Malware Activity
Rising Tide of Cyber Threats: The VO1D Botnet, Clickfix and Phishing Attacks on the Rise
The new variant of the notorious VO1D botnet has grown to an alarming 1.6 million compromised Android TV boxes globally. The new variant has evolved to let its operators exploit these devices for a range of malicious activities, effectively turning everyday consumer hardware into pawns of their operations. Meanwhile, cybersecurity experts are on high alert over a series of sophisticated hacking techniques, including a "Clickfix" attack that deploys malicious payloads such as the Havoc command-and-control (C2) infrastructure via Microsoft SharePoint. This technique exploits users' trust in familiar platforms to bypass traditional security measures, with the threat actors hiding the attack among legitimate documents and workflows. In a parallel concern, approximately 5,000 phishing PDFs were identified spanning 260 different domains. The threat actors used the PDF files to redirect users to malicious websites aimed at extracting sensitive information. The convergence of these tactics illustrates a chilling evolution in cyber threats, emphasizing the urgent need for robust security measures to safeguard against increasingly deceptive and rampant online attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer.com: Vo1d Malware Botnet Grows
- TheHackerNews: Vo1d Botnet's Peak Surpasses 1.59M
- SecurityWeek: Vo1d Botnet Evolves
- TheHackerNews: Hackers Use Clickfix Trick
- BleepingComputer: New Clickfix Attack Deploys Havoc C2
- TheHackerNews: 5,000 Phishing PDFs
Threat Actor Activity
Legal Action Taken Against Storm-2139 for Bypassing AI Guardrails to Create Deepfakes and Illicit Content
Microsoft has taken legal action against a global cybercrime network known as Storm-2139, which is accused of developing and distributing tools to bypass generative AI guardrails for creating harmful content, including celebrity deepfakes and non-consensual intimate images. The network comprises key figures such as Arian Yadegarnia from Iran, Alan Krysiak from the UK, Ricky Yuen from Hong Kong, and Phát Phùng Tấn from Vietnam, along with two (2) unnamed U.S. individuals based in Illinois and Florida. Storm-2139 exploited exposed customer credentials to unlawfully access AI services, reconfiguring them to generate illicit content. The network is organized into creators, who develop the tools; providers, who distribute them; and users, who employ them to create content that violates Microsoft's policies. Microsoft's legal efforts began with a lawsuit filed in December 2024 in the Eastern District of Virginia. A temporary restraining order and preliminary injunction allowed Microsoft to seize a website integral to Storm-2139's operations, disrupting the group's activities and prompting internal conflict. The seizure led to members turning on each other, speculating about the identities of "John Does" listed in the filings, and doxing Microsoft lawyers. Some members even emailed Microsoft, attempting to shift blame within the group. Microsoft is preparing criminal referrals to U.S. and international law enforcement agencies to further dismantle Storm-2139's operations and deter others from misusing AI technology.
Vulnerabilities
CISA Adds Cisco and Windows Vulnerabilities to the Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all U.S. federal agencies, urging them to secure their systems against actively exploited vulnerabilities in Cisco and Windows products. The first vulnerability, tracked as CVE-2023-20118, affects various Cisco VPN routers and allows attackers to execute arbitrary commands, especially when combined with another flaw (CVE-2023-20025) that bypasses authentication. The second flaw, tracked as CVE-2018-8639, is a Windows elevation of privilege vulnerability that enables local attackers to gain kernel-level access and potentially take over affected systems. Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, requiring all Federal Civilian Executive Branch (FCEB) agencies to patch their systems no later than March 23, 2024. While CISA has not disclosed specific details about the attacks, it emphasized the critical threat these vulnerabilities pose. Microsoft and Cisco have yet to update their advisories following CISA's announcement. CTIX analysts recommend that any affected entities ensure that their system administrators have applied all patches, workarounds, and mitigations listed in the CISA advisories to prevent exploitation.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.