Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12756
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-03 09:37:58 | thehackernews | MALWARE | Global Spread and Evolution of Android Trojan Crocodilus | A new Android banking trojan named Crocodilus is actively targeting users in Europe, South America, and other regions, masquerading as legitimate applications. ThreatFabric reports that Crocodilus uses advanced obfuscation techniques to evade detection and has capabilities to launch overlay attacks to steal banking and cryptocurrency credentials. The malware abuses Android accessibility services to capture cryptocurrency wallet seed phrases, enabling theft of virtual assets. Recent developments show the malware extending its operational scope to countries like Poland, Argentina, Brazil, India, Indonesia, and the United States. Distribution methods include deceptive ads on social platforms mimicking banks and e-commerce sites, and fake prompts for web browser updates or online casino applications. New features in the malware include the ability to add contacts in victims' phones, possibly to bypass new security measures introduced by Google. Crocodilus also features an automated seed phrase collector that targets specific cryptocurrency wallets, further enhancing its threat to financial security. These updates indicate not only enhanced technical sophistication but also a strategic expansion of the malware's reach globally. | Details |
| 2025-06-03 09:01:36 | bleepingcomputer | MALWARE | Crocodilus Malware Tricks with Fake Contacts on Android Devices | The latest update of the Crocodilus malware introduces a feature that adds fake contacts to deceive Android users during calls. Initially documented in late March 2025, Crocodilus has since enhanced its data theft and remote control features and broadened its geographic target scope. New evasion tactics include code packing and layered XOR encryption to complicate detection and reverse engineering efforts. The malware can now create local contacts on infected devices, so that incoming calls appear to come from banks or other trusted entities. This version also improves data parsing before exfiltration, raising the quality of the stolen data. ThreatFabric's research highlights the rapid evolution of the malware, emphasizing its increased use of social engineering techniques. Android users are advised to download apps only from Google Play or trusted sources and to keep Google Play Protect active. | Details |
| 2025-06-03 07:55:46 | thehackernews | MISCELLANEOUS | Google Chrome to Restrict Trust in Two Certificate Authorities | Google Chrome announces plans to remove trust for digital certificates issued by Chunghwa Telecom and Netlock after July 31, 2025, due to compliance and conduct issues. Affected certificates will mainly relate to TLS (Transport Layer Security) server authentication from these providers. This decision follows observations of compliance failures, unmet improvement commitments, and insufficient progress addressing publicly disclosed incidents over several years. Users visiting websites with certificates from these authorities after the cutoff will receive a full-screen security warning in Chrome. Google advises website operators using these CAs to transition to new publicly-trusted CAs to avoid disruptions. Enterprises can still manually trust these CAs by installing their root certificates locally on devices running Chrome. A similar action was previously taken against Entrust, whose certificate business was later sold to Sectigo. Apple has also distrusted NetLock Arany certificates since November 2024. In March, the CA/Browser Forum adopted new security measures for domain control validation and to flag insecure X.509 certificate practices. | Details |
| 2025-06-03 07:21:47 | thehackernews | NATION STATE ACTIVITY | Microsoft and CrowdStrike Unite to Streamline Cyber Threat Identifications | Microsoft and CrowdStrike have collaborated to standardize their threat actor taxonomies through a joint mapping initiative. This initiative aims to clarify and align the diverse names assigned to hackers by various cybersecurity vendors, improving response time and analysis accuracy. The mapping encompasses several categories of hackers including nation-state actors, financially motivated groups, and private sector offensive actors. Previously, a single threat actor might be known under multiple aliases across different security organizations, complicating attribution and response. The partnership has already led to the deconfliction of over 80 adversaries, enhancing the ability to correlate data and track adversary campaigns across platforms. Although the current effort is a collaboration between Microsoft, CrowdStrike, Google's Mandiant, and Palo Alto Networks' Unit 42, other companies are expected to join. The initiative is not meant to create a universal naming standard but to assist in the correlation of threat actor aliases and improve the overall attribution process. | Details |
| 2025-06-03 04:27:26 | thehackernews | MALWARE | Google Patches Chrome Zero-Day Exploited by Attackers | Google released emergency security updates for Chrome to fix a critical zero-day vulnerability (CVE-2025-5419) exploited in the wild. The vulnerability involved an out-of-bounds read and write in the Chrome V8 engine, affecting all platforms. The exploit allowed attackers to cause heap corruption through a crafted HTML page, posing significant security risks. Detected and reported by Google's Threat Analysis Group, the flaw was patched within a day of its reporting. This marks the second zero-day vulnerability in Chrome that Google has addressed this year, following CVE-2025-2783. Chrome users are urged to update their browsers to the latest versions to protect against potential exploits. Users of other Chromium-based browsers such as Edge and Opera are also advised to update as patches become available. | Details |
