San Mateo, CA, March 24, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
JPEG images hide dangerous malware
Analysts at Broadcom identified a steganographic malware campaign infecting users through seemingly harmless JPEG image files. “The attack leverages hidden malicious code embedded within image files that, when executed, initiates a complex chain of events designed to steal sensitive information from victims’ systems.” The attack begins with victims downloading JPEG files that carry scripts conventional scanners do not detect; the scripts target stored credentials, email clients, and FTP applications. Stolen data is then sent to command-and-control servers, which also deliver additional malware. “The steganographic technique used in this campaign is particularly sophisticated, making detection challenging for traditional security tools,” said Broadcom researchers. The campaign highlights increasingly advanced obfuscation methods. Read more.
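The page does not say how the campaign embeds its scripts, so the following is an added triage check rather than Broadcom's method or a signature for this campaign: it walks a JPEG's marker structure to find the real End-Of-Image marker and flags any bytes appended after it, plus a few script-like strings that have no business inside image data. Every byte string below (the skeleton JPEG, the appended payload) is constructed for the example.

```python
"""Triage check for JPEG files carrying appended or embedded script content.

Added example, not code from Broadcom or the original article. Heuristics are
generic: (1) bytes trailing the image's EOI marker, (2) script-like strings
anywhere in the file. Both are signals for further analysis, not proof.
"""
import re

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"

# Strings that should never appear inside legitimate image data.
SCRIPT_PATTERNS = [
    ("script tag", re.compile(rb"<script", re.I)),
    ("eval call", re.compile(rb"eval\s*\(", re.I)),
    ("powershell", re.compile(rb"powershell", re.I)),
    ("cmd.exe", re.compile(rb"cmd\.exe", re.I)),
]


def skip_scan_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.
    Inside scan data 0xFF is always followed by 0x00 (byte stuffing) or by a
    restart marker D0..D7, so any other 0xFF xx pair is a genuine marker."""
    while pos < len(data) - 1:
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    raise ValueError("scan data runs past end of file")


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the image's own EOI marker.
    Walking the segment structure (instead of searching for FF D9) means an
    EXIF thumbnail, which carries its own EOI, or a payload that itself
    contains FF D9 cannot mislead the check. Raises ValueError if malformed."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: end of image
            return pos + 2
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length                        # skip the segment body
        if marker == 0xDA:                       # SOS: scan data follows
            pos = skip_scan_data(data, pos)
    raise ValueError("no EOI marker found")


def scan_jpeg(data: bytes) -> dict:
    """Report trailing bytes after EOI and script-like strings in the file."""
    trailing = data[find_eoi_offset(data):]
    hits = sorted(name for name, pat in SCRIPT_PATTERNS if pat.search(data))
    return {
        "trailing_bytes": len(trailing),
        "script_hits": hits,
        "suspicious": bool(trailing) or bool(hits),
    }


def build_minimal_jpeg() -> bytes:
    """Constructed sample: structurally valid (not viewable) JPEG skeleton
    with a JFIF APP0 segment, an APP1 segment holding an embedded thumbnail
    (its own SOI/EOI), one SOS segment with stuffed scan data, then EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + \
        b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + SOI + EOI
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"              # FF 00 is a stuffed byte
    return SOI + app0 + app1 + sos + scan + EOI


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    # Constructed payload: note it starts with FF D9 to defeat a naive rfind().
    tampered = clean + b"\xff\xd9<script>eval(x)</script>"
    print("clean:   ", scan_jpeg(clean))
    print("tampered:", scan_jpeg(tampered))
```

Trailing data after EOI is also produced by some legitimate camera and phone software, and payloads hidden in the pixel data itself will not trigger this check at all, so treat a hit as a reason to pull the file for deeper analysis rather than as a verdict.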
SpyX breach hits 2 million victims
Consumer-grade spyware company SpyX experienced a data breach last year, which the company failed to report to authorities or customers, according to TechCrunch. The breach affected nearly two million people and exposed how the stalkerware targets Apple iPhones. Have I Been Pwned’s Troy Hunt “received a copy of the breached data in the form of two text files, which contained 1.97 million unique account records with associated email addresses.” Most addresses are directly linked to SpyX, but nearly 300,000 are associated with SpyX clones MSafely and SpyPhone. SpyX is marketed to parents for child safety, but such apps frequently enable domestic spying. Read more.
Paragon spyware customer countries uncovered
Researchers at the University of Toronto’s Citizen Lab named six previously unidentified countries as customers of spyware firm Paragon. Researchers “mapped the infrastructure of Paragon’s Graphite tool after a tip from a collaborator, and found a subset of suspected Paragon deployments linked to Australia, Canada, Cyprus, Denmark, Israel and Singapore. It also found potential links between Paragon and the Ontario Provincial Police.” Paragon advertises its spyware as “abuse-proof,” but the reported surveillance of Italian activists suggests otherwise. “The pattern in these cases challenges Paragon’s marketing approach which has claimed that the company would only sell to clients that abide by international norms and respect fundamental rights and freedoms,” reads a Citizen Lab report. Read more.
DollyWay malware hits 20,000 sites
GoDaddy researchers uncovered a malware operation called “DollyWay,” active since 2016, that compromised over 20,000 WordPress sites. GoDaddy’s report states, “Researchers have uncovered evidence linking multiple malware campaigns into a single, long-running operation we’ve named ‘DollyWay World Domination’… While previously thought to be separate campaigns, our research reveals these attacks share common infrastructure, code patterns, and monetization methods – all appearing to be connected to a single, sophisticated threat actor.” DollyWay targets vulnerable WordPress plugins and themes, automatically reinfecting sites on every page load, making removal complicated. Read more.
BlackBasta linked to Russian officials
Leaked internal chat logs appear to expose connections between the BlackBasta ransomware gang and Russian authorities. The more than 20,000 messages were shared by Telegram user @ExploitWhispers, allegedly after BlackBasta targeted Russian banks, and suggest that gang leader Oleg Nefedov escaped arrest with official help; Nefedov claimed to have contacted officials for a “green corridor.” The logs also indicate that BlackBasta maintains two physical offices in Moscow and runs business-like operations, including gatherings at restaurants and saunas. The chats confirm the gang uses AI tools such as ChatGPT to rewrite ransomware scripts and create phishing emails. Read more.
331 Android apps bypass security
Researchers from Bitdefender reported discovering 331 malicious apps on the Google Play Store that “exploit vulnerabilities in Android 13 to bypass security restrictions and carry out phishing attacks, ad fraud, and credential theft.” The apps, downloaded over 60 million times, pose as QR scanners, expense trackers, health apps, and wallpaper tools. Once installed, the apps harvest user data or display intrusive ads without typical permissions. Initially benign, the apps received malicious updates during Q3 2024. Read more.
SocGholish spreads Ransomhub ransomware
Threat actors from the SocGholish group weaponized compromised websites to deliver Ransomhub ransomware, according to Trend Micro. Using hijacked legitimate sites, the attackers serve malicious JavaScript, delivering fake browser update notifications. Victims are tricked into downloading malicious ZIP files. Active since 2018, SocGholish is known for its “highly obfuscated JavaScript loader, which employs a range of evasion techniques that enable it to bypass traditional signature-based detection methods effectively.” Read more.
Edimax camera flaw fuels botnets
Edimax IC-7100 network cameras have an unpatched security flaw that threat actors have been exploiting to deploy Mirai botnets since at least May 2024. The flaw, CVE-2025-1316 (CVSS v4 score: 9.3), is a “critical operating system command injection flaw that an attacker could exploit to achieve remote code execution on susceptible devices by means of a specially crafted request.” Akamai researchers note that a proof-of-concept exploit has been available since June 2023. Edimax confirmed that the affected cameras were discontinued over a decade ago and urges users to upgrade. “One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices,” Akamai stated. “The legacy of Mirai continues to plague organizations worldwide as the propagation of Mirai malware–based botnets shows no signs of stopping. With all sorts of freely available tutorials and source code (and, now, with AI assistance) spinning up a botnet has become even easier.” Read more.
Windows updates mistakenly remove Copilot
Microsoft warned users that its March 2025 updates for Windows 10 and Windows 11 automatically remove its AI-powered Copilot assistant. “We’re aware of an issue with the Microsoft Copilot app affecting some devices. The app is unintentionally uninstalled and unpinned from the taskbar,” the company explains. “This issue has not been observed with the Microsoft 365 Copilot app.” Microsoft has yet to disclose the cause of this issue or add it to its Windows release health dashboard. “In the meantime, affected users can reinstall the app from the Microsoft Store and manually pin it to the taskbar,” the company said. Copilot has run into repeated problems, and Microsoft has previously removed it in response to bugs or pushback from administrators. Read more.
Apple resists UK iCloud backdoor
The UK government’s demand that Apple insert a backdoor into its encrypted iCloud storage is being challenged by civil rights groups Liberty and Privacy International. Their complaint calls the demand “unacceptable and disproportionate,” warning of “global consequences” extending beyond the UK. The groups legally challenged Home Department Secretary Yvette Cooper’s “decision to serve Apple with a technical capability notice (TCN) under the Investigatory Powers Act (IPA).” Exposed by press coverage, the secret order drew widespread condemnation. “Privacy International and Liberty fear this TCN, or similar TCNs in the future, could be used to undermine end-to-end encryption essential to the protection of privacy and free expression,” the groups wrote. They’re pushing for a public hearing. Read more.
All articles sponsored by NetworkTigers.
