Advisory ID:   ngCERT-2025-080004

SUMMARY

ngCERT is aware of the discovery of “Cobalt Strike Beacon” malware on Nigeria cyberspace. Cobalt Strike Beacon is the central payload of the commercial Cobalt Strike red-team framework, originally designed for penetration testing but increasingly abused by threat actors. The Beacon is a versatile and stealthy implant that provides attackers with command-and-control (C2) capabilities, post-exploitation tools, and the ability to persist in target networks. Its modularity, encryption features, and ability to mimic legitimate traffic make it one of the most commonly observed payloads in advanced cyber intrusions. While a legitimate security tool, Cobalt Strike has been weaponized by ransomware operators, state-backed advanced persistent threats (APTs), and financially motivated cybercriminals. Its widespread misuse has made it a critical security concern for governments, enterprises, and research institutions worldwide.

Probability:    High

Damage:        Critical

Platform(s): Windows, Linux, MacOS)

DESCRIPTION

Cobalt Strike Beacon is a memory resident, modular post exploitation implant built for stealthy, persistent C2 within enterprise environments. It supports multiple communication protocols—including HTTP/S, DNS tunneling, SMB named pipes, and peer-to-peer channels—which allow it to blend into normal network traffic. Beacon traffic is encrypted and obfuscated, often using customized C2 profiles that mimic legitimate web applications and services, complicating detection by traditional network security tools. The Beacon offers a wide range of post-exploitation capabilities, including process injection, privilege escalation, credential dumping, keylogging, file transfer, lateral movement, and persistence mechanisms. It can also dynamically load additional modules, execute PowerShell commands, and deliver secondary payloads such as ransomware. Its sleep and jitter functions enable it to remain dormant for extended periods, awakening at randomized intervals to avoid detection. This adaptability makes it a highly effective and dangerous tool for prolonged network intrusions.

CONSEQUENCES

Successful exploitation of the malware may lead to:

1. Covert Command-and-Control: Secure, stealthy communications that evade intrusion detection.
2. Data Theft: Exfiltration of sensitive organizational data, intellectual property, and credentials.
3. Privilege Escalation & Lateral Movement: Compromise of multiple systems and network segments.
4. Ransomware Deployment: Used as an entry vector by ransomware groups (e.g., LockBit, Conti).
5. Operational Disruption: Prolonged undetected presence leading to costly incident response and downtime.

SOLUTION/MITIGATION

To mitigate the risks, ngCERT recommends the following:

1. Deploy Endpoint Detection and Response (EDR) with behaviour-based detection.
2. Monitor network traffic for anomalies like DNS tunneling and suspicious SMB or HTTP/S activity.
3. Enforce least privilege access controls to limit attacker movement and privilege escalation.
4. Implement Multi-Factor Authentication (MFA) to protect accounts from credential theft.
5. Keep systems and applications patched and up to date to close vulnerabilities.
6. Conduct proactive threat hunting using memory and process analysis to identify hidden activity.
7. Train users on phishing awareness and block malicious delivery methods like macros or loaders.

HYPERLINK

• https://softhandtech.com/is-beacon-a-malware/. Click or tap if you trust this link." data-auth="NotApplicable" data-linkindex="1">https://softhandtech.com/is-beacon-a-malware/
• https://hunt.io/glossary/c2-beaconing. Click or tap if you trust this link." data-auth="NotApplicable" data-linkindex="2">https://hunt.io/glossary/c2-beaconing
• https://vercara.digicert.com/resources/dns-beacons. Click or tap if you trust this link." data-auth="NotApplicable" data-linkindex="3">https://vercara.digicert.com/resources/dns-beacons
• https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea. Click or tap if you trust this link." data-auth="NotApplicable" data-linkindex="4">https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea

Advisory ID: NCC-CSIRT-2025-014

Summary: 

A sophisticated and dangerous Android banking trojan, known as "Hook," is being actively distributed to target users of banking, financial, and cryptocurrency applications. Hook is designed to steal credentials and Personally Identifiable Information (PII) through overlay attacks and has evolved to include capabilities for full remote device takeover, data exfiltration, and ransomware-like features. The primary infection vector is social engineering, tricking users into installing malicious applications from unofficial sources. 

Damage/Probability: High/Critical

Product(s): 

Android Mobile Devices and Applications (Banking, Financial, and Cryptocurrency Apps)

Version(s): 

All versions of Android OS (targeted via malicious apps) 

Platform(s): 

Android OS

Description: 

The Hook trojan operates by masquerading as a legitimate application, such as a utility tool, system update, or a popular app. Once installed, it persistently requests the user to grant it powerful permissions, specifically targeting Android's Accessibility Services.