| 2025-06-02 22:36:12 | bleepingcomputer | DATA BREACH | Cartier Alerts Customers After Data Breach Exposes Personal Info | Cartier experienced a data breach that led to the exposure of customer personal information, including names, email addresses, and countries of residence. The luxury fashion brand emphasized that no sensitive data like passwords or credit card information was compromised. The incident was contained swiftly, and Cartier has enhanced its system protections to secure data more effectively. Customers have been urged to remain cautious of unsolicited communications that may utilize the stolen data for targeted attacks. Cartier has notified law enforcement and is collaborating with an external cybersecurity firm to investigate and remediate the breach. This data breach comes amid a series of similar incidents affecting other major fashion brands, indicating a concerning trend of attacks targeting luxury brands. Despite the breach, Cartier reassures clients that immediate corrective actions have been implemented to prevent future incidents. | Details |
| 2025-06-02 20:08:28 | theregister | NATION STATE ACTIVITY | Ukraine Conducts Covert Drone Strikes on Russian Military Airfields | Ukraine successfully executed "Operation Spiderweb," targeting Russian airbases using 117 drones, damaging over 40 aircraft and costing Russia an estimated $7 billion. Ukrainian President Volodymyr Zelenskyy revealed that the 18-month-long operation was coordinated across three time zones, inflicting significant damage on Russia's bomber fleet. The drones were strategically hidden in prefabricated cabins within trucks, which were unknowingly driven by Russian drivers to locations near military targets. Russian defense sources confirmed attacks on five airbases and reported extinguishing fires on several aircraft without civilian or military casualties. The Security Service of Ukraine (SSU), led by Lieutenant General Vasyl Maliuk, emphasized that these strikes were in retaliation for persistent bombings by Russian forces and were aimed at military airfields and strategic bombers. Ukrainian and Russian narratives differ on the impact and extent of the operation, highlighting the ongoing information and physical warfare between the countries. Despite Russia's claims of repelling some attacks, Ukraine plans to continue such strikes as long as its territory remains under threat from Russian missile and drone attacks. | Details |
| 2025-06-02 18:39:29 | bleepingcomputer | CYBERCRIME | The North Face Suffers Repeated Credential Stuffing Attacks | The North Face has notified customers of a credential stuffing attack in April that compromised personal data but not payment information. Owned by VF Corporation, The North Face is a major outdoor brand with annual revenues exceeding $3 billion, 42% of which is derived from e-commerce. Credential stuffing involves automated login attempts using previously breached username-password pairs, posing risks primarily to accounts that lack multi-factor authentication (MFA). This recent incident marks the fourth similar cyberattack on The North Face's website since 2020, highlighting ongoing vulnerabilities. Data breach notifications have been issued following the discovery of the attack on April 23, 2025. An unrelated ransomware incident in December 2023 had impacted 35 million customers, representing a severe security breach for the company. The continued lack of mandatory MFA has been criticized, given the company's history of related security breaches. | Details |
| 2025-06-02 18:24:52 | bleepingcomputer | MISCELLANEOUS | Software Flaw Leads to Major Outage at SentinelOne | American cybersecurity firm SentinelOne experienced a seven-hour outage affecting multiple customer-facing services due to a software flaw. The outage was caused by an outdated infrastructure control system which incorrectly deleted critical network configurations. This incident occurred during a transition to a new cloud architecture built on Infrastructure-as-Code principles. Key customer services such as Unified Asset Management/Inventory and Identity services were disrupted, preventing access to vulnerability assessments and identity consoles. Programmatic access and Managed Detection and Response alerts were also affected, although direct customer endpoint protection remained unaffected. SentinelOne confirmed that the outage was not the result of a cyberattack but an internal software issue. The company has assured that threat data reporting was delayed but not lost, maintaining the overall integrity of security data. | Details |
| 2025-06-02 17:40:07 | bleepingcomputer | MISCELLANEOUS | Google Chrome to Remove Trust in Chunghwa, Netlock Certificates | Google Chrome plans to distrust certificates from Chunghwa Telecom and Netlock starting August 1, 2025, due to ongoing compliance failures. Chrome will display privacy warnings on websites using these certificates, urging web admins to transition to trusted CAs. Despite past opportunities for improvement, both Chunghwa Telecom and Netlock have failed to meet Google's security compliance and improvement standards. Chunghwa Telecom and Netlock, previously trusted entities in the Chrome Root Store, are major providers of digital certification in Taiwan and Hungary, respectively. The decision reflects Google's strengthened enforcement of security requirements following similar actions against other certificate authorities like Entrust. Google's updated policy could lead to more CA distrust actions as the company tightens security and compliance assessments. This action is specific to Google Chrome and does not affect other browsers like Microsoft Edge, Mozilla Firefox, or Apple Safari. | Details |
