Advisory ID: NCC-CSIRT-2025-019
Summary:
In Operation SIMCARTEL, Europol and Eurojust dismantled a cybercrime-as-a-service (CaaS) network that ran large-scale SIM farms used to create over 49 million fake online accounts across more than 80 countries. In Nigeria and West Africa, similar operations threaten KYC integrity, telecom infrastructure and financial systems by enabling smishing, phishing, money-mule schemes and social-media manipulation. Telecom operators, fintech platforms and regulators should assume that phone numbers can be rented or abused at scale, and strengthen verification, detection and onboarding controls accordingly.
Damage/Probability: Critical/High
Product(s):
- Mobile network services (SIM cards, SMS/MMS delivery, voice)
- Mobile Virtual Network Operators (MVNOs), retail SIM distribution channels
- Online services relying on phone-number verification (social media, messaging apps, Fintech, e-commerce)
- SMS gateway providers and aggregators
Version(s):
Not version-specific (Telecom operations, KYC and provisioning processes, Verification services)
Platform(s):
- Mobile networks (GSM/3G/4G/5G)
- SMS and SS7 (and SS7-like) signalling and routing infrastructure
- Web platforms using phone verification, number-rental marketplaces
Description:
SIM farms are collections of GSM modems and SIM cards used to automate OTP receipt and account registration. They enable criminals to bypass phone verification and conduct large-scale fraud. In Nigeria, this threat can support financial fraud and phishing schemes, election-related disinformation, bulk SMS scams, and exploitation of weak SIM registration and KYC enforcement. Enhanced telecom monitoring, cross-sector collaboration, and strict KYC compliance are essential to mitigate this risk.
Impacts:
- Fraudulent fintech and bank accounts opened with rented SIMs.
- Smishing campaigns using new numbers to evade blacklists.
- Large-scale fake social-media profiles spreading scams and misinformation.
- Weakening of phone-based verification and erosion of trust in KYC systems.
- Regulatory and reputational risks for operators enabling number abuse.
Solutions:
- Detection & Monitoring: Analyze for bulk SIM provisioning or activation spikes.
- KYC & SIM Controls: Enforce strict ID and biometric verification for new SIMs.
- Fraud Prevention: Apply behavioral/velocity checks for phone-verified accounts.
- Coordination & Awareness: Establish shared blocklists for abused numbers/resellers.
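The two detection items above (activation spikes at the operator, velocity checks at the verifying service) come down to the same sliding-window counting. The following is an added worked example for this advisory, not code from Europol, any operator or any fintech: all event layouts, thresholds and records are constructed for illustration (198.18.0.0/15 is reserved test address space). It flags a number that is being rented to many accounts, a source IP that verifies many numbers in minutes (automation behind a farm), and a dealer that activates a dense run of consecutive MSISDNs in seconds.

```python
"""Velocity and bulk-provisioning checks over phone-verification and SIM
activation events.

Added example for this advisory; not code from Europol, any operator or any
fintech. The event layouts, thresholds and every record below are constructed
for illustration (198.18.0.0/15 is reserved test space).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OTP verification log: (timestamp, msisdn, account_id, client_ip)
VERIFICATIONS = [
    # one source IP verifying six different numbers in under two minutes: farm-like
    ("2025-10-20T09:00:00", "+2348012340001", "acct-1", "198.18.10.7"),
    ("2025-10-20T09:00:20", "+2348012340002", "acct-2", "198.18.10.7"),
    ("2025-10-20T09:00:40", "+2348012340003", "acct-3", "198.18.10.7"),
    ("2025-10-20T09:01:00", "+2348012340004", "acct-4", "198.18.10.7"),
    ("2025-10-20T09:01:20", "+2348012340005", "acct-5", "198.18.10.7"),
    ("2025-10-20T09:01:40", "+2348012340006", "acct-6", "198.18.10.7"),
    # one number verifying four unrelated accounts from four IPs in 90 minutes: rented number
    ("2025-10-20T10:00:00", "+2348099990001", "acct-7", "198.18.20.1"),
    ("2025-10-20T10:30:00", "+2348099990001", "acct-8", "198.18.21.2"),
    ("2025-10-20T11:00:00", "+2348099990001", "acct-9", "198.18.22.3"),
    ("2025-10-20T11:30:00", "+2348099990001", "acct-10", "198.18.23.4"),
    # ordinary user
    ("2025-10-21T09:00:00", "+2348077770001", "acct-11", "198.18.30.9"),
]

# Constructed SIM activation log: (timestamp, msisdn, dealer_id)
ACTIVATIONS = [(f"2025-10-20T08:00:{5 * i:02d}", f"+23480555501{i:02d}", "dealer-77")
               for i in range(9)] + [            # nine consecutive numbers in 40 seconds
    ("2025-10-20T08:05:00", "+2348033330042", "dealer-12"),
    ("2025-10-20T13:20:00", "+2348033339871", "dealer-12"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def velocity_offenders(events, key_idx, value_idx, window, max_distinct):
    """Group events on the field at key_idx and flag any key that sees more
    than max_distinct distinct values (field value_idx) inside a sliding
    time window. Returns {key: distinct count at first breach}."""
    per_key = defaultdict(list)
    for ev in events:
        per_key[ev[key_idx]].append((_ts(ev[0]), ev[value_idx]))
    offenders = {}
    for key, items in per_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {v for _, v in items[start:end + 1]}
            if len(distinct) > max_distinct:
                offenders[key] = len(distinct)
                break
    return offenders


def rented_numbers(events, window=timedelta(hours=24), max_accounts=3):
    """One MSISDN verifying many unrelated accounts: the number is being rented out."""
    return velocity_offenders(events, key_idx=1, value_idx=2, window=window, max_distinct=max_accounts)


def farm_sources(events, window=timedelta(minutes=10), max_numbers=5):
    """One client IP verifying many different MSISDNs within minutes: automation behind a farm."""
    return velocity_offenders(events, key_idx=3, value_idx=1, window=window, max_distinct=max_numbers)


def bulk_activation_batches(activations, window=timedelta(minutes=2), min_batch=5):
    """Flag dealers that activate a dense run of consecutive MSISDNs within
    `window`. Returns {dealer: largest batch size seen}."""
    per_dealer = defaultdict(list)
    for ts, msisdn, dealer in activations:
        per_dealer[dealer].append((_ts(ts), int(msisdn.lstrip("+"))))
    flagged = {}
    for dealer, items in per_dealer.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            batch = sorted(n for _, n in items[start:end + 1])
            # "dense": the numeric span is less than twice the batch size
            if len(batch) >= min_batch and batch[-1] - batch[0] < 2 * len(batch):
                flagged[dealer] = max(flagged.get(dealer, 0), len(batch))
    return flagged


if __name__ == "__main__":
    print("rented numbers:", rented_numbers(VERIFICATIONS))
    print("farm sources:", farm_sources(VERIFICATIONS))
    print("bulk activations:", bulk_activation_batches(ACTIVATIONS))
```

The thresholds are deliberately loose starting points; in production they should be tuned per channel (a corporate NAT address legitimately verifies many numbers, a dealer onboarding a company fleet legitimately activates consecutive SIMs), and a breach should trigger step-up verification or a manual KYC review rather than an automatic block.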
References:
- https://thehackernews.com/2025/10/europol-dismantles-sim-farm-network.html
- https://www.europol.europa.eu/media-press/newsroom/news/cybercrime-service-takedown-7-arrested
- https://cyberscoop.com/europol-dismantles-cybercime-network-sim-boxes-fraud/
- https://therecord.media/europe-sim-farms-raided-latvia-austria-estonia
- https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/
Advisory ID: NCC-CSIRT-2025-018
Summary:
Researchers have discovered ClayRat, a new Android spyware disguised as popular apps like WhatsApp and TikTok. It spreads through Telegram and fake websites, stealing messages, photos, and other personal data. The malware can also take secret pictures and send malicious links to contacts, making it hard to detect and remove.
Damage/Probability: Critical/High
Product(s):
- Android mobile devices (APK (Android Package Kit) side-loaded or installed from untrusted stores / Telegram channels)
- Popular mobile app brands used as lures (WhatsApp, TikTok, YouTube, Google Photos)
Version(s):
Not version-specific; it affects Android devices on which a malicious APK is installed and granted the roles/permissions it requests.
Platform(s):
- Android OS (various versions).
- Devices with SMS/notification privileges and browsers/Telegram clients used to download APK droppers.
Description:
Zimperium security researchers have discovered a new Android spyware called ClayRat, which pretends to be popular apps like WhatsApp, TikTok, YouTube, and Google Photos. The attackers share these fake apps through Telegram channels and phishing websites, often using lookalike domains and fake reviews to appear genuine.
When users download and install these fake apps manually, they are tricked into giving the spyware special permissions, such as access to text messages and notifications. This allows ClayRat to read messages (including security codes), check call logs, view contacts, take photos, and send stolen data to the attackers’ servers. It can also send harmful links to the victim’s contacts, spreading the infection further.
The malware is constantly changing, with over 600 different versions found in just a few months. It also uses advanced hiding techniques to avoid detection by antivirus software, making it difficult to remove once installed. Because it spreads through public channels like Telegram, the spyware can reach a large number of victims very quickly.
Impacts:
- Disclosure of sensitive communications (SMS, verification codes) and account takeover risk.
- Loss of privacy (photos, location, microphone/camera capabilities).
- Rapid propagation to the victim's contacts via SMS and through Telegram channels, increasing the scale of compromise.
- Potential secondary payloads installed by the loader (additional RATs, credential stealers).
Solutions:
- Deploy Mobile Threat Defense (MTD) and Google Play Protect to detect malicious APKs and abnormal behaviors.
- Validate apps against an approved allowlist; remove any mismatched packages immediately.
- Block malicious domains, phishing sites, and suspicious Telegram channels at the DNS/network level.
- Disable side-loading on managed devices; allow installations only from the Play Store or enterprise app store.
- For suspected devices, remove unknown APKs, revoke sensitive permissions, rotate credentials, and enforce phishing-resistant MFA.
- Isolate and analyze compromised devices, collecting relevant artifacts for forensics.
- Educate users to avoid installing apps from untrusted links or channels and to verify app sources.
- Keep MTD/antivirus and EDR signatures updated and configure alerts for suspicious app or SMS-handler activities.
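To make the allowlist item above concrete: an allowlist keyed on package name alone is defeated by a repackaged app that reuses the official package name, so the check must pair the package with its signing certificate and look at the SMS/notification privileges ClayRat depends on. The following is an added worked example for this advisory, not code from Zimperium or the advisory authors. The inventory layout mimics an MDM export and is constructed; the signer fingerprints in PINNED_SIGNERS are placeholders that must be replaced with the publisher's real values (obtained, for instance, with `apksigner verify --print-certs`), and the enterprise store package name is hypothetical.

```python
"""Triage an Android app inventory for ClayRat-style impersonation and SMS abuse.

Added example for this advisory; not code from Zimperium or the advisory
authors. The inventory layout mimics an MDM export and is constructed; the
signer fingerprints in PINNED_SIGNERS are placeholders (replace with the
publisher's real values) and com.example.enterprisestore is hypothetical.
"""

# Brand name (lower case) -> the only package permitted to present that brand.
OFFICIAL_PACKAGE = {
    "whatsapp": "com.whatsapp",
    "tiktok": "com.zhiliaoapp.musically",
    "youtube": "com.google.android.youtube",
    "google photos": "com.google.android.apps.photos",
}
# Placeholder signer SHA-256 fingerprints (assumption: replace with real pins).
PINNED_SIGNERS = {
    "com.whatsapp": "PLACEHOLDER-WHATSAPP-SIGNER-SHA256",
    "com.zhiliaoapp.musically": "PLACEHOLDER-TIKTOK-SIGNER-SHA256",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_ROLE = "android.app.role.SMS"                     # default SMS handler role
TRUSTED_INSTALLERS = {"com.android.vending",          # Google Play
                      "com.example.enterprisestore"}  # hypothetical enterprise store
# Packages allowed to hold SMS/notification access at all (only with a matching signer).
SMS_ALLOWLIST = {"com.whatsapp", "com.google.android.apps.messaging"}


def brand_in_label(label):
    """Return the protected brand whose name appears in the app label, or None."""
    norm = label.lower().replace(" ", "")
    for brand in OFFICIAL_PACKAGE:
        if brand.replace(" ", "") in norm:
            return brand
    return None


def triage(app):
    """Return a list of findings for one inventory record (empty = clean)."""
    findings = []
    pkg = app["package"]
    brand = brand_in_label(app["label"])
    if brand and pkg != OFFICIAL_PACKAGE[brand]:
        findings.append(f"lookalike: label {app['label']!r} belongs to {OFFICIAL_PACKAGE[brand]}")
    pin = PINNED_SIGNERS.get(pkg)
    signer_ok = pin is None or app["signer_sha256"] == pin
    if not signer_ok:
        findings.append("signer mismatch: repackaged or forged build of " + pkg)
    if app.get("installer") not in TRUSTED_INSTALLERS:
        findings.append(f"sideloaded (installer={app.get('installer')})")
    perms = set(app.get("permissions", []))
    roles = set(app.get("roles", []))
    wants_sms = SMS_ROLE in roles or bool(perms & SMS_PERMS) or NOTIFICATION_LISTENER in perms
    if wants_sms and not (pkg in SMS_ALLOWLIST and signer_ok):
        findings.append("unapproved SMS/notification access")
    return findings


def triage_inventory(inventory):
    """[(package, findings)] for every record with at least one finding."""
    return [(app["package"], f) for app in inventory if (f := triage(app))]


# Constructed inventory: genuine app, lookalike dropper, repackaged copy, harmless app.
INVENTORY = [
    {"package": "com.whatsapp", "label": "WhatsApp",
     "signer_sha256": PINNED_SIGNERS["com.whatsapp"], "installer": "com.android.vending",
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"], "roles": []},
    {"package": "com.whatsapp.messenger.update", "label": "WhatsApp",
     "signer_sha256": "00" * 32, "installer": None,
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.CAMERA",
                     "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"],
     "roles": ["android.app.role.SMS"]},
    {"package": "com.whatsapp", "label": "WhatsApp",
     "signer_sha256": "ff" * 32, "installer": None,
     "permissions": ["android.permission.READ_SMS"], "roles": []},
    {"package": "com.example.notes", "label": "Notes",
     "signer_sha256": "11" * 32, "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET"], "roles": []},
]

if __name__ == "__main__":
    for pkg, findings in triage_inventory(INVENTORY):
        print(pkg, "->", "; ".join(findings))
```

Any package with findings is a candidate for the remediation steps in the list above (remove the APK, revoke its permissions, rotate the credentials of accounts whose OTPs it could have read). The brand check is a substring match on the label and will also fire on legitimate third-party apps that mention a brand; treat it as a triage signal, with the signer mismatch and default-SMS-role findings as the high-confidence ones.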
References:
- https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
- https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html
- https://www.csoonline.com/article/4070281/clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram.html
- https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html
Advisory ID: NCC-CSIRT-2025-017
Summary:
win.satacom is a family of Trojan-downloaders (also reported as Satacom / LegionLoader) that has been active since at least 2019. It functions primarily as a loader/downloader, installing follow-on payloads such as cryptocurrency-stealing browser extensions and information-stealers. Recent campaigns have delivered stealthy Chromium extensions that intercept web sessions and siphon cryptocurrencies from victims on exchange and web wallet pages. Microsoft Defender, Kaspersky, and other AV vendors detect variants of this family.
Damage/Probability: High/High
Product(s):
- Windows endpoints
- Chromium-based browsers (via malicious extensions)
- Downloader distribution chains (phishing, droppers, packers)
Version(s):
Not version-specific; it affects Windows systems where the downloader is executed and Chromium browsers that accept malicious extensions.
Platform(s):
- Microsoft Windows (x86/x64)
- Chromium browser families (Chrome, Edge, Brave, etc.)
- Common enterprise environments where browser-based crypto wallets are used
Description:
Satacom acts as a downloader/dropper. After initial execution (often from a malicious installer, bundled software, or an obfuscated dropper), it contacts Command & Control servers to retrieve additional payloads and loaders. Variant analysis shows multiple string-deobfuscation and packing techniques.
Documented campaigns (2023 onward) show Satacom delivering malicious Chromium extensions engineered to perform web injections on crypto exchange and wallet pages to exfiltrate funds and session cookies. Other follow-on binaries observed include RedLine, other stealers, and loaders.
Variants use common downloader evasion (packing/obfuscation, staged encryption of strings, anti-analysis checks), persistence via scheduled tasks/startup entries, and fallback C2 techniques.
Campaigns have targeted users in multiple regions (e.g., Brazil, India, Indonesia, Turkey, Egypt and others in prior reporting) with a focus on users who transact in cryptocurrency.
Impacts:
- Loss/theft of cryptocurrency from web wallets and exchange accounts via browser extension or web-inject attacks.
- Compromise of user credentials, session cookies, and stored secrets leading to account takeover (ATO).
- Persistent foothold through additional downloaded payloads (infostealers, RATs).
- Lateral movement in poorly segmented networks if follow-on payloads include remote access tools.
Solutions:
- Scan endpoints with up-to-date anti-malware signatures (Microsoft Defender, Kaspersky, Broadcom/Symantec, Fortinet, etc.). Microsoft Defender and other engines include detections for Satacom variants.
- Monitor for suspicious child processes of browser and common installer processes, and for downloads from known malicious gateways.
- Inspect installed Chromium extensions centrally (via endpoint management or browser management policies) and flag any extension installed outside official enterprise channels or having excessive permissions.
- Employ Endpoint Detection and Response (EDR) tooling to hunt for the known behaviour patterns.
- Quarantine and remove detected Satacom binaries; block related Command & Control domains/IPs at the network perimeter and in DNS.
- Enforce browser extension policy, allow only approved extensions via enterprise browser management; remove all unapproved/unknown extensions; rotate credentials and revoke sessions for any accounts accessed from infected hosts.
- For users with suspected exposure, reset passwords, enable phishing-resistant Multi Factor Authentication where possible, and move high-value crypto to cold storage or wallets with hardware isolation.
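The extension-inspection and extension-policy items above can be expressed as a small audit over the extensions actually present in each profile plus the policy that prevents the situation from recurring. The following is an added worked example for this advisory, not code from Kaspersky, Microsoft or the Satacom analysts. Inventory records mimic what an endpoint agent could collect from each profile's extension manifests; the IDs, paths and WATCHLIST domains are constructed. The two policy keys returned by `hardened_policy` are real Chrome enterprise policy names; the check for extensions living outside the profile's Extensions directory catches unpacked extensions loaded through a modified browser command line, which never pass through the Web Store.

```python
"""Audit a Chromium extension inventory against an allowlist, permission rules
and install location, and emit the matching enterprise policy.

Added example for this advisory; not code from Kaspersky, Microsoft or the
Satacom analysts. Inventory records, IDs, paths and watchlist domains are
constructed. ExtensionInstallBlocklist/ExtensionInstallAllowlist are real
Chrome enterprise policy names.
"""

APPROVED_IDS = {"a" * 32}       # constructed ID of the one enterprise-approved extension
# Permissions that let an extension read or rewrite pages, requests or cookies.
RISKY_PERMS = {"webRequest", "webRequestBlocking", "cookies", "scripting",
               "tabs", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Operator-defined sites whose sessions are high value (constructed names).
WATCHLIST = {"exchange.example", "wallet.example"}
PROFILE_ROOT = "C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default"  # constructed


def host_pattern_matches(pattern, domain):
    """Minimal Chrome match-pattern test: broad patterns, exact host, *.host."""
    if pattern in BROAD_HOSTS:
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        return domain == host[2:] or domain.endswith("." + host[2:])
    return host == domain


def installed_in_profile(path, profile_root=PROFILE_ROOT):
    """Web Store installs live under <profile>/Extensions/<id>/<version>_0.
    Anything elsewhere was loaded unpacked (for example via a --load-extension
    argument on a modified shortcut) and never passed through the store."""
    norm = path.replace("\\", "/")
    root = profile_root.replace("\\", "/").rstrip("/")
    return norm.startswith(root + "/Extensions/")


def audit_extension(ext, profile_root=PROFILE_ROOT):
    """Return a list of findings for one extension record (empty = clean)."""
    findings = []
    if ext["id"] not in APPROVED_IDS:
        findings.append("not on the enterprise allowlist")
    if not installed_in_profile(ext["path"], profile_root):
        findings.append("loaded from outside the profile Extensions directory: " + ext["path"])
    risky = set(ext.get("permissions", [])) & RISKY_PERMS
    hosts = ext.get("host_permissions", [])
    if risky and any(h in BROAD_HOSTS for h in hosts):
        findings.append("risky permissions with broad host access: " + ", ".join(sorted(risky)))
    watched = sorted(d for d in WATCHLIST if any(host_pattern_matches(h, d) for h in hosts))
    if risky and watched:
        findings.append("can act on watchlisted sites: " + ", ".join(watched))
    return findings


def audit(inventory, profile_root=PROFILE_ROOT):
    """{extension id: findings} for every extension with at least one finding."""
    return {e["id"]: f for e in inventory if (f := audit_extension(e, profile_root))}


def hardened_policy(approved_ids):
    """Deny every extension, then re-allow only the approved IDs."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(approved_ids)}


# Constructed inventory: approved helper, unpacked injector, unapproved but harmless theme.
INVENTORY = [
    {"id": "a" * 32, "name": "Corp SSO Helper",
     "path": PROFILE_ROOT + "/Extensions/" + "a" * 32 + "/2.1.0_0",
     "permissions": ["storage"], "host_permissions": ["https://sso.example/*"]},
    {"id": "b" * 32, "name": "Chrome Update Service",
     "path": "C:/Users/alice/AppData/Local/Temp/upd/ext",
     "permissions": ["webRequest", "webRequestBlocking", "cookies", "storage"],
     "host_permissions": ["<all_urls>"]},
    {"id": "c" * 32, "name": "Dark Theme",
     "path": PROFILE_ROOT + "/Extensions/" + "c" * 32 + "/1.0_0",
     "permissions": ["tabs"], "host_permissions": ["*://*.example.com/*"]},
]

if __name__ == "__main__":
    for ext_id, findings in audit(INVENTORY).items():
        print(ext_id, "->", "; ".join(findings))
    print(hardened_policy(APPROVED_IDS))
```

An extension that hits both the "outside the profile directory" and the "risky permissions on watchlisted sites" findings is the pattern described in the advisory: a web-inject component with cookie and request access to exchange pages. The policy dictionary maps directly onto the Chrome/Edge management templates (registry under `Software\Policies\Google\Chrome` on Windows); once applied, unapproved extensions are disabled on the next policy refresh, which is the enforcement half of the "allow only approved extensions" item above.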
References:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description/
- https://www.broadcom.com/support/security-center/protection-bulletin/satacom-malware-spreading-cryptocurrency-infostealers
- https://threats.kaspersky.com/en/threat/Trojan-Downloader.Win32.Satacom.zs/
- https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
- https://medium.com/%40tanmaymore06/reversing-satacom-decoding-c2-server-3696bfcb9111
Advisory ID: NCC-CSIRT-2025-016
Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding ongoing attacks targeting Cisco ASA and Firepower devices, urging organizations to identify, analyse, and patch critical vulnerabilities immediately. The flaws allow unauthenticated remote code execution, privilege escalation, and firmware manipulation to maintain persistence even after reboots or upgrades.
The exploitation, linked to the ArcaneDoor (Storm-1849) threat group, has already compromised at least ten organizations worldwide, including several U.S. federal agencies. CISA noted that attackers have demonstrated the ability to tamper with read-only memory components since 2024.
Damage/Probability: High/Critical
Product(s):
- Cisco Adaptive Security Appliance (ASA) / ASA-based firewall software
- Cisco Firepower / Firepower Threat Defense (FTD) appliances
- End-of-support or legacy Cisco firewall hardware
Version(s):
- Cisco ASA / ASA firmware versions (across supported and unsupported releases)
- Cisco Firepower / FTD software versions
- Legacy ASA hardware reaching end-of-support (e.g. certain 5500-X series)
Platform(s):
On-premises firewall and network edge infrastructure running Cisco ASA / Firepower; management and web services exposed via VPN/web services interfaces.
Description:
Through its Emergency Directive, CISA has officially recognized a “widespread” exploitation campaign targeting Cisco ASA and Firepower devices. (Cybersecurity Dive) The exploited vulnerabilities (notably CVE-2025-20333, CVE-2025-20362, and, in some disclosures, CVE-2025-20363) allow attackers to obtain unauthenticated remote code execution, escalate privileges, and, critically, tamper with internal device firmware (read-only memory modules) so that malware or implants survive reboots and upgrades.
In practice, the attacker chain might proceed as follows:
- Use CVE-2025-20362 (missing authorization in the VPN web server) to reach restricted URL endpoints on the ASA / FTD web services interface without authenticating.
- Use CVE-2025-20333 (a buffer overflow in the same web server, which on its own requires valid VPN credentials) to execute arbitrary code as root; chained with the first flaw this yields unauthenticated remote code execution.
- Modify ROM / firmware or boot components to embed malicious implants (e.g., replacing or altering ROMMON) so that control is retained across reboots and software upgrades.
- Use the compromised firewall as a pivot point into internal networks, intercept or redirect traffic, or exfiltrate data.
Cisco itself has indicated that attackers utilized advanced evasion techniques, disabling logging, crashing devices to prevent diagnostic analysis, intercepting CLI commands, and tampering with boot mechanisms.
CISA’s directive notes that some ASA devices will reach end-of-support on 30 September 2025, and mandates their full decommissioning. The directive also mandates forensic core dumps, assessments of compromise, removal of compromised devices, upgrade or replacement of vulnerable systems, and reporting to CISA.
Impacts:
- Complete compromise of firewall appliances, enabling attackers to intercept, reroute, or modify network traffic
- Persistence even after firmware upgrades/reboots, making detection and cleanup extremely difficult
- Lateral movement into downstream systems and network segments
- Exfiltration of sensitive data, credential theft, internal espionage
- Disruption of network security controls or denial of service
- Reputational/regulatory / compliance fallout for organizations relying on affected infrastructure
Solutions:
- Immediately inventory all Cisco ASA and Firepower / FTD devices in use, especially those with VPN or web services enabled.
- Decommission / permanently disconnect ASA hardware that reaches or passes end-of-support (particularly those that go end-of-support on 30 Sept 2025).
- For supported devices, immediately upgrade firmware/software to Cisco’s patched versions (apply latest updates and subsequent releases within 48 hours of availability).
- Reset device configurations: treat all configurations, credentials, certificates, and keys as potentially compromised. Rebuild or reconfigure from scratch where possible after patching.
- Segregate/restrict access: management and administrative interfaces should be accessible only from trusted internal networks or VPN tunnels; ensure no exposure to the public internet if not strictly necessary.
- Monitor logs, traffic, and anomalies: flag unexpected firmware integrity deviations, abnormal traffic flows, or CLI/admin changes.
- Report inventory, actions taken, and outcomes to the relevant oversight authority (for U.S. federal: to CISA) by the required deadline (by Oct 2, 2025, for inventory).
- Engage in threat hunting and retrospective audits to identify whether lateral movement or secondary compromises have occurred.
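The "segregate/restrict access" and "monitor logs" items above can be checked mechanically against a device's running configuration, which is also the fastest way to find appliances whose management plane is reachable from the internet. The following is an added worked example for this advisory, not configuration or code from Cisco or CISA. Both configurations are constructed; the interface name "outside" as the internet-facing nameif is an assumption. A version check against fixed releases is deliberately left out, since the fixed releases come from Cisco's advisories and change over time; the audit reports where the VPN web services are enabled so that those interfaces can be matched against them.

```python
"""Audit a Cisco ASA running-config excerpt for exposed management services
and disabled logging, with a hardened counterpart.

Added example for this advisory; not code or configuration from Cisco or CISA.
Both configs are constructed. "outside" as the internet-facing nameif is an
assumption; version/fixed-release checks are intentionally omitted.
"""
import re

# http|ssh|telnet <source-ip> <mask> <nameif>
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
UNTRUSTED_IFACES = {"outside"}   # assumption: the internet-facing interface


def audit_asa_config(config_text):
    """Return (findings, webvpn_interfaces).

    findings: misconfigurations to fix.
    webvpn_interfaces: where the remote-access VPN web services (the attack
    surface of the exploited bugs) are enabled; those must be on a fixed release."""
    findings, webvpn_ifaces = [], []
    raw = config_text.splitlines()
    stripped = [line.strip() for line in raw]
    in_webvpn = False
    for line in raw:
        if not line.startswith(" "):          # top-level command ends any sub-mode block
            in_webvpn = line.strip() == "webvpn"
            m = MGMT_RE.match(line.strip())
            if m:
                proto, _ip, mask, iface = m.groups()
                if mask == "0.0.0.0":
                    findings.append(f"{proto}: management reachable from any source on '{iface}'")
                elif iface in UNTRUSTED_IFACES:
                    findings.append(f"{proto}: management permitted on untrusted interface '{iface}'")
                if proto == "telnet":
                    findings.append("telnet: cleartext management protocol enabled")
        elif in_webvpn and line.strip().startswith("enable "):
            webvpn_ifaces.append(line.split()[1])
    if "logging enable" not in stripped:
        findings.append("logging disabled: no 'logging enable'")
    if not any(line.startswith("logging host ") for line in stripped):
        findings.append("no off-box syslog destination ('logging host')")
    return findings, webvpn_ifaces


# Constructed: management open to the world on the outside interface, no logging.
WEAK_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.10.0 255.255.255.0 inside
webvpn
 enable outside
"""

# Constructed: management only from an internal admin subnet, logs shipped off-box.
HARDENED_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
http server enable
http 10.0.10.0 255.255.255.0 inside
ssh 10.0.10.0 255.255.255.0 inside
ssh version 2
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.10.50
webvpn
 enable outside
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, vpn = audit_asa_config(cfg)
        print(f"{name}: webvpn on {vpn}; findings: {findings or 'none'}")
```

Note that the hardened configuration still reports the VPN web services on "outside": remote-access VPN is the legitimate purpose of the device and cannot be turned off by policy, which is exactly why the patch deadlines in the directive are so tight. Off-box syslog matters beyond detection: the advisory notes that attackers disabled logging and crashed devices to frustrate analysis, so a copy of the logs on a separate host is often the only record that survives. This audit complements, and does not replace, the forensic core dump and compromise assessment the directive mandates.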
What Organizations Should Do
Ensure that critical firewall and network infrastructure devices are not overlooked; they are high-value targets.
- Maintain an up-to-date inventory of network edge devices, firmware versions, and support status.
- Subscribe to vendor security advisories and threat intelligence feeds; act on zero-day alerts quickly.
- Introduce firmware integrity checks or attestation mechanisms where feasible.
- Enforce the principle of least privilege and restrict management channel access.
- Periodically rehearse incident response, including the isolation and replacement of compromised infrastructure.
- Train administrators to recognise signs of firmware/ROM tampering and anomalies in firewall behaviour.
References:
Advisory ID: ngCERT-2025-080006
SUMMARY
The Avalanche botnet infrastructure has been identified as one of the largest global network hosting infrastructures, utilized by cyber criminals to perform phishing and malware campaigns, as well as money mule scams. Successful malware infections have resulted in theft of sensitive data, ransomware attacks, deployment of banking trojans and execution of distributed denial-of-service (DDoS) attacks through compromised systems. Although the Avalanche botnet was taken down by foreign law enforcement agencies in 2016, recent investigations revealed traces of the malware infections impacting some systems and IP addresses within Nigeria. Consequently, individuals and organizations are advised to put safeguards in place to mitigate the risks associated with the Avalanche botnet infrastructure and other malware threats.
Damage: Critical
Probability: High
Platform(s): Windows, web browsers, and email platforms
DESCRIPTION
The Avalanche infrastructure gave botnet operators an extra layer of protection against takedown and domain blocking, offered malware hosting and distribution services, supported numerous phishing operations and DoS attacks, and was used for various money laundering schemes. The network used fast-flux DNS techniques to hide criminal activity behind an ever-changing pool of compromised hosts (systems) acting as proxies. Threat actors sent spam emails impersonating trustworthy organisations as click-bait to get victims to install the malicious software attached to the emails. The malware then stole personal information, such as passwords and credit card details, and granted the cybercriminals remote access to the infected computer.
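The DNS technique described above leaves a measurable signature: a domain that answers with a short TTL and a constantly changing set of addresses spread across many unrelated networks, because the "servers" are infected consumer machines acting as proxies. The following is an added worked example for this advisory, not code from ngCERT, CISA or the takedown partners. The observations, domains, TTLs and addresses are constructed (198.18.0.0/15 and the TEST-NET ranges are reserved example space) and the thresholds are illustrative starting points rather than published values; the example also shows why a CDN, which likewise rotates low-TTL answers, is not flagged.

```python
"""Fast-flux detection over passive-DNS style observations.

Added example for this advisory; not code from ngCERT, CISA or the Avalanche
takedown partners. Observations, domains, TTLs and addresses are constructed
(198.18.0.0/15 and TEST-NET ranges are reserved example space) and the
thresholds are illustrative, not published values.
"""
from collections import defaultdict
from ipaddress import ip_network

# (timestamp, queried domain, TTL seconds, A records returned)
OBSERVATIONS = [
    # low TTL, a fresh set of scattered addresses on every lookup: proxy pool churn
    ("2025-08-01T10:00:00", "secure-update-login.example", 60,
     ["198.18.1.10", "198.18.44.9", "198.19.8.77", "198.18.112.3", "198.19.200.2"]),
    ("2025-08-01T10:05:00", "secure-update-login.example", 60,
     ["198.19.21.6", "198.18.149.7", "198.19.152.3", "198.18.1.10", "198.18.176.9"]),
    ("2025-08-01T10:10:00", "secure-update-login.example", 60,
     ["198.19.5.5", "198.18.217.9", "198.19.255.1", "198.18.72.4", "198.18.1.10"]),
    # CDN: also low TTL and several addresses, but from two networks only
    ("2025-08-01T10:00:00", "cdn.example", 60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    ("2025-08-01T10:05:00", "cdn.example", 60, ["203.0.113.13", "203.0.113.14", "198.51.100.7"]),
    # ordinary host: long TTL, one stable address
    ("2025-08-01T10:00:00", "intranet.example", 3600, ["192.0.2.5"]),
]


def profile_domains(observations):
    """Aggregate per domain: all IPs seen, distinct /24 prefixes, TTLs, and
    how many IPs each answer introduced that earlier answers had not."""
    per = defaultdict(lambda: {"ips": set(), "ttls": [], "answers": 0, "new_per_answer": []})
    for _ts, domain, ttl, ips in sorted(observations):
        p = per[domain]
        fresh = set(ips) - p["ips"]
        p["new_per_answer"].append(len(fresh))
        p["ips"].update(ips)
        p["ttls"].append(ttl)
        p["answers"] += 1
    for p in per.values():
        p["prefixes"] = {ip_network(f"{ip}/24", strict=False) for ip in p["ips"]}
    return per


def is_fast_flux(p, max_ttl=300, min_ips=10, min_prefixes=5):
    """Flux heuristic: short TTL AND many addresses AND spread over many /24s.
    The prefix condition separates a pool of infected home hosts from a CDN,
    which also rotates low-TTL answers but within a few networks it owns."""
    return (max(p["ttls"]) <= max_ttl
            and len(p["ips"]) >= min_ips
            and len(p["prefixes"]) >= min_prefixes)


def fast_flux_domains(observations, **thresholds):
    """Sorted list of domains whose profile meets the flux heuristic."""
    return sorted(d for d, p in profile_domains(observations).items()
                  if is_fast_flux(p, **thresholds))


if __name__ == "__main__":
    for domain, p in profile_domains(OBSERVATIONS).items():
        print(f"{domain}: {len(p['ips'])} IPs over {len(p['prefixes'])} /24s, "
              f"min TTL {min(p['ttls'])}, new per answer {p['new_per_answer']}, "
              f"flux={is_fast_flux(p)}")
```

Run against resolver query logs or passive-DNS data, the profile is computed over a window of hours; a domain that keeps introducing new addresses on every answer (`new_per_answer` never drops to zero) is the strongest single indicator. Prefix diversity by /24 is a cheap stand-in for ASN diversity; where ASN data is available it should replace the /24 grouping, since the real distinguishing property of a proxy pool is that the hosts sit in many unrelated access networks.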
CONSEQUENCES
A successful malware installation and attack process could result in:
- System compromise.
- Unauthorised access to sensitive data.
- Theft of user credentials and other sensitive data.
- Ransomware attacks.
- System takeover.
- Financial loss.
- DDoS attacks.
SOLUTION/MITIGATION
The following are recommended:
- Avoid downloading or opening attachments in emails received from unknown sources or unexpectedly from trustworthy users.
- Ensure that the assets/systems’ operating system, software, antivirus, and plugins are updated.
- Block all harmful external IP addresses on your network.
- Activate built-in security features on endpoint devices which scan malware applications.
- Implement stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, endpoint detection and response solutions, including anti-malware software.
- Enforce a strong password policy and implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
HYPERLINK
- https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure
- https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Botnetz-Avalanche/botnet-avalanche_node.html
- https://www.dataleaklawyers.co.uk/blog/avalanche-largest-cybercriminal-phishing-network-dismantled