📢⚠️ Watch out as Phantom malware is hiding in modded Android games, turning phones into silent ad fraud bots. If you're sideloading apps, you're a target.

Read: https://hackread.com/phantom-malware-android-game-mods-ad-fraud/

#Android #Phantom #Malware #AdFraud #Cybersecurity

Researchers report Android malware leveraging machine learning to automate click fraud via hidden WebView sessions.

The activity avoids traditional DOM-based scripts and instead relies on visual recognition, highlighting how automation techniques continue to evolve even in lower-impact threat categories.

Follow @technadu for balanced reporting on emerging mobile threats.

Source: https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/

#AndroidMalware #MobileThreatIntel #AdFraud #AIinCybersecurity #Infosec #TechNadu

Alright team, it's been a pretty packed start to the year in cyber! We've got some interesting developments on active exploitation, new malware campaigns, and a couple of big names facing regulatory heat. Let's dive in:

Recent Cyber Attacks ⚠️

- Unleash Protocol, a decentralised IP platform, lost approximately $3.9 million in crypto due to an unauthorised smart contract upgrade, initiated by an external address gaining administrative control via multisig governance.
- A Lithuanian national was extradited to South Korea for infecting 2.8 million systems globally with clipboard-stealing malware, disguised as the KMSAuto Windows/Office activator, siphoning around $1.2 million in virtual assets.
- Amazon successfully blocked over 1,800 suspected North Korean operatives from infiltrating its workforce since April 2024, who were posing as IT workers or recruiters to steal credentials and source code, as DPRK crypto theft surged to $2 billion in 2025.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Actively Exploited Vulnerabilities 🛡️

- The RondoDox botnet has been actively exploiting the critical React2Shell (CVE-2025-55182, CVSS 10.0) RCE flaw in React Server Components and Next.js since December 2025, targeting IoT devices and web servers to deploy crypto miners and Mirai botnet variants.
- A coordinated campaign, primarily from Japan-based infrastructure, systematically exploited over 10 Adobe ColdFusion CVEs from 2023-2024 during Christmas 2025, leading to direct code execution, credential harvesting, and JNDI lookups.
- Researchers identified a 4-second window where AWS IAM eventual consistency allows attackers to leverage deleted access keys to create new ones, achieving persistence even after defenders believe credentials are revoked.

📰 The Hacker News | https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html
📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

New Threat Research & Malware Campaigns 🚨

- The GlassWorm supply chain campaign has resurfaced, now targeting macOS users with malicious Open VSX extensions (50,000 downloads) to steal funds from over 50 browser extension wallets, iCloud Keychain data, and developer credentials.
- OceanLotus (APT) is targeting China's Xinchuang initiative, exploiting CVE-2023-52076 (RCE in Atril document viewer) and deploying custom ELF Trojans specifically designed to bypass traditional Linux system checks on indigenous innovation platforms.
- The IPCola proxy network, offering 1.6 million IPs, is powered by the GaGaNode decentralised bandwidth monetization service, whose SDK contains a critical RCE vulnerability, enabling broad compromise of IoT, desktop, and mobile devices.
- Large-scale mobile adware campaigns, GhostAd (Android) and SkyWalk (iOS), are draining device resources and defrauding advertisers by running persistent background ad engines and serving invisible ads, respectively.
- Magecart attacks are evolving into full identity compromise, hijacking checkout and account creation flows with fake payment forms, phishing iframes, and anti-forensics techniques to steal credentials and personal information.
- A new cybercrime tool, ErrTraffic, automates "ClickFix" attacks by generating fake browser glitches on compromised websites, tricking users into installing information stealers or Android banking trojans.
- Kaspersky discovered 'Keenadu', a pre-installed backdoor in libandroid_runtime.so on certain Android tablet models, providing remote access for data exfiltration and command execution.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Threat Landscape & AI Concerns 🧠

- Reddit banned the r/ChatGPTJailbreak subreddit (229,000 users) for violating rules, highlighting ongoing challenges with LLM safety filters, prompt injections, and the potential for generating non-consensual deepfakes; poetic prompts were found to increase attack success rates fivefold.
- Research details "hacktivist proxy operations" where ideologically aligned non-state cyber groups conduct disruptive activities (DDoS, defacement) that align with state geopolitical interests, providing plausible deniability for the benefiting state.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Regulatory & Corporate Accountability ⚖️

- Reuters reported that Meta developed a "playbook" to mislead regulators about the prevalence of scam ads on its platform, by systematically deleting fraudulent ads from its Ad Library during regulatory searches.
- Disney agreed to pay a $10 million civil penalty to settle FTC allegations of violating children's privacy laws (COPPA) by misdesignating YouTube content, leading to unlawful data collection and targeted advertising without parental consent.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #Botnet #Malware #APT #SupplyChain #Adware #AdFraud #CryptoScam #NationState #DPRK #AI #LLM #DataPrivacy #COPPA #RegulatoryCompliance #InfoSec #IncidentResponse

Pluralistic: Google steers Americans looking for health care into "junk insurance" (25 Nov 2025)

https://fed.brid.gy/r/https://pluralistic.net/2025/11/25/open-season/