
Ankura CTIX FLASH Update - December 3, 2025

Malware Activity

Mobile and IoT Malware Highlights Growing Risks

Cybersecurity researchers have recently identified new threats targeting both mobile devices and Internet of Things (IoT) devices. A malware family called Albiriox has appeared on Android, distributed through a malware-as-a-service platform that offers a range of malicious features. It uses social engineering to trick users into installing fake apps, then gains extensive control over infected phones to steal sensitive data, manipulate what is shown on screen, and commit fraud. Meanwhile, ShadowV2, a botnet based on the Mirai malware, has been attacking IoT devices such as D-Link and TP-Link routers by exploiting known security flaws, including older vulnerabilities in devices that are no longer supported. ShadowV2 can launch large-scale Distributed Denial of Service (DDoS) attacks, disrupting online services across sectors worldwide. Both threats underscore the increasing sophistication of cybercriminals and the urgent need for users and organizations to keep their devices updated and secured against these evolving dangers. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Australian Man Sentenced for 'Evil Twin' WiFi Attacks at Airports and Flights

Michael Clapsis, a 44-year-old Australian man, has been sentenced to seven (7) years and four (4) months in prison for operating "evil twin" WiFi networks at airports and on flights in Australia, including Perth, Melbourne, and Adelaide. Using a WiFi Pineapple device designed for network penetration testing, Clapsis created rogue access points with the same names as legitimate networks, tricking travelers into connecting. Victims were then directed to phishing pages where they were prompted to enter email or social media credentials. The Australian Federal Police (AFP) launched an investigation after an airline employee discovered a suspicious network, leading to the seizure of Clapsis's equipment, including a laptop and mobile phone. Forensic analysis revealed thousands of stolen images and videos, as well as personal credentials harvested through the fraudulent WiFi pages. Clapsis pleaded guilty to multiple charges, including unauthorized access and modification of data, stealing, and attempted destruction of evidence. He also accessed his employer's laptop to obtain information about confidential meetings with the AFP. This case highlights the risks associated with free and public WiFi networks. CTIX analysts recommend using virtual private networks (VPNs) and strong passwords, and disabling automatic WiFi connectivity, to protect against such attacks.
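
The rogue access points described above reused a legitimate network's name, which is exactly the pattern a venue's network team or a wireless IDS can look for. The following is an added example, not code from the briefing or from any of the parties involved: it takes a list of scan results (assumed to be `(ssid, bssid, security)` tuples, all constructed here) plus a constructed allow-list of the venue's own BSSIDs, and flags any access point that advertises a known SSID from an unlisted BSSID or that offers an open network under the same name as a protected one.

```python
from collections import defaultdict

# CONSTRUCTED: the BSSIDs a venue's network team has on record for its own SSID.
KNOWN_APS = {
    "Airport_Free_WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# CONSTRUCTED scan results as (ssid, bssid, security). The third row is an
# open-auth access point reusing the venue's SSID from a BSSID not on record.
SAMPLE_SCAN = [
    ("Airport_Free_WiFi", "AA:BB:CC:00:00:01", "WPA2"),
    ("Airport_Free_WiFi", "AA:BB:CC:00:00:02", "WPA2"),
    ("Airport_Free_WiFi", "DE:AD:BE:EF:00:01", "OPEN"),
    ("CoffeeShop_Guest", "11:22:33:44:55:66", "WPA2"),
]


def find_suspect_aps(scan, known_aps):
    """Return one finding per access point that looks like an SSID impersonation.

    Two independent checks are applied per BSSID:
      * the SSID is one we manage, but this BSSID is not on our list;
      * the SSID is also served by a protected AP, yet this AP is open.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        # normalise so that case differences in scan output never hide a match
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    findings = []
    for ssid, aps in by_ssid.items():
        has_protected_sibling = any(sec != "OPEN" for _, sec in aps)
        for bssid, sec in aps:
            reasons = []
            if ssid in known_aps and bssid not in known_aps[ssid]:
                reasons.append("bssid not on the known-AP list for this ssid")
            if has_protected_sibling and sec == "OPEN":
                reasons.append("open AP advertising the same ssid as a protected AP")
            if reasons:
                findings.append({"ssid": ssid, "bssid": bssid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_aps(SAMPLE_SCAN, KNOWN_APS):
        print(f"{f['ssid']} via {f['bssid']}: {'; '.join(f['reasons'])}")
```

The allow-list check only works for networks you operate, which is why the second rule (an open AP shadowing a protected SSID) is kept independent of it; neither rule proves malice on its own, so findings are a trigger for a physical sweep, not an automatic block.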

Vulnerabilities

CISA Flags Exploited OpenPLC ScadaBR Flaw Amid Hacktivist ICS Targeting

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a medium-severity cross-site scripting (XSS) vulnerability in the open-source OpenPLC ScadaBR human-machine interface (HMI), to its Known Exploited Vulnerabilities (KEV) catalog following confirmed real-world abuse against industrial control systems. Although the flaw was patched in 2021 and affects older Windows and Linux versions of ScadaBR, it was recently exploited by the pro-Russian hacktivist group TwoNet during attacks on ICS/OT honeypots operated by Forescout and designed to mimic water treatment facilities. In these incidents the attackers used weak or default credentials to access the environment, created rogue user accounts, exploited the XSS flaw to deface the HMI login page with scripted pop-up messages, and disabled logs and alarms. The chain demonstrates how low-skill adversaries can still disrupt operational technology environments using easily exploitable legacy weaknesses. While the targeted systems were simulated and no real-world impact resulted, the activity highlights ongoing hacktivist interest in the water sector and broader ICS infrastructure, as well as the risk posed by outdated interfaces and poor security hygiene. CISA has directed all U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability under Binding Operational Directive 22-01 no later than December 19, 2025, and recommends that private organizations likewise review the KEV catalog to reduce exposure, warning that more sophisticated threat actors could quietly exploit similar flaws in targeted, undisclosed operations. CTIX analysts urge any affected administrators to ensure their infrastructure is patched in time.
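
CISA's recommendation to "review the KEV catalog" is easy to automate: the catalog is published as a JSON feed whose `vulnerabilities` array carries `cveID`, `vendorProject`, `product` and `dueDate` fields, and an inventory can be joined against it. The following is an added example, not code from the briefing or from CISA: it assumes that feed layout, embeds a constructed two-entry catalog in the same shape (only the CVE number, the OpenPLC/ScadaBR names and the 2025-12-19 due date come from the briefing; the second entry, the `dateAdded` values and the `requiredAction` text are placeholders), and reports, for a constructed asset inventory, which hosts match a KEV entry and how many days remain before the BOD 22-01 due date.

```python
import json
from datetime import date

# CONSTRUCTED sample in the KEV feed's JSON layout. Only CVE-2021-26829, the
# OpenPLC/ScadaBR names and the 2025-12-19 due date come from the briefing;
# the second entry and every other field value are placeholders.
SAMPLE_KEV_JSON = """{
  "title": "Constructed sample in KEV catalog layout",
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-26829",
      "vendorProject": "OpenPLC",
      "product": "ScadaBR",
      "vulnerabilityName": "OpenPLC ScadaBR Cross-Site Scripting Vulnerability",
      "dateAdded": "2025-12-02",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
      "dueDate": "2025-12-19",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleRouter",
      "vulnerabilityName": "Placeholder entry for an unrelated product",
      "dateAdded": "2025-11-01",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2025-11-22",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""

# CONSTRUCTED asset inventory; vendor/product strings are what the asset
# database records, not necessarily how KEV spells them.
SAMPLE_INVENTORY = [
    {"host": "hmi-01.plant.example", "vendor": "OpenPLC", "product": "ScadaBR"},
    {"host": "fw-02.plant.example", "vendor": "ExampleVendor", "product": "ExampleRouter"},
    {"host": "ws-07.office.example", "vendor": "OtherVendor", "product": "Spreadsheet"},
]


def load_kev(catalog_json):
    """Index a KEV-layout catalog by CVE id; a malformed feed raises KeyError."""
    data = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def asset_matches(entry, asset):
    """KEV vendor/product fields are free text, so match case-insensitively on
    substrings; a production pipeline would map both sides to CPE names."""
    return (asset["vendor"].lower() in entry["vendorProject"].lower()
            and asset["product"].lower() in entry["product"].lower())


def find_exposures(kev, inventory, today):
    """One record per (asset, KEV entry) pair, ordered by urgency."""
    hits = []
    for asset in inventory:
        for entry in kev.values():
            if not asset_matches(entry, asset):
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,   # negative once overdue
                "overdue": today > due,
            })
    return sorted(hits, key=lambda h: h["days_left"])


def report(catalog_json, inventory, today_iso):
    """Convenience wrapper taking the date as an ISO string."""
    return find_exposures(load_kev(catalog_json), inventory, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for hit in report(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-12-03"):
        status = "OVERDUE" if hit["overdue"] else f"{hit['days_left']} days left"
        print(f"{hit['host']}: {hit['cve']} due {hit['due']} ({status})")
```

Run against the constructed data on the briefing's date, the script lists the router first (its placeholder due date has already passed) and the ScadaBR HMI second with sixteen days remaining; the workstation produces no row because nothing in the catalog matches it. The substring match is deliberately loose so that vendor spelling differences do not hide a hit, which means every match still needs a human to confirm the affected version before it is treated as exposure.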


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
