Cyber Security Weekly Briefing, 4 April

April 4, 2025

Crocodilus: new banking malware targeting Spain and Turkey

Researchers at ThreatFabric have detected a new Android banking malware called Crocodilus, distributed via a proprietary dropper that circumvents the security protections of Android 13 and later. The malware uses social engineering to get victims to hand over the seed phrase of their cryptocurrency wallet: when the user opens a banking or wallet app, an overlay screen warns them to back up their wallet key so as not to lose access to the wallet. When the victim types the phrase in, Crocodilus collects the text through its accessibility logger.

In its first campaigns, Crocodilus targeted users in Turkey and Spain; the malware itself is of Turkish origin. Its bot component supports a set of 23 commands that it can execute on the device, including enabling call forwarding, launching specific apps, sending and fetching SMS messages, posting push notifications, locking the screen and requesting device administrator privileges. The malware also offers Remote Access Trojan (RAT) functionality and captures OTP codes.


Google and Mozilla release critical updates for their browsers

Google and Mozilla have released new versions of their browsers, Chrome 135 and Firefox 137 respectively. Both updates fix multiple vulnerabilities, several of them classified as high severity. Chrome 135 fixes a total of 14 vulnerabilities, including a high-severity flaw identified as CVE-2025-3066 (CVSSv3 8.8 according to CISA), a use-after-free in Navigations. Medium- and low-severity bugs caused by inappropriate implementations in features such as custom tabs, extensions, autofill and downloads were also fixed.

The new release is version 135.0.7049.52 for Linux and 135.0.7049.41/42 for Windows and macOS. Firefox 137, for its part, patches eight bugs, three of them rated high severity. These include a use-after-free related to XSLTProcessor (CVE-2025-3028, CVSSv3 6.5 according to CISA) and several memory safety bugs that could allow malicious code execution (CVE-2025-3030 and CVE-2025-3034, both with a CVSSv3 of 8.1 according to CISA). Vulnerabilities that could enable address bar spoofing, exposure of sensitive information and arbitrary file uploads on Windows were also fixed. Mozilla also released updates for its ESR branch and for Thunderbird with similar fixes.

Finally, although these flaws are not reported to be actively exploited, users are advised to update their browsers as soon as possible.


Anubis: advanced backdoor targeting Windows devices

PRODAFT researchers have identified Anubis, a sophisticated backdoor targeting Windows systems that allows attackers to gain persistent access and execute remote commands. Attributed to a financially motivated threat actor, Anubis employs advanced obfuscation and evasion techniques to avoid detection. The malware is distributed through phishing campaigns and malicious downloads, using command and control (C2) servers to receive instructions.

Its capabilities include credential collection, file system manipulation and installation of additional payloads. PRODAFT's analysis reveals that Anubis has been used in targeted attacks against government and financial sector organizations. Advanced detection rules and network segmentation measures are recommended to mitigate its impact.


Increase in phishing attacks using QR codes

Researchers at Palo Alto Networks Unit 42 have detected an increase in phishing attacks that use QR codes, a technique known as quishing. These attacks seek to steal Microsoft account credentials by exploiting users' trust in QR codes and the weaker security controls typical of mobile devices. Unlike traditional phishing, quishing evades email security filters by carrying no direct link: the message contains a QR code that, once scanned, redirects the victim to the malicious site.

Attackers employ advanced tactics such as using legitimate domains to redirect victims and integrating human verification mechanisms to evade detection. Phishing pages often mimic Microsoft services such as SharePoint and can auto-populate user email to increase their credibility. Key indicators of compromise include PDFs with malicious QR codes, redirects through legitimate domains and fake login pages.

To mitigate these attacks, organizations are advised to implement URL filtering, enforce security on personal devices and train employees to identify quishing attempts.
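The indicators listed above (a redirect hop through a legitimate domain, a Microsoft or SharePoint lookalike login page, a pre-filled user email) can be turned into a simple triage check for URLs decoded from QR codes in incoming PDFs. This is an added example, not Unit 42 tooling; the redirect parameter names, brand terms and sample URLs are constructed assumptions.

```python
# Added example (not Unit 42 tooling): triage URLs decoded from QR codes in PDF attachments
# for the quishing indicators in the briefing. Parameter/brand lists and SAMPLE_URLS are constructed.
from urllib.parse import parse_qs, unquote, urlparse

REDIRECT_PARAMS = {"url", "u", "redirect", "redir", "target", "dest", "next"}
BRAND_TERMS = ("microsoft", "sharepoint", "office365", "onedrive", "o365")
LOGIN_WORDS = ("login", "signin", "sharepoint", "auth")
EMAIL_PARAMS = {"email", "login_hint", "username"}

def owned_by_microsoft(host):
    """True for hosts Microsoft actually uses for sign-in/SharePoint (subset, assumption)."""
    return host in {"login.microsoftonline.com", "login.live.com"} or any(
        host == d or host.endswith("." + d) for d in ("microsoft.com", "sharepoint.com"))

def extract_redirect_target(url):
    """Return an absolute URL carried in a redirect-style query parameter, if any."""
    for name, values in parse_qs(urlparse(url).query).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                value = unquote(value)  # tolerate double-encoded targets
                if value.startswith(("http://", "https://")):
                    return value
    return None

def triage_qr_url(url):
    """Return indicator tags for one decoded QR URL; an empty list means nothing flagged."""
    findings, landing = [], url
    outer_host = urlparse(url).hostname or ""
    target = extract_redirect_target(url)
    if target is not None:
        inner_host = urlparse(target).hostname or ""
        if inner_host and inner_host != outer_host:  # hop through a legitimate domain
            findings.append(f"redirect-through:{outer_host}->{inner_host}")
            landing = target
    parsed = urlparse(landing)
    host = parsed.hostname or ""
    if not owned_by_microsoft(host):  # lookalike login page on a host Microsoft does not own
        if any(term in host for term in BRAND_TERMS):
            findings.append(f"brand-in-hostname:{host}")
        if any(word in parsed.path.lower() for word in LOGIN_WORDS):
            findings.append(f"login-page-offbrand:{host}")
    if "@" in parsed.fragment or EMAIL_PARAMS & set(parse_qs(parsed.query)):
        findings.append("prefilled-email")  # victim's address auto-populated on the page
    return findings

# Constructed samples: two phishing-style QR targets and one benign file link.
SAMPLE_URLS = [
    "https://legit-redirector.example/track?u=https%3A%2F%2Fsharepoint-docs.example-cdn.net%2Flogin%23user%40contoso.com",
    "https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=https%3A%2F%2Fportal.example.com%2Fcb",
    "https://acme-files.example/share/report.pdf",
]
```

Running `triage_qr_url` over each entry of `SAMPLE_URLS` flags only the first one; a real deployment would feed it URLs decoded from attachments and forward anything flagged to the URL filter or to analysts.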


Expansion of North Korean IT workers' operations for infiltration and cybercrime

Google Threat Intelligence Group has identified an expansion in the operations of North Korean IT workers seeking employment with foreign companies to gain access to critical infrastructure and facilitate cybercrime and sanctions evasion activities. These actors have increased the scale and sophistication of their tactics, posing as legitimate developers on platforms such as GitHub and LinkedIn.

North Korean IT workers have been linked to the abuse of privileged access for intellectual property theft, malware deployment and credential harvesting. They have also used advanced techniques to hide their true identity, including VPNs, deepfakes during interviews and manipulation of activity logs on collaboration platforms. Google warns that these actors have diversified their targets as well, affecting sectors beyond the technology industry, such as finance and healthcare.
