CYFIRMA Research – Details, episodes & analysis
Podcast details
Technical and general information from the podcast's RSS feed.


Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
RSS feed quality and score
Technical evaluation of the podcast's RSS feed quality and structure.
Overall score: 38%
CYFIRMA Research: Android/BankBot-YNRK Mobile Banking Trojan
Tuesday, 4 November 2025 • Duration 03:50
New Malware Analysis Report
Our latest research uncovers Android/BankBot-YNRK, a mobile banking trojan disguised as a legitimate app such as Google News.
Key findings:
• Abuses Accessibility Services for remote control
• Uses C2 servers at ping.ynrkone[.]top for device commands
• Targets financial and cryptocurrency applications
• Employs code obfuscation via nmm-protect
• Capable of exfiltrating sensitive data and performing unauthorized transactions
Link to the Research Report: https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/
#MalwareAnalysis #Android #BankBot #CyberSecurity #CYFIRMAResearch #ThreatResearch #ExternalThreatLandscapeManagement #ETLM
https://www.cyfirma.com/
CYFIRMA Research- GhostGrab Android Malware
Monday, 3 November 2025 • Duration 05:17
Mobile Threat Alert: GhostGrab Malware!
Cybercriminals are getting more sophisticated, and GhostGrab is a clear example. This Android malware doesn’t just steal banking credentials—it can also:
- Run hidden cryptocurrency mining that drains your battery and CPU
- Harvest debit card and online banking login information
- Intercept SMS messages, including one-time passwords (OTPs)
- Collect detailed device and SIM data
- Hide itself and resist removal
- Use phishing pages within apps to trick victims into revealing sensitive information
- Leverage Firebase as a Command & Control (C2) server, making traditional detection more difficult
How to Protect Yourself:
✅ Only download apps from official sources, such as the Google Play Store or, for iOS devices, the Apple App Store
✅ Avoid unknown APKs and suspicious links
✅ Monitor your bank accounts and SMS activity regularly
✅ Keep your device and apps updated
Mobile malware is evolving—stay informed, stay protected.
Link to the Research Report: https://www.cyfirma.com/research/ghostgrab-android-malware/
#CYFIRMA #CyfirmaResearch #CyberSecurity #MobileSecurity #AndroidMalware #GhostGrab #CyberThreats #ThreatAlert #ETLM #ExternalThreatLandscapeManagement
https://www.cyfirma.com/
CYFIRMA Research- Tracking Ransomware – August 2025
Friday, 12 September 2025 • Duration 04:42
Stay ahead with CYFIRMA’s Monthly Ransomware Report – Aug 2025.
CYFIRMA’s August 2025 Ransomware Report recorded 522 global victims, a slight dip but still far above 2023–24 levels. Qilin led with 84 attacks, while Akira surged by 35% targeting SonicWall VPNs and abusing Intel drivers for BYOVD evasion. Charon adopted APT-grade stealth, and 4L4MD4R blended Chinese ToolShell exploits with ransomware deployment. AI abuse accelerated with Claude enabling RaaS and PromptLock showcasing LLM-powered ransomware. Emerging groups Yurei, Desolator, and Anubis expanded globally, with the U.S., Canada, and UK most affected, and professional services, consumer services, and manufacturing hit hardest.
Link to the Research Report: https://www.cyfirma.com/research/tracking-ransomware-august-2025/
#CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #Akira #Charon #4L4MD4R #AIThreats
https://www.cyfirma.com/
CYFIRMA Research- CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager: Vulnerability Analysis and Exploitation
Thursday, 24 October 2024 • Duration 03:54
Ivanti Virtual Traffic Manager (vTM) users – A critical authentication bypass flaw (CVSS 9.8) is now being actively exploited! This vulnerability allows unauthenticated attackers to gain admin control over your systems. Patch now to prevent unauthorized access, data theft, or malware deployment. Public exploit code is already circulating. Stay secure!
Link to the Research Report: CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager : Vulnerability Analysis and Exploitation - CYFIRMA
#Cybersecurity #Ivanti #CVE20247593 #PatchNow #InfoSec #CyberThreats #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM
https://www.cyfirma.com/
CYFIRMA Research- Data Breach Investigation on Cisco
Tuesday, 22 October 2024 • Duration 06:57
CYFIRMA's investigation uncovered a major data breach at Cisco, led by the notorious threat actor IntelBroker. On October 14, 2024, IntelBroker posted on BreachForum, revealing that critical data such as source code, hard-coded credentials, SSL certificates, API tokens, and confidential documents were stolen. This breach impacts Cisco's B2B clients, with over 26 client source codes compromised.
Our investigation also found that despite Cisco’s efforts to block access, the hackers regained entry using hard-coded credentials found in previously exfiltrated data. This exposes serious security risks and highlights the need for immediate remediation.
