
Ankura CTIX FLASH Update - March 11, 2025

Malware Activity


Cyber Underbelly: A Surge of Sophisticated Threats Targeting Victims Worldwide

A new silent cryptominer, named "SilentCryptoMiner", has infiltrated around 2,000 Russian computers, using deceptive tactics to quietly siphon off processing power without user detection. The cryptominer, which is derived from the open-source XMRig, pads the malicious file with random blocks of data to artificially increase its file size to 690 MB. This strategy is intended to evade automated analysis by antivirus programs and sandboxes. Meanwhile, content creators on YouTube are being extorted via false copyright claims and tricked into distributing cryptocurrency miners and malware to unwitting victims. Adding to the cyber chaos, the notorious ransomware gang known as "Akira" has been found using a vulnerability in an insecure webcam to infiltrate an organization's network, effectively sidestepping endpoint detection and response systems. Finally, a new player in the realm of cybercrime has emerged, dubbed "Desert Dexter". The malicious group is utilizing advanced tactics, including a modified version of "AsyncRAT", to target over 900 individuals with a sophisticated malware campaign involving keylogging, spear-phishing schemes and custom malware. The attack has been characterized by its methodical approach, which includes reconnaissance to identify specific targets and leveraging social engineering to maximize the success of its campaigns. Cybersecurity firms also report that the notorious hacking groups FIN7 and FIN8 have been linked to the deployment of the "Ragnar Loader" malware tool, designed to facilitate various cyberattacks. "Ragnar Loader" has been adopted by various threat groups, including FIN7 and FIN8. This loader is particularly notable for its ability to evade detection and facilitate the deployment of additional malicious payloads, targeting financial and business organizations.
The researchers highlight how "Ragnar Loader" employs advanced techniques, such as a modular architecture and obfuscation methods, making it a versatile tool for cybercriminals. Meanwhile, SafeWallet has confirmed that it fell victim to a state-sponsored North Korean cyber operation known as "TraderTraitor". The incident included the infiltration of a SafeWallet developer's laptop and the takeover of AWS session tokens to circumvent multi-factor authentication measures. As these incidents illustrate, the digital world is a battleground where vigilance and proactive defenses are paramount to safeguarding information and privacy. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


Recent Campaign Sweeps Across US Cities Under the Guise of Unpaid Parking Phishing Texts

US cities are currently facing a widespread mobile phishing campaign in which scammers send texts pretending to be from city parking violation departments, claiming there are unpaid parking invoices that will incur a $35 daily fine if not paid. This scam has prompted warnings from cities across the US, including Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Charlotte, San Diego, San Francisco, and many others. The texts, which began circulating in December 2024, have been targeting residents with messages that include a link to a fake payment site. A notable tactic in these scams is the use of an open redirect via google[.]com to lead victims to phishing websites named after the cities they claim to represent, such as nycparkclient[.]com for New York City. This method exploits the trust associated with Google's domain, as Apple's iMessage does not disable links from known domains, making it easier to deceive users into clicking. Once users follow the link, they are taken to a site posing as the "NYC Department of Finance: Parking and Camera Violations," where they are asked to enter their name and zip code. Regardless of the input, users are informed of an outstanding parking invoice and prompted to settle the balance, which varies but is typically low to avoid suspicion. A key indicator of the scam is the incorrect placement of the dollar sign after the amount, suggesting the scam originates from outside the US. On proceeding, victims are led to a page where their personal details, including name, address, phone number, email, and credit card information, are requested. This data can then be used for identity theft, financial fraud, or sold to other malicious actors. To protect themselves, CTIX analysts recommend that individuals report and block numbers from unknown sources, especially those requesting immediate action or providing links to unfamiliar sites.
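The indicators described above (a google.com open redirect, a parking-themed destination domain, and a dollar sign placed after the amount) can be checked mechanically. The following is an added example written for this briefing, not a tool from CTIX or the cited cities; the sample messages are constructed, and the only page-derived value is the nycparkclient.com domain.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample texts (not real captures) modelled on the campaign above.
SAMPLES = [
    "NYC Dept of Finance: you have an unpaid parking invoice of 4.60$. "
    "Pay now to avoid a 35$ daily fine: https://www.google.com/url?q=https://nycparkclient.com/pay",
    "Reminder: your library book is due Friday. https://library.example.org/account",
    "City of Boston parking notice: balance due. http://bostonparkpay.com/invoice?id=123",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Amount followed by a dollar sign, e.g. "4.60$" or "35$" (the mis-placed currency symbol).
TRAILING_DOLLAR_RE = re.compile(r"\b\d+(?:\.\d{2})?\$")


def resolve_open_redirect(url):
    """Return the destination hidden behind a google.com redirect, else the url itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "google.com" or host.endswith(".google.com"):
        qs = parse_qs(p.query)
        for key in ("q", "url"):  # parameters commonly used by Google's redirect endpoints
            if key in qs:
                return unquote(qs[key][0])
    return url


def analyze_sms(text):
    """Return the list of indicator names triggered by one message (empty if none)."""
    hits = []
    if TRAILING_DOLLAR_RE.search(text):
        hits.append("trailing_dollar_sign")
    for url in URL_RE.findall(text):
        final = resolve_open_redirect(url)
        if final != url:
            hits.append("google_open_redirect")
        host = (urlparse(final).hostname or "").lower()
        # A "park*" domain in a message that talks about parking matches the lure pattern.
        if "park" in host and "parking" in text.lower():
            hits.append("parking_lure_domain:" + host)
    return hits


if __name__ == "__main__":
    for sms in SAMPLES:
        print(analyze_sms(sms) or "clean", "<-", sms[:60])
```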


Vulnerabilities


"Undocumented Commands" Vulnerability in Espressif ESP32 Bluetooth Chip Impacts a Billion Devices

Researchers from Tarlogic Security have discovered undocumented commands in the widely used ESP32 microchip, manufactured by Espressif, which could act as a backdoor for cyberattacks on millions of IoT devices. Presented at RootedCON, their findings reveal that these hidden commands allow attackers to impersonate trusted devices, manipulate memory, access sensitive data, establish long-term persistence, and potentially grant access to other devices via Bluetooth. Using their newly developed BluetoothUSB tool, the researchers identified twenty-nine (29) undocumented HCI commands (code 0x3F) in the ESP32 Bluetooth firmware, which enable low-level control over Bluetooth functions, including RAM and Flash modification, MAC address spoofing, and LMP/LLCP packet injection. The vulnerability, now tracked as CVE-2025-27840, raises concerns about potential supply chain attacks and OEM-level exploitation. While the researchers clarify that these commands are more accurately described as a "hidden feature" rather than a deliberate backdoor, their existence poses a significant security risk, especially if attackers gain root access or exploit vulnerable firmware. Given that over a billion ESP32 chips are in circulation, affecting devices such as smartphones, smart locks, and medical equipment, the implications are vast. Tarlogic aims to democratize Bluetooth security testing with their BluetoothUSB tool, helping manufacturers identify and mitigate such vulnerabilities. Espressif has yet to comment on these findings, while further technical details are expected to be released in the coming weeks. CTIX analysts will continue to monitor this situation, and may release updates in future issues of the CTIX FLASH Update.
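A defender auditing a host's traffic to an ESP32 can at least enumerate which vendor-specific HCI commands are being sent and compare them against what Espressif documents. The following is an added example, not code from Tarlogic or Espressif; it assumes the "0x3F" code above refers to the Opcode Group Field (OGF) that the Bluetooth Core specification reserves for vendor-specific commands, and it parses a constructed H4 (UART transport) byte stream.

```python
import struct

HCI_COMMAND_PKT = 0x01       # H4 packet-type indicator for HCI commands
HCI_ACL_PKT = 0x02           # H4 packet-type indicator for ACL data
HCI_EVENT_PKT = 0x04         # H4 packet-type indicator for HCI events
OGF_VENDOR_SPECIFIC = 0x3F   # Bluetooth Core spec: OGF 0x3F is vendor-specific


def parse_h4_commands(stream):
    """Yield (opcode, ogf, ocf, params) for each HCI command in an H4 byte stream.
    An HCI opcode is 16 bits: the upper 6 bits are the OGF, the lower 10 the OCF."""
    i = 0
    while i < len(stream):
        ptype = stream[i]
        if ptype == HCI_COMMAND_PKT:
            opcode, plen = struct.unpack_from("<HB", stream, i + 1)
            params = bytes(stream[i + 4:i + 4 + plen])
            yield opcode, opcode >> 10, opcode & 0x03FF, params
            i += 4 + plen
        elif ptype == HCI_ACL_PKT:   # handle/flags (2 bytes) + data length (2 bytes)
            (dlen,) = struct.unpack_from("<H", stream, i + 3)
            i += 5 + dlen
        elif ptype == HCI_EVENT_PKT:  # event code (1 byte) + parameter length (1 byte)
            i += 3 + stream[i + 2]
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")


def vendor_commands(stream):
    """Return [(opcode, ocf, params)] for every command sent in the vendor-specific OGF."""
    return [(op, ocf, params) for op, ogf, ocf, params in parse_h4_commands(stream)
            if ogf == OGF_VENDOR_SPECIFIC]


# Constructed sample (not a real capture): a standard HCI_Reset (OGF 0x03, OCF 0x0003,
# opcode 0x0C03), its Command Complete event, then a vendor command (OGF 0x3F, OCF 0x0001,
# opcode 0xFC01) carrying two parameter bytes. Opcodes are little-endian on the wire.
SAMPLE_H4 = bytes([
    0x01, 0x03, 0x0C, 0x00,                     # HCI_Reset, no parameters
    0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00,   # Command Complete for HCI_Reset
    0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB,         # vendor-specific command, 2 param bytes
])

if __name__ == "__main__":
    for opcode, ocf, params in vendor_commands(SAMPLE_H4):
        print(f"vendor command opcode=0x{opcode:04X} ocf=0x{ocf:04X} params={params.hex()}")
```

Any OCF this reports that is absent from the vendor's published command set is a candidate for the kind of undocumented command the researchers describe.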


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
