Tags: Threat intelligence
27 June 2025

Weekly Summary Cyberattacks June 19-25

Proactive techniques can shut down malicious cryptomining networks   

A team of researchers has developed two techniques to dismantle malicious cryptomining networks, in some cases driving their operations to zero without relying on any third party. By exploiting weaknesses in mining topologies and pool policies, they were able to disrupt the attackers' infrastructure: in one campaign that had been active for six years, they brought down a hashrate of 3.3 million hashes per second, cutting off an annual income of around $26,000. Both techniques rely on submitting invalid shares, known as "bad shares", so that the pool's own abuse policy bans a component the botnet depends on, such as the proxy the infected machines mine through or the wallet address they mine to. Because every bot depends on that component, the ban takes the whole botnet offline and frees the infected victims. One of the tools used, XMRogue, impersonates a miner and sends the crafted data that ultimately disables the operation. The fix is not always permanent, particularly against public pools, but the method has proven highly effective at interrupting and, in some cases, fully shutting down illicit cryptomining campaigns.
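The following is an added toy model of the mechanism just described, not XMRogue, the researchers' code or any real pool's policy. It shows what a share and a "bad share" are (a nonce whose hash does or does not meet the pool's difficulty target), how a pool's bad-share limit bans a key, and why banning the proxy's IP on a private pool or the wallet on a public pool cuts off every bot at once. SHA-256 over the job and nonce stands in for the real proof-of-work hash; the difficulty, ban limit, addresses and wallet are hypothetical.

```python
"""Toy model of a mining pool's share check and ban policy.

Added illustration of the "bad share" disruption; it is not XMRogue, not the
researchers' code and not any real pool's policy. Real pools verify RandomX or
SHA-256d work against a per-miner difficulty and ban thresholds are pool-specific.
SHA-256 over (job, nonce) stands in for the proof-of-work hash here.
"""
import hashlib
from collections import defaultdict

DIFFICULTY_TARGET = 2 ** 256 // 4096   # a share is valid when hash < target (~1 in 4096 nonces)
BAD_SHARE_LIMIT = 5                    # hypothetical policy: ban after 5 invalid shares
PROXY_IP = "203.0.113.10"              # constructed address of the botnet's mining proxy
ATTACKER_WALLET = "4ATTACKER_WALLET"   # constructed stand-in for the operator's wallet


def share_hash(job_id: str, nonce: int) -> int:
    return int.from_bytes(hashlib.sha256(f"{job_id}:{nonce}".encode()).digest(), "big")


def find_nonce(job_id: str, valid: bool, start: int = 0) -> int:
    """Return the first nonce >= start whose share is valid (or, for a bad share, invalid)."""
    nonce = start
    while (share_hash(job_id, nonce) < DIFFICULTY_TARGET) != valid:
        nonce += 1
    return nonce


class Pool:
    """Counts invalid shares per ban key (source IP or wallet) and bans the key at the limit."""

    def __init__(self, ban_by: str):
        assert ban_by in ("ip", "wallet")
        self.ban_by = ban_by
        self.bad = defaultdict(int)
        self.banned = set()

    def submit(self, src_ip: str, wallet: str, job_id: str, nonce: int) -> str:
        key = src_ip if self.ban_by == "ip" else wallet
        if key in self.banned:
            return "banned"
        if share_hash(job_id, nonce) < DIFFICULTY_TARGET:
            return "accepted"
        self.bad[key] += 1
        if self.bad[key] >= BAD_SHARE_LIMIT:
            self.banned.add(key)
        return "invalid"


def run_scenario(mode: str) -> dict:
    """Three infected hosts mine to ATTACKER_WALLET; then a rogue client floods bad shares.

    mode="proxy":  bots reach a private pool through one proxy, so the pool keys bans on
                   the source IP; the rogue's bad shares arrive from the proxy's IP and get
                   the proxy banned, cutting off every bot behind it.
    mode="public": bots connect directly to a public pool that keys bans on the wallet;
                   the rogue submits bad shares under the attacker's wallet from its own IP.
    """
    pool = Pool(ban_by="ip" if mode == "proxy" else "wallet")
    job = "job-1"
    bots = ["10.0.0.%d" % i for i in range(1, 4)]
    seen_ip = (lambda bot: PROXY_IP) if mode == "proxy" else (lambda bot: bot)
    rogue_ip = PROXY_IP if mode == "proxy" else "198.51.100.7"

    nonce, before, after = 0, [], []
    for bot in bots:                                   # honest work from the bots
        nonce = find_nonce(job, True, nonce + 1)
        before.append(pool.submit(seen_ip(bot), ATTACKER_WALLET, job, nonce))
    bad = 0
    for _ in range(BAD_SHARE_LIMIT):                   # the rogue impersonates a miner
        bad = find_nonce(job, False, bad + 1)
        pool.submit(rogue_ip, ATTACKER_WALLET, job, bad)
    for bot in bots:                                   # the bots' valid work is now refused
        nonce = find_nonce(job, True, nonce + 1)
        after.append(pool.submit(seen_ip(bot), ATTACKER_WALLET, job, nonce))
    return {"before": before, "after": after, "banned": sorted(pool.banned)}


if __name__ == "__main__":
    for mode in ("proxy", "public"):
        print(mode, run_scenario(mode))
```

In both scenarios the bots' shares are accepted before the flood and refused after it, even though the bots themselves never submitted anything invalid; that is the whole point of targeting the shared component rather than the individual victims. The model also shows the caveat: a ban keyed on the wallet lasts only as long as the pool keeps the key in its ban list.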

New spyware detected in App Store and Google Play linked to cryptocurrency theft   

A new cyberespionage campaign has been discovered in apps available on both Google Play and the App Store. The malware, SparkKitty, appears to be an evolution of the SparkCat spyware already known for targeting cryptocurrency wallets. It runs on Android and iOS and steals images from the user's photo gallery, using optical character recognition (OCR) to single out images that contain text, in particular the seed phrases that back up cryptocurrency wallets. The campaign has been active since at least February 2024 and has spread through the official stores, modified apps and fraudulent websites posing as online shops. On iOS it has been distributed via enterprise provisioning profiles, using malicious libraries disguised as legitimate ones such as AFNetworking or Alamofire. On Android the malware was found in apps with more than 10,000 downloads. Most victims are concentrated in Southeast Asia and China, but researchers warn that nothing technical stops the threat from spreading to other regions.

Massive leak of credentials already stolen in the past 

A file containing nearly 16 billion credentials was recently exposed online, generating headlines that wrongly describe it as a new breach. Experts clarify that it is not the result of a new attack but a compilation of data stolen earlier through infostealer malware, credential stuffing attacks and old leaks. The finding was made by Cybernews, which notes that the database appears to be composed of infostealer logs, the files this type of malware produces when it extracts passwords saved in browsers and applications on infected computers. Despite the volume, no previously unpublished information has been detected. Even so, recycled data of this kind still works against any account whose password has not changed since it was stolen, so users are advised to use unique, strong passwords and to enable two-factor authentication on their accounts.
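For a defender, the practical question about a compilation like this is whether any of the organization's own accounts appear in it, and that check should not involve re-sending the passwords anywhere. The block below is an added example, not from the page or from Cybernews: it parses infostealer-style "url:login:password" lines (a constructed sample), keeps the records for one domain and prepares a k-anonymity lookup in the shape used by the Have I Been Pwned Pwned Passwords range API (a GET of the first five hex characters of the SHA-1, answered with "SUFFIX:COUNT" lines). The API responses here are a constructed offline table; the domain, sample credentials and parsing assumptions are hypothetical.

```python
"""Triage of a leaked credential compilation without exposing the passwords.

Added example, not from the page or Cybernews. Only the 5-character SHA-1 prefix
would ever leave the host in a real lookup; RANGE_RESPONSES below is a constructed
stand-in for the HTTP responses of the Pwned Passwords range API.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed infostealer-style dump lines ("url:login:password"), not real data.
SAMPLE_DUMP = """\
https://mail.example.com/owa/:alice@example.com:password
https://portal.example.com/login:bob@example.com:Corr3ct-Horse!
https://shop.other.net/account:carol@other.net:hunter2
android://com.bank.app/:dave@example.com:Winter2024
this line is garbage
"""

# Constructed range responses keyed by prefix; a real lookup would HTTP GET the API.
RANGE_RESPONSES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000\r\n",
}


@dataclass
class Cred:
    url: str
    login: str
    password: str


def parse_ulp_line(line: str) -> Optional[Cred]:
    """Assumes no ':' in the URL after the scheme and none in the login (a URL with a
    port would need a smarter split); the password itself may contain ':'."""
    line = line.strip()
    scheme, sep, rest = line.partition("://")
    if not sep:
        scheme, rest = "", line
    parts = rest.split(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    url = f"{scheme}://{parts[0]}" if scheme else parts[0]
    return Cred(url, parts[1], parts[2])


def records_for_domain(lines: Iterable[str], domain: str) -> list:
    """Keep only records whose login belongs to the given mail domain."""
    out = []
    for line in lines:
        cred = parse_ulp_line(line)
        if cred and cred.login.lower().endswith("@" + domain.lower()):
            out.append(cred)
    return out


def k_anon_parts(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the API
    and the 35-char suffix that is matched locally against the response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response; 0 means the password was not seen."""
    for entry in body.splitlines():
        tail, _, count = entry.partition(":")
        if tail == suffix:
            return int(count)
    return 0


def triage(lines: Iterable[str], domain: str, lookup: Callable[[str], str]) -> list:
    """One dict per matching record; pwned_count > 0 means the exact password is in the
    breach corpus and the account should be force-reset regardless of its age."""
    results = []
    for cred in records_for_domain(lines, domain):
        prefix, suffix = k_anon_parts(cred.password)
        results.append({"login": cred.login, "url": cred.url, "prefix": prefix,
                        "pwned_count": count_in_range(suffix, lookup(prefix))})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP.splitlines(), "example.com",
                      lambda prefix: RANGE_RESPONSES.get(prefix, "")):
        print(row)
```

Note that a record whose password does not appear in the corpus is still a leaked credential for that account: the absence of a hit only tells you the password is not a known bad one, not that the account is safe.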

GodFather malware virtualizes real apps to steal banking and cryptographic data  

A variant of the GodFather malware has been detected that uses an advanced app virtualization technique on Android devices. Unlike traditional overlay attacks, which draw a fake login screen on top of the real app, this approach installs a malicious "host" application that runs genuine copies of banking or cryptocurrency apps inside a virtual environment it controls. This lets the attackers intercept credentials, PINs and other sensitive data in real time without arousing suspicion: the user interacts with the real application, but every action passes through the malware's container. The host uses hooking frameworks such as Xposed to modify key functions and evade detection. In addition, GodFather obtains permissions through trickery, manipulates APK files to hinder static analysis and hides from security services. The campaign already targets some 500 apps worldwide, with a current focus on Turkish banks, but its targets include large financial institutions, payment services, social networks and cryptocurrency platforms. This development is a serious threat to trust in mobile apps, since it turns even legitimate apps into instruments of digital espionage.

Active cyberespionage campaign in Spain, France, Portugal, Italy, Belgium and the Netherlands   

A cyberespionage campaign active in Europe has revealed the use of the Sorillus remote access Trojan (RAT), also known as SambaSpy. The attack, attributed to Portuguese-speaking actors, is distributed through phishing emails with fake invoices whose links redirect to malicious servers via services such as OneDrive, Ngrok and MediaFire. The malware, sold as a service since 2019, can spy on webcams, record audio, steal data and take control of Windows, macOS and Linux systems. Although its commercial website closed in January 2025, cracked versions continue to circulate on forums and social networks. The campaign affects organizations in Spain, France, Portugal, Italy, Belgium and the Netherlands, using messages in several languages and sophisticated evasion techniques. Researchers recommend blocking the associated domains and monitoring or blocking cloud storage and network tunneling services wherever they are not used for authorized organizational purposes.
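The closing recommendation is easy to state and harder to turn into a rule that does not drown the SOC in alerts about legitimate OneDrive use. The block below is an added example, not from the page or the researchers: detection logic that runs over a constructed proxy log, flags unauthorized hits on cloud storage, file-hosting and tunneling services, honours an allowlist of users authorized to use a category, and escalates the specific chain seen in this campaign (a download from a file host or cloud storage followed shortly by a connection to a tunneling service from the same client). The watched domain suffixes, allowlist, severities and ten-minute window are hypothetical policy choices, not indicators from the campaign.

```python
"""Flagging unauthorized use of cloud storage and tunneling services in proxy logs.

Added example, not from the page or the researchers. Domain suffixes, the allowlist,
severities and the chain window are hypothetical policy settings; the log lines are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# suffix -> (category, base severity); hypothetical policy table
WATCHED = {
    "ngrok.io": ("tunnel", "high"),
    "ngrok.app": ("tunnel", "high"),
    "ngrok-free.app": ("tunnel", "high"),
    "mediafire.com": ("file-host", "medium"),
    "1drv.ms": ("cloud-storage", "low"),
    "onedrive.live.com": ("cloud-storage", "low"),
}
# users authorized to use a category for business purposes (hypothetical)
AUTHORIZED = {"cloud-storage": {"marketing-share"}}
CHAIN_WINDOW = timedelta(minutes=10)

# constructed log format: "<ISO time> <client IP> <user> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2025-06-20T09:12:31Z 10.1.2.3 alice GET https://1drv.ms/u/s!AbCd123 302
2025-06-20T09:12:33Z 10.1.2.3 alice GET https://download1234.mediafire.com/x1y2/invoice_0623.zip 200
2025-06-20T09:13:05Z 10.1.2.3 alice POST https://a1b2c3d4.ngrok-free.app/gate 200
2025-06-20T09:15:00Z 10.1.2.9 bob GET https://www.example.com/ 200
2025-06-20T10:30:00Z 10.1.2.7 marketing-share GET https://onedrive.live.com/?id=abc 200
2025-06-20T11:00:00Z 10.1.2.11 carol GET https://onedrive.live.com/redir?x=1 302
"""


def classify(host: str):
    """Return (category, severity) when host is a watched service or a subdomain of one."""
    for suffix, verdict in WATCHED.items():
        if host == suffix or host.endswith("." + suffix):
            return verdict
    return None


def detect(lines):
    """One alert per unauthorized hit. A tunnel connection within CHAIN_WINDOW of a
    file-host or cloud-storage fetch from the same client is escalated to critical."""
    alerts, history = [], defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                   # skip lines that do not parse
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host = (urlsplit(m["url"]).hostname or "").lower()
        verdict = classify(host)
        if verdict is None:
            continue
        category, severity = verdict
        if m["user"] in AUTHORIZED.get(category, set()):
            continue                                   # sanctioned business use
        recent = {c for t, c in history[m["src"]] if ts - t <= CHAIN_WINDOW}
        history[m["src"]].append((ts, category))
        reason = f"{category} service {host}"
        if category == "tunnel" and recent & {"file-host", "cloud-storage"}:
            severity = "critical"
            reason = f"download via {sorted(recent)} then tunnel {host}"
        alerts.append({"time": m["ts"], "src": m["src"], "user": m["user"],
                       "host": host, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The per-client history is what makes this useful: a lone OneDrive redirect is noise, a lone ngrok connection is worth a look, and the two within minutes of each other from the same workstation is the delivery chain the campaign uses.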