Link to the Research Report: Data Breach Investigation on Cisco - CYFIRMA
#DataBreach #CyberSecurity #CYFIRMAInvestigation #CiscoBreach #ThreatIntel #SupplyChainRisk #HackerAlert #CyberDefense #Breachforum #DataLeak #CYFIRMA #ExternalThreatLandscapeManagement #ETLM
https://www.cyfirma.com/
CYFIRMA Research: The Will of D- A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer
Monday, 21 October 2024 • Duration 05:42
The proliferation of stealers, particularly those masquerading as open-source projects, poses significant risks to users. With capabilities to steal sensitive information, such as passwords, cryptocurrency wallets, and browser data, these malware variants not only threaten individual privacy but also create broader cybersecurity challenges.
As developers continue to leverage and modify existing stealers, users must remain vigilant and aware of the potential dangers associated with seemingly benign software, particularly those offered for free.
Link to the Research Report: The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer - CYFIRMA
#CyberSecurity #CyberThreat #DivulgeStealer #Dedsec #DuckStealer #CYFIRMA
#CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM
https://www.cyfirma.com/
CYFIRMA Research- World on the Brink: War in The Middle East Threatens to Enter a New Destructive Phase
Friday, 18 October 2024 • Duration 05:15
The Israeli invasion of Lebanon began with the declared goal to remove Hezbollah's military infrastructure from the south of the country so that Israelis living in northern Israel could return to their homes, from which they have been driven by the low-intensity conflict raging on the border since Hamas' raid on Gaza last year.
The Israeli army has hit thousands of Hezbollah targets in Lebanon and Syria and has eliminated Hezbollah’s leader Hassan Nasrallah. After a brief hesitation, Iran finally carried out a large-scale ballistic missile strike on Israel in retaliation, and the whole world is now waiting for Israel's response. The targets could be Iran's nuclear program and spark a war that would affect the whole region and have secondary consequences for the entire world.
Link to the Research Report: WORLD ON THE BRINK : WAR IN THE MIDDLE EAST THREATENS TO ENTER A NEW DESTRUCTIVE PHASE - CYFIRMA
#Geopolitics #CYFIRMAresearch #ThreatIntelligence #Cybersecurity #ETLM #currentaffairs #ExternalThreatLandscapeManagement #ETLM #CYFIRMA #HassanNasrallah
https://www.cyfirma.com/
CYFIRMA Research: Tracking Ransomware- September 2024
Monday, 14 October 2024 • Duration 05:32
Stay ahead of cybersecurity trends with CYFIRMA's September 2024 Ransomware Report. This month’s analysis highlights significant shifts among top ransomware groups like Medusa, which saw a 525% surge in victims, while others like RansomHub and Meow experienced declines.
Key industries such as IT and transportation saw notable increases, while sectors like manufacturing and finance recorded drops. The report also explores emerging threats like Kransom, a ransomware disguised as a popular game, and highlights the impact of ransomware groups leveraging vulnerabilities in SonicWall systems. Don’t miss out—read the full report to understand the evolving threat landscape and how you can protect your organization.
Link to the Research Report: TRACKING RANSOMWARE - SEPTEMBER 2024 - CYFIRMA
#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #Ransomhub #Medusa #orca #kransom #USA #Manufacturing #CyfirmaResearch #ExternalThreatLandscapeManagement #StayProtected #DataProtection
https://www.cyfirma.com/
CYFIRMA Research- iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation
Friday, 11 October 2024 • Duration 03:59
Immediate action is required for all organizations using iTunes for Windows! CVE-2024-44193 is a critical local privilege escalation vulnerability that could lead to unauthorized system access. Attackers exploit misconfigured permissions in the AppleMobileDeviceService.exe to elevate privileges and gain control. Given the widespread use of iTunes, this poses a significant risk. Update iTunes to version 12.13.3 or later, monitor systems for anomalies, and review permissions to prevent exploitation. Stay proactive and secure your systems now! Check CYFIRMA Research's latest report.
Link to the Research Report: iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation - CYFIRMA
#CyberSecurity #VulnerabilityManagement #iTunes #CVE202444193 #CYFIRMAResearch #VulnerabilitySummary #ExternalThreatLandscapeManagement #ETLM #Cyfirma
https://www.cyfirma.com/
CYFIRMA Research- The Yunit Stealer
Monday, 7 October 2024 • Duration 05:53
Our latest research dives deep into Yunit Stealer, a sophisticated malware designed to steal sensitive data, such as credentials, cookies, and cryptocurrency wallets. This malware employs advanced evasion techniques, including obfuscation and persistence methods, making it a formidable threat to cybersecurity. Yunit Stealer can disable Windows Defender, modify registry keys, and use scheduled tasks to maintain its presence on infected systems. It exfiltrates data via Telegram and Discord webhooks, ensuring the stolen information reaches the attacker securely.
The developer has connections to various gaming platforms, indicating a possible link between gaming interests and the creation of this malware. Our analysis highlights the importance of staying informed and vigilant to protect your systems from such threats. Stay informed and protect your systems with our comprehensive insights!
Link to the Research Report: YUNIT STEALER - CYFIRMA
#CyberSecurity #Malware #YunitStealer #DataProtection #CyberThreats #TechNews #CYFIRMA #StaySafe #CyberAwareness #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM
https://www.cyfirma.com/