| 2025-06-02 17:04:04 | bleepingcomputer | MISCELLANEOUS | Microsoft and CrowdStrike Partner to Standardize Threat Group Names | Microsoft and CrowdStrike have formed a partnership to synchronize the aliases used for identifying specific hacking groups through their security platforms. The initiative involves creating a reference guide that maps out common names for hacking groups as used by both companies, which will allow for streamlined sharing and understanding of threat data. This collaboration does not aim to create a universal naming standard, but rather facilitates better communication and rapid response by allowing security teams to translate terminology across different systems. The partnership has already addressed the naming conventions for over 80 significant and active threat actors through direct, analyst-led efforts. Additional cybersecurity firms, including Google/Mandiant and Palo Alto Networks' Unit 42, are contributing to this initiative, with the potential for more companies to join. The ultimate goal of this initiative is to offer clearer attribution and enhance the ability for network defenders to track and counteract malicious activities efficiently, reducing confusion in overlapping threat actor tracking. According to leaders from both Microsoft and CrowdStrike, the success of this mapping project depends on it becoming a broad, community-led effort. | Details |
| 2025-06-02 16:07:07 | thehackernews | CYBERCRIME | New Cryptojacking Campaign Targets DevOps Servers Worldwide | Cybersecurity researchers have identified a new cryptojacking campaign, JINX-0132, exploiting vulnerabilities in DevOps web servers such as Docker, Gitea, and HashiCorp's tools. Attackers utilize misconfigurations and known vulnerabilities to install cryptocurrency mining malware on compromised systems. This campaign involves downloading mining tools directly from GitHub, hiding the attackers' tracks and complicating efforts to attribute the attacks. The misused resources from compromised Nomad instances could represent tens of thousands of dollars in computing costs per month. Vulnerabilities in Gitea allow remote code execution if attackers gain access under certain conditions, such as having permissions to create git hooks or if specific security features are disabled. HashiCorp Consul and Nomad servers are exploited by attackers who can register services and execute arbitrary code through unchecked health checks and job creation APIs. Global exposure of vulnerable systems includes over 5,300 Consul servers and more than 400 Nomad servers, primarily concentrated in high-tech regions and countries. | Details |
| 2025-06-02 15:19:07 | thehackernews | MALWARE | Security Flaws in Smartphones Could Allow Unauthorized Resets and PIN Theft | Security researchers disclosed vulnerabilities in preinstalled apps on Ulefone and Krüger&Matz smartphones. The flaws could enable any installed app to factory reset the device or manipulate encryption. One specific vulnerability, CVE-2024-13917, allows exploitation if the attacker knows the device's PIN. Another related issue, CVE-2024-13916, can be used to leak the PIN code, increasing the risk. The vulnerabilities were identified by Szymon Chadam and reported by CERT Polska. The current patch status of these security issues is not confirmed. Responses from Ulefone and Krüger&Matz regarding the issue are pending. | Details |
| 2025-06-02 14:31:14 | bleepingcomputer | CYBERCRIME | Russian Market: Rising Hub for Stolen Credentials Post-Genesis Fall | "Russian Market" has become a leading cybercrime marketplace for trading stolen credentials, gaining traction after the shutdown of Genesis Market. Despite 85% of the sold credentials being recycled, the marketplace offers items starting at $2, appealing to a broad cybercrime audience. The logs sold contain extensive personal data including passwords, credit card details, and session cookies from infected devices. Analysts note a significant proportion of the stolen data pertains to corporate systems, with 61% involving SaaS platform credentials and 77% including SSO credentials. The prevalent use of infostealers like Lumma and the emerging Acreed highlights a focus on enterprise targets, posing severe risks to corporate cybersecurity. Following law enforcement action against Lumma, Acreed has quickly risen in popularity, uploading over 4,000 logs in its first operational week on the Russian Market. Experts recommend that organizations reinforce vigilance and improve software security practices to mitigate the risks posed by infostealers spreading via phishing and malvertising. | Details |
| 2025-06-02 14:22:37 | thehackernews | NATION STATE ACTIVITY | Qualcomm Patches Zero-Days Exploited in Targeted Android Attacks | Qualcomm has released updates to fix three zero-day vulnerabilities in its Adreno GPU, exploited in targeted attacks. The vulnerabilities were responsibly reported by the Google Android Security team, and Google's Threat Analysis Group provided indications of their exploitation. The specific vulnerabilities, labeled CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were exploited in limited, selective scenarios. Patches for the affected GPU drivers were distributed to Original Equipment Manufacturers (OEMs) with an urgent recommendation to update devices immediately. Previous similar vulnerabilities in Qualcomm chipsets have been used by commercial spyware providers like Variston and Cy4Gate. In a related incident, a security flaw identified as CVE-2024-43047 was used by Serbian authorities to access and spy on Android devices owned by activists and journalists. The exact methods of exploitation and the attackers behind these current vulnerabilities remain undisclosed. | Details |