hackers Weaponizes JPEG Files to Attack Windows System Leveraging “mspaint.exe” File

A new variant of the RoKRAT malware, attributed to North Korea's APT37 group, utilizes advanced techniques such as steganography to hide malicious code within JPEG image files, complicating detection efforts. This malware is primarily distributed in South Korea through compressed archives containing Windows shortcut files that lead to a multi-stage infection process. The process involves executing PowerShell commands to decrypt and run the malware, which can inject itself into trusted Windows processes like mspaint.exe and notepad.exe, leaving minimal forensic traces. The malware also exfiltrates sensitive information using legitimate cloud APIs, making attribution difficult. APT37 has demonstrated adaptability by changing its injection targets and camouflaging its development artifacts, highlighting the need for advanced Endpoint Detection and Response (EDR) solutions and proactive security measures.