Weekly Summary of Cyberattacks, March 27 - April 02
New Salvador Stealer malware steals Android banking credentials
A new Android malware, dubbed Salvador Stealer, has been identified by cybersecurity researchers. This threat masquerades as a legitimate banking app to steal personal and financial data, including phone numbers, banking credentials and OTP codes. The malware uses a two-stage strategy: first, an APK acting as a dropper installs the payload, and then internal phishing tricks users into entering their data. Salvador Stealer intercepts SMS messages to capture verification codes, allowing attackers to bypass two-step authentication systems. The stolen data is sent to phishing servers and a Telegram channel controlled by the cybercriminals. In addition, the malware employs persistence mechanisms to continue operating even after device reboots. During the analysis, experts discovered the attack infrastructure and an exposed administration panel, revealing a possible link to India.
HijackLoader strengthens its evasion tactics
HijackLoader, a malware loader first discovered in 2023, continues to evolve with new techniques to evade detection. The malware, designed to load and execute other malicious programs, has added modules that enhance its ability to hide on infected systems. Recent updates include the use of “call stack spoofing”, a technique that masks the origin of calls to system functions, making it difficult for security products to identify them. It also now includes a module that detects whether it is running in a virtual environment, such as those used by researchers to analyze malware. Another improvement allows it to establish persistence on systems by means of scheduled tasks, so that it keeps running even after reboots. HijackLoader also employs advanced methods, such as the “Heaven's Gate” technique, to execute 64-bit code from 32-bit processes, and modifies system libraries to hinder analysis. Its constant evolution suggests that it will continue to develop mechanisms to evade detection, making it a persistent threat in the cybersecurity arena.
Crocodilus banking Trojan targets Spain and Turkey
Cybersecurity researchers have discovered a new banking Trojan called Crocodilus, designed to take full control of Android devices. This malware employs advanced techniques such as overlay attacks, accessibility logging and hidden remote control to steal credentials and financial data. Crocodilus installs itself on devices via a dropper that bypasses Android 13+ restrictions, then requests access to accessibility services in order to operate undetected. Once activated, it can log keystrokes, capture two-step authentication information and execute fraudulent transactions without the victim noticing, thanks to a black screen overlay that hides its activity. The first campaigns observed targeted banks and cryptocurrency wallets in Spain and Turkey, although global expansion is expected. In addition, a link to previous threat actors, possibly Turkish-speaking, has been detected.
PJobRAT resurfaces, attacks messaging apps again
Cybersecurity researchers have discovered a new campaign of the PJobRAT Trojan, an Android malware first detected in 2019. This time, the attack has targeted users in Taiwan, using fake messaging apps to infect devices. Among the malicious apps were “SangaalLite” and “CChat”, which were distributed through now-dormant WordPress sites. The malware is capable of stealing SMS messages, contacts, device information and multimedia files. This new version also adds the ability to execute shell commands, giving the attackers greater control over infected devices. Unlike previous campaigns, it does not include a specific function to steal WhatsApp messages, but it can obtain data from any application. PJobRAT communicates with the attackers' servers via Firebase Cloud Messaging and HTTP, allowing it to hide its activity within normal Android traffic. Although the campaign appears to be over, researchers warn that cybercriminals often change their strategy and reappear with new tactics. Users are advised to avoid downloading applications from unknown links to prevent such threats.
New malware called CoffeeLoader detected
Researchers have identified a new malware called CoffeeLoader, first detected in September 2024, which is designed to download and execute second-stage payloads while evading detection by security systems. CoffeeLoader is distributed through SmokeLoader, and the two share similarities in behavior. Its features include the use of a domain generation algorithm (DGA) and “certificate pinning” to protect its own traffic from man-in-the-middle interception. The malware employs several strategies to prevent detection by antivirus and Endpoint Detection and Response (EDR) systems, such as call stack manipulation and the use of cryptographic functions in memory. In addition, it communicates with its control servers over HTTPS, encrypting requests and responses with RC4 keys. Although a relationship with SmokeLoader has been observed, it has not yet been clarified whether CoffeeLoader is a new version of SmokeLoader or a different malware.