Zscaler

Tech Optimizer
February 10, 2026
GuLoader, also known as CloudEye, is a downloader malware that has been active since late 2019, primarily used to fetch and install secondary malware like Remote Access Trojans (RATs) and information stealers. It employs legitimate cloud services such as Google Drive and Microsoft OneDrive to host its malicious payloads, allowing it to evade detection by security tools. GuLoader utilizes advanced techniques including polymorphic code, which alters its appearance to avoid static detection signatures, and exception-based control flow to confuse analysis tools. Over the years, GuLoader has refined its tactics, including the use of software breakpoints and various exception types to redirect its operations. It also employs dynamic XOR encryption to obfuscate internal data, making it difficult for analysts to extract URLs. The malware's continuous evolution poses ongoing challenges for security researchers. Indicators of Compromise (IOCs) include specific hash values for different versions of GuLoader from 2022 to 2024.
AppWizard
November 27, 2025
The author's father struggled to open a PDF on his HONOR phone, despite the device's native office suite supporting PDF files. He downloaded multiple misleading PDF apps from the Play Store, which did not resolve the issue. Eventually, he received a deceptive alert suggesting he update his PDF application, which led him to download yet another app. The problem was resolved when the author advised him to uninstall WPS Office, eliminating the misleading alerts and allowing PDFs to open correctly. A report from Malwarebytes indicated that only 15% of users feel confident identifying scams, highlighting the challenges users face in navigating the Android ecosystem. The Google Play Store has been criticized for hosting low-quality apps and deceptive ads, with a report from Zscaler noting the presence of hundreds of malicious apps. The author emphasizes the need for stricter advertising practices and better management of preinstalled apps to protect less tech-savvy users.
Winsage
November 21, 2025
In May 2025, Zscaler ThreatLabz identified a critical remote code execution vulnerability, CVE-2025-50165, with a CVSS score of 9.8, affecting the Windows Graphics Component within the windowscodecs.dll library. Applications relying on this library, including Microsoft Office documents, are vulnerable to exploitation via a malicious JPEG image. When a user opens such a file, their system can be compromised, allowing remote code execution. Microsoft released a patch for this vulnerability on August 12, 2025, affecting several versions of Windows, including Windows Server 2025 and Windows 11 Version 24H2 for both x64 and ARM64-based systems. ThreatLabz recommends that all Windows users update their applications to the patched versions. The attack chain involves crafting a JPEG image to exploit the vulnerability, which can be triggered directly or indirectly through other files. The vulnerability's analysis revealed issues with uninitialized memory and the need for a Control Flow Guard bypass for exploitation. Attackers can manipulate the instruction pointer through heap spraying and Return-Oriented Programming. ThreatLabz developed a Proof-of-Concept application to demonstrate the exploitation process and has implemented protective measures against the vulnerability.
Winsage
November 14, 2025
A t-shirt states, "It gets worse before it gets worse," reflecting the current situation for Microsoft users facing a zero-day vulnerability in Windows. Cybersecurity researchers report a resurgence of DanaBot, a trojan previously thought diminished after Operation Endgame, which resulted in the arrest of 16 individuals and the seizure of millions in stolen cryptocurrency. DanaBot is now operating under version 669, utilizing a new infrastructure and employing malicious emails and malvertising campaigns for attacks. Experts advise Microsoft Windows users to enhance security measures with advanced monitoring and detection systems while remaining vigilant against phishing and malvertising threats.
AppWizard
November 6, 2025
- There has been a 67% year-over-year increase in malware aimed at mobile devices.
- A 387% rise in IoT and OT attacks has been observed, particularly in the energy sector.
- Researchers identified 239 malicious applications on the Google Play Store, which collectively had 42 million downloads.
- A significant amount of malware was found in the "Tools" category, where malicious apps disguised themselves as legitimate productivity tools.
- The manufacturing sector is a primary target for mobile and IoT attacks, with manufacturing and transportation industries accounting for 20.2% of all observed IoT malware attacks.
- Mobile attacks are primarily concentrated in India, the United States, and Canada, with the U.S. being the epicenter for IoT threats, accounting for 54% of incidents.
- India leads in mobile attacks at 26%, followed by the U.S. at 15% and Canada at 14%, with India experiencing a 38% increase in mobile threat attacks compared to the previous year.
- There is a shift from card-focused fraud schemes to mobile payment methods among threat actors.