Upon receiving these permissions, Hook gains the ability to:

• Perform Overlay Attacks: When a user opens a targeted banking or financial app, Hook displays a fake, identical-looking login screen over the real app. The user unknowingly enters their credentials into this malicious window, which are then captured and sent to the attacker's server.
• Act as a Remote Access Tool (RAT): Attackers can establish a remote connection to the infected device, view the screen in real-time, simulate screen taps, log keystrokes, and navigate the device's user interface.
• Intercept Communications: The malware can read SMS messages, allowing it to bypass Two-Factor Authentication (2FA) codes sent via text.
• Exfiltrate Files: Hook can browse the device's file system and steal sensitive documents, photos, and other personal data.

Impacts: 

A successful infection by the Hook trojan can lead to severe consequences, including:

• Direct Financial Loss: Unauthorized access to bank accounts, leading to theft of funds.
• Data Breach: Theft of sensitive personal information, including login credentials for multiple services, contacts, and private files.
• Identity Theft: The stolen information can be used to impersonate the victim and open fraudulent accounts.
• Complete Device Compromise: Attackers can gain full control over the device, using it for further malicious activities.
• Ransomware Attack: The trojan can lock the device's screen and demand a ransom payment for its release.

Solutions: 

All Android users are strongly advised to adopt the following security measures to protect against this threat:

Immediate User Actions:

• Restrict App Sources: Only install applications from the official Google Play Store. Disable the "Install from unknown sources" option in your Android settings.
• Scrutinize Permissions: Be extremely cautious of any application requesting Accessibility Service permissions. These permissions grant extensive control over your device and should only be given to fully trusted applications from reputable developers.
• Enable Google Play Protect: Ensure this built-in security feature is active on your device.
• Update Regularly: Keep your Android operating system and all installed applications updated to the latest versions to ensure you have the most recent security patches.
• Practice Phishing Awareness: Do not click on suspicious links or download attachments from unknown senders in emails, SMS, or messaging apps.
• Use a Mobile Security Solution: Install a reputable antivirus or anti-malware application from a known security vendor.

If an Infection is Suspected:

1. Immediately disconnect the device from all networks (Wi-Fi and Mobile Data).
2. Boot the device into Safe Mode to prevent third-party apps from running and attempt to uninstall the malicious application.
3. If the malicious app cannot be removed, a full factory reset is the most reliable method to ensure the malware is completely eradicated. Note that this will erase all data on the device.
4. After securing your device, immediately change the passwords for your banking, email, and other critical online accounts from a separate, trusted device.

References:

• https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities

• https://blog.polyswarm.io/hook-android-banking-trojan-evolves

• https://thehackernews.com/2025/08/hook-android-trojan-adds-ransomware.html

• https://www.scworld.com/brief/more-sophisticated-hook-android-banking-trojan-emerges

Advisory ID:   ngCERT-2025-080003

SUMMARY

ngCERT is aware of a persistent “AdLoad” malware infiltrating macOS through deceptive installers and bypassing Apple’s native security protections. Once installed, it hijacks browsers, injects unwanted advertisements, and collects user data while embedding itself deeply via launch agents, login items, and configuration profiles to maintain persistence. Detecting AdLoad can be challenging due to its stealthy nature and use of legitimate system mechanisms. Manual detection involves inspecting login items, system profiles, and startup agents, but these methods may miss advanced variants. Proactive monitoring, regular audits, and user education are crucial for mitigating risk and protecting system integrity. The malware exemplifies the increasing sophistication of macOS threats, making layered defense and timely detection critical to maintaining secure computing environments.  

Probability:    High

Damage:        Critical

Platform(s): macOS (Intel + Apple Silicon)

DESCRIPTION

AdLoad is a sophisticated adware targeting macOS, utilising deceptive installers to infiltrate systems without detection. It exploits macOS’s native features to establish deep persistence, manipulating browser settings and injecting unsolicited advertisements. Unlike typical malware, AdLoad blends into legitimate system processes, complicating detection efforts. Indicators of infection include unexpected browser redirects, unfamiliar startup items, and subtle system slowdowns. Its stealth is enhanced by employing configuration profiles and launch agents, tools generally used for legitimate purposes. Traditional antivirus tools often struggle to identify AdLoad due to its use of signed components and legitimate macOS mechanisms. 

