
Ankura CTIX FLASH Update - April 4, 2025

Malware Activity

The Rising Threat of Sophisticated Malware and Counterfeit Devices

A concerning report has identified a surge in counterfeit Android devices, often posing as budget-friendly options from reputable brands, that are pre-loaded with the Triada malware. Triada poses a significant security threat to unsuspecting consumers: it can gain root access, making it difficult to detect and allowing malicious activities such as data theft and unauthorized ad displays. As sales of these counterfeit devices rise, experts urge buyers to be cautious and verify device authenticity. Compounding the issue, the notorious Lazarus Group has targeted job seekers through sophisticated phishing campaigns, using fake job postings to steal personal information and introduce ransomware. Additionally, researchers have revealed a malware delivery chain deploying the Remote Access Trojan (RAT) known as DCRat through phishing emails containing malicious attachments, which attackers use to infiltrate systems and establish persistent access. Advanced malware loaders are also leveraging call stack manipulation to evade detection, disguising their operations within legitimate processes so that security tooling has a significantly harder time spotting their activity. These articles demonstrate that users must remain vigilant and prioritize safety when engaging with technology and online opportunities. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Earth Alux, China-Linked Threat Actor, Targeting Key Sectors in APAC and LATAM

A new China-linked threat actor, Earth Alux, has emerged as a sophisticated cyberespionage group targeting key sectors across the Asia-Pacific (APAC) and Latin American (LATAM) regions. Researchers have documented Earth Alux's activities, noting its presence since the second quarter of 2023, primarily in APAC, and its expansion into Latin America by mid-2024. The group targets countries including Thailand, the Philippines, Malaysia, Taiwan, and Brazil, focusing on sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Earth Alux initiates attacks by exploiting vulnerabilities in internet-exposed web applications, deploying the Godzilla web shell to facilitate further payload deployment. Key payloads include backdoors named VARGEIT and COBEACON (also known as Cobalt Strike Beacon). VARGEIT loads tools directly from its command-and-control (C&C) server, utilizing Microsoft Paint processes for reconnaissance and data exfiltration. It also supports tasks like lateral movement and network discovery in a fileless manner. COBEACON acts as a first-stage backdoor, launched via MASQLOADER or RSBINJECT, a Rust-based shellcode loader. MASQLOADER incorporates anti-API hooking techniques to evade detection by security programs, allowing the malware to operate stealthily. VARGEIT deploys additional tools, including RAILLOAD, which uses DLL side-loading to run encrypted payloads, and RAILSETTER, a module that alters timestamps and creates scheduled tasks for persistence. VARGEIT supports ten (10) different C&C communication channels, including HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, utilizing the Graph API for command exchanges via the drafts folder of an attacker-controlled mailbox. Earth Alux conducts detection tests with RAILLOAD and RAILSETTER and seeks new hosts for DLL side-loading. Tools like ZeroEye and VirTest, popular in the Chinese-speaking community, are employed to maintain stealth and long-term access to target environments.

Vulnerabilities

Verizon API Flaw Grants Users Access to Incoming Call Logs for Other Verizon Wireless Numbers

A critical security flaw was discovered in Verizon's Call Filter application that allowed users to access incoming call logs of other Verizon customers through an improperly secured API. Security researcher Evan Connelly identified the vulnerability on February 22, 2025, and Verizon patched it by mid-March, though the exact duration of exposure remains unknown. The vulnerability stemmed from the application's API, which accepted requests authenticated by a valid JWT (JSON Web Token) but failed to verify that the phone number in the request header matched the user's own number. This allowed anyone with a valid token to retrieve another user's call history by simply modifying a header value. Connelly, who tested the iOS version of the application, believes Android users were also likely affected, as the flaw resided in the shared backend API. The exposed call data could have serious privacy implications, particularly for high-profile individuals like journalists, law enforcement, or politicians, by revealing contacts, routines, and personal relationships. The vulnerable endpoint was hosted by Cequint, a lesser-known third-party firm handling Verizon's caller ID services, raising further concerns about the handling of sensitive user data. Although Verizon responded quickly and stated there was no evidence of exploitation, they also claimed the issue only impacted iOS users, a point that remains uncertain.
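The class of bug described above is a missing object-level authorization check: the API authenticates the caller (a valid JWT) but never ties the requested resource (a phone number supplied in a header) back to the authenticated identity. The following added example, which is not Verizon's, Cequint's or the researcher's code, shows the pattern beside its fix in standard-library Python. It assumes a minimal HS256 JWT whose `sub` claim is the subscriber's own number, a constructed secret, a constructed in-memory call log table, and a hypothetical header name `X-Phone-Number` for the requested number (the report does not name the real header).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real service would keep this in a key manager.
SECRET = b"constructed-demo-hs256-secret"

# Constructed sample backend data: subscriber number -> incoming call log.
CALL_LOGS = {
    "+15550000001": ["+15550001111", "+15550002222"],
    "+15550000002": ["+15550003333"],
}

# Hypothetical header name for the number whose log is requested; the report
# only says the number came from a header, not what the header was called.
PHONE_HEADER = "X-Phone-Number"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(phone: str, ttl_seconds: int = 300) -> str:
    """Issue a minimal HS256 JWT whose subject is the caller's own number."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": phone, "exp": int(time.time()) + ttl_seconds}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        if header.get("alg") != "HS256" or claims.get("exp", 0) < time.time():
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        # Malformed token, bad base64, bad JSON, or wrong claim types: treat as unauthenticated.
        return None


def _authenticate(headers: dict) -> Optional[dict]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):])


def vulnerable_call_log(headers: dict) -> Tuple[int, Optional[list]]:
    """The flaw pattern: authentication passes, but the number in the header is never
    compared with the authenticated subscriber, so any valid token can read any log."""
    if _authenticate(headers) is None:
        return 401, None
    return 200, CALL_LOGS.get(headers.get(PHONE_HEADER), [])


def fixed_call_log(headers: dict) -> Tuple[int, Optional[list]]:
    """Object-level authorization: the log returned is always the token subject's own,
    and a header naming a different number is rejected instead of honoured."""
    claims = _authenticate(headers)
    if claims is None:
        return 401, None
    requested = headers.get(PHONE_HEADER, claims["sub"])
    if requested != claims["sub"]:
        return 403, None
    return 200, CALL_LOGS.get(claims["sub"], [])


if __name__ == "__main__":
    token = mint_token("+15550000001")
    crafted = {"Authorization": "Bearer " + token, PHONE_HEADER: "+15550000002"}
    print("vulnerable:", vulnerable_call_log(crafted))  # returns the other subscriber's log
    print("fixed:     ", fixed_call_log(crafted))       # (403, None)
```

The fix deliberately keys the lookup on the token's `sub` claim rather than on the header, so the client-controlled value can only ever confirm, never widen, what the caller is allowed to see; the mismatch is returned as 403 so it stands out in access logs as an authorization failure rather than a bad login.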

 

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
