weekly summary
09 July 2025

Weekly Summary Cyberattacks 03-09 July

TapTrap attack, an Animation-Driven Tapjacking on Android   

Researchers have disclosed a new type of attack against Android devices, dubbed TapTrap. TapTrap lets a malicious app abuse Android's activity transition animations to bypass the permission system: the user is tricked into granting access to sensitive data or triggering other destructive actions. Once installed, the malicious app launches a sensitive activity, such as a permission prompt, with a custom transition animation that keeps that activity almost fully transparent, so the user keeps seeing the malicious app's harmless-looking screen while the invisible activity sits on top of it. This creates a visual mismatch: users believe they are interacting with the visible app, but their taps are delivered to the hidden screen. The app can exploit this to lure the user into tapping specific areas of the screen that correspond to sensitive controls on the hidden screen, performing actions without the user's knowledge. Unlike traditional overlay-based tapjacking, the attack works from an app that holds no permissions at all. According to the researchers, the attack works on the latest Android version. As of July 2025, browsers have already shipped fixes for their side of the issue, but Android itself remains vulnerable.

NordDragonScan Attacks Windows Users to Steal Login Credentials   

Researchers discovered an active delivery infrastructure that hosts a weaponized HTA script and silently drops the "NordDragonScan" infostealer into victims' environments. The malware targets Microsoft Windows systems. The attack uses shortened URLs that lead to fake file-sharing sites serving malicious RAR archives disguised as Ukrainian documents. Each archive contains a crafted LNK shortcut that runs Microsoft's "mshta.exe" utility to execute the embedded HTA payload. Once executed, the payload copies PowerShell.exe to a public directory and renames it "install.exe" to hide its presence from security software. Once installed, the infostealer surveys the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The stolen data is exfiltrated over TLS to the command-and-control server "kpuszkiev.com". The same infrastructure acts as a heartbeat server that lets the operators check whether the victim is still online and request additional data.
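The delivery chain above gives a defender three host-level signals to alert on: mshta.exe executing an .hta from a user-writable path, an executable whose PE metadata says it is PowerShell but whose file name is not powershell.exe, and an .exe dropped under C:\Users\Public by a script host, plus the quoted C2 domain in DNS telemetry. The following is an added example, not the researchers' code or a detection rule from the report: it runs those checks over constructed Sysmon-style process-creation (Event ID 1), file-creation (Event ID 11) and DNS-query (Event ID 22) records. The sample telemetry, user names and paths are made up for the example; only the C2 host name comes from the summary.

```python
from pathlib import PureWindowsPath

# C2 / heartbeat host named in the summary.
C2_DOMAINS = {"kpuszkiev.com"}

# Path fragments that an unprivileged user can write to (lower-cased for matching).
USER_WRITABLE_MARKERS = (r"c:\users\public", r"\appdata\local\temp", r"\downloads")
PUBLIC_PREFIX = "c:\\users\\public\\"

# Constructed Sysmon-style telemetry for this example (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\Dokument.hta"',
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "MSHTA.EXE"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\Public\install.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\install.exe",
     "CommandLine": r"install.exe -nop -w hidden -f C:\Users\Public\stage.ps1",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 22, "Image": r"C:\Users\Public\install.exe", "QueryName": "kpuszkiev.com"},
    # Benign activity that must not fire: an ordinary PowerShell session and a vendor installer.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def rule_mshta_hta_from_user_path(ev: dict) -> bool:
    """mshta.exe running an .hta stored in a user-writable location (the LNK -> HTA stage)."""
    return (ev["EventID"] == 1 and _basename(ev["Image"]) == "mshta.exe"
            and ".hta" in ev["CommandLine"].lower() and _user_writable(ev["CommandLine"]))


def rule_renamed_powershell(ev: dict) -> bool:
    """Process whose PE OriginalFileName is PowerShell.EXE but whose on-disk name differs."""
    return (ev["EventID"] == 1 and ev.get("OriginalFileName", "").lower() == "powershell.exe"
            and _basename(ev["Image"]) not in ("powershell.exe", "powershell_ise.exe"))


def rule_exe_dropped_in_public(ev: dict) -> bool:
    """Executable written under C:\\Users\\Public by a script host."""
    return (ev["EventID"] == 11 and ev["TargetFilename"].lower().startswith(PUBLIC_PREFIX)
            and ev["TargetFilename"].lower().endswith(".exe")
            and _basename(ev["Image"]) in ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"))


def rule_c2_dns(ev: dict) -> bool:
    """DNS lookup of a known C2 / heartbeat host."""
    return ev["EventID"] == 22 and ev.get("QueryName", "").lower() in C2_DOMAINS


RULES = [rule_mshta_hta_from_user_path, rule_renamed_powershell,
         rule_exe_dropped_in_public, rule_c2_dns]


def scan(events: list) -> list:
    """Return (rule name, image) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev["Image"]))
    return hits


if __name__ == "__main__":
    for name, image in scan(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

The renamed-binary rule is the most durable of the four: it does not depend on the "install.exe" name or the Public directory, only on Sysmon's OriginalFileName field disagreeing with the image name, so it also catches the same trick with a different file name. The domain match is a plain IOC and will stop working as soon as the infrastructure moves.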

Spanish Law Enforcement Dismantled a Cyber-Enabled Investment Fraud Ring   

Spanish authorities dismantled a cyber-enabled fraud operation that caused more than €10 million in losses in Spain through fake cryptocurrency and financial investment platforms. The criminal network, active since 2022, was run by a group posing as financial experts. The group approached victims through fraudulent call centres staffed by fake financial advisors and through fake social-media advertisements that redirected to forged investment websites and crypto portals. The investments were supposedly placed in well-known companies, and at first victims were allowed some withdrawals to build trust. Once the investments grew larger, access to the funds was blocked. The network was taken down in coordinated raids across Barcelona, Madrid, Mallorca, and Alicante. Authorities arrested 21 suspects and seized €1.3 million in cash and cryptocurrency, along with seven luxury vehicles.

Over 40 malicious Firefox extensions found stealing cryptocurrency   

Cybersecurity researchers have uncovered more than 40 malicious Mozilla Firefox extensions built to steal crypto wallet keys and seed phrases. The add-ons impersonated trusted tools such as Coinbase, MetaMask, Trust Wallet, and Exodus, copying their names and logos. The campaign, active since at least April 2025, used fake five-star reviews to simulate popularity and gain user trust. The attackers reused the open-source code of the real extensions and inserted malicious functions into it, so the add-ons kept working as users expected. The extensions also collected victims' IP addresses and exfiltrated the stolen data to remote servers. Unlike traditional phishing, these threats operated inside the browser, which makes them harder to detect. Mozilla has removed nearly all of the identified extensions and has introduced a detection system to stop similar scams from spreading.

Surge in identity impersonation using PDF attachments in phishing campaigns   

A significant rise has been observed in phishing attacks that use PDF attachments to impersonate well-known brands such as Microsoft, Adobe, PayPal, and Geek Squad. The attachments typically carry fake logos, QR codes, or hidden links that lead to phishing sites. A growing tactic is callback phishing, also known as telephone-oriented attack delivery (TOAD), in which the PDF urges the victim to call an attacker-controlled phone number where the sensitive information is extracted over the phone. These VoIP numbers are frequently reused across campaigns and are hard to trace. Legitimate e-signature platforms have also been misused to distribute malicious PDFs. Attackers further conceal the malicious links in invisible annotations within the PDF structure to evade security scanners.
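The "invisible annotation" trick above is visible in the PDF object structure even when the rendered page shows nothing: a /Link annotation can carry the Hidden or NoView flag in its /F entry, or a /Rect with zero area, and still hold a /URI action. The following is an added example, not code from the report: a dependency-free triage script that pulls every link annotation out of a PDF's raw object syntax and flags the ones a user could never see. The PDF is constructed inline for the example, with made-up URLs on the reserved .invalid domain; only the detection idea comes from the summary.

```python
import re

# Annotation flag bits from the PDF specification (/F entry of an annotation dictionary).
FLAG_HIDDEN = 1 << 1   # bit position 2: the annotation is not displayed or printed
FLAG_NOVIEW = 1 << 5   # bit position 6: the annotation is not displayed on screen

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
FLAGS_RE = re.compile(rb"/F\s+(\d+)")
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")

# Constructed PDF for this example (not a real sample, no xref table; only the object
# syntax matters here). Annotation 4 is an ordinary visible link, annotation 5 is a
# full-page link with the Hidden flag set, annotation 6 has a zero-area rectangle.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /F 4
  /A << /S /URI /URI (https://www.example.com/invoice) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /F 2
  /A << /S /URI /URI (https://login-example.invalid/verify) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 10 10] /F 4
  /A << /S /URI /URI (https://support-callback.invalid/ticket) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_link_annotations(pdf: bytes) -> list:
    """Return one dict per annotation object that carries a /URI action."""
    annots = []
    for num, body in OBJ_RE.findall(pdf):
        if b"/Annot" not in body or b"/URI" not in body:
            continue
        uri = URI_RE.search(body)
        flags = FLAGS_RE.search(body)
        rect = RECT_RE.search(body)
        annots.append({
            "obj": int(num),
            "uri": uri.group(1).decode("latin-1") if uri else None,
            "flags": int(flags.group(1)) if flags else 0,
            "rect": tuple(float(v) for v in rect.groups()) if rect else None,
        })
    return annots


def suspicious_reasons(annot: dict) -> list:
    """Why a human reader could not have seen this link, if at all."""
    reasons = []
    if annot["flags"] & FLAG_HIDDEN:
        reasons.append("hidden flag set")
    if annot["flags"] & FLAG_NOVIEW:
        reasons.append("noview flag set")
    r = annot["rect"]
    if r is not None and (r[2] - r[0]) * (r[3] - r[1]) == 0:
        reasons.append("zero-area rect")
    return reasons


def triage(pdf: bytes) -> list:
    """(object number, URI, reasons) for every link annotation that is not user-visible."""
    hits = []
    for annot in extract_link_annotations(pdf):
        reasons = suspicious_reasons(annot)
        if reasons:
            hits.append((annot["obj"], annot["uri"], reasons))
    return hits


if __name__ == "__main__":
    for obj, uri, reasons in triage(SAMPLE_PDF):
        print(f"obj {obj}: {uri} ({', '.join(reasons)})")
```

Two caveats for real attachments. Most PDFs in the wild store annotation dictionaries inside Flate-compressed object streams, so a regex over the raw bytes sees nothing until the streams are inflated; run this logic on the output of a proper parser (pypdf or pdfminer) rather than on the file directly. And the QR-code and callback-number variants leave no /URI at all: those need the page rendered and decoded, or the text layer searched for phone numbers, which this script does not attempt.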