CONSEQUENCES

Successful exploitation of Adload malware may lead to the following outcomes:

1. Persistent and Intrusive Advertisements: AdLoad continuously injects unwanted ads into browsers and applications, disrupting normal workflows and degrading the overall user experience.
2. Browser Hijacking and Redirects: The malware modifies browser settings to redirect users to suspicious or malicious websites.
3. Unauthorized Data Collection: AdLoad covertly gathers browsing history, search queries, and other personal information without user consent.
4. Difficult Removal and Persistence: Utilizing legitimate macOS mechanisms like launch agents and configuration profiles, AdLoad embeds itself deeply within the system.
5. Degraded System Performance: Running background processes and injecting ads consume CPU, memory, and network bandwidth, leading to slower system responsiveness and reduced efficiency over time.
6. Potential Vector for More Threats: By weakening system security and opening hidden backdoors, AdLoad can serve as a gateway for more dangerous malware, including ransomware or spyware.

SOLUTION/MITIGATION

To mitigate the risks associated with adload malware, ngCERT recommends the following actions:

1. Use trusted anti-malware tools.
2. Perform manual inspection and cleanup.
3. Keep macOS and software updated.
4. Limit software installation sources.
5. Educate users on phishing and fake installers.
6. Implement endpoint monitoring.
7. Restrict administrative privileges.
8. Maintain regular backups.

HYPERLINK

• https://www.pcrisk.com/removal-guides/16328-adload-malware-mac
• https://cybernoz.com/new-macos-adload-malware-bypasses-built-in-antivirus-detection/
• https://www.malwarebytes.com/blog/detections/adware-adload

Advisory ID:   ngCERT-2025-080002

SUMMARY

ngCERT is aware of an increase in Android.Vo1d malware infections within the Nigerian cyberspace. Android.vo1d, otherwise known as Void, is a recent Android Trojan campaign reported to have infected over 1.3 million Android TV boxes worldwide, including in Nigeria. The malware is identified as a sophisticated backdoor capable of secretly downloading and installing malicious applications on infected devices, particularly those running outdated Android operating systems. Android.vo1d poses a major risk to Android TV box users, with implications on system compromise and takeover, as well as data exfiltration, among other negative impacts. Consequently, ngCERT strongly advises individuals and organisations to take immediate steps to safeguard their systems and data from this emerging threat.  

Probability:    High

Damage:        Critical

Platform(s): Android 7.1.2, Android 10.1, Android 12.1

DESCRIPTION

Android.Vo1d is a backdoor trojan that installs itself deep in the device’s system files and operates covertly by employing advanced techniques to evade detection while establishing persistence. It achieves this by infiltrating the system storage and modifying critical files like install-recovery.sh and daemonsu files. Thereafter, it creates news files, /system/bin/debuggerd,  /system/bin/debuggerd_real, /system/xbin/vo1d,and /system/xbin/wd. Attackers cleverly disguises the malware by altering the file name “vold,” a system program, to “vo1d,” substituting the lowercase “l” with the number “1”. This trick allows the malware to evade detection while establishing a foothold in infected systems. Additionally, the backdoor’s components, Android.Vo1d.1, Android.Vo1d.3, and Android.Vo1d.5 work concurrently to ensure continued malicious activity. Particularly, Vo1d.1 manages activities and downloads executables files from the C&C server, Vo1d.3 installs and launches the encrypted Android.Vo1d.5 daemon, while monitoring directories and installing APK files, with Vo1d.5 providing additional functionality. Furthermore, TV boxes running older Android versions are particularly vulnerable, as they often lack critical security updates. Some of these devices include the R4 (Android 7.1.2) and KJ-SMART4KVIP (Android 10.1).

CONSEQUENCES

Falling prey to these attacks could potentially lead to:

1. System compromise.
2. Unauthorised access to sensitive data.
3. Data exfiltration.
4. Reputational damage.
5. Service Disruption leading to potential Denial of Service (DoS). 

SOLUTION/MITIGATION

ngCERT recommends the following:

1. Regularly update of TV box firmware from official sources.
2. Installation of antivirus software to detect potential infections.
3. Avoid downloading apps or firmware from unofficial sources.
4. Consider replacing TV boxes running on outdated Android versions with newer and more secure models. 

HYPERLINK

• https://cybersecuritynews.com/android-tv-box-android-vo1d-malware/
• https://securityonline.info/massive-android-tv-box-infection-over-1-3-million-devices-compromised-by-android-vo1d/
• https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
• https://www.androidheadlines.com/2024/09/these-android-tv-boxes-are-infected-by-vo1d-malware.html